Python bindings for nono capability-based sandboxing

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for lhinds from gravatar.com lhinds

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Luke Hinds
  • Tags sandbox , security , capability , landlock , seatbelt
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

nono-py

Python bindings for nono, a capability-based sandboxing library.

nono provides OS-enforced sandboxing using Landlock (Linux) and Seatbelt (macOS). Once a sandbox is applied, unauthorized operations are structurally impossible.

Installation

pip install nono-py

From source

Requires Rust toolchain and maturin:

pip install maturin
maturin develop

Usage

from nono_py import CapabilitySet, AccessMode, apply, is_supported

# Check platform support
if not is_supported():
    print("Sandboxing not supported on this platform")
    exit(1)

# Build capability set
caps = CapabilitySet()
caps.allow_path("/tmp", AccessMode.READ_WRITE)
caps.allow_path("/home/user/project", AccessMode.READ)
caps.allow_file("/etc/hosts", AccessMode.READ)
caps.block_network()

# Apply sandbox (irreversible!)
apply(caps)

# Now the process can only access granted paths
# Network access is blocked
# This applies to all child processes too

API Reference

Enums

AccessMode

File system access mode:

  • AccessMode.READ - Read-only access
  • AccessMode.WRITE - Write-only access
  • AccessMode.READ_WRITE - Both read and write access

Classes

CapabilitySet

A collection of capabilities that define sandbox permissions.

caps = CapabilitySet()

# Add directory access (recursive)
caps.allow_path("/tmp", AccessMode.READ_WRITE)

# Add single file access
caps.allow_file("/etc/hosts", AccessMode.READ)

# Block network
caps.block_network()

# Add platform-specific rule (macOS Seatbelt)
caps.platform_rule("(allow mach-lookup (global-name \"com.apple.system.logger\"))")

# Utility methods
caps.deduplicate()  # Remove duplicates
caps.path_covered("/tmp/foo")  # Check if path is covered
caps.fs_capabilities()  # List all fs capabilities
caps.summary()  # Human-readable summary

QueryContext

Query permissions without applying the sandbox:

caps = CapabilitySet()
caps.allow_path("/tmp", AccessMode.READ)

ctx = QueryContext(caps)

result = ctx.query_path("/tmp/file.txt", AccessMode.READ)
# {'status': 'allowed', 'reason': 'granted_path', 'granted_path': '/tmp', 'access': 'read'}

result = ctx.query_path("/var/log/test", AccessMode.READ)
# {'status': 'denied', 'reason': 'path_not_granted'}

result = ctx.query_network()
# {'status': 'allowed', 'reason': 'network_allowed'}

SandboxState

Serialize and restore capability sets:

caps = CapabilitySet()
caps.allow_path("/tmp", AccessMode.READ)

# Serialize to JSON
state = SandboxState.from_caps(caps)
json_str = state.to_json()

# Restore from JSON
restored_state = SandboxState.from_json(json_str)
restored_caps = restored_state.to_caps()

SupportInfo

Platform support information:

info = support_info()
print(info.is_supported)  # True/False
print(info.platform)      # "linux" or "macos"
print(info.details)       # Human-readable details

Policy

Load a policy.json document and resolve named groups into a CapabilitySet:

from pathlib import Path

from nono_py import CapabilitySet, load_policy

policy = load_policy(Path("examples/policy_example.json").read_text())
caps = CapabilitySet()
resolved = policy.resolve_groups(["system_tmp_read", "deny_secrets"], caps)

print(resolved.names)
print(resolved.deny_paths)
print(caps.summary())

Functions

apply(caps: CapabilitySet) -> None

Apply the sandbox. This is irreversible. Once applied, the current process and all children can only access resources granted by the capabilities.

is_supported() -> bool

Check if sandboxing is supported on this platform.

support_info() -> SupportInfo

Get detailed platform support information.

load_policy(json: str) -> Policy

Parse a policy.json document.

load_embedded_policy() -> Policy

Load the bundled nono policy shipped with the package.

Platform Support

Platform Backend Requirements
Linux Landlock Kernel 5.13+ with Landlock enabled
macOS Seatbelt macOS 10.5+
Windows - Not supported

Development

# Install dev dependencies
pip install maturin pytest mypy

# Build and install for development
make dev

# Run tests
make test

# Run linters
make lint

# Format code
make fmt

License

Apache-2.0

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for lhinds from gravatar.com lhinds

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Luke Hinds
  • Tags sandbox , security , capability , landlock , seatbelt
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.7.0

0.6.0

This version

0.5.0

0.4.2

0.4.0

0.3.1

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nono_py-0.5.0.tar.gz (110.7 kB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

nono_py-0.5.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (723.9 kB view details)

Uploaded CPython 3.13manylinux: glibc 2.17+ x86-64

nono_py-0.5.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.7 MB view details)

Uploaded CPython 3.13manylinux: glibc 2.17+ ARM64

nono_py-0.5.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (723.9 kB view details)

Uploaded CPython 3.12manylinux: glibc 2.17+ x86-64

nono_py-0.5.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.7 MB view details)

Uploaded CPython 3.12manylinux: glibc 2.17+ ARM64

nono_py-0.5.0-cp312-cp312-macosx_11_0_arm64.whl (825.2 kB view details)

Uploaded CPython 3.12macOS 11.0+ ARM64

nono_py-0.5.0-cp312-cp312-macosx_10_12_x86_64.whl (943.2 kB view details)

Uploaded CPython 3.12macOS 10.12+ x86-64

nono_py-0.5.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (723.0 kB view details)

Uploaded CPython 3.11manylinux: glibc 2.17+ x86-64

nono_py-0.5.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.7 MB view details)

Uploaded CPython 3.11manylinux: glibc 2.17+ ARM64

nono_py-0.5.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (723.4 kB view details)

Uploaded CPython 3.10manylinux: glibc 2.17+ x86-64

nono_py-0.5.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.7 MB view details)

Uploaded CPython 3.10manylinux: glibc 2.17+ ARM64

nono_py-0.5.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (724.3 kB view details)

Uploaded CPython 3.9manylinux: glibc 2.17+ x86-64

nono_py-0.5.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (1.7 MB view details)

Uploaded CPython 3.9manylinux: glibc 2.17+ ARM64

File details

Details for the file nono_py-0.5.0.tar.gz.

File metadata

  • Download URL: nono_py-0.5.0.tar.gz
  • Upload date:
  • Size: 110.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for nono_py-0.5.0.tar.gz
Algorithm Hash digest
SHA256 325681b2004a7f14d728dcb8ff8844f0c79c310c4d972db9cedf525bb9ab0a49
MD5 70fe9688d7f40c2c396e631e3a0f8a92
BLAKE2b-256 d1ab8009543fb26ce22ae2ad4185c53fc3b8cb53f35b644fca2f891ed89ef5d6

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0.tar.gz:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 b8174bf679807e260ecd23a0ca2ce57382a914fb831843056998902e24ac6c81
MD5 5e315a3bfd989ec1e1221f27d9d224cc
BLAKE2b-256 4fc3cc404a027dd815e90a9656f668f0d26b3e7825368e14e1f032652d7cb73f

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 2b586d5981d959086dc40339fafba3d971618e358c0293a5ae564a9a5a15cd29
MD5 564c0917427e938cf3391ff27ee87bdc
BLAKE2b-256 4695a6cc163f938a5a5852400ba0457620b00fa46a5bcc20dc6f2d26720564a7

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 88adb0d074d4ade29b995baa8bcfbff1313b12b54671820f31c72f1d4d20e25b
MD5 d87cc3bcbb4e7bfdc8d2019fe5abc023
BLAKE2b-256 50cb583ac7e0481be2a9ae5a1ba15dfdc23e92efecec6543f0b527482bb0be97

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 760ec9fd347f67fe5efd1e45057c9c6edbb1f256cb88429e14093b5b274bedde
MD5 01f9c4cff61d8d79cb2547c8f8f30e7e
BLAKE2b-256 7b2d4292f6ea651be8a9332f76167a51e6e4450012890f9f0ceb5ccd59c7a749

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp312-cp312-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp312-cp312-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 ec549778086b8fe324894f041f5fb21c2da65369453ffa46bd6ae92cda7da5f4
MD5 3c6c11f4a12aca2d4efa4c8781851fe1
BLAKE2b-256 8db96b4c1a7a62974e3a1a742fca9686ef4cb2bdb0b15eb17bda630c5d93465f

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp312-cp312-macosx_11_0_arm64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp312-cp312-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp312-cp312-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 c688545a95a73e50fc2c8243b000c88f51e20bb7a3258d4f2a59dc5242998ba9
MD5 f391c5c58e47ff004a781f14f34b55ba
BLAKE2b-256 bc9dd8e15158bed819f57bde0dd273227d970b91e3efeed88619b2702d140ae6

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp312-cp312-macosx_10_12_x86_64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 d7c6ee15e3e76eb76aed26d4bcd130b20bcfd240a57154bc9c0498556198116b
MD5 491bb7e62c6770220b86194a324aa606
BLAKE2b-256 e4624ff722cbe7c5cb7e5949a55ff7376b854a7c5245b99120d2e53f91a0e999

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 36620fd954e59e5df3e517ab10239ec4d5693312d71ba79546a76ec7d8a5cb29
MD5 4a4cb59c89d35ee331477deba6dd3d0a
BLAKE2b-256 12b841c63d3673ce4d4cf3e05f686b91ce0abebf7fbd24f6336e04dc3e0e397f

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 62a06a801bf23c44ff277782d36eba716f4c93f1f439908b9a2feb0b39d24dd1
MD5 2b2de00e181059085ff825db56a279c2
BLAKE2b-256 ad067cc1c048c7c6e2cc5fbbb62c27a691a7f95b90d50f05ed3b42a185fd3d54

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 420693793e7c41486802271150574f5376885eec06b92e0122bcfca375e4e1f3
MD5 8771162527695c5278c7fb0e2da721ea
BLAKE2b-256 65e939fcf44e46e52ae89223dc357331cb724efff197c395c3839d2cc901e727

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 cc929b6577d2a9012894acfdae171e2f88942688de69749cfd21c0c89d87917f
MD5 3dc849542825f9026063e798cde1677f
BLAKE2b-256 fdb8627c2d4de62e68d660bfd91685bc83717079ce03d909d656d6c839774ad7

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file nono_py-0.5.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for nono_py-0.5.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 c1446094fa0371eeb46c6beaca0685a3ede0d1da5f0c13958badfadc7cf2f113
MD5 d40b6fffc6ad72d4ae6d40f8b5e463ba
BLAKE2b-256 012d8f93752feeea173449cb8550c1af472462ebd768e3f36f14271c9c512164

See more details on using hashes here.

Provenance

The following attestation bundles were made for nono_py-0.5.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl:

Publisher: publish.yml on always-further/nono-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page