Skip to main content
Complete feature compatibility for nono running on WSL2 (kernel 6.6, Landlock V3). Legend: Full = identical to native Linux | Blocked (default) = fails secure, requires profile opt-in | Unavailable = not functional on WSL2

Subcommands

FeatureStatusNotes
nono run (supervised mode)FullFork + Landlock + exec works
nono shell (interactive shell)FullSame as run with $SHELL
nono wrap (direct mode)FullNo fork, no supervisor
nono learnFullstrace-based tracing works
nono whyFullPolicy queries are pure logic
nono setupFullReports WSL2 feature matrix
nono rollback (list/show/restore/verify/cleanup)FullPure userspace
nono audit (list/show)FullPure userspace
nono trust (init/sign/verify/list)Fullkeygen/sign-policy require gnome-keyring (distro dependency, not WSL2-specific)
nono policy (groups/profiles/show/diff/validate)FullPure logic
nono profile (init/schema/guide)FullPure logic

Filesystem Permissions

FeatureStatusNotes
--allow (read+write directory)FullLandlock V1+
--read (read-only directory)FullLandlock V1+
--write (write-only directory)FullLandlock V1+
--allow-file (read+write single file)FullLandlock V1+
--read-file (read-only single file)FullLandlock V1+
--write-file (write-only single file)FullLandlock V1+
--allow-cwdFull
--workdirFullVariable expansion only
--override-denyFull
--skip-dirFull
File rename across directoriesFullLandlock V2 (Refer)
File truncation controlFullLandlock V3 (Truncate)
Device ioctl filteringUnavailableNeeds Landlock V5 (kernel 6.10+)
Path canonicalization / symlink resolutionFull
Sensitive path blocking (46 paths)FullPolicy-driven

Network

FeatureStatusNotes
--block-net (block all outbound)Fullseccomp RET_ERRNO, kernel-enforced
Default (allow all network)FullNo restriction applied
--listen-port (child binds TCP port)UnavailableNeeds Landlock V4
--open-port (bidirectional localhost TCP)UnavailableNeeds Landlock V4
Per-port TCP filteringUnavailableNeeds Landlock V4 (kernel 6.7+)

Credential Proxy

FeatureStatusNotes
--credential SERVICE (reverse proxy injection)Blocked (default)Fails secure unless profile sets wsl2_proxy_policy: "insecure_proxy"
--env-credential (env var injection)FullNo proxy needed
--env-credential-mapFullNo proxy needed
--network-profile (host allowlist via proxy)Blocked (default)Requires wsl2_proxy_policy: "insecure_proxy" opt-in; no port lockdown
--allow-domain (domain allowlist)Blocked (default)Same as above
--allow-endpoint (L7 method+path filtering)Blocked (default)Filtering works at proxy level; child can bypass proxy
--upstream-proxy (chain through external proxy)Blocked (default)Same as above
--upstream-bypassBlocked (default)Same as above
--proxy-port (fixed proxy port)Blocked (default)Same as above
Phantom token authenticationFullSession token in env vars
Credential zeroization in memoryFullRust Zeroizing<String>
SSRF protection (cloud metadata blocking)FullApplied at proxy level
Why blocked by default: On native Linux (even pre-V4), proxy-only mode is kernel-enforced via seccomp user notification. On WSL2, seccomp notify returns EBUSY, so the child could bypass the proxy. nono refuses to run in this mode by default. Profiles can opt in to degraded execution with wsl2_proxy_policy: "insecure_proxy" in the security config. When Landlock V4 arrives (kernel 6.7+), enforcement activates automatically and the policy setting becomes irrelevant.

Execution & Supervision

FeatureStatusNotes
Supervised mode (fork + sandbox child)FullBasic supervision works
Direct mode (sandbox + exec)Full
Signal forwarding (SIGTERM, etc.)FullParent forwards to child
Exit code preservationFull
Diagnostic footer on failureFull
--capability-elevation (interactive prompts)Unavailableseccomp notify returns EBUSY
PTY relay for approval UIUnavailableDepends on capability elevation
Runtime capability expansionUnavailableDepends on seccomp notify
--dry-runFullNo execution, pure logic
--no-diagnosticsFull
Threading context managementFull
PR_SET_DUMPABLE(0) on parentFull

Rollback & Snapshots

FeatureStatusNotes
--rollback (enable snapshots)FullPure userspace (content-addressable store)
--no-rollbackFull
--no-rollback-promptFull
--rollback-excludeFull
--rollback-includeFull
--rollback-allFull
--rollback-destFull
Merkle tree integrity verificationFullSHA-256
Incremental snapshotsFull
Interactive restore promptsFull
Gitignore-aware exclusionFull

Audit Trail

FeatureStatusNotes
Session recordingFullJSON per session
--no-auditFull
Audit list/show/filterFull
Date/path/command filteringFull
JSON outputFull

Command Blocking

FeatureStatusNotes
Default dangerous command blocklist (46 commands)FullPolicy-driven
--allow-commandFull
--block-commandFull

Trust & Signing

FeatureStatusNotes
trust initFullCreates trust-policy.json
trust sign (with key)FullRequires gnome-keyring (distro dependency, not WSL2-specific)
trust sign --keyless (Sigstore)FullFulcio + Rekor, no local keystore
trust sign-policyFullRequires gnome-keyring (distro dependency)
trust verifyFullBundle verification is pure crypto
trust listFull
trust keygenFullRequires gnome-keyring (distro dependency)
trust export-keyFullRequires gnome-keyring (distro dependency)
Write-protection for signed filesFullLandlock deny rules
Trust interception in supervised modeFullUses Unix socket IPC, not seccomp
Note: Key-based trust operations (keygen, sign, sign-policy, export-key) require a D-Bus secret service (gnome-keyring or keepassxc). This is a Linux distro dependency, not a WSL2 limitation — the same requirement applies on any headless Linux. Install with: sudo apt install gnome-keyring dbus-x11

Profile System

FeatureStatusNotes
Built-in profiles (claude-code, codex, etc.)Full
Custom user profilesFull
Profile inheritance (extends)Full
Variable expansion (WORKDIR,WORKDIR, HOME, $TMPDIR)Full
Policy group resolutionFull
signal_modeUnavailableNeeds Landlock V6 (Scoping)
process_info_modeUnavailableNeeds Landlock V6 (Scoping)
ipc_modeUnavailableNeeds Landlock V6 (Scoping)
capability_elevation (in profile)Unavailableseccomp notify EBUSY
interactive modeUnavailableDepends on capability elevation
Workdir access levels (none/read/readwrite)Full

Hooks

FeatureStatusNotes
Hook installation (Claude Code)FullShell script installation
Hook script embeddingFull
Settings.json registrationFull

Learn Mode

FeatureStatusNotes
nono learn -- COMMANDFullstrace available on WSL2
--profile (compare against profile)Full
--json (profile fragment output)Full
--timeoutFull
Network connection tracingFullstrace captures connect/bind
Listening port detectionFull

Output & UX

FeatureStatusNotes
--silentFull
--themeFull
--log-fileFull
--verboseFull
--json (on applicable commands)Full
Colored outputFull
Update notificationsFull

Environment & Configuration

FeatureStatusNotes
Environment sanitizationFull
NONO_* env var supportFull
User config (~/.config/nono/)Full
Embedded policy (policy.json)Full

Summary

CategoryFullDegradedUnavailable
Subcommands (11)1100
Filesystem (15)1401
Network (5)203
Credential Proxy (10)406
Execution (12)903
Rollback (10)1000
Audit (5)500
Command Blocking (3)300
Trust (10)1000
Profiles (11)605
Hooks (3)300
Learn Mode (5)500
Output (6)600
Environment (4)400
Total (110)92 (84%)0 (0%)18 (16%)

Root causes of all WSL2-specific limitations

Root CauseFeatures AffectedFix
Landlock V4 missing (kernel 6.6 < 6.7)Per-port network (3)WSL2 kernel upgrade (automatic)
Landlock V6 missing (kernel 6.6 < 6.12)signal_mode, process_info_mode, ipc_mode (3)WSL2 kernel upgrade (automatic)
Landlock V5 missing (kernel 6.6 < 6.10)Device ioctl filtering (1)WSL2 kernel upgrade (automatic)
seccomp notify EBUSYcapability_elevation, interactive mode, PTY relay, runtime expansion (4)microsoft/WSL#9548 fix or eBPF alternative

Distro dependencies (not WSL2-specific)

DependencyFeatures AffectedFix
gnome-keyring or keepassxctrust keygen/sign/sign-policy/export-keysudo apt install gnome-keyring dbus-x11
Proxy port enforcement (seccomp notify + Landlock V4)Credential proxy features (6 blocked by default)WSL2 kernel upgrade or wsl2_proxy_policy: "insecure_proxy" opt-in