The nono crate is the foundational Rust library that provides:
  • CapabilitySet - Builder for defining filesystem and network capabilities
  • Sandbox - OS-level sandbox enforcement via Landlock (Linux) and Seatbelt (macOS)
  • FFI bindings - a C FFI layer for integrating from other languages (e.g., plain C, or Go via cgo)

API Documentation

For detailed API documentation, see docs.rs/nono.

Using the Library

use nono::{CapabilitySet, AccessMode, Sandbox};

// `?` needs a function that returns Result; this assumes nono's error type
// implements std::error::Error so it converts into the boxed error.
fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut caps = CapabilitySet::new();
    // Grant read-only access to ./data.
    caps.allow_path("./data", AccessMode::Read)?;
    // Deny all network access.
    caps.block_network();

    // Hand the capability set to the OS (Landlock on Linux, Seatbelt on macOS).
    Sandbox::apply(&caps)?;
    // Process is now sandboxed
    Ok(())
}
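
The snippet above declares a policy; the following is an added, dependency-free model of the decision that policy expresses (a path is allowed only if a rule with the matching mode covers it, after `.` and `..` are resolved; networking is default-allow until blocked). It is illustrative code written for this page, not nono's implementation: `Caps`, `Mode`, `resolve`, and the base directory `/work` are constructed stand-ins, and nono's real semantics (for example whether a write grant implies read) may differ. It also shows why the crate enforces at the OS level rather than in-process: a lexical check like this one cannot see symlinks or races, whereas Landlock and Seatbelt decide on the kernel's view of each access.

```rust
use std::path::{Component, Path, PathBuf};

/// Access mode a rule grants. Constructed stand-in for an AccessMode-style
/// enum; not nono's type.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Mode {
    Read,
    Write,
}

/// One granted filesystem capability: a normalized absolute path plus the mode.
#[derive(Debug)]
pub struct Rule {
    path: PathBuf,
    mode: Mode,
}

/// In-process model of a capability set. nono enforces the real policy at the
/// OS level (Landlock / Seatbelt); this struct only models the decision logic.
#[derive(Debug)]
pub struct Caps {
    base: PathBuf,
    rules: Vec<Rule>,
    network_blocked: bool,
}

/// Resolve `path` against `base` and normalize it lexically: `.` is dropped and
/// `..` consumes the preceding component. Returns None if `..` would climb above
/// the filesystem root, so the caller can refuse the path instead of clamping it.
pub fn resolve(base: &Path, path: &Path) -> Option<PathBuf> {
    let joined = base.join(path); // join() keeps `path` unchanged if it is absolute
    let mut out = PathBuf::new();
    for comp in joined.components() {
        match comp {
            Component::Prefix(p) => out.push(p.as_os_str()),
            Component::RootDir => out.push("/"),
            Component::CurDir => {}
            Component::ParentDir => {
                if !out.pop() {
                    return None;
                }
            }
            Component::Normal(c) => out.push(c),
        }
    }
    Some(out)
}

impl Caps {
    /// `base` is the directory relative rules are resolved against (constructed
    /// input here; a real sandbox would use the process working directory).
    pub fn new(base: &str) -> Self {
        Caps { base: PathBuf::from(base), rules: Vec::new(), network_blocked: false }
    }

    /// Grant `mode` on `path` and everything beneath it.
    pub fn allow_path(&mut self, path: &str, mode: Mode) -> Result<&mut Self, String> {
        let resolved = resolve(&self.base, Path::new(path))
            .ok_or_else(|| format!("path escapes filesystem root: {path}"))?;
        self.rules.push(Rule { path: resolved, mode });
        Ok(self)
    }

    pub fn block_network(&mut self) -> &mut Self {
        self.network_blocked = true;
        self
    }

    pub fn network_allowed(&self) -> bool {
        !self.network_blocked
    }

    /// Default-deny: a request is allowed only if some rule with the same mode
    /// covers it. `Path::starts_with` compares whole components, so a rule for
    /// `/work/data` does not cover `/work/database`.
    pub fn check_path(&self, path: &str, mode: Mode) -> bool {
        match resolve(&self.base, Path::new(path)) {
            Some(req) => self
                .rules
                .iter()
                .any(|r| r.mode == mode && req.starts_with(&r.path)),
            None => false,
        }
    }
}

fn main() {
    let mut caps = Caps::new("/work");
    caps.allow_path("./data", Mode::Read).expect("valid rule");
    caps.block_network();
    let requests = [
        ("./data/input.csv", Mode::Read),
        ("./data/input.csv", Mode::Write),
        ("./data/../secret.txt", Mode::Read),
    ];
    for (p, m) in requests {
        let verdict = if caps.check_path(p, m) { "allow" } else { "deny" };
        println!("{p} {m:?}: {verdict}");
    }
    println!("network allowed: {}", caps.network_allowed());
}
```

The `..` case is the one worth watching: `./data/../secret.txt` normalizes to `/work/secret.txt`, which no rule covers, so it is denied even though its first component matched.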

Building from Source

git clone https://github.com/always-further/nono
cd nono
cargo build --release

See the Development Guide for more details.