nono-go provides Go bindings for the nono capability-based security sandbox.
It lets a Go process declare the filesystem and network access it needs, then
apply an irreversible kernel-enforced sandbox to itself and its child processes.
The package uses the nono C FFI underneath:
- Linux enforcement uses Landlock.
- macOS enforcement uses Seatbelt through sandbox_init.
- Static libraries are bundled for macOS and Linux on amd64 and arm64.
- The public API is available at pkg.go.dev/github.com/always-further/nono-go.
Install
Requirements
- Go 1.24 or newer
- CGo enabled
- A C toolchain such as clang or gcc
Platform support
| OS | Architecture | Bundled library |
|---|---|---|
| macOS | arm64 | Yes |
| macOS | amd64 | Yes |
| Linux | amd64 | Yes |
| Linux | arm64 | Yes |
On any other OS/architecture combination the package reports nono.ErrUnsupportedPlatform instead of applying a sandbox.
Core concepts
CapabilitySet builds the policy: allowed paths, access modes, network mode,
command rules, and optional platform-specific rules.
Apply activates the sandbox for the current process. This is irreversible:
there is no call to relax or remove it. Once applied, the process and its
children can only access resources allowed by the capability set, so every
path and network endpoint the program will ever need (including files it opens
lazily, after startup) must be in the set before Apply is called.
QueryContext checks whether a capability set would allow a filesystem or
network operation without applying the sandbox.
SandboxState serializes a capability set to JSON and restores it later.
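To make the three concepts concrete, here is a small self-contained Go model of a capability set, added here as an illustration. It is not nono-go's code: the type and method names (CapabilitySet, AllowPath, QueryPath, Apply, Marshal, Restore) and the access-mode bitmask are assumptions of this example, not the library's API. The real package installs a kernel-enforced sandbox at Apply; this model only reproduces the policy behaviour that matters when you build and query a set: deny by default, component-wise path matching so that a rule for /tmp does not cover /tmpfoo, path cleaning so that ../ segments cannot escape a rule, a refusal to widen the policy after Apply, and a JSON round-trip in which the applied state is deliberately not carried along.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Access is a bitmask of filesystem access modes in this toy model.
type Access uint8

const (
	Read Access = 1 << iota
	Write
)

// PathRule grants Access to one file or to a whole directory subtree.
type PathRule struct {
	Path   string `json:"path"`
	Access Access `json:"access"`
}

// CapabilitySet is a hypothetical stand-in for a capability policy:
// path rules plus a network switch. Anything not listed is denied.
type CapabilitySet struct {
	Paths   []PathRule `json:"paths"`
	Network bool       `json:"network"`
	applied bool // not serialized: enforcement is process state, not policy
}

var ErrAlreadyApplied = errors.New("sandbox already applied; the policy is irreversible")
var ErrRelativePath = errors.New("path rules must be absolute")

// AllowPath adds a subtree rule. The path is cleaned when recorded, so a rule
// written as "/tmp/../etc" is stored as "/etc" and grants exactly that.
func (c *CapabilitySet) AllowPath(p string, a Access) error {
	if c.applied {
		return ErrAlreadyApplied
	}
	if !filepath.IsAbs(p) {
		return ErrRelativePath
	}
	c.Paths = append(c.Paths, PathRule{Path: filepath.Clean(p), Access: a})
	return nil
}

// within reports whether target is root itself or lies inside root's subtree.
// It compares path components, so "/tmp" does not match "/tmpfoo".
func within(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// QueryPath answers whether an access would be allowed without touching the
// process (the idea behind QueryContext). The query path is cleaned first.
func (c *CapabilitySet) QueryPath(p string, want Access) bool {
	p = filepath.Clean(p)
	var granted Access
	for _, r := range c.Paths {
		if within(r.Path, p) {
			granted |= r.Access
		}
	}
	return granted&want == want
}

// Apply models the irreversible step: afterwards the policy cannot be widened.
func (c *CapabilitySet) Apply() error {
	if c.applied {
		return ErrAlreadyApplied
	}
	c.applied = true
	return nil
}

// Marshal and Restore model a SandboxState round-trip; the restored set is not applied.
func (c *CapabilitySet) Marshal() ([]byte, error) { return json.Marshal(c) }

func Restore(data []byte) (*CapabilitySet, error) {
	var c CapabilitySet
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

func main() {
	var cs CapabilitySet
	_ = cs.AllowPath("/tmp/work", Read|Write)
	_ = cs.AllowPath("/etc/ssl/certs", Read)
	fmt.Println(cs.QueryPath("/tmp/work/out.txt", Write))         // true
	fmt.Println(cs.QueryPath("/tmp/work/../../etc/passwd", Read)) // false
	_ = cs.Apply()
	fmt.Println(cs.AllowPath("/", Read|Write)) // ErrAlreadyApplied
}
```

The two choices worth copying into real policy code are the cleaning of both rule and query paths before comparison, and the use of filepath.Rel rather than a string prefix test, which is what stops /tmp from silently covering /tmpfoo. Keeping the applied flag out of the serialized state reflects the same asymmetry the page describes: a SandboxState can be saved and restored, but enforcement only ever happens through Apply in the process that calls it.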
Next steps
- Quickstart: install the package and apply a minimal sandbox.
- CapabilitySet: build filesystem and network permissions.
- QueryContext: test permissions before applying a sandbox.
- Bundled Libraries: understand how native FFI artifacts are tracked.