Hermetik is an experimental sandboxing tool for executing subprocesses with restricted capabilities. It builds on Landlock, the unprivileged Linux Security Module available since Linux 5.13, which lets a process without any special privilege impose fine-grained access restrictions on itself and on everything it subsequently forks or execs.
Hermetik's sandbox lets you define:
- File access rules: Restrict access to specific paths with precise permissions.
- Network restrictions: Explicitly allow only the required TCP bind/connect to specific ports (Landlock network rules are TCP-only and require Landlock ABI v4, i.e. Linux 6.7 or later).
- Environment control: Expose only whitelisted environment variables to the subprocess.
When a sandbox is created, Hermetik applies the Landlock ruleset to a dedicated OS thread. Landlock restrictions are scoped to the thread that enforces them and are inherited across fork and execve, so the subprocess spawned from that thread runs under the sandbox while the rest of the parent process keeps its full access. Landlock only ever removes access: it cannot grant anything that file permissions or another LSM would deny, and once applied it cannot be lifted from that thread. Environment pruning is done by Hermetik itself rather than by Landlock: only the variables explicitly marked as inherited are passed to the subprocess.
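To make the mechanism concrete, here is an added example in C against the raw Landlock syscalls. It is not Hermetik's code, and Hermetik's actual implementation may differ: the example uses fork() rather than a dedicated thread to keep the parent unrestricted, and the set of rights it grants under a "read path beneath" rule (read file, read directory, execute) is this example's own choice. It declares the small subset of the Landlock UAPI it needs locally so that it builds without <linux/landlock.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Minimal Landlock UAPI, declared locally so this builds without
 * <linux/landlock.h>. Layouts and values match the kernel's ABI v1. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444   /* asm-generic numbers (x86_64, arm64) */
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1

#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
/* bits 4..12: REMOVE_DIR, REMOVE_FILE, MAKE_CHAR, MAKE_DIR, MAKE_REG,
 * MAKE_SOCK, MAKE_FIFO, MAKE_BLOCK, MAKE_SYM (all ABI v1 rights) */
#define LL_FS_ALL_V1      ((1ULL << 13) - 1)

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));  /* must be packed to match the kernel layout */

/* Rights granted under a "read path beneath" rule (this example's choice).
 * EXECUTE is included because execve() of the sandboxed command is itself
 * checked against the ruleset. */
uint64_t read_path_beneath_access(void)
{
    return LL_FS_READ_FILE | LL_FS_READ_DIR | LL_FS_EXECUTE;
}

/* Returns the kernel's Landlock ABI version (>= 1), or -errno when
 * Landlock is absent or disabled (e.g. -ENOSYS, -EOPNOTSUPP). */
long landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -errno : v;
}

/* Restrict the calling thread to read-only access beneath `dir`, then exec
 * argv. Every right in LL_FS_ALL_V1 not granted by a rule is denied.
 * Returns -errno on failure; on success it never returns. */
int exec_read_only_beneath(const char *dir, char *const argv[])
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0) return -errno;

    struct ll_path_beneath_attr rule = { .allowed_access = read_path_beneath_access() };
    rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) return -errno;
    if (syscall(__NR_landlock_add_rule, ruleset, LL_RULE_PATH_BENEATH, &rule, 0) < 0)
        return -errno;
    close(rule.parent_fd);

    /* Landlock refuses to enforce on a thread that could still gain
     * privileges (e.g. via a setuid binary), so no_new_privs comes first. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -errno;
    if (syscall(__NR_landlock_restrict_self, ruleset, 0) < 0) return -errno;
    close(ruleset);

    execvp(argv[0], argv);   /* the new program image inherits the restriction */
    return -errno;
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <dir> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    long abi = landlock_abi_version();
    if (abi < 0) {
        fprintf(stderr, "Landlock unavailable: %s\n", strerror((int)-abi));
        return 1;
    }
    /* Only the child is restricted; this parent keeps full access. */
    pid_t pid = fork();
    if (pid == 0) {
        int err = exec_read_only_beneath(argv[1], argv + 2);
        fprintf(stderr, "sandbox failed: %s\n", strerror(-err));
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Running `./landlock_demo /usr /bin/ls /etc` lists nothing and reports a permission error, while `./landlock_demo / /bin/ls /etc` succeeds, because the rule is the only thing that grants access once the ruleset handles every filesystem right. A production wrapper should query the ABI version first and mask `handled_access_fs` down to the rights the running kernel knows, since handing a kernel a right it does not recognise makes ruleset creation fail with EINVAL.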
A Docker image is provided to try out Hermetik's functionality:

```sh
docker run --rm -it ghcr.io/vvvinceocam/hermetik:latest bash
```

The image provides the hermetik CLI binary and a pre-built PHP extension. psysh is also included, allowing you to play with the PHP API.
Both tools provide the same functionality: define sandbox rules, then execute a subprocess with the configured restrictions.
Using the CLI:

```sh
hermetik --read-path-beneath "/" --inherit-env-var PATH -- printenv
```

The same sandbox from PHP:

```php
<?php
use Hermetik\Sandbox;

// Build a sandbox that grants read access beneath "/" and passes only
// PATH through to the subprocess; everything else is denied.
$sandbox = Sandbox::builder()
    ->canReadPathBeneath('/')
    ->inheritEnvVar('PATH')
    ->build();

// Run the command under the restrictions configured above.
$sandbox->exec('printenv');
```

In both cases `printenv` runs with read-only access below `/` and sees only `PATH`.