{"id":45811328,"url":"https://github.com/souk4711/hakoniwa","last_synced_at":"2026-05-16T08:18:57.687Z","repository":{"id":50590778,"uuid":"515799661","full_name":"souk4711/hakoniwa","owner":"souk4711","description":"Process isolation for Linux using namespaces, resource limits, cgroups, landlock and seccomp.","archived":false,"fork":false,"pushed_at":"2026-04-21T06:46:47.000Z","size":12802,"stargazers_count":71,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-21T08:37:12.534Z","etag":null,"topics":["cgroups","chroot","container","landlock","linux","linux-namespaces","process","rust","sandbox","sandboxing","seccomp","security","unshare"],"latest_commit_sha":null,"homepage":"https://docs.rs/hakoniwa","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/souk4711.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-07-20T01:56:51.000Z","updated_at":"2026-04-21T06:46:50.000Z","dependencies_parsed_at":"2024-06-21T19:15:19.828Z","dependency_job_id":"39555be7-3536-478d-a2e1-7cd59f09f0b2","html_url":"https://github.com/souk4711/hakoniwa","commit_stats":{"total_commits":202,"total_committers":1,"mean_commits":202.0,"dds":0.0,"last_synced_commit":"b25698334932a7048856fe9b5f989884a1f7a6b2"},"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/souk4711/hakoniwa","repository_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/souk4711%2Fhakoniwa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/souk4711%2Fhakoniwa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/souk4711%2Fhakoniwa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/souk4711%2Fhakoniwa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/souk4711","download_url":"https://codeload.github.com/souk4711/hakoniwa/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/souk4711%2Fhakoniwa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32271243,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T09:15:33.318Z","status":"ssl_error","status_checked_at":"2026-04-25T09:15:31.997Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cgroups","chroot","container","landlock","linux","linux-namespaces","process","rust","sandbox","sandboxing","seccomp","security","unshare"],"created_at":"2026-02-26T16:35:38.962Z","updated_at":"2026-04-25T18:01:41.631Z","avatar_url":"https://github.com/souk4711.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hakoniwa\n\nProcess isolation for Linux using namespaces, resource limits, cgroups, landlock and seccomp.\nIt works by creating a 
new, completely empty, mount namespace where the root is\non a tmpdir, and will be automatically cleaned up when the last process exits.\n\nIt uses the following techniques:\n\n- **Linux namespaces:** Create an isolated environment for the process.\n- **MNT namespace + pivot_root:** Create a new root file system for the process.\n- **NETWORK namespace + pasta:** Create a new user-mode networking stack for the process.\n- **setrlimit:** Limit the amount of resources that can be used by the process.\n- **cgroups + systemd:** Limit process resources using cgroup v2.\n- **landlock:** Restrict ambient rights (e.g. global filesystem access) for the process.\n- **seccomp:** Restrict the system calls that the process can make.\n\nIt can help you with:\n\n- Compile source code in a restricted sandbox, e.g. [makepkg](https://github.com/souk4711/hakoniwa/tree/main/hakoniwa-cli/docs/app-makepkg)\n- Run browsers or proprietary software in an isolated environment, e.g. [Firefox](https://github.com/souk4711/hakoniwa/tree/main/hakoniwa-cli/docs/app-firefox)\n- Chroot into rootfs, install GUI apps, and launch them, e.g. 
[containerized Firefox](https://github.com/souk4711/hakoniwa/tree/main/hakoniwa-cli/docs/container-firefox)\n\nIt also provides a set of profiles for the desktop application, read [Hakoniwa.d](https://github.com/souk4711/hakoniwa.d) to learn more.\n\n\u003e [!WARNING]\n\u003e Running untrusted code is never safe, sandboxing cannot change this.\n\n## Installation\n\nSee [INSTALL.md](https://github.com/souk4711/hakoniwa/blob/main/INSTALL.md) for installation instructions.\n\n## Usage\n\n### CLI\n\n```console\n$ hakoniwa run -- sh\nsh-5.2$ pwd\n/\nsh-5.2$ ls\nbin  etc  lib  lib64  proc  sbin  usr\nsh-5.2$ ls /proc\n1           bus        crypto         execdomains  ioports    kmsg         meminfo  net           self      sysrq-trigger  version\n3           cgroups    devices        fb           irq        kpagecgroup  misc     pagetypeinfo  slabinfo  sysvipc        vmallocinfo\nacpi        cmdline    diskstats      filesystems  kallsyms   kpagecount   modules  partitions    softirqs  thread-self    vmstat\nasound      config.gz  dma            fs           kcore      kpageflags   mounts   pressure      stat      timer_list     zoneinfo\nbootconfig  consoles   driver         interrupts   key-users  loadavg      mtd      schedstat     swaps     tty\nbuddyinfo   cpuinfo    dynamic_debug  iomem        keys       locks        mtrr     scsi          sys       uptime\nsh-5.2$ ps aux\nUSER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\njohndoe        1  0.0  0.0   4708  4020 ?        S    21:22   0:00 /usr/bin/sh\njohndoe        4  0.0  0.0   6620  3896 ?        
R+   21:22   0:00 ps aux\nsh-5.2$ exit\nexit\n\n$ hakoniwa run -v --config /etc/hakoniwa.d/firefox.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: /etc/hakoniwa.d/firefox.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/os/bare.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/os/freedesktop.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/device/dri.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/device/snd.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/socket/dbus-session.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/socket/dbus-system.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/socket/pipewire.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/socket/pulseaudio.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/socket/wayland.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/socket/x11.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/network/mode/host.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/network/connect/autoproxy.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/network/connect/http.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/network/connect/https.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/device/v4l.toml\n[2025-07-14T18:40:05Z DEBUG] CONFIG: Including /etc/hakoniwa.d/abstractions/filesystem/xdg-downloads.toml\n[2025-07-14T18:40:05Z DEBUG] Unshare namespaces: CGROUP, MOUNT, PID, USER, UTS\n[2025-07-14T18:40:05Z DEBUG] Mount:    root: /tmp/hakoniwa-4xtFNv\n[2025-07-14T18:40:05Z DEBUG] Mount:   devfs: /dev\n[2025-07-14T18:40:05Z DEBUG] Mount: bind_rw: 
/dev/dri -\u003e /dev/dri\n[2025-07-14T18:40:05Z DEBUG] Mount: bind_rw: /dev/snd -\u003e /dev/snd\n...\n[2025-07-14T18:40:05Z DEBUG] Execve: \"/usr/bin/firefox\", []\n...\n```\n\nMore examples can be found in [hakoniwa-cli](https://github.com/souk4711/hakoniwa/tree/main/hakoniwa-cli).\n\n### Rust Library\n\nThe code below is almost equivalent to `hakoniwa run -- sh`:\n\n```rust\nuse hakoniwa::Container;\n\nfn main() {\n    _ = Container::new()        // Create Container with new namespaces via unshare\n        .rootfs(\"/\").unwrap()   // Mount necessary directories, e.g. `/bin`\n        // .devfsmount(\"/dev\")     // Mount `devfs` on `/dev`, it contains a minimal set of device files, like `/dev/null`\n        // .tmpfsmount(\"/tmp\")     // Mount `tmpfs` on `/tmp`\n        // .setrlimit(..)          // Set resource limits\n        // .cgroups_resources(..)  // Set cgroups resources\n        // .landlock_ruleset(..)   // Set landlock ruleset\n        // .seccomp_filter(..)     // Set seccomp filter\n        .command(\"/bin/sh\")     // Create Command\n        .status()               // Execute\n        .expect(\"failed to execute process within container\");\n}\n```\n\nMore examples can be found in [hakoniwa](https://github.com/souk4711/hakoniwa/tree/main/hakoniwa).\n\n## How It Works\n\n![Implementation of Command::status](https://github.com/souk4711/hakoniwa/raw/main/architecture.svg)\n\n## Acknowledgements\n\n- Special thanks to [bubblewrap](https://github.com/containers/bubblewrap).\n\n## License\n\nThe CLI is licensed under the [GPL-3.0-only](https://github.com/souk4711/hakoniwa/blob/main/hakoniwa-cli/LICENSE).\n\nThe Library is licensed under the [LGPL-3.0-only WITH 
LGPL-3.0-linking-exception](https://github.com/souk4711/hakoniwa/blob/main/hakoniwa/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsouk4711%2Fhakoniwa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsouk4711%2Fhakoniwa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsouk4711%2Fhakoniwa/lists"}