dergraf.org ↗ github ↗

canister _

// unprivileged Linux sandboxes — namespaces, seccomp, L7 egress proxy with DLP

Run any command inside layered isolation: user / mount / pid / net namespaces, a 187-syscall seccomp allow list, USER_NOTIF supervisor for argument-level filtering, capability dropping, cgroups v2 limits, /proc hardening, and an inline egress proxy that contracts every outbound HTTP call.

~ — install canister
$ mkdir -p ~/.local/bin
$ curl -fsSL https://github.com/dergraf/canister/releases/download/latest/canister-x86_64-linux.tar.gz \
    | tar xz -C ~/.local/bin
$ can --version
canister 0.1.0  ✓
$ curl -fsSL https://github.com/dergraf/canister/releases/download/latest/canister-x86_64-linux.tar.gz \
    | tar xz -C ~/.local/bin
$ can --version
canister 0.1.0  ✓
  • seccomp BPF
  • USER_NOTIF supervisor
  • cgroups v2
  • L7 egress proxy
  • DLP scanner
  • pasta networking
  • AppArmor / SELinux

Filtered networking needs pasta from the passt package on the host (no daemon — it runs only for the sandbox's lifetime). Hardened distros (Ubuntu 24.04+, Fedora 41+) need sudo can setup once to install the AppArmor / SELinux policy that grants user-namespace creation. After that, everyday can run / can up stays fully unprivileged.

§01 Build a canister.toml

Answer a handful of questions about your project — language, how it's installed, editor, where the code lives — and the builder composes the matching recipes for you. Each section unhides as you answer the previous one; suggested companions are pre-checked and explain themselves on hover. Open Advanced at the bottom to edit the recipe list directly.

01

What are you setting up?

Picks reasonable egress + strict defaults later.

02

Which languages are you using?

Pick one or more. Suggested companions (registries, VCS) appear below.

03

Where do your tools live on disk?

Pick every installer your toolchain lives under. Standard system paths (/bin, /sbin, /usr/bin, /usr/sbin, /usr/lib, /usr/local/bin, /usr/share, /tmp, common /etc files) are already mounted by base.toml — skip this step if that's where everything lives.

04

Editor & dev tooling?

If you pick Neovim, its plugin manager appears in suggested companions.

05

Source & forge?

Picking a forge auto-adds git.

06

Package managers & registries?

Local package-manager tools (npm, pip, cargo …) and the registries they fetch from. Pre-checked items are suggested by your language picks.

07

Remote APIs & SaaS

AI inference (Anthropic, OpenAI, …) and SaaS providers (AWS, Slack, Stripe). Each one is a per-host contract — methods, content types, DLP scope all pre-baked.

08

Additional network hosts

Add bespoke [[host]] entries to your sandbox — internal services, on-prem APIs, anything not covered by a shipped recipe. DLP credential scope ties a detector to this host so a token meant for it isn't blocked, but the same token leaking to a different upstream still is.

09

Network & strict mode

Defaults follow from your goal pick.

egress
Advanced — full recipe list, multi-sandbox edit picks directly · add more sandboxes

§02 Run it — two ways

The manifest is optional. Drop a canister.toml at your project root for repeatable, named sandboxes and run can up <name>. Or skip the file entirely and paste the equivalent can run line below — same recipe composition, no file on disk.

canister.toml — drop at project root
can run — direct invocation (no file)

With the manifest: can up <sandbox-name>. Without: paste the matching can run line. Both compose the same recipe stack — the manifest just remembers the choice for next time.