Kernel-Level Sandboxing
Every workspace in thane can be its own sandbox. Landlock LSM restricts file access to only the paths you allow, seccomp-bpf blocks dangerous syscalls, and network access is opt-in. Claude Code works freely inside its boundaries — your system stays safe.
Landlock Filesystem Restrictions
Define per-workspace read-only, read-write, and denied paths. The Linux kernel enforces the restrictions — no userspace workaround can bypass them.
seccomp-bpf Syscall Filtering
Block dangerous system calls before they reach the kernel. Prevent Claude Code from loading kernel modules, modifying system time, or tracing other processes.
Network Isolation
Control whether each workspace can make network connections. Block all network access, or allow only specific outbound connections.
Per-Workspace Configuration
Each workspace has its own sandbox settings. A documentation workspace might need no network, while a web development workspace needs localhost access.
How it works
thane uses two Linux kernel security features working together. Landlock LSM (Linux Security Module) restricts filesystem access at the kernel level — you define which paths are readable, writable, or denied, and the kernel enforces these rules for every process in the workspace. Unlike Docker volumes or chroot, Landlock works on your real filesystem without copying or mounting.
seccomp-bpf (Secure Computing with Berkeley Packet Filters) intercepts system calls before they execute. thane applies a seccomp filter that blocks dangerous syscalls like ptrace, mount, and kexec — preventing Claude Code from escalating privileges or escaping its sandbox even if it finds a vulnerability in your code.
Together, these create a defense-in-depth sandbox: even if Claude Code tricks your shell into running a malicious command, the kernel blocks filesystem access outside allowed paths and prevents dangerous system calls. All sandbox events are logged in the real-time audit trail.
Use cases
Running Claude Code autonomously
Let Claude Code edit code and run tests — without risking access to ~/.ssh, ~/.aws, or other sensitive directories.
Multi-project isolation
Run Claude Code across multiple workspaces, each with its own filesystem and network boundaries. No workspace can see or affect another's files.
Compliance and auditing
Enforce data boundaries for regulated workloads. Combine sandbox restrictions with the audit trail to prove that Claude Code never accessed restricted files.
Ready to try thane?
Free for personal use. Kernel-level sandboxing, split panes, embedded browser, and a 41-method API — all on your machine.