github matthart1983/netwatch v0.17.0

7 hours ago

⚠️ Superseded by v0.17.1 — this release had a regression: the Landlock allow-list was missing /sys, /bin, /sbin, /usr, and several /etc/* files, so on Linux with the default best-effort sandbox the Dashboard and Interfaces tabs rendered blank. The workaround on v0.17.0 was netwatch --no-sandbox. v0.17.1 expands the allow-list and is the correct version to install.


Original release notes

Release v0.17.0: Linux security sandbox — Landlock + capability drop

After pcap, PKTAP, and the eBPF kprobe finish setup, netwatch hands the elevated capabilities back and locks itself into a Landlock-enforced filesystem allow-list. A memory-safety bug in DPI parsing — the largest unsafe surface — can no longer read SSH keys, exfiltrate arbitrary files, or pivot via a new raw socket.

Two layers applied in order, gated behind a single CLI surface:

netwatch                     # default: best-effort
netwatch --sandbox-strict    # refuse to start if Landlock can't enforce
netwatch --no-sandbox        # debug escape hatch
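
How the three modes and a Landlock allow-list fit together, as an added sketch that is not netwatch's own code: all names are hypothetical, the best-effort fallback (keep running unsandboxed when Landlock is unavailable) is an assumption, and the syscall numbers are those of x86-64 and arm64. Any directory left out of the list is denied outright, which is the failure mode behind the blank tabs described in the v0.17.1 note.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock UAPI values, defined locally so <linux/landlock.h> is not needed. */
enum { LL_CREATE = 444, LL_ADD_RULE = 445, LL_RESTRICT_SELF = 446 }; /* syscall numbers */
#define LL_FS_READ   ((1ull << 2) | (1ull << 3)) /* READ_FILE | READ_DIR */
#define LL_FS_ALL_V1 ((1ull << 13) - 1)          /* all ABI v1 filesystem rights */
struct ll_ruleset { uint64_t handled_access_fs; };
struct ll_path { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

enum mode { BEST_EFFORT, STRICT, NO_SANDBOX };   /* default, --sandbox-strict, --no-sandbox */
enum action { ENFORCE, RUN_UNSANDBOXED, REFUSE_START };

/* Landlock ABI version, or -1 when the kernel lacks it or it is disabled. */
int landlock_abi(void) {
    long v = syscall(LL_CREATE, NULL, (size_t)0, 1u); /* 1u = LANDLOCK_CREATE_RULESET_VERSION */
    return v < 1 ? -1 : (int)v;
}

/* Assumed gating: only strict mode treats an unenforceable sandbox as fatal. */
enum action decide(enum mode m, int abi) {
    if (m == NO_SANDBOX) return RUN_UNSANDBOXED;
    if (abi >= 1) return ENFORCE;
    return m == STRICT ? REFUSE_START : RUN_UNSANDBOXED;
}

/* Read-only allow-list over directories; every other path is denied. 0 on success. */
int apply_allow_list(const char *const *dirs, size_t n) {
    struct ll_ruleset ra = { .handled_access_fs = LL_FS_ALL_V1 };
    int rs = (int)syscall(LL_CREATE, &ra, sizeof ra, 0);
    if (rs < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        struct ll_path pa = { .allowed_access = LL_FS_READ };
        pa.parent_fd = open(dirs[i], O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        if (pa.parent_fd < 0) continue;          /* directory absent on this host */
        long r = syscall(LL_ADD_RULE, rs, 1, &pa, 0); /* 1 = LANDLOCK_RULE_PATH_BENEATH */
        close(pa.parent_fd);
        if (r) { close(rs); return -1; }
    }
    int ok = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && syscall(LL_RESTRICT_SELF, rs, 0) == 0;
    close(rs);
    return ok ? 0 : -1;
}
```

For single files such as the /etc/* entries, open without O_DIRECTORY and grant only the read-file right, because landlock_add_rule rejects directory-only rights on a non-directory.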

See CHANGELOG.md for full details.
