
Childflow

v0.7.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched


Topics

dns linux packet-capture pcap penetration-testing-tools proxychains rust

Affected surfaces

auth rbac rce_ssrf

Summary

AI summary

Updates Demo and CI, Highlights, and Proxy and Policy across a mixed release.

Full changelog

childflow 0.7.0

childflow 0.7.0 focused on making the per-command-tree sandbox practical for day-to-day Linux use: a default rootless path, reusable profiles, structured flow logs, stronger proxy enforcement, and more reliable demo / CI coverage.

Highlights

  • Added the default rootless-internal backend for per-command-tree network isolation without switching the whole host session.
  • Kept rootful support available through --root when host-integrated behavior is needed, such as --iface or transparent interception.
  • Added reusable TOML profiles with inheritance via extends and effective config export through --dump-profile.
  • Added structured JSON Lines flow logging with --flow-log, including DNS, connect, result, and policy-violation events.
  • Added post-run summaries with --summary for quick inspection without opening packet captures first.

Proxy and Policy

  • Improved proxy control so childflow can force traffic through an upstream proxy without depending on HTTP_PROXY or similar environment variables.
  • Added support for authenticated upstream proxies and HTTPS proxy handling with --proxy-insecure.
  • Added --proxy-only to require the configured proxy path for outbound traffic.
  • Added --fail-on-leak so blocked direct traffic can turn a run into a non-zero exit when desired.
  • Added outbound sandbox controls including --offline, --block-private, --block-metadata, --default-policy, --allow-cidr, and --deny-cidr.
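The structured JSON Lines flow log (see the --flow-log highlight above) is what makes --fail-on-leak auditable after the fact: each DNS, connect, result and policy-violation event is one JSON object per line, so a reviewer can replay a run and confirm that every blocked direct connection was recorded. The following script is an added example, not part of childflow or its documentation: it parses a constructed flow log, tolerates malformed lines, summarizes events by type, lists the policy violations, and derives a --fail-on-leak style exit code. The field names ("event", "dest", "port", "via", "reason") and the event-type strings are assumed for illustration; the project's flow log schema documentation is authoritative for the real keys.

```python
import json
import sys
from collections import Counter

# Constructed sample flow log in JSON Lines form. Field names and event-type
# strings are ASSUMED for this example; check the project's schema docs.
SAMPLE_FLOW_LOG = """\
{"ts": "2024-01-01T00:00:00Z", "event": "dns", "name": "example.com"}
{"ts": "2024-01-01T00:00:01Z", "event": "connect", "dest": "93.184.216.34", "port": 443, "via": "proxy"}
{"ts": "2024-01-01T00:00:02Z", "event": "result", "dest": "93.184.216.34", "port": 443, "status": "ok"}
{"ts": "2024-01-01T00:00:03Z", "event": "connect", "dest": "169.254.169.254", "port": 80, "via": "direct"}
{"ts": "2024-01-01T00:00:03Z", "event": "policy-violation", "dest": "169.254.169.254", "port": 80, "reason": "block-metadata"}
this line is deliberately not JSON
{"ts": "2024-01-01T00:00:04Z", "event": "policy-violation", "dest": "10.0.0.5", "port": 22, "reason": "block-private"}
"""


def parse_flow_log(text):
    """Parse JSON Lines into a list of event dicts.

    Malformed lines are skipped but counted, so a truncated or corrupted log
    is visible to the reviewer rather than silently shortened.
    """
    events, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if isinstance(record, dict) and "event" in record:
            events.append(record)
        else:
            malformed += 1
    return events, malformed


def summarize(events):
    """Count events per type, roughly what a post-run --summary would show."""
    return dict(Counter(e["event"] for e in events))


def leaks(events):
    """Policy-violation events: direct traffic the sandbox blocked."""
    return [e for e in events if e["event"] == "policy-violation"]


def exit_code(events, fail_on_leak):
    """Mimic --fail-on-leak: exit non-zero when any violation was recorded."""
    return 1 if fail_on_leak and leaks(events) else 0


if __name__ == "__main__":
    evs, bad = parse_flow_log(SAMPLE_FLOW_LOG)
    print("events by type:", summarize(evs), "malformed lines:", bad)
    for violation in leaks(evs):
        print("blocked:", violation.get("dest"), violation.get("port"),
              "reason:", violation.get("reason"))
    sys.exit(exit_code(evs, fail_on_leak=True))
```

In a CI job, the non-zero exit from the last line is the hook: a run whose flow log contains any policy-violation event fails the pipeline, which is the same contract --fail-on-leak offers at run time, applied to the archived log.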

Capture and Observability

  • Expanded packet capture control with capture points / views: child, egress, wire-egress, and both.
  • Added flow log schema documentation.
  • Added profile schema documentation.
  • Added --doctor to help diagnose whether the current host is ready for the selected backend.

Demo and CI

  • Refreshed the Docker demo and e2e flows so they better exercise proxying, profile-driven runs, and capture output.
  • Improved CI coverage across both ubuntu-22.04 and ubuntu-24.04.
  • Updated the demo / e2e runners to prefer non-root execution first and fall back to sudo only when the host blocks required rootless namespace or capture operations.
  • Added better handling for Ubuntu 24.04 style AppArmor restrictions encountered in CI and containerized test environments.

Notes

  • childflow remains Linux-only.
  • Structured flow logs and --fail-on-leak currently target the default rootless-internal backend.
  • In TOML profiles, the backend is selected with backend = "rootful" in the profile file rather than with the --root flag.
