Download Little Snitch for Linux
We offer packages for four major 64-bit CPU architectures found in desktop and laptop computers
today. For each architecture, we provide .deb (Debian, Ubuntu, Mint, Kali, …),
.rpm (Fedora, RHEL, openSUSE, CentOS, …) and .pkg.tar.zst (Arch, Manjaro,
CachyOS, EndeavourOS, …). Choose the right combination from the list below. For statically linked binaries scroll down.
Minimum system requirements
Kernel version
Little Snitch for Linux requires Linux kernel 6.12 or newer, built with BTF support. In practice
this means Debian 13, Ubuntu 25.04, Mint 22, Fedora 40, RHEL 10. If you're unsure which kernel you're running, uname -r will tell you.
The 6.12 requirement exists because that release significantly improved the eBPF verifier's ability to follow program logic, which reduces the number of code paths it needs to analyze. There is some hope that a future refactor of the eBPF code could bring compatibility down to kernel 5.17, but that hasn't happened yet.
BTF and function tracer support
BTF is what makes CO-RE (Compile Once – Run Everywhere)
possible. This mechanism lets Little Snitch run across different kernel versions without needing
to be recompiled for each one, the way a traditional loadable kernel module would. It works by
reading kernel-provided metadata from /sys/kernel/btf/, which describes the data
structures and function addresses of the running kernel.
All major distributions enable BTF by default, and its presence is easy to verify: if
/sys/kernel/btf/ exists, you're good. The exception is kernels built for embedded
systems or low-memory hardware, which sometimes omit BTF to save space. Those kernels are
incompatible with Little Snitch regardless of their version number.
Function tracing allows BPF programs to intercept any function in the kernel, private or public, and inspect the function's arguments. Little Snitch uses a tracing program to find the executable file node before it is possibly passed to an interpreter. This way it can show the path to a script, not just the interpreter's path. The kernel must be built with CONFIG_FUNCTION_TRACER=y and popular Linux distributions are.
Hardened kernels
Little Snitch for Linux relies on the eBPF helper `bpf_probe_read_kernel()` for computing the file system path of executables from the kernel's internal structures. This helper may not be available on hardened kernels for security and privacy reasons, so Little Snitch is incompatible with these versions.
Verifying download integrity
To check the integrity of downloaded packages, download the following two files and follow the instructions in the .hashes.txt file.
| Integrity Check | ||
|---|---|---|
| littlesnitch-1.0.3.hashes.txt |  Download | 3.10 kB |
| littlesnitch-1.0.3.hashes.txt.sig.github.json | Download | 5.03 kB |
Statically linked binaries
If our binary does not run on your computer, telling you that a library is missing, you can try our statically linked binaries. These binaries have almost no external library dependency.
The archives below contain only the binary. No installer packages, no supporting files. If your machine runs systemd, you can extract the systemd unit from one of the packages above. For other init systems just make sure to run littlesnitch --daemon on system start. The daemon manages everything else.
| Statically Linked | ||
|---|---|---|
| littlesnitch-1.0.3-amd64-linux-musl.tar.gz | Download | 7.2 MB |
| littlesnitch-1.0.3-arm64-linux-musl.tar.gz | Download | 6.7 MB |
| littlesnitch-1.0.3-ppc64le-linux-musl.tar.gz | Download | 7.3 MB |
(RISC-V/musl is currently not supported by the build system.)
Legacy versions
Legacy versions can be downloaded here. Please note that new versions may fix vulnerabilities and running legacy versions may be a security risk.
Release Notes
Little Snitch for Linux 1.0.3 (10003)
Improvements
- Offer presets when adding a new blocklist (thanks to overflo for this contribution).
- Security improvements: the daemon now runs sandboxed and permanently drops all capabilities after loading eBPF programs. Note that this may have introduced new bugs, as we cannot guarantee which capabilities and file paths are used by library code.
- Further reduced verification time of the eBPF programs on Linux 6.19.4 and above.
- Downloads now include a statically linked binary and packages for PPC64LE.
- If the system has less than 16 GB of memory, eBPF programs are loaded sequentially, trading longer load times for lower memory consumption.
Little Snitch for Linux 1.0.2 (10002)
This bugfix release addresses the following issues:
- The previous fix for Btrfs in version 1.0.1 introduced a new bug where connections were attributed to the wrong executables. Little Snitch sometimes showed a parent which executed the program as the connecting program. This was a consequence of using mount IDs to identify mount points between user space and kernel. This version handles the entire path construction in the kernel.
- Optimized loops in eBPF to reduce complexity seen by eBPF verifier. Little Snitch now runs on the latest kernel versions 6.19.4 and above, including the new 7.0 (and 7.1 preview) kernels.
Little Snitch for Linux 1.0.1 (10001)
This bugfix release fixes an issue with Btrfs: Executables on Btrfs appeared as "Not Identified" processes.
It does not fix an incompatibility with Linux 6.19 where the eBPF verifier rejects our program.
Little Snitch for Linux 1.0 (10000)
This is the first public release of Little Snitch for Linux. We hope it proves useful — and perhaps a little eye-opening.