Download Little Snitch for Linux

Security improvements

• The daemon now aborts when a requested security feature could not be activated, ensuring the problem cannot be silently ignored. Two new command-line options allow security features to be explicitly disabled when needed: --no_capability_sandbox and --no_file_sandbox.
• Fixed a bug that prevented Landlock (file sandbox) from activating.
• The SysVinit script now contains a section for OpenRC. However, it is not compatible with OpenRC out of the box. The #!/bin/sh line must be removed so that #!/sbin/openrc-run takes effect.
• New configuration option ui_base_urls for the Web UI adds a check against Cross-Site Request Forgery. If you have overridden web_ui.toml, consider adding this option to your override file.

Other bugfixes

• Fixed a zombie-process leak when the privileged helper is not needed.

Yesterday's security update accidentally broke the disclosure buttons in the connections section. This release restores them.

This release also includes two new features:

• Logout button: If you've set a password to protect the Little Snitch interface, you can now log out directly from the UI to end your session.
• Configurable localhost/localnet: The definitions of localhost and localnet are now stored in a config file, allowing you to customize them to fit your network setup.

This release focuses on security hardening of the local web interface and authentication system.

Security

• Brute-force protection: failed logins now trigger a hold-off period, simultaneous attempts and per-user login attempts are capped.
• Passwords are zeroed in memory immediately after use, and all password checks run inside the privileged helper process.
• Blocklist downloads are capped at 100 MB to prevent denial-of-service from a malicious update server. file:// blocklist URLs are no longer accepted.
• CORS and WebSocket origin checks are tightened. A host like localhost.evil.com no longer passes. A Content Security Policy header is now sent on all responses.
• All user-supplied input is validated: control characters are stripped, lengths are capped, and unsafe UTF-8 conversions on external data have been removed.
• The auto-generated TLS certificate is now persisted so clients can pin it.

Bug fixes

• Fixed GlobalSettings accumulating a new database row on every change.
• Fixed a crash during traffic history iteration when the database contained an invalid entry.
• Fixed decoding of login credentials. This bug could prevent users with certain names/passwords from logging in on the web interface.

Improvements

• Access can now be restricted to members of a specific system group.
• The PAM service name used for authentication is configurable.
• Regular traffic history updates use less CPU time now.

Bug Fixes

• Fixed package install for Fedora Atomic versions. Since rpm-ostree runs in a sandboxed environment, the post-install script always failed and the install was rolled back. Errors are now ignored to allow installation.
• Improved compatibility with SysVinit and OpenRC. Added relevant directories to $PATH in startup script and improved detection of init system in post-install script.
• Rules for an executable were discarded if at least one component of its path was not visible to every user. This bug was caused by a missing capability for Little Snitch's daemon.
• When an executable was added after a rule for its path was created, the rule did not match.
• DNS responses with loopback addresses (127.0.0.0/8, ::1) are now discarded. These are most likely names blocked by Pi-hole, and such blocked names should not appear for loopback traffic.
• A connect system call for a UDP socket is no longer shown as activity in the connections list. For UDP, no data is sent at connect time.

This release fixes a bug where network traffic from Java applications was not shown. This bug affected all processes which open a socket with address family AF_INET6, but use 6-to-4 compatibility addresses to send IPv4 traffic.

It also adds an init.d script for OpenRC and SysVinit compatibility to the installer packages.

Improvements

• Improved compatibility with various kernel configuration options. Now works with Zen kernels and kernels that have no tracing support.
• Sandboxing, introduced in 1.0.3, caused problems on Debian 13. This is now fixed by requesting broader capabilities from systemd.
• Improved detection of executable paths for sockets already open when Little Snitch's daemon starts. This results in fewer "Not Identified" processes.
• The daemon now starts earlier during system boot to improve reliability of executable path detection. Note that executable scripts (with #! in the first line) can only be detected correctly when the daemon is already running at the time the script starts.

Improvements

• Offer presets when adding a new blocklist (thanks to overflo for this contribution).
• Security improvements: the daemon now runs sandboxed and permanently drops all capabilities after loading eBPF programs. Note that this may have introduced new bugs, as we cannot guarantee which capabilities and file paths are used by library code.
• Further reduced verification time of the eBPF programs on Linux 6.19.4 and above.
• Downloads now include a statically linked binary and packages for PPC64LE.
• If the system has less than 16 GB of memory, eBPF programs are loaded sequentially, trading longer load times for lower memory consumption.

This bugfix release addresses the following issues:

• The previous fix for Btrfs in version 1.0.1 introduced a new bug where connections were attributed to the wrong executables. Little Snitch sometimes showed a parent which executed the program as the connecting program. This was a consequence of using mount IDs to identify mount points between user space and kernel. This version handles the entire path construction in the kernel.
• Optimized loops in eBPF to reduce complexity seen by eBPF verifier. Little Snitch now runs on the latest kernel versions 6.19.4 and above, including the new 7.0 (and 7.1 preview) kernels.

This bugfix release fixes an issue with Btrfs: Executables on Btrfs appeared as "Not Identified" processes.

It does not fix an incompatibility with Linux 6.19 where the eBPF verifier rejects our program.

This is the first public release of Little Snitch for Linux. We hope it proves useful — and perhaps a little eye-opening.