'Landrun': Lightweight Linux Sandboxing With Landlock, No Root Required (github.com)
Saturday April 05, 2025 @05:34PM (EditorDavid)
from the playing-in-the-sandbox dept.
- Reference: 0176937437
- News link: https://linux.slashdot.org/story/25/04/05/217212/landrun-lightweight-linux-sandboxing-with-landlock-no-root-required
- Source link: https://github.com/zouuup/landrun
Over on Reddit's "selfhosted" subreddit for alternatives to popular services, long-time Slashdot reader [1] Zoup described [2] a pain point:
- Landlock is a Linux Security Module (LSM) that lets unprivileged processes restrict themselves.
- It's been in the kernel since 5.13, but the API is awkward to use directly.
- It always annoyed the hell out of me to run random binaries from the internet without any real control over what they can access.
So they've rolled their own solution, according to Thursday's [3] submission to Slashdot:
> I just [4] released Landrun, a Go-based CLI tool that wraps Linux Landlock (5.13+) to sandbox any process without root, containers, or seccomp. Think firejail, but minimal and kernel-native. Supports fine-grained file access (ro/rw/exec) and TCP port restrictions (6.7+). No daemons, no YAML, just flags.
>
> Example (where --rox allows read-only access with execution to specified path):
>
> # landrun --rox /usr touch /tmp/file
> touch: cannot touch '/tmp/file': Permission denied
> # landrun --rox /usr --rw /tmp touch /tmp/file
> #
>
> It's MIT-licensed, easy to audit, and now supports systemd services.
[1] https://www.slashdot.org/~Zoup
[2] https://www.reddit.com/r/selfhosted/comments/1jh8pnd/i_built_a_cli_tool_to_sandbox_linux_processes/
[3] https://slashdot.org/submission/17334889/landrun-lightweight-linux-sandboxing-with-landlock-no-root-required
[4] https://github.com/zouuup/landrun
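What a "--rox /usr --rw /tmp" policy boils down to at the syscall level, as an added example that is not landrun's own code: build a ruleset that handles every Landlock ABI v1 filesystem right, add one path rule per directory, then restrict the process and exec the command. The ABI constants, struct layouts and syscall numbers (444-446 on x86_64 and arm64) are restated here so it builds without `<linux/landlock.h>`; the flag-name-to-rights table and the `sandbox_apply` helper are my own assumptions, and running it needs a Landlock-enabled kernel (5.13+).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Landlock ABI v1 bits and structs, restated so this builds without <linux/landlock.h>. */
#define LL_EXECUTE    (1ULL << 0)
#define LL_READ_FILE  (1ULL << 2)
#define LL_READ_DIR   (1ULL << 3)
#define LL_FS_ALL_V1  ((1ULL << 13) - 1)   /* all v1 rights: exec, read, write, remove, make* */
#define LL_RULE_PATH_BENEATH 1
#ifndef __NR_landlock_create_ruleset        /* x86_64 and arm64 syscall numbers */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
/* Assumed mapping of landrun-style flag names to Landlock rights (not landrun's own table). */
uint64_t access_for_mode(const char *mode) {
    if (strcmp(mode, "ro") == 0)  return LL_READ_FILE | LL_READ_DIR;
    if (strcmp(mode, "rox") == 0) return LL_READ_FILE | LL_READ_DIR | LL_EXECUTE;
    if (strcmp(mode, "rw") == 0)  return LL_FS_ALL_V1 & ~LL_EXECUTE;
    return 0;  /* unknown flag grants nothing: fail closed */
}
/* Handle every v1 right so unlisted paths get nothing, allow one rule per path, then restrict
 * this process irrevocably. Returns 0, or -1 with errno set (ENOSYS on kernels without Landlock). */
int sandbox_apply(const char *const paths[], const char *const modes[], int n) {
    struct ll_ruleset_attr rs = { .handled_access_fs = LL_FS_ALL_V1 };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (fd < 0) return -1;
    for (int i = 0; i < n; i++) {
        struct ll_path_beneath_attr pb = { access_for_mode(modes[i]), open(paths[i], O_RDONLY) };
        int rc = pb.parent_fd < 0 ? -1 : (int)syscall(__NR_landlock_add_rule, fd, LL_RULE_PATH_BENEATH, &pb, 0);
        if (pb.parent_fd >= 0) close(pb.parent_fd);  /* the rule keeps its own reference */
        if (rc) { close(fd); return -1; }
    }
    /* no_new_privs lets an unprivileged process restrict itself; it and the Landlock domain survive execve. */
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, fd, 0);
    close(fd);
    return rc ? -1 : 0;
}
int main(int argc, char **argv) {  /* ./a.out touch /tmp/file  ~  landrun --rox /usr --rw /tmp touch /tmp/file */
    const char *paths[] = { "/usr", "/tmp" }, *modes[] = { "rox", "rw" };
    if (argc < 2 || sandbox_apply(paths, modes, 2)) { perror("sandbox_apply"); return 1; }
    execvp(argv[1], argv + 1); perror("execvp"); return 1;
}
```

Because the ruleset handles all v1 rights, a path that is not named in any rule is denied entirely, which is why `touch /tmp/file` fails in the post's first run and succeeds once `/tmp` is granted `rw`.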
Ok, but... (Score:2)
by ffkom ( 3519199 )
... it is a little ironic that the README.md for a tool that is supposed to help mitigate the risk of running software from a random source on the Internet tells me to `go install github.com/zouuup/landrun/cmd/landrun@latest` ... that's a little like those VPN advertisers telling me "don't trust anyone... only trust us!".
LandLock (Score:1)
To be clear, I don't think Landlock syscalls are difficult; they are simply not designed to be used from a shell (no syscall really is!). The Landlock maintainer did put years of effort into developing this amazing feature in the kernel!