Comment Re:Ok, but... (Score 1) 40
it won't have the permission to "unset" previously set permissions, but it will be able to restrict itself further.
Comment Re:I'd love to use it but dependencies scare me (Score 1) 40
Yeah, aware of that risk, a usecase of landrun is when you trust a binary, but don't trust what second layer of abstraction does (yay -S something, or just running a browser), --ldd is useful there.
Comment Re:Ok, but... (Score 1) 40
that's what it does, setting restrictions first and then forking itself.
Comment Re:This anything like Bubblejail? (Score 1) 40
It's not based on Bubblewrap
Comment Re:I'd love to use it but dependencies scare me (Score 1) 40
my pleasure! thank you for having a look.
Also agreed with points on supply chain, specially when it comes to NPM, PYPY stuff. I don't think OSS Distro package maintainers really have the time to go
through the source before pushing package tho... this will only get worse with AI generated codes and explosion of number of packages.
Should we all go "Ubuntu Pro"? they simply don't have the resources to package/review at this pace.
the only thing I can think of is for likes of github to implement reliable AI safeguards against supply chain attacks, and that's (at least) is not the immediate future...
Comment Re:I'd love to use it but dependencies scare me (Score 2) 40
fair point!
Comment Re:I'd love to use it but dependencies scare me (Score 3, Interesting) 40
It always annoyed the hell out of me to run random binaries from the internet without any real control over what they can access.
Totally agree! But when I tried to build landrun it downloads code from several github accounts. Random dependencies from the internet are a worse security risk than what it is trying to solve. I'd sandbox Firefox (the only binary to be an obvious entry point for hackers on a typical desktop machine). But for this I need to trust that none of the github accounts "russross", "urfave", "cpuguy83" or "xrash" on github have been compromised by hackers (unlikely but not impossible), and therefore increases the attack surface.
go build -o landrun cmd/landrun/main.go
go: downloading github.com/urfave/cli/v2 v2.27.6 go: downloading github.com/landlock-lsm/go-landlock v0.0.0-20250303204525-1544bccde3a3 go: downloading kernel.org/pub/linux/libs/security/libcap/psx v1.2.70 go: downloading golang.org/x/sys v0.26.0 go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.5 go: downloading github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 go: downloading github.com/russross/blackfriday/v2 v2.1.0
Yeah agreed, the "Supply chain" problem of OSS will bite us in the ass someday, although if you are willing to trust me, you should definitely trust likes of unfave!
Comment Re:Ok, but... (Score 0) 40
... it is a little ironic that the README.md for a tool that is supposed to help mitigate the risk of running software from a random source on the Internet tells me to `go install github.com/zouuup/landrun/cmd/landrun@latest`
Ahem, go install builds from source, so you're not trusting a binary. That said... you can always run landrun in landrun.
Comment LandLock (Score 5, Informative) 40
To be clear, I don't think Landlock syscalls are difficult, they are simply not designed to be used on shell (No syscall is really!), Landlock maintainer did put years of effort behind developing this amazing feature in kernel!
Submission + - Landrun: Lightweight Linux Sandboxing with Landlock, No Root Required (github.com) 1
Zoup writes: I just released landrun, a Go-based CLI tool that wraps Linux Landlock (5.13+) to sandbox any process without root, containers, or seccomp. Think firejail, but minimal and kernel-native. Supports fine-grained file access (ro/rw/exec) and TCP port restrictions (6.7+). No daemons, no YAML, just flags.
Example:
# landrun --rox /usr touch /tmp/file
touch: cannot touch '/tmp/file': Permission denied
# landrun --rox /usr --rw /tmp touch /tmp/file
#
It's MIT-licensed, easy to audit, and now supports systemd services.
Example:
# landrun --rox
touch: cannot touch '/tmp/file': Permission denied
# landrun --rox
#
It's MIT-licensed, easy to audit, and now supports systemd services.
Comment Typo! (Score 1) 1
Second command line should be
landrun --rox /usr --rw /tmp touch /tmp/file
Submission + - Landrun: CLI tool to sandbox processes using Landlock, no containers, no root (github.com) 1
Zoup writes: Hey folks, I built a CLI tool called landrun that uses the Linux Landlock LSM to sandbox commands without needing containers or root.
You can define what paths a command can read or write to, and everything else is blocked by the kernel:
# landrun --rox
/usr touch /tmp/file
touch: cannot touch '/tmp/file': Permission denied
# landrun --ro/xusr --rw /tmp touch /tmp/file
#
Why does this matter?
Landlock is a Linux Security Module (LSM) that lets unprivileged processes restrict themselves.
It's been in the kernel since 5.13, but the API is awkward to use directly.
It always annoyed the hell out of me to run random binaries from the internet without any real control over what they can access.
Features:
Works with any CLI command
Secure-by-default: deny all, allow only specified paths
No root, no special privileges required
More convenient than selinux, apparmor, etc
Written in Go, small and fast
GitHub:
https://github.com/Zouuup/land...
Comment Psychohistory!! (Score 1) 347
Psychohistory!!!!
Comment Now that's (Score 1) 45
WTF
Submission + - Ask Slashdot: As Programmer/Geek, Should I Learn business? 2
An anonymous reader writes: During my career i was always focused on learning new technologies and trending programming languages, while i made a good fortune out of it, what's next step? should i learn business, network making and marketing? should i start to run my own business?
Slashdot Top Deals
Put no trust in cryptic comments.
