
Submission Summary: 0 pending, 1 declined, 1 accepted (2 total, 50.00% accepted)

Submission: Landrun: Lightweight Linux Sandboxing with Landlock, No Root Required (github.com)

Zoup writes: I just released landrun, a Go-based CLI tool that wraps Linux Landlock (5.13+) to sandbox any process without root, containers, or seccomp. Think firejail, but minimal and kernel-native. Supports fine-grained file access (ro/rw/exec) and TCP port restrictions (6.7+). No daemons, no YAML, just flags.

Example:
# landrun --rox /usr touch /tmp/file
touch: cannot touch '/tmp/file': Permission denied
# landrun --rox /usr --rw /tmp touch /tmp/file
#

It's MIT-licensed, easy to audit, and now supports systemd services.

Submission: Landrun: CLI tool to sandbox processes using Landlock, no containers, no root (github.com)

Zoup writes: Hey folks, I built a CLI tool called landrun that uses the Linux Landlock LSM to sandbox commands without needing containers or root. You can define what paths a command can read or write to, and everything else is blocked by the kernel:

# landrun --rox /usr touch /tmp/file
touch: cannot touch '/tmp/file': Permission denied
# landrun --rox /usr --rw /tmp touch /tmp/file
#

Why does this matter? Landlock is a Linux Security Module (LSM) that lets unprivileged processes restrict themselves. It's been in the kernel since 5.13, but the API is awkward to use directly. It always annoyed the hell out of me to run random binaries from the internet without any real control over what they can access.

Features:
Works with any CLI command
Secure-by-default: deny all, allow only specified paths
No root, no special privileges required
More convenient than selinux, apparmor, etc
Written in Go, small and fast

GitHub: https://github.com/Zouuup/land...
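The post above says Landlock lets an unprivileged process restrict itself but that the raw API is awkward. The following added example (not part of the post and not landrun's code) shows the three underlying syscalls reproducing the `--rox /usr` case in a forked child; the function names and the `/tmp` target path are assumptions, and the constants are copied from the kernel's `<linux/landlock.h>`.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values copied from the kernel's <linux/landlock.h> (ABI v1, Linux 5.13)
 * so this builds against older headers. Function names are hypothetical. */
enum { LL_CREATE_RULESET = 444, LL_ADD_RULE = 445, LL_RESTRICT_SELF = 446 };
#define LL_RULE_PATH_BENEATH 1
#define FS_EXECUTE   (1ULL << 0)
#define FS_READ_FILE (1ULL << 2)
#define FS_READ_DIR  (1ULL << 3)
#define FS_ALL_V1    ((1ULL << 13) - 1) /* all 13 ABI v1 rights: handled = denied unless a rule allows */
struct ruleset_attr { uint64_t handled_access_fs; };
struct path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Runs in the child: allow read+execute beneath rox_dir only, then try to create target.
 * Exit code 0 = kernel denied the create, 1 = create succeeded, 2 = Landlock unusable. */
static int restricted_child(const char *rox_dir, const char *target) {
    struct ruleset_attr attr = { .handled_access_fs = FS_ALL_V1 };
    int rs = (int)syscall(LL_CREATE_RULESET, &attr, sizeof(attr), 0);
    if (rs < 0) return 2; /* e.g. ENOSYS/EOPNOTSUPP: kernel too old or LSM disabled */
    struct path_beneath_attr rule = { FS_EXECUTE | FS_READ_FILE | FS_READ_DIR, open(rox_dir, O_RDONLY) };
    if (rule.parent_fd < 0 || syscall(LL_ADD_RULE, rs, LL_RULE_PATH_BENEATH, &rule, 0)) return 2;
    /* Unprivileged callers must set no_new_privs before restricting themselves. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(LL_RESTRICT_SELF, rs, 0)) return 2;
    int fd = open(target, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) return 1;
    return errno == EACCES ? 0 : 2;
}

/* Returns 1 if the write was denied, 0 if it was allowed, -1 if Landlock is unavailable. */
int write_denied_under_landlock(const char *rox_dir, const char *target) {
    int st;
    pid_t pid = fork(); /* restrictions are irreversible, so confine a child */
    if (pid < 0) return -1;
    if (pid == 0) _exit(restricted_child(rox_dir, target));
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) > 1) return -1;
    return WEXITSTATUS(st) == 0;
}

int main(void) {
    printf("%d\n", write_denied_under_landlock("/usr", "/tmp/landlock_demo_file"));
    return 0;
}
```

On a kernel with Landlock enabled the function returns 1, matching the "Permission denied" in the post's first command; it returns -1 where the LSM is missing or disabled.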
