Landrun runs Linux processes in a restricted sandbox without requiring root privileges. Built on the Landlock LSM, it enforces the restrictions in the kernel with minimal overhead and a simple command line. Options for fine-grained file access control and TCP network restrictions cover a range of use cases.
A lightweight and secure sandbox environment for executing Linux processes using Landlock LSM. Designed with kernel-level security and minimal overhead in mind, landrun offers an effective alternative to traditional sandboxing tools like firejail.
Key Features
- Kernel-Level Security: Utilizes the Landlock Linux Security Module for enhanced security.
- Lightweight & Fast: Designed for efficient execution without unnecessary resource consumption.
- Fine-Grained Access Control: Easily manage file and directory permissions with read-only and read-write options.
- Network Access Control: Control both binding and connecting TCP network access, adding an extra layer of security.
Quick Overview of Usage
Executing commands within the secure sandbox is straightforward. Use the basic syntax:
landrun [options] <command> [args...]
Example Commands:
- To run a command with read-only access to specific directories:
landrun --ro /usr/bin --ro /lib --ro /lib64 --ro /path/to/dir ls /path/to/dir
- Enable write access to a directory:
landrun --ro /usr/bin --ro /lib --ro /lib64 --rw /path/to/dir touch /path/to/dir/newfile
- Allow executing files within specified paths:
landrun --ro /usr/bin --ro /lib --ro /lib64 --exec /usr/bin/bash
Security Highlights
Landrun enhances security through:
- File System Access Control: Limit and manage filesystem interactions for processes.
- Execution & Directory Control: Define specific permissions for what executables can run and which directories can be accessed.
- TCP Network Restrictions: Carefully regulate which TCP ports can be used for binding or connecting, a critical feature for network security.
Kernel Compatibility
Landrun requires Linux kernel 5.13 or later; the TCP network restrictions need a newer kernel:

| Feature | Minimum Kernel Version | Landlock ABI Version |
|---|---|---|
| Basic filesystem sandboxing | 5.13 | 1 |
| Network TCP restrictions | 6.8 | 5 |
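The following C program is an added example, not landrun's own code (landrun is written in Go). It shows what the `--ro`/`--rw`/`--exec` options in the usage section amount to at the Landlock syscall level, and why the ABI version in the table above matters: the kernel rejects a ruleset that names an access right it does not know, so the set of handled rights has to be masked down to the running kernel's ABI before the ruleset is created. The wrapper name `sandbox`, the fixed list of read-only system paths, and the locally redefined `LL_*` constants and `ll_*` structs (copied from the kernel's Landlock UAPI so the example builds without kernel headers) are this example's assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock syscall numbers; they are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* The subset of <linux/landlock.h> this example needs, redefined locally so it
 * builds even where kernel headers are missing or predate Landlock. */
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_EXECUTE    (1ULL << 0)
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE  (1ULL << 2)
#define LL_FS_READ_DIR   (1ULL << 3)
#define LL_FS_REFER      (1ULL << 13) /* ABI 2 */
#define LL_FS_TRUNCATE   (1ULL << 14) /* ABI 3 */
#define LL_FS_IOCTL_DEV  (1ULL << 15) /* ABI 5 */
#define LL_FS_ABI1_ALL   ((1ULL << 13) - 1) /* bits 0..12: every right ABI 1 knows */

struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Landlock ABI version of the running kernel, or -1 with errno set
 * (ENOSYS: kernel predates Landlock, EOPNOTSUPP: LSM built but not enabled). */
int landlock_abi_version(void) {
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* Filesystem rights a kernel of the given ABI understands. Asking the kernel to
 * handle a bit it does not know fails with EINVAL, so the full right set must be
 * masked down to this before creating the ruleset. */
uint64_t fs_rights_for_abi(int abi) {
    uint64_t rights = LL_FS_ABI1_ALL;
    if (abi >= 2) rights |= LL_FS_REFER;
    if (abi >= 3) rights |= LL_FS_TRUNCATE;
    if (abi >= 5) rights |= LL_FS_IOCTL_DEV;
    return rights;
}

/* Rights granted by a read-only (--ro plus --exec style) or read-write (--rw style)
 * entry, limited to what the ruleset handles: a rule carrying an unhandled bit is EINVAL. */
uint64_t ro_rights(uint64_t handled) { return (LL_FS_READ_FILE | LL_FS_READ_DIR | LL_FS_EXECUTE) & handled; }
uint64_t rw_rights(uint64_t handled) { return handled; }

/* Allows `rights` beneath `path`. A missing path is skipped (returns 0) so the fixed
 * system path list below also works on systems without, say, /lib64. */
int allow_path(int ruleset_fd, const char *path, uint64_t rights) {
    struct ll_path_beneath_attr attr = { .allowed_access = rights, .parent_fd = -1 };
    attr.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (attr.parent_fd < 0) return errno == ENOENT ? 0 : -1;
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &attr, 0);
    int saved = errno;
    close(attr.parent_fd);
    errno = saved;
    return rc;
}

/* Usage: sandbox <rw-dir> <command> [args...]
 * System paths are readable and executable, <rw-dir> is fully writable, and every
 * other path (including $HOME) is inaccessible to <command>. */
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <rw-dir> <command> [args...]\n", argv[0]); return 2; }
    int abi = landlock_abi_version();
    if (abi < 0) { perror("Landlock unavailable"); return 1; }
    uint64_t handled = fs_rights_for_abi(abi);
    struct ll_ruleset_attr rs = { .handled_access_fs = handled, .handled_access_net = 0 };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset_fd < 0) { perror("landlock_create_ruleset"); return 1; }
    const char *ro[] = { "/usr", "/bin", "/lib", "/lib64", "/etc" };
    for (size_t i = 0; i < sizeof ro / sizeof *ro; i++)
        if (allow_path(ruleset_fd, ro[i], ro_rights(handled)) < 0) { perror(ro[i]); return 1; }
    if (allow_path(ruleset_fd, argv[1], rw_rights(handled)) < 0) { perror(argv[1]); return 1; }
    /* Landlock refuses to restrict a process that could still gain privileges via setuid. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl"); return 1; }
    if (syscall(__NR_landlock_restrict_self, ruleset_fd, 0) < 0) { perror("landlock_restrict_self"); return 1; }
    close(ruleset_fd);
    execvp(argv[2], argv + 2); /* the restriction is inherited across execve and by children */
    perror(argv[2]);
    return 127;
}
```

Running `./sandbox /tmp touch /tmp/ok` succeeds, while `./sandbox /tmp touch "$HOME/denied"` fails with EACCES even though discretionary permissions would allow it, because `$HOME` is simply not in the ruleset. The TCP bind/connect restrictions from the feature list follow the same create-ruleset / add-rule / restrict-self pattern with a net-port rule type, and need a kernel whose ABI supports them, which is why the table above lists a separate minimum for them.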
Future Development
Plans for future enhancements include:
- Improved filesystem control with more fine-grained permissions.
- Support for additional network protocols.
- Further security features as the Landlock API evolves.
By employing Landlock, landrun gives developers a robust tool for running applications under kernel-enforced restrictions, limiting what a compromised or untrusted process can reach while maintaining flexibility and performance.