Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: 'Landrun': Lightweight Linux Sandboxing With Landlock, No Root
Required

Link: https://linux.slashdot.org/story/25/04/05/217...

Over on Reddit's "selfhosted" subreddit for alternatives to popular services,
long-time Slashdot reader Zoup described a pain point: - Landlock is a Linux
Security Module (LSM) that lets unprivileged processes restrict themselves. -
It's been in the kernel since 5.13, but the API is awkward to use directly. -
It always annoyed the hell out of me to run random binaries from the internet
without any real control over what they can access. So they've rolled their
own solution, according to Thursday's submission to Slashdot: I just released
Landrun, a Go-based CLI tool that wraps Linux Landlock (5.13+) to sandbox any
process without root, containers, or seccomp. Think firejail, but minimal and
kernel-native. Supports fine-grained file access (ro/rw/exec) and TCP port
restrictions (6.7+). No daemons, no YAML, just flags. Example (where --rox
allows read-only access with execution to specified path): # landrun --rox
/usr touch /tmp/filetouch: cannot touch '/tmp/file': Permission denied#
landrun --rox /usr --rw /tmp touch /tmp/file# It's MIT-licensed, easy to
audit, and now supports systemd services.

Read more of this story at Slashdot.

---
VRSS v2.1.180528