Linux's Landlock security module has been available since kernel 5.13, but despite its powerful sandboxing capabilities, adoption has been limited due to its complex API. A new tool called Landrun aims to change that by making Landlock's security features accessible through a simple command-line interface.
Landrun, a lightweight CLI tool written in Go, enables unprivileged processes to create secure sandboxes with fine-grained filesystem and network access controls. Unlike traditional sandboxing solutions that require root privileges or complex container setups, Landrun leverages the kernel-native Landlock LSM (Linux Security Module) to provide robust security with minimal overhead.
Simplified Security for Unprivileged Processes
Landrun addresses a significant gap in Linux security tooling by making Landlock's powerful but complex API accessible to everyday users. The tool allows for precise control over which directories a process can read from, write to, or execute files from, as well as which TCP ports it can bind to or connect to.
Linux Landlock is a kernel-native security module that lets unprivileged processes sandbox themselves - but nobody uses it because the API is... hard!
This approach to security is reminiscent of OpenBSD's pledge and unveil system calls, which many users in the discussion praised for their simplicity. While Landlock's implementation is necessarily more complex due to Linux's strict ABI compatibility requirements, Landrun abstracts away this complexity, providing a more approachable interface.
Comparison with Existing Solutions
The community discussion highlighted several comparisons between Landrun and existing sandboxing tools like Firejail, Bubblewrap, and nsjail. While these tools often use Linux namespaces for isolation, Landrun's use of Landlock provides some distinct advantages.
Namespaces, while powerful, can introduce a large attack surface and typically require more substantial changes to applications that want to sandbox themselves. They also often require root privileges or special system configurations. In contrast, Landlock is designed specifically to be used by unprivileged processes and integrates well with existing security mechanisms.
Several users noted that Firejail recently added Landlock support as well, indicating growing interest in this security mechanism across the Linux ecosystem.
Network Restrictions and Future Development
One of the most discussed aspects of Landrun was its network restriction capabilities. Currently, Landrun supports TCP port-based restrictions (binding and connecting), but only on Linux kernel 6.8 or later with Landlock ABI v5.
The developers have indicated plans to expand network filtering capabilities in future releases, including UDP support and potentially more fine-grained controls. This incremental approach to feature development aligns with Landlock's own evolution in the Linux kernel.
Some users expressed interest in per-process firewall settings, noting that this has been a longstanding challenge in Linux security. While Landrun doesn't completely solve this problem, its TCP restrictions provide a step in that direction for applications that need controlled network access.
Landrun Features
- Kernel-level security using Landlock LSM
- Lightweight and fast execution
- Fine-grained access control for directories
- Support for read and write paths
- Path-specific execution permissions
- TCP network access control (binding and connecting)
Kernel Compatibility Table
| Feature | Minimum Kernel Version | Landlock ABI Version |
|---|---|---|
| Basic filesystem sandboxing | 5.13 | 1 |
| File referring/reparenting control | 5.19 | 2 |
| File truncation control | 6.2 | 3 |
| Network TCP restrictions | 6.7 | 4 |
| IOCTL on special files | 6.10 | 5 |
Practical Applications
Community members shared various use cases for Landrun, from securing web servers with selective network permissions to running untrusted code in a controlled environment. One user mentioned using a similar tool to confine builds of third-party software, highlighting the practical security benefits for everyday development workflows.
For desktop users, some drew parallels to macOS's permission system, where applications must request access to specific directories. While Landrun doesn't currently implement an interactive permission system, it provides the underlying mechanism that could enable such functionality in the future.
The tool's lightweight nature and lack of dependencies make it particularly attractive for security-conscious users who want to add an extra layer of protection without the overhead of full containerization.
As Linux continues to evolve its security capabilities, tools like Landrun play a crucial role in making advanced security features accessible to a broader audience. By simplifying the interface to Landlock, Landrun helps bridge the gap between powerful kernel-level security mechanisms and practical, everyday use cases.
Reference: landrun