landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
| Log | Files | Refs | README | LICENSE |
commit 2f400913ba8ff21cc55b342952cf053a104bd934 parent 8719bfb36a7247dd2d7d4393c4a5f7ad130c58b5 Author: Marc <marc@coquand.email> Date: Tue, 31 Mar 2026 16:02:36 +0200 Simplify and clean Diffstat:
| M | main.go | | | 25 | +++++++++++-------------- |
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/main.go b/main.go
@@ -58,6 +58,7 @@ func main() {
break
}
+ // Ignore white space and comments
if line == "" || strings.HasPrefix(line, "#") {
continue
}
@@ -108,15 +109,14 @@ func main() {
if len(rwFilePaths) > 0 {
rules = append(rules, landlock.RWFiles(rwFilePaths...))
}
- if len(netRules) > 0 {
- rules = append(rules, netRules...)
+ rules = append(rules, netRules...)
+
+ if len(execCmd) == 0 {
+ log.Fatal("no exec target found (second #! line)")
}
- if len(rules) > 0 {
- err = landlock.V5.BestEffort().Restrict(rules...)
- if err != nil {
- log.Fatalf("failed to apply landlock: %v", err)
- }
+ if err := landlock.V6.BestEffort().Restrict(rules...); err != nil {
+ log.Fatalf("landlock failed: %v", err)
}
fullPath, err := exec.LookPath(execCmd[0])
@@ -126,21 +126,18 @@ func main() {
argv := append(execCmd, extraArgs...)
- env := os.Environ()
// Create a memfile that is the content of the script
// we actually want to run, execute the script with that.
if len(stdinData) > 0 {
- fd, err := unix.MemfdCreate("landdown", 0)
- if err != nil {
- log.Fatalf("memfd_create failed: %v", err)
- }
- unix.Write(fd, stdinData)
+ fd, _ := unix.MemfdCreate("landdown", 0)
+ f := os.NewFile(uintptr(fd), "script")
+ f.Write(stdinData)
// Rewind
unix.Seek(fd, 0, 0)
argv = append(argv, fmt.Sprintf("/dev/fd/%d", fd))
}
- if err := syscall.Exec(fullPath, argv, env); err != nil {
+ if err := syscall.Exec(fullPath, argv, os.Environ()); err != nil {
log.Fatalf("failed to exec: %v", err)
}
}