landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
commit 37a2ebb69d67f34176e0c5b5ff4c1e7a5d876e8a
parent f8c2ec74b9e4c5d388f3ddbc176918c1bf2812fd
Author: Marc <marc@coquand.email>
Date: Tue, 31 Mar 2026 22:40:40 +0200

README

Diffstat:
| M | README.md | | | 29 | ++++++++++++++--------------- |
1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md @@ -1,6 +1,6 @@ # Landdown - Simple shell script sandbox -An ergonomic Linux utility for sandboxing shell scripts using [landlock](https://landlock.io). To use, prepend your script with landdown and allow list. For example: +An ergonomic Linux utility for sandboxing shell scripts using [landlock](https://landlock.io). In particular, it aims to protect you against the security impacts of bugs or unexpected/malicious behavior. To use, prepend your script with landdown and allow list. For example: ```sh #!/usr/bin/env landdown @@ -24,7 +24,19 @@ rules... script content... ``` -The sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. +## Supported rules + +``` +rof <file> +rwf <file> +ro <dir> +rw <dir> +bind <port> +connect <port> +``` + +Each rule can be used zero or more times. + ## Install @@ -64,17 +76,4 @@ curl https://www.google.com Try removing `ro /etc/ssl`, `rof /etc/resolv.conf`, or `connect 443` and it should fail. Network access needs to be explicitly set. -## Supported rules - -``` -rof <file> -rwf <file> -ro <dir> -rw <dir> -bind <port> -connect <port> -``` - -Each rule can be used zero or more times. -
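
Review bot: In the first hunk's rewritten intro line, "it aims to protect you against the security impacts of bugs or unexpected/malicious behavior" promises more than the sentence the second hunk deletes ("is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications"). The rules this README lists cover file, directory and port access only, so I would keep the "help mitigate" wording and the "in user space applications" scope rather than "protect you against". On the same line, "prepend your script with landdown and allow list" is missing an article and does not say that landdown goes in the shebang; something like "start your script with a landdown shebang followed by an allow list" matches the example that follows.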
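
Review bot: The "Supported rules" block that the second hunk moves up above "## Install" still lists the six rules as bare syntax with no description. Now that it is the first reference a reader meets, each rule needs a line saying what it grants, including how `rof <file>` differs from `ro <dir>` and which protocol `bind <port>` and `connect <port>` apply to. The section should also state what happens to anything not listed; the only hint in the file is "Network access needs to be explicitly set." in the curl example further down, and nothing says the same for file access.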