landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
commit 8aae3002e9b8b2639e2941b85633aa0b1b6e1447
parent 2f400913ba8ff21cc55b342952cf053a104bd934
Author: Marc <marc@coquand.email>
Date: Tue, 31 Mar 2026 16:28:03 +0200

README

Diffstat:
| M | README.md | | | 33 | +++++++++++++++++---------------- |
1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md @@ -1,6 +1,6 @@ # Landdown - Easy shell script sandbox -A minimal Linux utility tool for locking down a shell script's access using [landlock](https://landlock.io). For example: +A minimal Linux utility tool for sandboxing shell scripts using [landlock](https://landlock.io). To use, prepend your script with landdown and rules. Here is a basic example: ```sh #!/usr/bin/env landdown @@ -11,38 +11,39 @@ rwf /tmp/some-file.txt echo Edit > /tmp/some-file.txt ``` -The aim is to allow developers to easily lock down scripts. I personally use it for my CGI scripts to have per-endpoint sandboxing. +By default, landdown locks down file and network access of a script and then whitelists based on the rules given. -It works by prefixing the shebang with a list of locations that should be accessible +The syntax is: ``` #!/usr/bin/env landdown -<directives> +<directives...> #!<interpreter> script content ``` ## Install -Requires go, run - ``` go install git.sr.ht/~marcc/landdown@latest ``` -Make sure $HOME/go/bin is in your path. ## Supported directives ``` -- rof <file> -- rwf <file> -- ro <dir> -- rw <dir> -- bind <port> -- connect <port> +rof <file> +rwf <file> +ro <dir> +rw <dir> +bind <port> +connect <port> ``` +Each directive can be used zero or more times. + +`ro`, `rw` and `rwf` give execute access. + ## Examples ### Hello world @@ -55,7 +56,7 @@ ro /lib echo "Hello world" ``` -Try removing `/bin` or `/lib` and it should fail. +Try removing `/bin` or `/lib`, the script should then fail. ### Edit a file @@ -70,9 +71,9 @@ echo Edit > /tmp/some-file.txt Try removing `rwf /tmp/some-file.txt` and the script should fail. -Note: the file need to exist in order to landlock it. +Note: the file need to exist in order for landlock to work, run `touch /tmp/some-file.txt` to test. -### Curl google +### Curl ```sh #!/usr/bin/env landdown
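Review bot: in the first hunk (`@@ -1,6 +1,6 @@`), "prepend your script with landdown and rules" leaves the ordering implicit; the example that follows shows three parts in a fixed order (the `#!/usr/bin/env landdown` shebang, then the directive lines, then the interpreter shebang), so say so explicitly, e.g. "put `#!/usr/bin/env landdown` on the first line, the rules on the lines after it, then the shebang of the real interpreter", otherwise readers may put the rules before the landdown shebang.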
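Review bot: the second hunk (`@@ -11,38 +11,39 @@`) drops the Go prerequisite ("Requires go, run") and the "Make sure $HOME/go/bin is in your path." note from the Install section without replacing them; a reader unfamiliar with `go install` then ends up with a binary that is not on their PATH, so keep both sentences (or fold them into one line under the `go install` block). The new sentence "`ro`, `rw` and `rwf` give execute access." is the security-relevant part of this change and deserves one more sentence: state that `rof` is the only directive that grants read without execute, so that a writable file (`rwf`) is also executable and a script that can write to it can run what it wrote; spelling that out lets users pick `rof` for data files. Also, "locks down file and network access of a script and then whitelists based on the rules given" would be clearer as "denies all file and network access except what the rules whitelist", which makes the default-deny behaviour unambiguous.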
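Review bot: the third hunk (`@@ -55,7 +56,7 @@`) introduces a comma splice; "Try removing `/bin` or `/lib`, the script should then fail." reads better as "Try removing `/bin` or `/lib`; the script should then fail." (or keep the original "and it should fail").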
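Review bot: in the fourth hunk (`@@ -70,9 +71,9 @@`) the rewritten note still carries the grammar error from the old line: "the file need to exist" should be "the file needs to exist". While touching it, say why the file must exist (landlock rules are attached to existing filesystem objects, so a rule for a path that does not exist yet cannot be applied), which explains the `touch /tmp/some-file.txt` step rather than just stating it.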