Landlock is Great
For most software I write these days, Landlock has been my goto for a lightweight sandbox. Landlock is a Linux security module that is very easy to use, and the intention is to "help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications", and works on a process level.
Landlock security module for Linux
Landlock's C interface is a bit complex to use, but luckily Go and Rust both have a higher-level library that manage that complexity for us. As a result, to restrict what my program should have access to, I simply just need to import the library and add:
err := landlock.V6.BestEffort().RestrictPaths(
landlock.RODirs("/usr", "/bin"),
landlock.RWDirs("/tmp"),
)
And you might figure what that code above does just by reading it. If the process tries to read anything except the permitted directories, it will get a permission denied error. I did notice that a program can still sniff what files are on the system, because the permission denied error is different from the not found error, but nonetheless good enough.
Along with that, Landlock can also restirct networking.
err := landlock.V6.BestEffort().RestrictNet(
landlock.BindTCP(8080),
landlock.ConnectTCP(53),
)
I think it is particularly interesting in combination with some older tech. For example this blog uses Landlock in the inetd handler to restrict what the handler can access. It is much more flexible than chroots, and takes about a minute to set up.
For shell scripts, I have a wrapper that I haven't shared to lock down the process, but there is also a public one called landrun.
Reply