{ "componentChunkName": "component---src-templates-issues-tsx", "path": "/issues/346", "result": {"data":{"issuesJson":{"id":"8c71a8e0-e3df-5b2e-846e-d52082c1edf4","title":"Zouuup/landrun: 使用Landlock在一个安全的、非特权的沙盒中运行任何Linux进程。","number":346,"bodyHTML":"

\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Repos	Zouuup/landrun
Views	$\"views\"$
Stars	$\"stars\"$
Forks	$\"forks\"$
License	$\"license\"$
UpdatedAt	$\"last-commit\"$
CreatedAt	$\"create-at\"$

\n\n

\n

\n

\n

Landrun

\n

A lightweight, secure sandbox for running Linux processes using Landlock. Think firejail, but with kernel-level security and minimal overhead.

\n

Linux Landlock is a kernel-native security module that lets unprivileged processes sandbox themselves.

\n

Landrun is designed to make it practical to sandbox any command with fine-grained filesystem and network access controls. No root. No containers. No SELinux/AppArmor configs.

\n

It's lightweight, auditable, and wraps Landlock v5 features (file access + TCP restrictions).

\n

Features

\n

🔒 Kernel-level security using Landlock
🚀 Lightweight and fast execution
🛡️ Fine-grained access control for directories and files
🔄 Support for read and write paths
⚡ Path-specific execution permissions
🌐 TCP network access control (binding and connecting)

\n

Demo

\n

\n $\"landrun$ \n

\n

Requirements

\n

Linux kernel 5.13 or later with Landlock enabled
Linux kernel 6.7 or later for network restrictions (TCP bind/connect)
Go 1.18 or later (for building from source)

\n

Installation

\n

Quick Install

\n

go install github.com/zouuup/landrun/cmd/landrun@latest

\n

From Source

\n

git clone https://github.com/zouuup/landrun.git\ncd landrun\ngo build -o landrun cmd/landrun/main.go\nsudo cp landrun /usr/local/bin/

\n

Distros

\n

Arch (AUR)

\n

stable maintained by Vcalv
latest commit maintained by juxuanu

\n

Slackware

\n

maintained by r1w1s1

\n

\n

sudo sbopkg -i packagename

\n

Usage

\n

Basic syntax:

\n

landrun [options] <command> [args...]

\n

Options

\n

--ro <path>: Allow read-only access to specified path (can be specified multiple times or as comma-separated values)
--rox <path>: Allow read-only access with execution to specified path (can be specified multiple times or as comma-separated values)
--rw <path>: Allow read-write access to specified path (can be specified multiple times or as comma-separated values)
--rwx <path>: Allow read-write access with execution to specified path (can be specified multiple times or as comma-separated values)
--bind-tcp <port>: Allow binding to specified TCP port (can be specified multiple times or as comma-separated values)
--connect-tcp <port>: Allow connecting to specified TCP port (can be specified multiple times or as comma-separated values)
--env <var>: Environment variable to pass to the sandboxed command (format: KEY=VALUE or just KEY to pass current value)
--best-effort: Use best effort mode, falling back to less restrictive sandbox if necessary [default: disabled]
--log-level <level>: Set logging level (error, info, debug) [default: \"error\"]
--unrestricted-network: Allows unrestricted network access (disables all network restrictions)
--unrestricted-filesystem: Allows unrestricted filesystem access (disables all filesystem restrictions)
--add-exec: Automatically adds the executing binary to --rox
--ldd: Automatically adds required libraries to --rox

\n

Important Notes

\n

You must explicitly add the directory or files to the command you want to run with --rox flag
For system commands, you typically need to include /usr/bin, /usr/lib, and other system directories
Use --rwx for directories or files where you need both write access and the ability to execute files
Network restrictions require Linux kernel 6.7 or later with Landlock ABI v4
By default, no environment variables are passed to the sandboxed command. Use --env to explicitly pass environment variables
The --best-effort flag allows graceful degradation on older kernels that don't support all requested restrictions
Paths can be specified either using multiple flags or as comma-separated values (e.g., --ro /usr,/lib,/home)
If no paths or network rules are specified and neither unrestricted flag is set, landrun will apply maximum restrictions (denying all access)

\n

Environment Variables

\n

LANDRUN_LOG_LEVEL: Set logging level (error, info, debug)

\n

Examples

\n

Run a command that allows exec access to a specific file

\n

landrun --rox /usr/bin/ls --rox /usr/lib --ro /home ls /home

\n

Run a command with read-only access to a directory:

\n

landrun --rox /usr/ --ro /path/to/dir ls /path/to/dir

\n

Run a command with write access to a directory:

\n

landrun --rox /usr/bin --ro /lib --rw /path/to/dir touch /path/to/dir/newfile

\n

Run a command with write access to a file:

\n

landrun --rox /usr/bin --ro /lib --rw /path/to/dir/newfile touch /path/to/dir/newfile

\n

Run a command with execution permissions:

\n

landrun --rox /usr/ --ro /lib,/lib64 /usr/bin/bash

\n

Run with debug logging:

\n

landrun --log-level debug --rox /usr/ --ro /lib,/lib64,/path/to/dir ls /path/to/dir

\n

Run with network restrictions:

\n

landrun --rox /usr/ --ro /lib,/lib64 --bind-tcp 8080 --connect-tcp 80 /usr/bin/my-server

\n

This will allow the program to only bind to TCP port 8080 and connect to TCP port 80.

\n

Run a DNS client with appropriate permissions:

\n

landrun --log-level debug --ro /etc,/usr --rox /usr/ --connect-tcp 443 nc kernel.org 443

\n

This allows connections to port 443, requires access to /etc/resolv.conf for resolving DNS.

\n

Run a web server with selective network permissions:

\n

landrun --rox /usr/bin --ro /lib,/lib64,/var/www --rwx /var/log --bind-tcp 80,443 /usr/bin/nginx

\n

Running anything without providing parameters is... maximum security jail!

\n

landrun ls

\n

If you keep getting permission denied without knowing what exactly going on, best to use strace with it.

\n

landrun --rox /usr strace -f -e trace=all ls

\n

Run with specific environment variables:

\n

landrun --rox /usr --ro /etc --env HOME --env PATH --env CUSTOM_VAR=my_value -- env

\n

This example passes the current HOME and PATH variables, plus a custom variable named CUSTOM_VAR.

\n

Run command with explicity access to files instead of directories:

\n

landrun --rox /usr/lib/libc.so.6 --rox /usr/lib64/ld-linux-x86-64.so.2  --rox /usr/bin/true /usr/bin/true

\n

Run a command with --add-exec which automatically adds target binary to --rox

\n

landrun --rox /usr/lib/ --add-exec /usr/bin/true

\n

Run a command with --ldd and --add-exec which automatically adds required libraries and target binary to --rox

\n

landrun --ldd --add-exec /usr/bin/true

\n

Note that shared libs always need exec permission due to how they are loaded, PROT_EXEC on mmap() etc.

\n

Systemd Integration

\n

landrun can be integrated with systemd to run services with enhanced security. Here's an example of running nginx with landrun:

\n

Create a systemd service file (e.g., /etc/systemd/system/nginx-landrun.service):

\n

[Unit]\nDescription=nginx with landrun sandbox\nAfter=network.target\n\n[Service]\nType=simple\nExecStart=/usr/bin/landrun \\\n    --rox /usr/bin,/usr/lib \\\n    --ro  /etc/nginx,/etc/ssl,/etc/passwd,/etc/group,/etc/nsswitch.conf \\\n    --rwx /var/log/nginx \\\n    --rwx /var/cache/nginx \\\n    --bind-tcp 80,443 \\\n    /usr/bin/nginx -g 'daemon off;'\nRestart=always\nUser=nginx\nGroup=nginx\n\n[Install]\nWantedBy=multi-user.target

\n

Enable and start the service:

\n

sudo systemctl daemon-reload\nsudo systemctl enable nginx-landrun\nsudo systemctl start nginx-landrun

\n

Check the service status:

\n

sudo systemctl status nginx-landrun

\n

This configuration:

\n

Runs nginx with minimal required permissions
Allows binding to ports 80 and 443
Provides read-only access to configuration files
Allows write access only to log and cache directories
Runs as the nginx user and group
Automatically restarts on failure

\n

You can adjust the permissions based on your specific needs. For example, if you need to serve static files from /var/www, add --ro /var/www to the ExecStart line.

\n

Security

\n

landrun uses Linux's Landlock to create a secure sandbox environment. It provides:

\n

File system access control
Directory access restrictions
Execution control
TCP network restrictions
Process isolation
Default restrictive mode when no rules are specified

\n

Landlock is an access-control system that enables processes to securely restrict themselves and their future children. As a stackable Linux Security Module (LSM), it creates additional security layers on top of existing system-wide access controls, helping to mitigate security impacts from bugs or malicious behavior in applications.

\n

Landlock Access Control Rights

\n

landrun leverages Landlock's fine-grained access control mechanisms, which include:

\n

File-specific rights:

\n

Execute files (LANDLOCK_ACCESS_FS_EXECUTE)
Write to files (LANDLOCK_ACCESS_FS_WRITE_FILE)
Read files (LANDLOCK_ACCESS_FS_READ_FILE)
Truncate files (LANDLOCK_ACCESS_FS_TRUNCATE) - Available since Landlock ABI v3
IOCTL operations on devices (LANDLOCK_ACCESS_FS_IOCTL_DEV) - Available since Landlock ABI v5

\n

Directory-specific rights:

\n

Read directory contents (LANDLOCK_ACCESS_FS_READ_DIR)
Remove directories (LANDLOCK_ACCESS_FS_REMOVE_DIR)
Remove files (LANDLOCK_ACCESS_FS_REMOVE_FILE)
Create various filesystem objects (char devices, directories, regular files, sockets, etc.)
Refer/reparent files across directories (LANDLOCK_ACCESS_FS_REFER) - Available since Landlock ABI v2

\n

Network-specific rights (requires Linux 6.7+ with Landlock ABI v4):

\n

Bind to specific TCP ports (LANDLOCK_ACCESS_NET_BIND_TCP)
Connect to specific TCP ports (LANDLOCK_ACCESS_NET_CONNECT_TCP)

\n

Limitations

\n

Landlock must be supported by your kernel
Network restrictions require Linux kernel 6.7 or later with Landlock ABI v4
Some operations may require additional permissions
Files or directories opened before sandboxing are not subject to Landlock restrictions

\n

Kernel Compatibility Table

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Feature	Minimum Kernel Version	Landlock ABI Version
Basic filesystem sandboxing	5.13	1
File referring/reparenting control	5.19	2
File truncation control	6.2	3
Network TCP restrictions	6.7	4
IOCTL on special files	6.10	5

\n

Troubleshooting

\n

If you receive \"permission denied\" or similar errors:

\n

Ensure you've added all necessary paths with --ro or --rw
Try running with --log-level debug to see detailed permission information
Check that Landlock is supported and enabled on your system:\n
landlock|lsm=' /boot/config-$(uname -r)\n# alternatively, if there are no /boot/config-* files\nzgrep -iE 'landlock|lsm=' /proc/config.gz\n# another alternate method\ngrep -iE 'landlock|lsm=' /lib/modules/$(uname -r)/config
\nYou should see CONFIG_SECURITY_LANDLOCK=y and lsm=landlock,... in the output
For network restrictions, verify your kernel version is 6.7+ with Landlock ABI v4:\n
```
uname -r
```
\n

\n

Technical Details

\n

Implementation

\n

This project uses the landlock-lsm/go-landlock package for sandboxing, which provides both filesystem and network restrictions. The current implementation supports:

\n

Read/write/execute restrictions for files and directories
TCP port binding restrictions
TCP port connection restrictions
Best-effort mode for graceful degradation on older kernels

\n

Best-Effort Mode

\n

When using --best-effort (disabled by default), landrun will gracefully degrade to using the best available Landlock version on the current kernel. This means:

\n

On Linux 6.7+: Full filesystem and network restrictions
On Linux 6.2-6.6: Filesystem restrictions including truncation, but no network restrictions
On Linux 5.19-6.1: Basic filesystem restrictions including file reparenting, but no truncation control or network restrictions
On Linux 5.13-5.18: Basic filesystem restrictions without file reparenting, truncation control, or network restrictions
On older Linux: No restrictions (sandbox disabled)

\n

When no rules are specified and neither unrestricted flag is set, landrun will apply maximum restrictions available for the current kernel version.

\n

Tests

\n

The project includes a comprehensive test suite that verifies:

\n

Basic filesystem access controls (read-only, read-write, execute)
Directory traversal and path handling
Network restrictions (TCP bind/connect)
Environment variable isolation
System command execution
Edge cases and regression tests

\n

Run the tests with:

\n

./test.sh

\n

Use --keep-binary to preserve the test binary after completion:

\n

./test.sh --keep-binary

\n

Use --use-system to test against the system-installed landrun binary:

\n

./test.sh --use-system

\n

Future Features

\n

Based on the Linux Landlock API capabilities, we plan to add:

\n

🔒 Enhanced filesystem controls with more fine-grained permissions
🌐 Support for UDP and other network protocol restrictions (when supported by Linux kernel)
🔄 Process scoping and resource controls
🛡️ Additional security features as they become available in the Landlock API

\n

Acknowledgements

\n

This project wouldn't exist without:

\n

Landlock, the kernel security module enabling unprivileged sandboxing - maintained by @l0kod
go-landlock, the Go bindings powering this tool - developed by @gnoack

\n

Contributing

\n

Contributions are welcome! Please feel free to submit a Pull Request.

","updatedAt":"2025-05-21T16:09:54Z","upvoteCount":null,"author":{"login":"eryajf","avatarUrl":"https://avatars.githubusercontent.com/u/33259379?u=e4a4090a38ac2473aaed4ef9945233636776c6c3&v=4","url":"https://github.com/eryajf"},"category":null,"labels":{"edges":[{"node":{"name":"更多","color":"25B472"}},{"node":{"name":"命令行工具","color":"e05879"}},{"node":{"name":"Zouuup","color":"45d73f"}}]},"comments":{"edges":[]}}},"pageContext":{"number":346,"previous":{"title":"kubernetes-sigs/kwok: 一个没有 Kubelet 的 Kubernetes，你可以在笔记本电脑上在几秒钟内模拟数千个节点，而不会大量消耗 CPU 或内存资源。且兼容 K8S API","number":345},"next":{"title":"aceld/Lars: Lars是一个简单、易用、高性能的服务间远程调用管理、调度、负载均衡系统。","number":347}}}, "staticQueryHashes": ["151096407","2861350382"]}