‘Landrun’: Lightweight Linux Sandboxing With Landlock, No Root Required
Landrun, a new command-line tool, uses the Linux kernel's Landlock security module to run a process in a lightweight sandbox without root access. It gives users control over which files a potentially harmful binary can read, write or execute, and on newer kernels which TCP ports it can use.
Overview
Landrun is a tool developed by the user Zoup, specifically for Linux. It builds on Landlock, the kernel feature (present since Linux 5.13) that lets an unprivileged process restrict its own filesystem access; Landrun wraps that mechanism so a downloaded binary can be launched with access to only the directories it needs. The restriction is one-way: once applied it cannot be lifted, and child processes inherit it. Landlock must be enabled in the running kernel, which you can check by looking for "landlock" in /sys/kernel/security/lsm.
Key Features
- Built on the Landlock kernel feature, allowing fine-grained control without requiring root permissions.
- Supports per-directory file access restrictions (read-only, read-write, execute) and, on Linux 6.7 or later (Landlock ABI 4), restrictions on which TCP ports a process may bind or connect to.
- Minimalist approach—no complex configurations like YAML files; uses simple command-line flags.
- MIT-licensed, so the source is open to inspection and audit.
- Can also be used to confine systemd services, not just interactive commands.
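The pattern Landrun automates is the Landlock self-restriction sequence: create a ruleset that declares which access types are handled, add one rule per directory granting a subset of those access types, drop the ability to gain new privileges, then call landlock_restrict_self. The following C program is an added example written for this article, not Landrun's code. The mode names "ro", "rox", "rw" and "rwx" are this example's own shorthand, the sample paths (/usr, /tmp, /etc/hostname) are illustrative, and the example uses only the ABI 1 filesystem bits so it runs on any kernel from 5.13; TCP rules (ABI 4) follow the same create-ruleset/add-rule/restrict flow with a handled_access_net mask and are not shown. It is best-effort: on a kernel or platform without Landlock it reports that and continues unconfined.

```c
/* Added example of the Landlock self-sandbox sequence (not landrun's code). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifdef __has_include
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#define HAVE_LANDLOCK_H 1
#endif
#endif
/* Syscall numbers are the same on every architecture that has Landlock. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#endif

/* ABI 1 (Linux 5.13) definitions, used only when the UAPI header is unavailable. */
#ifndef HAVE_LANDLOCK_H
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
#endif

/* Map this example's shorthand modes to Landlock access masks; 0 for unknown modes. */
uint64_t fs_access_for_mode(const char *mode)
{
    const uint64_t read = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
    const uint64_t write = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR |
        LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR |
        LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO |
        LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;
    if (strcmp(mode, "ro") == 0) return read;
    if (strcmp(mode, "rox") == 0) return read | LANDLOCK_ACCESS_FS_EXECUTE;
    if (strcmp(mode, "rw") == 0) return read | write;
    if (strcmp(mode, "rwx") == 0) return read | write | LANDLOCK_ACCESS_FS_EXECUTE;
    return 0;
}

/* Highest Landlock ABI the running kernel supports, or -1 if Landlock is unavailable. */
int landlock_abi_version(void)
{
#ifdef __linux__
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
#else
    return -1;
#endif
}

/* Grant "allowed" beneath "path". Returns 0 or -errno. */
static int allow_path(int ruleset_fd, const char *path, uint64_t allowed)
{
#ifdef __linux__
    struct landlock_path_beneath_attr rule = { .allowed_access = allowed, .parent_fd = -1 };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC); /* O_PATH: no read access needed */
    if (rule.parent_fd < 0) return -errno;
    long rc = syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    int err = errno;
    close(rule.parent_fd);
    return rc < 0 ? -err : 0;
#else
    (void)ruleset_fd; (void)path; (void)allowed;
    return -ENOSYS;
#endif
}

/* Confine the calling thread to paths[i] with modes[i]. Returns 1 if enforced,
 * 0 if Landlock is unavailable (best effort), or -errno on error. Irreversible. */
int sandbox_self(const char *const paths[], const char *const modes[], size_t n)
{
#ifdef __linux__
    if (landlock_abi_version() < 1) return 0;
    /* Every ABI 1 access type is handled, so anything not granted below is denied. */
    struct landlock_ruleset_attr attr = { .handled_access_fs = fs_access_for_mode("rwx") };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset_fd < 0) return -errno;
    for (size_t i = 0; i < n; i++) {
        uint64_t allowed = fs_access_for_mode(modes[i]);
        int arc = allowed ? allow_path(ruleset_fd, paths[i], allowed) : -EINVAL;
        if (arc < 0) { close(ruleset_fd); return arc; }
    }
    /* Landlock refuses to restrict a thread that could regain privilege via setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { close(ruleset_fd); return -errno; }
    long rc = syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
    int err = errno;
    close(ruleset_fd);
    return rc < 0 ? -err : 1;
#else
    (void)paths; (void)modes; (void)n;
    return 0;
#endif
}

int main(void)
{
    const char *const paths[] = { "/usr", "/tmp" }; /* sample policy: run from /usr, scratch in /tmp */
    const char *const modes[] = { "rox", "rw" };
    int rc = sandbox_self(paths, modes, 2);
    if (rc < 0) { fprintf(stderr, "sandbox failed: %s\n", strerror(-rc)); return 1; }
    printf("landlock %s\n", rc ? "enforced" : "unavailable, running unconfined");
    int fd = open("/etc/hostname", O_RDONLY); /* outside the policy: EACCES once enforced */
    printf("open(/etc/hostname): %s\n", fd < 0 ? strerror(errno) : "allowed");
    if (fd >= 0) close(fd);
    return 0;
}
```

Two points worth keeping in mind when adapting this. Later ABIs add handled bits (for example LANDLOCK_ACCESS_FS_REFER in ABI 2 and LANDLOCK_ACCESS_FS_TRUNCATE in ABI 3), and a ruleset can only handle bits the running kernel knows, so a production tool queries the ABI version and masks handled_access_fs to match before creating the ruleset. And because the restriction survives exec and is inherited by children, the usual shape is exactly Landrun's: apply the ruleset in a small launcher, then execve the untrusted binary from an allowed directory.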
Why should I read this?
Landrun gives developers and system administrators a straightforward way to confine a third-party binary to the directories and ports it actually needs, using a mechanism already present in mainstream kernels and without the setup that namespaces or a full container entail. Two caveats apply. Landlock governs filesystem and TCP access only; it does not filter system calls or isolate the process's view of the network, users or PIDs, so Landrun complements seccomp and namespace-based sandboxes rather than replacing them. And a Landlock policy is only as good as the directories you grant: a binary allowed to write anywhere under a directory it can also execute from can still persist and run code there.