|
|
Пишет Slashdot (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_slashdot)@ 2025-04-05 21:34:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
'Landrun': Lightweight Linux Sandboxing With Landlock, No Root Required
Over on Reddit's "selfhosted" subreddit for alternatives to popular services, long-time Slashdot reader Zoup described a pain point: - Landlock is a Linux Security Module (LSM) that lets unprivileged processes restrict themselves. - It's been in the kernel since 5.13, but the API is awkward to use directly. - It always annoyed the hell out of me to run random binaries from the internet without any real control over what they can access. So they've rolled their own solution, according to Thursday's submission to Slashdot: I just released Landrun, a Go-based CLI tool that wraps Linux Landlock (5.13+) to sandbox any process without root, containers, or seccomp. Think firejail, but minimal and kernel-native. Supports fine-grained file access (ro/rw/exec) and TCP port restrictions (6.7+). No daemons, no YAML, just flags. Example (where --rox allows read-only access with execution to specified path): # landrun --rox /usr touch /tmp/filetouch: cannot touch '/tmp/file': Permission denied# landrun --rox /usr --rw /tmp touch /tmp/file# It's MIT-licensed, easy to audit, and now supports systemd services.
Over on Reddit's "selfhosted" subreddit for alternatives to popular services, long-time Slashdot reader Zoup described a pain point: - Landlock is a Linux Security Module (LSM) that lets unprivileged processes restrict themselves. - It's been in the kernel since 5.13, but the API is awkward to use directly. - It always annoyed the hell out of me to run random binaries from the internet without any real control over what they can access. So they've rolled their own solution, according to Thursday's submission to Slashdot: I just released Landrun, a Go-based CLI tool that wraps Linux Landlock (5.13+) to sandbox any process without root, containers, or seccomp. Think firejail, but minimal and kernel-native. Supports fine-grained file access (ro/rw/exec) and TCP port restrictions (6.7+). No daemons, no YAML, just flags. Example (where --rox allows read-only access with execution to specified path): # landrun --rox /usr touch /tmp/filetouch: cannot touch '/tmp/file': Permission denied# landrun --rox /usr --rw /tmp touch /tmp/file# It's MIT-licensed, easy to audit, and now supports systemd services.
Read more of this story at Slashdot.
