[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-73286":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":32,"readmeContent":33,"aiSummary":34,"trendingCount":16,"starSnapshotCount":16,"syncStatus":35,"lastSyncTime":36,"discoverSource":37},73286,"landrun","Zouuup\u002Flandrun","Zouuup","Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel.","",null,"Go",2215,53,19,14,0,5,12,60.9,"MIT License",false,"main",[24,25,26,27,28,29,30,31],"cli","golang","kernel","landlock","sandbox","sandbox-environment","security","security-tools","2026-06-12 04:01:08","# Landrun \u003Cimg src=\"https:\u002F\u002Favatars.githubusercontent.com\u002Fu\u002F21111839?s=48&v=4\" align=\"right\"\u002F>\n\nA lightweight, secure sandbox for running Linux processes using Landlock. Think firejail, but with kernel-level security and minimal overhead.\n\nLinux Landlock is a kernel-native security module that lets unprivileged processes sandbox themselves.\n\nLandrun is designed to make it practical to sandbox any command with fine-grained filesystem and network access controls. No root. No containers. 
No SELinux\u002FAppArmor configs.\n\nIt's lightweight, auditable, and wraps Landlock v5 features (file access + TCP restrictions).\n\n## Features\n\n- 🔒 Kernel-level security using Landlock\n- 🚀 Lightweight and fast execution\n- 🛡️ Fine-grained access control for directories and files\n- 🔄 Support for read and write paths\n- ⚡ Path-specific execution permissions\n- 🌐 TCP network access control (binding and connecting)\n\n## Demo\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"demo.gif\" alt=\"landrun demo\" width=\"700\"\u002F>\n\u003C\u002Fp>\n\n## Requirements\n\n- Linux kernel 5.13 or later with Landlock enabled\n- Linux kernel 6.7 or later for network restrictions (TCP bind\u002Fconnect)\n- Go 1.18 or later (for building from source)\n\n## Installation\n\n### Quick Install\n\n```bash\ngo install github.com\u002Fzouuup\u002Flandrun\u002Fcmd\u002Flandrun@latest\n```\n\n### From Source\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fzouuup\u002Flandrun.git\ncd landrun\ngo build -o landrun cmd\u002Flandrun\u002Fmain.go\nsudo cp landrun \u002Fusr\u002Flocal\u002Fbin\u002F\n```\n\n### Distros\n\n#### Arch (AUR)\n\n- [stable](https:\u002F\u002Faur.archlinux.org\u002Fpackages\u002Flandrun) maintained by [Vcalv](https:\u002F\u002Fgithub.com\u002Fvcalv)\n- [latest commit](https:\u002F\u002Faur.archlinux.org\u002Fpackages\u002Flandrun-git) maintained by [juxuanu](https:\u002F\u002Fgithub.com\u002Fjuxuanu\u002F)\n\n#### Slackware\n\nmaintained by [r1w1s1](https:\u002F\u002Fgithub.com\u002Fr1w1s1)\n\n[Slackbuild](https:\u002F\u002Fslackbuilds.org\u002Frepository\u002F15.0\u002Fnetwork\u002Flandrun\u002F?search=landrun)\n```bash\nsudo sbopkg -i packagename\n```\n\n## Usage\n\nBasic syntax:\n\n```bash\nlandrun [options] \u003Ccommand> [args...]\n```\n\n### Options\n\n- `--ro \u003Cpath>`: Allow read-only access to specified path (can be specified multiple times or as comma-separated values)\n- `--rox \u003Cpath>`: Allow read-only access with execution to specified 
path (can be specified multiple times or as comma-separated values)\n- `--rw \u003Cpath>`: Allow read-write access to specified path (can be specified multiple times or as comma-separated values)\n- `--rwx \u003Cpath>`: Allow read-write access with execution to specified path (can be specified multiple times or as comma-separated values)\n- `--bind-tcp \u003Cport>`: Allow binding to specified TCP port (can be specified multiple times or as comma-separated values)\n- `--connect-tcp \u003Cport>`: Allow connecting to specified TCP port (can be specified multiple times or as comma-separated values)\n- `--env \u003Cvar>`: Environment variable to pass to the sandboxed command (format: KEY=VALUE or just KEY to pass current value)\n- `--best-effort`: Use best effort mode, falling back to less restrictive sandbox if necessary [default: disabled]\n- `--log-level \u003Clevel>`: Set logging level (error, info, debug) [default: \"error\"]\n- `--unrestricted-network`: Allows unrestricted network access (disables all network restrictions)\n- `--unrestricted-filesystem`: Allows unrestricted filesystem access (disables all filesystem restrictions)\n- `--add-exec`: Automatically adds the executing binary to --rox\n- `--ldd`: Automatically adds required libraries to --rox\n\n### Important Notes\n\n- You must explicitly add the directory or the files of the command you want to run with the `--rox` flag\n- For system commands, you typically need to include `\u002Fusr\u002Fbin`, `\u002Fusr\u002Flib`, and other system directories\n- Use `--rwx` for directories or files where you need both write access and the ability to execute files\n- Network restrictions require Linux kernel 6.7 or later with Landlock ABI v4\n- By default, no environment variables are passed to the sandboxed command. 
Use `--env` to explicitly pass environment variables\n- The `--best-effort` flag allows graceful degradation on older kernels that don't support all requested restrictions\n- Paths can be specified either using multiple flags or as comma-separated values (e.g., `--ro \u002Fusr,\u002Flib,\u002Fhome`)\n- If no paths or network rules are specified and neither unrestricted flag is set, landrun will apply maximum restrictions (denying all access)\n\n### Environment Variables\n\n- `LANDRUN_LOG_LEVEL`: Set logging level (error, info, debug)\n\n### Examples\n\n1. Run a command that allows exec access to a specific file\n\n```bash\nlandrun --rox \u002Fusr\u002Fbin\u002Fls --rox \u002Fusr\u002Flib --ro \u002Fhome ls \u002Fhome\n```\n\n2. Run a command with read-only access to a directory:\n\n```bash\nlandrun --rox \u002Fusr\u002F --ro \u002Fpath\u002Fto\u002Fdir ls \u002Fpath\u002Fto\u002Fdir\n```\n\n3. Run a command with write access to a directory:\n\n```bash\nlandrun --rox \u002Fusr\u002Fbin --ro \u002Flib --rw \u002Fpath\u002Fto\u002Fdir touch \u002Fpath\u002Fto\u002Fdir\u002Fnewfile\n```\n\n4. Run a command with write access to a file:\n\n```bash\nlandrun --rox \u002Fusr\u002Fbin --ro \u002Flib --rw \u002Fpath\u002Fto\u002Fdir\u002Fnewfile touch \u002Fpath\u002Fto\u002Fdir\u002Fnewfile\n```\n\n5. Run a command with execution permissions:\n\n```bash\nlandrun --rox \u002Fusr\u002F --ro \u002Flib,\u002Flib64 \u002Fusr\u002Fbin\u002Fbash\n```\n\n6. Run with debug logging:\n\n```bash\nlandrun --log-level debug --rox \u002Fusr\u002F --ro \u002Flib,\u002Flib64,\u002Fpath\u002Fto\u002Fdir ls \u002Fpath\u002Fto\u002Fdir\n```\n\n7. Run with network restrictions:\n\n```bash\nlandrun --rox \u002Fusr\u002F --ro \u002Flib,\u002Flib64 --bind-tcp 8080 --connect-tcp 80 \u002Fusr\u002Fbin\u002Fmy-server\n```\n\nThis will allow the program to only bind to TCP port 8080 and connect to TCP port 80.\n\n8. 
Run a DNS client with appropriate permissions:\n\n```bash\nlandrun --log-level debug --ro \u002Fetc,\u002Fusr --rox \u002Fusr\u002F --connect-tcp 443 nc kernel.org 443\n```\n\nThis allows connections to port 443 and grants the read access to \u002Fetc\u002Fresolv.conf that DNS resolution needs.\n\n9. Run a web server with selective network permissions:\n\n```bash\nlandrun --rox \u002Fusr\u002Fbin --ro \u002Flib,\u002Flib64,\u002Fvar\u002Fwww --rwx \u002Fvar\u002Flog --bind-tcp 80,443 \u002Fusr\u002Fbin\u002Fnginx\n```\n\n10. Running anything without providing parameters is... maximum security jail!\n\n```bash\nlandrun ls\n```\n\n11. If you keep getting permission denied without knowing what exactly is going on, it is best to run strace under landrun:\n\n```bash\nlandrun --rox \u002Fusr strace -f -e trace=all ls\n```\n\n12. Run with specific environment variables:\n\n```bash\nlandrun --rox \u002Fusr --ro \u002Fetc --env HOME --env PATH --env CUSTOM_VAR=my_value -- env\n```\n\nThis example passes the current HOME and PATH variables, plus a custom variable named CUSTOM_VAR.\n\n13. Run a command with explicit access to files instead of directories:\n\n```bash\nlandrun --rox \u002Fusr\u002Flib\u002Flibc.so.6 --rox \u002Fusr\u002Flib64\u002Fld-linux-x86-64.so.2  --rox \u002Fusr\u002Fbin\u002Ftrue \u002Fusr\u002Fbin\u002Ftrue\n```\n\n14. Run a command with `--add-exec`, which automatically adds the target binary to `--rox`:\n\n```bash\nlandrun --rox \u002Fusr\u002Flib\u002F --add-exec \u002Fusr\u002Fbin\u002Ftrue\n```\n\n15. Run a command with `--ldd` and `--add-exec`, which automatically add the required libraries and the target binary to `--rox`:\n\n```bash\nlandrun --ldd --add-exec \u002Fusr\u002Fbin\u002Ftrue\n```\n\nNote that shared libraries always need exec permission because of how they are loaded (mmap() with PROT_EXEC, etc.).\n\n## Systemd Integration\n\nlandrun can be integrated with systemd to run services with enhanced security. Here's an example of running nginx with landrun:\n\n1. 
Create a systemd service file (e.g., `\u002Fetc\u002Fsystemd\u002Fsystem\u002Fnginx-landrun.service`):\n\n```ini\n[Unit]\nDescription=nginx with landrun sandbox\nAfter=network.target\n\n[Service]\nType=simple\nExecStart=\u002Fusr\u002Fbin\u002Flandrun \\\n    --rox \u002Fusr\u002Fbin,\u002Fusr\u002Flib \\\n    --ro  \u002Fetc\u002Fnginx,\u002Fetc\u002Fssl,\u002Fetc\u002Fpasswd,\u002Fetc\u002Fgroup,\u002Fetc\u002Fnsswitch.conf \\\n    --rwx \u002Fvar\u002Flog\u002Fnginx \\\n    --rwx \u002Fvar\u002Fcache\u002Fnginx \\\n    --bind-tcp 80,443 \\\n    \u002Fusr\u002Fbin\u002Fnginx -g 'daemon off;'\nRestart=always\nUser=nginx\nGroup=nginx\n\n[Install]\nWantedBy=multi-user.target\n```\n\n2. Enable and start the service:\n\n```bash\nsudo systemctl daemon-reload\nsudo systemctl enable nginx-landrun\nsudo systemctl start nginx-landrun\n```\n\n3. Check the service status:\n\n```bash\nsudo systemctl status nginx-landrun\n```\n\nThis configuration:\n- Runs nginx with minimal required permissions\n- Allows binding to ports 80 and 443\n- Provides read-only access to configuration files\n- Allows write access only to log and cache directories\n- Runs as the nginx user and group\n- Automatically restarts on failure\n\nYou can adjust the permissions based on your specific needs. For example, if you need to serve static files from `\u002Fvar\u002Fwww`, add `--ro \u002Fvar\u002Fwww` to the ExecStart line.\n\n## Security\n\nlandrun uses Linux's Landlock to create a secure sandbox environment. It provides:\n\n- File system access control\n- Directory access restrictions\n- Execution control\n- TCP network restrictions\n- Process isolation\n- Default restrictive mode when no rules are specified\n\nLandlock is an access-control system that enables processes to securely restrict themselves and their future children. 
As a stackable Linux Security Module (LSM), it creates additional security layers on top of existing system-wide access controls, helping to mitigate security impacts from bugs or malicious behavior in applications.\n\n### Landlock Access Control Rights\n\nlandrun leverages Landlock's fine-grained access control mechanisms, which include:\n\n**File-specific rights:**\n\n- Execute files (`LANDLOCK_ACCESS_FS_EXECUTE`)\n- Write to files (`LANDLOCK_ACCESS_FS_WRITE_FILE`)\n- Read files (`LANDLOCK_ACCESS_FS_READ_FILE`)\n- Truncate files (`LANDLOCK_ACCESS_FS_TRUNCATE`) - Available since Landlock ABI v3\n- IOCTL operations on devices (`LANDLOCK_ACCESS_FS_IOCTL_DEV`) - Available since Landlock ABI v5\n\n**Directory-specific rights:**\n\n- Read directory contents (`LANDLOCK_ACCESS_FS_READ_DIR`)\n- Remove directories (`LANDLOCK_ACCESS_FS_REMOVE_DIR`)\n- Remove files (`LANDLOCK_ACCESS_FS_REMOVE_FILE`)\n- Create various filesystem objects (char devices, directories, regular files, sockets, etc.)\n- Refer\u002Freparent files across directories (`LANDLOCK_ACCESS_FS_REFER`) - Available since Landlock ABI v2\n\n**Network-specific rights** (requires Linux 6.7+ with Landlock ABI v4):\n\n- Bind to specific TCP ports (`LANDLOCK_ACCESS_NET_BIND_TCP`)\n- Connect to specific TCP ports (`LANDLOCK_ACCESS_NET_CONNECT_TCP`)\n\n### Limitations\n\n- Landlock must be supported by your kernel\n- Network restrictions require Linux kernel 6.7 or later with Landlock ABI v4\n- Some operations may require additional permissions\n- Files or directories opened before sandboxing are not subject to Landlock restrictions\n\n## Kernel Compatibility Table\n\n| Feature                            | Minimum Kernel Version | Landlock ABI Version |\n| ---------------------------------- | ---------------------- | -------------------- |\n| Basic filesystem sandboxing        | 5.13                   | 1                    |\n| File referring\u002Freparenting control | 5.19                   | 2                    
|\n| File truncation control            | 6.2                    | 3                    |\n| Network TCP restrictions           | 6.7                    | 4                    |\n| IOCTL on special files             | 6.10                   | 5                    |\n\n## Troubleshooting\n\nIf you receive \"permission denied\" or similar errors:\n\n1. Ensure you've added all necessary paths with `--ro` or `--rw`\n2. Try running with `--log-level debug` to see detailed permission information\n3. Check that Landlock is supported and enabled on your system:\n   ```bash\n   grep -E 'landlock|lsm=' \u002Fboot\u002Fconfig-$(uname -r)\n   # alternatively, if there are no \u002Fboot\u002Fconfig-* files\n   zgrep -iE 'landlock|lsm=' \u002Fproc\u002Fconfig.gz\n   # another alternate method\n   grep -iE 'landlock|lsm=' \u002Flib\u002Fmodules\u002F$(uname -r)\u002Fconfig\n   ```\n   You should see `CONFIG_SECURITY_LANDLOCK=y` and `lsm=landlock,...` in the output\n4. For network restrictions, verify your kernel version is 6.7+ with Landlock ABI v4:\n   ```bash\n   uname -r\n   ```\n\n## Technical Details\n\n### Implementation\n\nThis project uses the [landlock-lsm\u002Fgo-landlock](https:\u002F\u002Fgithub.com\u002Flandlock-lsm\u002Fgo-landlock) package for sandboxing, which provides both filesystem and network restrictions. The current implementation supports:\n\n- Read\u002Fwrite\u002Fexecute restrictions for files and directories\n- TCP port binding restrictions\n- TCP port connection restrictions\n- Best-effort mode for graceful degradation on older kernels\n\n### Best-Effort Mode\n\nWhen using `--best-effort` (disabled by default), landrun will gracefully degrade to using the best available Landlock version on the current kernel. 
This means:\n\n- On Linux 6.7+: Full filesystem and network restrictions\n- On Linux 6.2-6.6: Filesystem restrictions including truncation, but no network restrictions\n- On Linux 5.19-6.1: Basic filesystem restrictions including file reparenting, but no truncation control or network restrictions\n- On Linux 5.13-5.18: Basic filesystem restrictions without file reparenting, truncation control, or network restrictions\n- On older Linux: No restrictions (sandbox disabled)\n\nWhen no rules are specified and neither unrestricted flag is set, landrun will apply maximum restrictions available for the current kernel version.\n\n### Tests\n\nThe project includes a comprehensive test suite that verifies:\n\n- Basic filesystem access controls (read-only, read-write, execute)\n- Directory traversal and path handling\n- Network restrictions (TCP bind\u002Fconnect)\n- Environment variable isolation\n- System command execution\n- Edge cases and regression tests\n\nRun the tests with:\n\n```bash\n.\u002Ftest.sh\n```\n\nUse `--keep-binary` to preserve the test binary after completion:\n\n```bash\n.\u002Ftest.sh --keep-binary\n```\n\nUse `--use-system` to test against the system-installed landrun binary:\n\n```bash\n.\u002Ftest.sh --use-system\n```\n\n## Future Features\n\nBased on the Linux Landlock API capabilities, we plan to add:\n\n- 🔒 Enhanced filesystem controls with more fine-grained permissions\n- 🌐 Support for UDP and other network protocol restrictions (when supported by Linux kernel)\n- 🔄 Process scoping and resource controls\n- 🛡️ Additional security features as they become available in the Landlock API\n\n## Acknowledgements\n\nThis project wouldn't exist without:\n\n- [Landlock](https:\u002F\u002Flandlock.io), the kernel security module enabling unprivileged sandboxing - maintained by [@l0kod](https:\u002F\u002Fgithub.com\u002Fl0kod)\n- [go-landlock](https:\u002F\u002Fgithub.com\u002Flandlock-lsm\u002Fgo-landlock), the Go bindings powering this tool - developed by 
[@gnoack](https:\u002F\u002Fgithub.com\u002Fgnoack)\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request.\n","Landrun is a tool that uses Landlock to run any Linux process in a secure, unprivileged sandbox. It provides kernel-level security guarantees, is lightweight and fast to execute, and supports fine-grained filesystem and network access control. With Landrun, users can easily set read and write path permissions and TCP network access restrictions for a command, with no root privileges or complex configuration required. The project suits scenarios where untrusted code must be tested or run in a controlled environment, such as development testing and automated script execution, while keeping the host system secure and stable.",2,"2026-06-11 03:44:51","high_star"]