Landrun is a lightweight, user-friendly Linux sandbox tool that leverages kernel-level Landlock security to run processes with fine-grained filesystem and network restrictions without requiring root or containers.
Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel.
Landrun is used to securely sandbox Linux commands and processes by restricting their filesystem and network access, making it ideal for developers, system administrators, and security professionals who want to isolate applications without complex configurations or elevated privileges. It enables running potentially risky or untrusted commands safely on Linux systems with minimal overhead.
Requires Linux kernel 5.13 or later with Landlock enabled; network restrictions need kernel 6.7 or later. Users must explicitly specify filesystem paths and network ports to allow. No environment variables are passed by default; use --env to pass them. The --best-effort flag enables graceful fallback on older kernels. Properly including system directories like /usr/bin and /usr/lib is necessary for sandboxed commands to run correctly.
Run `go install github.com/zouuup/landrun/cmd/landrun@latest` for quick install
Clone the repository: `git clone https://github.com/zouuup/landrun.git`
Build from source: `cd landrun` then `go build -o landrun cmd/landrun/main.go`
Copy binary to system path: `sudo cp landrun /usr/local/bin/`
Install via Arch AUR stable package maintained by Vcalv
Install via Arch AUR latest commit package maintained by juxuanu
Install on Slackware using Slackbuild maintained by r1w1s1 with `sudo sbopkg -i packagename`
landrun [options] <command> [args...]
Run a Linux command inside the Landrun sandbox with specified options
--ro <path>
Allow read-only access to the specified path
--rox <path>
Allow read-only access with execution permissions to the specified path
--rw <path>
Allow read-write access to the specified path
--rwx <path>
Allow read-write access with execution permissions to the specified path
--bind-tcp <port>
Allow binding to the specified TCP port
--connect-tcp <port>
Allow connecting to the specified TCP port
--env <var>
Pass environment variables to the sandboxed command
--best-effort
Enable best effort mode to fall back to less restrictive sandboxing if needed
--log-level <level>
Set the logging level (error, info, debug)
--unrestricted-network
Disable all network restrictions, allowing full network access
--unrestricted-filesystem
Disable all filesystem restrictions, allowing full filesystem access
--add-exec
Automatically allow read-only access with execution permissions to the binary being executed
--ldd
Automatically allow read-only access with execution permissions to the libraries the binary requires
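The kernel requirements and options above can be combined into a preflight check before anything is launched. The script below is an added example, not code from the landrun project; the function names, the sample paths, port 443 and the `curl` job are assumptions for illustration, and only flags listed on this page are used.

```shell
#!/bin/sh
# Added example (not landrun's own code). Thresholds are the page's:
# filesystem rules need kernel >= 5.13, network rules need >= 6.7.

# landlock_tier RELEASE [LSM_LIST] -> prints none | fs | fs+net
# RELEASE is `uname -r` output; LSM_LIST is the comma-separated content of
# /sys/kernel/security/lsm and must contain "landlock" when supplied.
landlock_tier() {
    release=$1
    lsms=${2-landlock}
    case ",$lsms," in
        *,landlock,*) ;;
        *) echo none; return 0 ;;
    esac
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }; then
        echo fs+net
    elif [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 13 ]; }; then
        echo fs
    else
        echo none
    fi
}

# landrun_args TIER -> prints landrun options for a hypothetical download job
# (the paths, port 443 and HOME are assumptions chosen for illustration).
landrun_args() {
    args="--rox /usr --ro /etc --rw /tmp/dl --env HOME --connect-tcp 443"
    case $1 in
        fs+net) echo "$args" ;;
        # Kernel cannot enforce the TCP rule: --best-effort lets the run
        # proceed with filesystem rules only, so the network stays open.
        fs) echo "--best-effort $args" ;;
        *) echo "Landlock unavailable: refusing to run unsandboxed" >&2
           return 1 ;;
    esac
}

# Usage (curl and the URL stand in for the untrusted command):
#   tier=$(landlock_tier "$(uname -r)" "$(cat /sys/kernel/security/lsm)") &&
#   landrun $(landrun_args "$tier") curl -o /tmp/dl/f https://example.com/
```

Treat the `fs` tier as a reduced guarantee: the process is confined on disk but can still connect to any port.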