landrun

by Zouuup

1.9Kstars

38forks

18watchers

Updated 6 months ago

About

Landrun is a lightweight, user-friendly Linux sandbox tool that leverages kernel-level Landlock security to run processes with fine-grained filesystem and network restrictions without requiring root or containers.

Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel.

Primary Use Case

Landrun is used to securely sandbox Linux commands and processes by restricting their filesystem and network access, making it ideal for developers, system administrators, and security professionals who want to isolate applications without complex configurations or elevated privileges. It enables running potentially risky or untrusted commands safely on Linux systems with minimal overhead.

Key Features

Kernel-level security using Landlock
Lightweight and fast execution
Fine-grained access control for directories and files
Support for read and write paths
Path-specific execution permissions
TCP network access control (binding and connecting)
No root or container requirements
Auditable and minimal overhead

Installation

Run `go install github.com/zouuup/landrun/cmd/landrun@latest` for quick install
Clone the repository: `git clone https://github.com/zouuup/landrun.git`
Build from source: `cd landrun` then `go build -o landrun cmd/landrun/main.go`
Copy binary to system path: `sudo cp landrun /usr/local/bin/`
Install via Arch AUR stable package maintained by Vcalv
Install via Arch AUR latest commit package maintained by juxuanu
Install on Slackware using Slackbuild maintained by r1w1s1 with `sudo sbopkg -i packagename`

Usage

>_ landrun [options] <command> [args...]

Run a Linux command inside the Landrun sandbox with specified options

>_ --ro <path>

Allow read-only access to the specified path

>_ --rox <path>

Allow read-only access with execution permissions to the specified path

>_ --rw <path>

Allow read-write access to the specified path

>_ --rwx <path>

Allow read-write access with execution permissions to the specified path

>_ --bind-tcp <port>

Allow binding to the specified TCP port

>_ --connect-tcp <port>

Allow connecting to the specified TCP port

>_ --env <var>

Pass environment variables to the sandboxed command

>_ --best-effort

Enable best effort mode to fall back to less restrictive sandboxing if needed

>_ --log-level <level>

Set the logging level (error, info, debug)

>_ --unrestricted-network

Disable all network restrictions allowing full network access

>_ --unrestricted-filesystem

Disable all filesystem restrictions allowing full filesystem access

>_ --add-exec

Automatically add the executing binary to read-only with execution permissions

>_ --ldd

Automatically add required libraries to read-only with execution permissions

Security Frameworks

Defense Evasion

Execution

Persistence

Privilege Escalation

Impact

Usage Insights

Integrate Landrun into CI/CD pipelines to sandbox build and test processes, reducing risk of supply chain attacks.
Use Landrun to isolate suspicious or untrusted binaries during incident response to prevent lateral movement.
Combine Landrun with host-based monitoring tools to enforce least privilege and detect anomalous process behavior.
Leverage Landrun’s network restrictions to simulate and test attacker network tactics in red team exercises.
Deploy Landrun for developer environments to safely test new code with minimal risk to host system integrity.