landrun

Stale
GitHub Go MIT

Description

landrun is a lightweight, Landlock-based Linux process sandbox that runs any program under tight capability isolation without requiring root.

Key Features

  • Landlock kernel isolation - leverages Linux 5.13+ Landlock LSM for filesystem access control
  • No-root deployment - regular users can launch sandboxes without sudo or privileged containers
  • Fine-grained policy - declare readable, writable, and executable directory sets from the CLI
  • Network capability control - optionally disable networking or restrict to specific ports
  • firejail-like ergonomics - simple `landrun ./program` wraps any binary in a sandbox
  • Static binary - single-file distribution with zero external runtime dependencies

Use Cases

💡 Force filesystem isolation when AI agents invoke third-party CLI tools
💡 Run untrusted npm/pip install scripts without polluting the home directory
💡 Restrict dev environment network access to internal registries only
💡 Launch user-submitted code on multi-tenant servers inside landrun
💡 Provide a lighter alternative to firejail for Landlock-capable kernels

Quick Start

# Install (requires Linux 5.13+ kernel)
curl -fsSL https://raw.githubusercontent.com/Zouuup/landrun/main/install.sh | bash

# Wrap any command in a sandbox
# read-only /etc, read-write /tmp, no network access
landrun --ro /etc --rw /tmp --net-none -- ./untrusted-binary

# Restrict a browser to its profile dir only
landrun --ro / --rw "$HOME/.config/firefox" --rw /tmp -- ./firefox

# Check whether Landlock is enabled in your kernel
cat /sys/kernel/security/lsm
# the comma-separated list of active LSMs includes "landlock" when supported

Related Projects