landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock LSM
landrun
A lightweight, secure sandbox for running Linux processes using Landlock LSM. Think firejail, but with kernel-level security and minimal overhead.
Linux Landlock is a kernel-native security module that lets unprivileged processes sandbox themselves – but nobody uses it because the API is … hard!
Landrun is designed to make it practical to sandbox any command with fine-grained filesystem and network access controls. No root. No containers. No SELinux/AppArmor configs.
It’s lightweight, auditable, and wraps Landlock v5 features (file access + TCP restrictions).
Features
- ? Kernel-level security using Landlock LSM
- ? Lightweight and fast execution
- ?️ Fine-grained access control for directories
- ? Support for read and write paths
- ⚡ Path-specific execution permissions
- ? TCP network access control (binding and connecting)
Security
landrun uses Linux’s Landlock LSM to create a secure sandbox environment. It provides:
- File system access control
- Directory access restrictions
- Execution control
- TCP network restrictions
- Process isolation
Landlock is an access-control system that enables processes to securely restrict themselves and their future children. As a stackable Linux Security Module (LSM), it creates additional security layers on top of existing system-wide access controls, helping to mitigate security impacts from bugs or malicious behavior in applications.
