The Landrun project has started developing a new system for the isolated execution of individual applications. Isolation relies on the Landlock LSM built into the Linux kernel, so no privileged operations are needed to create a sandbox. Landrun is similar in purpose to the Firejail utility, but stands out with a simpler implementation, a lighter footprint, and the ability to run as a regular user without requiring the SUID flag. The project code is written in Go and is distributed under the GPLv2 license.
The Landlock mechanism lets unprivileged programs restrict their own use of Linux kernel functionality, such as file hierarchies, network sockets, and ioctl calls. The isolated environment is created by the kernel as an additional layer on top of the existing system access control mechanisms, unlike namespaces and system call filtering. Landrun uses the go-landlock library, developed by the Landlock developers, to interact with the Landlock subsystem.
Landrun reduces the risk of running untrusted or potentially vulnerable programs by offering selective access restrictions on individual directories, binding of permissions to file paths (allowing or denying reading, writing, and execution), and control over the opening and acceptance of TCP connections.
With Landrun, a process can be prevented from launching executable files, restricted to writing only in a specific subdirectory, prevented from creating listening sockets for incoming network connections, and limited to sending network requests only to specified TCP ports. For example, to block writing, execution, and network access, the command "landrun --ro /ro" can be used, while nginx can be isolated with the command "landrun --rox /usr/bin,/lib64,/var/www --rwx /var/log --bind-tcp 80,443 /usr/bin/nginx".
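As an added illustration (not Landrun's own code), this is the Landlock ruleset that the nginx invocation above corresponds to, built directly against the raw kernel ABI in C. It assumes x86_64 syscall numbers 444-446, a kernel of 6.8 or newer for the TCP rules, and the mapping of the ro/rox/rw/rwx modes to Landlock rights is this example's reading of the flags, not taken from Landrun's source.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
/* Landlock uapi values, spelled out so no <linux/landlock.h> is needed; 444-446 are the x86_64 syscall numbers. */
enum { FS_EXECUTE = 1 << 0, FS_WRITE_FILE = 1 << 1, FS_READ_FILE = 1 << 2, FS_READ_DIR = 1 << 3,
       FS_REMOVE_DIR = 1 << 4, FS_REMOVE_FILE = 1 << 5, FS_MAKE_DIR = 1 << 7, FS_MAKE_REG = 1 << 8, FS_TRUNCATE = 1 << 14,
       NET_BIND_TCP = 1 << 0, NET_CONNECT_TCP = 1 << 1, RULE_PATH_BENEATH = 1, RULE_NET_PORT = 2 };
struct ruleset_attr { uint64_t handled_access_fs, handled_access_net; };
struct path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
struct net_port_attr { uint64_t allowed_access, port; };
/* Map a Landrun-style mode ("ro", "rox", "rw", "rwx") to the Landlock rights granted beneath a directory (example mapping). */
uint64_t mode_to_fs_access(const char *mode) {
    uint64_t a = FS_READ_FILE | FS_READ_DIR;                      /* every mode may read */
    if (strchr(mode, 'w')) a |= FS_WRITE_FILE | FS_MAKE_REG | FS_MAKE_DIR | FS_REMOVE_FILE | FS_REMOVE_DIR | FS_TRUNCATE;
    if (strchr(mode, 'x')) a |= FS_EXECUTE;
    return a;
}
/* Returns the ruleset fd, or -1 with errno set (ENOSYS on kernels without Landlock). */
int sandbox_create(void) {
    struct ruleset_attr attr = { mode_to_fs_access("rwx"), NET_BIND_TCP | NET_CONNECT_TCP }; /* handled = denied unless granted */
    return (int)syscall(444, &attr, sizeof attr, 0);             /* landlock_create_ruleset */
}
int sandbox_allow_path(int rs, const char *dir, const char *mode) {
    struct path_beneath_attr pb = { mode_to_fs_access(mode), open(dir, O_PATH | O_CLOEXEC) };
    if (pb.parent_fd < 0) return -1;
    int r = (int)syscall(445, rs, RULE_PATH_BENEATH, &pb, 0);    /* landlock_add_rule */
    close(pb.parent_fd);
    return r;
}
int sandbox_allow_bind(int rs, uint16_t port) {
    struct net_port_attr np = { NET_BIND_TCP, port };
    return (int)syscall(445, rs, RULE_NET_PORT, &np, 0);
}
/* Same policy as: landrun --rox /usr/bin,/lib64,/var/www --rwx /var/log --bind-tcp 80,443 /usr/bin/nginx */
int main(void) {
    const char *rox[] = { "/usr/bin", "/lib64", "/var/www" };
    int rs = sandbox_create();
    if (rs < 0) { perror("landlock_create_ruleset"); return 1; }
    for (int i = 0; i < 3; i++) sandbox_allow_path(rs, rox[i], "rox");
    sandbox_allow_path(rs, "/var/log", "rwx");
    sandbox_allow_bind(rs, 80); sandbox_allow_bind(rs, 443);
    /* no_new_privs is required for unprivileged restrict_self; from here on the policy cannot be lifted */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(446, rs, 0)) { perror("landlock_restrict_self"); return 1; }
    execl("/usr/bin/nginx", "nginx", (char *)NULL);              /* runs confined to the rules above */
    perror("execl"); return 1;
}
```

Anything not covered by a rule (for example /etc, /tmp, or connecting out to any TCP port) is denied once restrict_self returns, which is why a real deployment enumerates every directory the service touches before enabling the policy.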
Future plans for Landrun include extended file system access management, UDP support, and process management. Linux kernel 5.13 or newer is required for file system access restrictions, and kernel 6.8 for network restrictions.
It is worth mentioning that the codejail code base has already