this post was submitted on 23 Mar 2025
1 points (100.0% liked)

Self-Hosted Alternatives to Popular Services

222 readers
1 users here now

A place to share, discuss, discover, assist with, gain assistance for, and critique self-hosted alternatives to our favorite web apps, web...

founded 2 years ago
MODERATORS
bot@lemmit.online
1
I built a CLI tool to sandbox Linux processes using Landlock : no containers, no root (old.reddit.com)
submitted 5 months ago by bot@lemmit.online to c/selfhosted@lemmit.online
0 comments fedilink hide all child comments
 
This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/zouuup on 2025-03-22 13:42:13+00:00.

Hey folks, I built a CLI tool called landrun that uses the Linux Landlock LSM to sandbox commands without needing containers or root.

You can define what paths a command can read or write to, and everything else is blocked by the kernel:

# landrun --ro /usr touch /tmp/file
touch: cannot touch '/tmp/file': Permission denied
# landrun --ro /usr --rw /tmp touch /tmp/file
#

🔐 Why does this matter?

  • Landlock is a Linux Security Module (LSM) that lets unprivileged processes restrict themselves.
  • It's been in the kernel since 5.13, but the API is awkward to use directly.
  • It always annoyed the hell out of me to run random binaries from the internet without any real control over what they can access.

🛠 Features:

  • Works with any CLI command
  • Secure-by-default: deny all, allow only specified paths
  • No root, no special privileges required
  • More convenient than selinux, apparmor, etc
  • Written in Go, small and fast

🔗 GitHub:

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here