Skip to content(if available)orjump to list(if available)

Landlock-Ing Linux

Landlock-Ing Linux

7 comments

·November 29, 2025
Visit

seethishat

LandLock is a Minor LSM intended for software developers. They incorporate it into their source code to limit where the programs may read/write. Here's a simple Go example:

    package main

    import (
     "flag"
     "fmt"
     "github.com/landlock-lsm/go-landlock/landlock"
     "io/ioutil"
     "log"
     "os"
    )

    // simple program that demonstrates how landlock works in Go on Linux systems.
    // Requires 5.13 or newer kernel and .config should look something like this:
    // CONFIG_SECURITY_LANDLOCK=y
    //  CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
    func main() {
     var help = flag.Bool("help", false, "landlock-example -f /path/to/file.txt")
     var file = flag.String("f", "", "the file path to read")

    flag.Parse()
     if *help || len(os.Args) == 1 {
      flag.PrintDefaults()
      return
     }
    
    // allow the program to read files in /home/user/tmp
     err := landlock.V1.RestrictPaths(landlock.RODirs("/home/user/tmp"))
     if err != nil {
     log.Fatal(err)
     }
    
    // attempt to read a file
     bytes, err := ioutil.ReadFile(*file)
     if err != nil {
     log.Fatal(err)
     }
    
    fmt.Println(string(bytes))
    }

PeterWhittaker

So like using seccomp with a whitelist (fairly easy to do) with per-object access rights.

I'd love to see a comparison of landlock to restricted containers.

razighter777

Comparing landlock to containers isn't really an apples to apples comparison. Containers use a bunch of linux security mechanisms together like chroot seccomp and user namespaces to accomplish their goals. Landlock is just another building block that devs can use.

Fun fact: because landlock is unprivleged, you can even use it inside containers; or to build an unprivileged container runtime :)

razighter777

What the Landlock LSM can add to the state of Linux security

kosolam

So it works also by using some cli utility to run my software for example?

razighter777

Yup. There are tools that use landlock to accomplish just that.

https://github.com/Zouuup/landrun

All you gotta do is apply a policy and do a fork() exec(). There is also support in firejail.

seethishat

Firejail requires SUID, LandLock does not.

Also, it's very easy to write your own LandLock policy in the programming language of your choice and wrap whatever program you like rather than downloading stuff from Github. Here's another example in Go:

    package main

    import (
     "fmt"
     "github.com/landlock-lsm/go-landlock/landlock"
     "log"
     "os"
     "os/exec"
    )

    func main() {
        // Define the LandLock policy
        err := landlock.V1.RestrictPaths(...)

        // Execute FireFox
        cmd := exec.Command("/usr/bin/firefox")
    }