logoalt Hacker News

razighter777yesterday at 10:24 PM1 replyview on HN

Yup. There are tools that use landlock to accomplish just that.

https://github.com/Zouuup/landrun

All you gotta do is apply a policy and do a fork() exec(). There is also support in firejail.

Replies

seethishatyesterday at 10:36 PM

Firejail requires SUID, LandLock does not.

Also, it's very easy to write your own LandLock policy in the programming language of your choice and wrap whatever program you like rather than downloading stuff from Github. Here's another example in Go:

    package main

    import (
     "fmt"
     "github.com/landlock-lsm/go-landlock/landlock"
     "log"
     "os"
     "os/exec"
    )

    func main() {
        // Define the LandLock policy
        err := landlock.V1.RestrictPaths(...)

        // Execute FireFox
        cmd := exec.Command("/usr/bin/firefox")
    }