Runlock

A lightweight, secure sandbox for running Linux processes using Landlock. Think firejail, but with kernel-level security and minimal overhead.

Linux Landlock is a kernel-native security module that lets unprivileged processes sandbox themselves.

Runlock is a fork/rewrite of landrun with additional features. Like the original, it is designed to make it practical to sandbox any command with fine-grained filesystem and network access controls. No root. No containers. No SELinux/AppArmor configs.

It's lightweight, auditable, and wraps Landlock v6 features (file access + TCP + abstract Unix sockets restiction + signal restrictions ).

Usage

Basic syntax:

runlock [OPTIONS] <COMMAND> [ARGS]...

Arguments:
  <COMMAND>  Command to run
  [ARGS]...  Arguments for the command
Options:
      --log-level <LOG_LEVEL>    Set logging level (error, info, debug) [env: LANDRUN_LOG_LEVEL=] [default: warn]
      --ro <PATH>                Allow read-only access to this path
      --rox <PATH>               Allow read-only access with execution to this path
      --rw <PATH>                Allow read-write access to this path
      --rwx <PATH>               Allow read-write access with execution to this path
      --bind-tcp <PORT>          Allow binding to these TCP ports
      --connect-tcp <PORT>       Allow connecting to these TCP ports
      --env <VAR>                Environment variables to pass to the sandboxed command (KEY=VALUE or just KEY to pass current value)
      --unrestricted-filesystem  Allow unrestricted filesystem access
      --unrestricted-network     Allow unrestricted network access
  -d, --disable-auto-import      Disable the automatic executable import to --rox. If this flag is set, then you must add the executable path manually, as well as all of its dynamic dependencies. And the executable dependencies and their dynamic libraries are also ignored
  -h, --help                     Print help
  -V, --version                  Print version

Configuration file

In addition to the CLI arguments, runlock allows to use a sandbox configuration file, using the toml format

[ls]
ro = ["."]
rox = []
rw = []
rwx = []
bind_tcp = []
connect_tcp = []
env = []
executable_dependencies = []
unrestricted_filesystem = false
unrestricted_network = false
auto_add_binary_dependencies = true

runlock looks for the configuration file in at the location defined SANDBOX_CONFIG environment variable (if set), or if the SANDBOX_CONFIG env variable is not set, it will look for a sandbox.toml file in the current directory.

Remarks

• As much as your kernel version allows, accessing to everything is disabled by default except for read-only-execute permission on the binary you are running and its shared library depenencies. If, for some reason, you want to disable this automatic whitelisting, you can pass the --disable-auto-import (shorthand -d) flag to runlock.
• By default, no environment variables are passed to the sandboxed command. Use --env to explicitly pass environment variables
• Paths can be specified either using multiple flags or as comma-separated values (e.g., --ro /usr,/lib,/home)

Requirements

This sandbox requires at least Linux kernel 5.13 or later with Landlock enabled, but the exact sandboxing capabilities you'll get depend on your kernel version:

• On Linux 5.13 -> 5.18: Basic filesystem
• On Linux 5.19 -> 6.1: Reparenting can be restricted
• On Linux 6.2 -> 6.6: Truncation can be restricted
• On Linux 6.7 -> 6.9: Network can be restricted in addition to file system
• On Linux 6.10 -> 6.11: IOCTL operations on files can be restricted
• On Linux 6.12 and above: Abstract Unix sockets and signals can be restricted
• TODO: on Linux 6.15 and above: implement Audit support (need to contribute to upstream rust-landlock)

The sandbox, like Landlock itself, works in “best effort” mode by default, which means that if you configure the sandbox to be stricter than what the kernel allows, the program will still run without the restriction not supported by the kernel but a warning will be emited. For instance, running runlock on a Linux system with a kernel 6.5, means sandboxed programs will be able to open any TCP connection even if you don't supply the unrestricted-network flag.

Installation

From Source

This requires to have a somewhate up-to-date rust toolchain installed. (It's been developped and tested under rustc 1.90, but it likely works with a somewhat older version)

git clone https://github.com/StyMaar/runlock.git
cd runlock
cargo build --release
cp target/release/runlock <SOMEWHERE IN YOUR PATH>

Examples

You can find usage examples in Examples.md

Security

runlock uses Linux's Landlock to create a secure sandbox environment. It provides:

• File system access control
• Directory access restrictions
• Execution control
• TCP network restrictions
• Process isolation
• Default restrictive mode when no rules are specified

Landlock is an access-control system that enables processes to securely restrict themselves and their future children. As a stackable Linux Security Module (LSM), it creates additional security layers on top of existing system-wide access controls, helping to mitigate security impacts from bugs or malicious behavior in applications.

Differences with landrun

This project started as a Rust rewrite of landrun, but it has since evolved on its own path. To get an overview of the differences between runlock and landrun go to Landrun.md.

Tests

The project re-uses the landrun test suite, go to Tests.md to know how to run them.

Acknowledgements

This project wouldn't exist without:

• landrun, which this project started as a Rust rewrite.
• Landlock, the kernel security module enabling unprivileged sandboxing - maintained by @l0kod
• rust-landlock the official Rust binding for Landlock.