{"id":19635934,"url":"https://github.com/git-bruh/landbox","last_synced_at":"2025-02-26T21:42:44.151Z","repository":{"id":123990955,"uuid":"551435912","full_name":"git-bruh/landbox","owner":"git-bruh","description":"Small wrapper library for the Linux landlock API, including an example sandboxing utility ","archived":false,"fork":false,"pushed_at":"2022-10-14T14:11:18.000Z","size":8,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-09T16:56:11.248Z","etag":null,"topics":["c","landlock","linux","rootless","sandboxing"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/git-bruh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-14T11:54:12.000Z","updated_at":"2023-02-22T20:59:04.000Z","dependencies_parsed_at":"2024-04-22T09:46:49.393Z","dependency_job_id":null,"html_url":"https://github.com/git-bruh/landbox","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/git-bruh%2Flandbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/git-bruh%2Flandbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/git-bruh%2Flandbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/git-bruh%2Flandbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/git-bruh","download_url":"https:
//codeload.github.com/git-bruh/landbox/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240941488,"owners_count":19882062,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","landlock","linux","rootless","sandboxing"],"created_at":"2024-11-11T12:27:38.474Z","updated_at":"2025-02-26T21:42:44.133Z","avatar_url":"https://github.com/git-bruh.png","language":"C","readme":"# landbox\n\nTiny helper library that wraps the Linux [landlock](https://landlock.io) API, providing a few helpers over the raw syscall API.\n\n# Building\n\n```sh\nmake\nmake DESTDIR=\"$pkgdir\" PREFIX=/usr install\n```\n\nThis builds the library `liblandbox.a` and the example tool `landbox` and installs them to `$DESTDIR/usr/{lib,include,usr}`.\n\n# Usage\n\nInclude `landbox.h` to use the library; the public API consists of ~8 functions. Read the header file for more details. TLDR (error checking omitted):\n\n```c\n#define _GNU_SOURCE\n#include \u003cfcntl.h\u003e\n#include \u003clandbox.h\u003e\n#include \u003cunistd.h\u003e\n\nint main(void) {\n  /* Makes the library check the available landlock ABI and filter out\n   * unsupported flags accordingly */\n  landbox_init();\n\n  /* Opens a landlock handle to apply rules with. 
*/\n  int handle = landbox_open();\n\n  /* Example */\n  int fd = open(\"/usr\", O_PATH);\n\n  landbox_set_perm(handle, fd, LANDBOX_PERM_READ | LANDBOX_PERM_EXECUTE);\n\n  close(fd);\n  fd = open(\"/etc\", O_PATH);\n\n  landbox_set_perm(handle, fd, LANDBOX_PERM_READ);\n\n  close(fd);\n  fd = open(\"/tmp\", O_PATH);\n\n  /* Not granting execute permissions */\n  landbox_set_perm(handle, fd, LANDBOX_PERM_READ | LANDBOX_PERM_WRITE);\n\n  close(fd);\n\n  /* Actually enforce the rules */\n  landbox_enforce(handle);\n\n  landbox_close(handle);\n\n  execv(\"/bin/sh\", (char *[]){\"/bin/sh\", NULL});\n}\n```\n\nThe predefined permission related enums `LANDBOX_PERM_{READ,WRITE,EXECUTE}` internally map to a bitmask of the corresponding landlock constants, to the extent supported by the ABI determined at runtime.\n\nA few helper functions like `landbox_get_raw_perms` and `landbox_filter_raw_perms` are also provided along with syscall wrappers if the macro `LANDBOX_SYSCALL_WRAPPERS` is defined, which also expose the aforementioned information.\n\nRunning the above program:\n\n```sh\nλ cc example.c -Iinclude ./liblandbox.a\nλ ./a.out\nλ pwd\n/home/testuser/Development/Repos/landbox\nλ ls\nls: can't open '.': Permission denied\nλ ls /mnt\nls: can't open '/mnt': Permission denied\nλ ls /usr\nbin      etc      include  lib      lib64    libexec  local    man      sbin     share\nλ cat /etc/passwd\nroot:x:0:0:root:/root:/bin/sh\nnobody:x:99:99:Unprivileged User:/dev/null:/bin/false\ntestuser:x:1000:1000:Linux User,,,:/home/testuser:/bin/sh\nλ cd /tmp\nλ printf '#!/bin/sh\\necho test\\n' \u003e exec.sh\nλ chmod +x exec.sh\nλ ./exec.sh\n/bin/sh: ./exec.sh: Permission denied\nλ # LANDBOX_PERM_EXECUTE was not granted for /tmp\n```\n\nA sample program `landbox` is also provided:\n\n```sh\nλ ./landbox --help\nUsage: ./landbox [option...] 
[--] command [args...]\n    --help            Print this help and exit\n    --version         Print program version and exit\n    --dev             Grant basic access to /dev\n    --proc            Grant basic access to /proc\n    --ro      PATH    Grant read-only access to PATH\n    --ro-try  PATH    Same as --ro but ignore missing PATH\n    --rw      PATH    Grant read-write access to PATH\n    --rw-try  PATH    Same as --rw but ignore missing PATH\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgit-bruh%2Flandbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgit-bruh%2Flandbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgit-bruh%2Flandbox/lists"}