{"id":17925941,"url":"https://github.com/shoenig/go-landlock","last_synced_at":"2025-03-24T03:31:16.716Z","repository":{"id":62867521,"uuid":"561119828","full_name":"shoenig/go-landlock","owner":"shoenig","description":"Go filesystem isolation via Linux landlock sandbox ","archived":false,"fork":false,"pushed_at":"2025-03-01T14:39:06.000Z","size":96,"stargazers_count":17,"open_issues_count":5,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-19T02:38:08.998Z","etag":null,"topics":["access","filesystem","go","isolation","landlock","linux","restrict","sandbox","secure"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shoenig.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-03T01:44:32.000Z","updated_at":"2025-03-04T12:51:17.000Z","dependencies_parsed_at":"2023-02-15T23:31:03.109Z","dependency_job_id":"cbdf09f1-9b53-4dfc-a042-d63d93f8812b","html_url":"https://github.com/shoenig/go-landlock","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shoenig%2Fgo-landlock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shoenig%2Fgo-landlock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shoenig%2Fgo-landlock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shoenig%2Fgo-landlock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shoenig","download_url":"https://codeload.github.com/shoenig/go-landlock/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245204544,"owners_count":20577370,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access","filesystem","go","isolation","landlock","linux","restrict","sandbox","secure"],"created_at":"2024-10-28T20:58:28.784Z","updated_at":"2025-03-24T03:31:15.854Z","avatar_url":"https://github.com/shoenig.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# go-landlock\n\n\u003cimg align=\"right\" width=\"240\" height=\"257\" src=\"https://i.imgur.com/uOcXkpt.png\"\u003e\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/shoenig/go-landlock.svg)](https://pkg.go.dev/github.com/shoenig/go-landlock)\n[![CI Tests](https://github.com/shoenig/go-landlock/actions/workflows/ci.yaml/badge.svg)](https://github.com/shoenig/go-landlock/actions/workflows/ci.yaml)\n[![License: MPL 2.0](https://img.shields.io/badge/License-MPL_2.0-orange.svg)](https://opensource.org/licenses/MPL-2.0)\n\nThe `go-landlock` module provides a Go library for interfacing with the Linux kernel\nlandlock feature. Landlock is a mechanism for minimizing filesystem access to a\nLinux process. Using `go-landlock` does not require `root` or any escalated capabilities.\n\n### Requirements\n\nRequires **Linux 5.13+** with Landlock enabled. There is a no-op implementation provided\nfor non-Linux platforms for convenience, which provide no isolation.\n\nMost recent Linux distributions should be supported.\n\nVerified distros\n- Ubuntu 22.04 LTS\n- Ubuntu 20.04 LTS\n- Fedora 36\n\nThe minimum Go version is `go1.19`.\n\n### Install\n\nUse `go get` to grab the latest version of `go-landlock`.\n\n```shell\ngo get -u github.com/shoenig/go-landlock@latest\n```\n\n### Influence\n\nThis library is made possible after studying several sources, including but\nnot limited to\n\n- [landlock.io](https://landlock.io/) official documentation\n- [LWN](https://lwn.net/Articles/859908/)'s Landlock finally Sails\n- [pledge.com](https://justine.lol/pledge/) by Justine Tunney\n- [sandboxer.c](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c) kernel reference implementation\n\n### API\n\nFull documentation is on [pkg.go.dev](https://pkg.go.dev/github.com/shoenig/go-landlock).\n\nThe `go-landlock` package aims to provide a simple abstraction over the Kernel landlock\nimplementation details. Simply create a `Locker` with the `Path`'s to expose, and then\ncall `.Lock()` to isolate the process. The process will only be able to access the files\nand directories, at the file modes specified. Attempts to access any other filesystem\npaths will result in errors returned from the kernel system calls (like `open`).\n\nGroups of commonly used paths are pre-defined for convenience.\n\n- `Shared()` : for executing dynamically linked binaries\n- `Stdio()` : for using standard I/O operations\n- `TTY()` : for using terminal operations\n- `Tmp()` : for accessing system tmp directory\n- `VMInfo()` : for reading system information\n- `DNS()` : for reading DNS related information\n- `Certs()` : for reading system SSL/TLS certificate files\n\nCustom paths can be specified using `File()` or `Dir()`. Each takes 2 arguments - the actual\nfilepath (absolute or relative), and a `mode` string. A mode string describes what level\nof file mode permissions to allow. Must be a subset of `\"rwxc\"`.\n\n- `r` : enable read permissions\n- `w` : enable write permissions\n- `x` : enable execute permissions\n- `c` : enable create permissions\n\nOnce a `Locker` is configured, isolation starts on the call to `Lock()`. The level\nof safety is configured by passing either `Mandatory` or `Try`.\n\n- `Mandatory` : return an error is Landlock is unsupported or activation causes an error\n- `Try` : continue without error regardless if landlock is supported or working\n- `OnlySupported` : like `Mandatory`, but returns no error if the operating system does not support landlock\n\nOnce a process has been locked, it cannot be unlocked. Any descendent processes of the\nlocked process will also be locked, and cannot be unlocked. A child process can further\nrestrict itself via additional uses of landlock.\n\n### Examples\n\n#### complete example\n\nThis is a complete example of a small program which is able to read from\n`/etc/os-release`, and is unable to access any other part of the filesystem\n\n```go\npackage main\n\nimport (\n  \"fmt\"\n  \"os\"\n\n  \"github.com/shoenig/go-landlock\"\n)\n\nfunc main() {\n  l := landlock.New(\n    landlock.File(\"/etc/os-release\", \"r\"),\n  )\n  err := l.Lock(landlock.Mandatory)\n  if err != nil {\n    panic(err)\n  }\n\n  _, err = os.ReadFile(\"/etc/os-release\")\n  fmt.Println(\"reading /etc/os-release\", err)\n\n  _, err = os.ReadFile(\"/etc/passwd\")\n  fmt.Println(\"reading /etc/passwd\", err)\n}\n```\n\n```\n➜ go run main.go\nreading /etc/os-release \u003cnil\u003e\nreading /etc/passwd open /etc/passwd: permission denied\n```\n\n#### shared objects (dynamic linking)\n\nPrograms that exec other processes may need to un-restrict a set of\nshared object libraries. `go-landlock` provides the `Shared()` path\nto simplify this configuration.\n\n```go\nl := landlock.New(\n  landlock.Shared(), // common shared object files\n  landlock.File(\"/usr/bin/echo\", \"rx\"),\n)\n\n// e.g. execute echo in a sub-process\n```\n\n#### ssl/tls/dns (networking)\n\nPrograms that make use of the internet can use the `DNS()` and `Certs()`\nhelper paths to unlock necessary files for DNS resolution and reading\nsystem SSL/TLS certificates.\n\n```go\nl := landlock.New(\n  landlock.DNS(),\n  landlock.Certs(),\n)\n\n// e.g.\n// _, err = http.Get(\"https://example.com\")\n```\n\n### License\n\nOpen source under the [MPL](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshoenig%2Fgo-landlock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshoenig%2Fgo-landlock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshoenig%2Fgo-landlock/lists"}