Icelock is a small CLI tool for restricting programs with Landlock (and seccomp). You can use icelock to run programs with reduced privileges
Run icelock --help for a list of options, and see USAGE.md for details
Just run nix build
You can also run go build -v in the src/ dir, but then you'll need to ensure that libseccomp and pkg-config are installed
-
execute permission only covers direct file execution, so it can be bypassed
-
if filesystem access is restricted the app can't modify filesystem topology, which breaks bubblewrap and other sandboxing solutions that use mount namespaces
-
icelock doesn't stop the app from using too much resources (memory, CPU time, etc), so it won't protect you from eg. a fork bomb
-
reading file metadata (
stat(2)) isn't restricted -
file locking (
flock(2)) isn't restricted -
changing file access/modify times (
utime(2)) isn't restricted
Landrun was the initial inspiration for icelock, and what got me interested in Landlock in the first place. That being said, there are some major differences. As of landrun version 0.1.15:
-
landrun doesn't restrict unix sockets, which allows for sandbox escape
-
landrun only passes the env vars that you explicitly specify, which makes it very annoying to use
-
icelock has support for Landlock features up to ABI v9, while landrun only up to v5
-
icelock uses seccomp (in addition to Landlock)
-
icelock drops capabilities by default
-
landrun has flags for automatically adding the app executable/libraries to RX paths
Island is the official Landlock sandboxing tool. Island is designed around workspaces, and as such is very different from icelock