[ranger_danger]

This is the minimum options I needed to get it to work:

landrun --log-level debug --exec --ro /usr/bin --ro /usr/lib --rw /tmp touch /tmp/foo

Personally I don't like that --exec would allow binaries in /tmp to be executed as well...

[qwertox]

But

`landrun --ro /usr/bin --ro /lib --ro /lib64 --rw /path/to/dir touch /path/to/dir/newfile`

vs

`landrun --ro /usr/bin --ro /lib --ro /lib64 --exec /usr/bin/bash`

seems to indicate that `--exec` is only required if the command you're executing then uses an `exec`-call internally, which `bash` would need to be able to fork.

So `touch` should not need `--exec`, while `bash` should be able to run anything it can read (including that whitelisted `/tmp`).

[ranger_danger]

The former does not work for me, I have to add --exec. I can only assume it's because touch is in /usr/bin and so it needs permission to execute it from there.

It seems that using --ro or --rw at all makes --exec also mandatory.

[Zoup]

well yeah you'll need --exec when you want to run binaries (unlike... cat?) I hope landlock adds support to bind --exec to actual directories, that'll be fun!

[ranger_danger]

> you'll need --exec when you want to run binaries

well when wouldn't it do that? in what scenario could you even use this tool without needing to execute a binary?

[Zoup]

running cat isn't a --exec for one :)

[ranger_danger]

how so?

$ landrun --ro /usr/bin cat a

[landrun:error] 2025/03/22 23:50:16 permission denied

[nine_k]

As a workaround you could create a tmpfs device like /tmp_noexec with noexec flag, and mount it instead of the normal /tmp. But landrun does not (yet?) allow changing the name in directory options :(

For added security, I'd create an ephemeral tmpfs disk for each landlocked invocation: obviously the program we're running has no business seeing what other processes may have put to /tmp.

[ranger_danger]

> I'd create an ephemeral tmpfs disk for each landlocked invocation

And now you've just invented firejail.

[nine_k]

UX-wise, yes. Internally firejail and landrun use different isolation APIs.

[ranger_danger]

Firejail supports Landlock though: https://github.com/netblue30/firejail/pull/6078