Landstrip

Landstrip

[Jarkko Sakkinen]

I played with an idea could Landlock LSM be used to do conceptually a
better fit sandbox for programs such as Anthropic Sandbox Runtime [1].

After some missteps at first I got it pulled together quite well:

https://crates.io/crates/landstrip

To see it in action I also have a fork of pi-hashline-readmap plugin,
which was a cherry-picked test case I wanted to try out given it already
hooks the bash tool command for compressed output.

I just thought that this might interest some as Landlock is not really
over-used kernel feature in "application sense".

This is a more lower barrier and more failure tolerant to deploy than
Bubblewrap based container for this use and purpose in my opinion
at least.

[1] https://github.com/anthropic-experimental/sandbox-runtime/issues/291
[2] https://github.com/jarkkojs/pi-hashline-readmap

BR, Jarkko

Re: Landstrip

[Justin Suess]

On Tue, Jun 02, 2026 at 04:42:51AM +0300, Jarkko Sakkinen wrote:
> I played with an idea could Landlock LSM be used to do conceptually a
> better fit sandbox for programs such as Anthropic Sandbox Runtime [1].
> 
> After some missteps at first I got it pulled together quite well:
> 
> https://crates.io/crates/landstrip
> 
> To see it in action I also have a fork of pi-hashline-readmap plugin,
> which was a cherry-picked test case I wanted to try out given it already
> hooks the bash tool command for compressed output.
> 
> I just thought that this might interest some as Landlock is not really
> over-used kernel feature in "application sense".
> 
> This is a more lower barrier and more failure tolerant to deploy than
> Bubblewrap based container for this use and purpose in my opinion
> at least.
> 
Very cool! Landlock is great for this usecase of application driven
sandboxing.

(just a quick note, the linux-security-module/linux-integrity
mailing lists mostly for kernel development patches, the
landlock.lists.linux.dev list is more for
userspace Landlock topics like this. so I removed the cc for
linux-security-module/linux-integrity and added that list)

I notice there is a seccomp policy for unix sockets in this application.
Although it might not be in your kernel yet, support for sandboxing
named unix sockets with Landlock was recently merged. :)

https://lore.kernel.org/linux-security-module/20260327164838.38231-1-gnoack3000@gmail.com/

Justin

> [1] https://github.com/anthropic-experimental/sandbox-runtime/issues/291
> [2] https://github.com/jarkkojs/pi-hashline-readmap
> 
> BR, Jarkko
> 

Re: Landstrip

[Jarkko Sakkinen]

On Fri, Jun 05, 2026 at 03:19:09PM -0400, Justin Suess wrote:
> On Tue, Jun 02, 2026 at 04:42:51AM +0300, Jarkko Sakkinen wrote:
> > I played with an idea could Landlock LSM be used to do conceptually a
> > better fit sandbox for programs such as Anthropic Sandbox Runtime [1].
> > 
> > After some missteps at first I got it pulled together quite well:
> > 
> > https://crates.io/crates/landstrip
> > 
> > To see it in action I also have a fork of pi-hashline-readmap plugin,
> > which was a cherry-picked test case I wanted to try out given it already
> > hooks the bash tool command for compressed output.
> > 
> > I just thought that this might interest some as Landlock is not really
> > over-used kernel feature in "application sense".
> > 
> > This is a more lower barrier and more failure tolerant to deploy than
> > Bubblewrap based container for this use and purpose in my opinion
> > at least.
> > 
> Very cool! Landlock is great for this usecase of application driven
> sandboxing.
> 
> (just a quick note, the linux-security-module/linux-integrity
> mailing lists mostly for kernel development patches, the
> landlock.lists.linux.dev list is more for
> userspace Landlock topics like this. so I removed the cc for
> linux-security-module/linux-integrity and added that list)
> 
> I notice there is a seccomp policy for unix sockets in this application.
> Although it might not be in your kernel yet, support for sandboxing
> named unix sockets with Landlock was recently merged. :)
> 
> https://lore.kernel.org/linux-security-module/20260327164838.38231-1-gnoack3000@gmail.com/

Thanks for the pointer. My focus has been more in the wiring than inner
shenanigans but soon might be a good time to revisit :-)

I have also Seatbelt FFI and Windows AppContainer profiles are whatever
they call them through Win32 API.

BR, Jarkko

Re: Landstrip

[Jarkko Sakkinen]

On Mon, Jun 08, 2026 at 05:28:39AM +0300, Jarkko Sakkinen wrote:
> On Fri, Jun 05, 2026 at 03:19:09PM -0400, Justin Suess wrote:
> > On Tue, Jun 02, 2026 at 04:42:51AM +0300, Jarkko Sakkinen wrote:
> > > I played with an idea could Landlock LSM be used to do conceptually a
> > > better fit sandbox for programs such as Anthropic Sandbox Runtime [1].
> > > 
> > > After some missteps at first I got it pulled together quite well:
> > > 
> > > https://crates.io/crates/landstrip
> > > 
> > > To see it in action I also have a fork of pi-hashline-readmap plugin,
> > > which was a cherry-picked test case I wanted to try out given it already
> > > hooks the bash tool command for compressed output.
> > > 
> > > I just thought that this might interest some as Landlock is not really
> > > over-used kernel feature in "application sense".
> > > 
> > > This is a more lower barrier and more failure tolerant to deploy than
> > > Bubblewrap based container for this use and purpose in my opinion
> > > at least.
> > > 
> > Very cool! Landlock is great for this usecase of application driven
> > sandboxing.
> > 
> > (just a quick note, the linux-security-module/linux-integrity
> > mailing lists mostly for kernel development patches, the
> > landlock.lists.linux.dev list is more for
> > userspace Landlock topics like this. so I removed the cc for
> > linux-security-module/linux-integrity and added that list)
> > 
> > I notice there is a seccomp policy for unix sockets in this application.
> > Although it might not be in your kernel yet, support for sandboxing
> > named unix sockets with Landlock was recently merged. :)
> > 
> > https://lore.kernel.org/linux-security-module/20260327164838.38231-1-gnoack3000@gmail.com/
> 
> Thanks for the pointer. My focus has been more in the wiring than inner
> shenanigans but soon might be a good time to revisit :-)
> 
> I have also Seatbelt FFI and Windows AppContainer profiles are whatever
> they call them through Win32 API.

I migrated to direct syscalls with Landlock in order to keep in faster
phase.

I'll implement ACCESS_FS_RESOLVE_UNIX support, and run-time detection to
know whether to fall back to a seccomp policy (which is needed still
few years to come).

One LSM I'm not really familiar of and it bothers me a bit is the eBPF
LSM. I'm not exactly sure would it do anything useful/valuable for
me in this project.

And I think Anthropic's app security policy is actually quite nice
and practical. I plan to use this myself when I do find+xargs type
of risky operations :-) It's great with scripts, which kind of
makes sense.

JSON is quite horrible tho so without breaking backwards compatibility
I'll add --format json|yml. In yml-version there won't be bucket
lists for each rule. Instead it will have singular "allowRead" etc.
statements. This is more to use cases where I find it useful :-)

BR, Jarkko