A lightweight C# wrapper for the Linux Landlock (https://landlock.io/) kernel sandboxing feature.
Add the NuGet package:

```sh
dotnet add package Landlock
```

Or visit: https://www.nuget.org/packages/Landlock
Landlock is a Linux kernel security feature (available since Linux 5.13) that lets unprivileged applications restrict their own filesystem access using an allow-list model. Once a ruleset is enforced, the process—and any child processes—can only access explicitly permitted paths, providing simple but effective sandboxing without requiring root privileges or system-wide configuration.
This library provides a clean and idiomatic C# interface for working with Landlock, allowing you to define filesystem rulesets, grant specific directory or file permissions, and enforce permanent access restrictions at runtime. It is intended for sandboxing plugins, securing file operations, or adding defense-in-depth to applications running on Linux.
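```csharp
using Landlock;

// Placeholder: the directory the process should still be able to read.
const string AllowedDir = "/path/to/allowed/dir";

var supported = Landlock.IsSupported();
if (supported)
{
    // Handle the core filesystem operations with this ruleset.
    var sandbox = Landlock.CreateRuleset(Landlock.FileSystem.CORE);
    // Allow reading files and listing directories beneath AllowedDir.
    sandbox.AddPathBeneathRule(
        AllowedDir,
        Landlock.FileSystem.READ_FILE,
        Landlock.FileSystem.READ_DIR
    );
    // Apply the ruleset to the current process.
    sandbox.Enforce();
}
```

This example checks for kernel support, creates a ruleset controlling core filesystem operations, allows read access to a specific directory, and enforces the sandbox so the process cannot access anything outside the allowed paths. If the kernel does not support Landlock, the block is skipped and the process continues without a sandbox.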
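An added example, not taken from the library's own documentation: it enforces the same kind of ruleset, refuses to continue when Landlock is unavailable, and then probes that the restriction actually took effect. It assumes the API shape shown in the snippet above; the paths are constructed placeholders, and the extra rules for the application and runtime directories are an assumption about what a .NET process needs in order to keep loading its own assemblies after enforcement.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using Landlock;

// Constructed sample paths; replace with your own.
const string AllowedDir = "/srv/app/data";      // directory that stays readable
const string OutsideFile = "/etc/os-release";   // existing file outside every allowed path

// Use the console before enforcing so it is initialised while reads are still unrestricted.
var supported = Landlock.IsSupported();
Console.WriteLine($"Landlock supported: {supported}");
if (!supported)
{
    // Fail closed: do not run the restricted workload without a sandbox.
    Environment.Exit(1);
}

var sandbox = Landlock.CreateRuleset(Landlock.FileSystem.CORE);

// Assumption: assemblies are loaded lazily, so the application and runtime
// directories must remain readable in addition to the data directory.
var readable = new[] { AllowedDir, AppContext.BaseDirectory, RuntimeEnvironment.GetRuntimeDirectory() };
foreach (var dir in readable)
{
    sandbox.AddPathBeneathRule(dir, Landlock.FileSystem.READ_FILE, Landlock.FileSystem.READ_DIR);
}
sandbox.Enforce();   // from here on the restriction cannot be lifted

// Self-test: the allowed directory must still list, the outside file must be denied.
bool insideOk = CanList(AllowedDir);
bool outsideDenied = IsDenied(OutsideFile);
Console.WriteLine($"allowed dir readable: {insideOk}, outside file denied: {outsideDenied}");
Environment.Exit(insideOk && outsideDenied ? 0 : 2);

static bool CanList(string dir)
{
    try { Directory.GetFileSystemEntries(dir); return true; }
    catch (Exception e) when (e is IOException or UnauthorizedAccessException) { return false; }
}

static bool IsDenied(string file)
{
    // .NET reports a kernel EACCES on open as UnauthorizedAccessException.
    try { File.ReadAllBytes(file); return false; }
    catch (UnauthorizedAccessException) { return true; }
    catch (IOException) { return false; }   // e.g. file missing: the probe is inconclusive
}
```

Exit code 0 means the sandbox is active and behaves as expected, 1 means Landlock is unavailable, and 2 means enforcement did not produce the expected denials.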
- Linux kernel 5.13+
- .NET 6.0+
- No root privileges required
MIT License.
Landlock logo © 2024 by Mickaël Salaün is licensed under CC BY-SA 4.0