razighter777 4 days ago

Yup. There are tools that use landlock to accomplish just that.

https://github.com/Zouuup/landrun

All you gotta do is apply a policy and do a fork() exec(). There is also support in firejail.

Reply View 3 replies
  • seethishat 4 days ago

    Firejail requires SUID, LandLock does not.

    Also, it's very easy to write your own LandLock policy in the programming language of your choice and wrap whatever program you like rather than downloading stuff from Github. Here's another example in Go:

        package main

    import (
     "fmt"
     "github.com/landlock-lsm/go-landlock/landlock"
     "log"
     "os"
     "os/exec"
    )

    func main() {
        // Define the LandLock policy
        err := landlock.V1.RestrictPaths(...)

        // Execute FireFox
        cmd := exec.Command("/usr/bin/firefox")
    }
    Reply View 2 replies
    • butvacuum 4 days ago

      Isn't this example just "downloading stuff from GitHub,"(the external Go dependency) but with extra steps? (Having to write and compile a golang app)

      Reply View 0 replies
    • pdimitar 3 days ago

      So you're basically writing a program launcher? In this case this program is what you'd want to have a desktop shortcut to and not to Firefox itself, is that it?

      Reply View 0 replies