Integrations

This page provides non-exhaustive lists of open-source projects that have integrated Landlock sandboxing support. These lists are provided for informational purposes to highlight potentially interesting projects using Landlock, but we have not audited their code.

Sandboxed projects

| Project | Type | Source | Notes |
|---|---|---|---|
| bevy_mod_lockdown | Sandbox library | GitHub repository | Sandbox library for Bevy game engine |
| Cloud Hypervisor | VM monitor | Merged GitHub PR | Virtual machine monitor |
| Codex CLI | AI agent | Merged GitHub PR | OpenAI’s CLI agent |
| Crazy traceroute | Network tool | Merged commit | Network simulation program |
| Pledge for Linux | Sandbox library | Blog post | Pledge and Unveil implementation for Linux using Landlock and the Cosmopolitan libc |
| dosemu2 | Emulator | Merged GitHub PR | DOS emulator for Linux |
| egress-eddie | Network tool | Released | Network filtering tool (support since v0.5.0) |
| Emilua | Lua runtime | Upstream documentation | Lua runtime with Landlock support (since v0.5) |
| exile.h | Sandbox library | GitHub repository | Header-only sandboxing library |
| extrasafe | Sandbox library | Merged GitHub PR | Rust sandbox library (v0.4.0+) |
| Firejail | Sandboxer | Merged GitHub PR | SUID sandbox program (v0.9.74+) |
| Game of Trees | Development tool | Upstream code | Version control system |
| Gemini CLI | AI agent | Open GitHub PR | Google’s AI agent |
| Go Landlock | Sandbox library | GitHub repository | Official Go library for Landlock, see documentation |
| Haskell Landlock | Sandbox library | GitHub repository | Haskell bindings for Landlock |
| Island | Sandboxer | GitHub repository | Official Landlock sandboxing tool |
| Nomad exec2 | Orchestrator | Upstream documentation | HashiCorp workload orchestrator |
| Keysas | Security tool | GitHub repository | USB malware cleaning station |
| Landlock Config | Sandbox library | GitHub repository | Official Landlock configuration format and library |
| Landlock Make | Development tool | Blog post | Zero-configuration sandboxing for hermetic builds |
| Landrun | Sandboxer | GitHub repository | Sandboxing tool leveraging Landlock |
| Minijail | Sandboxer | Upstream code | ChromeOS sandbox manager and library |
| OCI Runtime Spec | Specification | Open GitHub PR | Open Container Initiative runtime specification |
| p7zip | Archive manager | Open GitHub PR | Archive manager (forked) |
| Pacman | Package manager | Merged GitLab MR | Arch Linux package manager (support since v7.0.0) |
| PAM | Authentication | Open GitHub PR | Pluggable Authentication Modules |
| Polkadot | Blockchain | Merged GitHub PR | Blockchain SDK |
| runc | Container runtime | Open GitHub PR | OCI container runtime |
| Rust Landlock | Sandbox library | GitHub repository | Official Rust library for Landlock, see documentation |
| rust-wasm-landlock | WebAssembly runtime | GitHub repository | WebAssembly runtime with Landlock support |
| setpriv | Sandboxer | Merged GitHub PR | Utility to run programs with different privileges (support since util-linux v2.40) |
| snapd | Package manager | Merged GitHub PR | Package manager (support since v2.72) |
| sslh | Network service | Merged release | Applicative protocol multiplexer (v2.1.0+) |
| strace | Developer tool | Merged commit | System call tracer with Landlock syscall support (v5.13+) |
| Suricata | Network service | Merged GitHub PR, see documentation | Network security monitoring engine (support since v7.0.0) |
| systemd | Service manager | Open GitHub PR | System and service manager |
| tracker-extract | Desktop service | Merged GitLab MR | GNOME metadata extraction service (GNOME 46+) |
| Ukuleleweb | Network service | Merged commit | Lightweight wiki server |
| Unblob | Archive manager | Merged GitHub PR | Extraction tool for firmware and file systems (support since v24.12.4) |
| Warpinator | Network service | Merged GitHub PR | LAN file transfer tool with Landlock isolation |
| websrv | Network service | Merged commit | Web server in Go (support since v3.2.0) |
| wireproxy | Network client | Merged GitHub PR | WireGuard client (support since 1.0.8) |
| XZ Utils | Archive manager | Merged commit | Archive manager and compression library (support since v5.6.0; also see the backdoor incident) |
| Zathura | Document viewer | Merged GitHub PR | Document viewer (work in progress) |

Examples and proofs of concept

| Project | Type | Source | Notes |
|---|---|---|---|
| ImageMagick | Graphics | Example workshop | Example of sandboxing ImageMagick |
| lighttpd | Network service | Example tutorial | Lightweight web server with sandboxing tutorial |
| sandboxer | Sandboxer | Sample from the Linux kernel | Official Landlock example in C |

Linux distributions

The following Linux distributions have Landlock enabled in their kernel configuration.

| Distribution | Status | Source |
|---|---|---|
| Alpine Linux | Enabled by default | Merged commit |
| Arch Linux | Enabled by default | Merged commit (5.13.1.arch1-1) |
| Azure Linux | Enabled by default | Merged GitHub PR (formerly called CBL-Mariner) |
| CentOS Stream | Enabled by default | Same as RHEL |
| ChromeOS | Enabled by default | Merged CL (Linux 5.10) and CL (Linux 5.15) |
| ChromeOS (Termina VM) | Enabled by default | Merged CL |
| Debian | Enabled by default | Merged commit and commit (Debian Sid since kernel 5.18.16-1) |
| Fedora | Enabled by default | Merged commit (since Fedora 35) |
| Flatcar | Enabled by default | Merged GitHub PR |
| Gentoo | Enabled depending on the kernel variant | Merged commit |
| GNOME OS | Enabled by default | Merged GitLab MR |
| Red Hat Enterprise Linux (RHEL) | Enabled by default | Merged GitLab MR (since RHEL 9.6.0, backported features up to ABI 5: kernel-5.14.0-568.el9) |
| Rocky Linux | Enabled by default | Bug report |
| OpenSUSE | Enabled by default | Merged commit (since kernel 5.13-rc1) |
| Ubuntu | Enabled by default | Merged commit (since 20.04 LTS) |
| Windows Subsystem for Linux 2 (WSL) | Enabled by default | Released |