Examples

1. Run a command that can read one directory and nothing else:

```sh
runlock --ro /home ls /home
```

2. Run a command with write access to a file or a directory. The second form also grants execute access to /usr/bin and read access to /lib so that touch itself can be executed and can load its shared libraries; it assumes newfile already exists, because a Landlock rule is attached to a path that exists when the ruleset is built (to create new files, grant --rw on the parent directory instead):

```sh
runlock --rw /path/to/dir touch /path/to/dir/newfile
runlock --rox /usr/bin --ro /lib --rw /path/to/dir/newfile touch /path/to/dir/newfile
```

3. Run with debug logging:

```sh
runlock --log-level debug --ro /path/to/dir ls /path/to/dir
```

4. Run with network access enabled:

```sh
runlock --bind-tcp 8080 --connect-tcp 80 /usr/bin/my-server
```

This allows the program to bind only to TCP port 8080 and to connect only to TCP port 80; any other bind or connect is denied. TCP port rules need Landlock ABI version 4 (Linux 6.7 or later), and they cover TCP only, not UDP or other protocols.

5. Run with specific environment variables:

```sh
runlock --rox /usr --ro /etc --env HOME --env PATH --env CUSTOM_VAR=my_value -- env
```

This passes the current values of HOME and PATH through to the sandboxed process, plus a variable named CUSTOM_VAR set to my_value. The `--` marks the end of runlock's own options, so the command and its arguments are not parsed as runlock flags.

6. If you keep getting permission denied and cannot tell which access is being refused, run the command under strace inside the sandbox. Every syscall that fails with EACCES, together with the path or socket it touched, then shows up in the trace (narrow it with -e trace=%file to see only path-related syscalls):

```sh
runlock --rox /usr/bin/ls strace -f -e trace=all ls
```
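The hardest part of the examples above is working out which --rox and --ro paths a binary needs before it can even start: the touch example needs /usr/bin and /lib, and any other dynamically linked program needs its own loader and library directories. The helper below is an added example written for this page, not code from the runlock project; it derives that starting set from the output of ldd(1), joins the directories with the comma-separated list syntax the systemd example on this page uses, and also checks whether the running kernel has Landlock enabled at all. The ldd output it parses is a constructed sample, and it assumes runlock accepts repeated flags and comma-joined paths. Run ldd only on binaries you trust: with some loaders ldd works by executing the program.

```sh
#!/bin/sh
# Added helper, not part of runlock: derive a starting --rox/--ro argument set
# for a dynamically linked binary from ldd(1) output, and check that the
# running kernel lists Landlock as an active LSM. Assumes runlock accepts
# repeated flags and the comma-separated path lists used in the systemd example.

# Return 0 when "landlock" is among the active LSMs (requires securityfs).
landlock_enabled() {
    grep -qw landlock /sys/kernel/security/lsm 2>/dev/null
}

# Read ldd output on stdin; print the unique directories holding the resolved
# shared objects and the dynamic loader, one per line, in C-locale order.
# Lines such as "linux-vdso.so.1 (0x...)" or "=> not found" carry no path
# and are skipped.
dirs_from_ldd() {
    awk '
        /=> \//           { print $3; next }  # libc.so.6 => /lib/.../libc.so.6 (0x...)
        /^[[:space:]]*\// { print $1 }        # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | sed 's:/[^/]*$::' | LC_ALL=C sort -u
}

# Print runlock arguments: execute access to the binary's own directory and
# read access to every library directory (libraries are mapped, not execve'd,
# so --ro is enough for them, as in the touch example).
# $1 = path of the binary, $2 = captured ldd output for it
runlock_ro_args() {
    bindir=$(dirname "$1")
    libdirs=$(printf '%s\n' "$2" | dirs_from_ldd | paste -s -d, -)
    printf '%s %s %s %s' --rox "$bindir" --ro "$libdirs"
}

# Constructed sample of what `ldd /bin/ls` prints on a Debian-style x86_64 host
# (addresses are made up; only the paths matter).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a3f2000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f2e8c4b0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2e8c2cf000)
    libpcre2-8.so.0 => /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f2e8c236000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f2e8c4f0000)'

# Compose the sandboxed command line; add --rw, --env or --bind-tcp rules
# for whatever else the program needs beyond starting up.
main_demo() {
    args=$(runlock_ro_args /bin/ls "$SAMPLE_LDD")
    echo "runlock $args ls /"
}
```

On a real host replace SAMPLE_LDD with `"$(ldd /usr/bin/nginx)"` (or whatever binary you are sandboxing) and check `landlock_enabled` first; if the LSM is missing from /sys/kernel/security/lsm the kernel was booted without Landlock and runlock cannot enforce anything. The result is a starting point, not a complete policy: configuration files, sockets and writable state still need their own rules, which the strace technique above will surface one denied access at a time.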

Systemd Integration

Like landrun, runlock can be integrated with systemd to run services with enhanced security. Here's an example of running nginx with runlock:

1. Create a systemd service file (e.g., /etc/systemd/system/nginx-runlock.service):

```ini
[Unit]
Description=nginx with runlock sandbox
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/runlock \
    --rox /usr/bin \
    --ro /usr/lib,/lib \
    --ro /etc/nginx,/etc/ssl,/etc/passwd,/etc/group,/etc/nsswitch.conf \
    --rwx /var/log/nginx \
    --rwx /var/cache/nginx \
    --bind-tcp 80,443 \
    /usr/bin/nginx -g 'daemon off;'
Restart=always
User=nginx
Group=nginx
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

2. Enable and start the service:

```sh
sudo systemctl daemon-reload
sudo systemctl enable nginx-runlock
sudo systemctl start nginx-runlock
```

3. Check the service status:

```sh
sudo systemctl status nginx-runlock
```

This configuration:

- Runs nginx with only the permissions listed on the runlock command line
- Grants execute access to /usr/bin and read access to the library directories, so nginx itself can be started and can load its shared libraries, just as the touch example above needs --rox /usr/bin and --ro /lib (add /usr/lib64 on distributions that use it; ldd /usr/bin/nginx lists the paths)
- Allows binding to TCP ports 80 and 443, with AmbientCapabilities= supplying the CAP_NET_BIND_SERVICE that the unprivileged nginx user needs to bind ports below 1024
- Provides read-only access to the configuration, the certificates and the NSS files nginx reads to look up its user and group
- Allows write access only to the log and cache directories (--rw would be tighter than --rwx here, since nothing in them is executed)
- Runs as the nginx user and group
- Automatically restarts on failure

You can adjust the permissions based on your specific needs. For example, to serve static files from /var/www, add --ro /var/www to the ExecStart line. Any other path nginx writes at startup, such as the directory holding its pid file, needs a --rw rule of its own; an access that runlock refuses appears in journalctl -u nginx-runlock as a permission-denied error, and running the same command under strace, as in the examples above, shows which path was refused.
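When the unit file is owned by a package, the adjustments described above belong in a drop-in rather than in an edited copy of the unit. The following drop-in is an added example for this page, not configuration shipped by the runlock project; it assumes the nginx-runlock.service unit above and a static site under /var/www (a constructed path). The empty ExecStart= line is required: systemd appends ExecStart= values from drop-ins, so the original command must be cleared before the sandboxed one is redefined.

```ini
# /etc/systemd/system/nginx-runlock.service.d/static-files.conf
# Drop-in that rebuilds the sandbox command line with /var/www readable.
[Service]
# An empty assignment clears the inherited ExecStart list before redefining it.
ExecStart=
ExecStart=/usr/bin/runlock \
    --rox /usr/bin \
    --ro /usr/lib,/lib \
    --ro /etc/nginx,/etc/ssl,/etc/passwd,/etc/group,/etc/nsswitch.conf \
    --ro /var/www \
    --rw /var/log/nginx \
    --rw /var/cache/nginx \
    --bind-tcp 80,443 \
    /usr/bin/nginx -g 'daemon off;'
```

Apply it with `sudo systemctl daemon-reload`, run `systemd-analyze verify nginx-runlock.service` to catch unit syntax mistakes before touching the running service, then `sudo systemctl restart nginx-runlock` and confirm with `systemctl cat nginx-runlock` that the drop-in's ExecStart is the one in effect. The log and cache directories use --rw here instead of --rwx, because nothing under them is executed and the narrower rule costs nothing.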