Go Landlock

💾 Git | 📚 Docs

The Go Landlock library is designed to be easy to use. A typical use of the library might look like this:

err := landlock.V5.BestEffort().RestrictPaths(
    landlock.RODirs("/usr", "/bin"),
    landlock.RWDirs("/tmp"),
)

After this call:

• your program will have opportunistically enabled a Landlock policy, on kernels where Landlock can be used (LandlockBestEffortMode)
• file accesses will be as restricted as possible, but the program will continue to have (roughly) read and read-write access to the indicated directories

More details

• Go API documentation
• The GoLandlockTalk covers the Go library
• Alvar Penning’s talk Privilege Separation in Go: a broader overview of privilege separation mechanisms that can be used for Go programs (slides about Go-Landlock start at 7:26)