
Overview

sandboxec relies on Linux’s Landlock LSM (Linux Security Module). Different features require different Landlock ABI versions, which map to specific kernel versions.
Landlock must be enabled in your kernel. Most modern distributions enable it by default, but some older or custom kernels may not have Landlock support compiled in.

Capability Table

The following table shows which features require which Landlock ABI and kernel versions:
Capability                              | Landlock ABI | Typical Minimum Kernel
----------------------------------------|--------------|-----------------------
Filesystem restrictions                 | v1+          | 5.13+
TCP bind/connect restrictions           | v4+          | 6.7+
Scoped restrictions (--restrict-scoped) | v6+          | Newer kernels only
The kernel version is “typical” because distributions may backport Landlock features to older kernels. Check your actual Landlock ABI support using the methods below.

Feature Requirements

Filesystem restrictions

Available since: Linux 5.13 (2021)

Controls:
  • Read access to files and directories
  • Write access (create, modify, delete)
  • Execute access (run binaries)
# Requires Linux 5.13+
sandboxec --fs rx:/usr -- /usr/bin/id
Supported on most modern distributions (Ubuntu 22.04+, Debian 12+, RHEL 9+, etc.)

Checking Kernel Support

Method 1: Check Kernel Version

uname -r
Compare the output to the minimum kernel versions in the table above.
$ uname -r
6.8.0-45-generic
# ✓ Supports filesystem, network, and scoped restrictions

Method 2: Test with sandboxec

Run a simple command and observe the behavior:
# Test filesystem restrictions
sandboxec --fs rx:/usr -- /usr/bin/id
If filesystem restrictions work, try network rules:
# Test network restrictions
sandboxec --fs rx:/usr --net c:443 -- /usr/bin/curl https://example.com
If your kernel doesn’t support a feature, you’ll see errors like:
Error: Landlock ABI version too old for network restrictions
Use --best-effort to continue with supported features only.
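The two methods above (compare the kernel version against the table, then try a command) can be combined into a small script. The following is an added example and not sandboxec's own code: the function names (kernel_at_least, landlock_capabilities, landlock_lsm_enabled, report_running_kernel) are this example's, the version thresholds are the ones in the capability table, and the active LSM list is read from /sys/kernel/security/lsm, the same file the Troubleshooting section points to. The LSM check is the part `uname -r` cannot give you: a kernel can be new enough and still have been booted without Landlock.

```shell
#!/bin/sh
# Added example, not part of sandboxec: turn the two checks on this page into
# a script. landlock_capabilities maps a `uname -r` string onto the capability
# table (5.13+ filesystem rules, 6.7+ TCP bind/connect rules; the page gives no
# kernel number for scoped restrictions, so they are not guessed here), and
# landlock_lsm_enabled confirms that "landlock" is in the active LSM list, which
# the version check alone cannot tell you.

# kernel_at_least RELEASE MAJOR MINOR -> true when RELEASE is >= MAJOR.MINOR.
# Only the leading "MAJOR.MINOR" is parsed; patch levels and suffixes such as
# "-45-generic" are ignored, and unparsable input counts as 0.
kernel_at_least() {
    rel=$1 want_major=$2 want_minor=$3
    major=${rel%%[!0-9]*}
    case $rel in
        *.*) rest=${rel#*.}; minor=${rest%%[!0-9]*} ;;
        *)   minor='' ;;
    esac
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt "$want_major" ]; then
        return 0
    fi
    if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# landlock_capabilities RELEASE -> prints "none", "fs" or "fs net": the
# feature set a distribution kernel of that version typically provides.
landlock_capabilities() {
    if ! kernel_at_least "$1" 5 13; then
        echo none
    elif ! kernel_at_least "$1" 6 7; then
        echo fs
    else
        echo "fs net"
    fi
}

# landlock_lsm_enabled [LSM_FILE] -> true when "landlock" is in the active LSM
# list. The file is comma separated, e.g. "lockdown,capability,landlock,yama",
# and it is the authoritative check: a new enough kernel booted without landlock
# in its lsm= list still has no Landlock, and a backported older kernel may
# have it despite failing the version check.
landlock_lsm_enabled() {
    f=${1:-/sys/kernel/security/lsm}
    [ -r "$f" ] || return 1
    grep -q -E '(^|,)landlock(,|$)' "$f"
}

# report_running_kernel -> prints a summary for this machine and returns 0 only
# when the kernel is new enough for at least filesystem rules AND the LSM is
# enabled, so it can gate a CI job before sandboxec is ever invoked.
report_running_kernel() {
    rel=$(uname -r)
    caps=$(landlock_capabilities "$rel")
    echo "kernel $rel: expected Landlock features: $caps"
    if landlock_lsm_enabled; then
        echo "landlock LSM: enabled"
    else
        echo "landlock LSM: not in /sys/kernel/security/lsm (missing, disabled, or unreadable)"
        return 1
    fi
    [ "$caps" != none ]
}

# Run the report only when asked, so the functions can also be sourced.
case ${1:-} in
    --report) report_running_kernel ;;
esac
```

Run it as `sh landlock-check.sh --report`; a non-zero exit means either the kernel is older than 5.13 or Landlock is not in the active LSM list, which is the fail-fast signal a pipeline wants before relying on sandboxec.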

Best-Effort Mode

The --best-effort flag allows sandboxec to gracefully degrade when the kernel lacks support for certain features.

How It Works

  1. Parse all rules: sandboxec reads all --fs and --net rules from the CLI or config file.
  2. Check kernel support: it determines which Landlock ABI version is available.
  3. Apply supported features only:
     • Filesystem rules are applied on ABI v1+ kernels
     • Network rules are applied on ABI v4+ kernels
     • Scoped restrictions are applied on ABI v6+ kernels
     • Unsupported features are silently skipped
  4. Launch command: the command runs with whatever restrictions the kernel supports.

Example Usage

# Config file requests both filesystem and network restrictions
sandboxec --best-effort --config sandboxec.yaml -- command
Behavior:
  • On Linux 6.8+: Both filesystem and network restrictions apply
  • On Linux 5.15: Only filesystem restrictions apply (network rules skipped)
  • On Linux 5.10: No restrictions apply (command runs normally)
Security implication: With --best-effort, your command may run with fewer restrictions than expected on older kernels. For security-critical workloads, consider enforcing minimum kernel versions or failing fast without --best-effort.
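To make the degradation concrete, here is the decision table from "How It Works" written out as a script. It is an added example, not sandboxec's implementation: plan_rules is this example's own function, it takes the kernel's Landlock ABI as a number (sandboxec discovers that itself at run time), and the rule-to-ABI mapping is the one this page gives (filesystem v1, network v4, scoped v6). The strict branch is the fail-fast behaviour you get without --best-effort.

```shell
#!/bin/sh
# Added example, not sandboxec's own code: the decision table behind
# --best-effort, written out so the degradation is visible. Each CLI rule is
# mapped to the ABI that introduced it (fs v1, net v4, scoped v6) and compared
# with the ABI the kernel offers. The ABI number is an argument here; sandboxec
# itself asks the kernel, which this script does not reproduce. ABI 0 stands
# for "no Landlock at all" (unlike sandboxec's --abi 0, which means auto-detect).

# plan_rules ABI MODE [--fs RULE] [--net RULE] [--restrict-scoped] ...
#   MODE is "best-effort" or "strict" (anything else is treated as best-effort).
#   Prints one line per rule: "apply <rule>" or "skip  <rule> (...)".
#   Returns 0 in best-effort mode even when rules are skipped (they are only
#   reported here; sandboxec itself skips them silently). In strict mode it
#   prints no plan, reports the first unsupported rule on stderr and returns 1,
#   so the caller fails before launching anything with weaker restrictions.
plan_rules() {
    abi=$1 mode=$2
    shift 2
    plan=''
    while [ $# -gt 0 ]; do
        case $1 in
            --fs|--net)
                [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
                if [ "$1" = --fs ]; then need=1; else need=4; fi
                label="$1 $2"
                shift 2 ;;
            --restrict-scoped)
                need=6
                label=$1
                shift 1 ;;
            *)
                echo "unknown argument: $1" >&2
                return 2 ;;
        esac
        if [ "$abi" -ge "$need" ]; then
            plan="${plan}apply $label
"
        elif [ "$mode" = strict ]; then
            echo "error: $label needs Landlock ABI v$need, kernel offers v$abi" >&2
            return 1
        else
            plan="${plan}skip  $label (needs ABI v$need, kernel offers v$abi)
"
        fi
    done
    printf '%s' "$plan"
}

# Demo mirroring the "Example Usage" section: the same rules against three
# ABI levels in best-effort mode, then the strict (fail-fast) variant.
if [ "${1:-}" = --demo ]; then
    for abi in 4 1 0; do
        echo "== kernel ABI v$abi, best-effort =="
        plan_rules "$abi" best-effort --fs rx:/usr --net c:443
    done
    echo "== kernel ABI v1, strict =="
    plan_rules 1 strict --fs rx:/usr --net c:443 || echo "exit status $?"
fi
```

Run `sh plan.sh --demo` to see the three outcomes side by side: on ABI v4 both rules apply, on v1 the network rule is dropped, on v0 nothing applies, and in strict mode the v1 case aborts with exit status 1 instead of running with a weaker policy.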

When to Use Best-Effort

Good Use Cases

  • Cross-platform scripts that run on various kernel versions
  • Development environments where strict enforcement isn’t critical
  • Gradual rollout of sandboxing policies

Avoid for

  • Production security boundaries
  • Compliance-required isolation
  • Multi-tenant environments

Forcing a Specific ABI Version

You can force sandboxec to use a specific Landlock ABI version:
sandboxec --abi 4 --fs rx:/usr --net c:443 -- command
This is useful for:
  • Testing behavior on systems with newer Landlock versions
  • Debugging ABI-specific issues
  • Ensuring consistent behavior across different kernel versions

ABI Version Reference

ABI Version | Introduced Features
------------|------------------------------------------------------
v1          | Filesystem read/write/execute restrictions
v2          | Additional filesystem controls (refer, truncate)
v3          | Extended filesystem metadata restrictions
v4          | TCP bind and connect restrictions
v5          | Additional network protocol controls
v6          | Scoped IPC and signal restrictions
Use --abi 0 (default) to automatically detect and use the highest available ABI version on your kernel.

Distribution-Specific Notes

Ubuntu
  • Ubuntu 24.04+: Full support (kernel 6.8+)
  • Ubuntu 22.04 LTS: Filesystem only (kernel 5.15)
  • Ubuntu 20.04 LTS: Filesystem only (kernel 5.4, requires backports)
To get network support on Ubuntu 22.04, upgrade to the HWE kernel:
sudo apt install linux-generic-hwe-22.04

Debian
  • Debian 13+ (Trixie): Full support
  • Debian 12 (Bookworm): Filesystem only (kernel 6.1)
  • Debian 11 (Bullseye): Filesystem only (kernel 5.10)

RHEL
  • RHEL 9+: Filesystem support (kernel 5.14+)
  • RHEL 8: May require custom kernel or backports
Network restrictions are likely unavailable unless you are using a very recent kernel.

Rolling-release distributions
  • Rolling release: Full support (typically latest stable kernel)
  • Landlock enabled by default

Fedora
  • Fedora 38+: Full support (kernel 6.2+)
  • Fedora 36-37: Filesystem only

Troubleshooting

Error: “Landlock not supported”

Your kernel either:
  1. Is too old (< 5.13)
  2. Was compiled without Landlock support
  3. Has Landlock disabled at boot
Solution:
  • Upgrade to a modern kernel (5.13+ for basic support, 6.7+ for network support)
  • Check whether Landlock is enabled: the output of cat /sys/kernel/security/lsm should include landlock
  • If landlock is missing from that list, your kernel was either not compiled with Landlock or needs Landlock enabled via a boot parameter

Error: “network restrictions require ABI v4+”

Your kernel supports filesystem restrictions but not network restrictions. Solutions:
  1. Remove the network rules (such as --net c:443) from your command or config
  2. Use --best-effort to skip network rules
  3. Upgrade to kernel 6.7+

Error: “scoped restrictions require ABI v6+”

The --restrict-scoped flag requires very new kernels. Solutions:
  • Remove --restrict-scoped (most users don’t need it)
  • Upgrade to the latest stable kernel
  • Use --best-effort to skip this feature

Recommendations

Development

Use --best-effort for flexibility across different developer machines.
sandboxec.yaml
best-effort: true
fs:
  - rx:/usr
  - rw:$PWD
net:
  - c:443

Production

Enforce minimum kernel versions and avoid --best-effort for security-critical workloads.
sandboxec.yaml
best-effort: false
fs:
  - rx:/usr
  - rw:/app
net:
  - c:443
Fail fast if kernel doesn’t meet requirements.
For CI/CD pipelines, document the minimum kernel version in your README and pin runner images to distributions with sufficient Landlock support.
