Installation
Landlock-Sharp is a tiny, pure-managed NuGet package. There is no native binary to install — the library makes Landlock syscalls directly through libc via [DllImport], so all you need is a Linux kernel that supports Landlock.
Install the package
```bash
dotnet add package Landlock
```
Package name
The NuGet package is published as Landlock. The assembly and namespace are both Sandbox — the public type is Sandbox.Landlock. See nuget.org/packages/Landlock for the latest version.
Runtime requirements
| Requirement | Minimum | Notes |
|---|---|---|
| Linux kernel | 5.13 (Landlock ABI 1) | Enables EXECUTE, READ_FILE, WRITE_FILE, READ_DIR, REMOVE_*, MAKE_*. |
| Linux kernel | 5.19 (ABI 2) | Adds REFER for cross-directory rename/link. |
| Linux kernel | 6.2 (ABI 3) | Adds TRUNCATE. |
| Linux kernel | 6.7 (ABI 4) | Adds TCP BIND_TCP / CONNECT_TCP. |
| Linux kernel | 6.10 (ABI 5) | Adds IOCTL_DEV. |
| Linux kernel | 6.12 (ABI 6) | Adds ABSTRACT_UNIX_SOCKET / SIGNAL scopes. |
| Architecture | x86-64 | The library uses x86-64 syscall numbers (444, 445, 446). |
| .NET | .NET 6.0 or later | Required for OperatingSystem.IsLinux() and modern marshalling. |
| Privileges | None | Landlock is explicitly designed for unprivileged processes. |
For the canonical table of what each ABI version adds, see the "Backwards and forwards compatibility" section of the landlock(7) man page. Landlock-Sharp encodes the same table in its ABI versions guide.
Distro support
Most modern distributions ship Landlock-enabled kernels, but some build with the feature compiled in and disabled by default. Check by running on the target host:
```bash
# Prints "CONFIG_SECURITY_LANDLOCK=y" if Landlock is built into the kernel
zcat /proc/config.gz 2>/dev/null | grep CONFIG_SECURITY_LANDLOCK
# Or query the ABI from your app by calling Sandbox.Landlock.GetAbiVersion()
# (see the console app under "Verify the install").
# Negative number → unsupported, otherwise the ABI version (1..6+)
```
The kernel documentation lists how each major distribution ships Landlock and how to enable it if your kernel was built with lsm= excluding landlock.
Supported platforms
| OS | Supported? | Behaviour |
|---|---|---|
| Linux (x86-64, kernel ≥ 5.13) | Yes | Full functionality. |
| Linux (x86-64, kernel < 5.13) | No | Landlock.IsSupported() returns false. Calls to CreateRuleset throw. |
| Linux (arm64, riscv, …) | Not yet | The library uses x86-64 syscall numbers. PRs welcome — see the GitHub repo. |
| macOS / Windows | No | Landlock.IsSupported() returns false. Safe to call — your code can branch on it. |
Always gate on IsSupported()
Because Landlock is a Linux-only kernel feature, every public call into the library should be guarded:
```csharp
using Sandbox;

if (Landlock.IsSupported())
{
    // Build and enforce a ruleset
}
else
{
    // Fall back: log a warning, run unsandboxed, or refuse to start —
    // your policy choice.
}
```
IsSupported() checks three things:
- The host OS is Linux (OperatingSystem.IsLinux()).
- The process architecture is x86-64.
- landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) returns a positive ABI version.
You can also call Landlock.GetAbiVersion() directly to learn which features are available — the ABI versions page walks through how to use that.
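The following startup gate is an added example, not code from Landlock-Sharp or from this page. It uses the ABI table under "Runtime requirements" to refuse to start when the host kernel cannot enforce a feature the policy depends on. SandboxGate and its members are hypothetical names, and the code assumes GetAbiVersion() returns an int.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Sandbox;

// This policy uses CONNECT_TCP rules (ABI 4): refuse to start without them.
if (SandboxGate.Check(requiredAbi: 4, failClosed: true))
{
    // Build and enforce a ruleset
}

// Hypothetical helper, not part of Landlock-Sharp.
static class SandboxGate
{
    // Minimum ABI per feature, from the "Runtime requirements" table.
    static readonly (string Feature, int MinAbi)[] Features =
    {
        ("filesystem access rights", 1), ("REFER", 2), ("TRUNCATE", 3),
        ("BIND_TCP / CONNECT_TCP", 4), ("IOCTL_DEV", 5),
        ("ABSTRACT_UNIX_SOCKET / SIGNAL scopes", 6),
    };

    // Features a policy written for requiredAbi needs but hostAbi cannot enforce.
    public static IReadOnlyList<string> Missing(int hostAbi, int requiredAbi) =>
        Features.Where(f => f.MinAbi <= requiredAbi && f.MinAbi > hostAbi)
                .Select(f => $"{f.Feature} (ABI {f.MinAbi})").ToList();

    // Returns true when a ruleset should be built.
    // failClosed: throw instead of starting with a weaker sandbox than intended.
    public static bool Check(int requiredAbi, bool failClosed)
    {
        if (requiredAbi < 1) throw new ArgumentOutOfRangeException(nameof(requiredAbi));
        // Assumption: GetAbiVersion() returns an int; negative means unsupported.
        int hostAbi = Landlock.IsSupported() ? Math.Max(Landlock.GetAbiVersion(), 0) : 0;
        var missing = Missing(hostAbi, requiredAbi);
        if (missing.Count == 0) return true;

        string list = string.Join(", ", missing);
        string msg = hostAbi == 0
            ? "Landlock is unavailable on this host"
            : $"Landlock ABI {hostAbi} < required {requiredAbi}; not enforced: {list}";
        if (failClosed) throw new PlatformNotSupportedException(msg);
        Console.Error.WriteLine($"warning: {msg}");
        // Best effort: the caller must limit the ruleset to rights the host ABI supports.
        return hostAbi > 0;
    }
}
```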
.NET target frameworks
Landlock-Sharp targets .NET 6.0+. It uses no platform-specific NuGet dependencies — the only P/Invoke target is libc, which is always present on Linux.
There are no native binaries shipped inside the NuGet package and no runtimes/ folder to worry about during publish. Self-contained, framework-dependent, and single-file publishes all work without extra MSBuild flags.
Verify the install
Create a tiny console app and run it — if it prints a positive ABI version, you're set.
```csharp
using Sandbox;

if (!Landlock.IsSupported())
{
    Console.WriteLine("Landlock not supported on this host.");
    return;
}

Console.WriteLine($"Landlock ABI version: {Landlock.GetAbiVersion()}");
```

```bash
dotnet add package Landlock
dotnet run
# Landlock ABI version: 5
```
Next steps
Head to the Quick Start for a guided tour, or jump into the Guides for end-to-end recipes.