Landlock: unprivileged access control
The goal of Landlock is to make it possible to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict itself.
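As an added example (not code from the Landlock project or this page), a C program that uses the three Landlock system calls to restrict itself to read-only access beneath one directory. It first probes the kernel's ABI version, because the right covering the "change the parent directory of files" limitation listed in the roadmap (LANDLOCK_ACCESS_FS_REFER) only exists from ABI 2 on, and a ruleset that names a right the running kernel does not know is rejected; the function names and the read/write groupings are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef LANDLOCK_ACCESS_FS_REFER /* ABI 2 (Linux 5.19) right; headers before 5.19 lack it */
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
#endif
#define FS_READ (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)
#define FS_WRITE (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | \
	LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | \
	LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
	LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER)

/* Rights the ruleset handles (denied unless a rule allows them), trimmed to the running kernel's
 * ABI: a bit the kernel does not know makes landlock_create_ruleset() fail with EINVAL. */
__u64 handled_fs_access(long abi)
{
	__u64 handled = FS_READ | FS_WRITE;
	if (abi < 2) /* ABI 1 (Linux 5.13) cannot restrict moving a file to another directory */
		handled &= ~LANDLOCK_ACCESS_FS_REFER;
	return handled;
}

/* Returns 0 once restricted, 1 if this kernel has no Landlock, -1 on error. */
int sandbox_read_only(const char *dir)
{
	long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	if (abi < 0)
		return (errno == ENOSYS || errno == EOPNOTSUPP) ? 1 : -1;
	struct landlock_ruleset_attr attr = { .handled_access_fs = handled_fs_access(abi) };
	int ruleset_fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (ruleset_fd < 0)
		return -1;
	struct landlock_path_beneath_attr rule = { .allowed_access = FS_READ, .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
	int rc = -1;
	if (rule.parent_fd >= 0 &&
	    !syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) &&
	    !prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && /* mandatory, else restrict_self fails with EPERM */
	    !syscall(__NR_landlock_restrict_self, ruleset_fd, 0))
		rc = 0; /* from here on this thread, and every child it spawns afterwards, can only read beneath dir */
	if (rule.parent_fd >= 0)
		close(rule.parent_fd);
	close(ruleset_fd);
	return rc;
}
```

Call sandbox_read_only() early in main(), before the program opens anything it will later need outside dir; once restricted, creating or writing a file fails with EACCES and the restriction cannot be lifted.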
- Short term:
  - improve kernel performance for the current features;
  - add the ability to change the parent directory of files (see current Landlock limitations).
- Medium term:
  - add audit features to ease debugging;
  - extend filesystem access-control types to address the current limitations;
  - add the ability to follow a deny listing approach, which is required for some use cases.
- Long term:
  - add minimal network access-control types;
  - add the ability to create (file descriptor) capabilities compatible with Capsicum.
[PATCH v34] – Landlock LSM
Merged in mainline: will be available in Linux 5.13!
GNU Tar – [PATCH v1] Landlock support
Landlock is not based on eBPF anymore. These talks are outdated but kept for reference.