Landlock: unprivileged access control

The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM, it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.

Mailing list dedicated to user space development involving Landlock: subscription, posting and archives.

Landlock documentation – code – sandbox manager example – tests – syzkaller coverage

News

Newsletter (2023-03-22) - Landlock news #3
Linux 6.2 (2023-02-19) - New LANDLOCK_ACCESS_FS_TRUNCATE
Newsletter (2022-08-17) - Landlock news #2
Linux 5.19 (2022-07-31) - New LANDLOCK_ACCESS_FS_REFER, improved documentation and 16 layers limit
Newsletter (2021-09-01) - Landlock news #1
Linux 5.13 (2021-06-27) - Initial Landlock version
LWN article (2021-06-17) - Landlock (finally) sets sail

Conferences

Kernel Recipes (2023-09-25) - Update on Landlock: Audit, Debugging and Metrics and slides
Linux Security Summit Europe (2023-09-21) - Landlock Workshop: Sandboxing Application for Fun and Protection and slides
Linux Security Summit Europe (2023-09-21) - Update on Landlock: Audit, Debugging and Metrics and slides
FOSDEM (2023-02-04) - Backward and forward compatibility for security features (illustrated with Landlock) – slides
Netdev 0x16 (2022-10-24) - How to sandbox a network application with Landlock – slides and tutorial files
Pass the Salt (2022-07-04) - Sandboxing your application with Landlock, illustration with the p7zip case – slides and recording
Linux Security Summit North America (2022-06-24) - Update on Landlock: Lifting the File Reparenting Limits and Supporting Network Rules – slides and recording
Linux Security Summit (2021-09-29) - Deep Dive into Landlock Internals – slides and recording
Open Source Summit (2021-09-28) - Sandboxing Applications with Landlock – slides and recording

Roadmap (kernel-side)

Short term:

add audit features to ease debugging;
add minimal network access-control types;
add minimal process signaling access-control types;
improve kernel performance for the current features;

Medium term:

extend filesystem access-control types to address the current limitations;
add the ability to follow a deny listing approach, which is required for some use cases.
extend network access-control types;

Long term:

add the ability to create (file descriptor) capabilities compatible with Capsicum.

p7zip – Landlock support (WIP)

Add sandboxing with Landlock #184

GNU Tar – [PATCH v1] Landlock support

patch – code

External links

Twitter – GitHub

Archives

Warning

Landlock is not based on eBPF anymore. These talks are outdated but kept for reference.

Summary 2019 – Landlock: a new kind of Linux Security Module leveraging eBPF

Slides

Linux Security Summit 2018 – How to safely restrict access to files in a programmatic way with Landlock?

Abstract – Slides – Demo video #1 (web server) – Demo video #2 (dynamic map update) – Demo code

Pass the SALT 2018 – Internals of Landlock: a new kind of Linux Security Module leveraging eBPF

Abstract and video – Slides – Demo video #1 (web server) – Demo video #2 (dynamic map update) – Demo code

FOSDEM 2018 – File access-control per container with Landlock

Abstract and video – Slides – Demo video – Demo code

Linux Security Summit 2017 – Landlock LSM: toward unprivileged sandboxing

Slides – Demo #1 – Demo #2