Landlock: programmatic access control

Landlock is a stackable Linux Security Module (LSM) that makes it possible to create security sandboxes. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock is inspired by seccomp-bpf, but instead of filtering syscalls and their raw arguments, a Landlock rule can inspect the use of kernel objects such as files and hence make a decision according to the kernel's semantics.
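The abstract above contrasts Landlock with seccomp-bpf: the decision is taken on the kernel object (a file under a given directory) rather than on a syscall number and its raw arguments. The following C program is an added example, not code from the page, the talk or the v7 patch series. It confines itself to read-only access beneath one directory and then checks that reads still work while writes, file creation and access outside the directory are refused with EACCES. It uses the ruleset syscalls (landlock_create_ruleset, landlock_add_rule, landlock_restrict_self) that were merged upstream in Linux 5.13, which replaced the eBPF-based design the 2017 patch proposed; the function names, the temporary directory under /tmp and the fallback definitions used when the UAPI header is missing are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock ruleset API as merged in Linux 5.13. If the UAPI header is absent,
 * fall back to the documented ABI v1 struct layouts, constants and syscall numbers. */
#if defined __has_include
# if __has_include(<linux/landlock.h>)
#  include <linux/landlock.h>
#  define HAVE_LANDLOCK_H 1
# endif
#endif
#ifndef HAVE_LANDLOCK_H
struct landlock_ruleset_attr { unsigned long long handled_access_fs; };
struct landlock_path_beneath_attr { unsigned long long allowed_access; int parent_fd; } __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
#endif
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule 445
#define SYS_landlock_restrict_self 446
#endif
/* The 13 filesystem rights of ABI v1 (bits 0..12); handling only these keeps the
 * ruleset valid on every kernel that ships Landlock. */
#define LANDLOCK_V1_FS_MASK ((1ULL << 13) - 1)

/* Landlock ABI version of the running kernel, or -1 if unavailable. */
int landlock_abi_version(void) {
    long v = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Confine the caller to read-only access beneath ro_dir; every other path is denied
 * for all handled rights. Irreversible for this process and inherited by children.
 * Returns 0 when enforced, 1 when Landlock is unavailable (kernel too old, LSM not
 * enabled, or the syscall filtered by seccomp), -1 on any other error. */
int enter_readonly_sandbox(const char *ro_dir) {
    struct landlock_ruleset_attr rs = { .handled_access_fs = LANDLOCK_V1_FS_MASK };
    int ruleset_fd = (int)syscall(SYS_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset_fd < 0) return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
    /* One rule: read-only rights on everything beneath ro_dir (an O_PATH fd names it). */
    struct landlock_path_beneath_attr pb = { .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR };
    int rc = -1;
    pb.parent_fd = open(ro_dir, O_PATH | O_CLOEXEC);
    if (pb.parent_fd >= 0) {
        rc = (int)syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
        close(pb.parent_fd);
    }
    /* no_new_privs: a sandboxed process must not regain rights through setuid binaries. */
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0) rc = (int)syscall(SYS_landlock_restrict_self, ruleset_fd, 0);
    close(ruleset_fd);
    return rc == 0 ? 0 : -1;
}

/* Worked check in a forked child (the parent stays unrestricted so it can clean up):
 * reads beneath the constructed directory still work, writes and file creation
 * beneath it fail with EACCES, and listing its parent (outside the rule) is denied.
 * Returns 0 if Landlock enforced the policy, 1 if unavailable, -1 on a mismatch. */
int demo_readonly_sandbox(void) {
    char dir[] = "/tmp/landlock-demo-XXXXXX"; /* constructed sample directory */
    char path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/data.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "constructed sample\n", 19) != 19) return -1;
    close(fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = enter_readonly_sandbox(dir);
        if (rc != 0) _exit(rc == 1 ? 1 : 2);
        fd = open(path, O_RDONLY); /* allowed: READ_FILE beneath dir */
        if (fd < 0) _exit(2);
        close(fd);
        if (open(path, O_WRONLY) >= 0 || errno != EACCES) _exit(2); /* denied: WRITE_FILE */
        snprintf(path, sizeof path, "%s/new.txt", dir);
        if (open(path, O_WRONLY | O_CREAT, 0600) >= 0 || errno != EACCES) _exit(2); /* denied: MAKE_REG */
        if (open("/tmp", O_RDONLY | O_DIRECTORY) >= 0 || errno != EACCES) _exit(2); /* denied: not beneath dir */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    unlink(path); rmdir(dir);
    return WEXITSTATUS(status) == 0 ? 0 : WEXITSTATUS(status) == 1 ? 1 : -1;
}

int main(void) {
    int r = demo_readonly_sandbox();
    printf("Landlock ABI %d: %s\n", landlock_abi_version(), r == 0 ? "policy enforced" : r == 1 ? "unavailable, nothing restricted" : "unexpected result");
    return r < 0;
}
```

Once a process has called landlock_restrict_self it cannot lift the restriction, and the policy follows fork and execve, which is what makes this useful against bugs in the confined code: whatever the bug does, it can only reach the objects the rule allows. Handling only the ABI v1 mask means rights introduced by later ABI versions (truncation, for example) are not handled and stay allowed; a production sandbox probes the ABI version first and widens the handled mask to what the running kernel supports.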

Linux Security Summit 2017

[PATCH v7] Landlock LSM: toward unprivileged sandboxing