Landlock

Landlock is a stackable Linux Security Module (LSM) that makes it possible to create security sandboxes. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can inspect the use of kernel objects like files and hence make a decision according to the kernel semantic.

Pass the SALT 2018

Internals of Landlock: a new kind of Linux Security Module leveraging eBPF

Abstract and video Slides Demo video #1 (web server) Demo video #2 (dynamic map update) Demo code

[PATCH v8]

Landlock LSM: toward unprivileged sandboxing

LKML code program example documentation

FOSDEM 2018

File access-control per container with Landlock

Abstract and video Slides Demo video Demo code

Linux Security Summit 2017

Landlock LSM: toward unprivileged sandboxing

Slides Demo #1 Demo #2

[PATCH v7]

Landlock LSM: toward unprivileged sandboxing

LKML code rule example documentation

Landlock: programmatic access control

Pass the SALT 2018

Internals of Landlock: a new kind of Linux Security Module leveraging eBPF

[PATCH v8]

Landlock LSM: toward unprivileged sandboxing

FOSDEM 2018

File access-control per container with Landlock

Linux Security Summit 2017

Landlock LSM: toward unprivileged sandboxing

[PATCH v7]

Landlock LSM: toward unprivileged sandboxing