Landlock: unprivileged access control
The goal of Landlock is to enable restricting ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock empowers any process, including unprivileged ones, to securely restrict itself.
Newsletter (2022-08-17) - Landlock news #2
Linux 5.19 (2022-07-31) - New LANDLOCK_ACCESS_FS_REFER, improved documentation and 16 layers limit
Newsletter (2021-09-01) - Landlock news #1
Linux 5.13 (2021-06-27) - Initial Landlock version
LWN article (2021-06-17) - Landlock (finally) sets sail
FOSDEM (2023-02-04) - Backward and forward compatibility for security features (illustrated with Landlock) – slides
Netdev 0x16 (2022-10-24) - How to sandbox a network application with Landlock – slides and tutorial files
Pass the Salt (2022-07-04) - Sandboxing your application with Landlock, illustration with the p7zip case – slides and recording
Linux Security Summit North America (2022-06-24) - Update on Landlock: Lifting the File Reparenting Limits and Supporting Network Rules – slides and recording
- Short term:
  - add audit features to ease debugging;
  - add minimal network access-control types;
  - add minimal process signaling access-control types;
  - improve kernel performance for the current features.
- Medium term:
  - extend filesystem access-control types to address the current limitations;
  - add the ability to follow a deny listing approach, which is required for some use cases;
  - extend network access-control types.
- Long term:
  - add the ability to create (file descriptor) capabilities compatible with Capsicum.
p7zip – Landlock support (WIP)
GNU Tar – [PATCH v1] Landlock support
Landlock is not based on eBPF anymore. These talks are outdated but kept for reference.