Landlock: programmatic access control
Landlock is a stackable Linux Security Module (LSM) that makes it possible to create security sandboxes, programmable access controls or safe endpoint security agents.
This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications.
Landlock is inspired by seccomp-bpf, but instead of filtering syscalls and their raw arguments, a Landlock rule can inspect the use of kernel objects such as files and hence make a decision according to kernel semantics.
Summary 2019
Landlock: a new kind of Linux Security Module leveraging eBPF
[PATCH v10]
Landlock LSM: toward unprivileged sandboxing
[PATCH v9]
Landlock LSM: toward unprivileged sandboxing
Linux Security Summit 2018
How to safely restrict access to files in a programmatic way with Landlock?
Pass the SALT 2018
Internals of Landlock: a new kind of Linux Security Module leveraging eBPF
[PATCH v8]
Landlock LSM: toward unprivileged sandboxing
FOSDEM 2018
File access-control per container with Landlock
Linux Security Summit 2017
Landlock LSM: toward unprivileged sandboxing
[PATCH v7]
Landlock LSM: toward unprivileged sandboxing