Landlock: unprivileged access control¶
The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM, it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock empower any process, including unprivileged ones, to securely restrict themselves.
[PATCH v24] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v23] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v22] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v21] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v20] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v19] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v18] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v17] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v16] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v15] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v14] – Landlock LSM¶
LKML – code – sandbox manager example – tests – documentation
[PATCH v13] – Landlock LSM¶
LKML – code – ptrace tests – documentation
[PATCH v12] – Landlock LSM¶
LKML – code – ptrace tests – documentation
[PATCH v11] – Landlock LSM¶
LKML – code – ptrace tests – documentation
[PATCH v10] – Landlock LSM: toward unprivileged sandboxing¶
LKML – code – program example – documentation
[PATCH v9] – Landlock LSM: toward unprivileged sandboxing¶
LKML – code – program example – documentation
Linux Security Summit 2018 – How to safely restrict access to files in a programmatic way with Landlock?¶
Abstract – Slides – Demo video #1 (web server) – Demo video #2 (dynamic map update) – Demo code
Pass the SALT 2018 – Internals of Landlock: a new kind of Linux Security Module leveraging eBPF¶
Abstract and video – Slides – Demo video #1 (web server) – Demo video #2 (dynamic map update) – Demo code
[PATCH v8] – Landlock LSM: toward unprivileged sandboxing¶
LKML – code – program example – documentation
FOSDEM 2018 – File access-control per container with Landlock¶
Linux Security Summit 2017 – Landlock LSM: toward unprivileged sandboxing¶
[PATCH v7] – Landlock LSM: toward unprivileged sandboxing¶
LKML – code – rule example – documentation