Landlock: unprivileged access control
The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM, it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.
Mailing list dedicated to user space development involving Landlock: subscription, posting and archives.
Landlock documentation – code – sandbox manager example – tests – syzkaller coverage
News
Newsletter (2022-08-17) - Landlock news #2
Linux 5.19 (2022-07-31) - New LANDLOCK_ACCESS_FS_REFER, improved documentation and 16 layers limit
Newsletter (2021-09-01) - Landlock news #1
Linux 5.13 (2021-06-27) - Initial Landlock version
LWN article (2021-06-17) - Landlock (finally) sets sail
Conferences
FOSDEM (2023-02-04) - Backward and forward compatibility for security features (illustrated with Landlock) – slides
Netdev 0x16 (2022-10-24) - How to sandbox a network application with Landlock – slides and tutorial files
Pass the Salt (2022-07-04) - Sandboxing your application with Landlock, illustration with the p7zip case – slides and recording
Linux Security Summit North America (2022-06-24) - Update on Landlock: Lifting the File Reparenting Limits and Supporting Network Rules – slides and recording
Linux Security Summit (2021-09-29) - Deep Dive into Landlock Internals – slides and recording
Open Source Summit (2021-09-28) - Sandboxing Applications with Landlock – slides and recording
Roadmap (kernel-side)
- Short term:
add audit features to ease debugging;
add minimal network access-control types;
add minimal process signaling access-control types;
improve kernel performance for the current features;
- Medium term:
extend filesystem access-control types to address the current limitations;
add the ability to follow a deny listing approach, which is required for some use cases.
extend network access-control types;
- Long term:
add the ability to create (file descriptor) capabilities compatible with Capsicum.
p7zip – Landlock support (WIP)
GNU Tar – [PATCH v1] Landlock support
External links
Archives
Warning
Landlock is not based on eBPF anymore. These talks are outdated but kept for reference.
Summary 2019 – Landlock: a new kind of Linux Security Module leveraging eBPF
Linux Security Summit 2018 – How to safely restrict access to files in a programmatic way with Landlock?
Abstract – Slides – Demo video #1 (web server) – Demo video #2 (dynamic map update) – Demo code
Pass the SALT 2018 – Internals of Landlock: a new kind of Linux Security Module leveraging eBPF
Abstract and video – Slides – Demo video #1 (web server) – Demo video #2 (dynamic map update) – Demo code