Landlock Compared To Other Sandboxing Mechanisms
Sandboxing on Linux has long been the domain of distribution-specific frameworks like SELinux and AppArmor. These are configured by the system administrator or distribution provider (privileged sandboxing).
When program development and sandbox policy creation are done by unrelated teams, this creates additional friction: the sandboxes can not be as specific as they could be, and versioning programs and their policies in separate repositories makes it challenging to keep the two in sync.
UnprivilegedSandboxing has been possible with SeccompBpf and with UnprivilegedUserNamespaces, but these have so far been difficult to use correctly on Linux:
- Users of SeccompBpf need to control their system calls very closely (an abstraction level that does not work for many programs), and also keep track of syscall lists on Linux.
- UnprivilegedUserNamespaces often require bigger changes to program architecture, as programs might have to jump through a `clone()` syscall. Furthermore, this feature has been associated with security bugs in the past and is not homogeneously available on Linux distributions.
Until recently, software developers have not had a good way to provide sandboxing guarantees while also striking a good balance between policy creation effort and effectiveness.
Landlock solves this by:
- making UnprivilegedSandboxing easier than before
  - no BPF bytecode, no radical changes to program architecture
- a more natural abstraction level for defining policies
- making sandboxing policies part of the sandboxed program
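The last bullet, a policy that ships inside the program itself, as an added C example (not code from the Landlock project or this page): the process restricts itself to read-only access beneath `/` using only the Landlock system calls plus `PR_SET_NO_NEW_PRIVS`, then checks that creating a file is refused, and simply does nothing when the kernel has no Landlock. The `LL_*` names, `landlock_read_only` and `sandbox_demo` are this example's own.

```c
// Added example, not from the Landlock project or this page: a program that
// carries its own filesystem policy via the Landlock ABI v1 syscalls (no BPF,
// no user namespace). LL_* mirrors the kernel UAPI; 444-446 are the generic syscall numbers.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_ABI_V1 ((1ULL << 13) - 1) /* all 13 ABI v1 access rights */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
/* Make the calling process read-only beneath `root`. Returns 1 when enforced, 0 when
 * Landlock is unavailable (old kernel or filtered syscalls) so the caller decides how to degrade, -1 on error. */
int landlock_read_only(const char *root) {
    if (syscall(__NR_landlock_create_ruleset, NULL, (size_t)0, LL_CREATE_RULESET_VERSION) < 0) return 0;
    struct ll_ruleset_attr rs = { .handled_access_fs = LL_FS_ABI_V1 };
    int ruleset_fd = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset_fd < 0) return -1;
    /* Every handled right that no rule grants is denied: only reads below root survive. */
    struct ll_path_beneath_attr pb = { LL_FS_READ_FILE | LL_FS_READ_DIR, open(root, O_PATH | O_CLOEXEC) };
    int rc = pb.parent_fd < 0 ? -1 : syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0);
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    /* Required for unprivileged self-restriction; also rules out setuid escapes. */
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0) rc = syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
    close(ruleset_fd);
    return rc == 0 ? 1 : -1;
}

/* Self-check: 1 if file creation was denied with EACCES, 0 if Landlock is unavailable, -1 otherwise. */
int sandbox_demo(void) {
    int applied = landlock_read_only("/");
    if (applied <= 0) return applied;
    int fd = open("/tmp/landlock_demo_should_fail", O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) { close(fd); unlink("/tmp/landlock_demo_should_fail"); return -1; }
    return errno == EACCES ? 1 : -1;
}
```

Note that the restriction is per process and inherited by children, so it cannot be undone once `landlock_restrict_self` has returned.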
A further comparison with other LSMs can be found in Mickaël Salaün's SSTIC paper.