Plugin Systems With Unknown Code Problem
If a program loads libraries dynamically, it needs to know what those libraries are going to do in order to enact the correct Landlock policy.
Unfortunately, glibc itself already comes with such a plugin system for doing directory lookups: the Name Service Switch (NSS) facility.
Workaround 1: Turn off the plugin systems. Do not give access to read /etc/nsswitch.conf. Then glibc will fall back to doing directory lookups in known standard ways.
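A sketch of Workaround 1 in C, added here as an example and not taken from the original page: a Landlock ruleset that handles file reads and grants them only on an allow-list that leaves out /etc/nsswitch.conf. The allow-list entries and the function names are assumptions for illustration; it needs Linux 5.13 or later with Landlock enabled and matching kernel headers.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed allow-list, for illustration; /etc/nsswitch.conf is deliberately absent. */
static const char *const readable[] = { "/usr/lib", "/etc/hosts", "/etc/resolv.conf" };

/* Limit this process to reading the paths above. 0 on success, -1 if unavailable. */
static int enforce_read_allowlist(void)
{
    struct landlock_ruleset_attr attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE };
    int rs = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (rs < 0)
        return -1; /* kernel without Landlock, or Landlock disabled */
    for (size_t i = 0; i < sizeof(readable) / sizeof(readable[0]); i++) {
        struct landlock_path_beneath_attr pb = { .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE };
        pb.parent_fd = open(readable[i], O_PATH | O_CLOEXEC);
        if (pb.parent_fd < 0)
            continue; /* path absent on this system: nothing to allow */
        int rc = syscall(SYS_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
        close(pb.parent_fd);
        if (rc < 0)
            return -1;
    }
    /* no_new_privs is required before an unprivileged process may restrict itself. */
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(SYS_landlock_restrict_self, rs, 0) ? -1 : 0;
}

/* Checks in a child so the caller stays unrestricted.
 * 1: nsswitch.conf still opens, 0: it does not, -1: Landlock could not be enforced. */
int nsswitch_readable_in_sandbox(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (enforce_read_allowlist() != 0)
            _exit(2);
        _exit(open("/etc/nsswitch.conf", O_RDONLY | O_CLOEXEC) >= 0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 2)
        return -1;
    return WEXITSTATUS(status);
}

/* Exit status 1 means the file was still readable under the policy. */
int main(void) { return nsswitch_readable_in_sandbox() == 1; }
```

A real policy would extend the allow-list to everything else the program reads; the point here is only that nsswitch.conf is never granted.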
Real solution: The architecturally right thing would be for glibc to expose suitable functions, so that the configured NSS plugins can all be made to work under a Landlock policy. The NSS plugins should each define exactly which Landlock access rights they need, so that glibc can enforce the best access rights.
Any glibc developers reading this?