Using Landlock

LandlockComparedToOtherSandboxingMechanisms

Sandboxing is a developer task

With Landlock, it is the application developers who define the sandboxing policies from within the program. This means that:

General Principle

Identify the threat

It helps to have a clear understanding of what you want to protect against. The different inputs to a program usually come from different sources with different levels of trust, for example:

- command line arguments
- config files
- stdin

Which of these inputs a process can trust depends on the use case.

Enabling a Landlock policy before processing untrusted input

Therefore,

This works well with the Unix security model, where access permissions are generally checked at the time of providing new file descriptors to a process. We can open all required file descriptors during the initialization phase, and then forbid opening of new file descriptors very broadly, but continue using the ones which are already open.
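The sequence described above, as an added example that is not code from the Landlock project: it calls the three Landlock system calls directly through syscall(2) rather than a wrapper library, assumes that /usr is the only directory the program still needs after initialization (a choice made for the example), and shows the already-open-descriptor point by reading a file opened before the policy is enforced and then failing to open the same path afterwards. The LANDLOCK_* names mirror the UAPI in linux/landlock.h and are repeated so the program builds on older headers.

```c
/* Added example, not code from the Landlock project: the initialize, drop
 * rights, then process untrusted input pattern as a small C program. Assumes a
 * Linux kernel with Landlock (5.13+) and a program that after initialization
 * only needs read/execute access beneath /usr (an arbitrary choice). LANDLOCK_*
 * names mirror <linux/landlock.h>; repeated here so it builds on old headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef O_PATH
#define O_PATH 010000000
#endif
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH      1
#define LANDLOCK_ACCESS_FS_EXECUTE      (1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR     (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REFER        (1ULL << 13) /* ABI 2 */
#define LANDLOCK_ACCESS_FS_TRUNCATE     (1ULL << 14) /* ABI 3 */
/* ABI 1 rights, bits 0..12: EXECUTE, WRITE_FILE, READ_FILE, READ_DIR,
 * REMOVE_DIR, REMOVE_FILE and MAKE_{CHAR,DIR,REG,SOCK,FIFO,BLOCK,SYM}. */
#define LANDLOCK_FS_RIGHTS_ABI1 ((1ULL << 13) - 1)

struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* ABI version of the running kernel, or -errno (ENOSYS: kernel too old,
 * EOPNOTSUPP: Landlock built in but not enabled at boot). */
int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -errno : (int)v;
}

/* File-system rights (up to ABI 3) a ruleset may handle on this ABI. Handling a
 * right the kernel does not know fails with EINVAL, so the mask is trimmed to
 * the detected version. Every handled right that no rule allows is denied. */
uint64_t fs_rights_for_abi(int abi)
{
    uint64_t rights = LANDLOCK_FS_RIGHTS_ABI1;
    if (abi >= 2) rights |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) rights |= LANDLOCK_ACCESS_FS_TRUNCATE;
    return rights;
}

/* Drop rights: afterwards the calling thread can only read and execute beneath
 * ro_dirs; every other handled access is denied. Returns 0 or -errno. Call it
 * before spawning threads: only the calling thread is restricted, and children
 * created later inherit the restriction. */
int restrict_to_read_only(const char *const *ro_dirs, size_t n)
{
    int abi = landlock_abi_version();
    if (abi < 0) return abi;
    struct landlock_ruleset_attr attr = { .handled_access_fs = fs_rights_for_abi(abi) };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0) return -errno;
    int err = 0;
    for (size_t i = 0; i < n && !err; i++) {
        struct landlock_path_beneath_attr rule = { /* allowed must be a subset of handled */
            .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
                              LANDLOCK_ACCESS_FS_EXECUTE,
            .parent_fd = open(ro_dirs[i], O_PATH | O_CLOEXEC),
        };
        if (rule.parent_fd < 0) err = errno;
        else if (syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0))
            err = errno;
        if (rule.parent_fd >= 0) close(rule.parent_fd); /* the rule keeps its own reference */
    }
    /* Required unless the thread has CAP_SYS_ADMIN in its user namespace. */
    if (!err && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) err = errno;
    if (!err && syscall(__NR_landlock_restrict_self, ruleset_fd, 0)) err = errno;
    close(ruleset_fd);
    return -err;
}

int main(void)
{
    /* Initialization: open everything needed later while it is still allowed. */
    int cfg = open("/etc/passwd", O_RDONLY | O_CLOEXEC);
    if (cfg < 0) { perror("open"); return 1; }
    /* Drop rights: from here on only /usr is reachable for new opens, read-only. */
    const char *ro[] = { "/usr" };
    int r = restrict_to_read_only(ro, 1);
    if (r) { fprintf(stderr, "landlock: %s\n", strerror(-r)); return 1; }
    /* Process untrusted input: the pre-opened descriptor keeps working... */
    char buf[64];
    printf("read() on pre-opened fd: %zd bytes\n", read(cfg, buf, sizeof buf));
    /* ...while opening the same path again is now denied (EACCES). */
    printf("open() after restriction: %s\n",
           open("/etc/passwd", O_RDONLY) < 0 ? strerror(errno) : "allowed (unexpected)");
    return 0;
}
```

Build with gcc and run on a kernel with Landlock enabled; on older kernels restrict_to_read_only() returns -ENOSYS, which lets a program decide whether to continue without a sandbox or refuse to run. Because landlock_restrict_self() only affects the calling thread, enforce the policy before creating threads, and keep the handled mask tied to the detected ABI version: handling a right the kernel does not know is rejected with EINVAL rather than silently ignored.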

The big overview diagram shows three phases in the userspace process, 💚 Initialization, 🛡️ Drop rights (enable Landlock for the calling thread, either directly through the system calls or through a Landlock library) and 🔴 Process untrusted input (the phase in which the 👨‍💻 attacker gets to act), and below them the Linux kernel, where each system call implementation asks the Landlock LSM to check whether the requested access is permitted.

Using the Landlock API

Landlock’s only kernel API is the one required for building and enforcing rulesets: three system calls, which create a ruleset, add rules to it and restrict the calling thread with it.

This API is discussed in LandlockRulesetEnforcement.

Examples

💾 Github

Known problems and their workarounds

This is a collection of known problems and the workarounds for them that we know about.