Landlock LSM Still Tackling Unprivileged Sandboxing For Linux

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Landlock LSM Still Tackling Unprivileged Sandboxing For Linux

    Phoronix: Landlock LSM Still Tackling Unprivileged Sandboxing For Linux

    The "Landlock" Linux security module continues to be developed as an effort to let any process -- even unprivileged processes -- create "powerful security" sandboxes...

    http://www.phoronix.com/scan.php?pag...andlock-LSM-V3

  • #2
    Michael phoronix

    Seabelt
    should be Seatbelt.

    Comment


    • #3
      I would be happy if we could just be allowed to use anonymous kernel namespaces by default on Debian.

      Comment


      • #4
        Originally posted by carewolf View Post
        I would be happy if we could just be allowed to use anonymous kernel namespaces by default on Debian.
        This is precisely what you want. Currently, the namespaces and linux security models are very dependent on user land implementations and distribution \ root security policy. Docker needs everything configured just right. AppArmor and SELinux are configured by root... The result is that the end-users can't just run anything they want just like that.

        Landlock is application level LSM. For instance, firefox could decide to run their javascript engine in it and they won't need any special policies set from root. You could pick up a python script and just run it in a directory, and not even look at the code to make sure it's not traversing outside the directory into your $HOME...

        User-land will need support for it of course. But effectively, it's anonymous namespaces.

        Comment
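        The "run a script confined to one directory, with no policy from root" idea in the post above, as an added example from the editor rather than code from any poster or from the Landlock project. It uses the Landlock syscalls as they were eventually merged in Linux 5.13 (landlock_create_ruleset, landlock_add_rule, landlock_restrict_self), not the eBPF-based V3 series the article covers. The allowed directory (/tmp by default), the "/" probe and the return codes are this example's own assumptions; the check runs in a forked child so the caller keeps its own rights, because an applied Landlock policy can never be lifted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#else
/* Fallback for toolchains whose UAPI headers predate Landlock (ABI v1 layout). */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#endif
#ifndef __NR_landlock_create_ruleset   /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef O_PATH
#define O_PATH 010000000
#endif

/* The 13 filesystem access rights of Landlock ABI v1 (EXECUTE ... MAKE_SYM, bits 0-12).
 * Handling all of them means any such access outside the allowed tree is denied. */
#define LANDLOCK_FS_V1_ALL ((1ULL << 13) - 1)

/* Confine the calling process to `dir` and everything beneath it. The ruleset is
 * created, filled and applied by this unprivileged process alone; no root policy.
 * Returns 0 when enforced, 2 when Landlock is unavailable (pre-5.13 kernel, LSM
 * disabled, or blocked by an outer sandbox), -1 on any other error. */
int landlock_confine_to_dir(const char *dir)
{
    struct landlock_ruleset_attr rs = { .handled_access_fs = LANDLOCK_FS_V1_ALL };
    struct landlock_path_beneath_attr pb = { .allowed_access = LANDLOCK_FS_V1_ALL };
    int rfd, rc;

    /* Probe the ABI first so "not supported" is distinguishable from a bug. */
    if (syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) < 0)
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 2 : -1;

    rfd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (rfd < 0)
        return -1;
    /* Rules are keyed on an O_PATH descriptor, so the path is resolved once, here. */
    pb.parent_fd = open(dir, O_PATH | O_CLOEXEC);
    if (pb.parent_fd < 0) {
        close(rfd);
        return -1;
    }
    rc = (int)syscall(__NR_landlock_add_rule, rfd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd);
    /* no_new_privs is mandatory: it stops a setuid exec from shedding the policy. */
    if (rc == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
        rc = (int)syscall(__NR_landlock_restrict_self, rfd, 0);
    else
        rc = -1;
    close(rfd);
    return rc == 0 ? 0 : -1;
}

/* Run the check in a forked child so the caller keeps its own rights (the policy is
 * inherited by children and can never be lifted). Returns 0 when the sandbox behaves
 * as expected (allowed_dir still opens, listing "/" fails with EACCES), 2 when
 * Landlock is unavailable, -1 otherwise. Passing "/" defeats the probe by design. */
int landlock_demo(const char *allowed_dir)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = landlock_confine_to_dir(allowed_dir);
        if (rc != 0)
            _exit(rc == 2 ? 2 : 1);
        int inside = open(allowed_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        int outside = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        int denied = (outside < 0 && errno == EACCES);
        _exit(inside >= 0 && denied ? 0 : 3);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? 2 : (code == 0 ? 0 : -1);
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";   /* assumed default for the demo */
    int r = landlock_demo(dir);
    printf("Landlock confinement to %s: %s\n", dir,
           r == 0 ? "enforced" : r == 2 ? "unavailable on this kernel" : "error");
    return r == -1;
}
```

        Build with any recent gcc or clang and run as an ordinary user; on a kernel without Landlock the probe reports "unavailable" instead of failing, which is the case a program has to plan for since the policy is opt-in per process and, as the thread notes, user-land support is what decides whether it gets used at all.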


        • #5
          Originally posted by c117152 View Post

          This is precisely what you want. Currently, the namespaces and linux security models are very dependent on user land implementations and distribution \ root security policy. Docker needs everything configured just right. AppArmor and SELinux are configured by root... The result is that the end-users can't just run anything they want just like that.

          Landlock is application level LSM. For instance, firefox could decide to run their javascript engine in it and they won't need any special policies set from root. You could pick up a python script and just run it in a directory, and not even look at the code to make sure it's not traversing outside the directory into your $HOME...

          User-land will need support for it of course. But effectively, it's anonymous namespaces.
          Well, there is already a feature like that. It is used by Chrome for instance, though they also have the setuid wrapper. It would be nice to get away from the setuid wrapper; unfortunately that requires a newish Linux kernel, and that distros don't choose to cripple the ability to start sandboxes as a user: https://github.com/bazelbuild/bazel/issues/433

          Comment


          • #6
            Originally posted by unixfan2001 View Post
            Michael phoronix
            should be Seatbelt.
            I'm sure he was talking of algae.
            This is a seabelt


            Comment


            • #7
              Originally posted by carewolf View Post

              Well, there is already a feature like that. It is used by Chrome for instance, though they also have the setuid wrapper. It would be nice to get away from the setuid wrapper; unfortunately that requires a newish Linux kernel, and that distros don't choose to cripple the ability to start sandboxes as a user: https://github.com/bazelbuild/bazel/issues/433
              that's still userland defined for the most part. this sucka limits syscalls as well.

              well, none of this linux stuff comes anywhere near the plan9 namespaces since there are no union mounts... but it's something.

              Comment


              • #8
                Originally posted by starshipeleven View Post
                I'm sure he was talking of algae.
                This is a seabelt

                That's not the name of the project though. Which is Apple Seatbelt.

                Comment


                • #9
                  Originally posted by unixfan2001 View Post
                  That's not the name of the project though. Which is Apple Seatbelt.
                  Do you want also a photoshopped image with an apple in there to get my point?

                  Comment
