Landlock LSM Still Tackling Unprivileged Sandboxing For Linux
Originally posted by starshipeleven
I'm sure he was talking of algae.
This is a seabelt
Originally posted by carewolf
Well, there is already a feature like that. It is used by Chrome for instance, though they also have the setuid wrapper. It would be nice to get away from the setuid wrapper; unfortunately that requires a newish Linux kernel, and that distros don't choose to cripple the ability to start sandboxes as a user: https://github.com/bazelbuild/bazel/issues/433
Well, none of this Linux stuff comes anywhere near the Plan 9 namespaces since there are no union mounts... but it's something.
Originally posted by c117152
This is precisely what you want. Currently, the namespaces and Linux security models are very dependent on userland implementations and distribution / root security policy. Docker needs everything configured just right. AppArmor and SELinux are configured by root... The result is that end-users can't just run anything they want just like that.
Landlock is an application-level LSM. For instance, Firefox could decide to run their JavaScript engine in it and they won't need any special policies set by root. You could pick up a Python script and just run it in a directory, and not even look at the code to make sure it's not traversing outside the directory into your $HOME...
Userland will need support for it of course. But effectively, it's anonymous namespaces.
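The application-level sandbox described above (a process confining itself to one directory tree with no root-configured policy) looks like this with the Landlock API that was later merged into the kernel. This is an added example, not code from the thread or from the Landlock project; it assumes a Linux 5.13+ kernel with Landlock enabled, a libc that ships <linux/landlock.h>, and the hypothetical program name sandbox_exec.

```c
// Added example (not from the thread): confine this process to one directory tree with Landlock (Linux 5.13+).
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/landlock.h>
#ifndef __NR_landlock_create_ruleset /* older libc headers lack the numbers */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Rights granted beneath the chosen directory (ABI v1 flags). Once the ruleset
 * is enforced, these access types are denied on every other path. */
#define ALLOWED_FS (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | \
                    LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | \
                    LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_EXECUTE)

/* Returns 0 on success or -errno: -ENOSYS/-EOPNOTSUPP without kernel Landlock
 * support, -EPERM when a seccomp filter blocks it, -ENOENT for a missing dir. */
int sandbox_to_dir(const char *dir)
{
    struct landlock_ruleset_attr attr = { .handled_access_fs = ALLOWED_FS };
    int ruleset = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0) return -errno;
    struct landlock_path_beneath_attr rule = { .allowed_access = ALLOWED_FS };
    int err = 0;
    rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) err = errno;
    else if (syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0)) err = errno;
    /* no_new_privs: a setuid exec must not be able to shed the restriction */
    else if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) err = errno;
    else if (syscall(__NR_landlock_restrict_self, ruleset, 0)) err = errno;
    if (rule.parent_fd >= 0) close(rule.parent_fd);
    close(ruleset);
    return -err;
}

/* Usage: sandbox_exec DIR PROG [ARGS...] runs PROG (e.g. a script) confined to DIR. */
int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s DIR PROG [ARGS...]\n", argv[0]); return 2; }
    int rc = sandbox_to_dir(argv[1]);
    if (rc) { fprintf(stderr, "landlock: %s\n", strerror(-rc)); return 1; }
    execvp(argv[2], argv + 2);
    perror("execvp"); return 1;
}
```

Once enforced the restriction is inherited by every child the sandboxed program spawns, so a script run this way cannot reach outside DIR even through subprocesses.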
I would be happy if we could just be allowed to use anonymous kernel namespaces by default on Debian.
Phoronix: Landlock LSM Still Tackling Unprivileged Sandboxing For Linux
The "Landlock" Linux security module continues to be developed as an effort to let any process -- even unprivileged processes -- create "powerful security" sandboxes...