Landlock Revved An 11th Time For Unprivileged Yet Powerful Security Sandboxes

Written by Michael Larabel in Linux Security on 30 October 2019 at 04:04 AM EDT.
We first wrote about the Landlock Linux security module in 2016 with its aspirations for offering powerful security sandboxing abilities. Landlock has seen revisions every few months and this week marks the 11th time the patches have been volleyed for this interesting sandboxing Linux Security Module (LSM).

For those who don't recall or have not previously read about Landlock, it offers sandbox functionality similar to what can be found on some of the BSDs while employing eBPF to make it quite extensible:
Landlock is a stackable LSM intended to be used as a low-level framework to build custom access-control/audit systems or safe endpoint security agents. There is currently one Landlock hook dedicated to check ptrace(2). This hook accepts a dedicated eBPF program, called a Landlock program, which can currently compare its position in the hierarchy of similar programs tied to other processes. This enables to enforce programmatic scoped ptrace restrictions.

The final goal of this new Linux Security Module (LSM) called Landlock is to allow any process, including unprivileged ones, to create powerful security sandboxes comparable to XNU Sandbox, FreeBSD Capsicum or OpenBSD Pledge (which could be implemented with Landlock). This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications.

The use of seccomp and Landlock is more suitable with the help of a user-space library (e.g. libseccomp) that could help to specify a high-level language to express a security policy instead of raw eBPF programs. Moreover, thanks to the LLVM front-end, it is quite easy to write an eBPF program with a subset of the C language.

These days there is also the landlock.io project site with more details.

The v11 patches drop the file-system features, at least for now; add a new ptrace program and extend the ptrace tests; add more documentation; and include other code improvements. The v11 patches amount to just under two thousand lines of new code in their current kernel form, thanks to leveraging existing code like eBPF.

Here's to hoping Landlock will manage to make it into a stable kernel release in 2020.