Landlock LSM Still Tackling Unprivileged Sandboxing For Linux
The "Landlock" Linux security module continues to be developed as an effort to let any progress -- even unprivileged processes -- create "powerful security" sandboxes.
The Landlock Linux Security Module (LSM) aims to be comparable to OpenBSD's Pledge or Seabelt/XNU sandboxing approaches. Landlock makes use of cgroups and allows for security rules to be created using the eBPF in-kernel virtual machine.
Landlock is described as differing from SELinux, AppArmor, Smack, and other security modules in that it's not only dedicated to administrators, there is a more limited kernel attack surface, and has other design differences in particularly focusing upon unprivileged processes.
Those wishing to learn more about the current patches for the Landlock module can find this kernel mailing list message. So far it's not been requested by its developers to be mainlined in the Linux kernel.
The Landlock Linux Security Module (LSM) aims to be comparable to OpenBSD's Pledge or Seabelt/XNU sandboxing approaches. Landlock makes use of cgroups and allows for security rules to be created using the eBPF in-kernel virtual machine.
Landlock is described as differing from SELinux, AppArmor, Smack, and other security modules in that it's not only dedicated to administrators, there is a more limited kernel attack surface, and has other design differences in particularly focusing upon unprivileged processes.
Those wishing to learn more about the current patches for the Landlock module can find this kernel mailing list message. So far it's not been requested by its developers to be mainlined in the Linux kernel.
8 Comments