New Sandboxing Linux Security Module Coming

AutoCascade · Oct 31, 2019

https://www.phoronix.com/scan.php?page=news_item&px=Landlock-11-Linux-LSM

Landlock Revved An 11th Time For Unprivileged Yet Powerful Security Sandboxes
Written by Michael Larabel in Linux Security on 30 October 2019 at 04:04 AM EDT.

We first wrote about the Landlock Linux security module in 2016 with its aspirations for offering powerful security sandboxing abilities. Landlock has seen revisions every few months and this week marks the 11th time the patches have been volleyed for this interesting sandboxing Linux Security Module (LSM).

For those who don't recall or had previously not read about Landlock, it offers sandbox functionality similar to what can be found on some of the BSDs while employing eBPF to make it quite extensible:
Landlock is a stackable LSM intended to be used as a low-level framework to build custom access-control/audit systems or safe endpoint security agents. There is currently one Landlock hook dedicated to check ptrace(2). This hook accepts a dedicated eBPF program, called a Landlock program, which can currently compare its position in the hierarchy of similar programs tied to other processes. This enables to enforce programmatic scoped ptrace restrictions.

The final goal of this new Linux Security Module (LSM) called Landlock is to allow any process, including unprivileged ones, to create powerfulsecurity sandboxes comparable to XNU Sandbox, FreeBSD Capsicum or OpenBSD Pledge (which could be implemented with Landlock). This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications.

The use of seccomp and Landlock is more suitable with the help of a user-space library (e.g. libseccomp) that could help to specify a high-level language to express a security policy instead of raw eBPF programs. Moreover, thanks to the LLVM front-end, it is quite easy to write an eBPF program with a subset of the C language.
These days there is also the landlock.io project site with more details.

The v11 patches drop ....................................................
Click to expand...

summerheat · Oct 31, 2019

Yes, I had read that earlier. Sounds promising.

AutoCascade · Oct 31, 2019

This would be something Firejail could make use of as well as browsers correct?

summerheat · Oct 31, 2019

AutoCascade said: ↑

This would be something Firejail could make use of as well as browsers correct?
Click to expand...

I guess that would be possible.

BoerenkoolMetWorst · Feb 7, 2022

Anyone using this? It was integrated in mainline kernel last June (5.13).

summerheat · Aug 17, 2022 at 10:04 AM

FWIW, there is a pull request to add Landlock support to Firejail. We'll see what comes out of this.

Log in or Sign up

New Sandboxing Linux Security Module Coming

AutoCascade Registered Member

summerheat Registered Member

AutoCascade Registered Member

summerheat Registered Member

BoerenkoolMetWorst Registered Member

summerheat Registered Member