[HN Gopher] Landlock-Ing Linux
___________________________________________________________________
Landlock-Ing Linux
Author : razighter777
Score : 39 points
Date : 2025-11-29 21:30 UTC (1 hours ago)
(HTM) web link (blog.prizrak.me)
(TXT) w3m dump (blog.prizrak.me)
| razighter777 wrote:
| What the Landlock LSM can add to the state of Linux security
| PeterWhittaker wrote:
| So like using seccomp with a whitelist (fairly easy to do) with
| per-object access rights.
|
| I'd love to see a comparison of landlock to restricted
| containers.
| razighter777 wrote:
| Comparing landlock to containers isn't really an apples-to-apples
| comparison. Containers use a bunch of Linux security mechanisms
| together, like chroot, seccomp, and user namespaces, to accomplish
| their goals. Landlock is just another building block that devs can
| use.
|
| Fun fact: because landlock is unprivileged, you can even use it
| inside containers, or to build an unprivileged container
| runtime :)
| kosolam wrote:
| So it also works by using some CLI utility to run my software, for
| example?
| razighter777 wrote:
| Yup. There are tools that use landlock to accomplish just that.
|
| https://github.com/Zouuup/landrun
|
| All you gotta do is apply a policy and do a fork() exec().
| There is also support in firejail.
| seethishat wrote:
| Firejail requires SUID, LandLock does not.
|
| Also, it's very easy to write your own LandLock policy in the
| programming language of your choice and wrap whatever program
| you like rather than downloading stuff from GitHub. Here's
| another example in Go:
|
|     package main
|
|     import (
|         "log"
|         "os"
|         "os/exec"
|
|         "github.com/landlock-lsm/go-landlock/landlock"
|     )
|
|     func main() {
|         // Define the LandLock policy (the rule set is left out here)
|         err := landlock.V1.RestrictPaths(...)
|         if err != nil {
|             log.Fatal(err)
|         }
|
|         // Execute FireFox; the child inherits the policy across exec
|         cmd := exec.Command("/usr/bin/firefox")
|         cmd.Stdout = os.Stdout
|         cmd.Stderr = os.Stderr
|         if err := cmd.Run(); err != nil {
|             log.Fatal(err)
|         }
|     }
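The "apply a policy, then fork()/exec()" wrapper described in this thread, as an added example written for this page (not code from the thread, from landrun, or from go-landlock). It talks to the raw Landlock kernel ABI, with the UAPI constants and the three syscall numbers (444 to 446, identical on every architecture) inlined, so it builds with no library or kernel header beyond libc. It assumes a merged-/usr layout (binaries and the dynamic loader both live under /usr); the `ro_dir` argument, the `LL_`-prefixed names and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define LL_NR_CREATE_RULESET 444   /* Landlock syscall numbers are the same on every arch */
#define LL_NR_ADD_RULE 445
#define LL_NR_RESTRICT_SELF 446
#define LL_CREATE_RULESET_VERSION 1U
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_ONLY ((1ULL << 2) | (1ULL << 3))        /* READ_FILE | READ_DIR */
#define LL_FS_READ_EXEC (LL_FS_READ_ONLY | (1ULL << 0))   /* ... | EXECUTE */
#define LL_FS_ABI1_ALL ((1ULL << 13) - 1)   /* EXECUTE .. MAKE_SYM: the ABI v1 set */
#define LL_FS_REFER (1ULL << 13)            /* added in ABI v2 */
#define LL_FS_TRUNCATE (1ULL << 14)         /* added in ABI v3 */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Every FS right this ABI can handle: asking a kernel to handle a bit it does not know fails. */
uint64_t fs_access_for_abi(int abi) {
    return LL_FS_ABI1_ALL | (abi >= 2 ? LL_FS_REFER : 0) | (abi >= 3 ? LL_FS_TRUNCATE : 0);
}
/* Add a rule granting `access` beneath `path`; a missing path fails closed. */
static int allow(int ruleset, const char *path, uint64_t access) {
    struct ll_path_beneath_attr pb = { access, open(path, O_PATH | O_CLOEXEC) };
    if (pb.parent_fd < 0) return -1;
    int r = (int)syscall(LL_NR_ADD_RULE, ruleset, LL_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd);
    return r;
}
/* Deny every handled right except read+exec under /usr and read-only under ro_dir, then exec. */
int restrict_and_exec(const char *ro_dir, char *const argv[]) {
    /* Probe the ABI version first: -1 means Landlock is absent or disabled at boot. */
    long abi = syscall(LL_NR_CREATE_RULESET, NULL, 0, LL_CREATE_RULESET_VERSION);
    if (abi < 0) { perror("landlock_create_ruleset(VERSION)"); return -1; }
    struct ll_ruleset_attr rs = { fs_access_for_abi((int)abi) };
    int ruleset = (int)syscall(LL_NR_CREATE_RULESET, &rs, sizeof rs, 0);
    if (ruleset < 0 || allow(ruleset, "/usr", LL_FS_READ_EXEC) || allow(ruleset, ro_dir, LL_FS_READ_ONLY)
        || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)   /* mandatory for unprivileged self-restriction */
        || syscall(LL_NR_RESTRICT_SELF, ruleset, 0)) { perror("landlock"); return -1; }
    close(ruleset);
    execvp(argv[0], argv);   /* the policy survives exec and the child cannot lift it */
    perror("execvp"); return -1;
}
int main(int argc, char *argv[]) {
    if (argc < 3) { fprintf(stderr, "usage: %s RO_DIR PROGRAM [ARGS...]\n", argv[0]); return 2; }
    return restrict_and_exec(argv[1], &argv[2]) ? 1 : 0;
}
```

Run as `./wrapper /home/user/tmp cat /home/user/tmp/notes.txt`: the read succeeds, while `cat /etc/hostname` under the same wrapper fails with EACCES because nothing outside /usr and the chosen directory was allowed.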
| codethief wrote:
| Yeah, see e.g. sydbox: https://gitlab.exherbo.org/sydbox/sydbox
| seethishat wrote:
| LandLock is a minor LSM intended for software developers. They
| incorporate it into their source code to limit where the programs
| may read/write. Here's a simple Go example:
|
|     package main
|
|     import (
|         "flag"
|         "fmt"
|         "log"
|         "os"
|
|         "github.com/landlock-lsm/go-landlock/landlock"
|     )
|
|     // simple program that demonstrates how landlock works in Go on
|     // Linux systems. Requires 5.13 or newer kernel and .config
|     // should look something like this:
|     // CONFIG_SECURITY_LANDLOCK=y
|     // CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
|     func main() {
|         var help = flag.Bool("help", false, "landlock-example -f /path/to/file.txt")
|         var file = flag.String("f", "", "the file path to read")
|         flag.Parse()
|         if *help || len(os.Args) == 1 {
|             flag.PrintDefaults()
|             return
|         }
|
|         // allow the program to read files in /home/user/tmp
|         err := landlock.V1.RestrictPaths(landlock.RODirs("/home/user/tmp"))
|         if err != nil {
|             log.Fatal(err)
|         }
|
|         // attempt to read a file (os.ReadFile replaces the deprecated ioutil.ReadFile)
|         bytes, err := os.ReadFile(*file)
|         if err != nil {
|             log.Fatal(err)
|         }
|         fmt.Println(string(bytes))
|     }
| razighter777 wrote:
| Yup. In the application code itself is where landlock shines at
| the moment.
|
| It's becoming increasingly usable as a wrapper for untrusted
| applications as well.
___________________________________________________________________
(page generated 2025-11-29 23:00 UTC)