[FEATURE] Enable Landlock Security Module in Default Linux Image in Docker Desktop
Tell us about your request
The default Linux image provided by Apple Container currently lacks support for the Landlock security module. This means applications running within the container cannot leverage Landlock's powerful sandboxing capabilities, which is a significant security feature for restricting filesystem access.
While I understand that image size optimization is often a priority for default images (similar to how Docker Desktop or Podman Desktop might omit certain features), the absence of Landlock limits the security posture of applications deployed within Apple Container.
Which service(s) is this request for? Docker Desktop
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Let's take this project as example:
https://github.com/Zouuup/landrun?tab=readme-ov-file
If running in a Landlock-enabled container, users can use a command like this to restrict unexpected file access:

landrun --rox /usr/ --ro /path/to/dir ./shell-bin /path/to/dir

This functionality works within Docker containers running on a native Linux host, as they share the host's kernel. However, it fails in containers provided by Docker Desktop, Podman Desktop, and apple/container. This is because the Linux kernels within the virtual machines used by these desktop container platforms lack Landlock support.
The Landlock feature is crucial for file security, and I believe it's worth introducing into this slim kernel.
Consider, for example, a scenario where an AI agent is run within a container and its read access needs to be restricted. This functionality would necessitate Landlock support. Notably, the sandbox implementation utilized by OpenAI Codex already leverages Landlock for similar security measures.
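As an added example (not code from the landrun project or from this issue), the following C program does the two things the request depends on: it probes the running kernel for Landlock and tells a kernel built without the syscalls (ENOSYS) apart from one built with Landlock but booted without it in the LSM list (EOPNOTSUPP), which is what you see inside a desktop-VM kernel; if Landlock is present, it confines itself to read-only access beneath one directory, the same way `landrun --ro` does. It assumes the ABI v1 constants and syscall numbers, which are defined inline so it builds even where `<linux/landlock.h>` is absent.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* ABI v1 syscall numbers and flags, defined here so this builds without <linux/landlock.h>. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444 /* identical on x86_64, arm64 and riscv64 */
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LL_FS_ALL_V1 ((1ULL << 13) - 1)        /* the 13 LANDLOCK_ACCESS_FS_* rights of ABI v1 */
#define LL_FS_READ ((1ULL << 2) | (1ULL << 3)) /* LANDLOCK_ACCESS_FS_READ_FILE | _READ_DIR */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
/* Landlock ABI version (>= 1) or -errno. -ENOSYS: kernel built without the syscalls;
 * -EOPNOTSUPP: built with Landlock but the LSM not enabled at boot (the desktop-VM kernel case). */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -errno : (int)v;
}
/* Confine the calling process to read-only access beneath `dir`. All 13 ABI v1 rights are
 * handled, so exec, write, create and reads elsewhere are denied. Irreversible. Returns 0 or -errno. */
int landlock_restrict_readonly(const char *dir) {
    struct ll_ruleset_attr rs = { .handled_access_fs = LL_FS_ALL_V1 };
    struct ll_path_beneath_attr pb = { .allowed_access = LL_FS_READ, .parent_fd = -1 };
    int ruleset = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset < 0) return -errno;
    int err = (pb.parent_fd = open(dir, O_PATH | O_CLOEXEC)) < 0 ? errno : 0;
    if (!err && syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &pb, 0)) err = errno;
    if (!err && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) err = errno; /* mandatory before restrict_self */
    if (!err && syscall(__NR_landlock_restrict_self, ruleset, 0)) err = errno;
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    close(ruleset);
    return -err;
}
int main(int argc, char **argv) { /* ./probe [DIR]: report support; with DIR, confine and read outside it */
    int abi = landlock_abi_version(), rc = 0;
    printf("landlock: %s\n", abi > 0 ? "available" : strerror(-abi));
    if (abi > 0 && argc > 1 && !(rc = landlock_restrict_readonly(argv[1]))) /* confined to argv[1] */
        printf("open(/) after restrict: %s\n", open("/", O_RDONLY) < 0 ? strerror(errno) : "ok");
    if (rc) fprintf(stderr, "restrict: %s\n", strerror(-rc));
    return abi > 0 && rc == 0 ? 0 : 1;
}
```

Run it with no arguments inside a Docker Desktop container and it reports the missing support; on a native Linux host with Landlock, `./probe /path/to/dir` shows `open(/)` failing with "Permission denied" after the ruleset is applied. To wrap a command the way landrun does, the binary's tree also needs the EXECUTE right before calling execvp.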
Are you currently working around the issue?
I have also opened the same issue for Apple Container and Podman Desktop.
Additional context