Günther Noack

Results: 18 issues by Günther Noack

@l0kod This is running the go-landlock tests as GitHub Actions on qemu... (It's based on the example at https://github.com/florianl/bluebox/blob/main/.github/workflows/example.yml by @florianl) Some unsolved logistics problems: * It probably uses a...

Does golandlock need a fallback mechanism for non-existent files? This occurred to me when landlocking some real-life programs; there are some files, such as `~/.Xauthority` or various configuration directories, which...

Improve documentation, explain underlying concepts a bit better.

Users should be able to group their own libraries of commonly used rules that are used together. Idea:

```
package llopts

import ...

var SharedLibraries = landlock.GroupRules(
    landlock.RODirs("/usr/lib", "/lib"),
    landlock.RWDirs(os.Getenv("TMPDIR")),
    ...
```

When using non-file access rights on files (rather than directories), it is possible to get go-landlock to return a `BUG(go-landlock)` error. This is unintended and should be fixed. Reported by...

Should we restrict the use of POSIX message queues? https://man7.org/linux/man-pages/man7/mq_overview.7.html According to [*mq_open(3)*](https://man7.org/linux/man-pages/man3/mq_open.3.html), this is implemented based on a system call with the same name, but I could not find...

enhancement

System V message queues are acquired with msgget(2). The key for acquiring these is in a system-global namespace, so it seems that we might want to restrict their use somehow,...

enhancement

https://lore.kernel.org/linux-security-module/[email protected]/ When a process accesses a file on eCryptfs, the kernel accesses the encrypted underlying file for it from a different file system, but it does so with the calling...

bug

[*statfs*(2)](https://man7.org/linux/man-pages/man2/statfs.2.html) lets callers probe for the existence of files, and retrieve information about the file system. We might want to restrict that. * There is already an existing LSM hook...

enhancement

Compare https://wiki.gnoack.org/LandlockIoctlSupport. Work is underway on the "ioctl" branch.