Mickaël Salaün
p7zip handles a lot of archive formats, each bringing complexity and extending its attack surface. Landlock is a Linux security sandboxing mechanism which helps limit the impact of bug exploitation....
[Nadeko](https://github.com/klutzy/nadeko) could replace custom unsafe assembly code while keeping constant-time operations. cc #93
Landlock is a Linux feature that enables creating security sandboxes (see https://docs.kernel.org/userspace-api/landlock.html). Allow the three related system calls (available since Linux 5.13): landlock_create_ruleset, landlock_add_rule, and landlock_restrict_self. Signed-off-by: Mickaël Salaün
Binder is able to emulate a thread migration to transfer the client's priority to the receiving thread. Underneath, the kernel sets the receiving thread's nice level (cf. binder_set_nice() in drivers/android/binder.c)....
The common pieces from [appjaillauncher-rs](https://github.com/trailofbits/appjaillauncher-rs) and [flying-sandbox-monster](https://github.com/trailofbits/flying-sandbox-monster) (acl.rs and appcontainer.rs) may be packed in a standalone library and published on [crates.io](https://crates.io). This would be useful to reuse your code without...
As explained in #3928, enable the Landlock LSM by default for 5.15 kernels. Remove old experimental patches.
We worked together a few years ago (cf. #1554) before the Landlock LSM was in mainline. A lot changed since then, and Landlock is now widely available and enabled by...
We need tooling to measure the performance impact of kernel changes. Until now, we used simple scripts to get an idea of the [worst-case scenarios](https://lore.kernel.org/all/[email protected]/), and manual profiling. It...
To make it simpler, a Landlock domain is currently a `landlock_ruleset` struct. The use of this data structure includes fields which are useless for a domain, and a red-black tree...
We can now control TCP actions (`bind(2)` and `connect(2)`), and it would be useful to have a similar semantic for UDP. It's a bit tricky because of the datagram nature...