Mickaël Salaün
To avoid filesystem (FS) security policy bypass, a landlocked process with FS restrictions cannot do any FS topology changes (see d7220364039f6beb76f311c05f74cad89da5fad5), which include any mount calls. Even with FS restrictions,...
Currently, `landlock_restrict_self(2)` applies a ruleset on the calling thread, which makes sense from a kernel point of view, and enables some use cases such as tests. However it might be...
Before enforcing a sandbox on a fleet with potentially different configurations and states, it would be useful to know whether a restriction would have an effect on legitimate use cases....
Because of the way path-based LSM hooks work, it is not possible to control some actions such as `chdir`, which may enable a sandboxed process to infer file names. It...
[Fault injection](https://docs.kernel.org/fault-injection/fault-injection.html) makes it possible to trigger kernel errors (e.g. when calling `kmalloc()`) and then test rare cases. It would be useful to improve kernel test coverage by extending current test cases...
Because some network services and clients might `bind(2)` (or even `connect(2)`) to a legitimate range of ports (e.g. to improve the number of concurrent connections between internal services), it would...
Make `ioctl(2)` requests restrictable with Landlock, in a way that is useful for real-world applications. See https://lore.kernel.org/all/[email protected]/ @gnoack is working on that.
We should be able to control access to file metadata (e.g. `chmod`, `chgrp`, `setxattr`, `getxattr`, `utime`). Some path-based LSM hooks make it possible to control a subset of these modifications, but we...
Linux 6.7 adds an initial Landlock network support with TCP bind and connect restrictions.
The kernel will eventually make it possible to handle all the threads of the current process (see landlock-lsm/linux#2), but it would be good to do the same from the currently available user...