#landlock — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #landlock, aggregated by home.social.
-
Just pushed #Landlock support to #lwan!
This should significantly improve its security (can't call exec*(2), can't bind to ports other than those in the config file, can't read files outside where they should be served, etc).
I still need to clean some stuff up so it all works well with older kernels (or with Landlock disabled system-wise), but I'm happy with the results so far.
-
#Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3510 #exherbo
-
Linux Landlock — песочница для приложений без root
Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор
https://habr.com/ru/companies/otus/articles/1001910/
#Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы
-
Linux Landlock — песочница для приложений без root
Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор
https://habr.com/ru/companies/otus/articles/1001910/
#Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы
-
Linux Landlock — песочница для приложений без root
Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор
https://habr.com/ru/companies/otus/articles/1001910/
#Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы
-
Linux Landlock — песочница для приложений без root
Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор
https://habr.com/ru/companies/otus/articles/1001910/
#Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы
-
To compare #sydbox and #gvisor, take 2 CVEs: CVE-2018-19333, gvisor proc2proc arbitrary-memory-write which wasn't classified as sandbox break. Vuln is there because gvisor uses the seccomp-trap API to run all in a single process ignoring ASLR.. CVE-2024-42318 aka Houdini is a #landlock break where a keyrings(7) call would unlock the sandbox. Syd wasn't affected: 1. keyrings is def disabled 2. open call happens in a syd emulator thread confined by same landlock sandbox. #exherbo #linux #security
-
I gave a talk at #FOSDEM about Island: Sandboxing tool powered by #Landlock
https://fosdem.org/2026/schedule/event/EW8M3R-island/ -
#sydbox 3.48.6 is out! Each time I say last release before #FOSDEM I end up doing another one so I don't do that this time :-) Some bug fixes and hardenings, AES encryption threads now run with no access to filesystem and network thanks to a per-thread #landlock sandbox which is somewhat cool. ChangeLog is where the rest of the story is as usual: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3486 #exherbo #linux #security
-
🐧 Leveraging #Landlock Telemetry for #Linux Detection Engineering
Sekoia #TDR explores how Linux Landlock telemetry can be leveraged to build high-fidelity, low-noise detections by observing sandbox policy violations.
https://blog.sekoia.io/leveraging-landlock-telemetry-for-linux-detection-engineering/
-
signify-rs 0.3.0 is released! The main code now runs sandboxed with #capsicum on #FreeBSD, #pledge/#unveil on #OpenBSD, and #landlock on #Linux. File opens are hardened with openat2 on Linux and O_NOFOLLOW on #unix. Resource limits are set for further hardening. Code fixed to create deterministic signatures, bit-exact with the reference implementation. Refer to the ChangeLog for more information: https://git.sr.ht/~alip/signify/tree/main/item/ChangeLog.md #rustlang #security
-
@tris @cas @craftyguy bwrap is useful as a wrapper, and I previously contributed to it. The iced command is a shell script, so it needs such a wrapper, and in fact bwrap is used to run commands *outside* a chroot: https://gitlab.postmarketos.org/postmarketOS/iced/-/commit/2c2f5fd343444a6b4541bb782765204468d2cfb5
Built-in sandboxing would be useful though: #Landlock is unprivileged and then a safer approach while being more flexible, but it doesn't have the same features. -
I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.
Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.
Source code: https://codeberg.org/mark22k/mping-sender
#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng
-
I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.
Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.
Source code: https://codeberg.org/mark22k/mping-sender
#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng
-
I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.
Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.
Source code: https://codeberg.org/mark22k/mping-sender
#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng
-
I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.
Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.
Source code: https://codeberg.org/mark22k/mping-sender
#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng
-
I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.
Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.
Source code: https://codeberg.org/mark22k/mping-sender
#Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng
-
RustNet v0.17.0 released 🎉
What's New:
- Landlock sandbox & capability dropping (Linux security)
- eBPF thread-to-process name resolution
- New CLI options: --no-sandbox, --sandbox-strict
- Platform code reorganizationInstallation:
Fedora/RHEL: COPR | Ubuntu: PPA | Arch: AUR
macOS: Homebrew | Windows: Chocolatey | FreeBSD: pkg🔗 https://github.com/domcyrus/rustnet/releases/tag/v0.17.0
#RustLang #Rust #Linux #Networking #OpenSource #Terminal #TUI #Security #eBPF #landlock
-
Just released Island 🏝️, a sandboxing tool powered by #Landlock.
It auto‑confines processes according to the caller's context (e.g. CWD) and comes with slick Zsh integration, so you can use your terminal naturally without command prefixes. Feedback welcome!
https://github.com/landlock-lsm/island -
Hardening with Firejail, Landlock, and bubblewrap
Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.
First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.
What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.
Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.
The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.
Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.
I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.
#security #linux #bwrap #landlock #firejail
Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
-
Hardening with Firejail, Landlock, and bubblewrap
Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.
First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.
What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.
Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.
The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.
Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.
I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.
#security #linux #bwrap #landlock #firejail
Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
-
Hardening with Firejail, Landlock, and bubblewrap
Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.
First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.
What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.
Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.
The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.
Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.
I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.
#security #linux #bwrap #landlock #firejail
Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
-
Hardening with Firejail, Landlock, and bubblewrap
Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.
First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.
What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.
Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.
The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.
Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.
I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.
#security #linux #bwrap #landlock #firejail
Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
-
Hardening with Firejail, Landlock, and bubblewrap
Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.
First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.
What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.
Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.
The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.
Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.
I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.
#security #linux #bwrap #landlock #firejail
Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
-
In a shocking twist, a blog post from the future claims to have discovered #Landlock, a "new" #Linux #API that lets developers play a feeble game of 'Mother, May I?' with the #kernel. 🎩✨ Apparently, this revolutionary concept is so simple, even your grandmother could understand it—if she knew what a kernel was! 😜📚
https://blog.prizrak.me/post/landlock/ #FutureTech #Development #Fun #HackerNews #ngated -
crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.
Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/apparmor/usr.bin.crazytrace
https://codeberg.org/mark22k/crazytrace/src/commit/c5eb9eaf8b12266ecad3c3d1e0cd5388f351cc72/src/main.cpp#crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp
-
Talking about sandboxing services, I'll give a talk at #AllSystemsGo in a few hours about using #Landlock with systemd: https://cfp.all-systems-go.io/all-systems-go-2025/talk/FXWDCF/
-
Talking about sandboxing services, I'll give a talk at #AllSystemsGo in a few hours about using #Landlock with systemd: https://cfp.all-systems-go.io/all-systems-go-2025/talk/FXWDCF/
-
Talking about sandboxing services, I'll give a talk at #AllSystemsGo in a few hours about using #Landlock with systemd: https://cfp.all-systems-go.io/all-systems-go-2025/talk/FXWDCF/
-
Talking about sandboxing services, I'll give a talk at #AllSystemsGo in a few hours about using #Landlock with systemd: https://cfp.all-systems-go.io/all-systems-go-2025/talk/FXWDCF/
-
#sydbox 3.38.0 is released! Refined device restrictions, hardened proc & seccomp filters, #OpenBSD pledge(2) style category sets, #Landlock ABI 7 support, and safer handling of memfd & personality flags. See https://is.gd/syd_3_38_0 I'll be giving a talk on advanced sandboxing at #BalCCon2k25! Everyone is invited! #exherbo #linux #security
-
I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
https://lsseu2025.sched.com/event/25GET -
I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
https://lsseu2025.sched.com/event/25GET -
I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
https://lsseu2025.sched.com/event/25GET -
I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
https://lsseu2025.sched.com/event/25GET -
I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
https://lsseu2025.sched.com/event/25GET -
AI agents can potentially gain extensive access to user data, and even write or execute arbitrary code.
OpenAI Codex CLI uses #Landlock sandboxing to reduce the risk of buggy or malicious commands: https://github.com/openai/codex/pull/763
For now, it only blocks arbitrary file changes, but there’s room to strengthen protections further, and the ongoing rewrite in #Rust will help: https://github.com/openai/codex/pull/629
Landlock is designed for exactly this kind of use case, providing unprivileged and flexible access control.
-
-
Updated #sydbox to 3.35.0: hardened #Landlock, empty mount namespaces using pivot_root and root:tmpfs a la #bubblewrap, many bug fixes thx to LTP, many bug/portability fixes thx to #alpine #linux folks. New utilities #syd-fd and #syd-x. See the release mail for more information: https://is.gd/syd_3_35_0 #exherbo #hacking #security
-
News from #sydbox #git: #Landlock compatibility levels are now supported with the "default/lock" option. Default compat level has been changed from "best-effort" to "hard-requirement" to adhere to the principle of secure defaults. Our standalone #Landlock utility syd-lock learned "-C" option to interface with compat levels. ENOENT, aka "No such file or directory" errors during sandbox setup are now fatal unless compat level has been set to "best-effort". #linux #security https://man.exherbo.org/syd-lock.1.html
-
News from #sydbox: when you configure syd-tor to use a #UNIX domain socket for external #TOR connections which is a new feature it will open an O_PATH fd to the socket, enter into a network+mount+user+... namespace, chroot into /proc/self/fd and access the unix socket using the fd number. This means it will work even if you remove the socket. The socket is duplicated to a random fd to make fd reuse harder. We also apply mdwe, #seccomp and #landlock on top, read more here: https://man.exherbo.org/syd-tor.1.html#SECURITY
-
#sydbox-3.33.0 is released, This work continues the sandbox category rework: "rmdir" category is now split from the "delete" category and the #landlock categories have been refined to be more #openbsd #pledge like. The tool syd-lock also got a rework so landlock categories may be used with that too while the old, easyinterface is still available so your scripts will not break! See the release announcement for more information: https://is.gd/eVxsBt #exherbo
-
Landrun: Sandbox any Linux process using Landlock, no root or containers
https://github.com/Zouuup/landrun
#HackerNews #Landrun #Sandbox #Linux #Landlock #NoRoot #Containers
-
Landrun: Sandbox any Linux process using Landlock, no root or containers
https://github.com/Zouuup/landrun
#HackerNews #Landrun #Sandbox #Linux #Landlock #NoRoot #Containers