home.social

#landlock — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #landlock, aggregated by home.social.

  1. Just pushed #Landlock support to #lwan!

    This should significantly improve its security (can't call exec*(2), can't bind to ports other than those in the config file, can't read files outside where they should be served, etc).

    I still need to clean some stuff up so it all works well with older kernels (or with Landlock disabled system-wise), but I'm happy with the results so far.

  2. #Sydbox 3.51.0 is out: #Security update fixing multiple Crypt Sandboxing race conditions, an ioctl(2) truncation bypass, and a MIPS ptrace(2) bug. Force Sandboxing now uses the Kernel Crypto API (AF_ALG) for zero-copy hashing. #Landlock sandboxing is on by default. wordexp(3) confinement hardened. pandora 0.20.0 generates #Landlock rules. Sydbox is a rock solid application #kernel to sandbox applications on #Linux: gitlab.exherbo.org/sydbox/sydb #exherbo

  3. Linux Landlock — песочница для приложений без root

    Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор

    habr.com/ru/companies/otus/art

    #Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы

  4. Linux Landlock — песочница для приложений без root

    Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор

    habr.com/ru/companies/otus/art

    #Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы

  5. Linux Landlock — песочница для приложений без root

    Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор

    habr.com/ru/companies/otus/art

    #Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы

  6. Linux Landlock — песочница для приложений без root

    Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор

    habr.com/ru/companies/otus/art

    #Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы

  7. To compare #sydbox and #gvisor, take 2 CVEs: CVE-2018-19333, gvisor proc2proc arbitrary-memory-write which wasn't classified as sandbox break. Vuln is there because gvisor uses the seccomp-trap API to run all in a single process ignoring ASLR.. CVE-2024-42318 aka Houdini is a #landlock break where a keyrings(7) call would unlock the sandbox. Syd wasn't affected: 1. keyrings is def disabled 2. open call happens in a syd emulator thread confined by same landlock sandbox. #exherbo #linux #security

  8. #sydbox 3.48.6 is out! Each time I say last release before #FOSDEM I end up doing another one so I don't do that this time :-) Some bug fixes and hardenings, AES encryption threads now run with no access to filesystem and network thanks to a per-thread #landlock sandbox which is somewhat cool. ChangeLog is where the rest of the story is as usual: gitlab.exherbo.org/sydbox/sydb #exherbo #linux #security

  9. 🐧 Leveraging #Landlock Telemetry for #Linux Detection Engineering

    Sekoia #TDR explores how Linux Landlock telemetry can be leveraged to build high-fidelity, low-noise detections by observing sandbox policy violations.

    blog.sekoia.io/leveraging-land

  10. The blog post dives into how #Landlock, originally designed as a security hardening mechanism, can also become a powerful source of telemetry for detection engineering on #Linux systems.

  11. signify-rs 0.3.0 is released! The main code now runs sandboxed with #capsicum on #FreeBSD, #pledge/#unveil on #OpenBSD, and #landlock on #Linux. File opens are hardened with openat2 on Linux and O_NOFOLLOW on #unix. Resource limits are set for further hardening. Code fixed to create deterministic signatures, bit-exact with the reference implementation. Refer to the ChangeLog for more information: git.sr.ht/~alip/signify/tree/m #rustlang #security

  12. @tris @cas @craftyguy bwrap is useful as a wrapper, and I previously contributed to it. The iced command is a shell script, so it needs such a wrapper, and in fact bwrap is used to run commands *outside* a chroot: gitlab.postmarketos.org/postma
    Built-in sandboxing would be useful though: #Landlock is unprivileged and then a safer approach while being more flexible, but it doesn't have the same features.

  13. I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

    Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

    Source code: codeberg.org/mark22k/mping-sen

    #Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

  14. I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

    Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

    Source code: codeberg.org/mark22k/mping-sen

    #Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

  15. I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

    Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

    Source code: codeberg.org/mark22k/mping-sen

    #Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

  16. I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

    Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

    Source code: codeberg.org/mark22k/mping-sen

    #Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

  17. I have developed mping-sender over the last few days. It is a simple program that sends a UDP packet to a (freely selectable) multicast address every second. It is therefore well suited for testing multicast. It is partially compatible with the mping client.

    Furthermore, it is protected by landlock, seccomp, libcap-ng, AppArmor, and systemd.

    Source code: codeberg.org/mark22k/mping-sen

    #Networking #Programming #dn42 #Multicast #landlock #AppArmor #libseccomp #seccomp #systemd #libcapng

  18. RustNet v0.17.0 released 🎉

    What's New:
    - Landlock sandbox & capability dropping (Linux security)
    - eBPF thread-to-process name resolution
    - New CLI options: --no-sandbox, --sandbox-strict
    - Platform code reorganization

    Installation:
    Fedora/RHEL: COPR | Ubuntu: PPA | Arch: AUR
    macOS: Homebrew | Windows: Chocolatey | FreeBSD: pkg

    🔗 github.com/domcyrus/rustnet/re

    #RustLang #Rust #Linux #Networking #OpenSource #Terminal #TUI #Security #eBPF #landlock

  19. Just released Island 🏝️, a sandboxing tool powered by #Landlock.
    It auto‑confines processes according to the caller's context (e.g. CWD) and comes with slick Zsh integration, so you can use your terminal naturally without command prefixes. Feedback welcome!
    github.com/landlock-lsm/island

  20. Hardening with Firejail, Landlock, and bubblewrap

    Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

    First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

    What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

    Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

    The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

    Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

    I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.

    #security #linux #bwrap #landlock #firejail

    Originally published [on my blog](advancedweb.hu/shorts/hardenin)

  21. Hardening with Firejail, Landlock, and bubblewrap

    Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

    First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

    What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

    Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

    The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

    Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

    I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.

    #security #linux #bwrap #landlock #firejail

    Originally published [on my blog](advancedweb.hu/shorts/hardenin)

  22. Hardening with Firejail, Landlock, and bubblewrap

    Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

    First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

    What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

    Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

    The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

    Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

    I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.

    #security #linux #bwrap #landlock #firejail

    Originally published [on my blog](advancedweb.hu/shorts/hardenin)

  23. Hardening with Firejail, Landlock, and bubblewrap

    Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

    First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

    What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

    Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

    The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

    Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

    I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.

    #security #linux #bwrap #landlock #firejail

    Originally published [on my blog](advancedweb.hu/shorts/hardenin)

  24. Hardening with Firejail, Landlock, and bubblewrap

    Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

    First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

    What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

    Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

    The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

    Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

    I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.

    #security #linux #bwrap #landlock #firejail

    Originally published [on my blog](advancedweb.hu/shorts/hardenin)

  25. In a shocking twist, a blog post from the future claims to have discovered #Landlock, a "new" #Linux #API that lets developers play a feeble game of 'Mother, May I?' with the #kernel. 🎩✨ Apparently, this revolutionary concept is so simple, even your grandmother could understand it—if she knew what a kernel was! 😜📚
    blog.prizrak.me/post/landlock/ #FutureTech #Development #Fun #HackerNews #ngated

  26. crazytrace, my network simulation program that generates a crazy topology behind a TAP device to test traceroute implementations, now has an apparmor profile.

    Furthermore, I have now implemented capability dropping with libcap-ng, landlock sandboxing (via a blacklist), and seccomp sandboxing (via a blacklist).

    codeberg.org/mark22k/crazytrac
    codeberg.org/mark22k/crazytrac

    #crazytrace #traceroute #Networking #Programming #Security #apparmor #libcap #libcapng #landlock #seccomp

  27. Before you write your own #landlock wrapper, check this one out: syd-lock, a simple #cli that supports up to #landlock abi 7 with a simple interface: man.exherbo.org/syd-lock.1.html #exherbo #linux #security

  28. #sydbox 3.38.0 is released! Refined device restrictions, hardened proc & seccomp filters, #OpenBSD pledge(2) style category sets, #Landlock ABI 7 support, and safer handling of memfd & personality flags. See is.gd/syd_3_38_0 I'll be giving a talk on advanced sandboxing at #BalCCon2k25! Everyone is invited! #exherbo #linux #security

  29. I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
    lsseu2025.sched.com/event/25GET

    github.com/landlock-lsm/landlo

  30. I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
    lsseu2025.sched.com/event/25GET

    github.com/landlock-lsm/landlo

  31. I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
    lsseu2025.sched.com/event/25GET

    github.com/landlock-lsm/landlo

  32. I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
    lsseu2025.sched.com/event/25GET

    github.com/landlock-lsm/landlo

  33. I gave a (2nd) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, to define sandboxing security policies. The provided library (Rust and C for now) can also compose configurations to ease sharing and maintenance. This is especially useful to sandbox programs without modifying them, and to easily manage and audit Landlock policies. It could also be part of other configuration formats such as the OCI runtime specification.
    lsseu2025.sched.com/event/25GET

    github.com/landlock-lsm/landlo

  34. AI agents can potentially gain extensive access to user data, and even write or execute arbitrary code.

    OpenAI Codex CLI uses #Landlock sandboxing to reduce the risk of buggy or malicious commands: github.com/openai/codex/pull/7

    For now, it only blocks arbitrary file changes, but there’s room to strengthen protections further, and the ongoing rewrite in #Rust will help: github.com/openai/codex/pull/6

    Landlock is designed for exactly this kind of use case, providing unprivileged and flexible access control.

  35. Updated #sydbox to 3.35.0: hardened #Landlock, empty mount namespaces using pivot_root and root:tmpfs a la #bubblewrap, many bug fixes thx to LTP, many bug/portability fixes thx to #alpine #linux folks. New utilities #syd-fd and #syd-x. See the release mail for more information: is.gd/syd_3_35_0 #exherbo #hacking #security

  36. News from #sydbox #git: #Landlock compatibility levels are now supported with the "default/lock" option. Default compat level has been changed from "best-effort" to "hard-requirement" to adhere to the principle of secure defaults. Our standalone #Landlock utility syd-lock learned "-C" option to interface with compat levels. ENOENT, aka "No such file or directory" errors during sandbox setup are now fatal unless compat level has been set to "best-effort". #linux #security man.exherbo.org/syd-lock.1.html

  37. News from #sydbox: when you configure syd-tor to use a #UNIX domain socket for external #TOR connections which is a new feature it will open an O_PATH fd to the socket, enter into a network+mount+user+... namespace, chroot into /proc/self/fd and access the unix socket using the fd number. This means it will work even if you remove the socket. The socket is duplicated to a random fd to make fd reuse harder. We also apply mdwe, #seccomp and #landlock on top, read more here: man.exherbo.org/syd-tor.1.html

  38. #sydbox-3.33.0 is released, This work continues the sandbox category rework: "rmdir" category is now split from the "delete" category and the #landlock categories have been refined to be more #openbsd #pledge like. The tool syd-lock also got a rework so landlock categories may be used with that too while the old, easyinterface is still available so your scripts will not break! See the release announcement for more information: is.gd/eVxsBt #exherbo