- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Landlock: What Is It?
Landlock is a Linux API that lets applications explicitly declare which resources they are allowed to access. Its philosophy is similar to OpenBSD’s unveil() and (less so) pledge(): programs can make a contract with the kernel stating, “I only need these files or resources — deny me everything else if I’m compromised.”
It provides a simple, developer-friendly way to add defense-in-depth to applications. Compared to traditional Linux security mechanisms, Landlock is vastly easier to understand and integrate.
This post is meant to be an accessible introduction, and hopefully persuade you to give Landlock a try.
Neat. Tbh the app you are securing being the one in charge makes this limited and not a replacement of SELINUX or containers, but it does add some neat features like dynamic controls based on runtime configs that have bit my butt before. So say you set a port or working dir during startup, now it can set landlock to that and the actual process running it will be limited. Very cool still.