User:JM01085758/lsm/landlock
From Gentoo Wiki
< User:JM01085758 | lsm
Jump to:navigation
Jump to:search
[proj_blog_url Blog]
Landlock is a stackable LSM that enables creation of sandboxes to restrict the ambient rights of unprivileged processes. The aim is to lessen the security impact of bugs, malicious programs, or misbehaving user space applications. Other LSMs are designed to allow root to enforce a security policy for the system. Landlock intends to fill the gap of providing a way for developers to enforce a security policy for their applications. It is similar to Seatbelt/XNU Sandbox or OpenBSD Pledge.
Ambient rights global filesystem access
not based on eBPF anymore
Installation
Kernel
KERNEL Enable support for <Software_title>
Write menuconfig instructions here.
Additional software
Configuration
Environment variables
- VAR1
- VAR2
Files
- /etc/global_file_example - Global (system wide) configuration file.
- ~/.local_file_example - Local (per user) configuration file.
Usage
Important
Landlock runs in blocking mode by default.
Landlock runs in blocking mode by default.
Invocation
Suricata
https://docs.suricata.io/en/latest/configuration/landlock.html
Troubleshooting
Issue 1
Removal
See also
External resources
- https://docs.kernel.org/security/landlock.html
- https://subspace.kernel.org/lists.linux.dev.html — Landlock mailing list]