Landlock: What Is It?

Landlock is a Linux API that lets an application explicitly declare which resources it is allowed to access. Its philosophy is close to OpenBSD's unveil() and, less so, pledge(): a program makes a contract with the kernel that says, "I only need these files or resources; deny me everything else if I am compromised." It is a simple, developer-friendly way to add defense in depth to an application, and compared with traditional Linux security mechanisms it is far easier to understand and integrate. This post is meant as an accessible introduction, and hopefully persuades you to give Landlock a try.

How Does It Work?

Landlock is a Linux Security Module (LSM) available since Linux 5.13. Unlike MAC frameworks such as SELinux or AppArmor, Landlock applies transient restrictions: a policy is created at runtime, enforced on the calling thread and its future descendants, and disappears when the process exits. You do not tag files with labels or extended attributes; the application builds its policy dynamically, and the policy applies to the objects those paths resolve to at the time the rule is added, not to the path strings.

A Landlock policy consists of two pieces:

- Handled accesses: the categories of operation you want to restrict (for example filesystem reads and writes). Anything not handled is left unrestricted.
- Access grants: an explicit allowlist of which objects are permitted for those operations. Everything handled and not granted is denied.

For example, you could create a policy that handles all filesystem reads and writes plus TCP binds, and grants:

- read-only access to /home/user
- read/write access to /tmp
- permission to bind TCP port 2222

(Network rules for TCP bind and connect were added in Linux 6.7; earlier kernels only know the filesystem access rights, so a program that wants to run on both must check the Landlock ABI version and only ask the kernel to handle rights it supports.)

The application then calls landlock_restrict_self() to enter the restricted domain. The call requires that the thread has set no_new_privs (or holds CAP_SYS_ADMIN in its user namespace), so that a sandboxed process cannot escape through a setuid binary. From that point on, that thread and every thread and process it creates are constrained, and the restriction cannot be revoked. Note that the restriction is per thread: threads that already exist when landlock_restrict_self() is called are not affected, so apply the policy before spawning worker threads.

Policies can be layered (up to 16 layers). A child layer may further reduce access, but it cannot reintroduce permissions that a parent layer removed.
For example, a child thread may add a layer to this policy to restrict itself to only reading /home/user, but it cannot regain permission to bind to port...
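The policy described above, built with the raw Landlock syscalls, as an added example written for this article rather than code from the original post. It assumes kernel UAPI headers from Linux 5.13 or later; the small compatibility shims at the top supply the network constants and the newer filesystem rights when the headers predate them, and the fs_rights_for_abi()/net_rights_for_abi() helpers clamp the handled set to what the running kernel reports, which is the check a portable program needs to avoid EINVAL on older kernels. The directories /home/user and /tmp and port 2222 are the article's example values; the ll_ruleset_attr mirror struct and all function names are local to this example.

```c
/* Added example: apply the article's policy (ro /home/user, rw /tmp, bind 2222)
 * with the raw Landlock syscalls. Not the original post's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/landlock.h>

/* Compatibility shims for headers older than the kernel features they name.
 * Values are the upstream UAPI constants (assumption: matching upstream). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef LANDLOCK_ACCESS_FS_REFER
#define LANDLOCK_ACCESS_FS_REFER     (1ULL << 13)   /* ABI 2 */
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE  (1ULL << 14)   /* ABI 3 */
#endif
#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15)   /* ABI 5 */
#endif
#ifndef LANDLOCK_ACCESS_NET_BIND_TCP                /* ABI 4, Linux 6.7 */
#define LANDLOCK_ACCESS_NET_BIND_TCP    (1ULL << 0)
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#define LANDLOCK_RULE_NET_PORT 2
struct landlock_net_port_attr { __u64 allowed_access; __u64 port; };
#endif

/* Local mirror of struct landlock_ruleset_attr with only the fields used here.
 * The kernel accepts a larger-than-known struct as long as the extra bytes are
 * zero, so a zeroed handled_access_net is harmless on kernels before 6.7. */
struct ll_ruleset_attr { __u64 handled_access_fs; __u64 handled_access_net; };

static int ll_create_ruleset(const struct ll_ruleset_attr *a, size_t sz, __u32 flags)
{ return (int)syscall(__NR_landlock_create_ruleset, a, sz, flags); }
static int ll_add_rule(int fd, int type, const void *attr)
{ return (int)syscall(__NR_landlock_add_rule, fd, type, attr, 0); }
static int ll_restrict_self(int fd)
{ return (int)syscall(__NR_landlock_restrict_self, fd, 0); }

/* Landlock ABI version reported by the kernel, or -1 if Landlock is absent or disabled. */
int landlock_abi(void)
{
    int v = ll_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : v;
}

/* Rights each ABI version knows. Handling an unknown right fails with EINVAL. */
__u64 fs_rights_for_abi(int abi)
{
    __u64 fs = (1ULL << 13) - 1;                        /* ABI 1: bits 0..12 */
    if (abi >= 2) fs |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) fs |= LANDLOCK_ACCESS_FS_TRUNCATE;
    if (abi >= 5) fs |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
    return fs;
}
__u64 net_rights_for_abi(int abi)
{ return abi >= 4 ? LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP : 0; }

/* Grant `access` beneath `path`. The rule binds to the inode opened now, not the string. */
static int allow_path(int ruleset_fd, const char *path, __u64 access)
{
    struct landlock_path_beneath_attr pb = { .allowed_access = access };
    pb.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (pb.parent_fd < 0) return -1;
    int ret = ll_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb);
    int saved = errno; close(pb.parent_fd); errno = saved;
    return ret;
}

/* 0: policy enforced; 1: Landlock unavailable (caller decides); -1: error, errno set. */
int sandbox_self(const char *ro_dir, const char *rw_dir, unsigned port)
{
    int abi = landlock_abi();
    if (abi < 0) return 1;
    struct ll_ruleset_attr attr = { .handled_access_fs = fs_rights_for_abi(abi),
                                    .handled_access_net = net_rights_for_abi(abi) };
    int fd = ll_create_ruleset(&attr, sizeof attr, 0);
    if (fd < 0) return -1;
    /* Grants must be a subset of the handled rights, so derive them from `attr`. */
    int ok = allow_path(fd, ro_dir, LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR) == 0
          && allow_path(fd, rw_dir, attr.handled_access_fs) == 0;
    if (ok && attr.handled_access_net) {
        struct landlock_net_port_attr np = { .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, .port = port };
        ok = ll_add_rule(fd, LANDLOCK_RULE_NET_PORT, &np) == 0;
    }
    /* no_new_privs is mandatory unless the thread has CAP_SYS_ADMIN in its namespace. */
    ok = ok && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && ll_restrict_self(fd) == 0;
    int saved = errno; close(fd); errno = saved;
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *ro = argc > 1 ? argv[1] : "/home/user";
    const char *rw = argc > 2 ? argv[2] : "/tmp";
    int r = sandbox_self(ro, rw, 2222);
    if (r < 0) { perror("sandbox_self"); return 1; }
    if (r == 1) fputs("Landlock unavailable; running unrestricted\n", stderr);
    /* /etc/hostname is world-readable, but it is outside the allowlist: expect EACCES. */
    int fd = open("/etc/hostname", O_RDONLY);
    printf("read /etc/hostname: %s\n", fd < 0 ? strerror(errno) : "allowed");
    if (fd >= 0) close(fd);
    return 0;
}
```

Run it as `./sandbox [ro_dir] [rw_dir]`; on a kernel with Landlock enabled the final open fails with "Permission denied", and on a kernel without it the program says so and continues, which is the usual choice for a best-effort sandbox (a program that must not run unsandboxed should treat return value 1 as fatal instead). Calling sandbox_self() a second time with a tighter policy adds another layer; it can only remove access the first layer granted.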