Talk: Update on Landlock: IOCTL support

📢 I gave a talk about the recent changes in Landlock and its new support for restricting IOCTL usage at the Linux Security Summit Europe 2024 in Vienna:

🌍 Talk page | 🎥 Video on YouTube | 😎 We have stickers!

Talk Summary

The Landlock security module lets Linux processes restrict what they can do and puts developers in charge of defining appropriate sandboxing policies for their programs. We will give a brief overview over Landlock’s current features, recent developments, and talk about what is next. We will discuss in more detail Landlock’s new support for restricting the use of IOCTL and the design considerations and trade-offs that went into it.

In other news

I finally took the time to finish up the mathematical writeup of how Landlock’s file system access rights are composed on the wiki. All of this should be obvious from the documentation, but it can still be helpful to have a mathematical model to check against.