📢 I gave a talk about the recent changes in Landlock and its new
[support for restricting IOCTL
usage](https://wiki.gnoack.org/LandlockIoctlControl) at the Linux
Security Summit Europe 2024 in Vienna:

🌍 [Talk page](https://sched.co/1ebVW)
| 🎥 [Video on YouTube](https://www.youtube.com/watch?v=K2onopkMhuM)
| 😎 [We have stickers!](https://github.com/landlock-lsm/landlock-logo)

## Talk Summary

> The Landlock security module lets Linux processes restrict what they
> can do and puts developers in charge of defining appropriate
> sandboxing policies for their programs. We will give a brief
> overview of Landlock’s current features, recent developments, and
> talk about what is next. We will discuss in more detail Landlock’s
> new support for restricting the use of IOCTL and the design
> considerations and trade-offs that went into it.

## In other news

I finally took the time to finish up the [mathematical writeup of how
Landlock's file system access rights are
composed](https://wiki.gnoack.org/LandlockFileSystemCompositionModel)
on the wiki. All of this should be obvious from the documentation,
but it can still be helpful to have a mathematical model to check
against.
