Landlock Multithreaded Policy Enforcement

With Linux 7.0, Landlock gains the new LANDLOCK_RESTRICT_SELF_TSYNC feature.

With this new flag to the landlock_restrict_self(2) system call, the Landlock policy enforcement is applied to the entire process rather than just the calling thread. (The naming is analogous to the similarly named SECCOMP_FILTER_FLAG_TSYNC flag for Seccomp-BPF.)

The old workaround

The new flag replaces Landlock’s previous need for libpsx in multithreaded environments. Libpsx is a user-space library which uses low-level trickery to make every thread call the Landlock system call directly. This worked to some extent, but it had a drawback: although all threads enforced the same policy, they still ended up in technically distinct Landlock sandboxes, and that makes a difference in some corner cases.

Programming language support

C

Simple C programs which enforce Landlock at the start of main() won’t need this feature, but it can be useful when you are using Landlock in scenarios that are already multithreaded, like multithreaded frameworks or implicitly multithreaded programming languages.
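As an added illustration (not code from this post or from the kernel samples), here is one way a C program can request process-wide enforcement and detect a kernel that does not know the flag. It assumes that such a kernel rejects the unknown flag with EINVAL and that the flag's value is `1U << 3` when building against older headers; `enforce`, `enum scope` and the `fake_*` kernels are hypothetical names, and the fakes are constructed test doubles.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef LANDLOCK_RESTRICT_SELF_TSYNC /* building against pre-7.0 headers */
#define LANDLOCK_RESTRICT_SELF_TSYNC (1U << 3) /* assumed value, verify in linux/landlock.h */
#endif

enum scope { SCOPE_ERROR = -1, SCOPE_THREAD = 0, SCOPE_PROCESS = 1 };
typedef int (*restrict_fn)(int ruleset_fd, unsigned int flags);

/* Real system call; libc provides no wrapper for landlock_restrict_self(2). */
static int sys_restrict_self(int ruleset_fd, unsigned int flags) {
    return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}
/* Constructed test doubles standing in for different kernels. */
int fake_old_kernel(int fd, unsigned int flags) { /* predates the flag */
    (void)fd;
    if (flags != 0) { errno = EINVAL; return -1; }
    return 0;
}
int fake_new_kernel(int fd, unsigned int flags) { (void)fd; (void)flags; return 0; }
int fake_denied(int fd, unsigned int flags) { (void)fd; (void)flags; errno = EPERM; return -1; }

/* Ask for process-wide enforcement; on EINVAL (flag unknown to this kernel)
 * restrict only the calling thread and tell the caller which one happened. */
enum scope enforce(int ruleset_fd, restrict_fn restrict_self) {
    if (restrict_self(ruleset_fd, LANDLOCK_RESTRICT_SELF_TSYNC) == 0)
        return SCOPE_PROCESS;
    if (errno != EINVAL)
        return SCOPE_ERROR;
    return restrict_self(ruleset_fd, 0) == 0 ? SCOPE_THREAD : SCOPE_ERROR;
}

int main(void) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) { perror("landlock setup"); return 1; }
    enum scope s = enforce(fd, sys_restrict_self);
    if (s == SCOPE_ERROR) { perror("landlock_restrict_self"); return 1; }
    close(fd);
    puts(s == SCOPE_PROCESS ? "all threads sandboxed" : "only the calling thread sandboxed");
    return 0;
}
```

A multithreaded caller that gets `SCOPE_THREAD` back has threads that are still unrestricted, so it should treat that result as a failure or use the older per-thread approach.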

Go

The Go-Landlock library moves to version 0.8.0 and offers support for this new feature. To use it, update your dependency on Go-Landlock to version 0.8.0.

No change in API usage is needed. As Go is inherently multithreaded, Landlock policy enforcements through Go-Landlock will automatically use it if the kernel supports it.

References

More details are in:

For the curious, I’ll give a talk about this feature at the upcoming Go meetup in Zurich on 2026-04-23.
