Sandboxing with Landlock
Linux 5.13 is going to include the unprivileged sandboxing feature Landlock, which has been in the making for many years now.
Unprivileged means that you don't need special system-level capabilities such as CAP_MAC_ADMIN to use it, as some other Linux sandboxing mechanisms do. Philosophically speaking, you should not need additional special privileges just to drop the privileges that you already have.
With Landlock, processes can restrict themselves to only use a specified set of file paths, and it lets them control which operations are available on these paths and their subdirectories (for example opening for reading, writing, and directory operations¹).
A similar sandboxing feature, unveil(), has been around in OpenBSD for a while. These slides and talk by Bob Beck discuss the lessons learned and include examples of how to sandbox software with it, which should translate well to Landlock.
To make it easier to play with, I forked the Landlock example tool from the kernel sources and made it compile standalone. You can get it at https://github.com/gnoack/landlockjail, or you can just download a precompiled statically linked version.
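As an added example, written for this post rather than taken from the kernel's sample or the landlockjail tool, here is the "restrict yourself to a set of paths" flow from above in C: create a ruleset that handles every Landlock v1 filesystem right, add a rule per directory that allows only the chosen operations beneath it, then restrict the calling thread. The constants and structs are spelled out (with ll_ names, an assumption of this example) so it builds even where <linux/landlock.h> is missing; on a kernel without Landlock, landlock_abi_version() returns -1.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Landlock ABI v1 values, copied from include/uapi/linux/landlock.h, so this builds on old headers. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_EXECUTE (1ULL << 0)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_ALL_V1 ((1ULL << 13) - 1) /* all 13 v1 rights: "handled" means denied unless allowed */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Kernel's Landlock ABI version, or -1 (errno ENOSYS/EOPNOTSUPP) if Landlock is unavailable. */
int landlock_abi_version(void) {
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* Ruleset handling every v1 right that allows only `access` beneath each path; returns its fd,
 * or -1 with errno set. Nothing is enforced until enforce_ruleset() is called. */
int build_ruleset(const char *const *paths, size_t npaths, uint64_t access) {
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset_fd < 0) return -1;
    for (size_t i = 0; i < npaths; i++) {
        struct ll_path_beneath_attr rule = { .allowed_access = access };
        rule.parent_fd = open(paths[i], O_PATH | O_CLOEXEC); /* O_PATH: works without read access */
        int rc = rule.parent_fd < 0 ? -1 :
            (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
        if (rule.parent_fd >= 0) close(rule.parent_fd);
        if (rc < 0) { close(ruleset_fd); return -1; }
    }
    return ruleset_fd;
}

/* Enforce the ruleset on the calling thread and everything it later forks or execs. no_new_privs
 * is mandatory for a caller without CAP_SYS_ADMIN, and the restriction cannot be lifted afterwards. */
int enforce_ruleset(int ruleset_fd) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
}
```

Calling build_ruleset() on, say, /usr and /etc with LL_FS_READ_FILE | LL_FS_READ_DIR | LL_FS_EXECUTE and then enforce_ruleset() leaves those trees readable while any open for writing, anywhere, fails with EACCES; stat() still works, as the footnote notes.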
¹ At the moment, there are still some gaps: stat(), for example, can still be called even in a landlocked process. But it's moving in the right direction, and at least access to the files' contents can already be restricted.