Sandbox IDs with Landlock
UD2.218A | Day 1 | 15:00 - 15:30 | Speaker: Mickaël Salaün
Abstract
Landlock is an unprivileged access-control mechanism designed to create security sandboxes (Landlock domains). We are working on observability interfaces to identify the cause of denied requests; this requires logging (audit) and a dedicated user-space interface to get information about Landlock domains.
In this talk, we'll explain the challenges of tying log entries to running processes and their properties, given Landlock's unprivileged approach. This led us to create a new kind of ID that ties processes to Landlock domains. We are now working on a new user-space interface to safely get information about these domains. Thanks to its flexibility, Landlock could be leveraged by container runtimes to better isolate processes, and now also to cleanly identify them. We'll discuss the challenges of container labels/IDs, how Landlock could help, and the potential limitations.
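As an added example (not code from the talk or from the Landlock project), the following C program creates the kind of Landlock domain the abstract describes and reproduces the situation the audit and domain-ID work aims to explain: it forks, restricts the child to read-only access beneath "/", then has the child read and attempt to write a constructed temporary file. The write fails with a bare EACCES, and nothing in user space says which domain or rule produced it. The syscall numbers, access bits and struct layouts are copied from linux/landlock.h (ABI v1) and defined locally so the program builds without that header; the `LL_*` names, the `LL_DEMO_*` result codes, the functions and the `/tmp` path template are this example's own. The audit and domain-ID interfaces discussed in the talk are not exercised here. The child exits with `LL_DEMO_UNSUPPORTED` when the kernel, or a seccomp filter, does not offer Landlock.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* ABI values copied from linux/landlock.h (ABI v1), defined locally so the
 * example builds on systems that lack the header. Landlock syscall numbers
 * are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_EXECUTE (1ULL << 0)   /* ABI v1 filesystem access rights */
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_ALL_V1 ((1ULL << 13) - 1) /* EXECUTE ... MAKE_SYM, bits 0-12 */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Outcomes of the sandboxed child (this example's own codes, used as exit status). */
enum { LL_DEMO_OK = 0, LL_DEMO_WRITE_ALLOWED = 1, LL_DEMO_READ_DENIED = 2,
       LL_DEMO_SETUP_FAILED = 3, LL_DEMO_UNSUPPORTED = 4 };

/* Landlock ABI version, or -1 if the kernel (or a seccomp filter) refuses the call. */
static int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Child body: enter a read-only Landlock domain, then probe the file. Never returns. */
static void sandboxed_child(const char *path)
{
    if (landlock_abi_version() < 1)
        _exit(LL_DEMO_UNSUPPORTED);

    /* Handle every ABI v1 access type: anything not explicitly allowed by a
     * rule is denied once the domain is entered (default deny). */
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0)
        _exit(LL_DEMO_SETUP_FAILED);

    /* Single rule: read-only access to everything beneath "/". */
    struct ll_path_beneath_attr rule = { .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR,
                                         .parent_fd = open("/", O_PATH | O_CLOEXEC) };
    if (rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0) != 0)
        _exit(LL_DEMO_SETUP_FAILED);
    close(rule.parent_fd);

    /* restrict_self needs no_new_privs (or CAP_SYS_ADMIN): this is what keeps
     * the sandbox unprivileged and, once entered, irreversible for this task. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        syscall(__NR_landlock_restrict_self, ruleset_fd, 0) != 0)
        _exit(LL_DEMO_SETUP_FAILED);
    close(ruleset_fd);

    int rfd = open(path, O_RDONLY | O_CLOEXEC); /* allowed by the rule */
    if (rfd < 0)
        _exit(LL_DEMO_READ_DENIED);
    close(rfd);

    int wfd = open(path, O_WRONLY | O_CLOEXEC); /* WRITE_FILE was never granted */
    if (wfd >= 0)
        _exit(LL_DEMO_WRITE_ALLOWED);
    /* The denial surfaces only as EACCES; the process cannot tell which domain
     * or rule produced it, which is the observability gap the talk addresses. */
    _exit(errno == EACCES ? LL_DEMO_OK : LL_DEMO_SETUP_FAILED);
}

/* Creates a constructed sample file, runs the probe in a forked child and
 * returns its LL_DEMO_* code. The parent stays unrestricted, so it can clean up. */
static int landlock_demo(void)
{
    char path[] = "/tmp/landlock-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return LL_DEMO_SETUP_FAILED;
    int ok = write(fd, "sample\n", 7) == 7;
    close(fd);
    int rc = LL_DEMO_SETUP_FAILED, status = 0;
    pid_t pid = ok ? fork() : -1;
    if (pid == 0)
        sandboxed_child(path);
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    unlink(path);
    return rc;
}

/* The two outcomes a correct run can produce: denied as designed, or no Landlock. */
static int outcome_is_expected(int rc)
{
    return rc == LL_DEMO_OK || rc == LL_DEMO_UNSUPPORTED;
}

int main(void)
{
    static const char *names[] = { "read allowed, write denied with EACCES",
        "write unexpectedly allowed", "read unexpectedly denied", "setup failed",
        "Landlock unavailable" };
    int rc = landlock_demo();
    printf("Landlock ABI %d: %s\n", landlock_abi_version(), names[rc]);
    return outcome_is_expected(rc) ? 0 : 1;
}
```

Run it once unconfined and once under `strace -f -e trace=openat`: the denied `openat` is indistinguishable from an ordinary permission error, which is why tying audit records to a domain ID matters.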
Links
- Landlock website
- Landlock documentation
- GitHub issue: Identify tasks' domain
- LPC 2018: Container IDs
- LPC 2024: Immutable process tags for container tracking
- [RFC PATCH v1 0/3] Expose Landlock domain IDs via pidfd
- Video recording (AV1/WebM) - 106.0 MB
- Video recording (MP4) - 667.0 MB
- Video recording subtitle file (VTT)
