Island: Sandboxing tool powered by Landlock
UB5.132 | Day 1 | 15:30 - 15:55 | Speakers: Mickaël Salaün
Abstract
Landlock is a Linux Security Module that empowers unprivileged processes to securely restrict their own access rights (e.g., filesystem, network). While Landlock provides powerful kernel primitives, using it typically requires modifying application code.
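The "modifying application code" the abstract refers to looks like this in practice. The following is an added example written for this page, not code from the talk or from the Island project: it drives the raw Landlock UAPI (the three `landlock_*` syscalls, for which glibc has no wrappers) to make a process read-only beneath one directory, then checks the effect from a forked child so the parent stays unrestricted. The helper names (`restrict_to_read_only`, `probe_read_only_sandbox`, `ACCESS_FS_ALL_V1`), the `/tmp` fixture and the fallback UAPI definitions are the example's own; it assumes a Linux kernel with Landlock enabled and reports "unavailable" otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__has_include)
# if __has_include(<linux/landlock.h>)
#  include <linux/landlock.h>
# endif
#endif

/* Fallback UAPI definitions (same values as the kernel's linux/landlock.h)
 * for toolchains whose kernel headers predate Linux 5.13, the first ABI. */
#ifndef LANDLOCK_ACCESS_FS_READ_FILE
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR  (1ULL << 3)
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Bits 0..12: EXECUTE, WRITE_FILE, READ_FILE, READ_DIR, REMOVE_DIR, REMOVE_FILE
 * and the seven MAKE_* rights, i.e. every filesystem right of Landlock ABI 1,
 * which any Landlock-enabled kernel can handle (example's own constant). */
#define ACCESS_FS_ALL_V1 ((1ULL << 13) - 1)

static inline int landlock_create_ruleset(const struct landlock_ruleset_attr *attr,
                                          size_t size, uint32_t flags)
{
    return syscall(__NR_landlock_create_ruleset, attr, size, flags);
}
static inline int landlock_add_rule(int ruleset_fd, int rule_type,
                                    const void *rule_attr, uint32_t flags)
{
    return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
}
static inline int landlock_restrict_self(int ruleset_fd, uint32_t flags)
{
    return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}

/* Highest Landlock ABI the running kernel supports, or -1 when Landlock is
 * absent (ENOSYS) or disabled at boot (EOPNOTSUPP). Always probe first. */
int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Restrict the calling thread: handle every ABI-1 filesystem right and allow
 * only reading files / listing directories beneath allowed_dir. Writing,
 * creating, deleting and executing are denied everywhere. 0 on success,
 * -1 with errno set otherwise. The restriction can never be lifted. */
int restrict_to_read_only(const char *allowed_dir)
{
    struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = ACCESS_FS_ALL_V1 };
    int ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof ruleset_attr, 0);
    if (ruleset_fd < 0)
        return -1;
    struct landlock_path_beneath_attr path_beneath = {
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
        .parent_fd = open(allowed_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC),
    };
    int err = -1;
    if (path_beneath.parent_fd >= 0) {
        err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
        /* no_new_privs is mandatory: it stops setuid/setcap binaries from
         * gaining privileges that could bypass the sandbox. */
        if (err == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
            err = landlock_restrict_self(ruleset_fd, 0);
        else
            err = -1;
    }
    int saved = errno;
    if (path_beneath.parent_fd >= 0) close(path_beneath.parent_fd);
    close(ruleset_fd);
    errno = saved;
    return err ? -1 : 0;
}

/* Run the experiment in a forked child so the caller stays unrestricted.
 * Returns 0 when the sandbox was applied and enforced as expected, 1 when
 * Landlock is unavailable or could not be applied here (e.g., blocked by a
 * seccomp filter), -1 when the kernel enforced something other than expected. */
int probe_read_only_sandbox(void)
{
    if (landlock_abi_version() < 1)
        return 1;
    /* Constructed fixture: a temporary directory holding one readable file. */
    char dir[] = "/tmp/landlock-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char file[128];
    snprintf(file, sizeof file, "%s/readable.txt", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    ssize_t n = write(fd, "ok\n", 3);
    close(fd);
    if (n != 3) { unlink(file); rmdir(dir); return -1; }

    pid_t pid = fork();
    if (pid < 0) { unlink(file); rmdir(dir); return -1; }
    if (pid == 0) {
        if (restrict_to_read_only(dir) != 0)
            _exit(10);
        int rfd = open(file, O_RDONLY);        /* allowed: read beneath dir */
        if (rfd < 0)
            _exit(11);
        close(rfd);
        if (open(file, O_WRONLY) >= 0 || errno != EACCES)   /* denied: write */
            _exit(12);
        if (open("/tmp/landlock-demo-escape.txt", O_WRONLY | O_CREAT, 0600) >= 0
            || errno != EACCES)                 /* denied: create outside dir */
            _exit(13);
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(file);
    rmdir(dir);
    if (!WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 0;
    case 10: return 1;
    default: return -1;
    }
}

int main(void)
{
    printf("Landlock ABI version: %d\n", landlock_abi_version());
    int r = probe_read_only_sandbox();
    printf("read-only sandbox: %s\n", r == 0 ? "enforced as expected"
                                  : r == 1 ? "not available here" : "unexpected behaviour");
    return r < 0;
}
```

The experiment runs in a child because an enforced ruleset is inherited by every descendant across fork and execve and can never be removed from a process. That property is what a wrapper tool relies on: apply the policy in a process, then execute the unmodified program, and the restrictions follow it, which is the zero-code integration the abstract describes. Denied accesses surface as `EACCES`, so an application sandboxed this way keeps working as long as it only touches what its profile allows.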
Island makes Landlock practical for everyday workflows by acting as a high-level wrapper and policy manager. Developed alongside the kernel feature and its Rust libraries, it bridges the gap between raw security mechanisms and user activity through:
- Zero-code integration: Runs existing binaries without modification.
- Declarative policies: Uses TOML profiles instead of code-based rules.
- Context-aware activation: Automatically applies security profiles based on your current working directory.
- Full environment isolation: Manages isolated workspaces (XDG directories, TMPDIR) in addition to access control.
In this talk, we will provide a brief overview of the related kernel mechanisms before diving into Island. We'll explain the main differences from other mechanisms and tools, then walk through Island's design and how it works, with a demo.
