Deep Dive into Landlock Internals (LSS 2021)

Landlock is the first Mandatory Access Control available to unprivileged processes on Linux. It is available since Linux 5.13, which enables all applications to sandbox themselves. Landlock development started 5 years ago, and multiple approaches were tried (e.g. extending seccomp, using eBPF) before picking the good one. This talk first explains the goal of Landlock and the related consequences. This will enable to explain the kernel implementation constraints, the choices that led to the current design, and the potential and limits of the current and future features. More information about Landlock can be found on the official website: https://landlock.io

Talk recorded for the Linux Security Summit 2021: https://sched.co/ljRQ
Slides: https://landlock.io/talks/2021-09-29_...