Show threadH@R0👨🏻‍💻Jun 17

簡單查一下資料好似直接用landlock-cli跑都可以,再叫llm自己審查自己的命令,勉強能用

#landlock #cli

Jarkko SakkinenJun 13
This was exactly kind of tricky corner-case that would be very hard to rethink in a spec. The experimental plugin for Pi really helps finding out bugs like this.

https://github.com/jarkkojs/landstrip/commit/00635b63ef46b46fba2e4f04abb96c866217c68e

#landlock #landstrip #lsm
seccomp: Suppress non-fatal filesystem probes · jarkkojs/landstrip@00635b6

When a sandboxed process probes filesystem paths during normal operation (e.g. shell searching PATH for an executable), each probe against a denied directory produces an AccessDenied error. These e...

GitHub
cryptaxMay 29

Learning about Landlock with a sandboxed opencode in nono. Nono is a sandbox, uses Landlock, and for example we can restrict directories opencode can go into.

#auvergnhack #landlock #sekoia

Maxime090Apr 14
Le Québec analyse enfin une technologie qui pourrait sauver nos routes (et nos nerfs). Landlock, une entreprise de Chicago, propose de solidifier le sol avec un polymère à base d'eau : moins cher, plus rapide, et apparemment aussi solide que le béton. On attend que le ministère sorte de sa torpeur bureaucratique pour tester ça, parce que nos nids-de-poule, eux, n'attendent pas! wi #Innovation #Routes #Québec #Technologie #Landlock #Infra #Transport #Polymère #JournalDeMontréal
HabrFeb 20

Linux Landlock — песочница для приложений без root

Landlock — редкий для Linux случай, когда «песочницу» можно включить руками самого приложения: без root, без километров политик и с понятной логикой «по умолчанию запрещено всё». В этой статье разбираем, что это за LSM, какие три системных вызова нужны, как выбрать минимальный набор прав и почему открытые до ограничений файловые дескрипторы способны тихо обнулить всю задумку. Открыть разбор

https://habr.com/ru/companies/otus/articles/1001910/

#Landlock #песочница_приложений #Linux #sandboxing #безопасность_приложений #ограничение_прав #системные_вызовы

Linux Landlock — песочница для приложений без root

В этой статье поговорим о том, как использовать API Landlock для защиты Linux -приложений, ограничивая доступ к файловой системе и сети. Два часа ночи. Вас будит уведомление: хакер нашёл уязвимость в...

Хабр
Mickaël SalaünFeb 1
I gave a talk at #FOSDEM about Island: Sandboxing tool powered by #Landlock
https://fosdem.org/2026/schedule/event/EW8M3R-island/
FOSDEM 2026 - Island: Sandboxing tool powered by Landlock

CyberVeille.chJan 14
📢 Landlock, mécanisme de sécurité et source de télémétrie pour la détection
📝 Selon le blog de SEKOIA, cet article explore Landlock en tant que mécanisme de sécurité et comme source de données utiles à...
📖 cyberveille : https://cyberveille.ch/posts/2026-01-14-landlock-mecanisme-de-securite-et-source-de-telemetrie-pour-la-detection/
🌐 source : https://blog.sekoia.io/leveraging-landlock-telemetry-for-linux-detection-engineering/
#Landlock #ingénierie_de_détection #Cyberveille
Landlock, mécanisme de sécurité et source de télémétrie pour la détection

Selon le blog de SEKOIA, cet article explore Landlock en tant que mécanisme de sécurité et comme source de données utiles à l’ingénierie de détection. Landlock (Linux) comme télémétrie pour la détection Contexte L’équipe Sekoia TDR (Threat Detection & Research) s’intéresse à Landlock, un Linux Security Module (LSM) introduit dans le noyau Linux 5.13. Landlock permet de créer des sandbox applicatives (contrôles d’accès “par processus”), applicables à des processus privilégiés ou non, en complément des mécanismes d’accès systèmes existants (défense en profondeur).

CyberVeille
SekoiaJan 14

🐧 Leveraging #Landlock Telemetry for #Linux Detection Engineering

Sekoia #TDR explores how Linux Landlock telemetry can be leveraged to build high-fidelity, low-noise detections by observing sandbox policy violations.

https://blog.sekoia.io/leveraging-landlock-telemetry-for-linux-detection-engineering/

Show threadSekoiaJan 14
The blog post dives into how #Landlock, originally designed as a security hardening mechanism, can also become a powerful source of telemetry for detection engineering on #Linux systems.
Show threadMickaël SalaünDec 27
@tris @cas @craftyguy bwrap is useful as a wrapper, and I previously contributed to it. The iced command is a shell script, so it needs such a wrapper, and in fact bwrap is used to run commands *outside* a chroot: https://gitlab.postmarketos.org/postmarketOS/iced/-/commit/2c2f5fd343444a6b4541bb782765204468d2cfb5
Built-in sandboxing would be useful though: #Landlock is unprivileged and then a safer approach while being more flexible, but it doesn't have the same features.
use bubblewrap to run apps outside the chroot (2c2f5fd3) · Commits · postmarketOS / iced · GitLab

Signed-off-by: Clayton Craft

GitLab