Linux Landlock: an application sandbox without root

Landlock is a rare case for Linux where a "sandbox" can be switched on by the application itself: without root, without miles of policy, and with a clear "everything is denied by default" logic. In this article we look at what this LSM is, which three system calls are needed, how to choose a minimal set of rights, and why file descriptors opened before the restrictions are applied can quietly nullify the whole idea. Open the breakdown

https://habr.com/ru/companies/otus/articles/1001910/

#Landlock #application_sandbox #Linux #sandboxing #application_security #privilege_restriction #system_calls

In this article we'll talk about how to use the Landlock API to protect Linux applications by restricting access to the file system and the network. Two o'clock in the morning. A notification wakes you up: a hacker has found a vulnerability in...

To compare #sydbox and #gvisor, take 2 CVEs: CVE-2018-19333, gvisor proc2proc arbitrary-memory-write which wasn't classified as sandbox break. Vuln is there because gvisor uses the seccomp-trap API to run all in a single process ignoring ASLR. CVE-2024-42318 aka Houdini is a #landlock break where a keyrings(7) call would unlock the sandbox. Syd wasn't affected: 1. keyrings is def disabled 2. open call happens in a syd emulator thread confined by same landlock sandbox. #exherbo #linux #security
I gave a talk at #FOSDEM about Island: Sandboxing tool powered by #Landlock
https://fosdem.org/2026/schedule/event/EW8M3R-island/
FOSDEM 2026 - Island: Sandboxing tool powered by Landlock

#sydbox 3.48.6 is out! Each time I say last release before #FOSDEM I end up doing another one so I don't do that this time :-) Some bug fixes and hardenings, AES encryption threads now run with no access to filesystem and network thanks to a per-thread #landlock sandbox which is somewhat cool. ChangeLog is where the rest of the story is as usual: https://gitlab.exherbo.org/sydbox/sydbox/-/blob/main/ChangeLog.md?ref_type=heads#3486 #exherbo #linux #security
ChangeLog.md · main · Sydbox / sydbox · GitLab

rock-solid application kernel

📢 Landlock, a security mechanism and a telemetry source for detection
📝 According to the SEKOIA blog, this article explores Landlock as a security mechanism and as a source of data useful for...
📖 cyberveille: https://cyberveille.ch/posts/2026-01-14-landlock-mecanisme-de-securite-et-source-de-telemetrie-pour-la-detection/
🌐 source: https://blog.sekoia.io/leveraging-landlock-telemetry-for-linux-detection-engineering/
#Landlock #detection_engineering #Cyberveille
According to the SEKOIA blog, this article explores Landlock as a security mechanism and as a source of data useful for detection engineering. Landlock (Linux) as telemetry for detection. Context: the Sekoia TDR (Threat Detection & Research) team is looking at Landlock, a Linux Security Module (LSM) introduced in Linux kernel 5.13. Landlock makes it possible to create application sandboxes ("per-process" access controls), applicable to privileged or unprivileged processes, complementing the existing system access mechanisms (defense in depth).

🐧 Leveraging #Landlock Telemetry for #Linux Detection Engineering

Sekoia #TDR explores how Linux Landlock telemetry can be leveraged to build high-fidelity, low-noise detections by observing sandbox policy violations.

https://blog.sekoia.io/leveraging-landlock-telemetry-for-linux-detection-engineering/

The blog post dives into how #Landlock, originally designed as a security hardening mechanism, can also become a powerful source of telemetry for detection engineering on #Linux systems.
signify-rs 0.3.0 is released! The main code now runs sandboxed with #capsicum on #FreeBSD, #pledge/#unveil on #OpenBSD, and #landlock on #Linux. File opens are hardened with openat2 on Linux and O_NOFOLLOW on #unix. Resource limits are set for further hardening. Code fixed to create deterministic signatures, bit-exact with the reference implementation. Refer to the ChangeLog for more information: https://git.sr.ht/~alip/signify/tree/main/item/ChangeLog.md #rustlang #security
@tris @cas @craftyguy bwrap is useful as a wrapper, and I previously contributed to it. The iced command is a shell script, so it needs such a wrapper, and in fact bwrap is used to run commands *outside* a chroot: https://gitlab.postmarketos.org/postmarketOS/iced/-/commit/2c2f5fd343444a6b4541bb782765204468d2cfb5
Built-in sandboxing would be useful though: #Landlock is unprivileged and then a safer approach while being more flexible, but it doesn't have the same features.
use bubblewrap to run apps outside the chroot (2c2f5fd3) · Commits · postmarketOS / iced · GitLab

Signed-off-by: Clayton Craft

Island: Sandboxing tool powered by Landlock

https://www.openwall.com/lists/oss-security/2025/12/05/1

Looks interesting.

#linux #sandbox #landlock

oss-security - Island: Sandboxing tool powered by Landlock