I'd like to share something nice that I am currently working on: a Landlock integration for Forgejo.

Landlock (https://landlock.io) lets userspace processes tell the kernel "hey kernel, please only let me access the following filesystem resources" (and it also supports sockets, etc. now).

My integration only limits unfettered access to arbitrary files. It needs a lot more yak shaving (refactoring, configurations, using the PATH variable for Git binaries) and time.

#landlock #forgejo


This will take a while because I'm busy with some real-life obligations and because this needs tests and a bunch of software architecture decisions as well (e.g. if I were to hardcode /usr/bin/git, the NixOS folk wouldn't really like that).

The proof of concept is there, however. :)

Landlock's website can be found here: https://landlock.io


@n0toose Thanks, I didn’t know about landlock!
@n0toose that sounds like OpenBSD pledge() for Linux
@n0toose so it's kind of a firejail for python?