Mickaël Salaün

@l0kod
337 Followers
173 Following
190 Posts
Security and open source enthusiast. Maintainer of #Landlock: https://docs.kernel.org/userspace-api/landlock.html
Personal websitehttps://digikod.net
Landlockhttps://landlock.io
Blueskyhttps://bsky.app/profile/l0kod.bsky.social
Twitterhttps://twitter.com/l0kod
Show threadMickaël SalaünFeb 2
@Regit the default config for a new profile should just work (wrt the install path)
Show threadMickaël SalaünFeb 1
@tcheneau Indeed: https://fosdem.org/2026/schedule/event/37NC8K-gomodjail/
The Q/A about Landlock in the slide is a bit cryptic though 🤔
FOSDEM 2026 - gomodjail: library sandboxing for Go modules

Show threadMickaël SalaünFeb 1
@tcheneau thanks for the heads-up. Which talk is it?
Mickaël SalaünFeb 1
I gave a talk at #FOSDEM about Island: Sandboxing tool powered by #Landlock
https://fosdem.org/2026/schedule/event/EW8M3R-island/
FOSDEM 2026 - Island: Sandboxing tool powered by Landlock

Show threadMickaël SalaünDec 27
@tris @cas @craftyguy bwrap is useful as a wrapper, and I previously contributed to it. The iced command is a shell script, so it needs such a wrapper, and in fact bwrap is used to run commands *outside* a chroot: https://gitlab.postmarketos.org/postmarketOS/iced/-/commit/2c2f5fd343444a6b4541bb782765204468d2cfb5
Built-in sandboxing would be useful though: #Landlock is unprivileged and then a safer approach while being more flexible, but it doesn't have the same features.
use bubblewrap to run apps outside the chroot (2c2f5fd3) · Commits · postmarketOS / iced · GitLab

Signed-off-by: Clayton Craft

GitLab
Show threadMickaël SalaünDec 13
@jmorris @jann there is WIP but so far not a lot of feedback: https://github.com/systemd/systemd/pull/39174
@pid_eins
Landlock Config by l0kod · Pull Request #39174 · systemd/systemd

Landlock is a kernel feature dedicated to create unprivileged security sandboxes. I'm maintaining Landlock and also creating a Landlock Config library to easily manage security policies as conf...

GitHub
Show threadMickaël SalaünDec 6
@trou there is definitely room for doc improvement, but I wanted to release it sooner than later. Contributions are welcome too!
Show threadMickaël SalaünDec 6
@trou You can restrict TCP connect and bind, see [[net_port]]: https://github.com/landlock-lsm/landlockconfig/blob/main/examples/mini-write-tmp.toml
Show threadMickaël SalaünDec 6
@trou Only TCP is supported for now, but UDP support is WIP: https://github.com/landlock-lsm/linux/issues/10
and the socket creation restriction is almost ready: https://github.com/landlock-lsm/linux/issues/6
More reviewers would help 😉
Show threadMickaël SalaünDec 6
https://news.ycombinator.com/item?id=46160134
Island: Linux sandboxing tool powered by Landlock | Hacker News