Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This seems pretty nice, as it using directly landlock API from the Linux Kernel (like pledge from OpenBSD). One feature I would like to have is like yaml description for some set of configuration rather that use all this arguments. So we could have preconfigured commands and just execute them. But I think it is just a matter of taste. I will try the tool. Thanks for it.


If you want a file format, I'd lobby for one of the existing ones rather than some random yaml one

- sandbox-exec's scheme one https://github.com/BrianSwift/macOSSandboxBuild/blob/main/co...

- AppArmor https://wiki.apparmor.net/ (although I'm cognizant that tries to address way more than just filesystem access)

- Java's permission one https://docs.oracle.com/javase/8/docs/technotes/guides/secur...

Likely tens more


I agree that re-use file format could a good option. BTW the used landlock go library has sort of example https://github.com/landlock-lsm/go-landlock/blob/main/exampl...


We are working on a JSON/TOML format for Landlock, with the related library, and bindings for several languages: https://github.com/landlock-lsm/landlockconfig

We are working to make it part of the OCI runtime specification too.

Using existing configuration format would not work because Landlock has its own unique properties: unprivileged, nested sandboxes, dedicated Linux syscalls, and a good compatibility story with opt-in and incremental features.


Still early but Mickaël Salaün, the author of landlock, is working on this.

https://github.com/landlock-lsm/landlockconfig

I'm going to write up some Go bindings for this when it becomes relevant.


(Author of go-Landlock here)

Awesome! I'm happy to hear that you and others are interested in the configuration language. We should probably coordinate that on the Landlock mailing list when the time comes, so that we don't duplicate that work. We are open to outside contributions :)


Would be cool to see integration of landlock with configuration file in a way that a service launched by systemd can apply the configuration to the executable.

Akin to systemd SystemCallFilter directive for no-code application of seccomp filters to the sandboxed process https://www.freedesktop.org/software/systemd/man/latest/syst...


That could be a separate wrapper, like bubblejail is for bubblewrap. Landjail?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: