mirror of
https://github.com/linuxkit/linuxkit.git
synced 2025-09-26 16:18:30 +00:00
Move roadmap to README where there is only one
This way something comes up when you click on the project on github, rather than having to hunt for something to explain the project. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit is contained in:
Justin Cormack
22
projects/landlock/README.md
Normal file
22
projects/landlock/README.md
Normal file
@@ -0,0 +1,22 @@
|
||||
# Landlock LSM
|
||||
|
||||
[Landlock](https://lwn.net/Articles/698226/) is a Linux Security Module currently under development by Mickaël Salaün (@l0kod). Landlock is based on eBPF,
|
||||
extended Berkeley Packet filters (see [ebpf project](../ebpf/roadmap.md)), to attach small programs to hooks in the kernel.
|
||||
|
||||
These eBPF programs provide context that can allow for very robust decision-making when integrated with LSM hooks.
|
||||
In particular, this lends itself very nicely to container-based environments.
|
||||
One such example is that Landlock could be used to write policies to restrict containers from accessing file descriptors they do
|
||||
not own, acting as a last line of defense to restrict container escapes,
|
||||
|
||||
Landlock is stackable on top of other LSMs, like SELinux and Apparmor.
|
||||
|
||||
|
||||
## Roadmap
|
||||
|
||||
**Near-term:**
|
||||
- We will carry the Landlock patches in a `kernel-landlock` image for people to test, and update them continuously
|
||||
- Draft and include a simple Landlock policy that can be demonstrated with the current patch-set, to show an example
|
||||
- Offer design and code review help on Landlock, using Moby as a test-bed
|
||||
|
||||
**Long-term:**
|
||||
- Develop a robust container-minded Landlock policy, and include it in Moby by default
|
||||
Reference in New Issue
Block a user