mirror of
https://github.com/linuxkit/linuxkit.git
synced 2025-07-21 10:09:07 +00:00
23 lines
1.2 KiB
Markdown
23 lines
1.2 KiB
Markdown
# Landlock LSM
|
|
|
|
[Landlock](https://lwn.net/Articles/698226/) is a Linux Security Module currently under development by Mickaël Salaün (@l0kod). Landlock is based on eBPF,
|
|
extended Berkeley Packet filters (see [ebpf project](../ebpf/roadmap.md)), to attach small programs to hooks in the kernel.
|
|
|
|
These eBPF programs provide context that can allow for very robust decision-making when integrated with LSM hooks.
|
|
In particular, this lends itself very nicely to container-based environments.
|
|
One such example is that Landlock could be used to write policies to restrict containers from accessing file descriptors they do
|
|
not own, acting as a last line of defense to restrict container escapes,
|
|
|
|
Landlock is stackable on top of other LSMs, like SELinux and Apparmor.
|
|
|
|
|
|
## Roadmap
|
|
|
|
**Near-term:**
|
|
- We will carry the Landlock patches in a `kernel-landlock` image for people to test, and update them continuously
|
|
- Draft and include a simple Landlock policy that can be demonstrated with the current patch-set, to show an example
|
|
- Offer design and code review help on Landlock, using Moby as a test-bed
|
|
|
|
**Long-term:**
|
|
- Develop a robust container-minded Landlock policy, and include it in LinuxKit by default
|