linuxkit/projects/landlock
Avi Deitcher 14c29db5c2
Containerd v2.0.3 (#4112)
* containerd to semver v2.0.3

Signed-off-by: Avi Deitcher <avi@deitcher.net>

* containerd v2.0.3 plus commits to fix blkdiscard

Signed-off-by: Avi Deitcher <avi@deitcher.net>

* update containerd-dev dependencies

Signed-off-by: Avi Deitcher <avi@deitcher.net>

* updated pkg/init and pkg/containerd deps

Signed-off-by: Avi Deitcher <avi@deitcher.net>

---------

Signed-off-by: Avi Deitcher <avi@deitcher.net>
2025-03-06 17:12:07 +02:00
kernel-landlock kernel: Use linuxkit images for compiling/packaging the kernel 2017-04-12 21:28:17 +01:00
landlock.yml Containerd v2.0.3 (#4112) 2025-03-06 17:12:07 +02:00
README.md Change Moby to LinuxKit 2017-06-12 11:51:15 +02:00

Landlock LSM

Landlock is a Linux Security Module currently under development by Mickaël Salaün (@l0kod). Landlock is based on eBPF (extended Berkeley Packet Filter; see the ebpf project) and uses it to attach small programs to hooks in the kernel.

These eBPF programs provide context that allows for very robust decision-making when integrated with LSM hooks. This lends itself particularly well to container-based environments. For example, Landlock could be used to write policies that restrict containers from accessing file descriptors they do not own, acting as a last line of defense against container escapes.

Landlock is stackable on top of other LSMs, like SELinux and AppArmor.

Roadmap

Near-term:

  • We will carry the Landlock patches in a kernel-landlock image for people to test, and update them continuously
  • Draft and include a simple Landlock policy that can be demonstrated with the current patch-set, to show an example
  • Offer design and code review help on Landlock, using Moby as a test-bed

Long-term:

  • Develop a robust container-minded Landlock policy, and include it in LinuxKit by default