Landlock is a Linux Security Module (LSM) that provides a flexible, unprivileged sandboxing mechanism for applications. Unlike traditional LSMs such as SELinux and AppArmor, which enforce mandatory access control policies set by system administrators, Landlock allows applications to define their own security restrictions. This makes it a powerful tool for developers seeking to add additional security layers without requiring elevated privileges.
Key Features
- Unprivileged Sandboxing: Landlock enables applications to apply security restrictions without requiring root access or administrative intervention.
- Filesystem Access Control: Developers can define which files and directories an application can access.
- Incremental Restrictions: A process can only tighten its access permissions over time, preventing privilege escalation.
- Composability: Can be used in combination with other LSMs such as SELinux and AppArmor for enhanced security.
- User-Space Control: Allows developers to enforce security policies dynamically within their applications.
How Landlock Works
Landlock uses a set of security rules that define what resources an application can access. These rules are enforced at the kernel level and prevent applications from performing unauthorized actions. Unlike traditional access control mechanisms, Landlock works on a per-process basis, meaning individual applications can define and enforce their own security policies without affecting the rest of the system.
Security Model
Landlock operates on the principle of least privilege, meaning that applications can restrict their own access to prevent unintended behavior or exploitation. The security policies are designed to be incremental, meaning that once a restriction is applied, it cannot be lifted during the lifetime of the process. This ensures that even if an application is compromised, it cannot extend its privileges beyond what was initially allowed.
Landlock Rules
Landlock rules specify which operations can be performed on which resources. For example, a rule might specify that a process can read files from a particular directory but cannot modify them. These rules are defined using Landlock’s API and enforced by the kernel.
Use Cases
Securing User Applications
Developers can integrate Landlock into their applications to restrict access to sensitive files and directories. For example, a web browser could use Landlock to prevent access to system-critical files, reducing the impact of potential exploits.
Sandboxing Third-Party Code
Software that executes untrusted code, such as plugins or scripts, can use Landlock to create a restricted environment, ensuring that malicious or vulnerable components do not compromise system security.
Least-Privilege Software Execution
By applying Landlock restrictions, applications can be limited to only the resources they require, reducing the risk of privilege escalation attacks and minimizing the potential damage caused by security vulnerabilities.
Example: Using Landlock
A simple example of using Landlock in C to restrict file access:
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
int main() {
struct landlock_ruleset_attr ruleset_attr = {
.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
LANDLOCK_ACCESS_FS_WRITE_FILE
};
int ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
perror("landlock_create_ruleset");
return 1;
}
// Apply the ruleset to the current process
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("prctl");
return 1;
}
if (landlock_restrict_self(ruleset_fd, 0)) {
perror("landlock_restrict_self");
return 1;
}
printf("Landlock restrictions applied.\n");
return 0;
}
This example creates a ruleset that allows reading and writing files but prevents other operations. Once applied, the process cannot increase its privileges, ensuring a safer execution environment.
Comparison with Other LSMs
| Feature | Landlock | SELinux | AppArmor | Smack | TOMOYO |
|---|---|---|---|---|---|
| Mandatory Access Control | Yes | Yes | Yes | Yes | Yes |
| Unprivileged Use | Yes | No | No | No | No |
| Incremental Restrictions | Yes | No | No | No | No |
| Per-Application Control | Yes | No | No | No | No |
| Ease of Use | Medium | Hard | Medium | Medium | Medium |
Unlike SELinux and AppArmor, which enforce policies system-wide and require administrative privileges, Landlock is designed to be used by unprivileged applications on a per-process basis. This makes it particularly useful for developers who want to integrate security features directly into their software without needing system-wide configuration.
Conclusion
Landlock is a powerful and flexible security mechanism that enables applications to define and enforce their own security policies. By allowing unprivileged sandboxing, it provides a new way to enhance security without requiring administrative control. Its incremental restriction model ensures that once a security policy is applied, it cannot be relaxed, making it a valuable tool for protecting applications from exploits and vulnerabilities. With its integration into the Linux kernel, Landlock represents a significant advancement in user-space access control and application security.
For more information, visit the Landlock documentation.