Hacker News new | ask | show | jobs
by bastiao 457 days ago
This seems pretty nice, as it using directly landlock API from the Linux Kernel (like pledge from OpenBSD). One feature I would like to have is like yaml description for some set of configuration rather that use all this arguments. So we could have preconfigured commands and just execute them. But I think it is just a matter of taste. I will try the tool. Thanks for it.
4 comments
mdaniel 457 days ago
If you want a file format, I'd lobby for one of the existing ones rather than some random yaml one

- sandbox-exec's scheme one https://github.com/BrianSwift/macOSSandboxBuild/blob/main/co...

- AppArmor https://wiki.apparmor.net/ (although I'm cognizant that tries to address way more than just filesystem access)

- Java's permission one https://docs.oracle.com/javase/8/docs/technotes/guides/secur...

Likely tens more

link
bastiao 457 days ago
I agree that re-use file format could a good option. BTW the used landlock go library has sort of example https://github.com/landlock-lsm/go-landlock/blob/main/exampl...
link
l0kod 457 days ago
We are working on a JSON/TOML format for Landlock, with the related library, and bindings for several languages: https://github.com/landlock-lsm/landlockconfig

We are working to make it part of the OCI runtime specification too.

Using existing configuration format would not work because Landlock has its own unique properties: unprivileged, nested sandboxes, dedicated Linux syscalls, and a good compatibility story with opt-in and incremental features.

link
Foxboron 457 days ago
Still early but Mickaël Salaün, the author of landlock, is working on this.

https://github.com/landlock-lsm/landlockconfig

I'm going to write up some Go bindings for this when it becomes relevant.

link
gnoack 457 days ago
(Author of go-Landlock here)

Awesome! I'm happy to hear that you and others are interested in the configuration language. We should probably coordinate that on the Landlock mailing list when the time comes, so that we don't duplicate that work. We are open to outside contributions :)

link
ARob109 457 days ago
Would be cool to see integration of landlock with configuration file in a way that a service launched by systemd can apply the configuration to the executable.

Akin to systemd SystemCallFilter directive for no-code application of seccomp filters to the sandboxed process https://www.freedesktop.org/software/systemd/man/latest/syst...

link
yjftsjthsd-h 457 days ago
That could be a separate wrapper, like bubblejail is for bubblewrap. Landjail?
link