-
The motivation for the socket access-control feature is to restrict the actions of adding sockets in a sandboxed process. This can be useful to limit the range of allowed protocols or even to disable the addition …
-
**Is your feature request related to a problem? Please describe.**
The problem: Lynis does not check and detect the presence and state of some modern Linux kernel's security subsystems, such as _lockdo…
-
- [ ] Code
- [ ] https://github.com/netblue30/firejail/pull/5315#pullrequestreview-1073973090
- [ ] https://github.com/netblue30/firejail/pull/5315#pullrequestreview-1074357756
- [ ] https://…
-
### Description
https://www.kernel.org/doc/html/latest/userspace-api/landlock.html
Landlock is an unprivileged LSM. It is already compiled in Arch Linux.
For bubblejail it makes sense to restri…
-
### Nomad version
Output from `nomad version`
1.6.1
### Operating system and Environment details
NixOS 23.05 with additional package nomad 1.6.1
```
# uname --all …
```
-
It would be useful to identify the Landlock domain restricting threads for testing and auditing purposes. To make it easy to get this information, we could create a `/proc//attr/landlock/current` entry cont…
l0kod updated
3 months ago
-
`LANDLOCK_ACCESS_NET_BIND_TCP` is useful to limit the scope of "bindable" ports to forbid a malicious sandboxed process from impersonating a legitimate server process. However, `bind(2)` might be used by …
l0kod updated
2 weeks ago
-
We can try to improve landlock code structure and extensibility, remove repetitive patterns.
As @gnoack suggested it'll be effective to gather refactoring ideas before implementing the patch itself…
-
It would be nice to be able to scope access to abstract unix sockets the same way ptrace is restricted (but this time it would be opt-in).
See https://lore.kernel.org/all/20231023.ahphah4Wii4v@digi…
-
The construction of a Landlock ruleset is based on an authorization list model. Thus, in order to sandbox an application, all necessary resources and their associated permissions must be first establi…