-
Hi, appreciate the work on this! I'm curious if it's possible to get what the `RestrictionStatus` *would* be, without actually applying the restrictions. Kind of like a dry run? I have two use cases:
…
-
I hope everyone with an eye on landlock functionality could plant this feature as fast as possible inside firejail.
https://www.phoronix.com/news/Landlock-Networking-Linux-6.7
Thanks and
…
-
`io_uring` is a complex interface growing quickly that can lead to [critical security issues](https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html) and [bypass of security ch…
l0kod updated
3 months ago
-
**Motivation**
I think we need an issue to track all the missing syscalls that can have a security value for `Falco`. I detected these ones right now:
- [x] `fsconfig` https://github.com/falcos…
-
To avoid filesystem (FS) security policy bypass, a landlocked process with FS restrictions cannot do any FS topology changes (see d7220364039f6beb76f311c05f74cad89da5fad5), which include any mount cal…
l0kod updated
3 months ago
-
We need tooling to measure the performance impact of kernel changes. Until now, we used simple scripts to get an idea of the [worst case scenarios](https://lore.kernel.org/all/20210630224856.1313928-1…
l0kod updated
3 weeks ago
-
Currently, `landlock_restrict_self(2)` applies a ruleset on the calling thread, which makes sense from a kernel point of view, and enables some use cases such as tests. However it might be misleading …
l0kod updated
4 months ago
-
In other managed Kubernetes distros bpf lsm support is enabled in newer kernels (> 5.10 usually). We were hoping to see this feature enabled on the latest node pools that come standard with aks 1.25 …
-
To make it simpler, a Landlock domain is currently a `landlock_ruleset` struct. The use of this data structure includes fields which are useless for a domain, and a red-black tree which is not useful…
l0kod updated
2 months ago
-
### Distribution
Debian 12 Bookworm, aarch64
### Package version
1.8.3, flatpak package
### Frequency
Always
### Bug description
I installed it yesterday from flathub and it worke…