Update on Landlock: Audit, Debugging and Metrics
Landlock enables to sandbox Linux applications but it might be challenging to identify the cause of denied accesses. Being able to debug a security policy is an important feature for an access control system. Likewise, logging denied accesses (and their reason) helps detect attacks. Because Landlock is dedicated to unprivileged users, some restrictions applies to such features (e.g., no global rule identifier, scoped debugging). We’ll explain the in-development approach and the intended features to help developers sandbox their applications.
Mickaël Salaün is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now the maintainer. He previously worked for the French national cybersecurity agency (ANSSI) on hardening operating systems. He is currently employed by Microsoft to work on Linux-related security projects.