Landlock is a Linux API that lets applications explicitly declare which resources they are allowed to access. Its philosophy is similar to OpenBSD’s
unveil() and (less so) pledge(): programs can make a contract with the kernel stating, “I only need these files or resources — deny me everything else if I’m compromised.” It provides a simple, developer-friendly way to add defense-in-depth to applications. Compared to traditional Linux security mechanisms, Landlock is vastly easier to understand and integrate.
This post is meant to be an accessible introduction, and hopefully persuade you to give Landlock a try.
↫ prizrak.me blog
I had no idea this existed, even though it seems to plug a hole in the security and sandboxing landscape on Linux by not requiring any privileges and by being relatively simple and straightforward to use. There’s even an additional “supervisor” proposal that would bring Android-like permissions not just to, say, desktop applications (see Flatpak), but to every process trying to access anything for the first time.
I’m not knowledgeable enough to make any statements about Landlock compared to any other options we have for securing desktop Linux in a user-friendly, non-intrusive manner, but I definitely like its simplicity.

They mention Android, and it is … or rather a very similar thing is heavily used there.
Android requires apps to declare intents (not sure that’s the right term). So, you want to access the SD card? You have to declare that in the manifest. You want to serve ads? You need Internet access. Joking of course, it is enabled by default 🙂
But I’m not sure how this will work for Linux command line. By definition things get what they need to access from command line arguments, and many times by resolving config files. Yes, this could be useful for desktop applications “The Music Jukebox will only access its config, the graphical resources, and of course user selected music content”. But for ls? cat? find? git? Things become trickier…
(I get this is more for “sandboxed” execution of random things we install like npm, conda, or uv. But… that is an entirely different issue. If you don’t trust an installer of a library, how can you trust the library to do the right thing at runtime?)
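Neither the excerpt nor the comment shows what the “contract with the kernel” looks like in code, and the comment asks how a `cat`-like tool that gets its paths from the command line could use it. The C program below is an added example, not code from the prizrak.me post, from the kernel’s own samples, or from the commenter. It assumes a Linux 5.13+ kernel with its `<linux/landlock.h>` header, uses only Landlock ABI v1 flags, and makes the three syscalls directly because glibc has no wrappers for them. The function names (`landlock_restrict_to_readonly`, `probe_under_landlock`, `run_demo`) and the scratch directories it creates are my own. Run without arguments it checks itself; run as `./landlock_cat a.txt b.txt` it first resolves its arguments and only then restricts itself to read-only access to exactly those paths, which is the usual answer for CLI tools: the program decides when the contract starts, so it parses arguments and config paths first and commits once it knows what it needs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* glibc has no wrappers for the three Landlock syscalls; call them directly. */
static int ll_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, __u32 flags) {
    return (int)syscall(__NR_landlock_create_ruleset, attr, size, flags);
}
static int ll_add_rule(int ruleset_fd, enum landlock_rule_type type, const void *rule, __u32 flags) {
    return (int)syscall(__NR_landlock_add_rule, ruleset_fd, type, rule, flags);
}
static int ll_restrict_self(int ruleset_fd, __u32 flags) {
    return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
}

/* Every filesystem action Landlock ABI v1 (Linux 5.13) can restrict. Marking all of
 * them as "handled" means anything not explicitly allowed by a rule is denied. */
#define HANDLED_FS_V1                                                                   \
    (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE | \
     LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | \
     LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |  \
     LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
     LANDLOCK_ACCESS_FS_MAKE_SYM)

/* Highest Landlock ABI the running kernel offers, or -1 if Landlock is unavailable
 * (kernel too old, LSM not enabled, or the syscalls blocked by a seccomp filter). */
int landlock_abi_version(void) {
    int v = ll_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : v;
}

/* The "contract with the kernel": from here on this thread (and anything it forks or
 * execs) may only read the given paths. Returns 0 on success, -1 with errno set. */
int landlock_restrict_to_readonly(const char *const *paths, size_t n) {
    struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = HANDLED_FS_V1 };
    int ruleset_fd = ll_create_ruleset(&ruleset_attr, sizeof ruleset_attr, 0);
    if (ruleset_fd < 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        struct landlock_path_beneath_attr pb = { .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE };
        struct stat st;
        pb.parent_fd = open(paths[i], O_PATH | O_CLOEXEC);
        if (pb.parent_fd < 0)
            goto fail;
        int rc = fstat(pb.parent_fd, &st);
        if (rc == 0) {
            /* READ_DIR is only valid on a directory: the kernel answers EINVAL if a
             * rule grants it on a plain file, so add it only where it makes sense. */
            if (S_ISDIR(st.st_mode))
                pb.allowed_access |= LANDLOCK_ACCESS_FS_READ_DIR;
            rc = ll_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
        }
        close(pb.parent_fd);
        if (rc < 0)
            goto fail;
    }
    /* no_new_privs is required by landlock_restrict_self() (absent CAP_SYS_ADMIN): it
     * stops a later execve() of a setuid binary from regaining what we just gave up. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 || ll_restrict_self(ruleset_fd, 0) < 0)
        goto fail;
    close(ruleset_fd);
    return 0;
fail: {
        int saved = errno;
        close(ruleset_fd);
        errno = saved;
        return -1;
    }
}

/* Try open(probe, O_RDONLY) in a child restricted to read-only access under `allowed`,
 * so the caller stays unrestricted. Returns 0 if the open succeeded, 1 if Landlock
 * denied it (EACCES), 2 if Landlock is unavailable on this kernel, 3 on other errors. */
int probe_under_landlock(const char *allowed, const char *probe) {
    pid_t pid = fork();
    if (pid < 0)
        return 3;
    if (pid == 0) {
        const char *const paths[] = { allowed };
        if (landlock_abi_version() < 0)
            _exit(2);
        if (landlock_restrict_to_readonly(paths, 1) < 0)
            _exit(3);
        int fd = open(probe, O_RDONLY | O_CLOEXEC);
        _exit(fd >= 0 ? 0 : (errno == EACCES ? 1 : 3));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 3;
    return WEXITSTATUS(status);
}

/* Constructed sample input: two scratch directories with one file each. Only the
 * first is declared to Landlock; the second stands in for "everything else".
 * Returns 0 if the sandbox behaved as expected, 2 if Landlock is unavailable, else 1. */
int run_demo(void) {
    char dir_a[] = "/tmp/landlock_a.XXXXXX", dir_b[] = "/tmp/landlock_b.XXXXXX";
    char file_a[64], file_b[64];
    if (!mkdtemp(dir_a) || !mkdtemp(dir_b))
        return 1;
    snprintf(file_a, sizeof file_a, "%s/note.txt", dir_a);
    snprintf(file_b, sizeof file_b, "%s/note.txt", dir_b);
    FILE *fa = fopen(file_a, "w"), *fb = fopen(file_b, "w");
    if (!fa || !fb)
        return 1;
    fputs("inside the contract\n", fa);
    fputs("outside the contract\n", fb);
    fclose(fa);
    fclose(fb);
    int inside = probe_under_landlock(dir_a, file_a);   /* expected 0: allowed */
    int outside = probe_under_landlock(dir_a, file_b);  /* expected 1: EACCES */
    unlink(file_a); unlink(file_b); rmdir(dir_a); rmdir(dir_b);
    if (inside == 2)
        return 2;
    return (inside == 0 && outside == 1) ? 0 : 1;
}

/* The CLI shape the comment asks about: like `cat`, the files come from argv, so
 * resolve them first, then commit to touching nothing else before reading them. */
int main(int argc, char **argv) {
    if (argc < 2) {
        int rc = run_demo();
        puts(rc == 0 ? "landlock: declared path readable, other path denied with EACCES"
           : rc == 2 ? "landlock: unavailable on this kernel" : "landlock: unexpected result");
        return rc;
    }
    if (landlock_restrict_to_readonly((const char *const *)argv + 1, (size_t)argc - 1) < 0) {
        perror("landlock_restrict_to_readonly");
        return 1;
    }
    for (int i = 1; i < argc; i++) {
        char buf[4096];
        ssize_t n;
        int fd = open(argv[i], O_RDONLY | O_CLOEXEC);
        if (fd < 0) { perror(argv[i]); continue; }
        while ((n = read(fd, buf, sizeof buf)) > 0)
            write(STDOUT_FILENO, buf, (size_t)n);  /* stdout was open before the contract */
        close(fd);
    }
    return 0;
}
```

Once landlock_restrict_self() returns, the restriction is permanent for that thread, is inherited across fork() and execve(), and a later ruleset can only tighten it, which is why the self-check probes from a forked child rather than restricting the parent. The file outside the declared directory is refused with EACCES rather than ENOENT, so a denial stays distinguishable from a missing file, and path lookup itself is not restricted: only the access to the final object is checked.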