| Description | Landlock is a feature to create security sandboxes thanks to 3 dedicated system calls. They are designed to be safe to used by any processes, which can only drop their privileges, similarly to seccomp.
The Landlock LSM needs to be build in the kernel (CONFIG_SECURITY_LANDLOCK=y) and enabled by default (CONFIG_LSM=landlock,...) to be useful (supported since Linux 5.13). See https://docs.kernel.org/userspace-api/landlock.html#kernel-support
Landlock is already enabled by default on Ubuntu 22.04 LTS, Fedora 35, Arch Linux, Alpine Linux, Gentoo, Debian, chromeOS, and more. There is an opened ticket for RHEL but no real activity since two years (see RHBZ: 2103989): https://issues.redhat.com/browse/RHEL-8810
Because the goal of sandboxing is to be seamlessly integrated in applications/services and work in a best-effort mode (see https://sched.co/1ej3a), no specific user space configuration is needed to leverage Landlock.
Landlock should be enabled on Rock Linux 9 and 10. |
|---|
