Because this newsletter includes container-related and security-related information, I'm relaying this to other appropriate mailing lists. If you want to get updates, you can subscribe by sending an email to landlock+subscribe@xxxxxxxxxxxxxxx Regards, Mickaël On 01/09/2021 18:30, Mickaël Salaün wrote: > Hi, > > Landlock landed in Linux 5.13 and here is an overview of the ongoing > developments. > > User space > ---------- > > ### Rust library > > This Rust library enables to manage Landlock in a best-effort way. It is > still a work-in-progress, but we plan to release a new major version in > the coming weeks, including documentation. Feedback is welcome! > https://github.com/landlock-lsm/rust-landlock > > ### Go library > > We are pleased to welcome Günther Noack and his Go library which enables > to create sandboxes with Landlock. This will be useful for any projects > developed in Go. > https://github.com/landlock-lsm/go-landlock > > ### Open Container Initiative Runtime Specification > > This project is intended to be a shared specification amongst container > runtimes (e.g. Docker/runc). Thanks to H. Vetinari for bringing the > subject and to Kailun Qin, Günther Noack, Konstantin Meskhidze, Aleksa > Sarai, Akihiro Suda for working on this and giving feedback! > https://github.com/opencontainers/runtime-spec/pull/1111 > > ### runc > > Bringing Landlock support to runc has started. > https://github.com/opencontainers/runc/pull/3194 > > ### strace > > strace 5.13 (2021-07-19) now supports Landlock syscalls and especially > their argument decoding. We can now easily debug programs using > Landlock. Thanks to Eugene Syromyatnikov and Dmitry V. Levin! > https://github.com/strace/strace/commit/7592a0eeab2588162c1741077053f8a052c8418f > > ### glibc > > glibc 2.34 (2021-08-01) now includes Landlock system call IDs, which are > required to properly use Landlock in C and C++ programs. > https://sourceware.org/git/?p=glibc.git;a=commit;h=b1b4f7209ecaad4bf9a5d0d2ef1338409d364bac > > ### musl libc > > A patch series is under review for musl libc to include Landlock system > call IDs in this alternative libc. > https://www.openwall.com/lists/musl/2021/07/10/12 > > ### Man Pages > > Four manual pages dedicated to Landlock are being reviewed by Alejandro > Colomar and G. Branden Robinson. Thanks to them! This documentation is > splitted into a general overview landlock(7) and one page per syscall. > https://lore.kernel.org/linux-man/20210818155931.484070-1-mic@xxxxxxxxxxx/ > > Conferences > ----------- > > I'm glad that two (complementary) Landlock talks have been accepted to > the Open Source Summit and to the Linux Security Summit. I have given a > few talks in the last years but Landlock has changed drastically since > then (i.e. no more eBPF). These talks will unfortunately be virtual, but > I'll still be available for questions. See you at the end of the month! > > ### Open Source Summit 2021 - Sandboxing Applications with Landlock > > This talk focuses on the use of Landlock by user space, explaining the > rationale behind the design, how backward and forward compatibility is > handled, what features are currently available and what could come next. > https://sched.co/lAVl > > ### Linux Security Summit 2021 - Deep Dive into Landlock Internals > > This talk first explains the goal of Landlock and the related > consequences. This will enable to explain the kernel implementation > constraints, the choices that led to the current design, and the > potential and limits of the current and future features. > https://sched.co/ljRQ > > Roadmap (kernel-side) > --------------------- > > Last but not least, here is an overview of the roadmap for Landlock. > We'll add a proper dedicated page to the website soon: https://landlock.io > > Short term: > * improve kernel performance for the current features; > * add the ability to change the parent directory of files (see current > Landlock limitations). > > Medium term: > * add audit features to ease debugging; > * extend filesystem access-control types to address the current limitations; > * add the ability to follow a deny listing approach, which is required > for some use cases. > > Long term: > * add minimal network access-control types; > * add the ability to create (file descriptor) capabilities compatible > with Capsicum. > > Regards, > Mickaël >
