Linux

10336 readers

665 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

Landlock-ing Linux (blog.prizrak.me)

submitted 1 day ago by cm0002@lemmy.cafe to c/linux@programming.dev

7 comments fedilink hide all child comments

Landlock: What Is It?

Landlock is a Linux API that lets applications explicitly declare which resources they are allowed to access. Its philosophy is similar to OpenBSD’s unveil() and (less so) pledge(): programs can make a contract with the kernel stating, “I only need these files or resources — deny me everything else if I’m compromised.”

It provides a simple, developer-friendly way to add defense-in-depth to applications. Compared to traditional Linux security mechanisms, Landlock is vastly easier to understand and integrate.

This post is meant to be an accessible introduction, and hopefully persuade you to give Landlock a try.

you are viewing a single comment's thread
view the rest of the comments

[–] JakenVeina@midwest.social 15 points 1 day ago (1 children)

So, it's a way for applications to make themselves more hardened against exploitation? Was really confused on first reading the title, but that makes some sense. Applications declare what permissions they need, up-front, so any exploits during normal operation can only operate under that umbrella. Unless the startup processes of the application itself are exploited.

[–] somerandomperson@lemmy.dbzer0.com 6 points 1 day ago

Flatpaks also do that. Kinda.