Implement Linux LandLock into runc (POC/WIP) #4864
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Related to opencontainers/runtime-spec#1241 and https://github.com/landlock-lsm/landlockconfig (WIP) |
Signed-off-by: Michael Zappa <[email protected]>
MikeZappa87
force-pushed
the
mzappa/landlockpoc
branch
from
d8f8f33 to
cc3493d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I found the Linux Landlock feature last night and thought it had several usecases in the container/k8s ecosystem. I then ended up finding a presentation from one of the maintainers that validated my assumptions. I quickly just started putting some code together to see what this would look like since the current approach requires a code change to the application and I wanted to see if its possible to do this transparently to the process down in the oci runtime layer. A lot of other steps need to go into this obviously such as a specification proposal. By no means is this final or even working. Its just to start a conversation.
Presentation:
https://landlock.io/talks/2024-09-17_landlock-oss.pdf
Man Page:
https://man7.org/linux/man-pages/man7/landlock.7.html
Main Page:
https://landlock.io/