[ANN] landlock

I’m happy to announce the latest version of landlock, a Haskell library to access the Linux Landlock LSM API. This version updates the library to expose all Landlock features up to Linux 6.2 (Landlock ABI 3). It also introduces landlocked, a utility to spawn some process in a landlocked environment, which also serves as a demo of how to use the API (next to the library documentation and README.md).

It’s available on Hackage and GitHub.

The Linux kernel Landlock API provides unprivileged access control. The goal of Landlock is to enable restricting ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.

For more information, see the Landlock homepage and its kernel documentation.


Nice, this looks pretty interesting!

Are you using landlock for something interesting in one of your own projects (or work)?


Thanks! Actually, at this point I’m not. I’m working on a project (going to talk about it soon’ish…) where at some point in time it would make perfect sense to landlock it at runtime; however, it’s way too early to work on that.

I’m actually not sure why I created this library in the first place :laughing: Might be simply because I read about Landlock when it landed in Linux, and wanted to play with it.