Symposium sur la sécurité des technologies de l'information et des communications

French-language conference on the theme of information security.
It took place in Rennes from 5 to 7 June 2024.

Landlock: From a security mechanism idea to a widely available implementation
Mickaël Salaün


Date: 06 June 2024 at 09:30, 30 min.

Landlock's goal is to make it possible for Linux applications to sandbox themselves. On Linux, many traditional access control mechanisms are only available to the system administrator, which does not follow the principle of least privilege. As a result, sandboxing policies were created independently of an actual program execution, leading to unnecessarily broad policies. With Landlock, unprivileged processes can safely create sandboxing policies well-tailored to the expected needs of a running application. Landlock also solves the organizational aspect of keeping policy and software in sync with each other, by putting the policy definition and maintenance in the developer's hands.

The development of Landlock happened in three steps: design, integration in the Linux kernel, and adoption by distributions and developers. This talk gives our feedback on all these steps, which are all crucial to widely protect users.