this post was submitted on 30 Nov 2025
51 points (100.0% liked)

Linux

10629 readers
737 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
51
Landlock-ing Linux (blog.prizrak.me)
submitted 2 weeks ago by cm0002@lemmy.cafe to c/linux@programming.dev
8 comments fedilink hide all child comments
 

Landlock: What Is It?

Landlock is a Linux API that lets applications explicitly declare which resources they are allowed to access. Its philosophy is similar to OpenBSD’s unveil() and (less so) pledge(): programs can make a contract with the kernel stating, “I only need these files or resources — deny me everything else if I’m compromised.”

It provides a simple, developer-friendly way to add defense-in-depth to applications. Compared to traditional Linux security mechanisms, Landlock is vastly easier to understand and integrate.

This post is meant to be an accessible introduction, and hopefully persuade you to give Landlock a try.

top 8 comments
sorted by: hot top controversial new old
[–] JakenVeina@midwest.social 17 points 2 weeks ago (1 children)

So, it's a way for applications to make themselves more hardened against exploitation? Was really confused on first reading the title, but that makes some sense. Applications declare what permissions they need, up-front, so any exploits during normal operation can only operate under that umbrella. Unless the startup processes of the application itself are exploited.

[–] somerandomperson@lemmy.dbzer0.com 6 points 2 weeks ago

Flatpaks also do that. Kinda.

[–] boredsquirrel@slrpnk.net 12 points 2 weeks ago (1 children)

https://codeberg.org/crabjail

Here is a sandboxing tool using that feature

[–] The_Decryptor@aussie.zone 3 points 2 weeks ago (1 children)

Landrun as well, takes the restrictions on the command line. Can look messy, but does make it entirely standalone, so you can e.g. drop it into a service file as the readme shows easily enough.

[–] boredsquirrel@slrpnk.net 2 points 2 weeks ago

Thanks, I have to try that!

I am missing something to isolate my Browser(s) without using Flatpak (as that breaks everything)

[–] sga@piefed.social 6 points 2 weeks ago

A nice article. I need to read more about it, but I will likely use it. My guess on the performance is that there is not going to be any major performance drawback, but since it is runtime, I can not say for sure.

[–] rycee@lemmy.world 3 points 2 weeks ago

I didn't know about this API and it seems really cool. Will definitely try it out.

[–] fruitycoder@sh.itjust.works 1 points 2 weeks ago

Neat. Tbh the app you are securing being the one in charge makes this limited and not a replacement of SELINUX or containers, but it does add some neat features like dynamic controls based on runtime configs that have bit my butt before. So say you set a port or working dir during startup, now it can set landlock to that and the actual process running it will be limited. Very cool still.