File access-control per container with Landlock
- Track: Containers devroom
- Room: UD2.120 (Chavanne)
- Day: Sunday
- Start: 12:10
- End: 12:50
Linux has multiple access-control systems, including SELinux, AppArmor, Smack and Tomoyo, that can enforce a security policy. However, it may be challenging to create and maintain such a policy per container. Moreover, a dynamically configured and unprivileged access control may better fit container needs.
In this talk, we present a Linux Security Module (LSM) proposal called Landlock, which leverages eBPF to create flexible access-control rules. Landlock can be used as a new security layer, composing with namespaces, cgroups, seccomp and other LSMs, to sandbox applications and containers. We highlight the latest Landlock patchset (v8), which brings a new way to restrict access to files.
Speakers
Mickaël Salaün