Brussels / 4 & 5 February 2023


Backward and forward compatibility for security features

Application developers working and testing with a specific kernel version should be able to easily control how their application behaves with previous (and future) kernel versions as well. We developed a Landlock library (for security sandboxing purposes) that protects users as much as possible while making the work of application developers easier and safer.

This talk gives feedback about the development of a security library that needs to deal with backward and forward compatibility, because its security features are tied to specific kernel versions, while handling different use cases in a safe and secure way. We explain the patterns we used to make it possible to fine-tune the requested (optional) features while providing a safe default behavior. For simple use cases, the idea is to provide a best-effort security approach for potentially unsupported kernel features: use the available features and ignore the others. However, in more complex use cases, we may want to make some features depend on others. We may also want to handle errors differently depending on which features are unsupported.
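The following is an added example, not code from the talk or from the Landlock library itself, that models the compatibility pattern described above in plain Rust without touching the kernel. The `Abi`, `CompatLevel`, `RulesetBuilder`, `handle_access_if` and `build_policy` names are illustrative assumptions; the only facts taken from Landlock are that ABI version 2 introduced the refer right and ABI version 3 the truncate right, so a library must probe the running kernel's ABI and decide, per requested right, whether to enforce it, drop it (best effort) or fail (hard requirement).

```rust
use std::fmt;

/// Landlock ABI versions as a library would probe them at runtime
/// (ABI 1: Linux 5.13; ABI 2: 5.19, adds refer; ABI 3: 6.2, adds truncate).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Abi {
    V1 = 1,
    V2 = 2,
    V3 = 3,
}

/// How to treat a right the running kernel does not support.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CompatLevel {
    /// Use what is available and silently drop the rest (safe default).
    BestEffort,
    /// Fail the whole policy if the feature is missing.
    HardRequirement,
}

/// A few filesystem rights; the mapping to ABI versions is real Landlock history.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Access {
    ReadFile,
    WriteFile,
    Refer,
    Truncate,
}

impl Access {
    /// Minimal ABI version that knows this right.
    pub fn min_abi(self) -> Abi {
        match self {
            Access::ReadFile | Access::WriteFile => Abi::V1,
            Access::Refer => Abi::V2,
            Access::Truncate => Abi::V3,
        }
    }
}

/// Error returned only under `HardRequirement`; carries what was missing.
#[derive(Debug, PartialEq, Eq)]
pub struct Unsupported {
    pub access: Access,
    pub required: Abi,
    pub available: Abi,
}

impl fmt::Display for Unsupported {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:?} needs Landlock ABI {:?}, kernel provides {:?}",
               self.access, self.required, self.available)
    }
}

/// Illustrative builder: records which rights end up enforced or dropped.
pub struct RulesetBuilder {
    abi: Abi,
    level: CompatLevel,
    handled: Vec<Access>,
    dropped: Vec<Access>,
}

impl RulesetBuilder {
    pub fn new(abi: Abi) -> Self {
        Self { abi, level: CompatLevel::BestEffort, handled: Vec::new(), dropped: Vec::new() }
    }

    /// The level applies to every `handle_access` call that follows it, so one
    /// policy can mix mandatory and optional rights.
    pub fn set_compatibility(mut self, level: CompatLevel) -> Self {
        self.level = level;
        self
    }

    pub fn handle_access(mut self, access: Access) -> Result<Self, Unsupported> {
        if access.min_abi() <= self.abi {
            self.handled.push(access);
            return Ok(self);
        }
        match self.level {
            CompatLevel::BestEffort => { self.dropped.push(access); Ok(self) }
            CompatLevel::HardRequirement => Err(Unsupported {
                access, required: access.min_abi(), available: self.abi,
            }),
        }
    }

    /// Feature dependency: request `access` only if `dependency` is really enforced.
    pub fn handle_access_if(mut self, dependency: Access, access: Access) -> Result<Self, Unsupported> {
        if self.handled.contains(&dependency) {
            self.handle_access(access)
        } else {
            self.dropped.push(access);
            Ok(self)
        }
    }

    pub fn handled(&self) -> &[Access] { &self.handled }
    pub fn dropped(&self) -> &[Access] { &self.dropped }
}

/// Mixed policy: read/write are mandatory, newer rights are best effort.
pub fn build_policy(abi: Abi) -> Result<RulesetBuilder, Unsupported> {
    RulesetBuilder::new(abi)
        .set_compatibility(CompatLevel::HardRequirement)
        .handle_access(Access::ReadFile)?
        .handle_access(Access::WriteFile)?
        .set_compatibility(CompatLevel::BestEffort)
        .handle_access(Access::Refer)?
        // Restricting truncate only makes sense here once writes are restricted.
        .handle_access_if(Access::WriteFile, Access::Truncate)
}

fn main() {
    for abi in [Abi::V1, Abi::V2, Abi::V3] {
        match build_policy(abi) {
            Ok(r) => println!("{:?}: enforced {:?}, dropped {:?}", abi, r.handled(), r.dropped()),
            Err(e) => println!("{:?}: policy refused: {}", abi, e),
        }
    }
}
```

The design point is that the caller, not the library, decides where best effort ends: the same builder yields a working (if weaker) sandbox on an ABI 1 kernel and a full one on ABI 3, while a right marked as a hard requirement turns an old kernel into an explicit error that the application can report instead of silently running unprotected.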


Mickaël Salaün