Landlock was upstreamed to the Linux kernel back in 2021 as a new means of unprivileged application sandboxing. It aimed to be very powerful, and in the four years since being upstreamed it has seen some minor enhancements and fixes but has been without any formal code maintainer. Thankfully, two developers have stepped up to oversee this Linux security module going forward.
As a reminder about Landlock, from the kernel.org documentation:
“The goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.”
Without any formal maintainer since being upstreamed, though, continued progress on it, and maintenance of it, has been slow.
Thankfully, though, Xiu Jianfeng of Huawei and Nicolas Bouchinet of the government of France have stepped up to maintain Landlock in the upstream kernel.
The Landlock merge to Linux 6.17 explains:
“Add Nicolas Bouchinet and Xiu Jianfeng as Lockdown maintainers
The Lockdown LSM has been without a dedicated maintainer since its original acceptance upstream, and it has suffered as a result. Thankfully we have two new volunteers who together I believe have the background and desire to help ensure Lockdown is properly supported.”
Here’s to the continued success of Landlock moving forward.