libcontainer: add support for Landlock #3194
Draft
Commits on Sep 9, 2021
-
libcontainer: add support for Landlock
This patch introduces Landlock Linux Security Module (LSM) support in runc, which was landed in Linux kernel 5.13. This allows unprivileged processes to create safe security sandboxes that can securely restrict the ambient rights (e.g. global filesystem access) for themselves. runtime-spec: opencontainers/runtime-spec#1111 Fixes opencontainers#2859 Signed-off-by: Kailun Qin <[email protected]>
-
* use landlock.AccessFSSet type directly * remove non-linux files * some minor updates Signed-off-by: Kailun Qin <[email protected]>
-
Add unit test for SetupLandlock
Signed-off-by: Kailun Qin <[email protected]>
-
Add check for DisableBestEffort in the unit test
Signed-off-by: Kailun Qin <[email protected]>
-
Update go-landlock and use NewConfig instead
Signed-off-by: Kailun Qin <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.