Conversation
jarkko

Jarkko Sakkinen

Landstrip 0.9.6 implements the Unix domain socket policy for Linux with LANDLOCK_ACCESS_FS_RESOLVE_UNIX, and falls back on using seccomp policy if the interface is not available.

Unix domain socket Landlock LSM policies are an upcoming feature in Linux 7.1.

https://crates.io/crates/landstrip/0.9.6
https://lore.kernel.org/linux-security-module/20260327164838.38231-1-gnoack3000@gmail.com/
0
0
1
jmorris

James Morris

@jarkko nice!

RE: https://social.kernel.org/objects/89a9d649-aed7-412b-afa6-f3a334a08ef0
1
0
1
jarkko

Jarkko Sakkinen

Reply to @jmorris
@jmorris Thanks James :-) Your endorsement means a lot to me!
1
0
0
jarkko

Jarkko Sakkinen

Reply to @jarkko
@jmorris And despite being critical about Microsoft as a company, Landstrip also proactively supports Win32 security mechanisms. Not many of these sandboxes do. macOS, Linux and Windows are all equally supported.
1
0
1
jarkko

Jarkko Sakkinen

Reply to @jarkko
@jmorris Actually I love whenever I have a chance to do something with Win32 API :-) It's well documented and well engineered and usually solutions are not a dissapointment. I think overall it is an engineering achievement having been relevant and backwards compatible such a long span of time.
1
0
0
jmorris

James Morris

Reply to @jarkko
@jarkko Interesting take ;-) You are probably right but I tried it once in the 90s and did not enjoy.
1
0
1
jarkko

Jarkko Sakkinen

Reply to @jmorris
@jmorris With coding agents, we're in a situation where we have bad behaving processes by design. So they need sandboxing, but it is in the level of preventing them going "over the top". I.e. a different scenario where you have actor that proactively tries to exploit your system :-) What I'm trying to do is to get a single binary that can address that level of brickwalls for agents, with a cross-os compatible policy - not to be the "IMAX prison".

To make something meaningful I thought that being Anthropic policy format driven but with a more serious sandbox implementation is pretty good way to move forward on hardening this ecosystem.
0
0
0
About social.kernel.org

Terms of service

  1. Please do not use this service in violation of the Linux Kernel Code of Conduct. Doing so will result in your account suspension with the referral of the matter to the CoC committee.

  2. "Repeating"/"boosting" someone else's status on this platform will be treated as endorsement and will fall under rule #1.

  3. You are encouraged to use this platform to promote your work on the Linux Kernel, but there is no restriction on permitted topics (with the exception of anything covered by #1 above).

  4. There is no requirement to post in English, but it should be considered the primary language of communication on this platform.

Privacy notice

The admins of this service have access to all posted statuses. They aren't looking, but if it's something they shouldn't know about, then you should not post it on this platform.

Please see the Linux Foundation Privacy Policy, which applies to this platform as well.

Getting your own account

If you would like an account on this instance, please check that the following applies to you:

  • You are listed in MAINTAINERS or CREDITS

  • OR: You have a kernel.org account or email address

  • OR: You have a long and established history of involvement with the Linux Kernel

If the above is true and you agree with the Terms of Service and Privacy Notice listed above, please use these instructions to request an account: