PTS2022

Sandboxing your application with Landlock, illustration with the p7zip case
2022-07-04, 16:15–16:35 (Europe/Paris), Amphitheater

Landlock is the security sandboxing feature available since Linux 5.13. Its goal is to empower developers by letting them harden their applications. Indeed, it is assumed that, with enough skill and time, most software could be compromised. Sandboxing adds a new layer of security to mitigate such attacks.

This talk quickly introduces the main Landlock properties, and then explains how to sandbox your own application. We'll use p7zip, a C++ archive manager, as a practical example.


https://docs.kernel.org/userspace-api/landlock.html

See also: 🎥 video

See also: slides

Mickaël Salaün is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now the maintainer. He previously worked for the French national cybersecurity agency (ANSSI) on systems hardening. He is currently employed by Microsoft to work on Linux-related security projects.