Landlock workshop: Linux sandboxing in practice
2024-07-03, 10:15–12:15 (Europe/Paris), Workshop room 1

Landlock is the sandboxing mechanism available on Linux. In this workshop, we'll sandbox an application in a way which is transparent to users. This hardening will help mitigate security vulnerabilities.

The goal of this workshop is to illustrate how sandboxing can mitigate vulnerabilities. To showcase usefulness of sandboxing, we'll use an old and vulnerable version of ImageMagick, but all kind of applications could still be impacted by similar vulnerabilities.

The CVE-2016-3714 vulnerability, aka ImageTragick, is caused by an insufficient shell characters filtering that can lead to (potentially remote) code execution. Thanks to Landlock, we'll restrict the convert tool's access rights before it can get exploited by opening a malicious file, and then mitigate the impact of such vulnerability.

Attendees should be fluent in C, have a working Linux system, and follow these instructions (if possible before the workshop):

See for useful links.

See also: slides

Mickaël Salaün is a kernel developer and open source enthusiast. He is mainly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now the maintainer. He previously worked for the French national cybersecurity agency (ANSSI) on systems hardening. He is currently employed by Microsoft to work on Linux-related security projects.