September 14-15, 2017 - Los Angeles, CA
Click Here For Information & Registration
Back To Schedule
Thursday, September 14 • 10:45am - 11:30am
Landlock LSM: Toward Unprivileged Sandboxing - Mickaël Salaün, Developer

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Linux has multiple access-control systems that can help containing malicious processes. However, it may be difficult and inefficient, especially for unprivileged users, to create a sandboxed application because of the currently administrator-oriented security. Unlike XNU Sandbox (macOS, iOS), Capsicum (FreeBSD) or Pledge (OpenBSD), seccomp-bpf lacks the ability to create a full standalone sandbox (e.g. restrict access to a set of files).

In this talk, we present a new LSM called Landlock. Its final aim is to enable unprivileged users to isolate their processes following the principle of least privilege. To achieve this goal, Landlock leverages eBPF to create flexible access-control rules. Thanks to multiple reviews, Landlock is getting closer to upstream, while gaining interest from the hardening and the container communities.

avatar for Mickaël Salaün

Mickaël Salaün

Senior Software Engineer, Microsoft
Mickaël Salaün is a security researcher and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He has built security sandboxes before hacking into the kernel on a new LSM called Landlock, of which he is now... Read More →

Thursday September 14, 2017 10:45am - 11:30am PDT
Gold 4