Re: Landstrip

[Jarkko Sakkinen <jarkko@kernel.org>]

On Mon, Jun 08, 2026 at 05:28:39AM +0300, Jarkko Sakkinen wrote:
> On Fri, Jun 05, 2026 at 03:19:09PM -0400, Justin Suess wrote:
> > On Tue, Jun 02, 2026 at 04:42:51AM +0300, Jarkko Sakkinen wrote:
> > > I played with an idea could Landlock LSM be used to do conceptually a
> > > better fit sandbox for programs such as Anthropic Sandbox Runtime [1].
> > > 
> > > After some missteps at first I got it pulled together quite well:
> > > 
> > > https://crates.io/crates/landstrip
> > > 
> > > To see it in action I also have a fork of pi-hashline-readmap plugin,
> > > which was a cherry-picked test case I wanted to try out given it already
> > > hooks the bash tool command for compressed output.
> > > 
> > > I just thought that this might interest some as Landlock is not really
> > > over-used kernel feature in "application sense".
> > > 
> > > This is a more lower barrier and more failure tolerant to deploy than
> > > Bubblewrap based container for this use and purpose in my opinion
> > > at least.
> > > 
> > Very cool! Landlock is great for this usecase of application driven
> > sandboxing.
> > 
> > (just a quick note, the linux-security-module/linux-integrity
> > mailing lists mostly for kernel development patches, the
> > landlock.lists.linux.dev list is more for
> > userspace Landlock topics like this. so I removed the cc for
> > linux-security-module/linux-integrity and added that list)
> > 
> > I notice there is a seccomp policy for unix sockets in this application.
> > Although it might not be in your kernel yet, support for sandboxing
> > named unix sockets with Landlock was recently merged. :)
> > 
> > https://lore.kernel.org/linux-security-module/20260327164838.38231-1-gnoack3000@gmail.com/
> 
> Thanks for the pointer. My focus has been more in the wiring than inner
> shenanigans but soon might be a good time to revisit :-)
> 
> I have also Seatbelt FFI and Windows AppContainer profiles are whatever
> they call them through Win32 API.

I migrated to direct syscalls with Landlock in order to keep in faster
phase.

I'll implement ACCESS_FS_RESOLVE_UNIX support, and run-time detection to
know whether to fall back to a seccomp policy (which is needed still
few years to come).

One LSM I'm not really familiar of and it bothers me a bit is the eBPF
LSM. I'm not exactly sure would it do anything useful/valuable for
me in this project.

And I think Anthropic's app security policy is actually quite nice
and practical. I plan to use this myself when I do find+xargs type
of risky operations :-) It's great with scripts, which kind of
makes sense.

JSON is quite horrible tho so without breaking backwards compatibility
I'll add --format json|yml. In yml-version there won't be bucket
lists for each rule. Instead it will have singular "allowRead" etc.
statements. This is more to use cases where I find it useful :-)

BR, Jarkko