How to sandbox a network application with Landlock
Network access-control is well covered by different kind of firewalls, but for some use cases it may be interesting to tie the semantic of an application instance and its configuration to a set of rules. For instance, only some processes of web browsers or web servers may legitimately be allowed to share data over the network, while other processes should be blocked. Linux provides some mechanisms to do so, including SELinux or AppArmor, but until now it has not been possible for applications to safely sandbox themselves. This tutorial will first introduce Landlock, the new Linux sandboxing feature, which currently only supports filesystem access. We will then talk about a new set of access rights that are being developed to restrict TCP, which will also be an opportunity to discuss network restrictions that might come next. This will allow us to patch a simple network application (written in C) to make it sandbox itself following a best-effort approach.
The schedule is up!
[Tue, 4, Oct. 2022]
We are pleased to announce our Netdev 0x16 keynote speaker: John Ousterhout
[Fri, 23, Sep. 2022]
Registration for Netdev 0x16 is now OPEN!
[Wed, 21, Sep. 2022]
Bronze Sponsor, OpenVPN
[Sat, 10, Sep. 2022]
Bronze Sponsor, Jump Trading
[Fri, 9, Sep. 2022]
Bronze Sponsor, NVIDIA
[Thu, 8, Sep. 2022]
|Closing of CFS||Wed, Sept. 7, 2022|
|Notification by||Thu, Sept. 15, 2022|
|Conference dates||Oct 24th - 28th, 2022|