Mickaël Salaün
@l0kod.bsky.social
Building Landlock, the Linux security sandboxing mechanism: https://landlock.io
🧑💻 https://digikod.net
🦣 https://mastodon.social/@l0kod
🐦 https://twitter.com/l0kod
🧑💻 https://digikod.net
🦣 https://mastodon.social/@l0kod
🐦 https://twitter.com/l0kod
I gave a (second) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, designed to define sandboxing security policies in JSON or TOML.
lsseu2025.sched.com/event/25GET
You can easily try it: github.com/landlock-lsm...
Feedback welcome!
lsseu2025.sched.com/event/25GET
You can easily try it: github.com/landlock-lsm...
Feedback welcome!
August 29, 2025 at 3:59 PM
I gave a (second) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, designed to define sandboxing security policies in JSON or TOML.
lsseu2025.sched.com/event/25GET
You can easily try it: github.com/landlock-lsm...
Feedback welcome!
lsseu2025.sched.com/event/25GET
You can easily try it: github.com/landlock-lsm...
Feedback welcome!
Script integrity: I gave a talk at #linuxsecuritysummit in Amsterdam on the latest news about Linux's AT_EXECVE_CHECK, useful to check the full file executability (including LSMs' policies), and the two new secbits to really control executable code.
lsseu2025.sched.com/event/25GEQ
lsseu2025.sched.com/event/25GEQ
Linux Security Summit Europe 2025: Script Integrity - Mickaël Salaün, Micro...
View more about this event at Linux Security Summit Europe 2025
lsseu2025.sched.com
August 29, 2025 at 12:32 PM
Script integrity: I gave a talk at #linuxsecuritysummit in Amsterdam on the latest news about Linux's AT_EXECVE_CHECK, useful to check the full file executability (including LSMs' policies), and the two new secbits to really control executable code.
lsseu2025.sched.com/event/25GEQ
lsseu2025.sched.com/event/25GEQ
AI agents can potentially gain extensive access to user data, and even write or execute arbitrary code.
OpenAI Codex CLI uses #Landlock sandboxing to reduce the risk of buggy or malicious commands: github.com/openai/codex...
OpenAI Codex CLI uses #Landlock sandboxing to reduce the risk of buggy or malicious commands: github.com/openai/codex...
August 15, 2025 at 5:22 PM
AI agents can potentially gain extensive access to user data, and even write or execute arbitrary code.
OpenAI Codex CLI uses #Landlock sandboxing to reduce the risk of buggy or malicious commands: github.com/openai/codex...
OpenAI Codex CLI uses #Landlock sandboxing to reduce the risk of buggy or malicious commands: github.com/openai/codex...
I just published the fifth #Landlock newsletter! 🤓
- new kernel features: IPC scoping and audit logs
- kernel fixes
- library and talk updates
- new doc
- new open source Landlock users
- RHEL support
lore.kernel.org/landlock/202...
- new kernel features: IPC scoping and audit logs
- kernel fixes
- library and talk updates
- new doc
- new open source Landlock users
- RHEL support
lore.kernel.org/landlock/202...
May 19, 2025 at 2:55 PM
I just published the fifth #Landlock newsletter! 🤓
- new kernel features: IPC scoping and audit logs
- kernel fixes
- library and talk updates
- new doc
- new open source Landlock users
- RHEL support
lore.kernel.org/landlock/202...
- new kernel features: IPC scoping and audit logs
- kernel fixes
- library and talk updates
- new doc
- new open source Landlock users
- RHEL support
lore.kernel.org/landlock/202...
I released a new version of the #Landlock crate: github.com/landlock-lsm...
We can now easily restrict signal sending and connections to abstract UNIX sockets for #rustlang programs.
We can now easily restrict signal sending and connections to abstract UNIX sockets for #rustlang programs.
github.com
April 29, 2025 at 6:37 PM
I released a new version of the #Landlock crate: github.com/landlock-lsm...
We can now easily restrict signal sending and connections to abstract UNIX sockets for #rustlang programs.
We can now easily restrict signal sending and connections to abstract UNIX sockets for #rustlang programs.
Starting with Linux 6.14, we'll be able to securely control script execution thanks to new syscall flags, successors of O_MAYEXEC. This is crucial to fully support code integrity.
The next step is to enlighten script interpreters. Let me know if you want to help!
docs.kernel.org/userspace-ap...
The next step is to enlighten script interpreters. Let me know if you want to help!
docs.kernel.org/userspace-ap...
Executability check — The Linux Kernel documentation
docs.kernel.org
March 26, 2025 at 6:53 PM
Starting with Linux 6.14, we'll be able to securely control script execution thanks to new syscall flags, successors of O_MAYEXEC. This is crucial to fully support code integrity.
The next step is to enlighten script interpreters. Let me know if you want to help!
docs.kernel.org/userspace-ap...
The next step is to enlighten script interpreters. Let me know if you want to help!
docs.kernel.org/userspace-ap...
Reposted by Mickaël Salaün
"Most people don’t understand how Linux deals with 4,000+ devs from 500+ companies a year with only email, git and no project managers."
When Greg Kroah-Hartman (a Linux Foundation fellow) wrote this to me, I also did not understand, for obvious reasons. I asked him to explain, and he did:
When Greg Kroah-Hartman (a Linux Foundation fellow) wrote this to me, I also did not understand, for obvious reasons. I asked him to explain, and he did:
March 20, 2025 at 4:18 PM
"Most people don’t understand how Linux deals with 4,000+ devs from 500+ companies a year with only email, git and no project managers."
When Greg Kroah-Hartman (a Linux Foundation fellow) wrote this to me, I also did not understand, for obvious reasons. I asked him to explain, and he did:
When Greg Kroah-Hartman (a Linux Foundation fellow) wrote this to me, I also did not understand, for obvious reasons. I asked him to explain, and he did:
Reposted by Mickaël Salaün
I've written a post that shows how to list all mounts in all mount namespaces (all mounts on the system) using new apis we added to the #vfs last year.
brauner.io/2024/12/16/l...
#kernel #linux #vfs
brauner.io/2024/12/16/l...
#kernel #linux #vfs
Listing all mounts in all mount namespaces
Introduction
brauner.io
December 16, 2024 at 10:32 PM
I've written a post that shows how to list all mounts in all mount namespaces (all mounts on the system) using new apis we added to the #vfs last year.
brauner.io/2024/12/16/l...
#kernel #linux #vfs
brauner.io/2024/12/16/l...
#kernel #linux #vfs
I'll give a talk at #FOSDEM: #Sandbox IDs with #Landlock
We'll talk about the challenges to identify sandboxed processes in a safe and unprivileged way, and how that could be used to identify #containers.
fosdem.org/2025/schedul...
#FOSDEM2025 #container
We'll talk about the challenges to identify sandboxed processes in a safe and unprivileged way, and how that could be used to identify #containers.
fosdem.org/2025/schedul...
#FOSDEM2025 #container
FOSDEM 2025 - Sandbox IDs with Landlock
fosdem.org
December 16, 2024 at 6:04 PM
I'll give a talk at #FOSDEM: #Sandbox IDs with #Landlock
We'll talk about the challenges to identify sandboxed processes in a safe and unprivileged way, and how that could be used to identify #containers.
fosdem.org/2025/schedul...
#FOSDEM2025 #container
We'll talk about the challenges to identify sandboxed processes in a safe and unprivileged way, and how that could be used to identify #containers.
fosdem.org/2025/schedul...
#FOSDEM2025 #container