#Landlock Security Module Adds File Truncation Support With #Linux 6.2
https://www.phoronix.com/news/Landlock-Linux-6.2
Original tweet: https://twitter.com/phoronix/status/1604437671786516480
The portable version of #gameoftrees has received support for #landlock on #linux!
This is a significant improvement because a major point of our application design is to allow for process-level isolation of code which touches Git repository data that was (potentially) fetched from other computers. Network protocol speakers, decompression routines, object parsing routines, pack-file parsing and recombination of file content from deltas, and configuration file parsers, all run in a distinct process context of their own.
The #OpenBSD version relies on #pledge to provide process-level isolation. The helpers can make no unnecessary system calls and do not have any filesystem access. This makes it harder to run useful arbitrary code after a successful attack.
But so far, the -portable version had no such isolation at all. Every process could in theory read the invoking user account's sensitive files (such as SSH or PGP private keys) after a successful exploit. The next -portable release will revoke file system access from every helper process on Linux 5.13 and up if landlock is enabled at run-time in the kernel :flan_hurrah:
Huge thanks to @op for implementing this!
#gameoftrees #landlock #linux #openbsd #pledge
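The Linux isolation described in the post above, as an added example in C (not Game of Trees' own code): a best-effort Landlock restriction that handles every filesystem right the running kernel's ABI reports and adds no rules, so the calling process loses all filesystem access, and that is skipped when Landlock is not compiled in or is disabled at boot. The syscall numbers, flag bits and ruleset layout follow the kernel UAPI; the function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock syscall numbers are the same on every architecture (added in
 * Linux 5.13); defined here so the example also builds with older headers. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_ACCESS_FS_REFER    (1ULL << 13) /* ABI v2, Linux 5.19 */
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) /* ABI v3, Linux 6.2 */

/* UAPI struct layout as of Linux 6.2. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };

/* ABI version reported by the kernel, or 0 when Landlock is unusable:
 * not compiled in (ENOSYS), disabled at boot (EOPNOTSUPP) or blocked. */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v > 0 ? (int)v : 0;
}

/* Every filesystem right the given ABI version knows. Handling a bit the
 * running kernel does not know makes ruleset creation fail with EINVAL,
 * so the mask is trimmed to the detected ABI instead of hard-coded. */
uint64_t fs_access_mask_for_abi(int abi) {
    if (abi < 1) return 0;
    uint64_t mask = (1ULL << 13) - 1;            /* ABI v1: EXECUTE .. MAKE_SYM */
    if (abi >= 2) mask |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) mask |= LANDLOCK_ACCESS_FS_TRUNCATE;
    return mask;
}

/* Handle all known rights and add no rules: nothing on the filesystem stays
 * reachable. Returns 1 when restricted, 0 when skipped (no Landlock), -1 on error. */
int drop_all_fs_access(void) {
    int abi = landlock_abi_version();
    if (abi == 0) return 0;
    struct landlock_ruleset_attr attr = { .handled_access_fs = fs_access_mask_for_abi(abi) };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0) return -1;
    /* no_new_privs is mandatory before restrict_self; it also blocks setuid escalation. */
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, fd, 0);
    close(fd);
    return rc ? -1 : 1;
}
```

Call drop_all_fs_access() in a helper right after it has opened the descriptors it legitimately needs; the restriction survives execve and is inherited by children.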
Looks like Landlock (a tool to sandbox the filesystem) is making it to Linux 5.13 - that's another solution in the sandboxing swamp on Linux https://landlock.io/ #linux #sandbox #landlock