top | item 44575697

(no title)

gnoack | 7 months ago

Landlock is currently still lacking some wrapper libraries that make it easier to use, in C.

We do have libraries for Go and Rust, and the invocation is much more terse there, e.g.

  err := landlock.V5.BestEffort().RestrictPaths(
      landlock.RODirs("/usr", "/bin"),
      landlock.RWDirs("/tmp"),
  )

FWIW, the additional ceremony in Linux is because Linux guarantees full ABI backwards compatibility (whereas in OpenBSD policy, compiled programs may need recompilation occasionally).

Similarly terse APIs as for Go and Rust are possible in C as well though, as wrapper libraries.

For full disclosure, I am the author of the go-landlock library and contributor to Landlock in the kernel.

discuss

No comments yet.