August 27 - 28 - Vancouver, BC, Canada
Monday, August 27 • 4:20pm - 4:50pm
How to Safely Restrict Access to Files in a Programmatic Way with Landlock? - Mickaël Salaün, ANSSI

Mandatory Access Control is implemented in four major LSMs. They identify a file either by its inode attribute (SELinux and Smack) or by its path (AppArmor and Tomoyo). These techniques share a common drawback: they cannot safely be used from an unprivileged context. One of Landlock's goals is to tackle this problem with a new hybrid way to identify a file from a user-defined security policy.

After a brief recap of the main mechanisms used by Landlock (covered in LSS 2017), this talk highlights the constraints of applying unprivileged access control to files, what the previous Landlock attempts were, and how the new way to programmatically describe a file access works (cf. the eighth patch series of Landlock). We illustrate this with a demo of dynamic access control for end users. Finally, we discuss some drawbacks and how much this approach depends on the internal kernel implementation.


Mickaël Salaün

Security Engineer, ANSSI
Mickaël Salaün is a security researcher, software developer and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He works on system hardening and has built security sandboxes (e.g. StemJail) before hacking...

Monday August 27, 2018 4:20pm - 4:50pm
Room 114/115