Landlock enables to sandbox Linux applications but it might be challenging to identify the cause of denied accesses. Being able to debug a security policy is an important feature for an access control system. Likewise, logging denied accesses (and their reason) helps detect attacks. Because Landlock is dedicated to unprivileged users, some restrictions applies to such features (e.g., no global rule identifier, scoped debugging). We’ll explain the in-development approach and the intended features to help developers sandbox their applications.
Mickaël Salaün