Skip to content

support guest Landlock syscalls for in-sandbox application sandboxing #13439

Description

@lukehinds

Description

gVisor currently does not expose the Linux Landlock ABI. Tools such as nono and openai codex use Landlock as an unprivileged, inherited, kernel-enforced sandbox for filesystem, networking, and process/IPC scoping. When run inside a gVisor container, these tools cannot apply their expected sandbox policy.

As one of the maintainers of nono, I have had a good few users asking about gVisor support and it makes sense why - they compose really well together with the strong isolation model of gvisor and nono's capability based policy model.

Is this feature related to a specific bug?

Its a feature request.

Do you have a specific solution in mind?

current gVisor syscall tables do not register:

  • landlock_create_ruleset
  • landlock_add_rule
  • landlock_restrict_self

So Applications probing Landlock observe it as unavailable.

An incremental path (if prefered) could be the following as we walk up the ABI versions, or even better include support for all - but we need to consider managing older kernels

  1. Landlock V3 filesystem enforcement.
  2. Landlock V4 TCP port enforcement.
  3. Landlock V5/V6 device ioctl and scoping.
  4. Landlock ABI 7 (audit)

cc @EtiennePerot and @l0kod

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions