More Security With Landlock

Published: December 6, 2025 at 12:25 PM EST
2 min read
Source: Dev.to

The Problem with Privileged Tools

Network capture tools require elevated privileges. On Linux, CAP_NET_RAW allows creating raw sockets to capture packets. But once you have this capability, you usually keep it for the entire process lifetime—even though you only need it during initialization.

# Traditional approach: run with elevated privileges
sudo ./network-tool --interface eth0
# Tool now has CAP_NET_RAW for its entire lifetime

This creates a larger attack surface than necessary. If a bug in Deep Packet Inspection (DPI) code is exploited, the attacker inherits all the privileges the process has.

Enter Landlock

Landlock is a Linux Security Module (LSM) that allows unprivileged sandboxing. Unlike seccomp (which filters syscalls) or namespaces (which need privileges to set up), Landlock lets a process restrict itself. It’s been in the kernel since 5.13 (filesystem), and network restrictions were added in 6.4.

The key insight: sandbox after initialization, not before. We can:

  • Open packet capture handles (needs CAP_NET_RAW)
  • Load eBPF programs (needs CAP_BPF)
  • Create log files (needs filesystem write access)

Then apply the Landlock restrictions, and only then drop CAP_NET_RAW.

The existing pcap handle remains valid—the kernel doesn’t revoke it. But new raw sockets? Blocked.

Implementation

The Landlock API involves creating a ruleset, adding rules, and enforcing it:

pub fn apply_sandbox(config: &SandboxConfig) -> Result {
    // Check kernel support: with a null attr and the VERSION flag,
    // landlock_create_ruleset() returns the ABI version instead of a ruleset fd
    let abi_version = landlock_create_ruleset(
        ptr::null(),
        0,
        LANDLOCK_CREATE_RULESET_VERSION,
    );

    if abi_version < 0 {
        // No Landlock in this kernel: report it instead of aborting
        // ...
    }
    // ... build the ruleset, add the rules, landlock_restrict_self()
}

Once the ruleset is enforced, the capability is cleared from every set so the process cannot regain it:

fn drop_net_raw() -> Result {  // function name not preserved in the source
    let mut caps = CapSet::empty();

    // Read current capabilities
    capget(&mut header, &mut caps)?;

    // Clear CAP_NET_RAW from all sets
    caps.effective &= !(1 << CAP_NET_RAW);
    caps.permitted &= !(1 << CAP_NET_RAW);
    caps.inheritable &= !(1 << CAP_NET_RAW);
    // ... write the sets back with capset()
}

The caller reports the outcome rather than treating a missing sandbox as fatal:

match result.status {
    SandboxStatus::FullyEnforced => info!("Sandbox fully applied"),  // variant name follows the TUI label
    SandboxStatus::PartiallyEnforced => warn!("Partial sandbox: {}", result.details),
    SandboxStatus::NotAvailable => warn!("Sandboxing unavailable: {}", result.reason),
}

// Continue running either way: don't fail on missing sandbox

For high‑security environments, a --sandbox-strict flag makes the tool exit if full enforcement isn’t possible.
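The probe-then-enforce sequence above, written out as an added example that is not RustNet's code: it asks the kernel for the Landlock ABI version, and on ABI 4 or newer enforces a ruleset that denies every new TCP bind and connect while leaving already-open handles untouched, reporting NotAvailable otherwise. It assumes Linux and the syscall numbers 444/446 from the kernel's unified table; the names SandboxStatus, block_new_tcp and tcp_bind_allowed are this example's own.

```rust
// Added example, not RustNet's code. Raw syscalls keep it crate-free (assumption:
// Linux; 444/446 are Landlock's unified-table numbers on every architecture).
use std::os::raw::{c_int, c_long, c_void};

extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn prctl(option: c_int, ...) -> c_int;
    fn close(fd: c_int) -> c_int;
}
const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
const SYS_LANDLOCK_RESTRICT_SELF: c_long = 446;
const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
const LANDLOCK_ACCESS_NET_BIND_TCP: u64 = 1 << 0;
const LANDLOCK_ACCESS_NET_CONNECT_TCP: u64 = 1 << 1;
const PR_SET_NO_NEW_PRIVS: c_int = 38;

#[repr(C)]
struct LandlockRulesetAttr {
    handled_access_fs: u64,
    handled_access_net: u64, // only understood by ABI >= 4 kernels
}

#[derive(Debug, PartialEq)]
pub enum SandboxStatus { FullyEnforced, NotAvailable(String) }

/// Kernel support probe: a null attr plus the VERSION flag yields the ABI number.
pub fn landlock_abi_version() -> Option<i32> {
    let v = unsafe { syscall(SYS_LANDLOCK_CREATE_RULESET, std::ptr::null::<c_void>(), 0usize, LANDLOCK_CREATE_RULESET_VERSION) };
    if v < 0 { None } else { Some(v as i32) }
}

/// Sandbox-after-init step. No rules are added, so every handled access (TCP
/// bind/connect) is denied once enforced; existing sockets keep working.
pub fn block_new_tcp() -> SandboxStatus {
    match landlock_abi_version() {
        Some(v) if v >= 4 => {}
        Some(v) => return SandboxStatus::NotAvailable(format!("ABI {v} predates network rules")),
        None => return SandboxStatus::NotAvailable("Landlock unsupported or disabled".into()),
    }
    let attr = LandlockRulesetAttr { handled_access_fs: 0,
        handled_access_net: LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP };
    let fd = unsafe { syscall(SYS_LANDLOCK_CREATE_RULESET, &attr as *const _ as *const c_void,
        std::mem::size_of::<LandlockRulesetAttr>(), 0u32) };
    if fd < 0 { return SandboxStatus::NotAvailable("landlock_create_ruleset failed".into()); }
    // no_new_privs is mandatory for restrict_self (blocks a later setuid escape)
    let ok = unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1usize, 0usize, 0usize, 0usize) } == 0
        && unsafe { syscall(SYS_LANDLOCK_RESTRICT_SELF, fd as c_int, 0u32) } == 0;
    unsafe { close(fd as c_int) };
    if ok { SandboxStatus::FullyEnforced } else { SandboxStatus::NotAvailable("restrict_self failed".into()) }
}

/// Post-enforcement check: a fresh TCP bind must now be refused (EACCES).
pub fn tcp_bind_allowed() -> bool { std::net::TcpListener::bind("127.0.0.1:0").is_ok() }
```

On a kernel older than ABI 4, or where a seccomp profile denies the syscall, block_new_tcp returns NotAvailable with a reason rather than failing, which is the degradation policy the post describes.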

The UI Feedback Loop

RustNet’s TUI now shows the sandbox status clearly:

┌─Security────────────────────────────────────────┐
│ Landlock: Fully enforced [kernel supported]     │
│ CAP_NET_RAW dropped, FS restricted, Net blocked│
└─────────────────────────────────────────────────┘