FOSDEM 2026 - Island: Sandboxing tool powered by Landlock

I gave a talk at #FOSDEM about Island: Sandboxing tool powered by #Landlock
fosdem.org/2026/schedul...

GitHub - landlock-lsm/island: Sandboxing tool powered by Landlock Sandboxing tool powered by Landlock. Contribute to landlock-lsm/island development by creating an account on GitHub.

Just released Island 🏝️, a sandboxing tool powered by #Landlock.
It auto‑confines processes according to the caller's context (e.g. CWD) and comes with slick Zsh integration, so you can use your terminal naturally without command prefixes. Feedback welcome!
github.com/landlock-lsm...

Configuration example in TOML

I gave a (second) talk at #linuxsecuritysummit on a new configuration format, #Landlock Config, designed to define sandboxing security policies in JSON or TOML.
lsseu2025.sched.com/event/25GET

You can easily try it: github.com/landlock-lsm...

Feedback welcome!

Linux Security Summit Europe 2025: Script Integrity - Mickaël Salaün, Micro... View more about this event at Linux Security Summit Europe 2025

Script integrity: I gave a talk at #linuxsecuritysummit in Amsterdam on the latest news about Linux's AT_EXECVE_CHECK, useful to check the full file executability (including LSMs' policies), and the two new secbits to really control executable code.
lsseu2025.sched.com/event/25GEQ

OpenAI Codex CLI leveraging Landlock sandboxing

AI agents can potentially gain extensive access to user data, and even write or execute arbitrary code.

OpenAI Codex CLI uses #Landlock sandboxing to reduce the risk of buggy or malicious commands: github.com/openai/codex...

I just published the fifth #Landlock newsletter! 🤓
- new kernel features: IPC scoping and audit logs
- kernel fixes
- library and talk updates
- new doc
- new open source Landlock users
- RHEL support
lore.kernel.org/landlock/202...

I released a new version of the #Landlock crate: github.com/landlock-lsm... 
We can now easily restrict signal sending and connections to abstract UNIX sockets for #rustlang programs.

Starting with Linux 6.14, we'll be able to securely control script execution thanks to new syscall flags, successors of O_MAYEXEC. This is crucial to fully support code integrity.
The next step is to enlighten script interpreters. Let me know if you want to help!
docs.kernel.org/userspace-ap...

"Most people don’t understand how Linux deals with 4,000+ devs from 500+ companies a year with only email, git and no project managers."

When Greg Kroah-Hartman (a Linux Foundation fellow) wrote this to me, I also did not understand, for obvious reasons. I asked him to explain, and he did:

FOSDEM 2025 - Sandbox IDs with Landlock

Slides and patches are now online! #FOSDEM
fosdem.org/2025/schedul...

I've written a post that shows how to list all mounts in all mount namespaces (all mounts on the system) using new apis we added to the #vfs last year.

brauner.io/2024/12/16/l...

#kernel #linux #vfs

FOSDEM 2025 - Sandbox IDs with Landlock

I'll give a talk at #FOSDEM: #Sandbox IDs with #Landlock
We'll talk about the challenges to identify sandboxed processes in a safe and unprivileged way, and how that could be used to identify #containers.
fosdem.org/2025/schedul...
#FOSDEM2025 #container