Unhelpful error when Landlock is unsupported about birdcage HOT 6 CLOSED

I don't really see how this error is an issue with birdcage, considering it does exactly what it should?

The error is very clear in stating that the requested flags are incompatible with the operating system.

from birdcage.

I didn't know this error meant that the kernel didn't support Landlock (or even that Landlock support was optional) until today. I thought that phylum's requests to use Landlock were being denied by Docker security policies. There is a lot of superfluous information that makes it seem like if I'd just requested different parameters it would have worked.

From the landlock side I think it makes sense because birdcage requests a set of flags, some of which are only supported on certain kernel versions. However, from a birdcage user's perspective, no flags have been requested, so it's weird to get back an error saying that the requested flags were not supported.

I expect with the current error behavior, eventually somebody will log this as a bug in phylum-dev/cli because their workflow involves Docker on Windows or Mac and none of the Phylum extensions will work under Docker Desktop and they get this cryptic message instead. The returned error enum variant is platform dependent and conditionally compiled, so for phylum to display a more helpful message would require adding its own conditionally compiled code and direct dependency on landlock to check for this condition.

Maybe we should also create a ticket requesting that linuxkit's default kernel configurations have Landlock enabled. I searched and found only old issues, one of which mentioned a desire to have Landlock support as part of some special patched kernel with additional security features that hadn't been upstreamed, but Landlock is upstreamed now so I don't see why they wouldn't include it.

from birdcage.

I thought that phylum's requests to use Landlock were being denied by Docker security policies.

I don't think there's technically any differences between this and landlock not being supported.

from birdcage.

Maybe if Landlock is completely blocked by security policies you would get the same error. I was thinking it was something like we requested to manage something like MakeBlock on a temp directory and that was being denied. However, knowing more about Landlock now, it seems unlikely that you would ever get this kind of incompatible error due to existing security policies because Landlock is supposed to be cumulative restrictions and this error is happening before we specify any exceptions for what we want to allow.

from birdcage.

However, knowing more about Landlock now, it seems unlikely that you would ever get this kind of incompatible error due to existing security policies because Landlock is supposed to be cumulative restrictions and this error is happening before we specify any exceptions for what we want to allow.

I feel like seccomp with the right options should be able to do it.

from birdcage.

Landlock has been removed.

from birdcage.