Comments (6)
I don't really see how this error is an issue with birdcage, considering it does exactly what it should?
The error is very clear in stating that the requested flags are incompatible with the operating system.
from birdcage.
I didn't know this error meant that the kernel didn't support Landlock (or even that Landlock support was optional) until today. I thought that phylum
's requests to use Landlock were being denied by Docker security policies. There is a lot of superfluous information that makes it seem like if I'd just requested different parameters it would have worked.
From the landlock
side I think it makes sense because birdcage
requests a set of flags, some of which are only supported on certain kernel versions. However, from a birdcage
user's perspective, no flags have been requested, so it's weird to get back an error saying that the requested flags were not supported.
I expect with the current error behavior, eventually somebody will log this as a bug in phylum-dev/cli because their workflow involves Docker on Windows or Mac and none of the Phylum extensions will work under Docker Desktop and they get this cryptic message instead. The returned error enum variant is platform dependent and conditionally compiled, so for phylum
to display a more helpful message would require adding its own conditionally compiled code and direct dependency on landlock
to check for this condition.
Maybe we should also create a ticket requesting that linuxkit's default kernel configurations have Landlock enabled. I searched and found only old issues, one of which mentioned a desire to have Landlock support as part of some special patched kernel with additional security features that hadn't been upstreamed, but Landlock is upstreamed now so I don't see why they wouldn't include it.
from birdcage.
I thought that phylum's requests to use Landlock were being denied by Docker security policies.
I don't think there's technically any differences between this and landlock not being supported.
from birdcage.
Maybe if Landlock is completely blocked by security policies you would get the same error. I was thinking it was something like we requested to manage something like MakeBlock
on a temp directory and that was being denied. However, knowing more about Landlock now, it seems unlikely that you would ever get this kind of incompatible error due to existing security policies because Landlock is supposed to be cumulative restrictions and this error is happening before we specify any exceptions for what we want to allow.
from birdcage.
However, knowing more about Landlock now, it seems unlikely that you would ever get this kind of incompatible error due to existing security policies because Landlock is supposed to be cumulative restrictions and this error is happening before we specify any exceptions for what we want to allow.
I feel like seccomp
with the right options should be able to do it.
from birdcage.
Landlock has been removed.
from birdcage.
Related Issues (20)
- Implement macOS network filtering
- Implement macOS executable filtering
- Add networking tests
- Add executable tests
- Implement or circumvent `LANDLOCK_ACCESS_FS_REFER` in `rust-landlock`
- Does not compile on arm64
- Add more tests to cover behaviors of the sandboxes HOT 1
- Add env exceptions to sandbox example
- Publish `birdcage` to crates.io HOT 3
- Remove/reword disclaimer in readme
- Potential ways to get around networking sandbox HOT 5
- Switch seccomp network filter from blacklist to whitelist
- `cargo audit` finding for `atty` v0.2.14 HOT 2
- Run Linux tests on multiple kernels
- Add general-purpose seccomp syscall filter
- mention sandbox mechanisms and implications to changelog HOT 2
- TOCTOU issue with invalid paths
- Cleanup temporary test directories
- Use `env_clear` for environment variable reset
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from birdcage.