Problem
The supervisor process currently has unrestricted host filesystem access.
A compromised LKL instance or supervisor bug could read/write arbitrary host
files. Landlock syscalls are in the BPF deny list (seccomp-bpf.c), so
guests cannot self-restrict either.
Proposed Changes
Apply a Landlock ruleset in the supervisor during initialization (before
spawning the guest) to confine its own host-level access:
- Read-only: system dirs and dynamic loader paths (runtime-detected, not
hardcoded)
- Read-write: workspace/rootfs ext4 image, temp dirs, sockets
- Network rules (TCP bind/connect deny): require Landlock ABI v4+, gated on
runtime kernel probing via landlock_create_ruleset
Prerequisites:
- PR_SET_NO_NEW_PRIVS must be set before landlock_restrict_self()
- Graceful fallback when Landlock is unavailable or ABI is too old (log
warning, continue without confinement)
Guest Landlock passthrough is explicitly out of scope: guest FDs are LKL FDs,
and the host kernel would misinterpret them, applying rules to the wrong host
files.
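The initialization sequence above (probe the ABI, build a ruleset sized for that ABI, add read-only and read-write path rules, skip the network rights below ABI 4, set PR_SET_NO_NEW_PRIVS, then landlock_restrict_self, with a logged fallback when Landlock is missing) as one added C example. This is illustrative code written for this note, not the project's supervisor code; the `ll_` names, the `ll_confine()` signature, the status enum and the path lists in `main()` are assumptions, and the real supervisor would substitute its runtime-detected loader paths and its workspace/rootfs image directory. The UAPI constants and struct layouts are copied from linux/landlock.h under local names so the file builds against older headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Landlock syscall numbers are identical on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef O_PATH
#define O_PATH 010000000   /* generic Linux value; differs on alpha/sparc */
#endif

/* Values from <linux/landlock.h>, mirrored so old headers do not matter. */
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_EXECUTE    (1ULL << 0)
#define LL_FS_READ_FILE  (1ULL << 2)
#define LL_FS_READ_DIR   (1ULL << 3)
#define LL_FS_ABI1_ALL   ((1ULL << 13) - 1)   /* EXECUTE .. MAKE_SYM */
#define LL_FS_REFER      (1ULL << 13)         /* ABI 2 */
#define LL_FS_TRUNCATE   (1ULL << 14)         /* ABI 3 */
#define LL_FS_IOCTL_DEV  (1ULL << 15)         /* ABI 5 */
#define LL_NET_BIND_TCP    (1ULL << 0)        /* ABI 4 */
#define LL_NET_CONNECT_TCP (1ULL << 1)        /* ABI 4 */

/* Local mirrors of the UAPI structs (assumed names). The size handed to the
 * kernel is truncated to what the probed ABI knows; a longer struct is E2BIG. */
struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

enum ll_status { LL_CONFINED = 0, LL_UNAVAILABLE, LL_ERROR };

/* >0: ABI version. <0: -errno (ENOSYS = no Landlock, EOPNOTSUPP = disabled).
 * The kernel never reports ABI 0, so 0 is never returned. */
int ll_probe_abi(void) {
    long r = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return r < 0 ? -errno : (int)r;
}

/* All filesystem rights this ABI understands. Rules may only grant rights the
 * ruleset handles, so every mask below is derived from this set. */
uint64_t ll_fs_handled(int abi) {
    uint64_t m = LL_FS_ABI1_ALL;
    if (abi >= 2) m |= LL_FS_REFER;
    if (abi >= 3) m |= LL_FS_TRUNCATE;
    if (abi >= 5) m |= LL_FS_IOCTL_DEV;
    return m;
}

/* Fill the ruleset attr for the probed ABI and return the size to pass to the
 * kernel. TCP bind/connect are handled (and therefore denied, since no net
 * rule is ever added) only when requested and the ABI is at least 4. */
size_t ll_build_attr(int abi, int deny_net, struct ll_ruleset_attr *a) {
    a->handled_access_fs = ll_fs_handled(abi);
    a->handled_access_net = 0;
    if (abi < 4) return sizeof(a->handled_access_fs);
    if (deny_net) a->handled_access_net = LL_NET_BIND_TCP | LL_NET_CONNECT_TCP;
    return sizeof(*a);
}

/* Add one path_beneath rule; errno is preserved so the caller can tolerate
 * ENOENT for directories that do not exist on this host (e.g. /lib64). */
static int ll_allow_path(int ruleset_fd, const char *path, uint64_t access) {
    struct ll_path_beneath_attr pb = { .allowed_access = access };
    pb.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (pb.parent_fd < 0) return -1;
    int r = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0);
    int saved = errno;
    close(pb.parent_fd);
    errno = saved;
    return r;
}

/* Confine the calling process and all of its future children; this cannot be
 * undone. Call it before spawning the guest and after every FD the supervisor
 * keeps (ext4 image, seccomp notify FD, minislirp sockets) is already open,
 * because Landlock is checked at open time and existing FDs keep their rights. */
enum ll_status ll_confine(const char *const *ro, const char *const *rw, int deny_net) {
    int abi = ll_probe_abi();
    if (abi < 0) {
        fprintf(stderr, "landlock: unavailable (%s), continuing unconfined\n", strerror(-abi));
        return LL_UNAVAILABLE;
    }
    if (deny_net && abi < 4)
        fprintf(stderr, "landlock: ABI %d < 4, network rules skipped\n", abi);
    struct ll_ruleset_attr attr;
    size_t sz = ll_build_attr(abi, deny_net, &attr);
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sz, 0);
    if (fd < 0) return LL_ERROR;
    uint64_t ro_mask = LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR;
    for (; *ro; ro++)
        if (ll_allow_path(fd, *ro, ro_mask) < 0 && errno != ENOENT) goto fail;
    for (; *rw; rw++)
        if (ll_allow_path(fd, *rw, attr.handled_access_fs) < 0 && errno != ENOENT) goto fail;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) goto fail;   /* required first */
    if (syscall(__NR_landlock_restrict_self, fd, 0) < 0) goto fail;
    close(fd);
    return LL_CONFINED;
fail:
    close(fd);
    return LL_ERROR;
}

int main(void) {
    /* Placeholder lists: the supervisor would fill these at runtime. */
    static const char *const ro[] = { "/usr", "/lib", "/lib64", "/bin", "/sbin", "/etc", NULL };
    static const char *const rw[] = { "/tmp", NULL };
    enum ll_status s = ll_confine(ro, rw, 1);
    printf("landlock status=%d abi=%d\n", s, ll_probe_abi());
    return s == LL_ERROR;
}
```

After `ll_confine()` returns LL_CONFINED, an `open("/root/x", O_RDONLY)` from the same process fails with EACCES while reads of the ext4 image through its already-open descriptor keep working, which is the property the Considerations below rely on; with `deny_net` and ABI 4 or newer, any `bind()`/`connect()` on a TCP socket fails with EACCES because the net rights are handled and no port rule grants them.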
Considerations
- Landlock restriction is irreversible for the process tree. The supervisor
must retain access to the ext4 image, seccomp notification FDs, and
minislirp sockets after confinement.
- Path list must be broader than /usr and /lib: include /lib64, /bin, /sbin,
/etc, and architecture-specific loader paths.
- Interaction with LKL-backed vs host-backed paths (see path.c path
classification) must be audited to ensure Landlock rules align with the
supervisor's actual host access patterns.
- Keep Landlock syscalls in the BPF deny list for the guest.
Affected Files
- src/seccomp-bpf.c (keep Landlock in deny list for guest)
- Supervisor initialization code (new Landlock setup before guest spawn)