bug-make

Idea: Add landlock support where present


From: David A. Wheeler
Subject: Idea: Add landlock support where present
Date: Wed, 17 Aug 2022 19:20:34 -0400

All:

There's a fork of GNU make that makes use of
Linux "landlock" to sandbox "command invocations automatically
based on your build rule config. This tool will:
        • Restrict filesystem access to target and prerequisite only
        • Prevent public internet access, using SECCOMP BPF and ptrace()".

More here: https://github.com/jart/landlock-make

I think it'd be great if this was supported in upstream make, so
that doing something like ".ENFORCE_LANDLOCK" enabled this.
This mechanism would make it easy to detect certain kinds of makefile errors
(e.g., an undeclared dependency), and those fixes would help even
those *not* running on systems with landlock.
Limiting access during execution could counter certain kinds of
build-time attacks, too.

More about landlock here:
https://docs.kernel.org/userspace-api/landlock.html

Sadly, I suspect it'd be nontrivial effort to integrate their changes
upstream, but the developers might be willing to help if there's interest.

If you want to detect makefile rule errors at run-time, you're
also welcome to try out my "make-audit" tool:
https://github.com/david-a-wheeler/make-audit

If you're using make to implement a data pipeline (esp. with Python),
you might find my "make-booster" useful:
https://github.com/david-a-wheeler/make-booster

--- David A. Wheeler
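
The "target and prerequisite only" policy quoted in the message above, modelled as an added example that is not part of the original post and is not code from landlock-make or make-audit. The makefile fragment and access trace are constructed, and the split between reads (target plus prerequisites) and writes (target only) is an assumption made for illustration; the trace lists project files only.

```python
import os

# Constructed makefile fragment (not from the post).
MAKEFILE = """\
app.o: app.c app.h
\tcc -c app.c -o app.o
util.o: util.c
\tcc -c util.c -o util.o
"""

# Constructed access trace: (target being built, mode, path the recipe touched).
TRACE = [
    ("app.o", "r", "app.c"),
    ("app.o", "r", "app.h"),
    ("app.o", "w", "app.o"),
    ("util.o", "r", "util.c"),
    ("util.o", "r", "./config.h"),  # read by the recipe but never declared
    ("util.o", "w", "util.o"),
    ("util.o", "w", "app.o"),       # writes another rule's target
]

def parse_rules(text):
    """Map each target to its declared prerequisites (explicit rules only)."""
    rules = {}
    for line in text.splitlines():
        if line.startswith("\t") or line.lstrip().startswith("#") or ":" not in line:
            continue  # recipe line, comment, or not a rule
        targets, prereqs = line.split(":", 1)
        for target in targets.split():
            rules.setdefault(target, set()).update(
                os.path.normpath(p) for p in prereqs.split())
    return rules

def audit(rules, trace):
    """Return the accesses this policy would deny, in trace order."""
    violations = []
    for target, mode, path in trace:
        path = os.path.normpath(path)
        # Assumed policy: reads limited to target + prerequisites, writes to the target.
        allowed = {target} if mode == "w" else rules.get(target, set()) | {target}
        if path not in allowed:
            violations.append((target, mode, path))
    return violations

if __name__ == "__main__":
    for target, mode, path in audit(parse_rules(MAKEFILE), TRACE):
        kind = "undeclared prerequisite" if mode == "r" else "write outside target"
        print(f"{target}: {kind}: {path}")
```

Each denied read names a prerequisite missing from the rule, which is the kind of makefile error the message says enforcement would surface.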

