CME-506

Landlock LSM (Filesystem Sandboxing)

Description

Landlock is a Linux Security Module that allows unprivileged processes to restrict their own filesystem access. A process voluntarily drops access to paths it does not need, reducing the impact of a compromise.

CVSS Vector Impacts

| Metric | Transition | Rationale |
|---|---|---|
| Scope (S) | C → U | Process cannot access filesystem paths outside its Landlock ruleset |
| Confidentiality (C) | H → L | File read access restricted to declared paths |

CWE Relationships

Verification

Check if process has active Landlock restrictions

$ grep Landlock /proc/self/status
# Expected: Landlock
Platform: linux
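
The self-restriction in the Description, as an added C example (not part of the original entry): a forked child declares one readable directory, enforces the ruleset, and confirms that a read outside it fails with EACCES. The function names, the LL_* result codes and the paths `/usr` and `/etc/passwd` are assumptions chosen for illustration; it needs kernel headers that ship `linux/landlock.h`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { LL_ENFORCED, LL_UNAVAILABLE, LL_SETUP_FAILED, LL_LEAK };
/* Restrict the calling process to reading beneath allowed_dir, then try
 * to open `outside`. Only read rights are handled, so writes stay unrestricted. */
static int sandbox_then_read(const char *allowed_dir, const char *outside)
{
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
    };
    int ruleset = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset < 0)
        return LL_UNAVAILABLE; /* e.g. ENOSYS (not built), EOPNOTSUPP (disabled) */
    struct landlock_path_beneath_attr rule = {
        .allowed_access = attr.handled_access_fs,
        .parent_fd = open(allowed_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC),
    };
    if (rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || /* required without CAP_SYS_ADMIN */
        syscall(__NR_landlock_restrict_self, ruleset, 0))
        return LL_SETUP_FAILED;
    if (open(allowed_dir, O_RDONLY | O_DIRECTORY) < 0)
        return LL_SETUP_FAILED;          /* declared path must stay readable */
    if (open(outside, O_RDONLY) >= 0)
        return LL_LEAK;                  /* sandbox did not hold */
    return errno == EACCES ? LL_ENFORCED : LL_SETUP_FAILED;
}

/* Restrictions are irreversible, so probe in a forked child. */
int landlock_probe(const char *allowed_dir, const char *outside)
{
    int status;
    pid_t pid = fork();
    if (pid == 0)
        _exit(sandbox_then_read(allowed_dir, outside));
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return LL_SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void) { return landlock_probe("/usr", "/etc/passwd"); }
```

The process exit status is the LL_* code: 0 means the ruleset was enforced and the outside read was denied, 1 means the kernel did not accept the Landlock syscall.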