Island sandboxing tool
Sandboxing tool to help secure day-to-day workflows
This project develops a Linux-native sandboxing tool, based on the Landlock security module in the Linux kernel. Current sandboxing on Linux doesn't have much of a middle ground between a chroot (which changes the apparent root directory for the current running process and its children but is easy for programmes to escape), and a full virtual machine / container environment. Island would require no privileges and ensure robust security via context-driven sandboxing. The main innovation is context-driven sandboxing, where security profiles are applied automatically based on the current working directory or other contextual cues. Key features include seamless shell integration, a dedicated declarative configuration format, automated profile management, advanced environment isolation, and auto-completion for profiles and commands. The expected outcome is a user-friendly, flexible, and secure tool that streamlines command execution, policy management, and environment handling for modern Linux environments.
- The project's own website: https://github.com/landlock-lsm
This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).