Landlock

[ngc92]

restrict file-system write access

[Copilot]

Pull request overview

This PR introduces a Linux Landlock LSM sandbox (csrc/landlock.cpp) that restricts filesystem write access during untrusted kernel evaluation. The sandbox allows read access to the entire filesystem but limits writes to /tmp and /dev. It also consolidates the existing prctl hardening calls (previously in manager.cpp) into the new install_landlock() function. A new exploit test (submission_replace_torch) is added to verify that attempts to write a shadow torch.py file to the current working directory are blocked.

Changes:

• New csrc/landlock.cpp implementing install_landlock() which sets up a Landlock ruleset (read-only everywhere, read-write in /tmp and /dev) and applies prctl hardening.
• csrc/manager.cpp replaces the inline prctl calls with a single install_landlock() call.
• New exploit exploits/submission_replace_torch.py and corresponding entry in exploits/run_all.py to test the defense.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
csrc/landlock.cpp	New file implementing the Landlock filesystem sandbox and prctl hardening
csrc/manager.cpp	Replaces inline prctl calls with install_landlock()
CMakeLists.txt	Adds landlock.cpp to the build
exploits/submission_replace_torch.py	New exploit testing file-write-via-cwd attack
exploits/run_all.py	Registers the new exploit in the test suite

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.