Implement Linux LandLock into runc (POC/WIP)

[MikeZappa87]

I found the Linux Landlock feature last night and thought it had several usecases in the container/k8s ecosystem. I then ended up finding a presentation from one of the maintainers that validated my assumptions. I quickly just started putting some code together to see what this would look like since the current approach requires a code change to the application and I wanted to see if its possible to do this transparently to the process down in the oci runtime layer. A lot of other steps need to go into this obviously such as a specification proposal. By no means is this final or even working. Its just to start a conversation.

Presentation:
https://landlock.io/talks/2024-09-17_landlock-oss.pdf

Man Page:
https://man7.org/linux/man-pages/man7/landlock.7.html

Main Page:
https://landlock.io/

[l0kod]

Related to opencontainers/runtime-spec#1241 and https://github.com/landlock-lsm/landlockconfig (WIP)

[h-vetinari]

C.f. also #2859, #3194 and links therein

[MikeZappa87]

C.f. also #2859, #3194 and links therein

Thanks! I didn’t even see these. Some good conversations in there however it looks abandoned :-/ I’m happy to try and take over those.