Description
Feature request description
It would be great if Podman offered an additional --security-opt option for improved isolation strength/security using the Landlock LSM (https://landlock.io/) which I believe has been included in the kernel of most distros for a while now.
Suggest potential solution
In theory, Podman already has knowledge about which filesystem and network operations a container needs access to. Hence, during the process of container creation, Podman could appropriately sandbox the container process (using Landlock) after setting up namespaces and before entering them.
Also, Landlock already provides a Go library to assist with integration at https://pkg.go.dev/github.com/landlock-lsm/go-landlock/landlock.
Have you considered any alternatives?
As per https://docs.podman.io/en/stable/markdown/podman-build.1.html#security-opt-option, Podman already has support for increased runtime security through the SELinux and AppArmor LSMs. This is great, but these are much more complex to use and require external tooling to configure, as well as root access. Landlock, on the other hand, is designed to allow unprivileged processes to sandbox themselves and can thus offer increased security with very little added friction for the user.
Additional context
I am working on a tool for easily building/managing sandboxed development environments using Podman (https://github.com/Gerharddc/litterbox) which would greatly benefit from this feature. As per https://lore.kernel.org/landlock/20260119.eiphie8iNgu2@digikod.net/T/#t, there are potentially ways to use Landlock without requiring direct support from Podman, but this will be complex/hacky since the order of sandboxing and namespace operations is very important for things to work properly.
For this application, my original plan was to use SELinux + Udica. However, after trying to implement that, it turned out to be overly complex and to require root permissions. Another problem is that most distros do not have SELinux support, which means many users would not be able to benefit from the feature. Likewise, AppArmor would come with similar issues.