feat(jailer): add Landlock LSM sandboxing via --landlock flag

[pavitrabhalla]

Summary

This PR implements the feature requested in #5513 — adding opt-in Landlock LSM support to the Firecracker jailer as a defense-in-depth mechanism.

What it does

Adds a --landlock flag to the jailer. When passed:

1. Before pivot_root: a Landlock ruleset is created and a PathFd is opened on the jail directory, capturing its inode
2. Right before exec: restrict_self() is called, enforcing the ruleset on the jailed Firecracker process

The ruleset grants all filesystem access rights within the jail directory and denies everything outside. This means if Firecracker escapes the pivot_root chroot via a kernel exploit, Landlock independently prevents access to files outside the jail — enforced by a separate LSM path in the kernel.

The flag is opt-in — existing deployments are completely unaffected.

Why Landlock on top of chroot?

pivot_root + chroot lives in the kernel's VFS layer and can be bypassed by a guest-triggered kernel exploit. Landlock is enforced by a separate LSM subsystem and independently blocks filesystem access, so it provides defense-in-depth even if pivot_root is defeated. The inode-based rules (not path-based) also survive the pivot_root boundary.

Verification

Tested on kernel 6.8.0-1048-gcp (Landlock V1/V2/V3 supported). strace confirms the correct syscalls are made:

Without --landlock — no Landlock syscalls:

+++ exited with 0 +++

With --landlock — all 4 Landlock syscalls succeed:

landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) = 4
landlock_create_ruleset({handled_access_fs=LANDLOCK_ACCESS_FS_EXECUTE|...|LANDLOCK_ACCESS_FS_MAKE_SYM, ...}, 24, 0) = 4
landlock_add_rule(4, LANDLOCK_RULE_PATH_BENEATH, {allowed_access=..., parent_fd=3}, 0) = 0
landlock_restrict_self(4, 0) = 0
+++ exited with 0 +++

parent_fd=3 is the PathFd opened before pivot_root — confirming the inode reference survives the chroot boundary.

Changes

• src/jailer/src/landlock.rs (new): prepare_ruleset() and enforce()
• src/jailer/src/env.rs: wires Landlock into run() — before chroot and before exec
• src/jailer/src/main.rs: --landlock CLI flag + JailerError::Landlock variant
• src/jailer/Cargo.toml: landlock = "0.4" dependency
• tests/framework/jailer.py: landlock parameter in JailerContext
• CHANGELOG.md: entry under [Unreleased] → Added

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

PR Checklist

• I have read and understand CONTRIBUTING.md.
• I have run tools/devtool checkbuild --all to verify that the PR passes build checks on all supported architectures.
• I have run tools/devtool checkstyle to verify that the PR passes the automated style checks.
• I have described what is done in these changes, why they are needed, and how they are solving the problem in a clear and encompassing way.
• I have updated any relevant documentation (both in code and in the docs) in the PR.
• I have mentioned all user-facing changes in CHANGELOG.md.
• If a specific issue led to this PR, this PR closes the issue.
• When making API changes, I have followed the Runbook for Firecracker API changes.
• I have tested all new and changed functionalities in unit tests and/or integration tests.
• I have linked an issue to every new TODO.

---

• This functionality cannot be added in rust-vmm.

[l0kod]

Please don't pin to ABI::V1 but to the latest that you actually tested on a machine. Restricting only to ABI::V1 will limit the features to only the initial ones, whereas if you take the greatest version you'll get all the ones supported by the running system (i.e. best-effort). See the documentation. BTW, this version should regularly be incremented once the new version is tested on a kernel supporting it.

[l0kod]

Please don't check kernel version. Landlock may be available/backported to older kernels. Landlock provides a dedicated interface to check which ABI version is supported by the running kernel. You should use LandlockStatus instead, but keep in mind that there are only a few valid use case to check this support (testing makes sense here) because the normal use of the Rust crate automatically follows a best-effort approach.

[l0kod]

This option should probably reflect the goal, not (only) the mechanism. Landlock is gaining new feature over time and the current option doesn't reflect the related description.

[pavitrabhalla]

@l0kod Thanks for the feedback. I updated everything as per your comments.

[JackThomson2]

Hi @pavitrabhalla thanks for the PR and sorry for the delay got lost in my queue somehow. I am talking with the team to decide if this is something we want to support. However, for now, a couple of things to look at now:

• Could we get some testing for this in our integration test framework?
• We need to rebase against main, looks like there's a conflict in the Cargo.toml
• Looks like the style tests are failing for gitlint and rust style (you can test these with ./tool/devtool checkstyle)
• It looks like it's failing to compile with this error below:

error[E0599]: no method named `set_compatibility` found for struct `landlock::Ruleset` in the current scope
--
--> src/jailer/src/landlock.rs:87:14
\|
86 \| /         Ruleset::default()
87 \| \|             .set_compatibility(CompatLevel::HardRequirement)
\| \|             -^^^^^^^^^^^^^^^^^ method not found in `landlock::Ruleset`
\| \|_____________\|
\|
\|
::: /usr/local/rust/registry/src/index.crates.io-1949cf8c6b5b557f/landlock-0.4.4/src/compat.rs:571:8
\|
571 \|       fn set_compatibility(mut self, level: CompatLevel) -> Self {
\|          ----------------- the method is available for `landlock::Ruleset` here
\|
= help: items from traits can only be used if the trait is in scope
help: trait `Compatible` which provides `set_compatibility` is implemented but not in scope; perhaps you want to import it
\|
76 +     use landlock::Compatible;
\|
 
error[E0282]: type annotations needed
--> src/jailer/src/landlock.rs:89:24
\|
89 \|             .and_then(\|r\| r.create())
\|                        ^  - type must be known at this point
\|
help: consider giving this closure parameter an explicit type
\|
89 \|             .and_then(\|r: /* Type */\| r.create())
\|                         ++++++++++++
 
Some errors have detailed explanations: E0282, E0599.
For more information about an error, try `rustc --explain E0282`.
error: could not compile `jailer` (bin "jailer" test) due to 2 previous errors
warning: build failed, waiting for other jobs to finish...
 
Returned error code: 101

Thanks again,

Jack

[pavitrabhalla]

@JackThomson2 thanks for your comments and apologies for the delay here. I addressed as per your feedback. Let me know if you have further feedback and I'll address quickly.

[JackThomson2]

For our CI it looks like we'll need to specify the patch version in the dependency, so if you could update that'd be great.

[JackThomson2]

Hey @pavitrabhalla thanks taking a look,

Looks like some doc style failures:

Returned error code: 1
--
  | FAILED integration_tests/style/test_markdown.py::test_markdown_style - AssertionError: Some markdown files need formatting. Either run `./tools/devtool sh mdformat .` in the repository root, or apply the diffs manually.
  |  

[codecov]

Codecov Report

❌ Patch coverage is 64.70588% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.86%. Comparing base (7503f25) to head (ff33f03).

⚠️ Current head ff33f03 differs from pull request most recent head c92cb2d

Please upload reports for the commit c92cb2d to get more accurate results.

Files with missing lines	Patch %	Lines
src/jailer/src/env.rs	25.00%	6 Missing ⚠️
src/jailer/src/landlock.rs	72.72%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5771      +/-   ##
==========================================
- Coverage   83.08%   82.86%   -0.23%     
==========================================
  Files         277      278       +1     
  Lines       30201    30120      -81     
==========================================
- Hits        25094    24959     -135     
- Misses       5107     5161      +54     

Flag	Coverage Δ
5.10-m5n.metal	83.14% <44.11%> (-0.29%)	⬇️
5.10-m6a.metal	82.47% <44.11%> (-0.30%)	⬇️
5.10-m6g.metal	79.76% <44.11%> (-0.30%)	⬇️
5.10-m6i.metal	83.12% <44.11%> (-0.30%)	⬇️
5.10-m7a.metal-48xl	82.46% <44.11%> (-0.30%)	⬇️
5.10-m7g.metal	79.76% <44.11%> (-0.30%)	⬇️
5.10-m7i.metal-24xl	83.10% <44.11%> (-0.29%)	⬇️
5.10-m7i.metal-48xl	83.11% <44.11%> (-0.29%)	⬇️
5.10-m8g.metal-24xl	79.76% <44.11%> (-0.30%)	⬇️
5.10-m8g.metal-48xl	79.76% <44.11%> (-0.30%)	⬇️
5.10-m8i.metal-48xl	83.11% <44.11%> (-0.29%)	⬇️
5.10-m8i.metal-96xl	83.11% <44.11%> (-0.28%)	⬇️
6.1-m5n.metal	83.19% <64.70%> (-0.26%)	⬇️
6.1-m6a.metal	82.53% <64.70%> (-0.27%)	⬇️
6.1-m6g.metal	79.79% <64.70%> (-0.28%)	⬇️
6.1-m6i.metal	83.18% <64.70%> (-0.26%)	⬇️
6.1-m7a.metal-48xl	82.52% <64.70%> (-0.26%)	⬇️
6.1-m7g.metal	79.79% <64.70%> (-0.28%)	⬇️
6.1-m7i.metal-24xl	83.20% <64.70%> (-0.25%)	⬇️
6.1-m7i.metal-48xl	83.19% <64.70%> (-0.27%)	⬇️
6.1-m8g.metal-24xl	79.78% <64.70%> (-0.28%)	⬇️
6.1-m8g.metal-48xl	79.79% <64.70%> (-0.28%)	⬇️
6.1-m8i.metal-48xl	83.19% <64.70%> (-0.27%)	⬇️
6.1-m8i.metal-96xl	83.20% <64.70%> (-0.26%)	⬇️
6.18-m5n.metal	?
6.18-m6a.metal	?
6.18-m6g.metal	?
6.18-m6i.metal	?
6.18-m7a.metal-48xl	?
6.18-m7g.metal	?
6.18-m7i.metal-24xl	?
6.18-m7i.metal-48xl	?
6.18-m8g.metal-24xl	?
6.18-m8g.metal-48xl	?
6.18-m8i.metal-48xl	?
6.18-m8i.metal-96xl	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pavitrabhalla]

@JackThomson2 please approve the workflows again. The code coverage and styling issues should be resolved now.

[JackThomson2]

How come we've chosen V4 here, I was looking through the docs seems like V4 requires 6.7 kernel version, so to support 6.1 we'd need min V2?

Firecracker recently onboarded 6.18 as the next host kernel version, so I wonder if the best setup would be, hard requirement of v2 (for 6.1 hosts) then best effort v6 (for the 6.18 hosts) seems like v5 added some nice device IOCTL features.

What do you think?

[l0kod]

The Landlock crate is in best-effort by default (i.e. it uses the latest available ABI, detected at runtime), which means that the abi should be the highest tested version (currently ABI::V7).

[pavitrabhalla]

Updated 👍

[pavitrabhalla]

The crate’s default SoftRequirement mode automatically downgrades at runtime to whatever the running kernel supports. So rather than a hard V2 + best-effort V6 split, I updated to ABI::V7 with Ruleset::default() (soft-requirement). On a 6.1 host it degrades gracefully; on 6.18 it uses the full V7 feature set.

[JackThomson2]

Do we need to check the okay value it looks like it returns a status docs and we'd silently continue even if this wasn't enabled?

[pavitrabhalla]

You’re right that the status is silently dropped. This is intentional — since we’re using soft-requirement mode, NotEnforced or PartiallyEnforced on older kernels is expected best-effort behavior rather than a failure condition. I’ve added a doc comment to enforce() in c92cb2d to make this explicit so it’s clear it’s a deliberate choice and not an oversight.