Feature Request
Firecracker's guest kernel CI configs currently build Linux kernels with Landlock disabled and with landlock absent from the configured LSM list.
For example, the current 6.1 guest configs include:
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
Describe the desired solution
Would the project consider enabling Landlock in the guest kernel configs and adding it to CONFIG_LSM?
Suggested effective configuration:
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
Additional context
Firecracker provides a strong microVM isolation boundary. Landlock enables a complementary layer inside the guest: unprivileged, process-local, kernel-enforced sandboxing that can be used by higher-level runtimes, developer tools, build systems, agent sandboxes, and application frameworks to provide fine-grained isolation.
These tools can use Landlock to reduce the authority of individual guest processes without requiring privileges, containers, or additional host configuration. This composes well with Firecracker:
- Firecracker provides the guest/host boundary.
- Landlock provides fine-grained in-guest restrictions for individual processes.
- Higher-level sandboxes can enforce least privilege inside the microVM rather than relying only on the outer VM boundary.
- This is useful for workloads that intentionally run untrusted or semi-trusted code inside a microVM but still want per-process filesystem restrictions within the guest.
The expected behavior would then be to run the following inside a Firecracker guest:
cat /sys/kernel/security/lsm
and see landlock in the output, allowing userspace to detect and use the supported Landlock ABI.
For Linux 6.1, this would enable the filesystem-oriented Landlock features available on that kernel series. Newer Landlock features that require later kernels would naturally remain unavailable until the guest kernel version is updated.
That gives Firecracker users a better default foundation for layered isolation inside the microVM, while preserving Firecracker's role as the outer isolation boundary.
Note: This request is separate from host-side jailer hardening in PR #5771. Enabling Landlock in the guest kernel does not change Firecracker's host-side security model. It simply makes a standard upstream Linux unprivileged sandboxing mechanism available to guest userspace.
I am happy to help in any way: make the pull request, ensure test coverage, documentation, etc.