So we'll see in the workshop how to sandbox an application, and especially a command-line application. So we will use an old vulnerable version, because it is useful to see how it works and how an exploit might, well, get access to your data. So I hope everyone followed this setup. If you didn't, you should still be able to do that right now, but that might be a bit short. Anyway, if you didn't, I can flash this QR code, follow this URL, and everything is explained there. As a reminder, these slides are available on the, well, on the schedule, so you might want to download the PDF and keep it close, because I will try to switch between these slides and a terminal.

So if you did follow this step, so Vagrant installed on your machine, great, you can connect with SSH, vagrant ssh. But now you need to shut down this machine because I updated the repository this morning. So just power it off, you do a git pull on the Vagrant repository that you just cloned, you do a vagrant up and vagrant ssh again, and then you get, well, the updated files. If you missed that it's okay, you can do that later. Okay, so I guess everyone did that already. So if you don't know, there's a feature with Vagrant that enables you to do snapshots, and that might be useful to restore a previous state that was working, for instance. You're not required to use the VM of course, but yeah, that's kind of free. And then you can do an SSH, vagrant ssh, and connect to the machine. If you have Vagrant installed you can also launch it and see the virtual machine, but it will be more convenient to use SSH.

So what it did, the reasoning: if you execute the setup script, it first builds the environment, so with an up-to-date Arch Linux distro, installs all the good packages, installs a vulnerable version of ImageMagick, which is not easy to find but still there. Then the setup created a new package and installed it. So now let's see how to sandbox this kind of stuff with... Yes, oh. Okay, maybe you should start again. Yeah.
Yeah. It was connected and it was... Okay, so I start again quickly, just for the ones who are online. Oops. Yeah. That's basically what I said. It will be easier to flash this QR code now. And yeah, so what you can do is go to the red one with three, do a git pull, vagrant up and vagrant ssh to get the latest version. But if you don't do that now, you could do it later. Now, everything is written in the README, so you have all that. And let's start for real.

So first, why do we want to sandbox an application? Well, just assume that with enough skills and time, well, most applications could be compromised. That includes the kernel, of course, but also all the user space applications. And as developers, well, we don't want to be involved in such issues. So it might be a good idea to kind of prevent that. It's some kind of insurance. So you want to protect users, and even if there's a bug in your application, because there is, somewhere, well, that could make such an attack more costly. So it will give more time to update your application, fix it, update and push it over the fleet or distros or Git or whatever. And yeah, as users, well, when you use an application, you can increase your attack surface, so yeah, it would be nice to be able to control this attack surface.

A simple example is, as a Linux user, on your desktop for instance or on a server, when you launch an application, even a command-line application, well, it runs most of the time with the same credentials as the user. So in this case, if this application is compromised, well, it can have access to all your files. You might have, well, a hardened distro with SELinux, AppArmor, Smack, TOMOYO and whatever, that's great, but I guess it doesn't cover everything, because it is really complex, and if you want to install whatever application you want, well, the system-wide policy needs to be aware of that.
So most of the time it might not. Anyway, most flexible, and it's fun. So sandboxing is really to isolate an application, to isolate a process from the rest of the system, to not let it harm or access your data. Yeah, even innocuous and trusted application processes can become malicious, so you need to be careful. And you don't want to give privileges to your application to be able for it to drop some more accesses, and you don't want this kind of feature to harm your system. Yes, and Landlock is designed just for that. It is an unprivileged Linux security module, so available to everyone. There are mainly, well, three dedicated syscalls for that: to configure a security policy, to load it and to enforce it on the current thread. And it is still gaining new features over time, so when you update your kernel, you might get new features, if you ask the kernel to use them, so thanks to these syscalls.

Okay, so this workshop is focused on the file system access control. Basically you can control which files an application, a process, can execute, read or write, which directories are allowed to be read, and where you can create files, directories or character devices or stuff like that. So let's see an example. Let's say this one, the first sandbox, which is kind of a generic one.
So it only configures the security policy to allow, for instance, read and execute on /usr. It only allows read to /etc and so on. So it's quite generic, but it might be, for instance, enforced when a user logs in, so every application the user will launch after that will be restricted by this first layer of sandboxing. Let's say they then want to, well, launch a new application. Let's say it's an ImageMagick instance, or any picture application. Well, this application can also enforce a new security layer on itself, and this one should be kind of tailored to its own use, to the code of the application. And because the application knows which files it should have access to, well, you can say: well, I want access to .cache, .config and the pictures directory. But when this application opens a file, actually, it can also further restrict its own sandboxing by adding a new layer, a third layer in this case, and that might be, for instance, to only allow read to the specific file that is requested to be opened by the user, and to still have access to the cache, because, well, that might be required.

And how does this work? So let's say that we want to actually open the cool.jpeg file here. So the third layer grants this access, the read access, so it's okay. But we need to have the same approval for the two first layers too. So the kernel goes through the hierarchy and looks for the second layer, and it finds that the second layer granted access to the pictures directory, so it's okay. So let's go for the first layer now, and the kernel goes back to the parent directory and finds that, well, the first layer grants access to the home directory. So that's okay. Everything is checked and the access is allowed.

Okay, so how do you sandbox an application? Well, first you need to define a threat model.
You need to know what is potentially malicious or not, what is trusted or not. Most of the time, well, I think the configuration should be trusted, because it changes the behavior of the application, but input files like pictures, everything that the application can ingest from the network or the file system, could be harmful. Then you need to identify some parts of the code that are meaningful and where there's kind of a good chance that there is some bug, for instance file parsing. In this case, in the case we will see, it's when the image parser of ImageMagick parses an image and then does some stuff that it should not do. Then we need to identify where this code is and where we can patch it, actually, and if possible where the application has already loaded its configuration, so this way the application knows what is legitimately meant to be allowed to access, and everything else should be denied. And then, well, you can do that in an incremental way: you can identify other parts of the code and make it more generic, to, well, get more security guarantees.

There's something to keep in mind. I will not talk too much about that, but it's important, and it's forward... well, backward compatibility is ensured by the kernel, but because Landlock is gaining more and more features over time, and because it is a deterministic mechanism, you need to ask for a specific feature before being able to use it. So this means that if you develop an application that should be run on a new kernel, and so using a new feature, well, if this feature is not available on another system with another kernel, that might not work.
So there's a mechanism in place to handle that, and, well, there's some responsibility for the developer to be sure that, well, the application will work well. And the main idea is to probe for an ABI version. So with one of the Landlock syscalls you can ask the kernel to give you a number, and this number will change, will increment, when the kernel gets new features, and to know which feature, you need to take a look at the documentation. So at runtime you can check which features are supported and know what you should ask and what you cannot ask to the kernel. This way you can implement some sandboxing in a best-effort way, that should protect the user as much as possible.

So how does it work? So for this we use a first syscall, which is called landlock_create_ruleset, with a specific flag, so LANDLOCK_CREATE_RULESET_VERSION, and with this call we get the ABI version. So if it's less than zero, this means that the kernel doesn't support Landlock at all. Otherwise, it means that it supports it, with the full set of features or a subset of them. Then, when you know the kernel supports Landlock, you can create a ruleset, and for that you need to specify which access rights you want your sandbox to be able to restrict. So this is part of the compatibility contract. In this case, well, you tell the kernel the sandbox will by default deny execution, writing files, creating new files and so on, and then you can add exceptions to allow some specific files, file hierarchies, to, well, be allowed. So to create this ruleset you feed this struct to this syscall, landlock_create_ruleset, with this call. Yeah, so it's an extensible struct, so this might grow over time. And then you get a file descriptor. That's a real file descriptor. It's not a file, but it's a file descriptor that can be used to populate this ruleset. And to populate this ruleset you first define a rule, so that would be an exception, and you say: well, for instance, I want, well, this path to be
executable, for instance /usr: you want to, well, you want to execute binaries that are in this directory. So you first define a set of access rights, and then you define the root of this file hierarchy, in this case /usr. So you open this directory, you fill the file descriptor in this struct, and then you pass this struct to a new syscall, which is called landlock_add_rule. The first argument is the ruleset file descriptor, and then, well, you pass the rule. So you populate the rule, and when you're done adding all your exceptions, all your rules, all the stuff that you need to have access to, then you can enforce this ruleset on the current thread. And for that, most of the time, you'll need to kind of pledge to the kernel that you will not get more privileges. One way to get more privileges is to execute setuid binaries; that will not be allowed, except if you run as root, which is kind of special and might not be a good idea. Anyway, after that, once you're ready, you can call a third syscall, which is landlock_restrict_self, with the ruleset file descriptor, and then from that point, until the end of this thread and all its children, this thread will be restricted and the sandbox cannot be removed.
Okay, let's patch ImageMagick. Just a quick reminder: ImageMagick, as I said, is pretty common. It is a set of tools to manipulate images, pictures, to transform them and display them, and it can handle a lot of file formats. Most of the time it is used as a tool on the command line, but it might also be used, well, by servers, web servers and so on. Might not be a good idea, but that's the fact. So the attack scenario is what was called ImageMagick ImageTragick. So it was some years ago. The issue is that, well, some image formats are quite flexible and they include some URL to get some, some scheme, kind of, some extra information to complete the understanding of the file, and that was, in a shell, passed to, well, a tool like curl or wget, so you can find that it's not safe, and it could lead to shell escape, and that was the case.

Okay, and what we do is to use this version, test it, and then patch it, and then test it again to see what happens even if the exploit is used. So here's the agenda. We'll quickly switch to another laptop. So, yeah, I'll try to switch between these slides and the console. So, yeah, did all of you, or most of you, download the PDF, the slides? Yeah, that might be useful. And yeah, as a reminder, and it is written there: what we are doing now is, well, these changes are in the patches in the repository, so you already have these patches. So it's just in case, or if you want to get back to that later. But of course the idea is not to apply these patches, otherwise it will be done in two minutes, but that you understand how it works and what it does.

So, yeah, I spoke a bit about that, but the different steps we need to do, and what we'll do, is first to declare the Landlock syscalls, because as you may know a syscall is mainly an ID, a number, and it might not come with a .h, an API header. Over time libcs provide these kinds of headers, but in the case of Landlock, like with other new syscalls, it is not the case.
So it will be more convenient to write a simple shim around that. Yeah, then we'll take a look at where we want to patch it. Well, I will help you with that, because that might take a bit of time to learn an application, especially when it's not yours, of course. Then we'll create a ruleset, add static rules, dynamic rules, and then finally enforce everything. We might not do that in this order because we'll try to test as much as possible. And yeah, let's start.

Yeah, first you can go in this directory. So it's the main one that contains the source code. So on my system it's here. So I like to... Okay, okay. So I guess it's okay. So we are in the good directory, the good repository, and now that you updated your Vagrant script repository, you can, well, launch this first script. It will initialize the ImageMagick source directory to make it easy to work with Git. So yeah, I can go there: vagrant, ImageMagick patches, init repo. And I don't have that, I need to update it. It's okay. Works even better if I have internet. So I guess I'll do like you, I will start again. And vagrant ssh, this one's good. So you see that Vagrant now automatically syncs the files. Okay. So let's go in this directory, ImageMagick trying source magic. And there's no at RC, so it's a typo here, but we're good. So let's execute this script. Okay, good. So I cheated a bit, I already have the repo set up, so you can just ignore that, but yeah, that's it. I have, like you, this commit. Yeah, I guess it's not the same name, but that's it.

Okay, let's switch to the next part. Then we'll need to copy a kind of skeleton with the syscalls and change it a bit. So let's do that. So for the newcomers: we are in this directory, the PDF is on the website. Okay, let's copy this sandboxer.c. So if you want to take a look, it's exactly the file which is provided by the kernel sources, and the one that I used in the first talk. Okay, so let's copy that into magick/landlock and then change this file a bit.
So the main thing we want to remove is, well, the main function, of course, because that should only be a kind of header library. So we remove everything after that. We might want to keep these two definitions here. There's ACCESS_FS_ROUGHLY_READ and ROUGHLY_WRITE, so this groups, well, mostly read accesses and mostly write accesses, so that will help us after that. And you can remove all the rest of the C code, except the two syscall definitions at the top, the three syscall definitions at the top. So if you look again: this landlock_create_ruleset here, landlock_add_rule and landlock_restrict_self. Otherwise it's kind of optional. The defines, these two defines, will be useful. So let's save that. I'm using Vim. I guess not everyone is using Vim, but you can use whatever you want. If you want to install something you can do sudo, like, sudo pacman and install whatever you want.

Okay, now we will look at the code of one tool of ImageMagick, which is called convert. So I guess you get it, it's to convert from one file format to another. So let's open this file. It's wand/convert, so I guess you get the joke. Okay, and now, well, we will not look too much at this code because, well, there is a lot, but I looked at it before and I know where it's kind of the sweet spot to patch it. So I will tell you: you can look for CopyMagickString. There's only one instance, and just after this line we will add our code. So the first thing to add is to create a ruleset. Yeah, I guess it's okay for everyone. So, yeah, let's define a ruleset. So we will create a new struct variable. Then I will set it here.
So let's call it ruleset_attr, and add handled_access_fs with, you guess, everything that we want to handle, so everything that will be denied by default and everything that can be allowed by a rule also. So we'll use what was defined in the other file, so ACCESS_FS_ROUGHLY_READ and the same for write. Okay, so you should have something like that. And let's first try to test it. But I forgot to first... I guess you did it, but we might do it again: to exploit the installed version. So let's launch a shell. So yeah, convert is already installed here. We are changing, well, modifying a new version, so we can call the installed one, which is vulnerable, with the exploit file, and try to write it, changing from MVG, which is kind of an uncommon file format, to PNG. So this works, and, well, this works, I can tell you that it works because there's an image here. And what you can see, as you saw I guess before, is that there's also something, actually, which is printed. It's an SSH key. So it is a key in the virtual machine, of course. But yeah, that's, you want this one. So yeah, that was generated when you created your virtual machine, so it's unique and it's not used anywhere. But in your real laptop I guess you have this kind of keys. So you don't want this, well, first to be printed on screen, but that is merely an example. But if it can be printed here, well, it can be uploaded anywhere, and same for your personal pictures, for any key you can have, any code, and so on.

We changed the convert source code a bit and only added this ruleset definition, but it's not enough. We need to... well, if you build with that, it will tell you that it doesn't know the landlock_ruleset_attr type, because it doesn't know where to look. That's okay. We need to add at the top an include of the file we just imported. So, Landlock, I'll put that here. So now that should be okay. It is not, because it is not in wand.
It is in magick, magick/landlock, and the build should be, I guess it should be quite quick because you built it before, but if it's not, the next one will be much quicker. So that's it. We have Landlock defined, but it's not used anywhere, so let's use it. So what is the status here? Do you all have the convert tool compiling? Well, no issues? Great.

Yeah, now we need to use this ruleset. So like this: we'll call landlock_create_ruleset with the ruleset attr that we defined, and we'll get a file descriptor, and then if everything is okay we'll use this file descriptor. But yeah, first, let's create this file descriptor. So, yeah, let's define all the variables as soon as we need them, it will be easier. In case you're wondering, there's a zero at the end, and that is a flag, and that is mostly not used except for this kind of trick to get the Landlock version, but over time we could get new features, and, well, this empty flag could get new flags. Empty argument, I mean. Okay, so we should be good now. Let's check if this ruleset is okay. So if there's an error, let's print something. Okay, and in this case let's return and exit the program. So MagickTrue is just one, I guess. Not sure if we have that somewhere, but it's, yeah, it's used this way, you can see that here too. So, okay. Now we should have our file descriptor. We can test that to be sure. Let's print some debug stuff. Yeah, just printf: the ruleset was created. Well, you can print it if you want. Okay, something like that.

Okay, let's build that again. Okay, and now let's execute the same command that we did before, but this time we are with our own version of convert, so it's in utilities/convert. Then you can take the same input image, vagrant, exploit, malicious, and write that here. So it should do the same. Yeah, it works. It still works. It's okay.
There's nothing enforced yet, we just created a file descriptor, and you can see that here: file descriptor, and the file descriptor is three. Great. Let's move on. And yeah, at the end we should close this file descriptor. Of course, it's not a security risk, but it will be a file descriptor leak. So, yeah, it is always good to close stuff to avoid resource leaks. Yeah, so let's close it now, maybe, to not forget, but we'll put that at the end here. So as you can see, oops, at the bottom right you can see the patch name that contains this stuff. So you can either take a look at the patch or even apply it if you want, but yeah, you should try to write it yourself.

Now let's enforce it. And what do you think will happen if you enforce this ruleset as is? Do you have some idea? I'll give some clues: we have a ruleset that restricts all read and all write operations and allows nothing, so all these actions will be denied. So you can test that. Yeah, so let's call the first syscall, prctl. So it's kind of a bit special, but if you use seccomp you know it, because it is required for seccomp too. prctl, PR_SET_NO_NEW_PRIVS, and set it to one; the other arguments are just not used. If there's an issue, let's print that. Okay, and let's do the same for the actual Landlock syscall, so landlock_restrict_self. So there's a typo in the slide. It's not a survey because there's no survey available, but it's ruleset_fd. And in this case, because it should not happen, let's exit if there's an issue here.
So it's not restricted. It was to luck which is... Okay, and now as before let's return magic, okay. So now, to summarize, we have: we defined a ruleset, we created the ruleset, we call prctl, and we enforce this ruleset on the current thread with this syscall. So let's build that again. And there's a typo here, so... better now. Okay, and now let's launch it again: utilities/convert. Let's take the malicious file and write to /tmp. And it didn't work, and that's okay, because we denied everything, and you can see, well, convert complains that, well, it cannot write where it wants. It cannot read stuff first, but it will not be able to write it either. So, okay, it's sandboxed, but it's useless because it doesn't work. We need to add exceptions, we need to add rules. So what is your status here? Do you all have the same stuff? Let's move on.

Now we'll define a first rule. This one will be to allow access to all the libraries and stuff that convert may use. So it is about allowing /usr, and, yeah, for that we need to open it, get the file descriptor, fill this rule struct, and then, well, define this rule with the access: mostly execute, read file and, well, read dir actually, and all this is defined with ACCESS_FS_ROUGHLY_READ. So, let's do that. Yeah, you can print some stuff if you want. No, that's not the good one. Okay. Now let's create the struct. Okay, and this one again is defined in the landlock file, the .h file, well, which also includes a file which is provided by your distro this time. We can take a look quickly at this file. It should be in /usr/include/linux/landlock.h, and that is, yeah, once again provided by your distro, and it contains the relevant bits for user space. So struct definitions: you can find again the landlock_ruleset_attr, you can find the landlock_path_beneath_attr with the two fields, and you can also find all the access rights, which are defined here. Okay, let's look at this rule.
So I will add first the parent file descriptor, so the root of the hierarchy. And you don't need to, but it's a good thing to do, is to use the O_PATH flag. O_PATH is used to reference a file, but you cannot do anything with this file descriptor except reference it for some syscalls, and Landlock is one of them. So yeah, you don't need to open this directory and to be able to read the content, you just need to be able to tell the kernel that "I want this directory to be allowed", to reference a tree. Yeah, and O_CLOEXEC is, like, it's always good. Now let's add the access rights. So once again there's a typo here, I guess. You can take a look quickly, because I did a copy-paste, and that should be allowed_access, not handled_access_fs, but it's good in the patch. Okay, so we should allow read in the directory and that's it.

Now let's load this rule, let's add this rule to the ruleset with the landlock_add_rule syscall. So, well, the ruleset file descriptor, we tell the kernel that it is a path beneath rule, and, yeah, you put the rule there. If anything goes wrong, let's print an error message. Okay, and all that... well, there's a mistake here: it should be before using the ruleset, of course. So I added that at the end, but as you can see on the slide, it should be before the prctl call, of course. So let's move this code up.

Okay, so let's recap. We define a ruleset, we create a ruleset file descriptor, we define a rule, we populate the rule and we add this rule to the ruleset, and then we call prctl and landlock_restrict_self to enforce this ruleset on the current thread. So now we have kind of a small sandbox, but that would make sense. So it will not work, because, well, some stuff will work, but it will not have access to the input file, of course, but we can still test that and make sure that it builds. Well, it does, apparently. Is everything okay for everyone? Good. Let's continue. So now we'll add more rules.
So let me make some room here. So of course when you're developing stuff you want to factor out code and so on; for this tutorial, it would be much more easy to just do copy-paste of the same code, but if you want to you can improve this code, of course. So that was it for the first exception, the first rule, and now let's add another one, because if you execute this you'll see some issues probably, but we can test it. We can test it. Yeah, so it works, the rule was added, but yeah, you still cannot read and write the input file, right? So that's okay.

So yeah, let's copy this block and add a new rule. This time it will not be for /usr but for /dev/null, because that might be used internally. So we change the path, and we need to change the access right too, and this time we'll use a real Landlock access right, not a group of them. So it will be LANDLOCK_ACCESS_FS_READ_FILE, because we want to be able to read /dev/null, because that might be used for, well, internal reasons. That's it. Again, to be sure, you can build to make sure that it works, and we'll go to the next part, which is to add dynamic arguments.

So dynamic, that is the fun part, I hope. Okay, so once again let's copy the block, and this time... so if you're curious, you took a look at the code before, just before where we are inserting code, and you can see that there is just the filename here. So this filename is the one which is passed as an input path, and so in our use case, in our case, it will contain the vagrant exploit malicious MVG thing. So that's good. We need to, well, allow convert to read this file, because that's what we want. So, yeah, let's use it. So let's replace the previous /dev/null with filename. Same here, we don't just print it, we actually use it, that's better. And yeah, that's it. We want to be able to read it and that's it.
We don't want to write to the input file. Okay, and so this time we can also build again and test if it can read the file, which wasn't allowed before. So again, I'm using, well, of course, the utilities/convert version, not the version which is installed. So, a new error message, you see. So what is interesting is: permission denied, another time. There is no more... before there was "permission denied" to access the input file, "convert: unable to open image", here, "permission denied", and that is gone now. You can see that we created three rules: for /usr, /dev/null and the input file, which is dynamic. So that's great. You cannot define that in a system-wide policy because, well, that's static. So I think it is almost good. The only issue is that this tool cannot write on the output file, which is unfortunate, so let's add that.

Once again, let's copy this block, the add-rule block. We'll change filename with something else, and this something else is mostly that. So I didn't mention that, but I should have: ImageMagick is kind of written in a special way. It parses arguments as it reads them, which is okay, but it also interprets arguments when it reads them, so there is actual computational code near the argument parsing, and as much as, well, convert reads the CLI arguments, it does stuff. So that is not really clean, and that is, yeah, an issue for different reasons, and one of them is, well, it is more difficult to maintain, to evolve, and so to patch. But you can still do that here. And so, yeah, it's a bit weird to look at the output path like this, but it's the way ImageMagick and convert do it. You can just look at the code and you'll see what I mean. So yeah, let's do it. The thing is, the output file doesn't exist when you execute the application, so the application will need to be able to write to the directory. Okay, so we cannot just allow, well, open the destination file, which doesn't exist yet. We need to open the directory, which should exist, and then add an exception to
this directory. So let's do that. Let's get the output path first. Properly, okay. Now let's get the dirname of this one, and now let's replace the filenames with the out dir, and we need to change the access rights for this specific... you need to be able to write on it, and I'm not sure, but maybe read on it too, but we can try first with only the write access. So it should be something like... yeah. Okay, so that should be it. Maybe there's some stuff that convert needs to do on the directory, like listing the content, but we'll see that just now. Except it might not build, because I guess there's a missing... here. Looks to be... looks fine, great. Yeah, let's test it. Yeah, cool. That's not good. So if we trace it we can get an idea of what's going on. And oh, yeah, it's not one plus one, it's i plus one. Thank you. Yeah, so you can see here this dirname is not known. That's okay. So let's take a look at what we need for that. It's here, you know. Oh, yeah, sorry. So if you take a look at the man page, you can see that we need to add the include of libgen.h, so let's add it at the top, like here for instance, and that should be it. Okay, no warning anymore.

Let's try it, and it looks like there's an issue. This is another permission denied, because convert tries to do something. If we had an audit feature, we could know what's going on exactly, but otherwise you can just use strace and take a look. We can, actually, and you can see that it tries to, well, open the /tmp/out.png. So it means that you need read and write access to the content of the directory. So let's add it. So I just did a copy of these access groups, so we now have also ACCESS_FS_ROUGHLY_READ and ROUGHLY_WRITE for, again, the output directory. That should be it.
I will come later if you need to take a look, but everything is in the patch, again, number six. Okay, let's try to convert it again, without strace this time. And there is something interesting going on here. The conversion went well. There are still some issues with convert, but, oh, it is unable to open this file, right? Let's make sure that it did write on this file. So that's good. And what you can see is the exploit is still executed, which is okay, but it cannot read the private key. So the picture is still available, but we limited the impact of such... well, limited to only the output directory and to read the input file, mainly. Is that good for everyone? Did you succeed to patch it this way? Do you want me to show it again? Yes? Yeah.

Requirement... So these three syscalls, right? So what you call ABI exactly? Yeah. Yeah, yeah. Oh, yeah, so that's for extensibility, flexibility reasons, to be able to extend it later, and because, well, arguments are kind of limited; for instance, you cannot pass a 64-bit value, because that's the way it is, for compatibility reasons and so on. So if you need to pass something else than only a 32-bit value, you need to have a pointer, and yeah, the beauty with this API is that you can pass a pointer to a struct, and because you specify the size of the struct, it can evolve over time, and if you don't fill the struct, even if the size of the struct changes, but if the trailing part is filled with zeros, it will work even with other kernels.

So, yeah, so that was a question I asked myself. Yes, and I think it's not a good thing, because as a user of this API you don't really care about the ABI, about the version; you care about features, you want to check this and that, okay, and if you want to deal with ABI compatibility you want to use a library that will handle that better than you could, because some people spent some time on it, and that's the idea. So, yeah, that's why it is really simple.
They can I can just return an API version, then the user space library can do whatever it wants. It's fine, good for the goal of sandboxing. Yes, right, and it's much simpler for the kernel too, which is good.
Okay, so I guess everyone almost did patch the application, so that's good. Again, all the solutions are in the patches, which are provided. You can install it if you want on your system with these commands, and this time you'll have on your system, on your computer machine, the patched version.
Okay, and here are some exercises left if you want to continue that. Well, of course that was a workshop, so the idea is to make it simple to explain. I hope it was okay. But of course you may want to add some loops here to have more and more complex tricks to parse the paths and the access rights and so on, and then build something more flexible. Convert, ImageMagick, also supports some specific URI schemes like fd, and that can also work with Landlock. You might want to support more commands than only convert, and there's two more arguments because that is kind of straight here. Well, if you want to go further, you can build your own kernel, add the support and test.
And for your own application, if you want to patch it, we're working on a set of tools to make this easier, and especially to make it easier to test your applications on different kernel versions: some kernel versions that may not support Landlock, some that may support a subset of it, and others that may support all the new features. And that is really convenient to put in a CI, to know when you're developing your library, your application, that, well, it would work well whatever the innovation you're using, well, your users are using. And, yeah, if you want to go on, you can send patches of stream idea and try to... Yeah, it's left as an exercise. Okay, let's wrap up.
So, what does this patch? So this patch is to sandbox a native CLI application, and it deals with, well, its native arguments. So whenever you run this application, if the kernel supports Landlock, it will be sandboxed. You don't need to have any specific configuration for the system, any system-wide policy; you just need to run your application. So if it doesn't support Landlock, well, you should check that and just not try to sandbox, because it will fail, of course. But if the current kernel does support Landlock, well, you can use it in sandbox as a code.
I guess it was quite quick to implement this first proof of concept, even if, well, there's more time required to understand where to patch, to find the sweet spot. But that is doable, and it's even quicker with your application, of course, because you know it. So that's much more...
If you want to contribute, there's a lot of stuff to do, either on the kernel side or the user space side. There's a Rust library, Go library, Haskell library, or the other stuff, and you'll see some tools using it. You can take a look at the website, landlock.io, and on the GitHub, and, yeah, look for Landlock on GitHub, you'll see. If you want to test, to challenge the implementation, feel free. And, yeah, there's still some improvement to do for the documentation. And of course, well, what I can suggest you is to sandbox your application and others. If you want some motivation, well, there's some rewards program.
So that might be a good thing to do. Thank you. If you have any question, feel free to ask them now or later. There's almost no one sleeping, which is good.
Yeah, so my question is: would it be possible to apply this type of sandboxing on top of a binary without recompiling the binary directly? So you would create a wrapper binary that would then load the secondary binary to sandbox it, apply the Landlock permissions on the top one, and then it would load the second binary and launch into it with those restrictions in place. So that way you don't have to recompile your target.
Yes, definitely. So one goal from Landlock is to be able to not only sandbox your application but create sandboxes, like container managers, or even, like, applications which are designed to sandbox stuff, like Flatpak or whatever, bubblewrap and so on. And yes, you can do that. I can do a quick demo. I did the same in the previous talk, but I can do it here. So, yeah, if you go in the samples/landlock directory in the kernel source tree, you'll see there's a sandboxer file, and when you execute it, you'll see what the configuration... So let's try to... Yes. So let's just copy the default, the example configuration.
So in this case, yeah, I'm launching the sandbox application, which is patched with Landlock, which will sandbox itself according to a configuration, here in the environment variables (it could be a file or whatever you want), and then launch, well, what I put here, bash in this case. And that's it, I'm in a sandbox. Well, there's an error here, but it's an error from bash, because you cannot read, well, the home directory, but that's okay. I cannot read that. It's okay. But I can still read the tmp directory, but I can read the slash, actually, and so on.
Got it. Thanks.
Okay. So thank you.
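Added example, not code from the talk or from the workshop patches: the restriction built in the demo (read access to the input file, read and write access beneath the directory of the output file) together with the ABI-version probe and the sized-struct call discussed in the Q&A. The names `sandbox_convert` and `allow` are hypothetical, only a few Landlock ABI v1 filesystem rights are handled, and it assumes anything else the program needs (libraries, configuration) is already loaded.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <libgen.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example, hypothetical names. ABI v1 rights only (any <linux/landlock.h>). */
#define FS_READ  (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)
#define FS_WRITE (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG)

/* Allow `access` beneath `path`; returns 0 on success, -1 on error. */
static int allow(int ruleset_fd, const char *path, __u64 access)
{
    struct landlock_path_beneath_attr rule = { .allowed_access = access };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return -1;
    int ret = syscall(__NR_landlock_add_rule, ruleset_fd,
                      LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return ret;
}

/* Returns 0 if sandboxed, 1 if Landlock is unavailable, -1 on error. */
int sandbox_convert(const char *input, const char *output)
{
    char tmp[4096], *out_dir;
    struct landlock_ruleset_attr attr = { .handled_access_fs = FS_READ | FS_WRITE };
    /* A NULL attr with the VERSION flag only asks which ABI the kernel has. */
    if (syscall(__NR_landlock_create_ruleset, NULL, 0,
                LANDLOCK_CREATE_RULESET_VERSION) < 1)
        return 1;
    /* The struct size is passed so the kernel can tell which fields we know. */
    int fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0)
        return -1;
    snprintf(tmp, sizeof(tmp), "%s", output);  /* dirname() may modify its input */
    out_dir = dirname(tmp);
    int ret = -1;
    if (!allow(fd, input, LANDLOCK_ACCESS_FS_READ_FILE) &&
        !allow(fd, out_dir, FS_READ | FS_WRITE) &&
        !prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) &&
        !syscall(__NR_landlock_restrict_self, fd, 0))
        ret = 0;
    close(fd);
    return ret;
}
```

Execution is not among the handled rights here, so code run after the call still executes; what it loses is the ability to read or write files outside the two allowed paths.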