BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.all-systems-go.io//all-systems-go-2025//SDBXLJ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-all-systems-go-2025-FXWDCF@cfp.all-systems-go.io
DTSTART;TZID=CET:20250930T145000
DTEND;TZID=CET:20250930T151500
DESCRIPTION:Landlock is an unprivileged kernel feature that enables all Lin
 ux users to sandbox their processes. Complementary to seccomp\, developers
  can leverage Landlock to restrict their programs in a fine-grained way. W
 hile Landlock can be used by end users through sandboxer tools\, there is 
 currently no well-integrated solution to define security policies tailored
  to system services. Although AppArmor and seccomp security policies can a
 lready be tied to a system unit\, we aim to provide a more dynamic\, stand
 alone\, and unprivileged option with Landlock.\n\nIn this talk\, we'll bri
 efly explain what Landlock is and highlight its differences from other Lin
 ux security features (e.g.\, namespaces\, seccomp\, other LSMs). We'll the
 n focus on the new configuration format we are designing for Landlock secu
 rity policies\, its characteristics\, and how it could extend systemd unit
 s by taking into account runtime context (e.g.\, XDG variables).\n\nSee ht
 tps://github.com/systemd/systemd/pull/39174
DTSTAMP:20260315T013934Z
LOCATION:Galerie
SUMMARY:Sandboxing services with Landlock - Mickaël Salaün
URL:https://cfp.all-systems-go.io/all-systems-go-2025/talk/FXWDCF/
END:VEVENT
END:VCALENDAR