1.2 KiB
1.2 KiB
Sandbox
Some basic sandboxing for i2pd using seccomp and Landlock.
If you tested this please let me know how it worked.
Dependencies
For seccomp header files need to be installed.
sudo apt install libseccomp-dev
You also need a kernel with Landlock support enabled.
grep landlock /sys/kernel/security/lsm
If Landlock is not enabled check the kernel.
grep CONFIG_SECURITY_LANDLOCK /boot/config-`uname -r`
Or alternatively.
sudo modprobe configs
zgrep CONFIG_SECURITY_LANDLOCK /proc/config.gz
If Landlock is built in but not enabled you can add "lsm=landlock" to the kernel boot parameters.
Building
Copy the modified files to a complete set of i2pd sources. Then build.
make SANDBOX=yes
Tested
i2pd-2.53.0
✅ Docker Image (aarch64)
i2pd-2.52.0
✅ Docker Image (aarch64)
✅ Debian 12.4 (x86-64)
✅ Debian 12.4 (aarch64)
i2pd-2.51.0
✅ Debian 12.4 (x86-64)
✅ Debian 12.4 (aarch64)
i2pd-2.50.2
✅ Debian 12.4 (x86-64)
✅ Debian 12.4 (aarch64)
❌ Raspberry Pi OS 2024-03-12 (aarch64). Fail: no Landlock support.