LSM: Linux Security Module

https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html

  1. By label: SELinux, Smack;
  2. By path: AppArmor, TOMOYO, Landlock;
  3. LoadPin: ensures that everything the kernel loads itself (firmware, kernel modules) comes from the same filesystem;
  4. Yama: restricts ptrace (ptrace_scope);
  5. SafeSetID: restricts which uid/gid transitions setuid/setgid are allowed to make;
  6. Integrity Policy Enforcement (IPE): security policy based on data integrity (digital signatures);

Sandbox tools

  1. Low-level tools
    1. AppArmor
    2. Container
      1. Fakeroot-style user-namespace tools: RootlessKit, PRoot + CARE
      2. Bubblewrap
      3. Podman
      4. Nerdctl
      5. systemd-nspawn
      6. Incus
    3. gVisor
    4. KataContainers
  2. High-level tools
    1. Strong isolation
      1. Landrun
      2. Firejail + Firetools
      3. Bubblejail
      4. Flatpak
      5. Snap
      6. Linglong (玲珑)
      7. boxxy
    2. Weak isolation
      1. Distrobox
      2. Toolbx
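
Which of the sandbox tools above can actually confine anything depends on which LSMs the running kernel has active: Landrun needs Landlock, Snap confinement and Firejail's optional profiles need AppArmor, and a Yama ptrace_scope of 0 lets any same-uid process attach to a "sandboxed" one. The following pre-flight check is an added example (not code from the page or from any of the listed projects). It reads the kernel's own interfaces, /sys/kernel/security/lsm and /proc/sys/kernel/yama/ptrace_scope, and falls back to a constructed sample list when securityfs is not mounted (for example inside a container), so the mapping functions can be exercised offline.

```shell
#!/bin/sh
# Added example: map the active LSM stack to the sandbox mechanisms it can back.
# Paths are the kernel's documented interfaces; SAMPLE_LSMS is constructed.

SAMPLE_LSMS="lockdown,capability,landlock,yama,apparmor,bpf"   # constructed sample

# Print the active LSMs in stacking order, as the kernel reports them.
# Assumption: securityfs is mounted at /sys/kernel/security; otherwise use the sample.
active_lsms() {
    if [ -r /sys/kernel/security/lsm ]; then
        cat /sys/kernel/security/lsm
    else
        echo "$SAMPLE_LSMS"
    fi
}

# lsm_enabled NAME LIST: succeed if NAME appears in the comma-separated LIST.
lsm_enabled() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Meaning of each Yama ptrace_scope value (Documentation/admin-guide/LSM/Yama.rst).
yama_scope_meaning() {
    case "$1" in
        0) echo "classic: any process may ptrace another process of the same uid" ;;
        1) echo "restricted: only descendants, or targets that opted in via PR_SET_PTRACER" ;;
        2) echo "admin-only: ptrace requires CAP_SYS_PTRACE" ;;
        3) echo "none: ptrace attach disabled until reboot" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Current Yama setting, or the constructed default 1 when the sysctl is unreadable.
yama_scope() {
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        cat /proc/sys/kernel/yama/ptrace_scope
    else
        echo 1
    fi
}

# sandbox_backends LIST: one line per sandbox mechanism the LSM stack supports.
sandbox_backends() {
    list=$1
    lsm_enabled landlock "$list" && echo "landlock: unprivileged path-based sandboxes (Landrun, Landlock-aware tools)"
    lsm_enabled apparmor "$list" && echo "apparmor: AppArmor profiles (Snap confinement, Firejail's optional profile)"
    lsm_enabled selinux  "$list" && echo "selinux: label-based confinement (Podman container labels)"
    lsm_enabled tomoyo   "$list" && echo "tomoyo: path-based confinement"
    lsm_enabled yama     "$list" && echo "yama: ptrace restricted, scope $(yama_scope) = $(yama_scope_meaning "$(yama_scope)")"
    return 0
}

# Report for the running host (or the sample when run without securityfs).
report() {
    lsms=$(active_lsms)
    echo "active LSMs: $lsms"
    sandbox_backends "$lsms"
    if ! lsm_enabled yama "$lsms" || [ "$(yama_scope)" -eq 0 ]; then
        echo "warning: any same-uid process can ptrace a sandboxed process and read its memory"
    fi
}

# Only run the report when executed directly, not when sourced for the functions.
case "$0" in
    *sh) ;;
    *) report ;;
esac
```

Run it as a script on a host to see which mechanisms the listed tools can rely on; the warning branch is the check worth keeping in a hardening baseline, since a sandbox that a sibling process can ptrace offers no confidentiality.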