
Bug#999551: Support Landlock by default in Debian kernels



Package: src:linux
Version: 5.14.16-1
Severity: normal
Tags: patch
X-Debbugs-Cc: landlock@lists.linux.dev

Hi,

The Landlock security feature has been built into the Debian kernel since
5.13.12-1~exp1, which is great!  However, it is not enough to enable the
CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
CONFIG_LSM option needs to be prepended with "landlock," to make Landlock
system calls available without modifying the kernel boot arguments.

Could you please apply the attached patch to make this feature more
broadly available?

This can be validated with the tests provided by the kernel sources:

fakeroot make -C tools/testing/selftests TARGETS=landlock gen_tar
tar -xf tools/testing/selftests/kselftest_install/kselftest-packages/kselftest.tar.gz
# as root:
./run_kselftest.sh

If Yama is enabled, half of the ptrace tests may fail, which is OK.

Regards,
 Mickaël
--- a/config-5.14.0-4-amd64
+++ b/config-5.14.0-4-amd64
@@ -9275,7 +9275,7 @@ CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
 
 #
 # Kernel hardening options
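
Review bot: the file this hunk targets, config-5.14.0-4-amd64, is named for a single ABI version and architecture, so the CONFIG_LSM change on the + line would cover only that one amd64 build. It should be made in the configuration the package shares across architectures and versions, so that every Debian kernel gets landlock in its default LSM list. The accompanying changelog text should also say that a machine booted with an explicit lsm= parameter overrides CONFIG_LSM and needs landlock added there as well.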

