
Bug#999551: Support Landlock by default in Debian kernels



On 12/11/2021 13:34, Yves-Alexis Perez wrote:
> Hey Mickaël, kernel team,
> 
> On Fri, 2021-11-12 at 12:23 +0100, Mickaël Salaün wrote:
>> -
>> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack
>> ,to
>> moyo"
>> +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,sel
>> in
>> ux,smack,tomoyo"
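Review bot: the added CONFIG_LSM value puts landlock first, ahead of lockdown, and nothing in the visible lines says why it is prepended rather than appended; please state the ordering rationale in the commit message. The hunk also only touches CONFIG_LSM, so confirm that CONFIG_SECURITY_LANDLOCK=y is set in the same config, since listing an LSM that is not built in has no effect.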
> 
> At first sight the change looks reasonable, but just to check: right now there
> is no userland stuff using Landlock LSM packaged in Debian? So
> nothing is currently broken by not having the above, it's just more practical
> when testing or using the feature?
> 
> (not saying we shouldn't enable it, it's just so we know what exactly we gain
> or not).

Applications using Landlock should not break if the feature is not
supported by the running kernel (best-effort security). Whether some
Debian packaged applications are using Landlock or not doesn't seem
important since users can download and run their own applications, right?
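
The best-effort behaviour described in the reply above, as an added example that is not part of the original message or of any Debian package: an application probes the Landlock ABI version and keeps running whatever the answer. EOPNOTSUPP is the case this bug is about (Landlock built but missing from CONFIG_LSM or the lsm= boot parameter); the ll_* names are hypothetical.

```c
/* Added example: best-effort Landlock probe; the ll_* names are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444 /* same number on every architecture */
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0) /* LANDLOCK_CREATE_RULESET_VERSION */

enum ll_status { LL_AVAILABLE, LL_NOT_BUILT, LL_NOT_IN_LSM_LIST, LL_PROBE_ERROR };

/* Map the probe's return value and errno to a status (pure, so testable). */
enum ll_status ll_classify(long ret, int err)
{
    if (ret >= 1) return LL_AVAILABLE;                /* ret is the ABI version */
    if (err == ENOSYS) return LL_NOT_BUILT;           /* no Landlock syscalls */
    if (err == EOPNOTSUPP) return LL_NOT_IN_LSM_LIST; /* built, not enabled */
    return LL_PROBE_ERROR;
}

/* Ask the running kernel for its Landlock ABI version; creates no ruleset. */
enum ll_status ll_probe(long *abi)
{
    errno = 0;
    *abi = syscall(__NR_landlock_create_ruleset, NULL, (size_t)0,
                   LL_CREATE_RULESET_VERSION);
    return ll_classify(*abi, errno);
}

/* Best-effort policy: 1 = go on to build a ruleset, 0 = run unsandboxed. */
int ll_should_sandbox(enum ll_status s)
{
    return s == LL_AVAILABLE;
}

int main(void)
{
    static const char *const why[] = {
        "available", "not built into this kernel",
        "built but not enabled in the LSM list", "probe failed" };
    long abi;
    enum ll_status s = ll_probe(&abi);
    fprintf(stderr, "Landlock: %s\n", why[s]);
    if (ll_should_sandbox(s))
        fprintf(stderr, "ABI version %ld, a ruleset would be applied here\n", abi);
    return 0; /* either way the application keeps running */
}
```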

