sys-kernel/coreos-modules: Enable Landlock

Landlock is a feature to create security sandboxes thanks to 3 dedicated
system calls.  They are designed to be safe to be used by any process,
which can only drop its privileges, similarly to seccomp.

The new Landlock LSM is built into the kernel (CONFIG_SECURITY_LANDLOCK=y)
but that is not enough to make it usable by default.  As a stackable LSM,
it is required to enable it at boot time with the CONFIG_LSM list.  See
https://docs.kernel.org/userspace-api/landlock.html#kernel-support

As for other stackable LSMs, prepending Landlock to the default LSM list
enables users to potentially get more protection by default by letting
programs sandbox themselves.

As a dependency, CONFIG_SECURITY_PATH=y will be automatically set.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
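As an added example (not part of this commit or of the Flatcar scripts), a C snippet that performs the kernel-support probe the linked documentation describes and then sandboxes the calling process the way the message describes: `landlock_abi_version()` distinguishes "not built in" (-ENOSYS) from "built in but missing from the boot-time LSM list" (-EOPNOTSUPP), which is the state this change fixes, and `restrict_to_readonly()` drops to read-only access below one directory. It assumes Linux UAPI headers from 5.13 or later (`linux/landlock.h`) and a glibc that defines the `SYS_landlock_*` numbers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Probe the Landlock ABI version: > 0 when usable, otherwise -errno.
 * -ENOSYS: kernel built without CONFIG_SECURITY_LANDLOCK.  -EOPNOTSUPP: built in
 * but absent from the boot-time LSM list (CONFIG_LSM / lsm=), the state this commit fixes. */
long landlock_abi_version(void)
{
    long v = syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -errno : v;
}
/* Self-sandbox: afterwards this process may only read/execute below `dir`; every
 * other handled filesystem access is denied.  ABI v1 rights only, so it works on
 * any kernel with Landlock.  Returns 0 on success, -errno on failure. */
int restrict_to_readonly(const char *dir)
{
    const __u64 read_only = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE |
                            LANDLOCK_ACCESS_FS_READ_DIR;
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = read_only |
            LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR |
            LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR |
            LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |
            LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO |
            LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM,
    };
    int ruleset_fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset_fd < 0)
        return -errno;
    struct landlock_path_beneath_attr rule = { .allowed_access = read_only };
    rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) { int e = errno; close(ruleset_fd); return -e; }
    int rc = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    int e = errno;
    close(rule.parent_fd);
    /* no_new_privs is mandatory (without CAP_SYS_ADMIN): the sandbox must not be
     * escapable through a setuid/setcap binary. */
    if (rc < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
        syscall(SYS_landlock_restrict_self, ruleset_fd, 0) < 0) {
        if (rc >= 0) e = errno;
        close(ruleset_fd);
        return -e;
    }
    close(ruleset_fd);
    return 0;
}
```

On a Flatcar image built before this change, `landlock_abi_version()` returns -EOPNOTSUPP even though the LSM is compiled in; after it, a positive ABI version.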
Mickaël Salaün 2024-07-26 12:14:40 +02:00
parent 38f9638a72
commit b2be807349
No known key found for this signature in database
GPG Key ID: E5E3D0E88C82F6D2
2 changed files with 3 additions and 1 deletions


@ -0,0 +1 @@
- The kernel security module Landlock is now enabled for programs to sandbox themselves ([flatcar/scripts#2158](https://github.com/flatcar/scripts/pull/2158))
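Review bot: the changelog entry should make clear that nothing changes for existing workloads until a program opts in: Landlock only restricts processes that call its system calls on themselves, so "enabled for programs to sandbox themselves" reads as if protection is applied automatically. Suggest "... is now enabled, so programs that use its system calls can sandbox themselves".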


@ -424,7 +424,7 @@ CONFIG_LIBFCOE=m
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOG_BUF_SHIFT=18
CONFIG_LOOPBACK_TARGET=m
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
CONFIG_LWTUNNEL=y
CONFIG_MACVLAN=m
CONFIG_MACVTAP=m
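Review bot: prepending landlock to CONFIG_LSM is the right fix for the boot-time list the message refers to, but this value is only a default that an `lsm=` kernel command-line parameter replaces outright; check that no image, bootloader or Ignition config sets `lsm=`, otherwise Landlock would silently stay disabled (create_ruleset failing with EOPNOTSUPP) despite this change.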
@ -821,6 +821,7 @@ CONFIG_SCSI_SYM53C8XX_2=m
CONFIG_SCSI_VIRTIO=m
CONFIG_SCTP_COOKIE_HMAC_SHA1=y
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_SECURITY_NETWORK=y
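Review bot: the commit message says CONFIG_SECURITY_PATH=y "will be automatically set", yet this hunk only adds CONFIG_SECURITY_LANDLOCK=y. If this file is a full .config rather than a fragment expanded by olddefconfig, the unmet dependency would cause CONFIG_SECURITY_LANDLOCK to be dropped again; either add CONFIG_SECURITY_PATH=y explicitly next to it or state in the message which step performs the expansion.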