From b2be80734949ef6ec494c72b79a6de45adaec57d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= Date: Fri, 26 Jul 2024 12:14:40 +0200 Subject: [PATCH] sys-kernel/coreos-modules: Enable Landlock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Landlock is a feature to create security sandboxes thanks to 3 dedicated system calls. They are designed to be safe to be used by any process, which can only drop their privileges, similarly to seccomp. The new Landlock LSM is built into the kernel (CONFIG_SECURITY_LANDLOCK=y) but it is not enough to make it usable by default. As a stackable LSM, it is required to enable it at boot time with the CONFIG_LSM list. See https://docs.kernel.org/userspace-api/landlock.html#kernel-support As for other stackable LSMs, prepending Landlock to the default LSM list enables users to potentially get more protection by default by letting programs sandbox themselves. As a dependency, CONFIG_SECURITY_PATH=y will be automatically set. Signed-off-by: Mickaël Salaün --- changelog/changes/2024-07-29-landlock.md | 1 + .../sys-kernel/coreos-modules/files/commonconfig-6.6 | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 changelog/changes/2024-07-29-landlock.md diff --git a/changelog/changes/2024-07-29-landlock.md b/changelog/changes/2024-07-29-landlock.md new file mode 100644 index 0000000000..3c56dcda3c --- /dev/null +++ b/changelog/changes/2024-07-29-landlock.md @@ -0,0 +1 @@ +- The kernel security module Landlock is now enabled for programs to sandbox themselves ([flatcar/scripts#2158](https://github.com/flatcar/scripts/pull/2158)) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 index c676bdc88e..285289282d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 @@ -424,7 +424,7 @@ CONFIG_LIBFCOE=m # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOG_BUF_SHIFT=18 CONFIG_LOOPBACK_TARGET=m -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" CONFIG_LWTUNNEL=y CONFIG_MACVLAN=m CONFIG_MACVTAP=m @@ -821,6 +821,7 @@ CONFIG_SCSI_SYM53C8XX_2=m CONFIG_SCSI_VIRTIO=m CONFIG_SCTP_COOKIE_HMAC_SHA1=y CONFIG_SECURITY=y +CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_SECURITY_NETWORK=y
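Review bot: The changelog entry added in changelog/changes/2024-07-29-landlock.md does not tell users that the enablement comes from the default LSM list only. CONFIG_LSM sets the built-in default, and an `lsm=` parameter on the kernel command line replaces that list, so a system booted with a custom `lsm=` value will not have Landlock active unless landlock is included there. Suggest extending the entry with a short clause saying that deployments overriding `lsm=` need to add landlock themselves.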
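Review bot: The CONFIG_LSM change in the @@ -424 hunk of commonconfig-6.6 comes with no check that a booted image actually initializes Landlock. CONFIG_LSM is a plain string, so a typo or a later reordering of this line would not break the build. Suggest adding a boot-time test that reads /sys/kernel/security/lsm and expects landlock in the list. Putting landlock first matches the "prepending" described in the commit message, so the ordering itself looks intentional.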
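Review bot: The commit message describes the Landlock LSM as already built into the kernel and only missing from the LSM list, but the @@ -821 hunk is what adds CONFIG_SECURITY_LANDLOCK=y to commonconfig-6.6. Suggest rewording the message to say the patch does both: builds the LSM and adds it to CONFIG_LSM. The message also relies on CONFIG_SECURITY_PATH=y being selected automatically, which nothing in this hunk shows; please confirm it appears in the generated config, or list it explicitly next to CONFIG_SECURITY_LANDLOCK=y so the dependency is documented in the file.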