Hello Peter,
On 3 Nov 2022, at 15:10, Peter Müller peter.mueller@ipfire.org wrote:
From the kernel's documentation:
Landlock is a sandboxing mechanism that enables processes to restrict themselves (and their future children) by gradually enforcing tailored access control policies. A Landlock security policy is a set of access rights (e.g. open a file in read-only, make a directory, etc.) tied to a file hierarchy. Such policy can be configured and enforced by any processes for themselves using the dedicated system calls: landlock_create_ruleset(), landlock_add_rule(), and landlock_restrict_self().
There is no harm in enabling this security feature, so applications supporting Landlock can benefit from it.
Agreed.
Do we know of any applications that make use of this?
-Michael
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 4 ++-- config/kernel/kernel.config.armv6l-ipfire | 4 ++-- config/kernel/kernel.config.x86_64-ipfire | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 63dc80d4a..4935dbc85 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7569,7 +7569,7 @@ CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_NETWORK is not set -# CONFIG_SECURITY_PATH is not set +CONFIG_SECURITY_PATH=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_FALLBACK=y @@ -7587,7 +7587,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set -# CONFIG_SECURITY_LANDLOCK is not set +CONFIG_SECURITY_LANDLOCK=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set # CONFIG_IMA is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 54260aec1..ad79cb22f 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7547,7 +7547,7 @@ CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_NETWORK is not set -# CONFIG_SECURITY_PATH is not set +CONFIG_SECURITY_PATH=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_FALLBACK=y @@ -7565,7 +7565,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set -# CONFIG_SECURITY_LANDLOCK is not set +CONFIG_SECURITY_LANDLOCK=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set # CONFIG_IMA is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index bb4655a99..bef0b900e 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6944,7 +6944,7 @@ CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_NETWORK is not set -# CONFIG_SECURITY_PATH is not set +CONFIG_SECURITY_PATH=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y @@ -6963,7 +6963,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set -# CONFIG_SECURITY_LANDLOCK is not set +CONFIG_SECURITY_LANDLOCK=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set
# CONFIG_IMA is not set
2.35.3