Package: src:linux
Version: 5.14.16-1
Severity: normal
Tags: patch
X-Debbugs-Cc: landl...@lists.linux.dev

Hi,

The Landlock security feature has been built into the Debian kernel since 5.13.12-1~exp1, which is great! However, it is not enough to enable the CONFIG_SECURITY_LANDLOCK option as described in the related help. The CONFIG_LSM option needs to be prepended by "landlock," to make Landlock system calls available without modifying the kernel boot arguments.

Could you please apply the attached patch to make this feature more broadly available?

This can be validated with the tests provided by the kernel sources:

  fakeroot make -C tools/testing/selftests TARGETS=landlock gen_tar
  tar -xf tools/testing/selftests/kselftest_install/kselftest-packages/kselftest.tar.gz
  # as root:
  ./run_kselftest.sh

If Yama is enabled, half of the ptrace tests may fail, which is OK.

Regards,
 Mickaël

--- a/config-5.14.0-4-amd64 +++ b/config-5.14.0-4-amd64 @@ -9275,7 +9275,7 @@ CONFIG_EVM_ATTR_FSUUID=y # CONFIG_DEFAULT_SECURITY_TOMOYO is not set CONFIG_DEFAULT_SECURITY_APPARMOR=y # CONFIG_DEFAULT_SECURITY_DAC is not set -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" # # Kernel hardening options
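Review bot: the changed CONFIG_LSM line exists only in config-5.14.0-4-amd64, so every other architecture and flavour keeps the old list; if these per-flavour files are generated from a shared configuration, the "landlock," prefix belongs there so all builds pick it up. The changelog entry should also mention that a system booted with an explicit lsm= parameter overrides CONFIG_LSM, so such systems have to add landlock to that parameter themselves.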