On 12/11/2021 13:34, Yves-Alexis Perez wrote:
> Hey Mickaël, kernel team,
>
> On Fri, 2021-11-12 at 12:23 +0100, Mickaël Salaün wrote:
>> -
>> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack
>> ,to
>> moyo"
>> +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,sel
>> in
>> ux,smack,tomoyo"
>
> At first sight the change looks reasonable, but just to check: right now there
> is no userland stuff using Landlock LSM packaged in Debian? So
> nothing is currently broken by not having the above, it's just more practical
> when testing or using the feature?
>
> (not saying we shouldn't enable it, it's just so we know what exactly we gain
> or not).

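Review bot: in the +CONFIG_LSM= line, landlock is inserted at the head of the list, ahead of lockdown, and nothing visible here says why. CONFIG_LSM is an ordered list, so the commit message should state the reason for that position instead of appending the new entry after tomoyo. The quoted value is also wrapped mid-token by the mail client (",to" / "moyo" and "sel" / "in" / "ux"), so review and apply the patch from the original message, not from this quote.
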
Applications using Landlock should not break if the feature is not supported by the running kernel (best-effort security). Whether some Debian packaged applications are using Landlock or not doesn't seem important since users can download and run their own applications, right?
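
The best-effort behaviour described in the reply above, as an added C example (not code from this thread or from the Landlock project): it queries the Landlock ABI version and tells apart a kernel built without Landlock from one where Landlock is built but missing from the boot-time LSM list, which is the case the CONFIG_LSM change addresses. The names `ll_state`, `ll_classify` and `ll_probe` are hypothetical, and the fallback syscall number 444 assumes x86-64 or arm64.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older userspace headers (assumption: x86-64 or arm64). */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

enum ll_state { LL_USABLE, LL_NOT_BUILT, LL_NOT_ENABLED, LL_ERROR };

/* Map the result of the ABI-version query to a state (hypothetical helper). */
enum ll_state ll_classify(long ret, int err)
{
    if (ret >= 1)
        return LL_USABLE;       /* ret is the Landlock ABI version */
    if (ret < 0 && err == ENOSYS)
        return LL_NOT_BUILT;    /* no CONFIG_SECURITY_LANDLOCK in this kernel */
    if (ret < 0 && err == EOPNOTSUPP)
        return LL_NOT_ENABLED;  /* built, but not in CONFIG_LSM or lsm= */
    return LL_ERROR;
}

/* Ask the running kernel for its Landlock ABI version and classify the answer. */
enum ll_state ll_probe(void)
{
    errno = 0;
    long abi = syscall(SYS_landlock_create_ruleset, NULL, 0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    return ll_classify(abi, errno);
}

int main(void)
{
    static const char *msg[] = {
        "usable, sandboxing", "not built into this kernel, continuing",
        "built but not enabled at boot, continuing", "probe failed, continuing" };
    /* Best effort: a missing Landlock is reported, never treated as fatal. */
    printf("Landlock: %s\n", msg[ll_probe()]);
    return 0;
}
```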