View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001486 | channel: kernel/el9 | --kernel--request-for-enhancement-- | public | 2024-10-09 16:10 | 2024-10-19 15:38 |
| Reporter | toracat | Assigned To | toracat | ||
| Priority | low | Severity | minor | Reproducibility | N/A |
| Status | resolved | Resolution | fixed | ||
| Summary | 0001486: Consider enabling LANDLOCK in kernel-ml and kernel-lt | ||||
| Description | This is something we may want to discuss. No one has actually made a request. A Rocky Linux user filed this request: https://bugs.rockylinux.org/view.php?id=7987 A Rocky dev (solardiz) said in their chat: "Landlock should be enabled on Rock Linux 9 and 10." which I don't think we'd do while we're bug-for-bug with RHEL. But it's a reminder for what to consider in alternative kernel builds, such as if we ever have one from SIG/Security. | ||||
| Tags | No tags attached. | ||||
|
|
kernel-ml config diff: $ diff config-6.11.2-x86_64.published config-6.11.2-x86_64 10066c10066 < # CONFIG_SECURITY_LANDLOCK is not set --- > CONFIG_SECURITY_LANDLOCK=y 10104c10104 < CONFIG_LSM="lockdown,yama,integrity,selinux,bpf" --- > CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" Build of kernel-ml-6.11.2-1landlock.el9.elrepo was successful. |
|
|
https://static.sched.com/hosted_files/osseu2024/e3/Landlock%20sandboxing.pdf (slides) <Landlock> • Pros Real access control system Dynamic security policies Embeddable in apps/services: unprivileged • Cons Scoped to a set of processes <SELinux> • Pros Real access control systems • Cons Security policy is system-wide and cannot be embedded in apps/services: complex and static configuration |
|
|
The changes will be implemented in the upcoming kernel-ml-6.11.4 and kernel-lt-6.1.113 (el9). |
|
|
In kernel-lt-6.1.112, there was an additional change: 9301c9301 < # CONFIG_SECURITY_PATH is not set --- > CONFIG_SECURITY_PATH=y 9327c9327 < # CONFIG_SECURITY_LANDLOCK is not set --- > CONFIG_SECURITY_LANDLOCK=y 9365c9365 < CONFIG_LSM="lockdown,yama,integrity,selinux,bpf" --- > CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" Note that kernel-ml has CONFIG_SECURITY_PATH=y. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-10-09 16:10 | toracat | New Issue | |
| 2024-10-09 16:10 | toracat | Status | new => assigned |
| 2024-10-09 16:10 | toracat | Assigned To | => toracat |
| 2024-10-09 18:38 | toracat | Note Added: 0010149 | |
| 2024-10-10 13:51 | toracat | Note Added: 0010150 | |
| 2024-10-14 22:01 | toracat | Note Added: 0010151 | |
| 2024-10-14 22:49 | toracat | Note Added: 0010152 | |
| 2024-10-19 15:38 | toracat | Status | assigned => resolved |
| 2024-10-19 15:38 | toracat | Resolution | open => fixed |
