kernel: Enable Landlock

Set CONFIG_SECURITY_LANDLOCK=y and enable Landlock by default at boot time with CONFIG_LSM. See https://docs.kernel.org/userspace-api/landlock.html#kernel-support Closes linuxkit#3928 Signed-off-by: Mickaël Salaün <mic@digikod.net>
l0kod · Oct 10, 2023 · 2211ba3 · 2211ba3
1 parent 5d78de4
commit 2211ba3
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/kernel/config-5.15.x-aarch64 b/kernel/config-5.15.x-aarch64
@@ -4581,7 +4581,7 @@ CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
 CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
@@ -4611,7 +4611,7 @@ CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="yama,loadpin,safesetid,integrity"
+CONFIG_LSM="landlock,yama,loadpin,safesetid,integrity"
 
 #
 # Kernel hardening options

diff --git a/kernel/config-5.15.x-x86_64 b/kernel/config-5.15.x-x86_64
@@ -4159,7 +4159,7 @@ CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
 CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
@@ -4189,7 +4189,7 @@ CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="yama,loadpin,safesetid,integrity"
+CONFIG_LSM="landlock,yama,loadpin,safesetid,integrity"
 
 #
 # Kernel hardening options