From 2211ba378f2e1a576d1427aee7e4669f69316e97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
Date: Mon, 5 Jun 2023 09:28:49 +0200
Subject: [PATCH] kernel: Enable Landlock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Set CONFIG_SECURITY_LANDLOCK=y and enable Landlock by default at boot time with CONFIG_LSM. See https://docs.kernel.org/userspace-api/landlock.html#kernel-support
Closes #3928
Signed-off-by: Mickaël Salaün
---
 kernel/config-5.15.x-aarch64 | 4 ++--
 kernel/config-5.15.x-x86_64 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/config-5.15.x-aarch64 b/kernel/config-5.15.x-aarch64
index 527045d99d..d96ee819ca 100644
--- a/kernel/config-5.15.x-aarch64
+++ b/kernel/config-5.15.x-aarch64
@@ -4581,7 +4581,7 @@ CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
 CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
@@ -4611,7 +4611,7 @@ CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="yama,loadpin,safesetid,integrity"
+CONFIG_LSM="landlock,yama,loadpin,safesetid,integrity"

 #
 # Kernel hardening options
diff --git a/kernel/config-5.15.x-x86_64 b/kernel/config-5.15.x-x86_64
index 43539b72bb..716a69aa4c 100644
--- a/kernel/config-5.15.x-x86_64
+++ b/kernel/config-5.15.x-x86_64
@@ -4159,7 +4159,7 @@ CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
 CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
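Review bot: `CONFIG_SECURITY_LANDLOCK=y` is switched on in the first aarch64 hunk, and in the matching x86_64 hunk at -4159, with no visible change to `CONFIG_SECURITY_PATH`, which the Landlock Kconfig entry selects. If either file still carries `# CONFIG_SECURITY_PATH is not set`, the build will force the option on and the committed config will no longer match what the kernel is built with; the diffstat (four changed lines in total) suggests the option was either already `=y` or the files were edited by hand rather than regenerated. I would regenerate both files with `make olddefconfig` and commit the result so that `CONFIG_SECURITY_PATH=y` is explicit. Separately, a 5.15 kernel implements only Landlock ABI version 1 (filesystem rules), which is worth stating wherever this feature is announced to users who sandbox against it.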
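Review bot: `CONFIG_LSM` only sets the default LSM list, so the `landlock` entry added in the aarch64 hunk at -4611 (and in the x86_64 hunk at -4189) takes effect only when the kernel boots without an `lsm=` parameter; a command line that passes `lsm=` replaces the whole list and would leave Landlock built in but inactive. Nothing in the commit checks the outcome at boot. I would add a boot-time check that `landlock` appears in `/sys/kernel/security/lsm`, and a documentation comment along the lines of `# any lsm= on the kernel command line must include landlock`. The list also still names `safesetid` although the first hunk's context shows `# CONFIG_SECURITY_SAFESETID is not set`, so that entry is ignored; this predates the commit.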
@@ -4189,7 +4189,7 @@ CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_EVM_ADD_XATTRS is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="yama,loadpin,safesetid,integrity"
+CONFIG_LSM="landlock,yama,loadpin,safesetid,integrity"

 #
 # Kernel hardening options