Message ID | 20211203185226.1957311-2-mic@digikod.net |
---|---|
State | New |
Headers | show |
Series | Enable Landlock by default | expand |
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 912871ce8fde..0e26e7846024 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -5702,7 +5702,7 @@ CONFIG_LPARCFG=y # CONFIG_LP_CONSOLE is not set CONFIG_LRU_CACHE=m CONFIG_LSI_ET1011C_PHY=m -CONFIG_LSM="lockdown,yama,integrity,apparmor" +CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor" CONFIG_LSM_MMAP_MIN_ADDR=0 CONFIG_LS_EXTIRQ=y CONFIG_LS_SCFG_MSI=y
BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1953192 Landlock is a feature to create security sandboxes thanks to 3 new dedicated system calls. They are designed to be safe to used by any processes, which can only drop their privileges, similarly to seccomp. The new Landlock LSM is build in the kernel (CONFIG_SECURITY_LANDLOCK=y) but it is not enough to make it usable by default. As a stackable LSM, it is required to enable it at boot time, either with the "lsm=" boot argument, or with the CONFIG_LSM list (as described in the kernel documentation). As for other stackable LSMs, prepending Landlock to the default LSM list enables users to potentially get more protection by default by letting applications sandbox themselves. Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20211203185226.1957311-2-mic@digikod.net --- debian.master/config/config.common.ubuntu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)