From patchwork Fri Dec 3 18:52:26 2021
X-Patchwork-Submitter: Mickaël Salaün
X-Patchwork-Id: 1564573
From: Mickaël Salaün
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v1 1/1] UBUNTU: [Config] Enable Landlock by default
Date: Fri, 3 Dec 2021 19:52:26 +0100
Message-Id: <20211203185226.1957311-2-mic@digikod.net>
In-Reply-To: <20211203185226.1957311-1-mic@digikod.net>
References: <20211203185226.1957311-1-mic@digikod.net>
Cc: Mickaël Salaün, landlock@lists.linux.dev, Tyler Hicks

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1953192

Landlock is a feature to create security sandboxes thanks to 3 new dedicated system calls. They are designed to be safe to be used by any process, which can only drop their privileges, similarly to seccomp.

The new Landlock LSM is built in the kernel (CONFIG_SECURITY_LANDLOCK=y) but it is not enough to make it usable by default. As a stackable LSM, it is required to enable it at boot time, either with the "lsm=" boot argument, or with the CONFIG_LSM list (as described in the kernel documentation).

As for other stackable LSMs, prepending Landlock to the default LSM list enables users to potentially get more protection by default by letting applications sandbox themselves.

Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20211203185226.1957311-2-mic@digikod.net
---
 debian.master/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 912871ce8fde..0e26e7846024 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -5702,7 +5702,7 @@ CONFIG_LPARCFG=y # CONFIG_LP_CONSOLE is not set CONFIG_LRU_CACHE=m CONFIG_LSI_ET1011C_PHY=m -CONFIG_LSM="lockdown,yama,integrity,apparmor" +CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor" CONFIG_LSM_MMAP_MIN_ADDR=0 CONFIG_LS_EXTIRQ=y CONFIG_LS_SCFG_MSI=y
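Review bot: the hunk only prepends "landlock" to the CONFIG_LSM string, while the commit message relies on CONFIG_SECURITY_LANDLOCK=y already being set; nothing in the diff shows that, so it would help to say in the message where that option is set (or include the corresponding config change) so the two stay consistent, and to confirm the edit was made through the config regeneration path rather than by hand, since config.common.ubuntu is a generated common file. It is also worth stating explicitly that because Landlock only restricts a process that opts in through its own system calls, the new default changes nothing for existing workloads until an application calls them.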
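As an added example (written for this page, not part of the patch or the Landlock project), the following user-space probe tells apart the two states the commit message describes: a kernel with Landlock not built at all, and one where it is built in but missing from the active LSM list. It assumes a Linux kernel; the syscall number and flag are defined as fallbacks for systems without <linux/landlock.h>.

```c
/* Probe Landlock availability via landlock_create_ruleset() with the
 * LANDLOCK_CREATE_RULESET_VERSION flag, which returns the ABI version when
 * Landlock is active and an errno otherwise. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444   /* fallback: same number on all architectures */
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

enum landlock_state { LL_ENABLED, LL_NOT_BUILT, LL_DISABLED_AT_BOOT, LL_UNKNOWN };

/* Map a syscall result to a state (hypothetical helper for this example).
 * ret >= 0   : highest supported ABI version, Landlock is active.
 * ENOSYS     : the kernel has no Landlock (CONFIG_SECURITY_LANDLOCK unset).
 * EOPNOTSUPP : built in, but not enabled at boot (absent from CONFIG_LSM / lsm=). */
enum landlock_state classify(long ret, int err)
{
    if (ret >= 0)
        return LL_ENABLED;
    switch (err) {
    case ENOSYS:     return LL_NOT_BUILT;
    case EOPNOTSUPP: return LL_DISABLED_AT_BOOT;
    default:         return LL_UNKNOWN;
    }
}

/* Query the running kernel; *abi_out receives the ABI version when enabled. */
enum landlock_state landlock_probe(long *abi_out)
{
    long ret = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    if (abi_out)
        *abi_out = ret;
    return classify(ret, ret < 0 ? errno : 0);
}

int main(void)
{
    long abi;
    switch (landlock_probe(&abi)) {
    case LL_ENABLED:          printf("Landlock enabled, ABI v%ld\n", abi); break;
    case LL_NOT_BUILT:        puts("Landlock not built into this kernel (CONFIG_SECURITY_LANDLOCK)"); break;
    case LL_DISABLED_AT_BOOT: puts("Landlock built but not enabled: add it to CONFIG_LSM or lsm="); break;
    default:                  puts("unexpected error from landlock_create_ruleset"); break;
    }
    return 0;
}
```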