Landlock LSM user space discussions
From: "Mickaël Salaün" <mic@digikod.net>
To: Andrea Righi <andrea.righi@canonical.com>
Cc: kernel-team@lists.ubuntu.com, Tyler Hicks <code@tyhicks.com>,
	landlock@lists.linux.dev
Subject: Re: APPLIED[J]: [PATCH v1 0/1] Enable Landlock by default
Date: Wed, 22 Dec 2021 13:06:03 +0100
Message-ID: <5ea7940a-ea59-d930-1e5b-8d839209fb5a@digikod.net>
In-Reply-To: <YboEZixLVr2BnUX5@arighi-desktop>


On 15/12/2021 16:06, Andrea Righi wrote:
> On Fri, Dec 03, 2021 at 07:52:25PM +0100, Mickaël Salaün wrote:
>> Hi,
>>
>> The Landlock security feature has been built into the Ubuntu kernel since 5.13, which
>> is great!  However, it is not enough to enable the
>> CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
>> CONFIG_LSM option needs to be prepended by "landlock," to make Landlock
>> system calls available without modifying the kernel boot arguments.
>>
>> Could you please apply the attached patch to make this feature more
>> broadly available?
>>
>> This can be validated with the tests provided by the kernel sources:
>>
>> fakeroot make -C tools/testing/selftests TARGETS=landlock gen_tar
>> tar -xf tools/testing/selftests/kselftest_install/kselftest-packages/kselftest.tar.gz
>> # as root:
>> ./run_kselftest.sh
>>
>> If Yama is enabled, half of the ptrace tests may fail, which is OK.
>>
>> Regards,
>>
>> Mickaël Salaün (1):
>>    UBUNTU: [Config] Enable Landlock by default
> 
> It makes sense to enable this security feature by default to me, it's
> also what upstream is doing.
> 
> Applied to jammy:linux (with an additional change to update CONFIG_LSM
> in debian.master/config/annotations).
> 
> Thanks,
> -Andrea
> 

Thanks Andrea!
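
A runtime check for the situation described in the quoted request, as an added example that is not part of the original thread: it calls landlock_create_ruleset(2) with LANDLOCK_CREATE_RULESET_VERSION and tells a kernel built without Landlock (ENOSYS) apart from one where Landlock is built but missing from the LSM list (EOPNOTSUPP). The names ll_classify and ll_probe are hypothetical, and the fallback syscall number 444 is an assumption that holds for x86-64 and the asm-generic architectures.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* UAPI values, defined here so the file also builds against old headers. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444 /* assumed: x86-64 and asm-generic */
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

enum ll_state { LL_ENABLED, LL_NOT_BUILT, LL_NOT_IN_LSM_LIST, LL_UNKNOWN };

/* Map the syscall result to a state (hypothetical helper for this example). */
enum ll_state ll_classify(long ret, int err)
{
    if (ret >= 1)
        return LL_ENABLED;          /* ret is the Landlock ABI version */
    if (ret < 0 && err == ENOSYS)
        return LL_NOT_BUILT;        /* CONFIG_SECURITY_LANDLOCK is not set */
    if (ret < 0 && err == EOPNOTSUPP)
        return LL_NOT_IN_LSM_LIST;  /* built, but absent from CONFIG_LSM / lsm= */
    return LL_UNKNOWN;              /* e.g. blocked by a seccomp filter */
}

/* Ask the running kernel; *abi receives the raw return value. */
enum ll_state ll_probe(long *abi)
{
    errno = 0;
    long ret = syscall(__NR_landlock_create_ruleset, NULL, 0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    int err = errno;
    if (abi)
        *abi = ret;
    return ll_classify(ret, err);
}

int main(void)
{
    static const char *const msg[] = { "enabled", "not built into this kernel",
        "built, but \"landlock\" is not in the LSM list", "unexpected result" };
    long abi = 0;
    enum ll_state s = ll_probe(&abi);
    printf("Landlock: %s (syscall returned %ld)\n", msg[s], abi);
    return s == LL_ENABLED ? 0 : 1;
}
```

On a kernel with CONFIG_SECURITY_LANDLOCK=y but without "landlock" in CONFIG_LSM or the lsm= boot parameter, this reports the LL_NOT_IN_LSM_LIST case.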

Thread overview: 3+ messages
2021-12-03 18:52 [PATCH v1 0/1] Enable Landlock by default Mickaël Salaün
2021-12-03 18:52 ` [PATCH v1 1/1] UBUNTU: [Config] " Mickaël Salaün
     [not found] ` <YboEZixLVr2BnUX5@arighi-desktop>
2021-12-22 12:06   ` Mickaël Salaün [this message]
