Enable Landlock #2158
Conversation
Test failures look expected right now.
This is a bug in the test runner right now:
Build action triggered: https://github.com/flatcar/scripts/actions/runs/10144713034
@@ -0,0 +1 @@ | |||
- Landlock is now enabled for programs to sandbox themselves. |
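Review bot: the one-line changelog entry does not say what was enabled or where; it reads as if a userspace feature was switched on. Name it as the Linux kernel's Landlock LSM (added to the kernel's CONFIG_LSM list, per the commit message), say that programs opt in by sandboxing themselves so no configuration is needed on the user's side, and end the line with a reference to this PR, as the reviewer below asks, so readers can trace the kernel config change.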
Can you please add a PR ref here similar to 7d4917d#diff-b1db1840bbe6435ffd261eeff937e5e0ade3e082a99ed9dff6affc044b92a22dR1? Also, I would suggest adding some context: Linux kernel security module 'landlock' is now enabled for programs to be able to sandbox themselves ([flatcar/scripts#2158](https://github.com/flatcar/scripts/pull/2158))
I verified the image changes and it seems that the make config + defconfig also enabled
That's indeed an automatic dependency. I'll update the commit message.
1d2d53e to aa1c948
Landlock is a feature to create security sandboxes thanks to 3 dedicated system calls. They are designed to be safe to use by any process, which can only drop its privileges, similarly to seccomp.

The new Landlock LSM is built in the kernel (CONFIG_SECURITY_LANDLOCK=y) but it is not enough to make it usable by default. As a stackable LSM, it is required to enable it at boot time with the CONFIG_LSM list. See https://docs.kernel.org/userspace-api/landlock.html#kernel-support

As for other stackable LSMs, prepending Landlock to the default LSM list enables users to potentially get more protection by default by letting programs sandbox themselves.

As a dependency, CONFIG_SECURITY_PATH=y will be automatically set.

Signed-off-by: Mickaël Salaün <[email protected]>
Thanks!
Enable Landlock
Landlock is a feature to create security sandboxes thanks to 3 dedicated system calls. They are designed to be safe to use by any process, which can only drop its privileges, similarly to seccomp.
The new Landlock LSM is built in the kernel (CONFIG_SECURITY_LANDLOCK=y) but it is not enough to make it usable by default. As a stackable LSM, it is required to enable it at boot time with the CONFIG_LSM list. See https://docs.kernel.org/userspace-api/landlock.html#kernel-support
As for other stackable LSMs, prepending Landlock to the default LSM list enables users to potentially get more protection by default by letting programs sandbox themselves.
Landlock is already enabled by default on Ubuntu 22.04 LTS, Fedora 35, Arch Linux, Alpine Linux, Gentoo, Debian, chromeOS, Azure Linux, WSL2, and more.
How to use
The full test suite is available in the kernel source code.
Alternatively, the sandboxer can be used to easily test Landlock.
Because the goal of sandboxing is to be seamlessly integrated in applications/services and work in a best-effort mode, no specific user space configuration should be needed to leverage Landlock.
Backport
After some time, it would be good to backport this configuration down to the 5.15 kernel to protect users as much as possible.
Testing done
I ran the sort_config.sh script and tested the configuration with a vanilla kernel (not a Flatcar system). It should be tested by someone with knowledge of the Flatcar SDK though.

- changelog/ directory (user-facing change, bug fix, security fix, update)
- /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
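The mechanism the description above relies on, shown as an added example that is not part of flatcar/scripts, the kernel's sandboxer sample or its test suite: a C program that sandboxes itself with the three Landlock system calls and then checks that the restriction really took effect. It queries the ABI version first, so on a kernel where Landlock is not built in (ENOSYS), or is built in but missing from the CONFIG_LSM list (EOPNOTSUPP, the situation this PR fixes), it reports that instead of failing, which is the best-effort behaviour the "How to use" section describes. The read-only tree (/), the probe path ./landlock-probe.tmp, the enum and the function names are choices made for this example; the UAPI constants are copied from uapi/linux/landlock.h so the file builds without recent kernel headers.

```c
/* Added example, not from flatcar/scripts or the kernel's sandboxer sample:
 * sandbox this process with the three Landlock syscalls, then verify it worked. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Minimal copies of uapi/linux/landlock.h so this builds on older headers.
 * Syscall numbers 444-446 are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH   1
#define LANDLOCK_ACCESS_FS_EXECUTE   (1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR  (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REFER     (1ULL << 13) /* ABI 2 */
#define LANDLOCK_ACCESS_FS_TRUNCATE  (1ULL << 14) /* ABI 3 */
#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* ABI 5 */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
enum probe { PROBE_DENIED = 0, PROBE_ALLOWED, PROBE_NOT_BUILT, PROBE_NOT_ENABLED, PROBE_ERROR };

/* Every file-system right the running kernel knows: handling all of them makes the
 * ruleset deny-by-default, while naming one newer than the kernel's ABI makes
 * landlock_create_ruleset() fail with EINVAL (ABI 4 added only network rights). */
uint64_t handled_fs_for_abi(int abi)
{
	uint64_t rights = (1ULL << 13) - 1; /* ABI 1: EXECUTE .. MAKE_SYM */
	if (abi >= 2) rights |= LANDLOCK_ACCESS_FS_REFER;
	if (abi >= 3) rights |= LANDLOCK_ACCESS_FS_TRUNCATE;
	if (abi >= 5) rights |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
	return rights;
}

/* ABI version or -errno. ENOSYS: CONFIG_SECURITY_LANDLOCK=n. EOPNOTSUPP: built
 * in but "landlock" is not in CONFIG_LSM (or lsm=), the case this PR fixes. */
int landlock_abi(void)
{
	long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	return v < 0 ? -errno : (int)v;
}

/* Child: allow only read/execute beneath ro_root, then try to create `outside`. */
static void restrict_and_probe(const char *ro_root, const char *outside)
{
	int abi = landlock_abi();
	if (abi < 0)
		_exit(abi == -ENOSYS ? PROBE_NOT_BUILT : abi == -EOPNOTSUPP ? PROBE_NOT_ENABLED : PROBE_ERROR);
	struct landlock_ruleset_attr rs = { .handled_access_fs = handled_fs_for_abi(abi) };
	int ruleset = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
	struct landlock_path_beneath_attr rule = {
		.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
		.parent_fd = open(ro_root, O_PATH | O_CLOEXEC),
	};
	if (ruleset < 0 || rule.parent_fd < 0 ||
	    syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0))
		_exit(PROBE_ERROR);
	close(rule.parent_fd);
	/* no_new_privs is mandatory without CAP_SYS_ADMIN so a sandboxed process cannot
	 * regain rights via setuid binaries; restrict_self is irreversible and inherited
	 * by children, hence the fork in sandbox_probe(). */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, ruleset, 0))
		_exit(PROBE_ERROR);
	close(ruleset);
	int fd = open(outside, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd < 0) _exit(errno == EACCES ? PROBE_DENIED : PROBE_ERROR);
	close(fd); unlink(outside);
	_exit(PROBE_ALLOWED);
}

/* Parent: prove `outside` is creatable without Landlock first, so a denial is the
 * sandbox and not a read-only file system; then run the probe in a child. */
int sandbox_probe(const char *ro_root, const char *outside)
{
	int fd = open(outside, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd < 0) return PROBE_ERROR;
	close(fd); unlink(outside);
	pid_t pid = fork();
	if (pid < 0) return PROBE_ERROR;
	if (pid == 0) restrict_and_probe(ro_root, outside);
	int status;
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
	return WEXITSTATUS(status);
}

int main(void)
{
	static const char *const verdict[] = { "denied, sandbox works", "ALLOWED, sandbox ineffective",
		"not built in (ENOSYS)", "built but not in CONFIG_LSM (EOPNOTSUPP)", "error" };
	int r = sandbox_probe("/", "./landlock-probe.tmp");
	printf("Landlock ABI %d; file creation outside the read-only tree: %s\n", landlock_abi(), verdict[r]);
	return r == PROBE_DENIED ? 0 : 1;
}
```

On an image built with this change the program should print the ABI version and "denied, sandbox works"; on a kernel that has CONFIG_SECURITY_LANDLOCK=y but no landlock in CONFIG_LSM it prints the EOPNOTSUPP verdict, which is a quicker check that the config change took effect than running the kernel's full test suite. The probe runs in a forked child because landlock_restrict_self() cannot be undone for the calling process.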