From the kernel's documentation:
> Landlock is a sandboxing mechanism that enables processes to restrict
> themselves (and their future children) by gradually enforcing
> tailored access control policies. A Landlock security policy is a
> set of access rights (e.g. open a file in read-only, make a
> directory, etc.) tied to a file hierarchy. Such policy can be
> configured and enforced by any processes for themselves using the
> dedicated system calls: landlock_create_ruleset(),
> landlock_add_rule(), and landlock_restrict_self().
There is no harm in enabling this security feature, so applications
supporting Landlock can benefit from it.
Rolled forward from https://patchwork.ipfire.org/project/ipfire/patch/
d7ac0caf-5a7c-bcca-6293-
16c773523942@ipfire.org/
to submit all kernel-related changes as a single patchset.
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
-# CONFIG_SECURITY_PATH is not set
+CONFIG_SECURITY_PATH=y
# CONFIG_INTEL_TXT is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
# CONFIG_IMA is not set