linux: Enable Landlock support

From the kernel's documentation:

> Landlock is a sandboxing mechanism that enables processes to restrict
> themselves (and their future children) by gradually enforcing
> tailored access control policies. A Landlock security policy is a
> set of access rights (e.g. open a file in read-only, make a
> directory, etc.) tied to a file hierarchy. Such policy can be
> configured and enforced by any processes for themselves using the
> dedicated system calls: landlock_create_ruleset(),
> landlock_add_rule(), and landlock_restrict_self().

There is no harm in enabling this security feature, so applications
supporting Landlock can benefit from it.

Rolled forward from https://patchwork.ipfire.org/project/ipfire/patch/d7ac0caf-5a7c-bcca-6293-16c773523942@ipfire.org/
to submit all kernel-related changes as a single patchset.

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 71f40ddc639a7f633be8da855651d33e769c0423..50df315b11a2393a7c168e6ea10e911529f82964 100644 (file)
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6884,7 +6884,7 @@ CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_NETWORK is not set
-# CONFIG_SECURITY_PATH is not set
+CONFIG_SECURITY_PATH=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 CONFIG_HARDENED_USERCOPY=y
@@ -6903,7 +6903,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
 # CONFIG_IMA is not set