Bug#999551: Support Landlock by default in Debian kernels

All of lore.kernel.org
 help / color / mirror / Atom feed

* Bug#999551: Support Landlock by default in Debian kernels
@ 2021-11-12 11:23 ` Mickaël Salaün
  0 siblings, 0 replies; 6+ messages in thread
From: Mickaël Salaün @ 2021-11-12 11:23 UTC (permalink / raw)
  To: Debian Bug Tracking System; +Cc: landlock, Yves-Alexis Perez

[-- Attachment #1: Type: text/plain, Size: 889 bytes --]

Package: src:linux
Version: 5.14.16-1
Severity: normal
Tags: patch
X-Debbugs-Cc: landlock@lists.linux.dev

Hi,

The Landlock security feature is built in Debian kernel since
5.13.12-1~exp1 which is great!  However, it is not enough to enable the
CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
CONFIG_LSM option needs to be prepended by "landlock," to make Landlock
system calls available without modifying the kernel boot arguments.

Could you please apply the attached patch to make this feature more
broadly available?

This can be validated with the tests provided by the kernel sources:

fakeroot make -C tools/testing/selftests TARGETS=landlock gen_tar
tar -xf
tools/testing/selftests/kselftest_install/kselftest-packages/kselftest.tar.gz
# as root:
./run_kselftest.sh

If Yama is enabled, half of the ptrace tests may failed, which is OK.

Regards,
 Mickaël

[-- Attachment #2: config-5.14.0-4-amd64-with-landlock.patch --]
[-- Type: text/plain, Size: 441 bytes --]

--- a/config-5.14.0-4-amd64
+++ b/config-5.14.0-4-amd64
@@ -9275,7 +9275,7 @@ CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"

 #
 # Kernel hardening options

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Support Landlock by default in Debian kernels
@ 2021-11-12 11:23 ` Mickaël Salaün
  0 siblings, 0 replies; 6+ messages in thread
From: Mickaël Salaün @ 2021-11-12 11:23 UTC (permalink / raw)
  To: Debian Bug Tracking System; +Cc: landlock, Yves-Alexis Perez

[-- Attachment #1: Type: text/plain, Size: 889 bytes --]

Package: src:linux
Version: 5.14.16-1
Severity: normal
Tags: patch
X-Debbugs-Cc: landlock@lists.linux.dev

Hi,

The Landlock security feature is built in Debian kernel since
5.13.12-1~exp1 which is great!  However, it is not enough to enable the
CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
CONFIG_LSM option needs to be prepended by "landlock," to make Landlock
system calls available without modifying the kernel boot arguments.

Could you please apply the attached patch to make this feature more
broadly available?

This can be validated with the tests provided by the kernel sources:

fakeroot make -C tools/testing/selftests TARGETS=landlock gen_tar
tar -xf
tools/testing/selftests/kselftest_install/kselftest-packages/kselftest.tar.gz
# as root:
./run_kselftest.sh

If Yama is enabled, half of the ptrace tests may failed, which is OK.

Regards,
 Mickaël

[-- Attachment #2: config-5.14.0-4-amd64-with-landlock.patch --]
[-- Type: text/plain, Size: 441 bytes --]

--- a/config-5.14.0-4-amd64
+++ b/config-5.14.0-4-amd64
@@ -9275,7 +9275,7 @@ CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"

 #
 # Kernel hardening options

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Bug#999551: Support Landlock by default in Debian kernels
  2021-11-12 11:23 ` Mickaël Salaün
  (?)
@ 2021-11-12 12:34 ` Yves-Alexis Perez
  2021-11-12 13:40   ` Mickaël Salaün
  -1 siblings, 1 reply; 6+ messages in thread
From: Yves-Alexis Perez @ 2021-11-12 12:34 UTC (permalink / raw)
  To: Mickaël Salaün, 999551; +Cc: landlock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey Mickaël, kernel team,

On Fri, 2021-11-12 at 12:23 +0100, Mickaël Salaün wrote:
> -
> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack
> ,to
> moyo"
> +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,sel
> in
> ux,smack,tomoyo"
>   
At first sight the change looks reasonable, but just to check: right now there
is there is no userland stuff using Landlock LSM packaged in Debian? So
nothing is currently broken by not having the above, it's just more practical
when testing or using the feature?

(not saying we shouldn't enable it, it's just so we know what exactly we gain
or not).

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmGOX14ACgkQ3rYcyPpX
RFuWRQf7B96Z1IoKkm7qbHswja4TmPuM2cJcBzXJLX0t591MO2D/GdAS08w+/kTL
ALUJSXKiDvcC9AmzKD4tFszs13NJwSXlhUB4sflqLk2TBltDEhSdlVSwAw2UGHxx
/NJRqH7nMWvMeghO/SLkaoXDEOAIQUR75cyQs1/oQIcfmYx+A68cr0DarEJKWUM8
SrLWTvY90IKKyBwKEY3hT/qFtb+YhPRp76tykT0J25b55EmkPO/f3p5vz+uUBG+N
WaKS+KKI1D4XubcmOOfa09XMh1OnZ1u3Jd6WZopcB7G2I18j/ejDXiz1pPDC7BrF
7nh/V2L7YRv0r4ppP5QwglLgRF5SOQ==
=xSao
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Bug#999551: Support Landlock by default in Debian kernels
  2021-11-12 11:23 ` Mickaël Salaün
  (?)
  (?)
@ 2021-11-12 12:45 ` Bastian Blank
  2021-11-12 13:36   ` Mickaël Salaün
  -1 siblings, 1 reply; 6+ messages in thread
From: Bastian Blank @ 2021-11-12 12:45 UTC (permalink / raw)
  To: Mickaël Salaün, 999551; +Cc: landlock, Yves-Alexis Perez

Control: tag -1 wontfix

On Fri, Nov 12, 2021 at 12:23:13PM +0100, Mickaël Salaün wrote:
> The Landlock security feature is built in Debian kernel since
> 5.13.12-1~exp1 which is great!  However, it is not enough to enable the
> CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
> CONFIG_LSM option needs to be prepended by "landlock," to make Landlock
> system calls available without modifying the kernel boot arguments.

It was left out of this list by team decision, as is e.g. bpf.  So not
right now.

Bastian

-- 
Military secrets are the most fleeting of all.
		-- Spock, "The Enterprise Incident", stardate 5027.4

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Bug#999551: Support Landlock by default in Debian kernels
  2021-11-12 12:45 ` Bastian Blank
@ 2021-11-12 13:36   ` Mickaël Salaün
  0 siblings, 0 replies; 6+ messages in thread
From: Mickaël Salaün @ 2021-11-12 13:36 UTC (permalink / raw)
  To: Bastian Blank, 999551, landlock, Yves-Alexis Perez

On 12/11/2021 13:45, Bastian Blank wrote:
> Control: tag -1 wontfix
> 
> On Fri, Nov 12, 2021 at 12:23:13PM +0100, Mickaël Salaün wrote:
>> The Landlock security feature is built in Debian kernel since
>> 5.13.12-1~exp1 which is great!  However, it is not enough to enable the
>> CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
>> CONFIG_LSM option needs to be prepended by "landlock," to make Landlock
>> system calls available without modifying the kernel boot arguments.
> 
> It was left out of this list by team decision, as is e.g. bpf.  So not
> right now.

Could we know the reason? FYI, Landlock is enabled by default at least
in Arch and Fedora (and then Gentoo according to selected configuration).

BPF-LSM is very specific and would require privileged services to manage
it. However, Landlock brings new security features (like seccomp) and
would then benefit potentially all Debian applications. It is designed
from the beginning to be safely usable by all users, including
unprivileged ones.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Bug#999551: Support Landlock by default in Debian kernels
  2021-11-12 12:34 ` Bug#999551: " Yves-Alexis Perez
@ 2021-11-12 13:40   ` Mickaël Salaün
  0 siblings, 0 replies; 6+ messages in thread
From: Mickaël Salaün @ 2021-11-12 13:40 UTC (permalink / raw)
  To: Yves-Alexis Perez, 999551; +Cc: landlock


On 12/11/2021 13:34, Yves-Alexis Perez wrote:
> Hey Mickaël, kernel team,
> 
> On Fri, 2021-11-12 at 12:23 +0100, Mickaël Salaün wrote:
>> -
>> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack
>> ,to
>> moyo"
>> +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,sel
>> in
>> ux,smack,tomoyo"
> 
> At first sight the change looks reasonable, but just to check: right now there
> is there is no userland stuff using Landlock LSM packaged in Debian? So
> nothing is currently broken by not having the above, it's just more practical
> when testing or using the feature?
> 
> (not saying we shouldn't enable it, it's just so we know what exactly we gain
> or not).

Applications using Landlock should not break if the feature is not
supported by the running kernel (best-effort security). Whether some
Debian packaged applications are using Landlock or not doesn't seem
important since users can download and run their own applications, right?

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-11-12 14:55 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-12 11:23 Bug#999551: Support Landlock by default in Debian kernels Mickaël Salaün
2021-11-12 11:23 ` Mickaël Salaün
2021-11-12 12:34 ` Bug#999551: " Yves-Alexis Perez
2021-11-12 13:40   ` Mickaël Salaün
2021-11-12 12:45 ` Bastian Blank
2021-11-12 13:36   ` Mickaël Salaün

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.