
Add support for Landlock #3929

Open

wants to merge 2 commits into base: master

Conversation

l0kod
Contributor

@l0kod l0kod commented Jun 5, 2023

As explained in #3928, enable the Landlock LSM by default for 5.15 kernels.

Remove old experimental patches.

@l0kod
Contributor Author

l0kod commented Jun 5, 2023

I'm not sure what is tested, but I don't see any mention of Landlock in the kernel boot log. We should see landlock: Up and running.

@deitch
Collaborator

deitch commented Jun 16, 2023

A bit delayed in responding.

I am not surprised. It doesn't look like the kernel was built, or that any of the tests were updated to use the new hash. See for example here. That linuxkit/kernel:5.15.27 is out already. It isn't forcing an overwrite.

I think you would need to ensure a new kernel is built, and update the tags in the tests.

We build the linuxkit binary with each CI run here, and all packages here (although it recognizes ones that already exist), but nothing automatically rebuilds kernels with each CI run.

The kernel build process is documented here, although, again @rn really is the expert.

Normally we use update-component-sha.sh to update packages, so if you actually had a new kernel with a new tag, then you could update it, but it would affect everything beginning with linuxkit/kernel, which probably isn't what you want.

Again, deferring to @rn (and I don't have time to track this down extensively), but it is something like:

  1. Build the kernel (and possibly push it out with a new tag)
  2. Update tests

Given that we only have, e.g. 5.15.27 and nothing sub to that, unlike the regular packages, it might be easiest to just roll this into a new kernel version, even a patch version. Linux is well ahead of 5.15.27, so that should be easy enough.

@l0kod l0kod force-pushed the landlock branch 4 times, most recently from da2f60d to a2f2b5b on June 16, 2023 17:16
@l0kod
Contributor Author

l0kod commented Jun 16, 2023

OK, indeed I cannot do anything more. I rebased it anyway.

@deitch
Collaborator

deitch commented Jun 27, 2023

I would like to help, but I am likely a bit lost. @rn is needed for this.

Set CONFIG_SECURITY_LANDLOCK=y and enable Landlock by default at boot
time with CONFIG_LSM.

See https://docs.kernel.org/userspace-api/landlock.html#kernel-support

Closes linuxkit#3928

Signed-off-by: Mickaël Salaün <mic@digikod.net>

Now that Landlock is in mainline and enabled with the previous commit,
we can remove these old patches.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
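As an added example (not code from this PR, its commits, or the linuxkit project), here is a small POSIX shell check a maintainer could run against a built kernel's config and boot log to confirm the two properties the first commit message describes: CONFIG_SECURITY_LANDLOCK=y builds the LSM, and listing it in CONFIG_LSM enables it at boot, which is what produces the "landlock: Up and running." line l0kod looked for in the boot log. The function names are my own, and the config and log files are constructed samples embedded in the script, not real linuxkit artifacts.

```shell
#!/bin/sh
# Added example, not part of the linuxkit PR or project: check that a kernel
# config enables Landlock as the commit message describes, and that the boot
# log confirms the LSM came up. Function names and sample files are my own.
set -e

# landlock_config_ok CONFIG_FILE
# Returns 0 when the kernel config both builds Landlock
# (CONFIG_SECURITY_LANDLOCK=y) and lists it in the boot-time LSM order
# (CONFIG_LSM). Building it alone is not enough: an LSM missing from
# CONFIG_LSM stays disabled unless lsm= on the kernel command line adds it.
landlock_config_ok() {
    cfg="$1"
    grep -qx 'CONFIG_SECURITY_LANDLOCK=y' "$cfg" || return 1
    lsm_line=$(grep '^CONFIG_LSM=' "$cfg") || return 1
    # Strip the key and the surrounding double quotes, leaving the comma list.
    lsm_list=$(printf '%s' "${lsm_line#CONFIG_LSM=}" | tr -d '"')
    case ",$lsm_list," in
        *,landlock,*) return 0 ;;
        *) return 1 ;;
    esac
}

# landlock_boot_ok DMESG_FILE
# Returns 0 when the boot log contains the line Landlock prints at init,
# which is the runtime confirmation that the config actually took effect.
landlock_boot_ok() {
    grep -q 'landlock: Up and running' "$1"
}

# Constructed sample inputs (not real linuxkit artifacts).
tmpdir=$(mktemp -d)

cat > "$tmpdir/landlock.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor"
EOF

# Built, but left out of the boot-time LSM list: stays disabled.
cat > "$tmpdir/built-only.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor"
EOF

cat > "$tmpdir/old.config" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor"
EOF

cat > "$tmpdir/landlock.dmesg" <<'EOF'
[    0.000000] Linux version 5.15.x (constructed sample boot log)
[    0.011000] LSM: Security Framework initializing
[    0.011100] landlock: Up and running.
[    0.011200] Yama: becoming mindful.
EOF

cat > "$tmpdir/old.dmesg" <<'EOF'
[    0.000000] Linux version 5.15.x (constructed sample boot log)
[    0.011000] LSM: Security Framework initializing
[    0.011200] Yama: becoming mindful.
EOF

# Stand-alone run: report each sample. On a real machine use
#   zcat /proc/config.gz > cfg && dmesg > log
# and pass those paths to the two functions instead.
for cfg in landlock built-only old; do
    if landlock_config_ok "$tmpdir/$cfg.config"; then
        echo "$cfg.config: Landlock built and enabled in CONFIG_LSM"
    else
        echo "$cfg.config: Landlock not enabled"
    fi
done
for log in landlock old; do
    if landlock_boot_ok "$tmpdir/$log.dmesg"; then
        echo "$log.dmesg: landlock reported running"
    else
        echo "$log.dmesg: no landlock init message"
    fi
done
```

The boot-log check is the one to trust when the two disagree: the lsm= kernel command-line parameter overrides the CONFIG_LSM order, so a config that looks right can still boot without Landlock, and a CI test that only inspects the kernel image's config would not notice.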
@l0kod
Contributor Author

l0kod commented Oct 10, 2023

I rebased and all tests passed. Gentle ping @rn
