Skip to content

[redhat] New configs in security/landlock

CKI Gitlab requested to merge configs/2021-05-02/security/landlock into os-build

Hi,

As part of the ongoing rebase effort, the following configuration options need to be reviewed.

As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.

If the value for a file that is added should be changed, please reply with a better option.

CONFIG_SECURITY_LANDLOCK:

Landlock is a sandboxing mechanism that enables processes to restrict themselves (and their future children) by gradually enforcing tailored access control policies. A Landlock security policy is a set of access rights (e.g. open a file in read-only, make a directory, etc.) tied to a file hierarchy. Such policy can be configured and enforced by any processes for themselves using the dedicated system calls: landlock_create_ruleset(), landlock_add_rule(), and landlock_restrict_self().

See Documentation/userspace-api/landlock.rst for further information.

If you are unsure how to answer this question, answer N. Otherwise, you should also prepend "landlock," to the content of CONFIG_LSM to enable Landlock at boot time.

Symbol: SECURITY_LANDLOCK [=n] Type : bool Defined at security/landlock/Kconfig:3 Prompt: Landlock support Depends on: SECURITY [=y] && !ARCH_EPHEMERAL_INODES [=n] Location: -> Security options Selects: SECURITY_PATH [=n]

Signed-off-by: Fedora Kernel Team kernel-team@fedoraproject.org

Merge request reports