On 12/11/2021 13:45, Bastian Blank wrote:
> Control: tag -1 wontfix
> 
> On Fri, Nov 12, 2021 at 12:23:13PM +0100, Mickaël Salaün wrote:
>> The Landlock security feature is built into the Debian kernel since
>> 5.13.12-1~exp1 which is great!  However, it is not enough to enable the
>> CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
>> CONFIG_LSM option needs to be prepended by "landlock," to make Landlock
>> system calls available without modifying the kernel boot arguments.
> 
> It was left out of this list by team decision, as is e.g. bpf.  So not
> right now.

Could we know the reason? FYI, Landlock is enabled by default at least
in Arch and Fedora (and then Gentoo according to selected configuration).

BPF-LSM is very specific and would require privileged services to manage
it. However, Landlock brings new security features (like seccomp) and
would then benefit potentially all Debian applications. It is designed
from the beginning to be safely usable by all users, including
unprivileged ones.
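
The distinction raised in this thread, between a kernel built with CONFIG_SECURITY_LANDLOCK and one that also lists "landlock" in CONFIG_LSM, can be checked with a short script. This is an added example, not part of the original messages or of any Debian tooling; the function names and the sample config text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample configs are constructed.

# Classify a kernel build config read from stdin.
# Prints: not-built | built-not-in-lsm | enabled-by-default
landlock_config_status() {
    ll_cfg=$(cat)
    if ! printf '%s\n' "$ll_cfg" | grep -q '^CONFIG_SECURITY_LANDLOCK=y$'; then
        echo not-built
        return 0
    fi
    # CONFIG_LSM is a quoted, comma-separated, ordered list of LSM names.
    ll_lsm=$(printf '%s\n' "$ll_cfg" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p')
    case ",$ll_lsm," in
        *,landlock,*) echo enabled-by-default ;;
        *)            echo built-not-in-lsm ;;
    esac
}

# Succeeds if "landlock" is in a comma-separated list of active LSMs,
# such as the content of /sys/kernel/security/lsm on a running system
# (which also reflects an lsm= kernel boot argument).
landlock_active() {
    case ",$1," in
        *,landlock,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample: option built in, but not listed in CONFIG_LSM.
SAMPLE_BUILT_ONLY='CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="lockdown,yama,integrity,apparmor"'

# Constructed sample: "landlock," prepended to CONFIG_LSM.
SAMPLE_IN_LSM='CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"'

printf '%s\n' "$SAMPLE_BUILT_ONLY" | landlock_config_status
printf '%s\n' "$SAMPLE_IN_LSM" | landlock_config_status

# Report on the running kernel when securityfs is readable.
if [ -r /sys/kernel/security/lsm ]; then
    if landlock_active "$(cat /sys/kernel/security/lsm)"; then
        echo "running kernel: landlock active"
    else
        echo "running kernel: landlock not active"
    fi
fi
```

To check an installed kernel's build config, feed the function its config file, for example `landlock_config_status < "/boot/config-$(uname -r)"` on systems that ship the config there.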
