On Mon, Feb 19, 2024 at 01:07:48PM -0800, Kees Cook wrote: > On Mon, Feb 19, 2024 at 08:18:04PM +0100, Mickaël Salaün wrote: > > Because sandboxing can be used as an opportunistic security measure, > > user space may not log unsupported features. Let the system > > administrator know if an application tries to use Landlock but failed > > because it isn't enabled at boot time. This may be caused by bootloader > > configurations with outdated "lsm" kernel's command-line parameter. > > > > Cc: Günther Noack <gnoack@xxxxxxxxxx> > > Cc: stable@xxxxxxxxxxxxxxx > > Fixes: 265885daf3e5 ("landlock: Add syscall implementations") > > Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx> > > --- > > security/landlock/syscalls.c | 18 +++++++++++++++--- > > 1 file changed, 15 insertions(+), 3 deletions(-) > > > > diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c > > index f0bc50003b46..b5b424819dee 100644 > > --- a/security/landlock/syscalls.c > > +++ b/security/landlock/syscalls.c 
> > @@ -33,6 +33,18 @@ > > #include "ruleset.h" > > #include "setup.h" > > > > +static bool is_not_initialized(void) > > +{ > > + if (likely(landlock_initialized)) > > + return false; > > + > > + pr_warn_once( > > + "Disabled but requested by user space. " > > + "You should enable Landlock at boot time: " > > + "https://docs.kernel.org/userspace-api/landlock.html#kernel-support\n"); > > Perhaps update this docs to be really explicit with a example, maybe... > > If `landlock` is not present in `CONFIG_LSM`, you can add it. For > example, if this was the current config:: > > $ zgrep -h ^CONFIG_LSM= /boot/config-$(uname -r) /proc/config.gz 2>/dev/null > CONFIG_LSM="lockdown,yama,integrity,apparmor" > > You can boot with:: > > lsm=landlock,lockdown,yama,integrity,apparmor > Indeed, I'll send a dedicated patch and update the link accordingly. > > I *still* wish we had the "+" operator for lsm=. It would be SO much > easier to say "boot with lsm=+landlock". *shrug* I guess it's still possible and it would need to be backported to be more useful. > > > Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> > > -- > Kees Cook >
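Review bot: is_not_initialized() in the syscalls.c hunk reads as a side-effect-free predicate, but it also emits the pr_warn_once() message, so a one-line comment above it (or a name that says it warns) would tell readers of the call sites that checking the flag can log. The warning text is also split across three adjacent string literals; kernel coding style asks that user-visible printk strings not be broken so that an administrator can grep the source for the text seen in the log, so consider joining "You should enable Landlock at boot time: " with the URL literal that follows it. The first sentence, "Disabled but requested by user space. ", names the subsystem only if a pr_fmt prefix is defined, which this hunk does not show.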