Bug 13645

Summary: Landlock Support seems to be entirely disabled
Product: IPFire
Reporter: Michael Tremer <michael.tremer>
Component: ---
Assignee: Peter Müller <peter.mueller>
Status: CLOSED FIXED
QA Contact:
Severity: Security
Priority: Will affect all users
CC: adolf.belka, arne.fitzenreiter, stefan.schantl
Version: 2
Hardware: unspecified
OS: Unspecified

Description Michael Tremer 2024-04-08 15:59:20 UTC
While testing Suricata 7, I can confirm that enabling Landlock support with obviously incorrect data results in Suricata running just fine.

It seems that the kernel does not have this enabled:

> [root@fw01 ipfire-2.x]# cat /sys/kernel/security/lockdown
> [none] integrity confidentiality

However, changing this to "integrity" does not seem to change anything:

> [root@fw01 ipfire-2.x]# cat /sys/kernel/security/lockdown
> none [integrity] confidentiality

We have various kernel options that seem like they enable Landlock by default. However, that does not seem to be the case at all.

Please investigate whether this is intended behaviour. If so, we might not need to compile Landlock.

If we want to enable this by default, we will have to identify all services that might use this, to prevent us from breaking anything when rolling out a kernel with Landlock enabled.
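A practitioner's check that complements the report above (added here as an illustration; it is not IPFire's code and not part of the bug tracker entry). Note that /sys/kernel/security/lockdown reports the mode of the separate Lockdown LSM, not whether Landlock is active; the list of LSMs actually enabled at boot is in /sys/kernel/security/lsm, and the definitive test is the ABI-version query of landlock_create_ruleset(2). Per that syscall's documentation, the query returns the ABI version when Landlock is usable, fails with ENOSYS when the kernel was built without CONFIG_SECURITY_LANDLOCK, and fails with EOPNOTSUPP when Landlock is compiled in but missing from the active LSM list (CONFIG_LSM or the lsm= boot parameter). The latter case is exactly the "kernel options look enabled but nothing happens" symptom, so the probe separates the three outcomes. The fallback constant values mirror <linux/landlock.h> and the generic syscall table; the enum and function names are this example's own.

```c
/*
 * Added example, not IPFire's code: probe whether Landlock is actually
 * usable on the running kernel and tell the possible outcomes apart.
 *
 * landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) returns
 *   >= 1              Landlock compiled in and enabled at boot (ABI version)
 *   -1 / ENOSYS       kernel built without CONFIG_SECURITY_LANDLOCK
 *   -1 / EOPNOTSUPP   compiled in, but not in the active LSM list
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Fallbacks so this also builds against older headers; values match
 * <linux/landlock.h> and the architecture-generic syscall table. */
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif

enum landlock_state {
    LANDLOCK_ENABLED,          /* usable; the ABI version was returned      */
    LANDLOCK_NOT_COMPILED,     /* CONFIG_SECURITY_LANDLOCK is off (ENOSYS)  */
    LANDLOCK_DISABLED_AT_BOOT, /* compiled in, absent from LSM list (EOPNOTSUPP) */
    LANDLOCK_UNKNOWN           /* another error: seccomp, sandbox, etc.     */
};

/* Pure classification of (syscall return value, errno). Kept separate from
 * the syscall so it can be tested independently of the host kernel. */
enum landlock_state classify_landlock(long ret, int err)
{
    if (ret >= 1)
        return LANDLOCK_ENABLED;
    if (err == ENOSYS)
        return LANDLOCK_NOT_COMPILED;
    if (err == EOPNOTSUPP)
        return LANDLOCK_DISABLED_AT_BOOT;
    return LANDLOCK_UNKNOWN;
}

/* Issue the ABI-version query on the running kernel. On success *abi holds
 * the ABI version; on failure it holds -1 and *err the errno value. */
enum landlock_state probe_landlock(long *abi, int *err)
{
    long ret = syscall(__NR_landlock_create_ruleset, NULL, 0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    int e = (ret < 0) ? errno : 0;
    if (abi)
        *abi = ret;
    if (err)
        *err = e;
    return classify_landlock(ret, e);
}

const char *landlock_state_str(enum landlock_state s)
{
    switch (s) {
    case LANDLOCK_ENABLED:          return "enabled";
    case LANDLOCK_NOT_COMPILED:     return "not compiled into the kernel";
    case LANDLOCK_DISABLED_AT_BOOT: return "compiled in but disabled at boot";
    default:                        return "unknown";
    }
}

int main(void)
{
    long abi;
    int err;
    enum landlock_state s = probe_landlock(&abi, &err);

    printf("Landlock: %s", landlock_state_str(s));
    if (s == LANDLOCK_ENABLED)
        printf(" (ABI version %ld)", abi);
    else if (s != LANDLOCK_ENABLED && err != 0)
        printf(" (%s)", strerror(err));
    printf("\n");

    /* Non-zero exit lets a test script fail the kernel build as a whole. */
    return s == LANDLOCK_ENABLED ? 0 : 1;
}
```

Compile with `cc -o landlock-probe landlock-probe.c` and run it on the kernel under test; pairing its output with `cat /sys/kernel/security/lsm` shows immediately whether the problem is the kernel config (ENOSYS) or the boot-time LSM selection (EOPNOTSUPP).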
Comment 1 Peter Müller 2024-04-22 16:45:00 UTC
Patchset to fix this has been sent to the development mailing list:

https://patchwork.ipfire.org/project/ipfire/list/?series=4268
Comment 2 Adolf Belka 2024-05-10 19:50:25 UTC
CU186 Testing release has been issued

https://www.ipfire.org/blog/ipfire-2-29-core-update-186-is-available-for-testing
Comment 3 Adolf Belka 2024-06-23 14:37:38 UTC
Did the patchset from @Peter solve this bug in Core Update 186?

If yes then the bug can be closed as fixed.
Comment 4 Peter Müller 2024-07-01 18:06:35 UTC
This has indeed been fixed in Core Update 186.

https://www.ipfire.org/blog/ipfire-2-29-core-update-186-released