During testing Suricata 7 I can confirm that enabling Landlock Support with obviously incorrect data results in Suricata running just fine. It seems that the kernel does not have this enabled:

> [root@fw01 ipfire-2.x]# cat /sys/kernel/security/lockdown
> [none] integrity confidentiality

However, changing this to "integrity" does not seem to change anything:

> [root@fw01 ipfire-2.x]# cat /sys/kernel/security/lockdown
> none [integrity] confidentiality

We have various kernel options that seem like they enable Landlock by default. However, that does not seem to be the case at all. Please investigate if this is intended behaviour. If so, we might not need to compile Landlock. If we want to enable this by default, we will have to identify all services that might use this, to make sure we do not break anything when rolling out a kernel with Landlock enabled.
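The file read above, /sys/kernel/security/lockdown, reports the mode of the lockdown LSM; whether Landlock is active is reported separately, as the entry "landlock" in the comma-separated list in /sys/kernel/security/lsm. The following script is an added example, not part of the bug report or of IPFire: it checks both files on the running kernel and falls back to constructed sample values (the lockdown line from the report, an LSM list without landlock) when securityfs is not mounted.

```shell
#!/bin/sh
# Added example (not from the bug report): tell the two securityfs files apart.
#   /sys/kernel/security/lsm       comma-separated list of LSMs active at boot
#   /sys/kernel/security/lockdown  lockdown LSM mode; the active one is in [brackets]
# Landlock shows up as "landlock" in the first file; the second says nothing about it.

# Return 0 if the comma-separated LSM list in $1 contains landlock.
lsm_has_landlock() {
    case ",$1," in
        *,landlock,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the bracketed (active) lockdown mode from a line such as
# "[none] integrity confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Report on the running kernel when securityfs is mounted; otherwise use the
# constructed sample values below so the script still runs offline.
report() {
    if [ -r /sys/kernel/security/lsm ]; then
        lsms=$(cat /sys/kernel/security/lsm)
    else
        lsms="lockdown,capability,yama,bpf"          # constructed sample: no landlock
    fi
    if [ -r /sys/kernel/security/lockdown ]; then
        lockdown=$(cat /sys/kernel/security/lockdown)
    else
        lockdown="[none] integrity confidentiality"  # the line quoted in the report
    fi

    if lsm_has_landlock "$lsms"; then
        echo "landlock: active (lsm=$lsms)"
    else
        echo "landlock: NOT active (lsm=$lsms); lockdown mode '$(lockdown_mode "$lockdown")' does not change that"
    fi
}

report
```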
Patchset to fix this has been sent to the development mailing list: https://patchwork.ipfire.org/project/ipfire/list/?series=4268
CU186 Testing release has been issued https://www.ipfire.org/blog/ipfire-2-29-core-update-186-is-available-for-testing
Did the patchset from @Peter solve this bug in Core Update 186? If yes, then the bug can be closed as fixed.
This has been indeed fixed in Core Update 186. https://www.ipfire.org/blog/ipfire-2-29-core-update-186-released