From d8ae1c2ff7445fa3a62596e290a28dda28941e25 Mon Sep 17 00:00:00 2001
From: Aakash Chaudhary
Date: Fri, 26 Jun 2026 23:52:20 -0700
Subject: [PATCH] guest-configs: enable Landlock LSM in 6.1 kernel configs
Enable CONFIG_SECURITY_LANDLOCK=y and prepend "landlock," to CONFIG_LSM in the 6.1 guest kernel configs for both x86_64 and aarch64 architectures. Landlock is an unprivileged access control mechanism merged into mainline Linux in 5.13. It allows processes to restrict their own filesystem access without requiring privileges, complementing Firecracker's guest/host isolation boundary with fine-grained in-guest per-process sandboxing. Landlock is not available in the 5.10 kernel configs (predates 5.13) so those are left unchanged. The LSM ordering follows upstream Linux defaults, with "landlock" placed first in the initialization list.
Resolves #5997
Signed-off-by: Aakash Chaudhary
---
resources/guest_configs/microvm-kernel-ci-aarch64-6.1.config | 5 ++---
resources/guest_configs/microvm-kernel-ci-x86_64-6.1.config | 4 ++--
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/resources/guest_configs/microvm-kernel-ci-aarch64-6.1.config b/resources/guest_configs/microvm-kernel-ci-aarch64-6.1.config
index 1ebc78ff2c9..df3199c660e 100644
--- a/resources/guest_configs/microvm-kernel-ci-aarch64-6.1.config
+++ b/resources/guest_configs/microvm-kernel-ci-aarch64-6.1.config
@@ -3004,13 +3004,12 @@ CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
 # CONFIG_INTEGRITY is not set
 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
 CONFIG_DEFAULT_SECURITY_SELINUX=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
-
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
 #
 # Kernel hardening options
 #
diff --git a/resources/guest_configs/microvm-kernel-ci-x86_64-6.1.config b/resources/guest_configs/microvm-kernel-ci-x86_64-6.1.config
index f56e15c3f10..555be7dd201 100644
--- a/resources/guest_configs/microvm-kernel-ci-x86_64-6.1.config
+++ b/resources/guest_configs/microvm-kernel-ci-x86_64-6.1.config
@@ -2933,11 +2933,11 @@ CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-# CONFIG_SECURITY_LANDLOCK is not set
+CONFIG_SECURITY_LANDLOCK=y
 # CONFIG_INTEGRITY is not set
 CONFIG_DEFAULT_SECURITY_SELINUX=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
 #
 # Kernel hardening options
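Review bot: `CONFIG_SECURITY_LANDLOCK=y` in 6.1 `select`s `SECURITY_PATH`, and nothing in this hunk adds `CONFIG_SECURITY_PATH=y`, so if that symbol is still `is not set` elsewhere in the file (outside the hunk) the committed config no longer matches what `make olddefconfig` writes, which is the usual sign of a hand-edited `.config`. The removed blank line before the `# Kernel hardening options` header points the same way, since kconfig's writer emits one ahead of every section header; regenerating both 6.1 configs with `make olddefconfig` and committing the result would settle both questions. Building the LSM is not the same as activating it: a guest `lsm=` boot argument, if CI passes one, overrides the new `CONFIG_LSM` order, so a boot-time assertion that `/sys/kernel/security/lsm` lists `landlock` would catch a silently inactive Landlock. The x86_64 hunk carries the same two changes and the same question; its final context line falls outside this chunk.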