[SOLVED] enable kernel lockdown in PVE

abma

It seems the Linux kernel shipped with PVE doesn't have lockdown support:

Code:
$ cat /sys/kernel/security/lsm
capability,yama,apparmor
(output of pve-kernel-6.2.9-1-pve)

Is there a reason why it's disabled at compile time?

I couldn't find any info about it; the default Ubuntu kernel seems to support it.

Edit:
https://git.proxmox.com/?p=pve-kernel.git;a=commit;h=f6d3198e5d8d038f86342a094b8472a69b6df608
->
https://bugzilla.proxmox.com/show_bug.cgi?id=2814

So, what's preventing enabling it again?

AFAIK it is disabled when secureboot is disabled, i.e.

Code:
mokutil --disable-validation
 
I have PVE 8.1 and kernel 6.5.11-7-pve, but landlock is not enabled.

Code:
dmesg | grep landlock || journalctl -kg landlock
-- No entries --
 
This thread is about lockdown and it works with kernel 6.5:

Code:
# cat /proc/version /sys/kernel/security/lsm
Linux version 6.5.11-6-pve (build@proxmox) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC PMX 6.5.11-6 (2023-11-29T08:32Z)
lockdown,capability,yama,apparmor

For problems / questions wrt landlock, please create a new thread.
 
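Seeing `lockdown` in the LSM list only shows that the module is active; the mode actually enforced is reported separately in /sys/kernel/security/lockdown, with the active mode in brackets. The following is an added example, not part of the thread, that checks both. The function name and return codes are this example's own, and the mode file path comes from the kernel's lockdown documentation rather than from the posts above.

```shell
#!/bin/sh
# Added example: report the kernel lockdown state from securityfs.
# Usage: lockdown_status [lsm_file] [mode_file]
# Prints absent | none | integrity | confidentiality | unknown.
# Returns 0 if a lockdown mode is enforced, 1 if not, 2 if undetermined.
lockdown_status() {
    lsm_file=${1:-/sys/kernel/security/lsm}
    mode_file=${2:-/sys/kernel/security/lockdown}

    [ -r "$lsm_file" ] || { echo "unknown"; return 2; }

    # The LSM list is one comma-separated line,
    # e.g. "lockdown,capability,yama,apparmor".
    case ",$(tr -d ' \n' < "$lsm_file")," in
        *,lockdown,*) ;;
        *) echo "absent"; return 1 ;;
    esac

    [ -r "$mode_file" ] || { echo "unknown"; return 2; }

    # The active mode is the bracketed word,
    # e.g. "none [integrity] confidentiality".
    mode=$(sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$mode_file")
    case "$mode" in
        none) echo "none"; return 1 ;;
        integrity|confidentiality) echo "$mode"; return 0 ;;
        *) echo "unknown"; return 2 ;;
    esac
}
```

Called with no arguments as root, `lockdown_status` reads the running host's securityfs. A result of `none` means the LSM is present but nothing is being restricted.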
This is mine:

Code:
# cat /proc/version /sys/kernel/security/lsm
Linux version 6.5.11-7-pve (build@proxmox) (gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC PMX 6.5.11-7 (2023-12-05T09:44Z)
 