PVE landlock support

TheHellSite

Hi,

is there any reason that the landlock feature is disabled by default in the PVE kernel?

Code:
Linux PVE 6.17.4-2-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.4-2 (2025-12-19T07:49Z) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@PVE:~# dmesg | grep landlock || journalctl -kb -g landlock
[  326.241612] landlock: Disabled but requested by user space. You should enable Landlock at boot time: https://docs.kernel.org/userspace-api/landlock.html#boot-time-configuration
root@PVE:~# zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
CONFIG_LSM="lockdown,yama,integrity,apparmor"

I am running several unprivileged Arch Linux LXCs in which the package manager "pacman" now requires the landlock feature to continue working.
https://bbs.archlinux.org/viewtopic.php?id=299402
As a workaround I uncommented the "DisableSandbox" feature in the pacman.conf for now, but this weakens security, which is why I would like to revert this asap.

At the same time I want to keep the PVE configuration as stock as possible.

So before I manually enable the landlock feature using "CONFIG_LSM", I would like to ask why it is disabled by default in the first place?

Kind Regards
TheHellSite
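The check from the post above, as an added example that is not part of the thread: it separates "Landlock compiled in but left out of the boot-time LSM list" (the state the dmesg line reports) from "not compiled in at all", and prints the `lsm=` boot parameter form described in the kernel documentation linked in that message. Function names are hypothetical, and it assumes securityfs is mounted at /sys/kernel/security.

```shell
#!/bin/sh
# Added example: classify the Landlock state of a Linux host.
# Run with --live to inspect the running kernel.

# read_config FILE -> print kernel config text (handles .gz, e.g. /proc/config.gz)
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# in_list NAME CSV -> success if NAME is an exact element of the comma list
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# landlock_status CONFIG_FILE ACTIVE_LSM_FILE
# Prints one of: active | built-not-enabled | not-built
landlock_status() {
    cfg=$(read_config "$1") || return 2
    active=$(tr -d '\n' < "$2") || return 2
    if in_list landlock "$active"; then
        echo active
    elif printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_LANDLOCK=y$'; then
        echo built-not-enabled
    else
        echo not-built
    fi
}

# suggest_lsm_param CONFIG_FILE -> lsm= value that prepends landlock to the
# built-in CONFIG_LSM order, leaving the existing modules and order unchanged
suggest_lsm_param() {
    built_in=$(read_config "$1" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p')
    if in_list landlock "$built_in"; then
        echo "lsm=$built_in"
    else
        echo "lsm=landlock${built_in:+,$built_in}"
    fi
}

if [ "${1:-}" = "--live" ]; then
    landlock_status "/boot/config-$(uname -r)" /sys/kernel/security/lsm
    suggest_lsm_param "/boot/config-$(uname -r)"
fi
```

A result of `built-not-enabled` means no kernel rebuild is involved; only the boot-time LSM list differs from what pacman's sandbox needs.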
 
The best answer I can give is that stacking LSMs (such as apparmor and landlock) is in theory supported but might not work well in practice.