From eff260aaf2ddc17305efd18cf6cb26306316ddb8 Mon Sep 17 00:00:00 2001
From: nullrequest <30698906+advaithm@users.noreply.github.com>
Date: Thu, 12 Aug 2021 17:37:12 +0530
Subject: [PATCH] linux config: enable Landlock LSM

---
 pkgs/os-specific/linux/kernel/common-config.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 93c6b390eb2a..012833a538cc 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -462,6 +462,9 @@ let
       SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
       # Prevent processes from ptracing non-children processes
       SECURITY_YAMA                    = option yes;
+      # The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
+      # This does not have any effect if a program does not support it
+      SECURITY_LANDLOCK                = whenAtLeast "5.13" yes;
       DEVKMEM                          = whenOlder "5.13" no; # Disable /dev/kmem
 
       USER_NS                          = yes; # Support for user namespaces