On Pi desktop, numerous reports of lack of landlock supported ABI

I checked https://man7.org/linux/man-pages/man2/landlock_create_ruleset.2.html
The macro which fails is https://gitlab.gnome.org/GNOME/localsearch/-/blob/master/src/libtracker-miners-common/tracker-landlock.c#L36, introduced in https://gitlab.gnome.org/GNOME/localsearch/-/commit/38f0bed52b412a89ae6669a478805c8f91af0ff9

Running dmesg | grep landlock || journalctl -kb -g landlock, I get:

[ 42.661148] landlock: Disabled but requested by user space. You should enable Landlock at boot time: https://docs.kernel.org/userspace-api/landlock.html#boot-time-configuration

The fix would be to enable the Landlock LSM during boot

Nice! Looks like this is a difference between the Ubuntu PC kernel's configuration and the Ubuntu Pi kernel's configuration. On a PC:

  CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"

On a Pi:

  CONFIG_LSM="yama,integrity,apparmor"

Adding "lsm=landlock,lockdown,yama,integrity,apparmor" to /boot/firmware/cmdline.txt did enable landlock successfully on a subsequent boot, and the messages mentioned in the description above do disappear. However, now touching a file in the home-directory leads to the following in the journal:

  Sep 10 10:36:00 kermit tracker-miner-fs-3[5442]: (tracker-extract-3:5442): GLib-GIO-WARNING **: 10:36:00.310: Error creating IO channel for /proc/self/mountinfo: Invalid argument (g-io-error-quark, 13)
  Sep 10 10:36:00 kermit tracker-miner-fs-3[5442]: (tracker-extract-3:5442): GLib-WARNING **: 10:36:00.361: getpwuid_r(): failed due to unknown user id (1000)
  Sep 10 10:36:43 kermit tracker-miner-fs-3[5494]: (tracker-extract-3:5494): GLib-GIO-WARNING **: 10:36:43.582: Error creating IO channel for /proc/self/mountinfo: Invalid argument (g-io-error-quark, 13)
  Sep 10 10:36:43 kermit tracker-miner-fs-3[5494]: (tracker-extract-3:5494): GLib-WARNING **: 10:36:43.631: getpwuid_r(): failed due to unknown user id (1000)

However, I note this is on my rather customized desktop development Pi, and needs replicating on the bare Pi desktop image.

I'm going to add linux-raspi as affected here given this is (at least partially) down to a linux-raspi configuration difference. Kernel team: is there a reason landlock is disabled in the Pi kernel? Seems to work happily on a Pi 5, but perhaps there was some incompatibility with earlier models?

I can replicate the above fix on a bare Ubuntu desktop image on both the Pi 5 and the Pi 3b+.

I'm not finding any traces why we might have deliberately disabled this. It was introduced in Focal and I suspect we just didn't realize there was a new option that could be enabled. Or maybe the memory footprint was too big but in that case we should have noted that somewhere.

However, memory consumption should be evaluated. This is wanted by a GNOME thingy so maybe we want this only in the desktop image.

This bug is awaiting verification that the linux-raspi/6.8.0-1016.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-raspi' to 'verification-done-noble-linux-raspi'. If the problem still exists, change the tag 'verification-needed-noble-linux-raspi' to 'verification-failed-noble-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux-raspi/6.11.0-1005.5 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-oracular-linux-raspi' to 'verification-done-oracular-linux-raspi'. If the problem still exists, change the tag 'verification-needed-oracular-linux-raspi' to 'verification-failed-oracular-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

ack, the problem is now fixed

ubuntu@ubuntu:~$ sudo uname -a
Linux ubuntu 6.11.0-1005-raspi #5-Ubuntu SMP PREEMPT_DYNAMIC Fri Nov 22 13:24:30 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
ubuntu@ubuntu:~$ sudo dmesg | grep landl
[ 0.000580] LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,ima,evm
[ 0.000654] landlock: Up and running.

Seems to be working on oracular, too.

This bug is awaiting verification that the linux-raspi-realtime/6.8.0-2015.16 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-raspi-realtime' to 'verification-done-noble-linux-raspi-realtime'. If the problem still exists, change the tag 'verification-needed-noble-linux-raspi-realtime' to 'verification-failed-noble-linux-raspi-realtime'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug was fixed in the package linux-raspi - 6.8.0-1016.18

---------------
linux-raspi (6.8.0-1016.18) noble; urgency=medium

  * noble/linux-raspi: 6.8.0-1016.18 -proposed tracker (LP: #2086292)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.raspi/dkms-versions -- update from kernel-versions
      (main/2024.10.28)

  * On Pi desktop, numerous reports of lack of landlock supported ABI
    (LP: #2066885)
    - [Config] raspi: Enable landlock LSM by default

  * Miscellaneous Ubuntu changes
    - [Config] raspi: updateconfigs after rebase to Ubuntu-6.8.0-50.51

  [ Ubuntu: 6.8.0-50.51 ]

  * noble/linux: 6.8.0-50.51 -proposed tracker (LP: #2086301)
  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/2024.10.28)
  * Noble update: upstream stable patchset 2024-10-31 (LP: #2086138)
    - device property: Add cleanup.h based fwnode_handle_put() scope based
      cleanup.
    - device property: Introduce device_for_each_child_node_scoped()
    - iio: adc: ad7124: Switch from of specific to fwnode based property handling
    - ksmbd: override fsids for share path check
    - ksmbd: override fsids for smb2_query_info()
    - usbnet: ipheth: remove extraneous rx URB length check
    - usbnet: ipheth: drop RX URBs with no payload
    - usbnet: ipheth: do not stop RX on failing RX callback
    - usbnet: ipheth: fix carrier detection in modes 1 and 4
    - net: ethernet: use ip_hdrlen() instead of bit shift
    - drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero
    - drm: panel-orientation-quirks: Add quirk for Ayn Loki Max
    - net: phy: vitesse: repair vsc73xx autonegotiation
    - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL
    - wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change
    - net: hns3: use correct release function during uninitialization
    - btrfs: update target inode's ctime on unlink
    - Input: ads7846 - ratelimit the spi_sync error message
    - Input: synaptics - enable SMBus for HP Elitebook 840 G2
    - HID: multitouch: Add support for GT7868Q
    - scripts: kconfig: merge_config: config files: add a trailing newline
    - platform/surface: aggregator_registry: Add Support for Surface Pro 10
    - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3
    - drm/msm/adreno: Fix error return if missing firmware-name
    - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table
    - smb/server: fix return value of smb2_open()
    - NFSv4: Fix clearing of layout segments in layoutreturn
    - NFS: Avoid unnecessary rescanning of the per-server delegation list
    - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses
    - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array
    - mptcp: pm: Fix uaf in __timer_delete_sync
    - arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on
      RK3399 Puma
    - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399
      Puma
    - minmax: reduce min/max macro expansion in atomisp driver
    - net: tighten bad gso csum offset check in virtio_net...

This bug was fixed in the package linux-raspi - 6.11.0-1005.5

---------------
linux-raspi (6.11.0-1005.5) oracular; urgency=medium

  * oracular/linux-raspi: 6.11.0-1005.5 -proposed tracker (LP: #2086260)

  * Ubuntu 24.10 Beta, Raspberry Pi 4: kdump-tools service not started, with
    errors (LP: #2081746)
    - [Config] raspi: Enable KEXEC

  * On Pi desktop, numerous reports of lack of landlock supported ABI
    (LP: #2066885)
    - [Config] raspi: Enable landlock LSM by default

  * Miscellaneous Ubuntu changes
    - [Config] raspi: updateconfigs after rebase to Ubuntu-6.11.0-12.13

  [ Ubuntu: 6.11.0-12.13 ]

  * oracular/linux: 6.11.0-12.13 -proposed tracker (LP: #2089269)
  * LXD fan bridge causes blocked tasks (LP: #2064176)
    - SAUCE: fan: release rcu_read_lock on skb discard path
    - SAUCE: fan: fix racy device stat update
  * OVTI08F4:00: number of CSI2 data lanes 2 is not supported (LP: #2084059)
    - SAUCE: media: ipu-bridge: Add support for additional link frequencies
  * [Oracular] Allow overriding Rust tools (LP: #2084693)
    - [Packaging] Allow rust overrides
  * Intel(R) PRO/1000 I219 ethernet adapter [8086:550c] may block entrance of
    modern standby (LP: #2081130)
    - platform/x86: intel/pmc: Ignore all LTRs during suspend
    - e1000e: change I219 (19) devices to ADP
    - x86/apic: Always explicitly disarm TSC-deadline timer
  * Need driver support for Realtek RTL8126A rev.b 5Gbps ethernet [10ec:8126]
    (LP: #2079017)
    - r8169: add support for RTL8126A rev.b
    - r8169: add missing MODULE_FIRMWARE entry for RTL8126A rev.b
  * Missing device ID for amd_atl driver for AMD Strix platform (LP: #2083292)
    - SAUCE: x86/amd_nb: Add new PCI ID for AMD family 1Ah model 20h
  * Lack of UART boot output on rb3gen2 even with earlycon (LP: #2083559)
    - [Config] move qcom clk and serial options as builtin
  * r8169: transmit queue 0 timed out error when re-plugging the Ethernet cable
    (LP: #2084526)
    - r8169: disable ALDPS per default for RTL8125
  * Dell Alienware sysytem reports errors of dell_wmi_sysman and dell_smbios in
    demsg (LP: #2084808)
    - platform/x86: dell-sysman: add support for alienware products
  * Add Intel Arrow Lake-H LPSS PCI IDs (LP: #2083905)
    - mfd: intel-lpss: Add Intel Arrow Lake-H LPSS PCI IDs
  * rtw89: reset IDMEM mode to prevent download firmware failure (LP: #2077396)
    - wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure
  * Missing Bluetooth device IDs for new Mediatek MT7920/MT7925 (LP: #2078878)
    - SAUCE: Bluetooth: btusb: Add USB HW IDs for MT7920/MT7925
  * rtw89: Support hardware rfkill (LP: #2077384)
    - wifi: rtw89: add support for hardware rfkill
  * [SRU] uncore: Add ARL and LNL support on 6.11 (LP: #2081810)
    - perf/x86/intel/uncore: Add Arrow Lake support
    - perf/x86/intel/uncore: Factor out common MMIO init and ops functions
    - perf/x86/intel/uncore: Add Lunar Lake support
    - perf/x86/intel/uncore: Add LNL uncore iMC freerunning support
    - perf/x86/intel/uncore: Use D0:F0 as a default device
  * Support Qualcomm WCN7851 Dual Bluetooth Adapter 0489:E0F3 (LP: #2081796)
    - SAUCE: Bluetooth: btusb: Add one more...

This bug was fixed in the package linux-raspi - 6.14.0-1003.3

---------------
linux-raspi (6.14.0-1003.3) plucky; urgency=medium

  * plucky/linux-raspi: 6.14.0-1003.3 -proposed tracker (LP: #2100493)

  * CONFIG_EFI_STUB support disabled since 6.5.0-1002.2 (LP: #2053147)
    - [Config] raspi: Set EFI=y

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log

  * Miscellaneous Ubuntu changes
    - [Config] raspi: updateconfigs following rebase to Ubuntu-6.14.0-5.5
    - raspi: Update to upstream raspberrypi rpi-6.14.y (2025-02-28)
    - [Config] raspi: updateconfigs after updating rpi-6.14.y patchset

  * Miscellaneous upstream changes
    - configs: Regenerate defconfigs"
    - Revert "Revert "media: i2c: imx290: Register 0x3011 varies between imx327
      and imx290""
    - drm/edid: When reset, assume HDMI displays support RGB444
    - configs: Enable more ZRAM backends
    - overlays: Add OpenHydroponics RootMaster overlay
    - arm64: dts: Add the Audio Out block to rp1.dtsi
    - clk: rp1: Allow audio out to use PLL_AUDIO_SEC; workaround rounding error
    - sound: soc: raspberrypi: RP1 Audio Out driver as an ASOC DAI
    - dts: overlays: Enable RP1 Audio Out using audremap-pi5-overlay
    - media: i2c: arducam-pivariety: Fix mutex init and NULL pointer
    - misc: rp1-pio: Demote fw probe error to warning
    - dts: Add hogs for RP1 GPIO 46/48 on CM5
    - spi: rp2040-gpio-bridge: fix gpiod error handling
    - spi: rp2040-gpio-bridge: probe: Cfg fast_xfer clk

  [ Ubuntu: 6.14.0-5.5 ]

  * plucky/linux: 6.14.0-5.5 -proposed tracker (LP: #2100254)
  * Miscellaneous Ubuntu changes
    - [Packaging] Sync riscv64.mk with linux-riscv tree
    - [Packaging] clean up the distclean rule
    - [Config] updateconfigs following v6.14-rc4 rebase

linux-raspi (6.14.0-1002.2) plucky; urgency=medium

  * Kernel compiled with different CONFIG_SERIAL_8250_NR_UARTS to Raspberry Pi
    OS (LP: #2096796)
    - [Config] raspi: Set SERIAL_8250_NR_UARTS=16

  * Packaging resync (LP: #1786013)
    - [Packaging] update update.conf
    - [Packaging] resync git-ubuntu-log

  * Miscellaneous Ubuntu changes
    - [packaging] raspi: split flavour-control.stub
    - [packaging] raspi: remove DESC and =HUMAN= substitution
    - [Config] raspi: updateconfigs following rebase to Ubuntu-6.14.0-4.4

  [ Ubuntu: 6.14.0-4.4 ]

  * plucky/linux: 6.14.0-4.4 -proposed tracker (LP: #2098875)
  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/d2025.02.11)
  * update apparmor and LSM stacking patch set (LP: #2028253)
    - SAUCE: apparmor4.0.0 [1/53]: Stacking: Audit: Create audit_stamp structure
    - SAUCE: apparmor4.0.0 [2/53]: Stacking: Audit: Allow multiple records in an
      audit_buffer
    - SAUCE: apparmor4.0.0 [3/53]: Stacking: LSM: security_lsmblob_to_secctx
      module selection
    - SAUCE: apparmor4.0.0 [4/53]: Stacking: Audit: Add record for multiple task
      security contexts
    - SAUCE: apparmor4.0.0 [5/53]: Stacking: Audit: multiple subject lsm values
      for netlabel
    - SAUCE: apparmor4.0.0 [6/53]: Stacking: Audit: Add record for multiple object
      con...