Odroid N2 and Pinebook Pro have a problem with Pacman 7.0 when using the EnOS kernel linux-eos-arm.
With pacman 7.0, Archlinux has added the ability to use a sandbox with a new user and new group they added named alpm. I think this is supposed to restrict filesystem access to user alpm when doing updates.
When updating on Odroid N2 or Pinebook Pro with pacman or yay, the following error occurs.
error: restricting filesystem access failed because landlock is not supported by the kernel
I have edited the config file that the EnOS linux-eos-arm PKGBUILD uses from
# CONFIG_SECURITY_LANDLOCK is not set
to
CONFIG_SECURITY_LANDLOCK=y
The kernel re-compile did not fix the problem. It must need something else enabled besides LANDLOCK.
Archlinux ARM has already fixed the LANDLOCK problem on RPi 4b and RPi 5 kernels.
So they are not affected. Archlinux ARM has also fixed the LANDLOCK problem on its linux-aarch64 kernel.
So currently, the Odroid N2 and Pinebook Pro users have two choices.
- Use Archlinux ARM kernel linux-aarch64 instead of EnOS ARM kernel linux-eos-arm
- Use EnOS kernel linux-eos-arm and edit /etc/pacman.conf to uncomment the following line.
#DisableSandbox
and operate with the sandbox disabled, like Archlinux was before pacman 7.0.
In the meantime, I will continue to look into getting kernel linux-eos-arm installed with LANDLOCK enabled.
If there are any kernel GURUs out there that have any suggestions, please feel free to contact me in this Endeavour.
I do not know how much this pacman sandbox addition means security wise for the average home user. Maybe @dalto can clarify this.
Pudge
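
A diagnostic for the error above, added here and not part of the original post or of any EndeavourOS tooling: Landlock is a stackable LSM, so a kernel built with CONFIG_SECURITY_LANDLOCK=y still reports it as unsupported unless landlock is also in the active LSM list (CONFIG_LSM at build time or the lsm= boot parameter). The function names, verdict strings and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). CONFIG_SECURITY_LANDLOCK=y only
# builds Landlock; it must also be in the active LSM list, which is set by
# CONFIG_LSM or by the lsm= kernel boot parameter.

# True if "landlock" is in a comma-separated LSM list file
# (on a live system: /sys/kernel/security/lsm).
landlock_active() {
    [ -r "$1" ] && tr ',' '\n' < "$1" | grep -qx 'landlock'
}

# True if the plain-text kernel config builds Landlock in.
landlock_built_in() {
    grep -qx 'CONFIG_SECURITY_LANDLOCK=y' "$1"
}

# True if CONFIG_LSM="..." in the kernel config lists landlock.
landlock_in_config_lsm() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$1" | tr ',' '\n' | grep -qx 'landlock'
}

# True if pacman.conf has DisableSandbox uncommented.
sandbox_disabled() {
    grep -Eq '^[[:space:]]*DisableSandbox[[:space:]]*$' "$1"
}

# diagnose LSM_LIST_FILE KERNEL_CONFIG PACMAN_CONF
# Prints a kernel verdict on line 1 and the pacman sandbox state on line 2.
diagnose() {
    if landlock_active "$1"; then
        echo "landlock-active"
    elif ! landlock_built_in "$2"; then
        echo "not-built"
    elif ! landlock_in_config_lsm "$2"; then
        echo "built-but-missing-from-CONFIG_LSM"
    else
        echo "built-and-in-CONFIG_LSM-check-lsm-boot-parameter"
    fi
    if sandbox_disabled "$3"; then echo "pacman-sandbox-disabled"; else echo "pacman-sandbox-enabled"; fi
}

# Constructed sample inputs (not taken from a real device).
demo_dir=$(mktemp -d)
printf 'capability,lockdown,yama' > "$demo_dir/lsm"
printf '%s\n' 'CONFIG_SECURITY_LANDLOCK=y' 'CONFIG_LSM="lockdown,yama,integrity"' > "$demo_dir/config"
printf '%s\n' '[options]' '#DisableSandbox' > "$demo_dir/pacman.conf"
diagnose "$demo_dir/lsm" "$demo_dir/config" "$demo_dir/pacman.conf"
```

On a real device, pass /sys/kernel/security/lsm, a plain-text copy of the kernel config (the PKGBUILD's config file, or /proc/config.gz decompressed if the kernel exposes it) and /etc/pacman.conf to diagnose.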