Archlinux template fails to build

Following the community guide for building archlinux (which I have used, and which worked, in the past) no longer works. It spits out an error while running make qubes-vm about the kernel not supporting landlock. Is this a known issue and/or is there a workaround for it?

Hi @arkfox,
for about a month now I have also been seeing this error message when I update my ArchLinux Qubes-OS templates:

[root@tpl-archlinux ~]# pacman -Syu
:: Synchronizing package databases...
 qubes-r4.2-current-testing is up to date
 qubes-r4.2-current is up to date
 core is up to date
 extra is up to date
error: restricting filesystem access failed because landlock is not supported by the kernel!
:: Starting full system upgrade...
 there is nothing to do

I suggest you first search the ArchLinux news and Linux kernel news to understand what landlock is. Maybe an ArchLinux setting could disable it…
And remember that the Linux kernel used is the kernel-vm from dom0, not the kernel from the template OS.

Resources:

I should mention this is related to the archlinux-minimal template rather than the one in the community-testing repository.

I have an idea of what landlock is, but this gets a bit complicated with the build scripts in place and no obvious solutions. It seems like an issue with the build script for vmm-xen not being compatible with archlinux after the move to landlock sandboxing, but I'm not sure if there is a workaround.

I figured I could use the archlinux template from community testing as an HVM with its own kernel to build the template but alas qubes-builder requires yum/dnf.

The explanation and two workarounds:

https://bbs.archlinux.org/viewtopic.php?pid=2195953#p2195953

I changed the pacman.conf entry in my ArchLinux qubes.

Other ways to explore:

  • find which is the required kernel version for landlock
  • test the Qubes-OS kernel-last package if the good kernel version is available

The Landlock Linux security module came with Linux 5.13 (phoronix source), but new features were added in 6.7 (phoronix source).

The current ArchLinux template contains the 6.6 kernel (the latest Qubes-OS stable kernel package):

[user@tpl-archlinux-42 ~]$ uname -a; zgrep -i landlock /proc/config.gz 
Linux tpl-archlinux-42 6.6.48-1.qubes.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Sep  4 01:09:59 GMT 2024 x86_64 GNU/Linux
CONFIG_SECURITY_LANDLOCK=y

So two possible options:

  1. Linux 6.7 requirement: the latest Qubes-OS kernel-latest package is 6.10.3 :+1: (see repo)
  2. Xen or another layer blocks this feature
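To tell the two options apart from inside the template, here is a small probe (an added example, not pacman's code or anything from this thread): it issues the same landlock_create_ruleset version query a Landlock-aware program makes before restricting itself, and maps the result to "usable", "kernel has no Landlock", "built in but not enabled in the lsm list", or "refused by another layer". It assumes a glibc system; the syscall number 444 and the VERSION flag value are the upstream Linux definitions, used as fallbacks in case the headers lack them.

```c
/* landlock_probe.c: added example, not pacman's code. Build with
 * `gcc -O2 -o landlock_probe landlock_probe.c` and run inside the template. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 444 is the upstream syscall number; older glibc headers lack the macro. */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#endif
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) /* from linux/landlock.h */

enum landlock_status {
    LL_USABLE,     /* ABI version reported: sandboxing will work            */
    LL_NO_SYSCALL, /* ENOSYS: kernel built without Landlock                 */
    LL_DISABLED,   /* EOPNOTSUPP: built in, but not in the active lsm= list */
    LL_BLOCKED     /* anything else: seccomp, VMM or another layer refused  */
};

/* Pure mapping of (return value, errno) to a verdict; testable on any kernel. */
enum landlock_status classify_landlock(long ret, int err)
{
    if (ret >= 0) return LL_USABLE;
    if (err == ENOSYS) return LL_NO_SYSCALL;
    if (err == EOPNOTSUPP) return LL_DISABLED;
    return LL_BLOCKED;
}

/* attr=NULL, size=0 with the VERSION flag creates no ruleset: side-effect free. */
enum landlock_status probe_landlock(long *abi_out, int *err_out)
{
    long ret = syscall(SYS_landlock_create_ruleset, NULL, 0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    int err = ret < 0 ? errno : 0;
    if (abi_out) *abi_out = ret;
    if (err_out) *err_out = err;
    return classify_landlock(ret, err);
}

int main(void)
{
    long abi = 0; int err = 0;
    enum landlock_status st = probe_landlock(&abi, &err);
    if (st == LL_USABLE) printf("Landlock usable, ABI v%ld\n", abi);
    else printf("Landlock unusable (%s): verdict %d\n", strerror(err), (int)st);
    return st == LL_USABLE ? 0 : 1;
}
```

If the verdict is LL_DISABLED, the kernel is the 6.6 with CONFIG_SECURITY_LANDLOCK=y shown above but Landlock is not in the active LSM list: compare the contents of /sys/kernel/security/lsm with the kernel's lsm= boot parameter.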

I’m not sure if I understand the solution. I use kernel-latest, and use it in the build template, which is currently 6.10.10, so it should support landlock. I assumed the issue was within the template build scripts, where it uses a chroot to prepare the file system etc., and it is unclear how to fix this. Is the archlinux-minimal build using its own kernel to prepare the template?