From patchwork Tue Jun  9 18:38:24 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 3185
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 49hJn02xpHz3yQv
	for <patchwork@web04.haj.ipfire.org>; Tue,  9 Jun 2020 18:39:16 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 49hJmz1QLpz1f1;
	Tue,  9 Jun 2020 18:39:15 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 49hJmy5ztGz2yVl;
	Tue,  9 Jun 2020 18:39:14 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49hJmx0wBPz2xB8
 for <development@lists.ipfire.org>; Tue,  9 Jun 2020 18:39:13 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384))
 (Client did not present a certificate)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 49hJmv2PPSzNj
 for <development@lists.ipfire.org>; Tue,  9 Jun 2020 18:39:11 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1591727952;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=398HFRod0GbFzCZ76QsTF4jO2C3OEI+Kax5qjaRDdxg=;
 b=FTaFhbOgCUrO0NuwjRCFo4Gk9tRWogj3OrYn81z4Yhi4gl6WgzZ7YE8RHBhK5WYKQDB29Z
 5DRNNJxV+Wb3qoBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1591727952;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=398HFRod0GbFzCZ76QsTF4jO2C3OEI+Kax5qjaRDdxg=;
 b=f1qMEQystcIW8T2JO6rxB8FgWXNplagXB4h//P4lX1J5kNtS88Pghpfv7jxY23sBGyN+8I
 EDO2dR1c+l4Gx0Kjo4pNYWMJmmT1lPWpbpKK4ftsrdbiWHwEzlZTY3dJKzPZ1LD12AIPLd
 bvV1MuGwNN1LNDGbHRGPcz66FO7ArAXEDBInBlI8rreZUNngSYe2wt0BoKrBRUu5XSdeZk
 BCjEs5E57t/5PJxa8ZRsQVHfHzkA+AH1Xjx2Z/ZlVSpxiIxyRT3r71398eUAAizbfpyAiF
 HWxdgYpRPSRW6GMQmp9AdGs2ZhhcB/pfUi1R2IvNeabRhU/549zLPGk2EFNG/A==
To: development@lists.ipfire.org
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN
Message-ID: <86af19ef-9c55-b83a-7895-25ce81ec97e6@ipfire.org>
Date: Tue, 9 Jun 2020 18:38:24 +0000
MIME-Version: 1.0
Content-Language: en-US
Authentication-Results: mail01.ipfire.org;
 auth=pass smtp.mailfrom=peter.mueller@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Quoted from #12432:
> For every boot, any file read through the kernel file reading interface can
> be pinned to the first filesystem used for loading. If you try to load any
> file that comes from other filesystem will be rejected.

IMHO this can be safely enabled as there is no legitimate reason to swap
filesystems on an IPFire machine during runtime.

Partially fixes: #12432

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire        | 2 +-
 config/kernel/kernel.config.armv5tel-ipfire-multi | 2 +-
 config/kernel/kernel.config.i586-ipfire           | 2 +-
 config/kernel/kernel.config.x86_64-ipfire         | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index e0f2f6df8..62b518977 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -6548,7 +6548,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi
index 15183300f..4e0ca0460 100644
--- a/config/kernel/kernel.config.armv5tel-ipfire-multi
+++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
@@ -7030,7 +7030,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 578931497..096ef6141 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -6694,7 +6694,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 6a5fbbfe9..841a45bd0 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6560,7 +6560,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set