From patchwork Mon Sep 19 12:35:41 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 6003
Message-ID: <52660e04-d262-68ab-c42a-429821688153@ipfire.org>
Date: Mon, 19 Sep 2022 12:35:41 +0000
To: "IPFire: Development"
From: Peter Müller
Subject: [RFC PATCH] linux: Enable seccomp filter on ARM

Since last time we checked, the kernel's security features on ARM have improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch therefore proposes to give the seccomp filter on both 32- and 64-bit ARM another try, since it provides a significant security benefit to applications using it.

Due to operational constraints, rootfile changes have been omitted and will be conducted should this patch be approved.

Note to future self: Once this patch is approved, applications using seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.

Fixes: #12366
Fixes: #12370
Cc: Arne Fitzenreiter
Signed-off-by: Peter Müller
---
 config/kernel/kernel.config.aarch64-ipfire | 4 +++-
 config/kernel/kernel.config.armv6l-ipfire  | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b557f4cf3..62ef1316a 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -683,7 +683,9 @@ CONFIG_HAVE_CMPXCHG_DOUBLE=y CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y CONFIG_HAVE_ARCH_SECCOMP=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y -# CONFIG_SECCOMP is not set +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y +# CONFIG_SECCOMP_CACHE_DEBUG is not set CONFIG_HAVE_ARCH_STACKLEAK=y CONFIG_HAVE_STACKPROTECTOR=y CONFIG_STACKPROTECTOR=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index b8e0ee70c..47baada15 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -767,7 +767,9 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y CONFIG_HAVE_ARCH_SECCOMP=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y -# CONFIG_SECCOMP is not set +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y +# CONFIG_SECCOMP_CACHE_DEBUG is not set CONFIG_HAVE_STACKPROTECTOR=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y
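Review bot: in the aarch64 hunk (`@@ -683,7 +683,9 @@`) the context lines already carry `CONFIG_HAVE_ARCH_SECCOMP=y` and `CONFIG_HAVE_ARCH_SECCOMP_FILTER=y`, so the new `CONFIG_SECCOMP_FILTER=y` has its architecture dependency satisfied and the change is internally consistent; what is missing is documentation, since the description says this is "another try" but does not record why `# CONFIG_SECCOMP is not set` was chosen on ARM previously. Please add that reason to the commit message so it is on record if the earlier problem resurfaces, and state that the option was confirmed active on a booted aarch64 kernel before the OpenSSH and Tor rebuilds the description mentions.

Review bot: the armv6l hunk (`@@ -767,7 +767,9 @@`) mirrors the aarch64 one, including leaving `# CONFIG_SECCOMP_CACHE_DEBUG is not set`, which is the right choice for a shipping kernel; the open item is the rootfile update the description explicitly omits, so as an RFC this cannot merge on its own. Suggest either folding the rootfile change into a v2 or noting the follow-up patch it depends on in the description, so the armv6l kernel package is not shipped with a config/rootfile mismatch.

What the flipped option means for the applications named in the description, shown as an added example that is not part of this patch or of IPFire: a probe that distinguishes a kernel built with `CONFIG_SECCOMP_FILTER=y` from the old `# CONFIG_SECCOMP is not set` state, followed by the smallest useful seccomp-BPF program (arch check, one syscall refused with EPERM, everything else allowed). The `FILTER_ARCH` fallback to x86_64 and the `/tmp/seccomp-probe-dir` path are assumptions for the build host; the arm and aarch64 branches are the page's targets.

```c
#define _GNU_SOURCE /* for syscall(2) */
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Audit arch the filter accepts; any other syscall ABI is refused outright. */
#if defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define FILTER_ARCH AUDIT_ARCH_ARM
#else
#define FILTER_ARCH AUDIT_ARCH_X86_64 /* assumed x86_64 build/test host */
#endif
/* 1: kernel has CONFIG_SECCOMP_FILTER (a NULL program yields EFAULT);
 * 0: no filter support (EINVAL, the old "CONFIG_SECCOMP is not set" state). */
int seccomp_filter_supported(void) {
    errno = 0;
    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL); /* always fails */
    return errno == EFAULT ? 1 : 0;
}
/* Check the arch, refuse mkdirat with EPERM, allow everything else. */
static struct sock_filter deny_mkdirat[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Unprivileged installs need no_new_privs; returns 0, or -1 with errno set. */
int install_deny_mkdirat(void) {
    struct sock_fprog prog = { .len = 7, .filter = deny_mkdirat };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* After install, a direct mkdirat must fail with EPERM; returns 1 if it does. */
int mkdirat_is_blocked(void) {
    errno = 0;
    long rc = syscall(__NR_mkdirat, AT_FDCWD, "/tmp/seccomp-probe-dir", 0700);
    return rc == -1 && errno == EPERM;
}
```

On a kernel still built with `# CONFIG_SECCOMP is not set`, `seccomp_filter_supported()` returns 0 and `install_deny_mkdirat()` fails with EINVAL, which is exactly the condition that made OpenSSH and Tor run without their sandboxes on ARM.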