Message ID | 867bc7ac-1f22-4f70-5a8c-867f0d020e78@ipfire.org |
---|---|
State | Rejected |
Headers | Subject: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem; From: Peter Müller <peter.mueller@ipfire.org>; To: development@lists.ipfire.org; Date: Sat, 19 Mar 2022 21:09:13 +0000; Message-ID: <867bc7ac-1f22-4f70-5a8c-867f0d020e78@ipfire.org>; In-Reply-To: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org> |
Series | Kernel: Improve hardening |
Commit Message
Peter Müller
March 19, 2022, 9:09 p.m. UTC
This can be safely enabled on IPFire, as we never swap filesystems
during runtime.
Fixes: #12432
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 3 ++-
config/kernel/kernel.config.armv6l-ipfire | 3 ++-
config/kernel/kernel.config.riscv64-ipfire | 3 ++-
config/kernel/kernel.config.x86_64-ipfire | 3 ++-
4 files changed, 8 insertions(+), 4 deletions(-)
Comments
To my knowledge, enforced loadpin is incompatible with initramfs. https://lwn.net/Articles/682302/

Also we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware, so I think we cannot apply this!

Arne

On 2022-03-19 22:09, Peter Müller wrote:
> This can be safely enabled on IPFire, as we never swap filesystems
> during runtime.
>
> Fixes: #12432
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> [...]
Hello,

> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f@ipfire.org> wrote:
>
> To my knowledge, enforced loadpin is incompatible with initramfs.
> https://lwn.net/Articles/682302/

I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.

> Also we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware
> so I think we cannot apply this!

The firmware currently is in /lib/firmware and since we have now a way to compress it, there is no need to move it any more. That should allow us to enable this switch.

Best,
-Michael

> Arne
>
>
> On 2022-03-19 22:09, Peter Müller wrote:
>> This can be safely enabled on IPFire, as we never swap filesystems
>> during runtime.
>> Fixes: #12432
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> [...]
On 2022-03-21 19:50, Michael Tremer wrote:
> Hello,
>
>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f@ipfire.org> wrote:
>>
>> To my knowledge, enforced loadpin is incompatible with initramfs.
>> https://lwn.net/Articles/682302/
>
> I cannot find that being mentioned in this article. And I am not sure
> whether the initramdisk counts as its own file system.
>

Quoting what I think is the relevant section from the article:

"The current module is also likely to run into trouble on systems that boot with an initramfs image; the first modules will almost certainly be loaded from that image (that's why it exists, usually), causing loads to be pinned to a temporary filesystem that will go away at the end of the bootstrap process. In the current patch, if the filesystem to which loading is pinned disappears, loading of files will be disabled entirely — behavior that makes sense, but which may not lead to the desired results in an initramfs setting."

And a somewhat related discussion:
https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021

And a patch to the kernel, which I could not figure out whether it has been merged:
https://lkml.org/lkml/2021/4/8/1446

But it does not seem to be merged to me:
https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c

Alf

>> Also we have some older installations that have a separate /var
>> partition and /lib/firmware was moved to /var/lib/firmware
>> so I think we cannot apply this!
>
> The firmware currently is in /lib/firmware and since we have now a way
> to compress it, there is no need to move it any more. That should
> allow us to enable this switch.
>
> Best,
> -Michael
>
>> Arne
>>
>>
>> On 2022-03-19 22:09, Peter Müller wrote:
>>> This can be safely enabled on IPFire, as we never swap filesystems
>>> during runtime.
>>> Fixes: #12432
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> [...]
Hello,

Hmm, Peter confirmed to me that this works on the kernel he built.

> On 21 Mar 2022, at 20:24, alf@i100.no wrote:
>
> On 2022-03-21 19:50, Michael Tremer wrote:
>> Hello,
>>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f@ipfire.org> wrote:
>>> To my knowledge, enforced loadpin is incompatible with initramfs.
>>> https://lwn.net/Articles/682302/
>> I cannot find that being mentioned in this article. And I am not sure
>> whether the initramdisk counts as its own file system.
>
> Quoting what I think is the relevant section from the article:
> "
> The current module is also likely to run into trouble on systems that boot with an initramfs image; the first modules will almost certainly be loaded from that image (that's why it exists, usually), causing loads to be pinned to a temporary filesystem that will go away at the end of the bootstrap process. In the current patch, if the filesystem to which loading is pinned disappears, loading of files will be disabled entirely — behavior that makes sense, but which may not lead to the desired results in an initramfs setting.
> "

Thank you for helping me find the correct paragraph.

> And a somewhat related discussion:
> https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021

I generally do agree that it does not make a lot of sense for kernel modules to have this enabled. We sign our kernel modules anyway, which means that we do not need to trust the filesystem we load them from.

However, there is some benefit here for firmware and other files the kernel loads. Those have no protection, and we can slightly mitigate any attacks here. How likely is this? Very unlikely, but still we can protect ourselves against them.

So this means that we potentially cannot enable the ENFORCE mode. But we can boot up the system and very early in the boot process set the loadpin sysctl so that any other file systems being mounted after that point can be used to load any files into the kernel.

@Peter: Would you please change the patch?

-Michael

> And a patch to the kernel, which I could not figure out whether it has been merged:
> https://lkml.org/lkml/2021/4/8/1446
> But it does not seem to be merged to me:
> https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c
>
> Alf
>
>>> Also we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware
>>> so I think we cannot apply this!
>> The firmware currently is in /lib/firmware and since we have now a way
>> to compress it, there is no need to move it any more. That should
>> allow us to enable this switch.
>> Best,
>> -Michael
>>> Arne
>>> On 2022-03-19 22:09, Peter Müller wrote:
>>>> This can be safely enabled on IPFire, as we never swap filesystems
>>>> during runtime.
>>>> Fixes: #12432
>>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>>> ---
>>>> [...]
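The alternative Michael proposes above (build LoadPin in without compile-time enforcement, then enforce from early userspace once the final root is mounted), written out as an added example that is not IPFire code. It assumes a Linux kernel with CONFIG_SECURITY_LOADPIN=y and the ENFORCE option unset, so that the `/proc/sys/kernel/loadpin/enforce` sysctl exists, and it treats /lib/modules and /lib/firmware as the directories whose filesystem must match the root (the separate /var case from Arne's mail is exactly what the check refuses):

```shell
#!/bin/sh
# Added example (not IPFire code): enable LoadPin enforcement from early
# userspace instead of CONFIG_SECURITY_LOADPIN_ENFORCE, and only after
# checking that every directory the kernel loads files from sits on the
# root filesystem. Assumes Linux with CONFIG_SECURITY_LOADPIN=y and the
# ENFORCE option unset, so /proc/sys/kernel/loadpin/enforce is present.

# Directories the kernel reads files from once the final root is mounted
# (assumed list; extend it if the kernel loads from anywhere else).
LOADPIN_LOAD_DIRS="/lib/modules /lib/firmware"
LOADPIN_SYSCTL="${LOADPIN_SYSCTL:-/proc/sys/kernel/loadpin/enforce}"

# Print the device number of the filesystem holding $1. Symlinks are
# followed, so /lib/firmware -> /var/lib/firmware resolves to the /var
# device. Fails if the path does not exist.
fs_device() {
    [ -e "$1" ] || return 1
    stat -c %d "$1" 2>/dev/null || stat -f %d "$1" 2>/dev/null  # GNU, then BSD stat
}

# Succeed only if every argument lives on the same filesystem as the first.
same_filesystem() {
    ref=$(fs_device "$1") || return 1
    shift
    for p in "$@"; do
        dev=$(fs_device "$p") || return 1
        [ "$dev" = "$ref" ] || return 1
    done
    return 0
}

# LoadPin pins to the filesystem of the first file it reads and rejects
# every other filesystem afterwards, so enforcing is only safe when all
# load directories are on the root filesystem. A separate /var holding the
# firmware makes this fail, which is the case Arne raised.
loadpin_enforce_is_safe() {
    # word splitting of the directory list is intended
    same_filesystem / $LOADPIN_LOAD_DIRS
}

# Report the current mode: "enforcing", "permissive" or "unavailable"
# (the last when the kernel lacks LoadPin or does not expose the sysctl).
loadpin_status() {
    [ -r "$LOADPIN_SYSCTL" ] || { echo unavailable; return 0; }
    case $(cat "$LOADPIN_SYSCTL") in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Flip the sysctl (it only accepts 1; enforcement cannot be switched off
# again at runtime). Returns 0 when enforcement is active afterwards.
loadpin_enforce() {
    if ! loadpin_enforce_is_safe; then
        echo "loadpin: load directories span several filesystems, not enforcing" >&2
        return 1
    fi
    [ -w "$LOADPIN_SYSCTL" ] || { echo "loadpin: sysctl not writable" >&2; return 1; }
    echo 1 > "$LOADPIN_SYSCTL"
    [ "$(loadpin_status)" = enforcing ]
}

# Typical use from an early init script, after the root filesystem is up:
#   loadpin_enforce || logger -p kern.warning "LoadPin left permissive"
```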
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 35c249253..d9179c061 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 5b4ff8e20..522278160 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index d4c0e0451..ebb830eb7 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 8b525ef89..675c3ce1e 100644 --- a/config/kernel/kernel.config.x86_64-ipfire 
+++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set
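Review bot: Replacing `# CONFIG_SECURITY_LOADPIN is not set` with `CONFIG_SECURITY_LOADPIN=y` plus `CONFIG_SECURITY_LOADPIN_ENFORCE=y` in the aarch64 hunk fixes enforcement at build time, so the pin is taken from whichever filesystem the first module or firmware file is read from and cannot be relaxed afterwards; the two concerns raised in the thread (an initramfs being that first filesystem, and older installations with /lib/firmware relocated to a separate /var partition) then become denied loads rather than a policy that early userspace can still adjust. Suggest keeping `CONFIG_SECURITY_LOADPIN=y` but dropping the `ENFORCE` line and enabling enforcement via the `kernel.loadpin.enforce` sysctl once the final root filesystem is in place, as proposed in the discussion; the armv6l, riscv64 and x86_64 hunks make the identical change and need the same adjustment. The commit message's statement that IPFire never swaps filesystems at runtime should also say whether that covers the initramfs-to-root switch, since that is the case the cited LWN article warns about.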