From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
Date: Wed, 23 Mar 2022 11:46:59 +0000
Message-ID: <19209BED-3B89-4234-BA37-230E04A8D9ED@ipfire.org>
In-Reply-To: <1e8ebe39-63a5-6c76-764b-b8293fb5cfa2@ipfire.org>

Where is this whitelist defined then? We use setuid and I would assume that this change will break all misc-progs.

-Michael

> On 19 Mar 2022, at 21:09, Peter Müller wrote:
>
> Signed-off-by: Peter Müller
> --- > config/kernel/kernel.config.aarch64-ipfire | 2 +- > config/kernel/kernel.config.armv6l-ipfire | 2 +- > config/kernel/kernel.config.riscv64-ipfire | 2 +- > config/kernel/kernel.config.x86_64-ipfire | 2 +- > 4 files changed, 4 insertions(+), 4 deletions(-) >=20 > diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/ker= nel.config.aarch64-ipfire > index b2ef43e51..b485c2fb6 100644 > --- a/config/kernel/kernel.config.aarch64-ipfire > +++ b/config/kernel/kernel.config.aarch64-ipfire > @@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=3Dy > CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > -# CONFIG_SECURITY_SAFESETID is not set > +CONFIG_SECURITY_SAFESETID=3Dy > # CONFIG_SECURITY_LOCKDOWN_LSM is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kern= el.config.armv6l-ipfire > index 13326a29c..98b554d91 100644 > --- a/config/kernel/kernel.config.armv6l-ipfire > +++ b/config/kernel/kernel.config.armv6l-ipfire 
> @@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=3Dy > CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > -# CONFIG_SECURITY_SAFESETID is not set > +CONFIG_SECURITY_SAFESETID=3Dy > # CONFIG_SECURITY_LOCKDOWN_LSM is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/ker= nel.config.riscv64-ipfire > index fa4ee46fa..b595ae8cd 100644 > --- a/config/kernel/kernel.config.riscv64-ipfire > +++ b/config/kernel/kernel.config.riscv64-ipfire > @@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=3Dy > CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > -# CONFIG_SECURITY_SAFESETID is not set > +CONFIG_SECURITY_SAFESETID=3Dy > # CONFIG_SECURITY_LOCKDOWN_LSM is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kern= el.config.x86_64-ipfire > index e6a03a9e5..b325feb1d 100644 > --- a/config/kernel/kernel.config.x86_64-ipfire > +++ b/config/kernel/kernel.config.x86_64-ipfire > @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=3Dy > CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > -# CONFIG_SECURITY_SAFESETID is not set > +CONFIG_SECURITY_SAFESETID=3Dy > # CONFIG_SECURITY_LOCKDOWN_LSM is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > --=20 > 2.34.1
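
Review bot: The one-line switch to CONFIG_SECURITY_SAFESETID=y, identical in all four config hunks (aarch64, armv6l, riscv64, x86_64), arrives with a commit message that holds only a Signed-off-by line, so nothing states where the setid allowlist is supposed to come from or what is expected to happen to existing setuid helpers. Building SafeSetID in restricts nothing by itself: the LSM also has to appear in the active LSM list (CONFIG_LSM or the lsm= boot parameter, neither of which is touched in these hunks), and it only gates transitions for UIDs/GIDs named in a policy written to the safesetid files in securityfs. Please add a commit body that says whether the policy and the LSM list change follow in another patch of this 11-part series, and what the intended behaviour is while no policy is loaded.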