From: Arne Fitzenreiter
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
Date: Mon, 21 Mar 2022 18:15:36 +0100
Message-ID: <5ea67ed518b725070f61be32cfe6e505@ipfire.org>
In-Reply-To: <867bc7ac-1f22-4f70-5a8c-867f0d020e78@ipfire.org>

To my knowledge, LoadPin enforcement is incompatible with initramfs.
https://lwn.net/Articles/682302/

Also, we have some older installations that have a separate /var partition, and /lib/firmware was moved to /var/lib/firmware, so I think we cannot apply this!

Arne

On 2022-03-19 22:09, Peter Müller wrote:
> This can be safely enabled on IPFire, as we never swap filesystems
> during runtime.
>
> Fixes: #12432
>
> Signed-off-by: Peter Müller
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> 4 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire
> b/config/kernel/kernel.config.aarch64-ipfire
> index 35c249253..d9179c061 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> # CONFIG_SECURITY_SAFESETID is not set
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire > b/config/kernel/kernel.config.armv6l-ipfire > index 5b4ff8e20..522278160 100644 > --- a/config/kernel/kernel.config.armv6l-ipfire > +++ b/config/kernel/kernel.config.armv6l-ipfire > @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y > # CONFIG_SECURITY_SMACK is not set > # CONFIG_SECURITY_TOMOYO is not set > # CONFIG_SECURITY_APPARMOR is not set > -# CONFIG_SECURITY_LOADPIN is not set > +CONFIG_SECURITY_LOADPIN=y > +CONFIG_SECURITY_LOADPIN_ENFORCE=y > # CONFIG_SECURITY_YAMA is not set > # CONFIG_SECURITY_SAFESETID is not set > # CONFIG_SECURITY_LOCKDOWN_LSM is not set > diff --git a/config/kernel/kernel.config.riscv64-ipfire > b/config/kernel/kernel.config.riscv64-ipfire > index d4c0e0451..ebb830eb7 100644 > --- a/config/kernel/kernel.config.riscv64-ipfire > +++ b/config/kernel/kernel.config.riscv64-ipfire > @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y > # CONFIG_SECURITY_SMACK is not set > # CONFIG_SECURITY_TOMOYO is not set > # CONFIG_SECURITY_APPARMOR is not set > -# CONFIG_SECURITY_LOADPIN is not set > +CONFIG_SECURITY_LOADPIN=y > +CONFIG_SECURITY_LOADPIN_ENFORCE=y > # CONFIG_SECURITY_YAMA is not set > # CONFIG_SECURITY_SAFESETID is not set > # CONFIG_SECURITY_LOCKDOWN_LSM is not set > diff --git a/config/kernel/kernel.config.x86_64-ipfire > b/config/kernel/kernel.config.x86_64-ipfire > index 8b525ef89..675c3ce1e 100644 > --- a/config/kernel/kernel.config.x86_64-ipfire > +++ b/config/kernel/kernel.config.x86_64-ipfire > @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y > # CONFIG_SECURITY_SMACK is not set > # CONFIG_SECURITY_TOMOYO is not set > # CONFIG_SECURITY_APPARMOR is not set > -# CONFIG_SECURITY_LOADPIN is not set > +CONFIG_SECURITY_LOADPIN=y > +CONFIG_SECURITY_LOADPIN_ENFORCE=y > # CONFIG_SECURITY_YAMA is not set > # CONFIG_SECURITY_SAFESETID is not set > # CONFIG_SECURITY_LOCKDOWN_LSM is not set --===============4091842256587552406==--
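Review bot: The justification in the commit message ("we never swap filesystems during runtime") is not the condition that CONFIG_SECURITY_LOADPIN_ENFORCE=y imposes in the aarch64, armv6l, riscv64 and x86_64 hunks. LoadPin pins to the filesystem that served the first file the kernel loaded and from then on refuses modules, firmware and other kernel-loaded files from any other filesystem, so on an initramfs boot the initramfs becomes the pinned filesystem, and, as the reply in this thread notes, installations that keep /lib/firmware on a separate /var partition (/var/lib/firmware) would no longer be able to load firmware. Suggest keeping CONFIG_SECURITY_LOADPIN=y but leaving the second line as `# CONFIG_SECURITY_LOADPIN_ENFORCE is not set` in all four configs, so the LSM only reports mismatches and enforcement can be turned on per installation with the loadpin.enforce=1 boot parameter once the initramfs and /var layouts have been confirmed to be compatible; the commit message should then record which filesystem is expected to be pinned on IPFire.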
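The reply's two objections (an initramfs, and /lib/firmware relocated to a separate /var partition) are both cases where a kernel-loaded file would come from a filesystem other than the one LoadPin pinned to. The following POSIX shell script is an added example, not IPFire's or the kernel's own tooling: it compares the filesystem backing a chosen "pinned" directory with the directories the kernel loads modules and firmware from and reports every one that enforcement would refuse. It assumes `df -P` is available and uses its Filesystem column as the identity of a mount; the directory list and the choice of / as the pinned filesystem are illustrative assumptions (on an initramfs boot the pinned filesystem is the initramfs itself, which this on-disk check cannot see).

```shell
#!/bin/sh
# Added example (not IPFire's or the kernel's code): check whether every
# directory the kernel loads files from sits on the same filesystem as the
# one LoadPin would pin to. Run it before enabling
# CONFIG_SECURITY_LOADPIN_ENFORCE=y on an existing installation.

# fs_id PATH: print an identity for the filesystem backing PATH, taken from
# the Filesystem column of `df -P`. Prints nothing when PATH does not exist.
fs_id() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }'
}

# report_mismatches PINNED_ID PATH:ID...: print each PATH whose ID differs
# from PINNED_ID, one per line. Pure string logic, so it can be exercised
# with constructed ids without needing real separate mounts.
report_mismatches() {
    pinned="$1"
    shift
    for entry in "$@"; do
        path="${entry%:*}"   # everything before the last colon
        id="${entry##*:}"    # everything after the last colon
        [ "$id" = "$pinned" ] || printf '%s\n' "$path"
    done
}

# loadpin_check PINNED_DIR DIR...: resolve the filesystem of each DIR and
# print the ones that LoadPin, once pinned to PINNED_DIR's filesystem, would
# refuse to load from. Returns 0 when all match, 1 on a mismatch, 2 when the
# pinned directory itself cannot be resolved.
loadpin_check() {
    pinned_dir="$1"
    shift
    pinned_id="$(fs_id "$pinned_dir")"
    [ -n "$pinned_id" ] || { printf 'cannot resolve %s\n' "$pinned_dir" >&2; return 2; }
    pairs=""
    for dir in "$@"; do
        id="$(fs_id "$dir")"
        # A directory that does not exist on this installation cannot be a
        # load source, so note it and move on rather than failing the check.
        [ -n "$id" ] || { printf 'skipping %s: not found\n' "$dir" >&2; continue; }
        pairs="$pairs $dir:$id"
    done
    # Word splitting of $pairs is intentional (paths here contain no spaces).
    mismatches="$(report_mismatches "$pinned_id" $pairs)"
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# When invoked directly as loadpin_check.sh, pin to / (assumption: no
# initramfs) and test the module and firmware directories, including the
# relocated /var/lib/firmware path mentioned in the thread.
if [ "${0##*/}" = "loadpin_check.sh" ]; then
    loadpin_check / /lib/modules /lib/firmware /var/lib/firmware
fi
```

On an installation with /var on its own partition and firmware under /var/lib/firmware, the script prints `/var/lib/firmware` and exits 1, which is exactly the layout the reply says the enforcing configuration would break.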