From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
Date: Mon, 21 Mar 2022 18:50:03 +0000
Message-ID: <63A98A2B-447B-4613-96FA-45C220F94BE4@ipfire.org>
In-Reply-To: <5ea67ed518b725070f61be32cfe6e505@ipfire.org>

Hello,

> On 21 Mar 2022, at 17:15, Arne Fitzenreiter wrote:
>
> To my knowledge enforced loadpin is incompatible with initramfs.
> https://lwn.net/Articles/682302/

I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.

> Also we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware
> so I think we cannot apply this!

The firmware currently is in /lib/firmware and since we now have a way to compress it, there is no need to move it any more. That should allow us to enable this switch.

Best,
-Michael

> Arne
>
>
> On 2022-03-19 22:09, Peter Müller wrote:
>> This can be safely enabled on IPFire, as we never swap filesystems
>> during runtime.
>> Fixes: #12432
>> Signed-off-by: Peter Müller
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
>> 4 files changed, 8 insertions(+), 4 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>> b/config/kernel/kernel.config.aarch64-ipfire
>> index 35c249253..d9179c061 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=3Dy >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=3Dy >> +CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set >> diff --git a/config/kernel/kernel.config.armv6l-ipfire >> b/config/kernel/kernel.config.armv6l-ipfire >> index 5b4ff8e20..522278160 100644 >> --- a/config/kernel/kernel.config.armv6l-ipfire >> +++ b/config/kernel/kernel.config.armv6l-ipfire >> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=3Dy >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=3Dy >> +CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set >> diff --git a/config/kernel/kernel.config.riscv64-ipfire >> b/config/kernel/kernel.config.riscv64-ipfire >> index d4c0e0451..ebb830eb7 100644 >> --- a/config/kernel/kernel.config.riscv64-ipfire >> +++ b/config/kernel/kernel.config.riscv64-ipfire >> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=3Dy >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=3Dy >> +CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set >> diff --git a/config/kernel/kernel.config.x86_64-ipfire >> b/config/kernel/kernel.config.x86_64-ipfire >> index 8b525ef89..675c3ce1e 100644 >> --- a/config/kernel/kernel.config.x86_64-ipfire >> +++ b/config/kernel/kernel.config.x86_64-ipfire 
>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=3Dy >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=3Dy >> +CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
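Review bot: the `+CONFIG_SECURITY_LOADPIN_ENFORCE=y` line in each of the four hunks (aarch64, armv6l, riscv64, x86_64) switches enforcement on unconditionally at boot, and the commit message's justification, "we never swap filesystems during runtime", does not answer the initramfs concern Arne raises in this thread. LoadPin pins to the filesystem of the first file read through the kernel file-reading interface (module, firmware, kexec image, security policy), and once that pinned filesystem is unmounted it refuses every further load; a module or firmware blob read from an initramfs before the switch to the real root therefore leaves the running system unable to load anything afterwards. Either state in the commit message that IPFire's boot path reads nothing through that interface before the real root is mounted, or drop the ENFORCE line and start with `+CONFIG_SECURITY_LOADPIN=y` alone, which only enforces when `loadpin.enforce=1` is on the kernel command line and can be trialled on a test installation first.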
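Review bot: none of the four hunks touches CONFIG_LSM, yet LoadPin is only initialised when "loadpin" appears in that list (or in `lsm=` on the kernel command line, which replaces it); if any of the four IPFire configs carries a CONFIG_LSM value without it, these two added lines compile the code in but it never runs. Please check the CONFIG_LSM value in each of the four files and add it to the diff where it has to change. Also worth a sentence in the commit message: the Kconfig help for SECURITY_LOADPIN recommends a root filesystem on a read-only device, and when the pinned filesystem sits on a writable block device LoadPin registers a `kernel.loadpin.enforce` sysctl through which root can switch enforcement off again, so on a writable root the protection is weaker than ENFORCE suggests.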
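As an added example for the question the thread is circling (can this switch be applied, and what does it actually do on a given installation), the script below is not IPFire project code or part of the patch: given a kernel .config and a kernel command line, it reports whether LoadPin would be built, initialised and enforcing. It encodes two kernel facts the patch relies on implicitly: an LSM is only initialised if it appears in CONFIG_LSM (or in `lsm=` on the command line, which replaces that list), and CONFIG_SECURITY_LOADPIN_ENFORCE=y is equivalent to booting with `loadpin.enforce=1`, which a `loadpin.enforce=0` command line can still override. The sample .config fragments and command lines are constructed for the example, and the state names are the script's own.

```shell
#!/bin/sh
# Added example, not IPFire code: report the effective LoadPin state that a
# kernel .config plus a kernel command line would produce.
# States printed by loadpin_state:
#   not-built          CONFIG_SECURITY_LOADPIN is not =y
#   built-not-enabled  built, but "loadpin" is absent from the active LSM list
#                      (CONFIG_LSM, or lsm= on the command line, which replaces it)
#   permissive         initialised, but only logging (no enforcement)
#   enforcing          initialised and refusing loads from other filesystems
# Not modelled: the legacy security= parameter and the runtime
# kernel.loadpin.enforce sysctl that exists when the pinned device is writable.

# config_val FILE SYMBOL -> value after "SYMBOL=" with quotes stripped;
# prints nothing for "# SYMBOL is not set" or a missing symbol.
config_val() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# cmdline_val CMDLINE KEY -> value of KEY=... on the command line, or nothing.
# Always returns 0 so it is safe inside $(...) under set -e.
cmdline_val() {
    for w in $1; do
        case "$w" in
            "$2"=*) printf '%s\n' "${w#*=}"; return 0 ;;
        esac
    done
    return 0
}

# in_list LIST ITEM -> succeeds if ITEM is one comma-separated element of LIST.
in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# loadpin_state CONFIGFILE CMDLINE -> prints one of the states listed above.
loadpin_state() {
    cfg=$1
    cmdline=$2

    if [ "$(config_val "$cfg" CONFIG_SECURITY_LOADPIN)" != "y" ]; then
        echo not-built
        return 0
    fi

    # lsm= replaces CONFIG_LSM entirely; an LSM not in the list is never initialised.
    lsms=$(cmdline_val "$cmdline" lsm)
    if [ -z "$lsms" ]; then
        lsms=$(config_val "$cfg" CONFIG_LSM)
    fi
    if ! in_list "$lsms" loadpin; then
        echo built-not-enabled
        return 0
    fi

    # CONFIG_SECURITY_LOADPIN_ENFORCE=y is the build-time default for the
    # loadpin.enforce module parameter; the command line overrides it either way.
    enforce=0
    if [ "$(config_val "$cfg" CONFIG_SECURITY_LOADPIN_ENFORCE)" = "y" ]; then
        enforce=1
    fi
    override=$(cmdline_val "$cmdline" loadpin.enforce)
    if [ -n "$override" ]; then
        enforce=$override
    fi

    if [ "$enforce" = "1" ]; then echo enforcing; else echo permissive; fi
}

# Constructed sample configs (not real IPFire files): the two lines the patch
# adds, with and without "loadpin" in CONFIG_LSM, plus an unpatched fragment.
WORK=$(mktemp -d)
cat > "$WORK/patched.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity"
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENFORCE=y
EOF
cat > "$WORK/nolsm.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_LSM="landlock,lockdown,yama,safesetid,integrity"
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENFORCE=y
EOF
cat > "$WORK/old.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity"
# CONFIG_SECURITY_LOADPIN is not set
EOF

loadpin_state "$WORK/patched.config" "root=/dev/sda3 ro"                   # enforcing
loadpin_state "$WORK/patched.config" "root=/dev/sda3 ro loadpin.enforce=0" # permissive
loadpin_state "$WORK/nolsm.config"   "root=/dev/sda3 ro"                   # built-not-enabled
loadpin_state "$WORK/nolsm.config"   "lsm=lockdown,yama,loadpin"           # enforcing
loadpin_state "$WORK/old.config"     ""                                    # not-built
```

On a real system, point it at the running kernel's config and `/proc/cmdline` before flipping ENFORCE. Which filesystem the pin actually lands on (initramfs or real root) is decided at runtime by the first file read, so that part still has to be checked from LoadPin's boot log messages, which this script does not cover.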