From: Arne Fitzenreiter <arne_f@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN
Date: Wed, 10 Jun 2020 17:02:10 +0200 [thread overview]
Message-ID: <69b334dfefc16137cc305a7e3d2aae56@ipfire.org> (raw)
In-Reply-To: <86af19ef-9c55-b83a-7895-25ce81ec97e6@ipfire.org>
I think this will not work because we boot from an initrd and later switch to the real rootfs.
Arne
On 2020-06-09 20:38, Peter Müller wrote:
> Quoted from #12432:
>> For every boot, any file read through the kernel file reading interface can
>> be pinned to the first filesystem used for loading. Any file you try to load
>> that comes from another filesystem will be rejected.
>
> IMHO this can be safely enabled as there is no legitimate reason to swap
> filesystems on an IPFire machine during runtime.
>
> Partially fixes: #12432
>
> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv5tel-ipfire-multi | 2 +-
> config/kernel/kernel.config.i586-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire
> b/config/kernel/kernel.config.aarch64-ipfire
> index e0f2f6df8..62b518977 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -6548,7 +6548,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
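Review bot: The pinning described in the quoted #12432 text ("pinned to the first filesystem used for loading") is at odds with the boot path Arne describes in his reply: when the kernel boots from an initrd and later switches to the real rootfs, the first filesystem used for loading is the initramfs, so files read through the kernel file reading interface from the real root afterwards are exactly what LoadPin would reject. Before flipping `CONFIG_SECURITY_LOADPIN=y` for aarch64, the commit message should explain how the initrd-to-rootfs switch is reconciled with this, or the change should wait until it is.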
> diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi
> b/config/kernel/kernel.config.armv5tel-ipfire-multi
> index 15183300f..4e0ca0460 100644
> --- a/config/kernel/kernel.config.armv5tel-ipfire-multi
> +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
> @@ -7030,7 +7030,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
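Review bot: The justification in the commit message ("no legitimate reason to swap filesystems on an IPFire machine during runtime") does not cover the boot sequence itself, which Arne's reply says does change filesystems (initrd first, then the real rootfs). For armv5tel-multi as for the other configs, the message should either state that the initrd hand-over does not trip the pin or acknowledge the gap; as written, the rationale reads stronger than the thread supports.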
> diff --git a/config/kernel/kernel.config.i586-ipfire
> b/config/kernel/kernel.config.i586-ipfire
> index 578931497..096ef6141 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -6694,7 +6694,7 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
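Review bot: This patch is labelled "Partially fixes: #12432", and the thread overview shows the enforcement knob (`CONFIG_SECURITY_LOADPIN_ENFORCE`) arriving separately in [PATCH 2/2]. If 1/2 is applied on i586 without 2/2, the effective behaviour depends on the kernel's default for that enforce setting, which this hunk does not pin down; consider stating that default in the commit message, or squashing the two patches so the resulting config is reviewed as one unit.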
> diff --git a/config/kernel/kernel.config.x86_64-ipfire
> b/config/kernel/kernel.config.x86_64-ipfire
> index 6a5fbbfe9..841a45bd0 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6560,7 +6560,7 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
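Review bot: No boot test is mentioned for any of the four architectures, and x86_64 is where Arne's initrd-then-rootfs concern can be checked most directly. Please record in the commit message the result of booting an x86_64 image with this config and confirming that files loaded after the switch to the real rootfs are still accepted; without that, "can be safely enabled" is an assertion rather than an observation.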
2020-06-09 18:38 Peter Müller
2020-06-09 18:38 ` [PATCH 2/2] kernel: enable CONFIG_SECURITY_LOADPIN_ENFORCE Peter Müller
2020-06-10 15:02 ` Arne Fitzenreiter [this message]