I think this will not work because we boot from an initrd and later switch to the real rootfs.

Arne


Am 2020-06-09 20:38, schrieb Peter Müller:
> Quoted from #12432:
>> For every boot, any file read through the kernel file reading interface can
>> be pinned to the first filesystem used for loading. Any file you try to load
>> that comes from another filesystem will be rejected.
> 
> IMHO this can be safely enabled as there is no legitimate reason to swap
> filesystems on an IPFire machine during runtime.
> 
> Partially fixes: #12432
> 
> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
>  config/kernel/kernel.config.aarch64-ipfire        | 2 +-
>  config/kernel/kernel.config.armv5tel-ipfire-multi | 2 +-
>  config/kernel/kernel.config.i586-ipfire           | 2 +-
>  config/kernel/kernel.config.x86_64-ipfire         | 2 +-
>  4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire
> b/config/kernel/kernel.config.aarch64-ipfire
> index e0f2f6df8..62b518977 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -6548,7 +6548,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
>  # CONFIG_SECURITY_YAMA is not set
>  CONFIG_INTEGRITY=y
>  # CONFIG_INTEGRITY_SIGNATURE is not set
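Review bot: the `+CONFIG_SECURITY_LOADPIN=y` line pins kernel file loads to the first filesystem a module or firmware file is read from, and on an install that boots through an initrd that first filesystem is the initramfs, not the real root, so every module or firmware load after the switch to the real rootfs would be rejected. Before this lands in all four architecture configs, boot-test an initrd install with the new kernel and confirm in the boot log that the filesystem LoadPin reports as pinned is the one the later loads come from, or state in the commit why the initrd path is not affected.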
> diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi
> b/config/kernel/kernel.config.armv5tel-ipfire-multi
> index 15183300f..4e0ca0460 100644
> --- a/config/kernel/kernel.config.armv5tel-ipfire-multi
> +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
> @@ -7030,7 +7030,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
>  # CONFIG_SECURITY_YAMA is not set
>  CONFIG_INTEGRITY=y
>  # CONFIG_INTEGRITY_SIGNATURE is not set
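Review bot: the hunk enables LoadPin without showing the enforcement sub-option. Newer kernels have `CONFIG_SECURITY_LOADPIN_ENFORCE`, which decides whether a load from a non-pinned filesystem is denied or only logged, and `loadpin.enforce=` on the kernel command line overrides it at boot; if the kernel these configs are for has that option, set it in the same change (or state its value in the commit message), otherwise say explicitly that enforcement is unconditional in this kernel version, because a reader of this hunk alone cannot tell which behaviour is being turned on.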
> diff --git a/config/kernel/kernel.config.i586-ipfire
> b/config/kernel/kernel.config.i586-ipfire
> index 578931497..096ef6141 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -6694,7 +6694,7 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
>  # CONFIG_SECURITY_YAMA is not set
>  CONFIG_INTEGRITY=y
>  # CONFIG_INTEGRITY_SIGNATURE is not set
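Review bot: the commit message says "Partially fixes: #12432" but does not say what part of the bug stays open; LoadPin covers only files read through the kernel file reading interface (modules, firmware and similar), so please list in the message which items of #12432 this change does not address. As a verification step for the commit message, `dmesg | grep -i loadpin` after the first boot shows the "pinned" message with the filesystem that was pinned, and `grep -n SECURITY_LOADPIN config/kernel/kernel.config.*` confirms all four hand-maintained configs (this i586 hunk sits in different context, `CONFIG_FORTIFY_SOURCE=y`, than the ARM ones) carry the same value.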
> diff --git a/config/kernel/kernel.config.x86_64-ipfire
> b/config/kernel/kernel.config.x86_64-ipfire
> index 6a5fbbfe9..841a45bd0 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6560,7 +6560,7 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
>  # CONFIG_SECURITY_YAMA is not set
>  CONFIG_INTEGRITY=y
>  # CONFIG_INTEGRITY_SIGNATURE is not set
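As an added example, not code from IPFire or from the Linux kernel: a small user-space model of the LoadPin rule quoted in the patch (pin kernel file loads to the first filesystem used, reject files from any other filesystem), run over a constructed boot sequence that starts in an initrd and then switches to the real root filesystem, which is the case raised in the reply above. The filesystem labels, file paths and the order of loads are made up for illustration; the kernel compares superblock pointers where this model compares strings, and the model leaves out LoadPin's excluded file types and its handling of the old `init_module` API.

```c
/*
 * Added example, not IPFire or Linux kernel code: a user-space model of the
 * LoadPin rule (pin kernel file loads to the first filesystem used, reject
 * files from any other filesystem). Filesystem labels, file paths and the
 * order of loads below are constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum load_result {
	LOAD_PINNED,   /* first load: this filesystem becomes the pin */
	LOAD_ALLOWED,  /* same filesystem as the pin */
	LOAD_DENIED,   /* other filesystem, enforcement on (kernel: -EPERM) */
	LOAD_IGNORED,  /* other filesystem, enforcement off: allowed, only logged */
};

static const char *const result_name[] = {
	"pinned", "allowed", "denied", "pinning-ignored",
};

struct loadpin_model {
	const char *pinned_root; /* NULL until the first load, then set once */
	bool enforce;            /* stands in for the kernel's enforce flag */
};

/*
 * The per-load decision. The kernel compares superblock pointers; here a
 * string label such as "ext4:/dev/sda1" stands in for a superblock.
 */
static enum load_result loadpin_check(struct loadpin_model *lp,
				      const char *fs, const char *path)
{
	enum load_result r;

	if (lp->pinned_root == NULL) {
		lp->pinned_root = fs;
		r = LOAD_PINNED;
	} else if (strcmp(lp->pinned_root, fs) == 0) {
		r = LOAD_ALLOWED;
	} else if (lp->enforce) {
		r = LOAD_DENIED;
	} else {
		r = LOAD_IGNORED;
	}

	printf("loadpin: %-15s %s (from %s, pinned root %s)\n",
	       result_name[r], path, fs, lp->pinned_root);
	return r;
}

struct load {
	const char *fs;   /* filesystem the file is read from */
	const char *path; /* constructed path, used for the log line only */
};

/* Runs a sequence of loads through the model and counts the denials. */
static int run_loads(bool enforce, const struct load *loads, size_t n)
{
	struct loadpin_model lp = { .pinned_root = NULL, .enforce = enforce };
	int denied = 0;
	size_t i;

	for (i = 0; i < n; i++)
		if (loadpin_check(&lp, loads[i].fs, loads[i].path) == LOAD_DENIED)
			denied++;
	return denied;
}

/*
 * The initrd case: the first module and firmware come from the initramfs,
 * then the system switches to the real root and keeps loading from there.
 * Returns how many loads were denied.
 */
static int simulate_initrd_boot(bool enforce)
{
	static const struct load loads[] = {
		{ "rootfs(initramfs)", "/lib/modules/ext4.ko" },
		{ "rootfs(initramfs)", "/lib/firmware/nic.bin" },
		/* switch_root happened here: everything below is on the real root */
		{ "ext4:/dev/sda1", "/lib/modules/xt_conntrack.ko" },
		{ "ext4:/dev/sda1", "/lib/modules/nf_nat.ko" },
	};
	return run_loads(enforce, loads, sizeof(loads) / sizeof(loads[0]));
}

/* The commit message's assumption: every load comes from the one root. */
static int simulate_direct_boot(bool enforce)
{
	static const struct load loads[] = {
		{ "ext4:/dev/sda1", "/lib/modules/ext4.ko" },
		{ "ext4:/dev/sda1", "/lib/modules/xt_conntrack.ko" },
		{ "ext4:/dev/sda1", "/lib/firmware/nic.bin" },
	};
	return run_loads(enforce, loads, sizeof(loads) / sizeof(loads[0]));
}

int main(void)
{
	printf("-- initrd boot, enforcing: %d denied\n", simulate_initrd_boot(true));
	printf("-- initrd boot, not enforcing: %d denied\n", simulate_initrd_boot(false));
	printf("-- direct boot, enforcing: %d denied\n", simulate_direct_boot(true));
	return 0;
}
```

With enforcement on, the initrd sequence pins to the initramfs on the first load and denies both loads that follow the switch to the real root, while the direct-boot sequence denies nothing; with enforcement off the mismatching loads are only logged. That is the difference the patch discussion turns on: the pin is taken by whichever filesystem serves the very first module or firmware read, and an initramfs is a different filesystem from the root it hands over to.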