From mboxrd@z Thu Jan 1 00:00:00 1970 From: Arne Fitzenreiter To: development@lists.ipfire.org Subject: Re: [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN Date: Wed, 10 Jun 2020 17:02:10 +0200 Message-ID: <69b334dfefc16137cc305a7e3d2aae56@ipfire.org> In-Reply-To: <86af19ef-9c55-b83a-7895-25ce81ec97e6@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8322656219379380750==" List-Id: --===============8322656219379380750== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit I think this will not work because we boot from an initrd and later switch to the real rootfs. Arne Am 2020-06-09 20:38, schrieb Peter Müller: > Quoted from #12432: >> For every boot, any file read through the kernel file reading >> interface can >> be pinned to the first filesystem used for loading. If you try to load >> any >> file that comes from other filesystem will be rejected. > > IMHO this can be safely enabled as there is no legitimate reason to > swap > filesystems on an IPFire machine during runtime. > > Partially fixes: #12432 > > Cc: Arne Fitzenreiter > Signed-off-by: Peter Müller > --- > config/kernel/kernel.config.aarch64-ipfire | 2 +- > config/kernel/kernel.config.armv5tel-ipfire-multi | 2 +- > config/kernel/kernel.config.i586-ipfire | 2 +- > config/kernel/kernel.config.x86_64-ipfire | 2 +- > 4 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/config/kernel/kernel.config.aarch64-ipfire > b/config/kernel/kernel.config.aarch64-ipfire > index e0f2f6df8..62b518977 100644 > --- a/config/kernel/kernel.config.aarch64-ipfire > +++ b/config/kernel/kernel.config.aarch64-ipfire > @@ -6548,7 +6548,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y > # CONFIG_SECURITY_SMACK is not set > # CONFIG_SECURITY_TOMOYO is not set > # CONFIG_SECURITY_APPARMOR is not set > -# CONFIG_SECURITY_LOADPIN is not set > +CONFIG_SECURITY_LOADPIN=y > # CONFIG_SECURITY_YAMA is not set > CONFIG_INTEGRITY=y > # CONFIG_INTEGRITY_SIGNATURE is not set > diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi > b/config/kernel/kernel.config.armv5tel-ipfire-multi > index 15183300f..4e0ca0460 100644 > --- a/config/kernel/kernel.config.armv5tel-ipfire-multi > +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi > @@ -7030,7 +7030,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y > # CONFIG_SECURITY_SMACK is not set > # CONFIG_SECURITY_TOMOYO is not set > # CONFIG_SECURITY_APPARMOR is not set > -# CONFIG_SECURITY_LOADPIN is not set > +CONFIG_SECURITY_LOADPIN=y > # CONFIG_SECURITY_YAMA is not set > CONFIG_INTEGRITY=y > # CONFIG_INTEGRITY_SIGNATURE is not set > diff --git a/config/kernel/kernel.config.i586-ipfire > b/config/kernel/kernel.config.i586-ipfire > index 578931497..096ef6141 100644 > --- a/config/kernel/kernel.config.i586-ipfire > +++ b/config/kernel/kernel.config.i586-ipfire > @@ -6694,7 +6694,7 @@ CONFIG_FORTIFY_SOURCE=y > # CONFIG_SECURITY_SMACK is not set > # CONFIG_SECURITY_TOMOYO is not set > # CONFIG_SECURITY_APPARMOR is not set > -# CONFIG_SECURITY_LOADPIN is not set > +CONFIG_SECURITY_LOADPIN=y > # CONFIG_SECURITY_YAMA is not set > CONFIG_INTEGRITY=y > # CONFIG_INTEGRITY_SIGNATURE is not set > diff --git a/config/kernel/kernel.config.x86_64-ipfire > b/config/kernel/kernel.config.x86_64-ipfire > index 6a5fbbfe9..841a45bd0 100644 > --- a/config/kernel/kernel.config.x86_64-ipfire > +++ b/config/kernel/kernel.config.x86_64-ipfire > @@ -6560,7 +6560,7 @@ CONFIG_FORTIFY_SOURCE=y > # CONFIG_SECURITY_SMACK is not set > # CONFIG_SECURITY_TOMOYO is not set > # CONFIG_SECURITY_APPARMOR is not set > -# CONFIG_SECURITY_LOADPIN is not set > +CONFIG_SECURITY_LOADPIN=y > # CONFIG_SECURITY_YAMA is not set > CONFIG_INTEGRITY=y > # CONFIG_INTEGRITY_SIGNATURE is not set --===============8322656219379380750==--