From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity" Date: Wed, 23 Mar 2022 17:50:54 +0000 Message-ID: <77F17CE3-D3EB-42F5-8BE7-461453CF4DD9@ipfire.org> In-Reply-To: <3cdff493-ce39-353e-3c24-7b4ab93bc3ff@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4894875220752682485==" List-Id: --===============4894875220752682485== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This looks good to me. Reviewed-by: Michael Tremer > On 19 Mar 2022, at 21:10, Peter M=C3=BCller wr= ote: >=20 > Signed-off-by: Peter M=C3=BCller > --- > config/kernel/kernel.config.aarch64-ipfire | 6 +++++- > config/kernel/kernel.config.armv6l-ipfire | 6 +++++- > config/kernel/kernel.config.riscv64-ipfire | 6 +++++- > config/kernel/kernel.config.x86_64-ipfire | 6 +++++- > 4 files changed, 20 insertions(+), 4 deletions(-) >=20 > diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/ker= nel.config.aarch64-ipfire > index b485c2fb6..356d9051d 100644 > --- a/config/kernel/kernel.config.aarch64-ipfire > +++ b/config/kernel/kernel.config.aarch64-ipfire > @@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > CONFIG_SECURITY_SAFESETID=3Dy > -# CONFIG_SECURITY_LOCKDOWN_LSM is not set > +CONFIG_SECURITY_LOCKDOWN_LSM=3Dy > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set > +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > # CONFIG_INTEGRITY_SIGNATURE is not set > diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kern= el.config.armv6l-ipfire > index 98b554d91..9dab473d4 100644 > --- a/config/kernel/kernel.config.armv6l-ipfire 
> +++ b/config/kernel/kernel.config.armv6l-ipfire > @@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > CONFIG_SECURITY_SAFESETID=3Dy > -# CONFIG_SECURITY_LOCKDOWN_LSM is not set > +CONFIG_SECURITY_LOCKDOWN_LSM=3Dy > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set > +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > # CONFIG_INTEGRITY_SIGNATURE is not set > diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/ker= nel.config.riscv64-ipfire > index b595ae8cd..adef88dc9 100644 > --- a/config/kernel/kernel.config.riscv64-ipfire > +++ b/config/kernel/kernel.config.riscv64-ipfire > @@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > CONFIG_SECURITY_SAFESETID=3Dy > -# CONFIG_SECURITY_LOCKDOWN_LSM is not set > +CONFIG_SECURITY_LOCKDOWN_LSM=3Dy > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set > +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > # CONFIG_INTEGRITY_SIGNATURE is not set > diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kern= el.config.x86_64-ipfire > index b325feb1d..222b2dc53 100644 > --- a/config/kernel/kernel.config.x86_64-ipfire > +++ b/config/kernel/kernel.config.x86_64-ipfire 
> @@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=3Dy > CONFIG_SECURITY_LOADPIN_ENFORCE=3Dy > # CONFIG_SECURITY_YAMA is not set > CONFIG_SECURITY_SAFESETID=3Dy > -# CONFIG_SECURITY_LOCKDOWN_LSM is not set > +CONFIG_SECURITY_LOCKDOWN_LSM=3Dy > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set > +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=3Dy > +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set > # CONFIG_SECURITY_LANDLOCK is not set > CONFIG_INTEGRITY=3Dy > # CONFIG_INTEGRITY_SIGNATURE is not set > --=20 > 2.34.1 --===============4894875220752682485==--
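Review bot: In all four hunks, CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y makes lockdown unconditional from boot, yet the commit message consists only of a Signed-off-by line. It does not say why integrity was chosen over confidentiality or what stops working on installed systems. Forced integrity mode refuses unsigned module loading, kexec of unsigned images, hibernation, and raw access to /dev/mem and I/O ports. None of the visible context shows the module signing options, so please confirm in the message that module signing is set up in these configs (or add it to this series) and list the features that become unavailable. The subject could also say "Lockdown LSM" rather than "LSM support", since the context lines show other LSMs (CONFIG_SECURITY_LOADPIN, CONFIG_SECURITY_SAFESETID) already enabled.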