* [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN
@ 2020-06-09 18:38 Peter Müller
2020-06-09 18:38 ` [PATCH 2/2] kernel: enable CONFIG_SECURITY_LOADPIN_ENFORCE Peter Müller
2020-06-10 15:02 ` [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN Arne Fitzenreiter
0 siblings, 2 replies; 3+ messages in thread
From: Peter Müller @ 2020-06-09 18:38 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3110 bytes --]
Quoted from #12432:
> For every boot, any file read through the kernel file reading interface can
> be pinned to the first filesystem used for loading. If you try to load any
> file that comes from other filesystem will be rejected.
IMHO this can be safely enabled as there is no legitimate reason to swap
filesystems on an IPFire machine during runtime.
Partially fixes: #12432
Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 2 +-
config/kernel/kernel.config.armv5tel-ipfire-multi | 2 +-
config/kernel/kernel.config.i586-ipfire | 2 +-
config/kernel/kernel.config.x86_64-ipfire | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index e0f2f6df8..62b518977 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -6548,7 +6548,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi
index 15183300f..4e0ca0460 100644
--- a/config/kernel/kernel.config.armv5tel-ipfire-multi
+++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
@@ -7030,7 +7030,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 578931497..096ef6141 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -6694,7 +6694,7 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 6a5fbbfe9..841a45bd0 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6560,7 +6560,7 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
--
2.26.2
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 2/2] kernel: enable CONFIG_SECURITY_LOADPIN_ENFORCE
2020-06-09 18:38 [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN Peter Müller
@ 2020-06-09 18:38 ` Peter Müller
2020-06-10 15:02 ` [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN Arne Fitzenreiter
1 sibling, 0 replies; 3+ messages in thread
From: Peter Müller @ 2020-06-09 18:38 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2565 bytes --]
Partially fixes: #12432
Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/kernel/kernel.config.aarch64-ipfire | 1 +
config/kernel/kernel.config.armv5tel-ipfire-multi | 1 +
config/kernel/kernel.config.i586-ipfire | 1 +
config/kernel/kernel.config.x86_64-ipfire | 1 +
4 files changed, 4 insertions(+)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 62b518977..d20b92fc4 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -6549,6 +6549,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi
index 4e0ca0460..b71c43243 100644
--- a/config/kernel/kernel.config.armv5tel-ipfire-multi
+++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
@@ -7031,6 +7031,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 096ef6141..33649d95c 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -6695,6 +6695,7 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 841a45bd0..85ac82f92 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6561,6 +6561,7 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
--
2.26.2
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN
2020-06-09 18:38 [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN Peter Müller
2020-06-09 18:38 ` [PATCH 2/2] kernel: enable CONFIG_SECURITY_LOADPIN_ENFORCE Peter Müller
@ 2020-06-10 15:02 ` Arne Fitzenreiter
1 sibling, 0 replies; 3+ messages in thread
From: Arne Fitzenreiter @ 2020-06-10 15:02 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3332 bytes --]
I think this will not work because we boot from an initrd and later
switch
to the real rootfs.
Arne
Am 2020-06-09 20:38, schrieb Peter Müller:
> Quoted from #12432:
>> For every boot, any file read through the kernel file reading
>> interface can
>> be pinned to the first filesystem used for loading. If you try to load
>> any
>> file that comes from other filesystem will be rejected.
>
> IMHO this can be safely enabled as there is no legitimate reason to
> swap
> filesystems on an IPFire machine during runtime.
>
> Partially fixes: #12432
>
> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv5tel-ipfire-multi | 2 +-
> config/kernel/kernel.config.i586-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire
> b/config/kernel/kernel.config.aarch64-ipfire
> index e0f2f6df8..62b518977 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -6548,7 +6548,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi
> b/config/kernel/kernel.config.armv5tel-ipfire-multi
> index 15183300f..4e0ca0460 100644
> --- a/config/kernel/kernel.config.armv5tel-ipfire-multi
> +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
> @@ -7030,7 +7030,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.i586-ipfire
> b/config/kernel/kernel.config.i586-ipfire
> index 578931497..096ef6141 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -6694,7 +6694,7 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire
> b/config/kernel/kernel.config.x86_64-ipfire
> index 6a5fbbfe9..841a45bd0 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6560,7 +6560,7 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-10 15:02 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-09 18:38 [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN Peter Müller
2020-06-09 18:38 ` [PATCH 2/2] kernel: enable CONFIG_SECURITY_LOADPIN_ENFORCE Peter Müller
2020-06-10 15:02 ` [PATCH 1/2] kernel: enable CONFIG_SECURITY_LOADPIN Arne Fitzenreiter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox