From: alf@i100.no
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
Date: Mon, 21 Mar 2022 21:24:48 +0100 [thread overview]
Message-ID: <fbd24c9d62e583879d8b5648d6f16599@i100.no> (raw)
In-Reply-To: <63A98A2B-447B-4613-96FA-45C220F94BE4@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 5027 bytes --]
Den 2022-03-21 19:50, skrev Michael Tremer:
> Hello,
>
>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
>>
>> At my knowledge enforce loadpin is incompatible with initramfs.
>> https://lwn.net/Articles/682302/
>
> I cannot find that being mentioned in this article. And I am not sure
> whether the initramdisk counts as its own file system.
>
Quoting what I think is the relevant section from the article
"
The current module is also likely to run into trouble on systems that
boot with an initramfs image; the first modules will almost certainly be
loaded from that image (that's why it exists, usually), causing loads to
be pinned to a temporary filesystem that will go away at the end of the
bootstrap process. In the current patch, if the filesystem to which
loading is pinned disappears, loading of files will be disabled entirely
— behavior that makes sense, but which may not lead to the desired
results in an initramfs setting.
"
And a somewhat related discussion
https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021
And a patch to the kernel, which I could not figure out if has been
merged
https://lkml.org/lkml/2021/4/8/1446
But it does not seem to be merged to me
https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c
Alf
>> Also we have some older installations that have a seperate /var
>> partition and /lib/firmware was moved to /var/lib/firmware
>> so i think we cannot apply this!
>
> The firmware currently is in /lib/firmware and since we have now a way
> to compress it, there is no need to move it any more. That should
> allow us enabling this switch.
>
> Best,
> -Michael
>
>> Arne
>>
>>
>> Am 2022-03-19 22:09, schrieb Peter Müller:
>>> This can be safely enabled on IPFire, as we never swap filesystems
>>> during runtime.
>>> Fixes: #12432
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>>> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
>>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>>> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
>>> 4 files changed, 8 insertions(+), 4 deletions(-)
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>>> b/config/kernel/kernel.config.aarch64-ipfire
>>> index 35c249253..d9179c061 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire
>>> b/config/kernel/kernel.config.armv6l-ipfire
>>> index 5b4ff8e20..522278160 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire
>>> b/config/kernel/kernel.config.riscv64-ipfire
>>> index d4c0e0451..ebb830eb7 100644
>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire
>>> b/config/kernel/kernel.config.x86_64-ipfire
>>> index 8b525ef89..675c3ce1e 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
next prev parent reply other threads:[~2022-03-21 20:24 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
2022-03-19 21:08 ` [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits Peter Müller
2022-03-23 11:42 ` Michael Tremer
2022-03-19 21:08 ` [PATCH 02/11] Kernel: Disable support for tracing block I/O actions Peter Müller
2022-03-23 11:44 ` Michael Tremer
2022-03-19 21:09 ` [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem Peter Müller
2022-03-21 17:15 ` Arne Fitzenreiter
2022-03-21 18:50 ` Michael Tremer
2022-03-21 20:24 ` alf [this message]
2022-03-22 11:17 ` Michael Tremer
2022-03-19 21:09 ` [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker Peter Müller
2022-03-23 11:45 ` Michael Tremer
2022-03-19 21:09 ` [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities Peter Müller
2022-03-23 11:46 ` Michael Tremer
2022-03-19 21:10 ` [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity" Peter Müller
2022-03-23 17:50 ` Michael Tremer
2022-03-19 21:10 ` [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected Peter Müller
2022-03-23 17:53 ` Michael Tremer
2022-03-19 21:10 ` [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary Peter Müller
2022-03-23 17:54 ` Michael Tremer
2022-03-19 21:10 ` [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs Peter Müller
2022-03-23 17:54 ` Michael Tremer
2022-03-19 21:11 ` [PATCH 10/11] Kernel: Disable function and stack tracers Peter Müller
2022-03-23 17:56 ` Michael Tremer
2022-03-19 21:11 ` [PATCH 11/11] Kernel: Update rootfile for x86_64 Peter Müller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fbd24c9d62e583879d8b5648d6f16599@i100.no \
--to=alf@i100.no \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox