Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem

At my knowledge enforce loadpin is incompatible with initramfs. https://lwn.net/Articles/682302/

Also we have some older installations that have a seperate /var partition and /lib/firmware was moved to /var/lib/firmware so i think we cannot apply this!

Arne

Am 2022-03-19 22:09, schrieb Peter Müller:

This can be safely enabled on IPFire, as we never swap filesystems during runtime.

Fixes: #12432

Signed-off-by: Peter Müller peter.mueller@ipfire.org

config/kernel/kernel.config.aarch64-ipfire | 3 ++- config/kernel/kernel.config.armv6l-ipfire | 3 ++- config/kernel/kernel.config.riscv64-ipfire | 3 ++- config/kernel/kernel.config.x86_64-ipfire | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 35c249253..d9179c061 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 5b4ff8e20..522278160 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index d4c0e0451..ebb830eb7 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 8b525ef89..675c3ce1e 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_LOADPIN=y +CONFIG_SECURITY_LOADPIN_ENFORCE=y # CONFIG_SECURITY_YAMA is not set # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set