This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  250f6efc3868f97914c42e94361932d86bd910db (commit)
       via  5bd8fc1273ebda6bf999da593a23fe1acdb04c6b (commit)
      from  5b966f1b0a0f191c7d79b1609c122c16a65d3bfc (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 250f6efc3868f97914c42e94361932d86bd910db
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Thu Apr 21 19:30:42 2022 +0000
kernel: Do not enforce "integrity" mode of LSM
LSM was found to render firmware flashing unusable, and patching out LSM functionality for all features needed (such as /dev/io, direct memory access and probably raw PCI access for older cards) would effectively render much of LSM's functionality useless as well.
For the time being, we do ship LSM, but do not enforce any protection mode. Users hence can run it in "integrity" or even "confidentiality" mode by custom commands; hopefully, we will be able to revert this change at a future point.
Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 5bd8fc1273ebda6bf999da593a23fe1acdb04c6b
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Thu Apr 21 19:29:32 2022 +0000
Revert "linux: Disable LSM for /dev/io port access"
This reverts commit 5b966f1b0a0f191c7d79b1609c122c16a65d3bfc.
-----------------------------------------------------------------------
Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire         |  4 +--
 config/kernel/kernel.config.armv6l-ipfire          |  4 +--
 config/kernel/kernel.config.riscv64-ipfire         |  4 +--
 config/kernel/kernel.config.x86_64-ipfire          |  4 +--
 lfs/linux                                          |  3 ---
 ...nux-5.15.32-disable_lsm_for_ioport_access.patch | 30 ----------------------
 6 files changed, 8 insertions(+), 41 deletions(-)
 delete mode 100644 src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 8aea57e37..5b8538f69 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7559,8 +7559,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set -CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 178c2ab6b..c10b117da 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7565,8 +7565,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set -CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index ec09eacdf..2d1fdbd28 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire 
@@ -6197,8 +6197,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set -CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 773845765..5549a1aa4 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6975,8 +6975,8 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set -CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set # CONFIG_SECURITY_LANDLOCK is not set CONFIG_INTEGRITY=y diff --git a/lfs/linux b/lfs/linux index 0deef74f2..91bba123b 100644 --- a/lfs/linux +++ b/lfs/linux @@ -143,9 +143,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # https://bugzilla.ipfire.org/show_bug.cgi?id=12760 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
- # Unfortunately, /dev/io access is needed for firmware flashing; patch out LSM part in ioport.c - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch - ifeq "$(BUILD_ARCH)" "armv6l" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1 diff --git a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch deleted file mode 100644 index df7521d3b..000000000 --- a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch +++ /dev/null @@ -1,30 +0,0 @@ ---- linux-5.15.32.orig/arch/x86/kernel/ioport.c 2022-04-19 12:54:46.468477540 +0000 -+++ linux-5.15.32/arch/x86/kernel/ioport.c 2022-04-19 12:56:21.423185714 +0000 -@@ -4,7 +4,6 @@ - * by Linus. 32/64 bits code unification by Miguel Botón. - */ - #include <linux/capability.h> --#include <linux/security.h> - #include <linux/syscalls.h> - #include <linux/bitmap.h> - #include <linux/ioport.h> -@@ -70,8 +69,7 @@ - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && (!capable(CAP_SYS_RAWIO) || -- security_locked_down(LOCKDOWN_IOPORT))) -+ if (turn_on && (!capable(CAP_SYS_RAWIO))) - return -EPERM; - - /* -@@ -186,8 +184,7 @@ - - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO) || -- security_locked_down(LOCKDOWN_IOPORT)) -+ if (!capable(CAP_SYS_RAWIO)) - return -EPERM; - } -
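Review bot: in all four kernel.config hunks (aarch64, armv6l, riscv64, x86_64) the default moves from CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y to CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y while CONFIG_SECURITY_LOCKDOWN_LSM=y and CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y stay set, so the lockdown LSM is still compiled in but every shipped kernel now boots with no mode enforced; the commit message says users can still run it in "integrity" or "confidentiality" mode "by custom commands" without naming them, so please spell out the exact command in the commit message or the wiki so the hardening step is reproducible and can be verified on a running system. The four hunks are otherwise identical across architectures, which is consistent.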
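Review bot: the lfs/linux hunk removes both the explanatory comment ("/dev/io access is needed for firmware flashing; patch out LSM part in ioport.c") and the `patch -Np1` line that applied linux-5.15.32-disable_lsm_for_ioport_access.patch, so the rationale for that patch now lives only in the follow-up commit message; since the patch file is deleted in the same push, please confirm that no other lfs file or build script still references it, otherwise the kernel build fails on a missing patch.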
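Review bot: deleting this patch outright rather than narrowing it is the right call from a hardening standpoint: as the removed file shows, it stripped the security_locked_down(LOCKDOWN_IOPORT) call from both the port-permission check (the `turn_on` branch in the `@@ -70,8 +69,7 @@` hunk) and the privilege-level check (the `level > old` branch in the `@@ -186,8 +184,7 @@` hunk) in arch/x86/kernel/ioport.c, leaving `capable(CAP_SYS_RAWIO)` as the only gate, so every process with that capability, not just the firmware-flashing tool, bypassed lockdown for I/O port access; it also dropped the `#include <linux/security.h>` line. Worth noting for the commit message: this patch only ever touched x86, whereas the lockdown relaxation in this push applies to all four architectures.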
hooks/post-receive -- IPFire 2.x development tree