This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  6d0e3c5a5719ea66a47f1859871808d8b2095fa4 (commit)
       via  16eb2d5379757076c23b4cdd14a8af595fd9d1bc (commit)
       via  25a3d87645609b3deffdc45a153eb2e2696032f9 (commit)
       via  e79c4372ceb87d3fa91cd440745cb6125c57e23e (commit)
      from  9826ac9bc299360a89c7f3f5bf3df0b9dfc05217 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 6d0e3c5a5719ea66a47f1859871808d8b2095fa4
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Oct 3 21:58:25 2022 +0000
libseccomp: Bump package version
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 16eb2d5379757076c23b4cdd14a8af595fd9d1bc
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Sep 19 12:35:41 2022 +0000
linux: Enable seccomp filter on ARM
Since last time we checked, the kernel's security features on ARM have improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch therefore proposes to give the seccomp filter on both 32- and 64-bit ARM another try, since it provides significant security benefit to applications using it.
Due to operational constraints, rootfile changes have been omitted, and will be conducted, should this patch be approved.
Note to future self: Once this patch is approved, applications using seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.
Fixes: #12366
Fixes: #12370
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 25a3d87645609b3deffdc45a153eb2e2696032f9
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Sun Oct 2 14:47:52 2022 +0000
linux: Remove user-space probe support
From the kernel's documentation:
> Uprobes is the user-space counterpart to kprobes: they
> enable instrumentation applications (such as 'perf probe')
> to establish unintrusive probes in user-space binaries and
> libraries, by executing handler functions when the probes
> are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints,
> managed by the kernel and kept transparent to the probed
> application. )
To the best of the author's understanding, no application on IPFire needs this functionality, and given its abuse potential, we should probably not enable it.
As expected, strace functionality is not impaired by this.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit e79c4372ceb87d3fa91cd440745cb6125c57e23e
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Thu Sep 29 22:35:18 2022 +0200
suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire | 9 ++++-----
 config/kernel/kernel.config.armv6l-ipfire  | 9 ++++-----
 config/kernel/kernel.config.x86_64-ipfire  | 5 +----
 config/suricata/suricata.yaml              | 2 +-
 lfs/libseccomp                             | 2 +-
 5 files changed, 11 insertions(+), 16 deletions(-)
Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 836e2b15f..e2ae8da17 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -645,7 +645,6 @@ CONFIG_CRYPTO_AES_ARM64_BS=m # CONFIG_KPROBES is not set CONFIG_JUMP_LABEL=y CONFIG_STATIC_KEYS_SELFTEST=y -CONFIG_UPROBES=y CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y CONFIG_HAVE_KPROBES=y CONFIG_HAVE_KRETPROBES=y @@ -681,7 +680,9 @@ CONFIG_HAVE_CMPXCHG_DOUBLE=y CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y CONFIG_HAVE_ARCH_SECCOMP=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y -# CONFIG_SECCOMP is not set +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y +# CONFIG_SECCOMP_CACHE_DEBUG is not set CONFIG_HAVE_ARCH_STACKLEAK=y CONFIG_HAVE_STACKPROTECTOR=y CONFIG_STACKPROTECTOR=y @@ -8154,9 +8155,7 @@ CONFIG_TRACER_SNAPSHOT=y CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_BLK_DEV_IO_TRACE is not set -CONFIG_UPROBE_EVENTS=y -CONFIG_DYNAMIC_EVENTS=y -CONFIG_PROBE_EVENTS=y +# CONFIG_UPROBE_EVENTS is not set CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y # CONFIG_SYNTH_EVENTS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index ae611fc6f..54260aec1 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -738,7 +738,6 @@ CONFIG_AS_VFP_VMRS_FPINST=y # CONFIG_KPROBES is not set CONFIG_JUMP_LABEL=y CONFIG_STATIC_KEYS_SELFTEST=y -CONFIG_UPROBES=y CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y CONFIG_ARCH_USE_BUILTIN_BSWAP=y CONFIG_HAVE_KPROBES=y 
@@ -765,7 +764,9 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y CONFIG_HAVE_ARCH_SECCOMP=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y -# CONFIG_SECCOMP is not set +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y +# CONFIG_SECCOMP_CACHE_DEBUG is not set CONFIG_HAVE_STACKPROTECTOR=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y @@ -8129,9 +8130,7 @@ CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_PROFILE_ALL_BRANCHES is not set # CONFIG_BLK_DEV_IO_TRACE is not set -CONFIG_UPROBE_EVENTS=y -CONFIG_DYNAMIC_EVENTS=y -CONFIG_PROBE_EVENTS=y +# CONFIG_UPROBE_EVENTS is not set CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y # CONFIG_SYNTH_EVENTS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index d005f98d4..bb4655a99 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -671,7 +671,6 @@ CONFIG_GENERIC_ENTRY=y CONFIG_JUMP_LABEL=y CONFIG_STATIC_KEYS_SELFTEST=y # CONFIG_STATIC_CALL_SELFTEST is not set -CONFIG_UPROBES=y CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y CONFIG_ARCH_USE_BUILTIN_BSWAP=y CONFIG_USER_RETURN_NOTIFIER=y @@ -7594,9 +7593,7 @@ CONFIG_TRACER_SNAPSHOT=y CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_BLK_DEV_IO_TRACE is not set -CONFIG_UPROBE_EVENTS=y -CONFIG_DYNAMIC_EVENTS=y -CONFIG_PROBE_EVENTS=y +# CONFIG_UPROBE_EVENTS is not set CONFIG_FTRACE_MCOUNT_RECORD=y CONFIG_FTRACE_MCOUNT_USE_CC=y # CONFIG_SYNTH_EVENTS is not set diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 03a7a83af..fb4f9426b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -371,7 +371,7 @@ app-layer: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 # MQTT, disabled by default. mqtt: - # enabled: no + enabled: yes # max-msg-length: 1mb krb5: enabled: yes 
diff --git a/lfs/libseccomp b/lfs/libseccomp index ada345c2f..c00ca3907 100644 --- a/lfs/libseccomp +++ b/lfs/libseccomp @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = libseccomp -PAK_VER = 8 +PAK_VER = 9
DEPS =
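Review bot: The aarch64 hunk at @@ -681 (and the matching armv6l hunk at @@ -765) turns on CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y, but the commit message itself says the follow-up is still outstanding: rootfile changes were omitted, and OpenSSH and Tor on ARM "need to be updated/shipped". Nothing in this push does that; the only package touched is lfs/libseccomp, and that hunk changes PAK_VER only. Please track the pending ARM rebuild of the seccomp consumers against the tickets in the Fixes: lines (#12366, #12370), so the kernel side does not ship ahead of the applications that actually exercise the filter.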
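Review bot: The aarch64 hunk at @@ -8154 removes CONFIG_DYNAMIC_EVENTS=y and CONFIG_PROBE_EVENTS=y together with CONFIG_UPROBE_EVENTS=y, while the commit message only speaks of removing user-space probe support. Both are internal symbols that the probe-event options select; with `# CONFIG_KPROBES is not set` and `# CONFIG_SYNTH_EVENTS is not set` already present in the surrounding context, nothing is left to select them, so their disappearance looks like a consequence of regenerating the config rather than a separate decision. One sentence in the commit message saying so would spare the next reader that check. The same applies to the armv6l hunk at @@ -8129 and the x86_64 hunk at @@ -7594.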
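Review bot: In the config/suricata/suricata.yaml hunk at @@ -371 the comment `# MQTT, disabled by default.` is kept unchanged while `enabled: yes` is added directly beneath it, so the shipped file now documents the opposite of what it configures. Suggest updating the comment in the same change (for example `# MQTT, enabled on IPFire.`) or dropping it, so operators reading the config are not misled about which application-layer parsers are active; the commented `# max-msg-length: 1mb` line below it can stay as the documented default.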
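Review bot: The lfs/libseccomp hunk at @@ -34 changes only `PAK_VER = 8` to `PAK_VER = 9`, with no source, patch or build-step change, and the commit message ("libseccomp: Bump package version") gives no reason. If the intent is to force redistribution of the package to ARM installations now that CONFIG_SECCOMP_FILTER is being enabled there, please state that in the commit message; a bare version bump with no recorded motivation is hard to audit later.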
hooks/post-receive -- IPFire 2.x development tree