From: "Peter Müller" <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 250f6efc3868f97914c42e94361932d86bd910db
Date: Thu, 21 Apr 2022 19:33:51 +0000
Message-ID: <4Kknlg5WHQz2xyH@people01.haj.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 250f6efc3868f97914c42e94361932d86bd910db (commit)
via 5bd8fc1273ebda6bf999da593a23fe1acdb04c6b (commit)
from 5b966f1b0a0f191c7d79b1609c122c16a65d3bfc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 250f6efc3868f97914c42e94361932d86bd910db
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Thu Apr 21 19:30:42 2022 +0000
kernel: Do not enforce "integrity" mode of LSM
LSM was found to render firmware flashing unusable, and patching out LSM
functionality for all features needed (such as /dev/io, direct memory
access and probably raw PCI access for older cards) would
effectively render much of LSM's functionality useless as well.
For the time being, we do ship LSM, but do not enforce any protection
mode. Users hence can run it in "integrity" or even "confidentiality"
mode by custom commands; hopefully, we will be able to revert this
change at a future point.
Acked-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 5bd8fc1273ebda6bf999da593a23fe1acdb04c6b
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Thu Apr 21 19:29:32 2022 +0000
Revert "linux: Disable LSM for /dev/io port access"
This reverts commit 5b966f1b0a0f191c7d79b1609c122c16a65d3bfc.
-----------------------------------------------------------------------
Summary of changes:
config/kernel/kernel.config.aarch64-ipfire | 4 +--
config/kernel/kernel.config.armv6l-ipfire | 4 +--
config/kernel/kernel.config.riscv64-ipfire | 4 +--
config/kernel/kernel.config.x86_64-ipfire | 4 +--
lfs/linux | 3 ---
...nux-5.15.32-disable_lsm_for_ioport_access.patch | 30 ----------------------
6 files changed, 8 insertions(+), 41 deletions(-)
delete mode 100644 src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 8aea57e37..5b8538f69 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7559,8 +7559,8 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
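Review bot: the justification for relaxing aarch64 is weaker than for x86_64, because the check that actually broke firmware flashing (the security_locked_down(LOCKDOWN_IOPORT) call in the ioperm()/iopl() paths of arch/x86/kernel/ioport.c, as the deleted patch below shows) has no counterpart on this architecture; the commit message only gestures at /dev/mem and raw PCI access, so it should name the flashing tool and the lockdown reason that fails on aarch64, or keep CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y here. Since CONFIG_SECURITY_LOCKDOWN_LSM=y and CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y remain set, the LSM is still registered and the mode can still be raised at boot with lockdown=integrity or later by writing to /sys/kernel/security/lockdown.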
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 178c2ab6b..c10b117da 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7565,8 +7565,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
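Review bot: as with aarch64, armv6l has no ioperm()/iopl() syscalls, so the ioport breakage does not apply here and the change should be backed by a concrete failing path or not made. The "custom commands" the commit message promises should also document that raising the level through /sys/kernel/security/lockdown is one-way for the lifetime of the boot: the kernel refuses any write that is not a strictly higher level, so an administrator who flashes firmware must do so before raising the mode, and the only way back down is a reboot.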
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index ec09eacdf..2d1fdbd28 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6197,8 +6197,8 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
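Review bot: riscv64 likewise lacks the x86 port-I/O syscalls, so this hunk is only justified by the /dev/mem and PCI access cases mentioned in the commit message; please state which one was observed. Leaving CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY unset is correct either way, since that level additionally blocks kernel-memory readers such as /proc/kcore, perf and BPF kernel reads, which a firewall appliance has no reason to need.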
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 773845765..5549a1aa4 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6975,8 +6975,8 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
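Review bot: on x86_64, the architecture where the breakage was actually seen, switching to CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y means ioperm() and iopl() are once again gated only by CAP_SYS_RAWIO, which is what the firmware flashing tools need; but integrity mode also covered /dev/mem and /dev/port, MSR writes, unsigned kexec images and hibernation, and all of those become opt-in with this hunk. That loss is worth a line in the commit message or release notes so that users who relied on the previous default know they now have to raise the mode themselves.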
diff --git a/lfs/linux b/lfs/linux
index 0deef74f2..91bba123b 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,9 +143,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# https://bugzilla.ipfire.org/show_bug.cgi?id=12760
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
- # Unfortunately, /dev/io access is needed for firmware flashing; patch out LSM part in ioport.c
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
-
ifeq "$(BUILD_ARCH)" "armv6l"
# Apply Arm-multiarch kernel patches.
cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
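Review bot: the removed comment says "/dev/io", but the Linux character device for port I/O is /dev/port and the deleted patch touched the ioperm()/iopl() syscalls in arch/x86/kernel/ioport.c rather than any device node; the commit message repeats the "/dev/io" name and would be clearer if it named the syscalls. With the patch no longer applied, security_locked_down(LOCKDOWN_IOPORT) is back in the kernel and returns 0 while the mode is none, so flashing keeps working exactly until an administrator raises the mode; that ordering (flash first, lock down afterwards) is the operational consequence of this change and deserves to be spelled out.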
diff --git a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
deleted file mode 100644
index df7521d3b..000000000
--- a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
+++ /dev/null
@@ -1,30 +0,0 @@
---- linux-5.15.32.orig/arch/x86/kernel/ioport.c 2022-04-19 12:54:46.468477540 +0000
-+++ linux-5.15.32/arch/x86/kernel/ioport.c 2022-04-19 12:56:21.423185714 +0000
-@@ -4,7 +4,6 @@
- * by Linus. 32/64 bits code unification by Miguel Botón.
- */
- #include <linux/capability.h>
--#include <linux/security.h>
- #include <linux/syscalls.h>
- #include <linux/bitmap.h>
- #include <linux/ioport.h>
-@@ -70,8 +69,7 @@
-
- if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- return -EINVAL;
-- if (turn_on && (!capable(CAP_SYS_RAWIO) ||
-- security_locked_down(LOCKDOWN_IOPORT)))
-+ if (turn_on && (!capable(CAP_SYS_RAWIO)))
- return -EPERM;
-
- /*
-@@ -186,8 +184,7 @@
-
- /* Trying to gain more privileges? */
- if (level > old) {
-- if (!capable(CAP_SYS_RAWIO) ||
-- security_locked_down(LOCKDOWN_IOPORT))
-+ if (!capable(CAP_SYS_RAWIO))
- return -EPERM;
- }
-
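Review bot: dropping this patch is the right call, because it removed the LOCKDOWN_IOPORT check from both ioperm() and iopl() while the kernel still reported integrity mode, so the advertised level did not match what was enforced: with the check gone, any CAP_SYS_RAWIO process could use iopl(3) to reach every I/O port and program hardware directly, which is precisely what integrity mode exists to prevent. The patch file also carried no header explaining its purpose, which made that mismatch easy to miss; with the upstream code restored, the only caller allowed through is one that holds CAP_SYS_RAWIO while the lockdown level is below integrity.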
hooks/post-receive
--
IPFire 2.x development tree
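The commit message above refers to "custom commands" for putting the shipped Lockdown LSM into integrity or confidentiality mode without saying what they are. The following is an added example, not code from the IPFire tree or from the commit author, showing how to read the current mode from /sys/kernel/security/lockdown and raise it safely. The file format ("[none] integrity confidentiality") and the rule that the kernel accepts only a strictly higher level are upstream Lockdown behaviour; the helper names and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example, not part of the IPFire tree: inspect and raise the Lockdown
# LSM mode on a running kernel. With CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y the
# kernel boots with no mode enforced; the mode can be raised once per boot via
# the lockdown= command-line parameter or by writing "integrity" or
# "confidentiality" to /sys/kernel/security/lockdown (securityfs must be
# mounted). The kernel accepts only a strictly higher level than the current
# one (anything else fails with EPERM), so the helper checks that first.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# The file reads like "[none] integrity confidentiality": the bracketed word
# is the active level. $1 is the file's contents (constructed in the tests).
lockdown_current() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Rank of a level; unknown names rank -1.
lockdown_rank() {
    case "$1" in
        none)            printf '%s\n' 0 ;;
        integrity)       printf '%s\n' 1 ;;
        confidentiality) printf '%s\n' 2 ;;
        *)               printf '%s\n' -1 ;;
    esac
}

# Decide whether the kernel would accept a write of level $2 while at level
# $1: prints "ok" and returns 0 only for a strictly higher, valid level.
lockdown_can_set() {
    cur=$(lockdown_rank "$1")
    new=$(lockdown_rank "$2")
    if [ "$new" -lt 0 ]; then
        printf 'unknown mode: %s\n' "$2"
        return 1
    fi
    if [ "$new" -le "$cur" ]; then
        printf 'cannot change %s to %s (levels only go up)\n' "$1" "$2"
        return 1
    fi
    printf 'ok\n'
}

# Raise the running kernel's mode to $1 (needs root and a mounted securityfs).
lockdown_set() {
    if [ ! -r "$LOCKDOWN_FILE" ]; then
        printf 'missing %s: is securityfs mounted?\n' "$LOCKDOWN_FILE" >&2
        return 2
    fi
    cur=$(lockdown_current "$(cat "$LOCKDOWN_FILE")")
    if ! lockdown_can_set "$cur" "$1"; then
        return 1
    fi
    printf '%s' "$1" > "$LOCKDOWN_FILE"
}

# Command-line use on a host: "status", "integrity" or "confidentiality".
case "${1:-}" in
    status) [ -r "$LOCKDOWN_FILE" ] && lockdown_current "$(cat "$LOCKDOWN_FILE")" ;;
    integrity|confidentiality) lockdown_set "$1" ;;
esac
```

Because the level can only be raised, run any firmware flashing first and raise the mode afterwards; to return to none, reboot. Booting with lockdown=integrity on the kernel command line gives the same result without a userspace step, but then flashing requires a reboot without that parameter.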