* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 250f6efc3868f97914c42e94361932d86bd910db
@ 2022-04-21 19:33 Peter Müller
From: Peter Müller @ 2022-04-21 19:33 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 250f6efc3868f97914c42e94361932d86bd910db (commit)
via 5bd8fc1273ebda6bf999da593a23fe1acdb04c6b (commit)
from 5b966f1b0a0f191c7d79b1609c122c16a65d3bfc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 250f6efc3868f97914c42e94361932d86bd910db
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Thu Apr 21 19:30:42 2022 +0000
kernel: Do not enforce "integrity" mode of LSM
LSM was found to render firmware flashing unusable, and patching out LSM
functionality for all features needed (such as /dev/io, direct memory
access and probably raw PCI access for older cards) would effectively
render much of LSM's functionality useless as well.
For the time being, we do ship LSM, but do not enforce any protection
mode. Users hence can run it in "integrity" or even "confidentiality"
mode by custom commands; hopefully, we will be able to revert this
change at a future point.
Acked-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
commit 5bd8fc1273ebda6bf999da593a23fe1acdb04c6b
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Thu Apr 21 19:29:32 2022 +0000
Revert "linux: Disable LSM for /dev/io port access"
This reverts commit 5b966f1b0a0f191c7d79b1609c122c16a65d3bfc.
-----------------------------------------------------------------------
Summary of changes:
config/kernel/kernel.config.aarch64-ipfire | 4 +--
config/kernel/kernel.config.armv6l-ipfire | 4 +--
config/kernel/kernel.config.riscv64-ipfire | 4 +--
config/kernel/kernel.config.x86_64-ipfire | 4 +--
lfs/linux | 3 ---
...nux-5.15.32-disable_lsm_for_ioport_access.patch | 30 ----------------------
6 files changed, 8 insertions(+), 41 deletions(-)
delete mode 100644 src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 8aea57e37..5b8538f69 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7559,8 +7559,8 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
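Review bot: the /dev/io problem in the commit message is x86-specific (the reverted patch touches arch/x86/kernel/ioport.c only), so this aarch64 hunk deserves a sentence in the commit message on why integrity enforcement is dropped here as well: for consistency across the four configs, or because the other cases the message lists (direct memory access, raw PCI access) also run into lockdown on this architecture. Leaving CONFIG_SECURITY_LOCKDOWN_LSM=y and CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y while switching to CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y is the right shape for the opt-in the message describes: the LSM stays built in and early-registered, so a user can still raise the mode at runtime, while nothing is enforced by default.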
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 178c2ab6b..c10b117da 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7565,8 +7565,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index ec09eacdf..2d1fdbd28 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6197,8 +6197,8 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 773845765..5549a1aa4 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6975,8 +6975,8 @@ CONFIG_FORTIFY_SOURCE=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
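Review bot: this is the config where the ioperm()/iopl() failure from the commit message actually occurs, and after this hunk the default is CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y on every architecture. Since the message relies on users raising the mode by "custom commands", the commit (or the release notes) should name the concrete interface users are expected to use, say at which point in boot it is safe to raise the mode relative to firmware flashing, and state whether a mode raised that way can be lowered again without a reboot.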
diff --git a/lfs/linux b/lfs/linux
index 0deef74f2..91bba123b 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,9 +143,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# https://bugzilla.ipfire.org/show_bug.cgi?id=12760
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
- # Unfortunately, /dev/io access is needed for firmware flashing; patch out LSM part in ioport.c
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
-
ifeq "$(BUILD_ARCH)" "armv6l"
# Apply Arm-multiarch kernel patches.
cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
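Review bot: the removed `patch -Np1` line and the patch file it applied go away in the same commit, so lfs/linux no longer references src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch; the bugzilla comment kept at the top of the hunk belongs to the NFQUEUE patch above it and is correctly untouched. Reverting is preferable to keeping a trimmed patch: the removed line stripped the lockdown check from every ioperm()/iopl() caller while the configs still advertised integrity mode, which gives operators a false picture of what is enforced.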
diff --git a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
deleted file mode 100644
index df7521d3b..000000000
--- a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
+++ /dev/null
@@ -1,30 +0,0 @@
---- linux-5.15.32.orig/arch/x86/kernel/ioport.c 2022-04-19 12:54:46.468477540 +0000
-+++ linux-5.15.32/arch/x86/kernel/ioport.c 2022-04-19 12:56:21.423185714 +0000
-@@ -4,7 +4,6 @@
- * by Linus. 32/64 bits code unification by Miguel Botón.
- */
- #include <linux/capability.h>
--#include <linux/security.h>
- #include <linux/syscalls.h>
- #include <linux/bitmap.h>
- #include <linux/ioport.h>
-@@ -70,8 +69,7 @@
-
- if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
- return -EINVAL;
-- if (turn_on && (!capable(CAP_SYS_RAWIO) ||
-- security_locked_down(LOCKDOWN_IOPORT)))
-+ if (turn_on && (!capable(CAP_SYS_RAWIO)))
- return -EPERM;
-
- /*
-@@ -186,8 +184,7 @@
-
- /* Trying to gain more privileges? */
- if (level > old) {
-- if (!capable(CAP_SYS_RAWIO) ||
-- security_locked_down(LOCKDOWN_IOPORT))
-+ if (!capable(CAP_SYS_RAWIO))
- return -EPERM;
- }
-
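Review bot: dropping this file restores both `security_locked_down(LOCKDOWN_IOPORT)` checks, in ioperm() (`if (turn_on && ...`) and in the iopl() privilege-raise path under `/* Trying to gain more privileges? */`, so CAP_SYS_RAWIO is no longer the only gate once a user raises lockdown at runtime, which is what the commit message intends. Worth noting for anyone tempted to resurrect it: the patch also removed `#include <linux/security.h>`, so a narrower future exception would need the include back.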
hooks/post-receive
--
IPFire 2.x development tree
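As an added example (not code from the IPFire tree or from this commit), a POSIX shell check an operator can run after this change to see whether kernel lockdown is actually in effect on a box: it parses the mainline securityfs file /sys/kernel/security/lockdown (assumed here; not mentioned in the commit) and the CONFIG_LOCK_DOWN_KERNEL_FORCE_* keys changed in the hunks above, and flags whether a mode was raised at runtime, which is the opt-in path the commit message leaves open. The script name lockdown-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not IPFire code: report the running kernel lockdown mode and
# relate it to the mode the kernel config forces at boot. Assumes mainline
# securityfs: /sys/kernel/security/lockdown reads e.g. "none [integrity] confidentiality".

# Print the bracketed (active) mode from a lockdown string.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Map CONFIG_LOCK_DOWN_KERNEL_FORCE_* in a kernel config to the boot-time mode;
# "none" means the LSM is built (as in this commit) but not enforcing.
config_forced_mode() {
    if grep -q '^CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y' "$1"; then echo confidentiality
    elif grep -q '^CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y' "$1"; then echo integrity
    elif grep -q '^CONFIG_SECURITY_LOCKDOWN_LSM=y' "$1"; then echo none
    else echo absent
    fi
}

# Order the modes: lockdown can be raised at runtime but never lowered.
mode_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) printf '%s\n' -1 ;;
    esac
}

# "raised": an operator opted in at runtime (the path the commit message leaves
# open); "forced": the config enforces it; "open": no lockdown in effect.
classify() {
    running=$(mode_rank "$1"); forced=$(mode_rank "$2")
    if [ "$running" -gt 0 ] && [ "$running" -gt "$forced" ]; then echo raised
    elif [ "$running" -gt 0 ]; then echo forced
    else echo open
    fi
}

# Live check: ./lockdown-check.sh --live /path/to/kernel.config
check_live() {
    [ -r /sys/kernel/security/lockdown ] || { echo "lockdown LSM unavailable"; return 1; }
    mode=$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")
    echo "lockdown: $mode ($(classify "$mode" "$(config_forced_mode "$1")"))"
}

if [ "${1:-}" = "--live" ]; then check_live "${2:-/dev/null}"; fi
```

On a box built from this commit the live check reports "none (open)" until someone raises the mode, after which it reports "integrity (raised)" or "confidentiality (raised)".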