linux: Enable seccomp filter on ARM

Since last time we checked, the kernel's security features on ARM have
improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch
therefore proposes to give the seccomp filter on both 32- and 64-bit ARM
another try, since it provides significant security benefit to
applications using it.

Due to operational constraints, rootfile changes have been omitted, and
will be conducted, should this patch be approved.

Note to future self: Once this patch is approved, applications using
seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.

Fixes: #12366
Fixes: #12370
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 76dbafc5f65bb0877c22364cf023f587ae011b87..e2ae8da17c5aa865e87211ea628d6dbba285dfb9 100644 (file)
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -680,7 +680,9 @@ CONFIG_HAVE_CMPXCHG_DOUBLE=y
 CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
 CONFIG_HAVE_ARCH_SECCOMP=y
 CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
-# CONFIG_SECCOMP is not set
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+# CONFIG_SECCOMP_CACHE_DEBUG is not set
 CONFIG_HAVE_ARCH_STACKLEAK=y
 CONFIG_HAVE_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR=y

diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 28f4ef3aab4c2986126c616eb3ba16f64938c743..54260aec1a16430ff32814ecea0918b1ec653385 100644 (file)
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -764,7 +764,9 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
 CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
 CONFIG_HAVE_ARCH_SECCOMP=y
 CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
-# CONFIG_SECCOMP is not set
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+# CONFIG_SECCOMP_CACHE_DEBUG is not set
 CONFIG_HAVE_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y