linux: Disable LSM for /dev/io port access
authorPeter Müller <peter.mueller@ipfire.org>
Tue, 19 Apr 2022 13:57:35 +0000 (13:57 +0000)
committerPeter Müller <peter.mueller@ipfire.org>
Tue, 19 Apr 2022 13:57:35 +0000 (13:57 +0000)
flashrom needs access to /dev/io ports for flashing firmware, a
functionality we cannot cease to support. Therefore, LSM constraints are
disabled for ioport.c, hopefully permitting us to keep it enabled.

Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
lfs/linux
src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch [new file with mode: 0644]

index 91bba123bfdcd1d56fc172074a7db2965edf5922..0deef74f2696ab3282064907c9d100a55a21ba14 100644 (file)
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # https://bugzilla.ipfire.org/show_bug.cgi?id=12760
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
 
+       # Unfortunately, /dev/io access is needed for firmware flashing; patch out LSM part in ioport.c
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
        # Apply Arm-multiarch kernel patches.
        cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
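Review bot: The comment on the new patch line understates what is being applied: the patch removes the `security_locked_down(LOCKDOWN_IOPORT)` check from both the ioperm and iopl paths in arch/x86/kernel/ioport.c, so with kernel lockdown active, raw port access is gated by CAP_SYS_RAWIO alone rather than by lockdown plus the capability. "/dev/io" is also misleading, since ioport.c implements the ioperm(2)/iopl(2) syscalls and there is no such device node; the /dev/port character device lives elsewhere. I would make the recipe comment state the consequence explicitly, e.g. `# flashrom needs ioperm(2)/iopl(2) (arch/x86/kernel/ioport.c); this patch drops the security_locked_down(LOCKDOWN_IOPORT) check, so kernel lockdown no longer restricts raw I/O port access for CAP_SYS_RAWIO processes`. The patch file name is pinned to 5.15.32 while the kernel version variable is outside this hunk, so it presumably needs regenerating on the next kernel bump; a short note to that effect next to the patch line would help.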
diff --git a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
new file mode 100644 (file)
index 0000000..df7521d
--- /dev/null
@@ -0,0 +1,30 @@
+--- linux-5.15.32.orig/arch/x86/kernel/ioport.c        2022-04-19 12:54:46.468477540 +0000
++++ linux-5.15.32/arch/x86/kernel/ioport.c     2022-04-19 12:56:21.423185714 +0000
+@@ -4,7 +4,6 @@
+  * by Linus. 32/64 bits code unification by Miguel Botón.
+  */
+ #include <linux/capability.h>
+-#include <linux/security.h>
+ #include <linux/syscalls.h>
+ #include <linux/bitmap.h>
+ #include <linux/ioport.h>
+@@ -70,8 +69,7 @@
+       if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+               return -EINVAL;
+-      if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+-                      security_locked_down(LOCKDOWN_IOPORT)))
++      if (turn_on && (!capable(CAP_SYS_RAWIO)))
+               return -EPERM;
+       /*
+@@ -186,8 +184,7 @@
+       /* Trying to gain more privileges? */
+       if (level > old) {
+-              if (!capable(CAP_SYS_RAWIO) ||
+-                  security_locked_down(LOCKDOWN_IOPORT))
++              if (!capable(CAP_SYS_RAWIO))
+                       return -EPERM;
+       }