From 250f6efc3868f97914c42e94361932d86bd910db Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Thu, 21 Apr 2022 19:30:42 +0000 Subject: [PATCH] kernel: Do not enforce "integrity" mode of LSM MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit LSM was found to render firmware flashing unusable, and patching out LSM functionality for all features needed (such as /dev/io, direct memory access and probably raw PCI access for older cards), this would effectively render much of LSM's functionality useless as well. For the time being, we do ship LSM, but do not enforce any protection mode. Users hence can run it in "integrity" or even "confidentiality" mode by custom commands; hopefully, we will be able to revert this change at a future point. Acked-by: Arne Fitzenreiter Signed-off-by: Peter Müller --- config/kernel/kernel.config.aarch64-ipfire | 4 ++-- config/kernel/kernel.config.armv6l-ipfire | 4 ++-- config/kernel/kernel.config.riscv64-ipfire | 4 ++-- config/kernel/kernel.config.x86_64-ipfire | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 8aea57e373..5b8538f69a 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7559,8 +7559,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 178c2ab6b4..c10b117dae 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7565,8 +7565,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index ec09eacdf8..2d1fdbd285 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6197,8 +6197,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 773845765e..5549a1aa48 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6975,8 +6975,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
-- 2.39.2
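Review bot: Setting `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` in all four kernel configs (aarch64, armv6l, riscv64, x86_64) leaves the Lockdown LSM built in but inactive at boot, and the change records no supported way for users to opt back in. The commit message only mentions "custom commands"; it should name them, for example `lockdown=integrity` or `lockdown=confidentiality` on the kernel command line, or writing the level to `/sys/kernel/security/lockdown`, with the caveat that a level raised at runtime cannot be lowered again until reboot. Because the stated reason is firmware flashing, which is an occasional maintenance task, it is worth considering whether integrity mode could remain the default with a separate unlocked boot entry for flashing; the visible hunks cannot settle that. Whichever default ships, the release notes should state that the restrictions integrity mode placed on root are no longer enforced.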