From 250f6efc3868f97914c42e94361932d86bd910db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Thu, 21 Apr 2022 19:30:42 +0000 Subject: [PATCH] kernel: Do not enforce "integrity" mode of LSM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit LSM was found to render firmware flashing unusable, and patching out LSM functionality for all features needed (such as /dev/io, direct memory access and probably raw PCI access for older cards), this would effectively render much of LSM's functionality useless as well. For the time being, we do ship LSM, but do not enforce any protection mode. Users hence can run it in "integrity" or even "confidentiality" mode by custom commands; hopefully, we will be able to revert this change at a future point. Acked-by: Arne Fitzenreiter Signed-off-by: Peter Müller
---
config/kernel/kernel.config.aarch64-ipfire | 4 ++-- config/kernel/kernel.config.armv6l-ipfire | 4 ++-- config/kernel/kernel.config.riscv64-ipfire | 4 ++-- config/kernel/kernel.config.x86_64-ipfire | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 8aea57e37..5b8538f69 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7559,8 +7559,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 178c2ab6b..c10b117da 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7565,8 +7565,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index ec09eacdf..2d1fdbd28 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6197,8 +6197,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 773845765..5549a1aa4 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6975,8 +6975,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
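Review bot: Setting `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` in the x86_64 hunk (and identically in the aarch64, armv6l and riscv64 hunks) leaves every shipped kernel booting with lockdown off, and nothing in the patch records how an administrator turns it back on. The description's "custom commands" are presumably the `lockdown=integrity` kernel command-line parameter and a write to `/sys/kernel/security/lockdown`; naming them in the commit message or release notes would make the opt-in usable, along with the fact that the runtime switch can only raise the level until the next reboot. The firmware-flashing problem reads as tied to particular hardware, so it is worth confirming that all four architectures need the relaxed default rather than only the affected one. A boot-time default of `lockdown=integrity` that can be removed for a flashing session would keep the protection on for systems that never flash firmware.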