bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 19:53:24 +02:00

Author	SHA1	Message	Date
Arne Fitzenreiter	340f11ccbc	kernel: update to 6.6.25 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-04-05 22:27:55 +02:00
Arne Fitzenreiter	2fc167d93b	kernel: update to 6.6.24 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-04-04 23:33:01 +02:00
Arne Fitzenreiter	ce30d74893	kernel: update to 6.6.23 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-03-31 10:49:46 +02:00
Arne Fitzenreiter	28796e09e5	kernel: update to 6.6.22 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-03-21 19:10:10 +01:00
Arne Fitzenreiter	d145574673	kernel: update to 6.6.15 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-02-02 07:33:38 +00:00
Arne Fitzenreiter	0722f42ed2	kernel: update to 6.6.13 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-21 19:10:22 +01:00
Peter Müller	bca096b453	linux: Forbid legacy TIOCSTI usage To quote from the kernel documentation: > Historically the kernel has allowed TIOCSTI, which will push > characters into a controlling TTY. This continues to be used > as a malicious privilege escalation mechanism, and provides no > meaningful real-world utility any more. Its use is considered > a dangerous legacy operation, and can be disabled on most > systems. > > Say Y here only if you have confirmed that your system's > userspace depends on this functionality to continue operating > normally. > > Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can > use TIOCSTI even when this is set to N. > > This functionality can be changed at runtime with the > dev.tty.legacy_tiocsti sysctl. This configuration option sets > the default value of the sysctl. This patch therefore proposes to no longer allow legacy TIOCSTI usage in IPFire, given its security implications and the apparent lack of legitimate usage. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2024-01-16 15:46:37 +00:00
Arne Fitzenreiter	a93525c0ca	kernel: update to 6.6.12 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-16 12:41:08 +01:00
Arne Fitzenreiter	19e66d7e2b	kernel: update to 6.6.11 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-11 10:30:13 +01:00
Arne Fitzenreiter	d303f7c154	kernel: update to 6.6.10 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-07 16:08:31 +01:00
Arne Fitzenreiter	3920ba127f	kernel: update to 6.6.9 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2024-01-02 09:54:10 +01:00
Arne Fitzenreiter	bf92e55968	kernel: update to 6.6.8 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-21 13:50:59 +01:00
Arne Fitzenreiter	0108697131	kernel: update to 6.6.6 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-12 21:12:37 +01:00
Arne Fitzenreiter	5109f8ee7f	kernel: update to 6.6.5 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-08 16:12:17 +01:00
Arne Fitzenreiter	a7c9eca495	kernel: update to 6.6.4 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-05 17:17:40 +00:00
Arne Fitzenreiter	941190cb3a	kernel: update to 6.6.3 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-12-05 17:17:35 +00:00
Arne Fitzenreiter	95f9d9350d	kernel: update to 6.6.2 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-12-05 17:15:48 +00:00
Arne Fitzenreiter	8a37e7f0e3	kernel: update to 6.1.61 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-11-03 14:27:58 +00:00
Arne Fitzenreiter	cfe911bab5	kernel: update to 6.1.60 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-27 08:43:35 +00:00
Arne Fitzenreiter	cce398bca5	kernel: update to 6.1.59 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-25 11:01:30 +00:00
Arne Fitzenreiter	2b834ef42a	kernel: update to 6.1.58 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-25 11:01:30 +00:00
Peter Müller	447d0bf51e	linux: Disable io_uring This subsystem has been a frequent source of security vulnerabilities affecting the Linux kernel; as a result, Google announced on June 14, 2023, that they would disable it in their environment as widely as possible. IPFire does not depend on the availability of io_uring. Therefore, disable this subsystem as well in order to preemptively cut attack surface. See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-20 08:44:26 +00:00
Arne Fitzenreiter	554e339b9e	kernel: update to 6.1.57 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-13 08:13:12 +00:00
Arne Fitzenreiter	e275a07b67	kernel: update to 6.1.56 this also builds the dtb files on riscv64 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-10-09 08:13:02 +00:00
Arne Fitzenreiter	e5ad33d9ee	kernel: update 6.1.53 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-09-28 09:29:29 +00:00
Arne Fitzenreiter	14bd32221e	kernel: update to 6.1.52 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-09-28 09:29:23 +00:00
Arne Fitzenreiter	162a068448	kernel: update to 6.1.45 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-08-11 23:25:37 +02:00
Arne Fitzenreiter	6084fa89bf	kernel: update to 6.1.42 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-28 16:34:59 +00:00
Arne Fitzenreiter	50c07b4938	kernel: update to 6.1.41 fix for CVE-2023-20593 (Zenbleed) Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-26 16:01:20 +00:00
Arne Fitzenreiter	719864d37e	kernel: update to 6.1.40 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-25 10:39:22 +00:00
Arne Fitzenreiter	f2d5cb7c99	kernel: update to 6.1.39 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-21 09:34:12 +00:00
Peter Müller	e08399ddd3	linux: Trigger a BUG() when corruption of kernel data structures is detected Given that this will merely log such an incident, this can be safely enabled. Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-07-13 14:20:48 +00:00
Peter Müller	c084d8f970	linux: Enable Indirect Branch Tracking by default This became upstream default (see https://www.phoronix.com/news/Linux-IBT-By-Default-Tip for IT news media coverage), and given its security-relevance, we should adopt this setting as well. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-13 14:20:32 +00:00
Arne Fitzenreiter	f7447b1b8e	kernel: update to 6.1.38 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-13 14:20:18 +00:00
Arne Fitzenreiter	1a44c7a638	kernel: update to 6.1.37 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-07-09 14:57:38 +00:00
Arne Fitzenreiter	25aa552258	kernel: update to 6.1.30 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-30 09:21:34 +00:00
Arne Fitzenreiter	c6c78f8e11	kernel: update to 6.1.29 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-19 12:05:52 +00:00
Arne Fitzenreiter	6a005bd9aa	kernel: update to 6.1.28 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-16 18:53:01 +00:00
Peter Müller	e155e2f999	linux: Compile "Intel XHCI USB Role Switch" as a module on x86_64 From the kernel documentation: > Driver for the internal USB role switch for switching the USB data > lines between the xHCI host controller and the dwc3 gadget controller > found on various Intel SoCs. [...] This may unblock USB-LAN-adaptor usage on certain boards, as reported once in #12750. Overall affected devices seem to be scanty; nevertheless, enabling this as a module only is highly unlikely to cause any harm, so let's give it a try. Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-05-11 20:04:33 +00:00
Arne Fitzenreiter	6a0c5ef65a	kernel: update to 6.1.27 the layer7 patch is rebased to apply without fuzzing. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-05-03 05:07:17 +00:00
Peter Müller	6aa0837d24	linux: Update to 6.1.24 Compiling the kernel has automatically introduced CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to be confused with its stackleak counterpart). However, according to related documentation, this neither introduces a security nor performance disadvantage. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>	2023-04-19 09:33:38 +00:00
Peter Müller	1296cdc40b	linux: Align kernel configurations after merging 6.1 branch Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-01-18 23:09:22 +00:00
Arne Fitzenreiter	3e066f550b	kernel: update rootfiles and config Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2023-01-15 09:19:25 +00:00
Arne Fitzenreiter	6535255270	kernel: update to 6.1.3 the kernel-6.1.x series should be the next lts series...	2023-01-08 10:08:33 +00:00
Peter Müller	f46f939827	linux: Update configuration files and x86_64 rootfile Signed-off-by: Peter Müller <peter.mueller@ipfire.org>	2023-01-04 21:26:43 +00:00
Peter Müller	6647dd5c5c	linux: Disable the latent entropy plugin It does not generate cryptographically secure entropy. Backported from IPFire 3.x as 6aea180b26906f001611dcc0c54f494818069d8c. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2023-01-03 16:11:56 +00:00
Peter Müller	00efe232b7	linux: Disable syscalls that allows processes to r/w other processes' memory Backported from IPFire 3.x as 48931178ff83911c5bbc86194dea694845ae1608. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2023-01-03 16:11:20 +00:00
Peter Müller	a5fbbcf464	linux: Disable some character devices that do not make sense Inspired by IPFire 3.x (commit 472fb5fa6b1f77a2166407a8936fda6c8cbdb80b). Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2023-01-03 16:10:53 +00:00
Peter Müller	440e2c2e68	linux: Disable all sorts of useless Device Mapper targets This patch also compiles all sorts of device mapper stuff as modules. Backported from IPFire 3.x as 6fe31a44d07d8705ca7713c449ccbb3dbb9684a0. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2023-01-03 16:10:28 +00:00
Peter Müller	0186d8d0e1	linux: Disable ACPI configfs support This is disabled in IPFire 3.x, and projects such as grsecurity recommend doing so for security reasons as well. Also, skimming through our source code, there is no point where this ACPI configfs would have been explicitly mounted, which leads to the assumption that we never used it anyway. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>	2023-01-03 16:09:25 +00:00

1 2 3 4 5

209 Commits