[OS-BUILD PATCHv3 1/2] configs: clean up LSM configs

From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

configs: clean up LSM configs

1. Set CONFIG_SECURITY_LOCKDOWN_LSM=y on both Fedora and ARK and move
   the associated configs from fedora/ to common/. On both this is
   required for proper UEFI secure boot support.
2. Remove ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE - this
   config has been removed upstream.
3. Deduplicate default value of CONFIG_LSM_MMAP_MIN_ADDR - set it to
   65536 under common/ and only override it in
   fedora/generic/arm/armv7/.
4. Trim LSMs that are not build-enabled from CONFIG_LSM on Fedora/ARK,
   which can now be unified under common/.

Note that this commit adds the Lockdown LSM to the default LSM list and
therefore effectively enables it on both Fedora (where it was enabled in
build, but disabled on boot) and ARK (where it wasn't even enabled at
build). According to Peter Robinson and Al Stone it should be enabled,
so hopefully this is the expected result.

Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

diff a/redhat/configs/ark/generic/CONFIG_LSM b/redhat/configs/ark/generic/CONFIG_LSM
--- a/redhat/configs/ark/generic/CONFIG_LSM
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LSM="yama,integrity,selinux"
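Review bot: deleting ark/generic/CONFIG_LSM makes ARK inherit the common list, and the new common/generic/CONFIG_LSM later in this same patch adds "lockdown" to a tree where, per the commit message, the Lockdown LSM was not even built before. That is the one behavioural change in an otherwise cosmetic cleanup, so it should be visible in the subject line (not only in the closing paragraph), and the message should say which ARK-side CONFIG_SECURITY_LOCKDOWN_LSM setting is being superseded, since only the pending-common "is not set" removal is shown here.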
diff a/redhat/configs/ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE b/redhat/configs/ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
--- a/redhat/configs/ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
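Review bot: the commit message says CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE was removed upstream but cites no upstream commit; please add the reference. It would also help to state explicitly that, with the symbol gone and CONFIG_SECURITY_SELINUX_BOOTPARAM still set, SELinux remains enabled by default on ARK and only selinux=0 on the command line disables it, so that nobody reads this deletion as flipping the default.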
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
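Review bot: these four LOCK_DOWN_* files are pure renames from fedora/generic/ to common/generic/, so the values ARK now inherits are not visible in the diff. CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE, _INTEGRITY and _CONFIDENTIALITY are a mutually exclusive Kconfig choice, and a forced integrity or confidentiality mode applies on every boot rather than only under secure boot; the commit message should state which one is selected and that this is what ARK wants, since item 1 only says lockdown is "required for proper UEFI secure boot support".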
diff a/redhat/configs/common/generic/CONFIG_LSM b/redhat/configs/common/generic/CONFIG_LSM
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_LSM
@@ -0,0 +1 @@
+CONFIG_LSM="lockdown,yama,integrity,selinux"
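Review bot: "lockdown" correctly heads the new list, matching upstream's default ordering; a short note in the commit message would stop a later cleanup from reordering it. Also worth stating that CONFIG_LSM is only the default: an explicit lsm= on the kernel command line overrides it, so "effectively enables it on both Fedora and ARK" holds for boots that do not pass lsm=, and any kickstart or tuning docs in the distro that set lsm= would need the same lockdown entry added.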
diff a/redhat/configs/ark/generic/CONFIG_LSM_MMAP_MIN_ADDR b/redhat/configs/common/generic/CONFIG_LSM_MMAP_MIN_ADDR
--- a/redhat/configs/ark/generic/CONFIG_LSM_MMAP_MIN_ADDR
+++ b/redhat/configs/common/generic/CONFIG_LSM_MMAP_MIN_ADDR
diff a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
--- a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM
+++ b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
diff a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
--- a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
+++ b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
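Review bot: CONFIG_SECURITY_LOCKDOWN_LSM and CONFIG_SECURITY_LOCKDOWN_LSM_EARLY are renamed without their contents being shown, yet item 1 of the message says the former is now =y on both trees. Please confirm both files carry =y after the move, because the secure-boot lockdown trigger is only effective if lockdown is registered early, and a stale "is not set" in the Fedora copy would now silently propagate to ARK as well.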
diff a/redhat/configs/fedora/generic/CONFIG_LSM b/redhat/configs/fedora/generic/CONFIG_LSM
--- a/redhat/configs/fedora/generic/CONFIG_LSM
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
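Review bot: the removed Fedora list carried loadpin, safesetid, smack, tomoyo and apparmor, which item 4 says are not build-enabled. Names in CONFIG_LSM that are not compiled in are simply skipped, so the trim is harmless only as long as that stays true for every Fedora arch and variant directory; please say in the message how this was checked (for instance that no CONFIG_SECURITY_APPARMOR=y or CONFIG_SECURITY_LOADPIN=y exists anywhere under redhat/configs/fedora/). Once the list lives in common/, enabling one of these LSMs in a variant later will not activate it by default unless common/generic/CONFIG_LSM is edited too, which is worth a comment for future maintainers.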
diff a/redhat/configs/fedora/generic/CONFIG_LSM_MMAP_MIN_ADDR b/redhat/configs/fedora/generic/CONFIG_LSM_MMAP_MIN_ADDR
--- a/redhat/configs/fedora/generic/CONFIG_LSM_MMAP_MIN_ADDR
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LSM_MMAP_MIN_ADDR=65536
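Review bot: item 3 says the 65536 default now lives under common/, but the diff only shows ark/generic/CONFIG_LSM_MMAP_MIN_ADDR renamed into common/ with its contents hidden, plus this Fedora copy being deleted. Please confirm the renamed ARK file actually contains 65536 (otherwise Fedora inherits whatever ARK had) and that fedora/generic/arm/armv7/CONFIG_LSM_MMAP_MIN_ADDR already exists with the lower armv7 value, since no change to that path appears in the patch.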
diff a/redhat/configs/fedora/generic/x86/x86_64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT b/redhat/configs/fedora/generic/x86/x86_64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
--- a/redhat/configs/fedora/generic/x86/x86_64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
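Review bot: this drops the x86_64-only CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y while the generic file of the same name is only renamed into common/ with no content shown. If that generic copy reads "is not set", Fedora x86_64 would lose the secure-boot lockdown trigger this override provided; please make sure the common copy is =y, as item 1 implies. Note as well that moving it to common/generic turns the trigger on for every EFI-capable arch on ARK (aarch64 included), which matches the stated intent but is broader than the previous x86_64-only scope and deserves a sentence in the message.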
diff a/redhat/configs/pending-common/generic/CONFIG_SECURITY_LOCKDOWN_LSM b/redhat/configs/pending-common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
--- a/redhat/configs/pending-common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
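Review bot: removing the pending-common "is not set" placeholder is the right call now that the option is decided in common/generic, but please also confirm no other pending-*/ copy of CONFIG_SECURITY_LOCKDOWN_LSM or its _EARLY companion remains, since a leftover placeholder would override the new common value during config generation.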

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx