From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
configs: clean up LSM configs

1. Set CONFIG_SECURITY_LOCKDOWN_LSM=y on both Fedora and ARK and move the associated configs from fedora/ to common/. On both this is required for proper UEFI secure boot support.
2. Remove ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE - this config has been removed upstream.
3. Deduplicate default value of CONFIG_LSM_MMAP_MIN_ADDR - set it to 65536 under common/ and only override it in fedora/generic/arm/armv7/.
4. Trim LSMs that are not build-enabled from CONFIG_LSM on Fedora/ARK, which can now be unified under common/.

Note that this commit adds the Lockdown LSM to the default LSM list and therefore effectively enables it on both Fedora (where it was enabled in build, but disabled on boot) and ARK (where it wasn't even enabled at build). According to Peter Robinson and Al Stone it should be enabled, so hopefully this is the expected result.

Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

diff a/redhat/configs/ark/generic/CONFIG_LSM b/redhat/configs/ark/generic/CONFIG_LSM
--- a/redhat/configs/ark/generic/CONFIG_LSM
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LSM="yama,integrity,selinux"
diff a/redhat/configs/ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE b/redhat/configs/ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
--- a/redhat/configs/ark/generic/CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
diff a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
--- a/redhat/configs/fedora/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
+++ b/redhat/configs/common/generic/CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
diff a/redhat/configs/common/generic/CONFIG_LSM b/redhat/configs/common/generic/CONFIG_LSM
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_LSM
@@ -0,0 +1 @@
+CONFIG_LSM="lockdown,yama,integrity,selinux"
diff a/redhat/configs/ark/generic/CONFIG_LSM_MMAP_MIN_ADDR b/redhat/configs/common/generic/CONFIG_LSM_MMAP_MIN_ADDR
--- a/redhat/configs/ark/generic/CONFIG_LSM_MMAP_MIN_ADDR
+++ b/redhat/configs/common/generic/CONFIG_LSM_MMAP_MIN_ADDR
diff a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
--- a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM
+++ b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
diff a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
--- a/redhat/configs/fedora/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
+++ b/redhat/configs/common/generic/CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
diff a/redhat/configs/fedora/generic/CONFIG_LSM b/redhat/configs/fedora/generic/CONFIG_LSM
--- a/redhat/configs/fedora/generic/CONFIG_LSM
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
diff a/redhat/configs/fedora/generic/CONFIG_LSM_MMAP_MIN_ADDR b/redhat/configs/fedora/generic/CONFIG_LSM_MMAP_MIN_ADDR
--- a/redhat/configs/fedora/generic/CONFIG_LSM_MMAP_MIN_ADDR
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LSM_MMAP_MIN_ADDR=65536
diff a/redhat/configs/fedora/generic/x86/x86_64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT b/redhat/configs/fedora/generic/x86/x86_64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
--- a/redhat/configs/fedora/generic/x86/x86_64/CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
diff a/redhat/configs/pending-common/generic/CONFIG_SECURITY_LOCKDOWN_LSM b/redhat/configs/pending-common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
--- a/redhat/configs/pending-common/generic/CONFIG_SECURITY_LOCKDOWN_LSM
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/922
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
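Review bot: The enforcement effect of the new `CONFIG_LSM="lockdown,yama,integrity,selinux"` cannot be judged from this patch alone, because listing `lockdown` only makes it a boot-time default LSM; what it restricts is decided by CONFIG_LOCK_DOWN_KERNEL_FORCE_{NONE,INTEGRITY,CONFIDENTIALITY} and CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT, and those files are renamed from fedora/ to common/ here without their values appearing in the diff. That matters because the x86_64 override `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y` is deleted further down: if the common/generic file does not itself carry `=y`, x86_64 Fedora would stop locking down automatically under Secure Boot, the opposite of point 1 in the description, so please confirm the moved values (they are not visible from this patch). Placing `lockdown` first matches the upstream default ordering and is consistent with CONFIG_SECURITY_LOCKDOWN_LSM_EARLY also being moved to common/, so that part looks right. One caveat worth a line in the description: CONFIG_LSM is only the built-in default, so an `lsm=` kernel parameter that omits lockdown still disables it at boot unless the bootloader protects the command line.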