Bug 12432

Summary: enable CONFIG_SECURITY_LOADPIN and CONFIG_SECURITY_LOADPIN_ENFORCE
Product: IPFire Reporter: Peter Müller <peter.mueller>
Component: ---Assignee: Peter Müller <peter.mueller>
Status: CLOSED WONTFIX QA Contact:
Severity: Security    
Priority: - Unknown - CC: peter.mueller
Version: 2   
Hardware: unspecified   
OS: Unspecified   
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=12430
Bug Depends on:    
Bug Blocks: 12361    

Description Peter Müller 2020-06-09 18:35:24 UTC
> For every boot, any file read through the kernel file reading interface can
> be pinned to the first filesystem used for loading. If you try to load any
> file that comes from other filesystem will be rejected.

IMHO this can be safely enabled as there is no legitimate reason to swap filesystems on an IPFire machine during runtime.
Comment 3 Peter Müller 2023-03-20 15:20:00 UTC
Closing this, since we probably never be able to turn this on, and since we enforce proper signing of kernel modules already, there is little security benefit in pinning them to the same filesystem.