Bug 12431 - enable SECURITY_LOCKDOWN_LSM, SECURITY_LOCKDOWN_LSM_EARLY and LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
Status: CLOSED CANTFIX
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
: - Unknown - Security
Assignee: Peter Müller
Blocks: KERNSEC
Reported: 2020-06-09 18:22 UTC by Peter Müller
Modified: 2022-06-29 19:52 UTC
Description Peter Müller 2020-06-09 18:22:26 UTC
Triggered by output of #12430.

Refer to https://github.com/torvalds/linux/blob/master/security/lockdown/Kconfig for further information.
Comment 2 Peter Müller 2022-04-11 19:04:51 UTC
https://blog.ipfire.org/post/ipfire-2-27-core-update-167-is-available-for-testing

Since I am not sure if we can switch to the "enforce confidentiality" mode, I am bumping this to ON_QA.
Comment 3 Peter Müller 2022-04-27 18:27:47 UTC
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=250f6efc3868f97914c42e94361932d86bd910db

Resetting this back to ASSIGNED.
Comment 4 Peter Müller 2022-06-29 19:52:07 UTC
Most probably, we are never going to be able to enforce even the "integrity" mode in IPFire 2.x, since we cannot break firmware flashing, and there is no way of providing users with a system mode where constraints one usually wants to have in production are not applied.