Bug 12432 - enable CONFIG_SECURITY_LOADPIN and CONFIG_SECURITY_LOADPIN_ENFORCE
Status: CLOSED WONTFIX
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Importance: - Unknown - Security
Assignee: Peter Müller
Blocks: KERNSEC
Reported: 2020-06-09 18:35 UTC by Peter Müller
Modified: 2023-03-20 15:20 UTC

Description Peter Müller 2020-06-09 18:35:24 UTC
> For every boot, any file read through the kernel file reading interface can
> be pinned to the first filesystem used for loading. Any file you try to load
> that comes from another filesystem will be rejected.

IMHO this can be safely enabled as there is no legitimate reason to swap filesystems on an IPFire machine during runtime.
Comment 3 Peter Müller 2023-03-20 15:20:00 UTC
Closing this, since we will probably never be able to turn this on, and since we enforce proper signing of kernel modules already, there is little security benefit in pinning them to the same filesystem.
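
The trade-off discussed in this bug can be checked on a given build with a small audit script; this is an added example, not IPFire code or part of the original report. The function names and the sample config are constructed for illustration, and the script reads only a kernel build config and a boot command line, not the runtime LSM state.

```shell
#!/bin/sh
# Added example (not IPFire code): summarise LoadPin and module-signature
# enforcement from a kernel build config plus a boot command line.

# kconfig_state FILE OPTION -> y, m, a literal value, n, or "absent"
kconfig_state() {
    awk -v opt="CONFIG_$2" '
        index($0, opt "=") == 1      { state = substr($0, length(opt) + 2) }
        $0 == "# " opt " is not set" { state = "n" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# cmdline_has CMDLINE PARAM -> success if PARAM is a whole boot parameter
cmdline_has() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# load_hardening FILE CMDLINE -> "loadpin=<mode> modsig=<mode>"
# mode is off, permissive (checked but not blocking) or enforce.
load_hardening() {
    loadpin=off modsig=off
    if [ "$(kconfig_state "$1" SECURITY_LOADPIN)" = y ]; then
        loadpin=permissive
        if [ "$(kconfig_state "$1" SECURITY_LOADPIN_ENFORCE)" = y ]; then loadpin=enforce; fi
        # loadpin.enforce= on the command line overrides the build default
        if cmdline_has "$2" loadpin.enforce=0; then loadpin=permissive; fi
        if cmdline_has "$2" loadpin.enforce=1; then loadpin=enforce; fi
    fi
    if [ "$(kconfig_state "$1" MODULE_SIG)" = y ]; then
        modsig=permissive
        if [ "$(kconfig_state "$1" MODULE_SIG_FORCE)" = y ]; then modsig=enforce; fi
        # module.sig_enforce can only switch enforcement on, never off
        if cmdline_has "$2" module.sig_enforce=1; then modsig=enforce; fi
    fi
    printf 'loadpin=%s modsig=%s\n' "$loadpin" "$modsig"
}

# Constructed sample config: module signing enforced, LoadPin off
sample_config() {
    printf '%s\n' 'CONFIG_MODULE_SIG=y' 'CONFIG_MODULE_SIG_FORCE=y' \
        '# CONFIG_SECURITY_LOADPIN is not set'
}

tmp=$(mktemp) && sample_config > "$tmp"
load_hardening "$tmp" 'root=/dev/sda3 ro quiet'
rm -f "$tmp"
```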