From patchwork Mon Oct 28 16:12:16 2024
X-Patchwork-Submitter: Juerg Haefliger
X-Patchwork-Id: 2003404
From: Juerg Haefliger
To: kernel-team@lists.ubuntu.com
Subject: [SRU][N:raspi][O:raspi][PATCH 1/1] UBUNTU: [Config] raspi: Enable landlock LSM by default
Date: Mon, 28 Oct 2024 17:12:16 +0100
Message-ID: <20241028161216.226888-2-juerg.haefliger@canonical.com>
In-Reply-To: <20241028161216.226888-1-juerg.haefliger@canonical.com>
References: <20241028161216.226888-1-juerg.haefliger@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2066885

The landlock LSM was introduced in 5.15 and forgotten to be enabled for raspi. The only difference to the generic kernel should be the (lack of the) lockdown LSM.

Signed-off-by: Juerg Haefliger
---
 debian.raspi/config/annotations | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian.raspi/config/annotations b/debian.raspi/config/annotations index f69c52956c3e..9e5dcdb57a3d 100644 --- a/debian.raspi/config/annotations +++ b/debian.raspi/config/annotations 
@@ -380,7 +380,7 @@ CONFIG_LOGO_LINUX_CLUT224 policy<{'arm64': 'y'}> note<'Req CONFIG_LOGO_LINUX_MONO policy<{'arm64': 'n'}> note<'Required for Pi (not in master)'> CONFIG_LOGO_LINUX_VGA16 policy<{'arm64': 'n'}> note<'Required for Pi (not in master)'> CONFIG_LOG_BUF_SHIFT policy<{'arm64': '17'}> note<'Different from master'> -CONFIG_LSM policy<{'arm64': '"yama,integrity,apparmor"'}> note<'Required for Pi (different from master)'> +CONFIG_LSM policy<{'arm64': '"landlock,yama,integrity,apparmor"'}> note<'Required for Pi (different from master)'> CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE policy<{'arm64': '0x1'}> note<'Required for Pi (different from master)'> CONFIG_MAX5432 policy<{'arm64': 'n'}> note<'Different from master'> CONFIG_MCTP policy<{'arm64': 'n'}> note<'Different from master'>
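
Review bot: In the `+CONFIG_LSM` line, adding `landlock` to the list only places it in the default LSM initialisation order; nothing in this hunk shows that `CONFIG_SECURITY_LANDLOCK` is `y` for arm64 in the raspi build, and a name listed in `CONFIG_LSM` for an LSM that is not built in is ignored at boot. Please confirm that option is set (inherited or annotated) and say so in the commit message, ideally quoting the generic kernel's `CONFIG_LSM` value so the statement that only lockdown differs can be checked against it. The unchanged annotation text `note<'Required for Pi (different from master)'>` could also name the actual difference (no lockdown LSM) and reference the BugLink. Since a boot-time `lsm=` parameter overrides this default, verification on a device should read /sys/kernel/security/lsm rather than rely on the config value alone.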