kjh
/
arch-linux-kernel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

FS#71270: Don't enable "bpf" LSM by default 

It provides all possible hooks, which makes it harder to properly use
major LSMs. Using security= to enable a major LSM puts it at the end of
the list. Some functions (like security_getprocattr) only use the first
matching hook, thus prefer bpf.
This commit is contained in:
Jan Alexander Steffens 2021-06-16 22:13:34 +00:00
parent 3f21513a71
commit d7bf404c33
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
PKGBUILD
View File

@ -25,7 +25,7 @@ validpgpkeys=(
'A2FF3A36AAA56654109064AB19802F8B0D70FC30' # Jan Alexander Steffens (heftig) 'A2FF3A36AAA56654109064AB19802F8B0D70FC30' # Jan Alexander Steffens (heftig)
) )
sha256sums=('SKIP' sha256sums=('SKIP'
'0d0691aa0f80fea0d9d204c05a845416dd443f3bb629cbb68e098e4d19cc841d') '3179e545a24ca7ed4c53fdc60299262381b9b2c587fb66c82aece2133ef762a9')
export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_HOST=archlinux
export KBUILD_BUILD_USER=$pkgbase export KBUILD_BUILD_USER=$pkgbase

4
config
View File

@ -1,6 +1,6 @@
# #
# Automatically generated file; DO NOT EDIT. # Automatically generated file; DO NOT EDIT.
# Linux/x86 5.12.8-arch1 Kernel Configuration # Linux/x86 5.12.10-arch1 Kernel Configuration
# #
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.1.0" CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.1.0"
CONFIG_CC_IS_GCC=y CONFIG_CC_IS_GCC=y
@ -9689,7 +9689,7 @@ CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set # CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_LSM="lockdown,yama,bpf" CONFIG_LSM="lockdown,yama"
# #
# Kernel hardening options # Kernel hardening options