Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot

From: Laura Abbott
Date: Thu Aug 16 2018 - 09:36:33 EST

Next message: Rasmus Villemoes: "[PATCH] fscache: don't duplicate seq_release_private"
Previous message: Colin King: "[PATCH] scsi: aacraid: remove unused variables dev and cpu"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08/15/2018 07:10 PM, Alexei Starovoitov wrote:

On Tue, Aug 14, 2018 at 07:14:00AM -0700, Andrew Lutomirski wrote:

[Removed Fedora devel list because it's subscriber-only]

On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@xxxxxxxxx> wrote:

Probably a good idea to cc: this to the kernel list :-)

I suspect it's intentional but with the planned changes for iptables
etc to be backed by bpf in the upstream kernel sometime in the future
it's likely going to need to be reviewed.

I thought this got covered in review. I think this part of lockdown
needs to get reverted or fixed ASAP.

I don't see lockdown in Linus's tree. Is this fedora only issue?

The entire lockdown/secure boot series is out of tree at the moment.
We're working to get it included. If you search LWN, you
can find some articles explaining the long saga of the patch series.

(I definitely brought up multiple issues with the bpf lockdown stuff.
It's clearly extremely broken right now in the "new kernel breaks
*current* Linux distro" sense.)

+1

Yes, we need to review what exactly is in Fedora. It's the merge
window so this is a good time to do that anyway. We're still
playing catch up after Flock in Dresden last week. Can you file
a bugzilla for tracking so we don't forget?

Thanks,
Laura

Next message: Rasmus Villemoes: "[PATCH] fscache: don't duplicate seq_release_private"
Previous message: Colin King: "[PATCH] scsi: aacraid: remove unused variables dev and cpu"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]