Message-ID: <CAObL_7GOOQ01NPf4y1MqRJh4S=CYV8NPmEGTbkrTcjrfUKc5LA@mail.gmail.com>
Date: Tue, 14 Aug 2018 07:14:00 -0700
From: Andrew Lutomirski <luto@...nel.org>
To: dhowells@...hat.com,
Linus Torvalds <torvalds@...ux-foundation.org>, ast@...nel.org,
Laura Abbott <labbott@...oraproject.org>,
linux-kernel@...r.kernel.org, Linux API <linux-api@...r.kernel.org>
Cc: Kernel Fedora <kernel@...ts.fedoraproject.org>
Subject: Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd
feature with Secure Boot
[Removed Fedora devel list because it's subscriber-only]
> On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@...il.com> wrote:
>
> Probably a good idea to cc: this to the kernel list :-)
>
> I suspect it's intentional but with the planned changes for iptables
> etc to be backed by bpf in the upstream kernel sometime in the future
> it's likely going to need to be reviewed.
>
I thought this got covered in review. I think this part of lockdown
needs to get reverted or fixed ASAP.
(I definitely brought up multiple issues with the bpf lockdown stuff.
It's clearly extremely broken right now in the "new kernel breaks
*current* Linux distro" sense.)
> Peter
>
>> On Tue, Aug 7, 2018 at 10:25 PM, Timothée Ravier <tim@...sm.fr> wrote:
>> Booting Fedora with Secure Boot enabled will result in Lockdown being enabled at boot time. This will completely disable the BPF system call for all users [1][2].
>>
>> Unfortunately, this breaks the IPAddressAllow & IPAddressDeny systemd feature [3][4][5].
>>
>> I don't have a solution for this, but as far as I understand, this will also prevent other BPF use-cases (for example: Cilium on Fedora CoreOS).
>>
>> [1] https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch#_1525
>> [2] https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?h=lockdown&id=0eb0d0851747787f7182b3e9d0d38edb5925a678
>> [3] https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
>> [4] https://github.com/systemd/systemd/blob/master/NEWS#L1192
>> [5] https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6
>> _______________________________________________
>> devel mailing list -- devel@...ts.fedoraproject.org
>> To unsubscribe send an email to devel-leave@...ts.fedoraproject.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/ZMEWJMQH6DDMV3AZ4IG7LOYMMIETCH42/
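A quick way to confirm the behaviour Timothée describes on a given boot is to issue the smallest possible bpf() call and look at the errno. The probe below is an added example written for this page, not code from the thread, the kernel or systemd. The command and map-type values (BPF_MAP_CREATE = 0, BPF_MAP_TYPE_ARRAY = 2) and the leading fields of union bpf_attr are copied from the Linux UAPI so the file builds without kernel headers; the struct, enum and function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Values copied from the Linux UAPI (include/uapi/linux/bpf.h) so that this
 * file builds without kernel headers installed. */
#define PROBE_BPF_MAP_CREATE      0
#define PROBE_BPF_MAP_TYPE_ARRAY  2

/* Leading fields of union bpf_attr as used by BPF_MAP_CREATE. The kernel
 * accepts a shorter attr and zero-fills the remainder, so this is enough for
 * a minimal array map. The struct name is this example's own. */
struct probe_map_create_attr {
    uint32_t map_type;
    uint32_t key_size;
    uint32_t value_size;
    uint32_t max_entries;
    uint32_t map_flags;
};

enum bpf_state {
    BPF_USABLE,       /* map created: bpf() works for this caller */
    BPF_UNAVAILABLE,  /* ENOSYS: kernel built without the syscall */
    BPF_DENIED,       /* EPERM: refused outright (lockdown), or caller lacks privilege */
    BPF_OTHER         /* anything else: inspect errno */
};

/* Pure classifier, kept separate from the syscall so it can be checked
 * without root or a particular kernel. */
enum bpf_state classify_bpf_result(long ret, int err)
{
    if (ret >= 0)
        return BPF_USABLE;
    switch (err) {
    case ENOSYS: return BPF_UNAVAILABLE;
    case EPERM:  return BPF_DENIED;
    default:     return BPF_OTHER;
    }
}

const char *bpf_state_name(enum bpf_state s)
{
    switch (s) {
    case BPF_USABLE:      return "usable";
    case BPF_UNAVAILABLE: return "unavailable (ENOSYS)";
    case BPF_DENIED:      return "denied (EPERM)";
    default:              return "other error";
    }
}

/* Try to create a one-entry array map. Returns the classification and, on
 * failure, stores errno in *err. The fd is closed at once; nothing is left
 * behind in the kernel. */
enum bpf_state probe_bpf_syscall(int *err)
{
    *err = 0;
#ifdef __NR_bpf
    struct probe_map_create_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_type    = PROBE_BPF_MAP_TYPE_ARRAY;
    attr.key_size    = sizeof(uint32_t);
    attr.value_size  = sizeof(uint32_t);
    attr.max_entries = 1;

    long fd = syscall(__NR_bpf, PROBE_BPF_MAP_CREATE, &attr, sizeof attr);
    if (fd < 0)
        *err = errno;
    else
        close((int)fd);
    return classify_bpf_result(fd, *err);
#else
    /* Not a Linux build: report the syscall as absent. */
    *err = ENOSYS;
    return classify_bpf_result(-1, *err);
#endif
}

int main(void)
{
    int err;
    enum bpf_state s = probe_bpf_syscall(&err);
    printf("bpf(BPF_MAP_CREATE): %s", bpf_state_name(s));
    if (s != BPF_USABLE)
        printf(" [errno %d: %s]", err, strerror(err));
    printf("\n");
    /* Non-zero exit: the syscall is refused, which is the situation the
     * thread describes for systemd's IPAddressAllow/IPAddressDeny. */
    return s == BPF_USABLE ? 0 : 1;
}
```

EPERM is not unique to lockdown: an unprivileged caller on a kernel with kernel.unprivileged_bpf_disabled=1, or a caller without CAP_SYS_ADMIN, gets the same errno. Run the probe as root, and compare the same kernel booted with and without Secure Boot, before attributing the failure to lockdown rather than to a sysctl.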