Date:   Thu, 16 Aug 2018 06:36:26 -0700
From:   Laura Abbott <labbott@...hat.com>
To:     Alexei Starovoitov <alexei.starovoitov@...il.com>,
        Andrew Lutomirski <luto@...nel.org>
Cc:     dhowells@...hat.com,
        Linus Torvalds <torvalds@...ux-foundation.org>, ast@...nel.org,
        Laura Abbott <labbott@...oraproject.org>,
        linux-kernel@...r.kernel.org,
        Linux API <linux-api@...r.kernel.org>,
        Kernel Fedora <kernel@...ts.fedoraproject.org>,
        daniel@...earbox.net
Subject: Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd
 feature with Secure Boot

On 08/15/2018 07:10 PM, Alexei Starovoitov wrote:
> On Tue, Aug 14, 2018 at 07:14:00AM -0700, Andrew Lutomirski wrote:
>> [Removed Fedora devel list because it's subscriber-only]
>>
>>> On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@...il.com> wrote:
>>>
>>> Probably a good idea to cc: this to the kernel list :-)
>>>
>>> I suspect it's intentional, but with the planned changes for iptables
>>> etc. to be backed by bpf in the upstream kernel sometime in the future,
>>> it's likely going to need to be reviewed.
>>>
>>
>> I thought this got covered in review. I think this part of lockdown
>> needs to get reverted or fixed ASAP.
> 
> I don't see lockdown in Linus's tree. Is this a Fedora-only issue?
> 

The entire lockdown/secure boot series is out of tree at the moment.
We're working to get it included. If you search LWN, you
can find some articles explaining the long saga of the patch series.

>> (I definitely brought up multiple issues with the bpf lockdown stuff.
>> It's clearly extremely broken right now in the "new kernel breaks
>> *current* Linux distro" sense.)
> 
> +1
> 

Yes, we need to review what exactly is in Fedora. It's the merge
window so this is a good time to do that anyway. We're still
playing catch up after Flock in Dresden last week. Can you file
a bugzilla for tracking so we don't forget?

Thanks,
Laura
