kernel-5.15: disable IMA and SafeSetID LSM #2789

Merged
merged 2 commits into from
Feb 10, 2023

foersleo
Contributor

@foersleo foersleo commented Feb 9, 2023

Issue number:

Closes #2708, #2707

Description of changes:

As a fallout of the latest kernel updates we inherited some additional hardening features. Evaluating both of these features (IMA, SafeSetID LSM) we identified them as not applicable in a meaningful way in Bottlerocket. Hence, disable them to keep our kernel as lean as possible.

Testing done:

With disabling IMA we also remove a bunch of IMA sub-configurations that are not reachable anymore. We do not remove any unwanted options:

config-aarch64-5.15-aws-dev-diff:        18 removed,   0 added,   2 changed
config-aarch64-5.15-metal-dev-diff:      18 removed,   0 added,   2 changed
config-x86_64-5.15-aws-dev-diff:         16 removed,   0 added,   2 changed
config-x86_64-5.15-metal-dev-diff:       16 removed,   0 added,   2 changed

A full config diff for all versions can be found in this gist.

Running a test build locally in qemu worked as expected.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

The integrity measurement architecture is a kernel feature to allow for
runtime integrity checking of files. As the file system is immutable in
Bottlerocket and we are doing boot time integrity checking there is no
real use for IMA.

Signed-off-by: Leonard Foerster <foersleo@amazon.com>

We do not grant CAP_SETUID or CAP_SETGID to any of the users we have on
the host system. Using this LSM to control uid/gid transitions in a
finer grained way is not useful for our use case.

Signed-off-by: Leonard Foerster <foersleo@amazon.com>
@foersleo foersleo changed the title Disable ima kernel-5.15: disable IMA and SafeSetID LSM Feb 9, 2023
@foersleo foersleo merged commit d2c7d63 into bottlerocket-os:develop Feb 10, 2023
@foersleo foersleo deleted the disable_ima branch February 10, 2023 09:49
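
The check described under "Testing done" (count removed, added and changed options, then confirm nothing outside the intended set moved) can be scripted. This is an added example, not code from the pull request or the Bottlerocket project; the two config fragments are constructed samples and the helper names are hypothetical.

```python
import re

# Options the change means to turn off (assumption: sub-options share the prefix).
INTENDED = ("CONFIG_IMA", "CONFIG_SECURITY_SAFESETID")
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample fragments, not taken from the PR's gist.
BEFORE = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_DEFAULT_HASH="sha256"
# CONFIG_IMA_APPRAISE is not set
"""
AFTER = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SAFESETID is not set
CONFIG_INTEGRITY=y
# CONFIG_IMA is not set
"""

def parse_config(text):
    """Map option -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _SET.match(line.strip()) or _UNSET.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2) if m.re is _SET else "n"
    return opts

def diff_configs(before, after):
    """Return (removed, added, changed) option names, each sorted."""
    removed = sorted(before.keys() - after.keys())
    added = sorted(after.keys() - before.keys())
    changed = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return removed, added, changed

def unexpected(names):
    """Names that are neither an intended option nor one of its sub-options."""
    return [n for n in names if not any(n == p or n.startswith(p + "_") for p in INTENDED)]

if __name__ == "__main__":
    removed, added, changed = diff_configs(parse_config(BEFORE), parse_config(AFTER))
    print(len(removed), "removed,", len(added), "added,", len(changed), "changed;",
          "unexpected:", unexpected(removed + added + changed))
```

An empty `unexpected` list corresponds to the PR's statement that no unwanted options were removed; a hardening option that drops out as a side effect of the change would appear in it.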