Bug#1003697: linux-image-5.10.0-9-amd64: Please support LSM SafeSetID
Package: src:linux
Version: 5.10.70-1
Severity: wishlist
X-Debbugs-Cc: earl_chew@yahoo.com
Dear Maintainer,
I would like to use LSM SafeSetID, and found that it is not supported:
$ cat /sys/kernel/security/lsm
lockdown,capability,yama,apparmor,tomoy
$ grep SAFESETID /boot/config-5.10.0-9-amd64
# CONFIG_SECURITY_SAFESETID is not set
As described in Documentation/admin-guide/LSM/SafeSetID.rst, the
SafeSetID module allows policy to be applied to CAP_SETUID and
CAP_SETGID to prevent unwanted privilege escalation.
I found a similar request made for Ubuntu kernels:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1845391
Earl
-- Package-specific info:
** Version:
Linux version 5.10.0-9-amd64 (debian-kernel@lists.debian.org) (gcc-10
(Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian)
2.35.2) #1 SMP Debian 5.10.70-1 (2021-09-30)
** Command line:
BOOT_IMAGE=/vmlinuz
root=/dev/disk/by-id/md-uuid-2cc5b643:b86d952e:e69a0b40:5cfe83e7 ro
rootflags=rw,errors=remount-ro
** Not tainted
** Kernel log:
Unable to read kernel log; any relevant messages should be attached
** Model information
sys_vendor:
product_name:
product_version:
chassis_vendor:
chassis_version:
bios_vendor: Intel Corp.
bios_version: MUCDT10N.86A.0076.2013.0618.1644
board_vendor: Intel Corporation
board_name: D2700MUD
board_version: AAG32419-504
** Loaded modules:
nft_redir
nft_chain_nat
nf_nat
nft_counter
nft_ct
nf_conntrack
nf_defrag_ipv6
nf_defrag_ipv4
binfmt_misc
loop
snd_hda_codec_realtek
snd_hda_codec_generic
ledtrig_audio
snd_hda_intel
snd_intel_dspcfg
soundwire_intel
soundwire_generic_allocation
snd_soc_core
snd_compress
soundwire_cadence
snd_hda_codec
snd_hda_core
snd_hwdep
soundwire_bus
snd_pcm
gma500_gfx
ppdev
snd_timer
iTCO_wdt
drm_kms_helper
snd
intel_pmc_bxt
evdev
intel_powerclamp
iTCO_vendor_support
soundcore
coretemp
pcspkr
parport_pc
watchdog
cec
at24
i2c_algo_bit
sg
parport
button
nf_tables
nfnetlink
drm
fuse
configfs
ip_tables
x_tables
autofs4
ext4
crc16
mbcache
jbd2
btrfs
blake2b_generic
raid10
raid456
async_raid6_recov
async_memcpy
async_pq
async_xor
async_tx
xor
raid6_pq
libcrc32c
crc32c_generic
raid0
multipath
linear
raid1
md_mod
sd_mod
t10_pi
crc_t10dif
crct10dif_generic
crct10dif_common
ahci
libahci
ehci_pci
uhci_hcd
ehci_hcd
libata
e1000e
usbcore
scsi_mod
i2c_i801
ptp
pps_core
lpc_ich
i2c_smbus
usb_common
video
** PCI devices:
<< snip >>
** USB devices:
<< snip >>
-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages linux-image-5.10.0-9-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.140
ii kmod 28-1
ii linux-base 4.6
Versions of packages linux-image-5.10.0-9-amd64 recommends:
ii apparmor 2.13.6-10
ii firmware-linux-free 20200122-1
Versions of packages linux-image-5.10.0-9-amd64 suggests:
pn debian-kernel-handbook <none>
ii grub-pc 2.04-20
pn linux-doc-5.10 <none>
Versions of packages linux-image-5.10.0-9-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
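To show what the requested LSM would let an administrator do once it is built in, here is an added POSIX shell example; it is not part of this bug report or of Debian's kernel packaging. It checks the running kernel's LSM list (the same file the report greps) for "safesetid", validates a constructed "UID1:UID2" policy, and installs it only when the LSM is active and the caller is root. The securityfs directory, the two allowlist file names and the line format follow my reading of Documentation/admin-guide/LSM/SafeSetID.rst for 5.10 and should be treated as an assumption; the UID and GID values are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: check for the SafeSetID LSM and
# prepare/load an allowlist policy for it. Paths and file format are my
# assumption from the 5.10 SafeSetID documentation; ids are constructed.

SAFESETID_DIR=/sys/kernel/security/safesetid   # assumed securityfs path

# safesetid_active LSMLIST: succeed when "safesetid" appears in the
# comma-separated list that /sys/kernel/security/lsm reports.
safesetid_active() {
    case ",$1," in
        *,safesetid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# policy_line_ok LINE: succeed only for "<decimal id>:<decimal id>".
policy_line_ok() {
    case "$1" in
        *[!0-9:]*|:*|*:|*:*:*|'') return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# validate_policy POLICY: print the number of well-formed lines; fail on
# the first malformed line so a bad policy is never written to the kernel.
validate_policy() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if policy_line_ok "$line"; then
            n=$((n + 1))
        else
            echo "malformed policy line: $line" >&2
            return 1
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Constructed policy: uid 1000 (a service account) may only setuid() to
# 1001 or 1002, and gid 1000 may only setgid() to 1001. Ids with no
# policy entry stay unrestricted, so list every id you intend to confine.
UID_POLICY="1000:1001
1000:1002"
GID_POLICY="1000:1001"

# install_policy UID_POLICY GID_POLICY: load the policy when SafeSetID is
# active and we are root; otherwise report why nothing was written.
install_policy() {
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    if ! safesetid_active "$lsm"; then
        echo "SafeSetID is not active (lsm=$lsm); it needs a kernel with" \
             "CONFIG_SECURITY_SAFESETID=y and safesetid in the lsm= list" >&2
        return 2
    fi
    validate_policy "$1" >/dev/null || return 1
    validate_policy "$2" >/dev/null || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "policy validated; rerun as root to write it to $SAFESETID_DIR" >&2
        return 3
    fi
    # Each write replaces the whole allowlist for that id type (assumption).
    printf '%s\n' "$1" > "$SAFESETID_DIR/uid_allowlist_policy"
    printf '%s\n' "$2" > "$SAFESETID_DIR/gid_allowlist_policy"
}

install_policy "$UID_POLICY" "$GID_POLICY" || :
```

On the kernel from this report the script stops at the first check, because the LSM list it reads lacks "safesetid"; that is the point of the request. The validation step is kept separate from the write so the policy can be linted on any machine before it is deployed to one where the LSM is active.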