Bug#999551: marked as done (Support Landlock by default in Debian kernels)



Your message dated Thu, 11 Aug 2022 06:00:10 +0000
with message-id <E1oM1Eo-004xKE-NB@fasolo.debian.org>
and subject line Bug#999551: fixed in linux 5.18.16-1
has caused the Debian Bug report #999551,
regarding Support Landlock by default in Debian kernels
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
999551: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999551
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Version: 5.14.16-1
Severity: normal
Tags: patch
X-Debbugs-Cc: landlock@lists.linux.dev

Hi,

The Landlock security feature has been built into the Debian kernel since
5.13.12-1~exp1, which is great!  However, it is not enough to enable the
CONFIG_SECURITY_LANDLOCK option as described in the related help.  The
CONFIG_LSM option needs to have "landlock," prepended to it to make Landlock
system calls available without modifying the kernel boot arguments.

Could you please apply the attached patch to make this feature more
broadly available?

This can be validated with the tests provided by the kernel sources:

fakeroot make -C tools/testing/selftests TARGETS=landlock gen_tar
tar -xf tools/testing/selftests/kselftest_install/kselftest-packages/kselftest.tar.gz
# as root:
./run_kselftest.sh

If Yama is enabled, half of the ptrace tests may fail, which is OK.

Regards,
 Mickaël
--- a/config-5.14.0-4-amd64
+++ b/config-5.14.0-4-amd64
@@ -9275,7 +9275,7 @@ CONFIG_EVM_ATTR_FSUUID=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
 
 #
 # Kernel hardening options
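Review bot: the hunk is against config-5.14.0-4-amd64, which is the generated per-flavour config shipped in the binary package, so applied as-is it would only change this one amd64 flavour; the CONFIG_LSM change needs to be carried in the source package's configuration, where the LSM list is set once for all architectures, otherwise other architectures keep the old list. Prepending "landlock," while leaving CONFIG_DEFAULT_SECURITY_APPARMOR=y and the rest of the list untouched is the right shape for the change, since it adds Landlock without altering which major module is the default.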


--- End Message ---
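A userspace check for the situation the report describes, as an added example that is not part of the bug report or the Debian package: it probes the Landlock ABI version with landlock_create_ruleset(2) and uses that syscall's documented errno values to separate a kernel without CONFIG_SECURITY_LANDLOCK (ENOSYS) from one where Landlock is built but absent from CONFIG_LSM and the lsm= boot argument (EOPNOTSUPP). The fallback syscall number 444 and the LANDLOCK_CREATE_RULESET_VERSION value are assumptions used only when the installed UAPI headers do not define them.

```c
/* Added example, not from the bug report: tell "Landlock not built" apart from
 * "built but not enabled in CONFIG_LSM / lsm=" via landlock_create_ruleset(2). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444 /* assumed fallback: unified syscall table number */
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) /* assumed fallback from the UAPI header */
#endif
enum landlock_state {
    LL_ENABLED,           /* syscall returned an ABI version */
    LL_BUILT_NOT_ENABLED, /* EOPNOTSUPP: built, but absent from CONFIG_LSM / lsm= */
    LL_NOT_BUILT,         /* ENOSYS: no CONFIG_SECURITY_LANDLOCK, or kernel < 5.13 */
    LL_UNKNOWN
};
/* Pure classification of a probe result; ret >= 0 is the ABI version. */
static enum landlock_state classify_probe(long ret, int err)
{
    if (ret >= 0)
        return LL_ENABLED;
    if (err == EOPNOTSUPP)
        return LL_BUILT_NOT_ENABLED;
    if (err == ENOSYS)
        return LL_NOT_BUILT;
    return LL_UNKNOWN;
}
/* What an administrator has to change for each state. */
static const char *remediation(enum landlock_state s)
{
    switch (s) {
    case LL_ENABLED:           return "nothing to do";
    case LL_BUILT_NOT_ENABLED: return "add landlock to CONFIG_LSM or boot with lsm=landlock,...";
    case LL_NOT_BUILT:         return "needs a kernel with CONFIG_SECURITY_LANDLOCK=y";
    default:                   return "unexpected error, inspect errno";
    }
}
/* Ask the kernel for its highest supported Landlock ABI version. */
static long probe_landlock_abi(int *err_out)
{
    long ret = syscall(__NR_landlock_create_ruleset, NULL, 0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    *err_out = ret < 0 ? errno : 0;
    return ret;
}
int main(void)
{
    int err;
    long ret = probe_landlock_abi(&err);
    enum landlock_state s = classify_probe(ret, err);
    if (s == LL_ENABLED)
        printf("Landlock enabled, ABI version %ld\n", ret);
    else
        printf("Landlock unavailable (%s): %s\n", strerror(err), remediation(s));
    return s == LL_ENABLED ? 0 : 1;
}
```

On a kernel with the patch above applied the probe prints an ABI version; on the pre-patch Debian kernel it reports EOPNOTSUPP, which is exactly the gap the report is about.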
--- Begin Message ---
Source: linux
Source-Version: 5.18.16-1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 999551@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 10 Aug 2022 20:11:48 +0200
Source: linux
Architecture: source
Version: 5.18.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 999551
Changes:
 linux (5.18.16-1) unstable; urgency=medium
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.15
     - [arm64] pinctrl: armada-37xx: use raw spinlocks for regmap to avoid
       invalid wait context
     - [armhf] pinctrl: stm32: fix optional IRQ support to gpios
     - [riscv64] add as-options for modules with assembly compontents
     - lockdown: Fix kexec lockdown bypass with ima policy (CVE-2022-21505)
     - [armhf] mmc: sdhci-omap: Fix a lockdep warning for PM runtime init
     - [armhf] mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on
       program/erase times
     - drm/ttm: fix locking in vmap/vunmap TTM GEM helpers
     - drm/amd/display: Fix new dmub notification enabling in DM
     - drm/scheduler: Don't kill jobs in interrupt context
     - net: usb: ax88179_178a needs FLAG_SEND_ZLP
     - PCI: hv: Fix multi-MSI to allow more than one MSI vector
     - PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI
     - PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()
     - PCI: hv: Fix interrupt mapping for multi-MSI
     - r8152: fix a WOL issue
     - ip: Fix data-races around sysctl_ip_default_ttl.
     - xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in
       xfrm_bundle_lookup() (CVE-2022-36879)
     - RDMA/irdma: Do not advertise 1GB page size for x722
     - RDMA/irdma: Fix sleep from invalid context BUG
     - perf/core: Fix data race between perf_event_set_output() and
       perf_mmap_close()
     - e1000e: Enable GPT clock before sending message to CSME
     - Revert "e1000e: Fix possible HW unit hang after an s0ix exit"
     - igc: Reinstate IGC_REMOVED logic and implement it properly
     - ip: Fix data-races around sysctl_ip_no_pmtu_disc.
     - ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
     - ip: Fix data-races around sysctl_ip_fwd_update_priority.
     - ip: Fix data-races around sysctl_ip_nonlocal_bind.
     - ip: Fix a data-race around sysctl_ip_autobind_reuse.
     - ip: Fix a data-race around sysctl_fwmark_reflect.
     - tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.
     - tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if()
     - tcp: Fix data-races around sysctl_tcp_l3mdev_accept.
     - tcp: Fix data-races around sysctl_tcp_mtu_probing.
     - tcp: Fix data-races around sysctl_tcp_base_mss.
     - tcp: Fix data-races around sysctl_tcp_min_snd_mss.
     - tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor.
     - tcp: Fix a data-race around sysctl_tcp_probe_threshold.
     - tcp: Fix a data-race around sysctl_tcp_probe_interval.
     - net: stmmac: fix pm runtime issue in stmmac_dvr_remove()
     - net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow
     - tcp/udp: Make early_demux back namespacified.
     - net: stmmac: fix dma queue left shift overflow issue
     - net/tls: Fix race in TLS device down flow
     - igmp: Fix data-races around sysctl_igmp_llm_reports.
     - igmp: Fix a data-race around sysctl_igmp_max_memberships.
     - igmp: Fix data-races around sysctl_igmp_max_msf.
     - igmp: Fix data-races around sysctl_igmp_qrv.
     - tcp: Fix data-races around keepalive sysctl knobs.
     - tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries.
     - tcp: Fix data-races around sysctl_tcp_syncookies.
     - tcp: Fix data-races around sysctl_tcp_migrate_req.
     - tcp: Fix data-races around sysctl_tcp_reordering.
     - tcp: Fix data-races around some timeout sysctl knobs.
     - tcp: Fix a data-race around sysctl_tcp_notsent_lowat.
     - tcp: Fix a data-race around sysctl_tcp_tw_reuse.
     - tcp: Fix data-races around sysctl_max_syn_backlog.
     - tcp: Fix data-races around sysctl_tcp_fastopen.
     - tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout.
     - iavf: Fix VLAN_V2 addition/rejection
     - iavf: Disallow changing rx/tx-frames and rx/tx-frames-irq
     - iavf: Fix handling of dummy receive descriptors
     - iavf: Fix missing state logs
     - ACPI: CPPC: Don't require flexible address space if X86_FEATURE_CPPC is
       supported
     - [arm64] pinctrl: armada-37xx: Reuse GPIO fwnode in
       armada_37xx_irqchip_register()
     - [arm64] pinctrl: armada-37xx: make irq_lock a raw spinlock to avoid
       invalid wait context
     - i40e: Fix erroneous adapter reinitialization during recovery process
     - ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero
     - [arm64,armhf] net: dsa: fix dsa_port_vlan_filtering when global
     - [arm64,armhf] net: dsa: move reset of VLAN filtering to
       dsa_port_switchdev_unsync_attrs
     - [arm64,armhf] net: dsa: fix NULL pointer dereference in
       dsa_port_reset_vlan_filtering
     - net: stmmac: remove redunctant disable xPCS EEE call
     - [arm64,armhf] gpio: pca953x: only use single read/write for No AI mode
     - [arm64,armhf] gpio: pca953x: use the correct range when do regmap sync
     - [arm64,armhf] gpio: pca953x: use the correct register address when
       regcache sync during init
     - be2net: Fix buffer overflow in be_get_module_eeprom
     - [arm64,armhf] drm/panel-edp: Fix variable typo when saving hpd absent
       delay from DT
     - [arm64] drm/imx/dcss: Add missing of_node_put() in fail path
     - ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh.
     - ipv4: Fix data-races around sysctl_fib_multipath_hash_policy.
     - ipv4: Fix data-races around sysctl_fib_multipath_hash_fields.
     - ip: Fix data-races around sysctl_ip_prot_sock.
     - udp: Fix a data-race around sysctl_udp_l3mdev_accept.
     - tcp: Fix data-races around sysctl knobs related to SYN option.
     - tcp: Fix a data-race around sysctl_tcp_early_retrans.
     - tcp: Fix data-races around sysctl_tcp_recovery.
     - tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.
     - tcp: Fix data-races around sysctl_tcp_slow_start_after_idle.
     - tcp: Fix a data-race around sysctl_tcp_retrans_collapse.
     - tcp: Fix a data-race around sysctl_tcp_stdurg.
     - tcp: Fix a data-race around sysctl_tcp_rfc1337.
     - tcp: Fix a data-race around sysctl_tcp_abort_on_overflow.
     - tcp: Fix data-races around sysctl_tcp_max_reordering.
     - net/sched: cls_api: Fix flow action initialization
     - [arm*] spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for
       non DMA transfers
     - KVM: Don't null dereference ops->destroy
     - mm/mempolicy: fix uninit-value in mpol_rebind_policy()
     - bpf: Make sure mac_header was set before using it
     - sched/deadline: Fix BUG_ON condition for deboosted tasks
     - [x86] perf/x86/intel/lbr: Fix unchecked MSR access error on HSW
     - [x86] x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS
       parts
     - dlm: fix pending remove if msg allocation fails
     - [x86] crypto: qat - set to zero DH parameters before free
     - [x86] crypto: qat - use pre-allocated buffers in datapath
     - [x86] crypto: qat - refactor submission logic
     - [x86] crypto: qat - add backlog mechanism
     - [x86] crypto: qat - fix memory leak in RSA
     - [x86] crypto: qat - remove dma_free_coherent() for RSA
     - [x86] crypto: qat - remove dma_free_coherent() for DH
     - [x86] crypto: qat - add param check for RSA
     - [x86] crypto: qat - add param check for DH
     - [x86] crypto: qat - re-enable registration of algorithms
     - exfat: fix referencing wrong parent directory information after renaming
     - exfat: use updated exfat_chain directly during renaming
     - [x86] amd: Use IBPB for firmware calls
     - [x86] alternative: Report missing return thunk details
     - watchqueue: make sure to serialize 'wqueue->defunct' properly
     - [x86] ASoC: SOF: pm: add explicit behavior for ACPI S1 and S2
     - [x86] ASoC: SOF: pm: add definitions for S4 and S5 states
     - [x86] ASoC: SOF: Intel: disable IMR boot when resuming from ACPI S4 and S5
       states
     - watch-queue: remove spurious double semicolon
     https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.16
     - Bluetooth: Always set event mask on suspend
     - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
     - Revert "ocfs2: mount shared volume without ha stack"
     - userfaultfd: provide properly masked address for huge-pages
     - fs: sendfile handles O_NONBLOCK of out_fd
     - secretmem: fix unhandled fault in truncate
     - mm: fix page leak with multiple threads mapping the same page
     - mm: fix missing wake-up event for FSDAX pages
     - hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte
     - [s390x] archrandom: prevent CPACF trng invocations in interrupt context
     - [x86] intel_idle: Fix false positive RCU splats due to incorrect hardirqs
       state
     - watch_queue: Fix missing rcu annotation
     - watch_queue: Fix missing locking in add_watch_to_object()
     - tcp: Fix data-races around sysctl_tcp_dsack.
     - tcp: Fix a data-race around sysctl_tcp_app_win.
     - tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
     - tcp: Fix a data-race around sysctl_tcp_frto.
     - tcp: Fix a data-race around sysctl_tcp_nometrics_save.
     - tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save.
     - bridge: Do not send empty IFLA_AF_SPEC attribute
     - ice: Fix max VLANs available for VF
     - ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
     - ice: do not setup vlan for loopback VSI
     - ice: Fix VSIs unable to share unicast MAC
     - Revert "tcp: change pingpong threshold to 3"
     - tcp: md5: fix IPv4-mapped support
     - tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf.
     - tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
     - tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
     - scsi: core: Fix warning in scsi_alloc_sgtables()
     - scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown
     - net: ping6: Fix memleak in ipv6_renew_options().
     - ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
     - net/tls: Remove the context from the list in tls_device_down
     - net: pcs: xpcs: propagate xpcs_read error to xpcs_get_state_c37_sgmii
     - net: sungem_phy: Add of_node_put() for reference returned by
       of_get_parent()
     - tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
     - tcp: Fix a data-race around sysctl_tcp_tso_rtt_log.
     - tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
     - tcp: Fix a data-race around sysctl_tcp_autocorking.
     - tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
     - Documentation: fix sctp_wmem in ip-sysctl.rst
     - macsec: fix NULL deref in macsec_add_rxsa
     - macsec: fix error message in macsec_add_rxsa and _txsa
     - macsec: limit replay window size with XPN
     - macsec: always read MACSEC_SA_ATTR_PN as a u64
     - net: macsec: fix potential resource leak in macsec_add_rxsa() and
       macsec_add_txsa()
     - net: mld: fix reference count leak in mld_{query | report}_work()
     - tcp: Fix data-races around sk_pacing_rate.
     - net: Fix data-races around sysctl_[rw]mem(_offset)?.
     - tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
     - tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns.
     - tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
     - tcp: Fix data-races around sysctl_tcp_reflect_tos.
     - ipv4: Fix data-races around sysctl_fib_notify_on_flag_change.
     - i40e: Fix interface init with MSI interrupts (no MSI-X)
     - [arm64,armhf] net: dsa: fix reference counting for LAG FDBs
     - sctp: fix sleep in atomic context bug in timer handlers
     - netfilter: nf_queue: do not allow packet truncation below transport header
       offset (CVE-2022-36946)
     - scsi: ufs: Support clearing multiple commands at once
     - scsi: ufs: core: Fix a race condition related to device management
     - virtio-net: fix the race between refill work and close
     - perf symbol: Correct address for bss symbols
     - sfc: disable softirqs for ptp TX
     - sctp: leave the err path free in sctp_stream_init to sctp_stream_free
     - mm/hmm: fault non-owner device private entries
     - page_alloc: fix invalid watermark check on a negative value
     - tcp: Fix data-races around sysctl_tcp_workaround_signed_windows.
     - [armel,armhf] 9216/1: Fix MAX_DMA_ADDRESS overflow
     - docs/kernel-parameters: Update descriptions for "mitigations=" param with
       retbleed
     - locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by
       first waiter
     - [x86] bugs: Do not enable IBPB at firmware entry when IBPB is not
       available
 .
   [ Ben Hutchings ]
   * d/tests: kbuild test case depends on python3
   * d/tests: Run kbuild test with default flavour if quick flavour not defined
   * d/lib/python/debian_linux/debian.py: Add Architecture field to TestsControl
   * d/tests: Restrict kbuild tests to architectures with default or quick
     flavour
   * security: Add landlock and bpf to enabled LSM list (Closes: #999551)
 .
   [ Salvatore Bonaccorso ]
   * Bump ABI to 4
   * Add mitigations for Post-Barrier Return Stack Buffer Predictions (PBRSB)
     issue (CVE-2022-26373):
     - x86/speculation: Add RSB VM Exit protections
     - x86/speculation: Add LFENCE to RSB fill sequence
   * posix-cpu-timers: Cleanup CPU timers before freeing them during exec
     (CVE-2022-2585)
   * netfilter: nf_tables: do not allow SET_ID to refer to another table
     (CVE-2022-2586)
   * netfilter: nf_tables: do not allow CHAIN_ID to refer to another table
   * netfilter: nf_tables: do not allow RULE_ID to refer to another chain
   * net_sched: cls_route: remove from list when handle is 0 (CVE-2022-2588)
   * Revert "mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte"
     (CVE-2022-2590)


--- End Message ---