authorBen Hutchings <benh@debian.org>2022-07-05 16:12:29 +0000
committerBen Hutchings <benh@debian.org>2022-07-05 16:12:29 +0000
commit7ae17ef63973b13e9f38410c152f376d6dfe203d (patch)
tree0f35e6c9873aa12f55cf41f1e2c2baa2458fcca7
parent39d9cb94be5e2efd578ff4ed6a995cc0c7a636f1 (diff)
parent2b10c166d0da99f7738fa55e930807b7c3a07fc0 (diff)
downloadlinux-debian-7ae17ef63973b13e9f38410c152f376d6dfe203d.tar.gz
Merge branch 'bug825141' into 'sid'
Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code See merge request kernel-team/linux!504
-rwxr-xr-xdebian/bin/gencontrol.py2
-rw-r--r--debian/changelog2
-rw-r--r--debian/config/config3
3 files changed, 5 insertions, 2 deletions
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index b62cb400c..0233b01f2 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -619,7 +619,7 @@ class Gencontrol(Base):
makeflags['KCONFIG'] = ' '.join(kconfig)
makeflags['KCONFIG_OPTIONS'] = ''
if build_signed:
- makeflags['KCONFIG_OPTIONS'] += ' -o MODULE_SIG=y'
+ makeflags['KCONFIG_OPTIONS'] += ' -o SECURITY_LOCKDOWN_LSM=y -o MODULE_SIG=y'
# Add "salt" to fix #872263
makeflags['KCONFIG_OPTIONS'] += \
' -o "BUILD_SALT=\\"%(abiname)s%(localversion)s\\""' % vars
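Review bot: The `if build_signed:` branch now forces two security options on, but nothing on the line says why they are tied to signing or that the override only matters while debian/config/config leaves them unset. A later edit to either file could then silently ship a signed kernel without lockdown or module signature support. A comment above the line would record the coupling, for example `# Only enable signature enforcement and lockdown where we sign code; the base config leaves these off (#825141)`. Since both options are security-relevant, it may also be worth checking the generated config of a signed flavour for `CONFIG_SECURITY_LOCKDOWN_LSM=y` and `CONFIG_MODULE_SIG=y` during the build, so a dropped override fails loudly. The enclosing method of `Gencontrol` starts and ends outside this hunk.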
diff --git a/debian/changelog b/debian/changelog
index 243bc2d85..7a3fa30e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -288,6 +288,8 @@ linux (5.18.8-1) UNRELEASED; urgency=medium
* [rt] Update to 5.18-rt11:
- Revert "softirq: Check preemption after reenabling interrupts"
* Bump ABI to 3
+ * Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code
+ (Closes: #825141)
-- Ben Hutchings <benh@debian.org> Mon, 20 Jun 2022 12:48:13 +0200
diff --git a/debian/config/config b/debian/config/config
index 789074230..ff21002cf 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -7776,7 +7776,8 @@ CONFIG_SECURITY_LANDLOCK=y
##
## file: security/lockdown/Kconfig
##
-CONFIG_SECURITY_LOCKDOWN_LSM=y
+#. This is overridden if the [build]signed-code setting is enabled
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
## choice: Kernel default lockdown mode
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
## end choice
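Review bot: The new `#.` comment says the setting is overridden for signed builds but not by what or to which value, so a reader of this file alone cannot tell that signed flavours still get `=y`. Something like `#. Forced to =y by debian/bin/gencontrol.py when [build]signed-code is enabled; unsigned builds compile the lockdown LSM out` would make that explicit. With the LSM compiled out, unsigned kernels presumably also lose the ability to opt in to lockdown at boot, which is worth stating for anyone building unsigned kernels locally. The `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` choice entry directly below stays set although its parent is now unset here. It is likely still needed once the override applies, and a short note saying so would keep it from being pruned as dead config.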