diff options
author | Ben Hutchings <benh@debian.org> | 2022-07-05 16:12:29 +0000 |
---|---|---|
committer | Ben Hutchings <benh@debian.org> | 2022-07-05 16:12:29 +0000 |
commit | 7ae17ef63973b13e9f38410c152f376d6dfe203d (patch) | |
tree | 0f35e6c9873aa12f55cf41f1e2c2baa2458fcca7 | |
parent | 39d9cb94be5e2efd578ff4ed6a995cc0c7a636f1 (diff) | |
parent | 2b10c166d0da99f7738fa55e930807b7c3a07fc0 (diff) | |
download | linux-debian-7ae17ef63973b13e9f38410c152f376d6dfe203d.tar.gz |
Merge branch 'bug825141' into 'sid'
Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code
See merge request kernel-team/linux!504
-rwxr-xr-x | debian/bin/gencontrol.py | 2 | ||||
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/config/config | 3 |
3 files changed, 5 insertions, 2 deletions
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index b62cb400c..0233b01f2 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -619,7 +619,7 @@ class Gencontrol(Base): makeflags['KCONFIG'] = ' '.join(kconfig) makeflags['KCONFIG_OPTIONS'] = '' if build_signed: - makeflags['KCONFIG_OPTIONS'] += ' -o MODULE_SIG=y' + makeflags['KCONFIG_OPTIONS'] += ' -o SECURITY_LOCKDOWN_LSM=y -o MODULE_SIG=y' # Add "salt" to fix #872263 makeflags['KCONFIG_OPTIONS'] += \ ' -o "BUILD_SALT=\\"%(abiname)s%(localversion)s\\""' % vars diff --git a/debian/changelog b/debian/changelog index 243bc2d85..7a3fa30e6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -288,6 +288,8 @@ linux (5.18.8-1) UNRELEASED; urgency=medium * [rt] Update to 5.18-rt11: - Revert "softirq: Check preemption after reenabling interrupts" * Bump ABI to 3 + * Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code + (Closes: #825141) -- Ben Hutchings <benh@debian.org> Mon, 20 Jun 2022 12:48:13 +0200 diff --git a/debian/config/config b/debian/config/config index 789074230..ff21002cf 100644 --- a/debian/config/config +++ b/debian/config/config @@ -7776,7 +7776,8 @@ CONFIG_SECURITY_LANDLOCK=y ## ## file: security/lockdown/Kconfig ## -CONFIG_SECURITY_LOCKDOWN_LSM=y +#. This is overridden if the [build]signed-code setting is enabled +# CONFIG_SECURITY_LOCKDOWN_LSM is not set ## choice: Kernel default lockdown mode CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y ## end choice |