Ubuntu
linux package

CONFIG_LSM should not specify loadpin since it is not built

Bug #1845383 reported by Tyler Hicks on 2019-09-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Low	Tyler Hicks
	Disco	Won't Fix	Low	Tyler Hicks

Bug Description

[Impact]

While inspecting our kernel configs, I noticed that "loadpin" is present in the CONFIG_LSM string but CONFIG_SECURITY_LOADPIN is not enabled. This is harmless but should be cleaned up.

[Test Case]

Ensure that /sys/kernel/security/lsm still contains "capability,yama,apparmor" after rebooting into the new kernel:

$ cat /sys/kernel/security/lsm
capability,yama,apparmor

Ensure that the current kernel's config does not specify "loadpin" in the CONFIG_LSM value:

$ grep CONFIG_LSM= /boot/config-$(uname -r)
CONFIG_LSM="yama,integrity,apparmor"

[Regression Potential]

Low. This just limits the CONFIG_LSM value to only contain LSMs that are being built.

CVE References

Tyler Hicks (tyhicks) on 2019-09-25

Changed in linux (Ubuntu Disco):
status:	New → Triaged
importance:	Undecided → Low
assignee:	nobody → Tyler Hicks (tyhicks)

Seth Forshee (sforshee) on 2019-09-27

Changed in linux (Ubuntu):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-10-10:

Download full text (7.6 KiB)

This bug was fixed in the package linux - 5.3.0-17.18

---------------
linux (5.3.0-17.18) eoan; urgency=medium

* eoan/linux: 5.3.0-17.18 -proposed tracker (LP: #1846641)

* CVE-2019-17056
- nfc: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17055
- mISDN: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17054
- appletalk: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17053
- ieee802154: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17052
- ax25: enforce CAP_NET_RAW for raw sockets

* CVE-2019-15098
- ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()

  * xHCI on AMD Stoney Ridge cannot detect USB 2.0 or 1.1 devices.
    (LP: #1846470)
    - x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect

  * Re-enable linux-libc-dev build on i386 (LP: #1846508)
    - [Packaging] Build only linux-libc-dev for i386
    - [Debian] final-checks -- ignore archtictures with no binaries

  * arm64: loop on boot after installing linux-generic-hwe-18.04-edge/bionic-
    proposed (LP: #1845820)
    - [Config] Disable CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT

* Revert ESE DASD discard support (LP: #1846219)
- SAUCE: Revert "s390/dasd: Add discard support for ESE volumes"

* Miscellaneous Ubuntu changes
- update dkms package versions

linux (5.3.0-16.17) eoan; urgency=medium

* eoan/linux: 5.3.0-16.17 -proposed tracker (LP: #1846204)

* zfs fails to build on s390x with debug symbols enabled (LP: #1846143)
- SAUCE: s390: Mark atomic const ops always inline

linux (5.3.0-15.16) eoan; urgency=medium

* eoan/linux: 5.3.0-15.16 -proposed tracker (LP: #1845987)

  * Drop i386 build for 19.10 (LP: #1845714)
    - [Packaging] Remove x32 arch references from control files
    - [Debian] final-checks -- Get arch list from debian/control

* ZFS kernel modules lack debug symbols (LP: #1840704)
- [Debian] Fix conditional for setting zfs debug package path

  * Use pyhon3-sphinx instead of python-sphinx for building html docs
    (LP: #1845808)
    - [Packaging] Update sphinx build dependencies to python3 packages

  * Kernel panic with 19.10 beta image (LP: #1845454)
    - efi/tpm: Don't access event->count when it isn't mapped.
    - efi/tpm: don't traverse an event log with no events
    - efi/tpm: only set efi_tpm_final_log_size after successful event log parsing

linux (5.3.0-14.15) eoan; urgency=medium

* eoan/linux: 5.3.0-14.15 -proposed tracker (LP: #1845728)

  * Drop i386 build for 19.10 (LP: #1845714)
    - [Debian] Remove support for producing i386 kernels
    - [Debian] Don't use CROSS_COMPILE for i386 configs

  * udevadm trigger will fail when trying to add /sys/devices/vio/
    (LP: #1845572)
    - SAUCE: powerpc/vio: drop bus_type from parent device

  * Trying to online dasd drive results in invalid input/output from the kernel
    on z/VM (LP: #1845323)
    - SAUCE: s390/dasd: Fix error handling during online processing

* intel-lpss driver conflicts with write-combining MTRR region (LP: #1845584)
- SAUCE: mfd: intel-lpss: add quirk for Dell XPS 13 7390 2-in-1

* Support Hi1620 zip hw accelerator (LP: #1845355)
- [Config] Enable HiSilicon QM/ZIP as module...

This bug was fixed in the package linux - 5.3.0-17.18

---------------
linux (5.3.0-17.18) eoan; urgency=medium

* eoan/linux: 5.3.0-17.18 -proposed tracker (LP: #1846641)

* CVE-2019-17056
    - nfc: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17055
    - mISDN: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17054
    - appletalk: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17053
    - ieee802154: enforce CAP_NET_RAW for raw sockets

* CVE-2019-17052
    - ax25: enforce CAP_NET_RAW for raw sockets

* CVE-2019-15098
    - ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()

* xHCI on AMD Stoney Ridge cannot detect USB 2.0 or 1.1 devices.
    (LP: #1846470)
    - x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect

* Re-enable linux-libc-dev build on i386 (LP: #1846508)
    - [Packaging] Build only linux-libc-dev for i386
    - [Debian] final-checks -- ignore archtictures with no binaries

* arm64: loop on boot after installing linux-generic-hwe-18.04-edge/bionic-
    proposed (LP: #1845820)
    - [Config] Disable CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT

* Revert ESE DASD discard support (LP: #1846219)
    - SAUCE: Revert "s390/dasd: Add discard support for ESE volumes"

* Miscellaneous Ubuntu changes
    - update dkms package versions

linux (5.3.0-16.17) eoan; urgency=medium

* eoan/linux: 5.3.0-16.17 -proposed tracker (LP: #1846204)

* zfs fails to build on s390x  with debug symbols enabled (LP: #1846143)
    - SAUCE: s390: Mark atomic const ops always inline

linux (5.3.0-15.16) eoan; urgency=medium

* eoan/linux: 5.3.0-15.16 -proposed tracker (LP: #1845987)

* Drop i386 build for 19.10 (LP: #1845714)
    - [Packaging] Remove x32 arch references from control files
    - [Debian] final-checks -- Get arch list from debian/control

* ZFS kernel modules lack debug symbols (LP: #1840704)
    - [Debian] Fix conditional for setting zfs debug package path

* Use pyhon3-sphinx instead of python-sphinx for building html docs
    (LP: #1845808)
    - [Packaging] Update sphinx build dependencies to python3 packages

linux (5.3.0-14.15) eoan; urgency=medium

* eoan/linux: 5.3.0-14.15 -proposed tracker (LP: #1845728)

* Drop i386 build for 19.10 (LP: #1845714)
    - [Debian] Remove support for producing i386 kernels
    - [Debian] Don't use CROSS_COMPILE for i386 configs

* udevadm trigger will fail when trying to add /sys/devices/vio/
    (LP: #1845572)
    - SAUCE: powerpc/vio: drop bus_type from parent device

* Trying to online dasd drive results in invalid input/output from the kernel
    on z/VM (LP: #1845323)
    - SAUCE: s390/dasd: Fix error handling during online processing

* intel-lpss driver conflicts with write-combining MTRR region (LP: #1845584)
    - SAUCE: mfd: intel-lpss: add quirk for Dell XPS 13 7390 2-in-1

* Support Hi1620 zip hw accelerator (LP: #1845355)
    - [Config] Enable HiSilicon QM/ZIP as modules
    - crypto: hisilicon - add queue management driver for HiSilicon QM module
    - crypto: hisilicon - add hardware SGL support
    - crypto: hisilicon - add HiSilicon ZIP accelerator support
    - crypto: hisilicon - add SRIOV support for ZIP
    - Documentation: Add debugfs doc for hisi_zip
    - crypto: hisilicon - add debugfs for ZIP and QM
    - MAINTAINERS: add maintainer for HiSilicon QM and ZIP controller driver
    - crypto: hisilicon - fix kbuild warnings
    - crypto: hisilicon - add dependency for CRYPTO_DEV_HISI_ZIP
    - crypto: hisilicon - init curr_sgl_dma to fix compile warning
    - crypto: hisilicon - add missing single_release
    - crypto: hisilicon - fix error handle in hisi_zip_create_req_q
    - crypto: hisilicon - Fix warning on printing %p with dma_addr_t
    - crypto: hisilicon - Fix return value check in hisi_zip_acompress()
    - crypto: hisilicon - avoid unused function warning

* SafeSetID LSM should be built but disabled by default (LP: #1845391)
    - LSM: SafeSetID: Stop releasing uninitialized ruleset
    - [Config] Build SafeSetID LSM but don't enable it by default

* CONFIG_LSM should not specify loadpin since it is not built (LP: #1845383)
    - [Config] loadpin shouldn't be in CONFIG_LSM

* Add new pci-id's for CML-S, ICL (LP: #1845317)
    - drm/i915/icl: Add missing device ID
    - drm/i915/cml: Add Missing PCI IDs

* Thunderbolt support for ICL (LP: #1844680)
    - thunderbolt: Correct path indices for PCIe tunnel
    - thunderbolt: Move NVM upgrade support flag to struct icm
    - thunderbolt: Use 32-bit writes when writing ring producer/consumer
    - thunderbolt: Do not fail adding switch if some port is not implemented
    - thunderbolt: Hide switch attributes that are not set
    - thunderbolt: Expose active parts of NVM even if upgrade is not supported
    - thunderbolt: Add support for Intel Ice Lake
    - ACPI / property: Add two new Thunderbolt property GUIDs to the list

* Ubuntu 19.10 -  Additional PCI patch and fix (LP: #1844668)
    - s390/pci: fix MSI message data

* Enhanced Hardware Support - Finalize Naming (LP: #1842774)
    - s390: add support for IBM z15 machines
    - [Config] CONFIG_MARCH_Z15=n, CONFIG_TUNE_Z15=n

* Eoan update: v5.3.1 upstream stable release (LP: #1845642)
    - USB: usbcore: Fix slab-out-of-bounds bug during device reset
    - media: tm6000: double free if usb disconnect while streaming
    - phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current
    - ip6_gre: fix a dst leak in ip6erspan_tunnel_xmit
    - net/sched: fix race between deactivation and dequeue for NOLOCK qdisc
    - net_sched: let qdisc_put() accept NULL pointer
    - udp: correct reuseport selection with connected sockets
    - xen-netfront: do not assume sk_buff_head list is empty in error handling
    - net: dsa: Fix load order between DSA drivers and taggers
    - net: stmmac: Hold rtnl lock in suspend/resume callbacks
    - KVM: coalesced_mmio: add bounds checking
    - Documentation: sphinx: Add missing comma to list of strings
    - firmware: google: check if size is valid when decoding VPD data
    - serial: sprd: correct the wrong sequence of arguments
    - tty/serial: atmel: reschedule TX after RX was started
    - nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
    - Revert "arm64: Remove unnecessary ISBs from set_{pte,pmd,pud}"
    - ovl: fix regression caused by overlapping layers detection
    - phy: qcom-qmp: Correct ready status, again
    - floppy: fix usercopy direction
    - media: technisat-usb2: break out of loop at end of buffer
    - Linux 5.3.1

* ZFS kernel modules lack debug symbols (LP: #1840704)
    - [Debian]: Remove hardcoded $(pkgdir) in debug symbols handling
    - [Debian]: Handle debug symbols for modules in extras too
    - [Debian]: Check/link modules with debug symbols after DKMS modules
    - [Debian]: Warn about modules without debug symbols
    - [Debian]: dkms-build: new parameter for debug package directory
    - [Debian]: dkms-build: zfs: support for debug symbols
    - [Debian]: dkms-build: Avoid executing post-processor scripts twice
    - [Debian]: dkms-build: Move zfs special-casing into configure script

* /proc/self/maps paths missing on live session (was vlc won't start; eoan
    19.10 & bionic 18.04 ubuntu/lubuntu/kubuntu/xubuntu/ubuntu-mate dailies)
    (LP: #1842382)
    - SAUCE: Revert "UBUNTU: SAUCE: shiftfs: enable overlayfs on shiftfs"

-- Seth Forshee <seth.forshee@canonical.com>  Thu, 03 Oct 2019 16:57:05 -0500

Changed in linux (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2019-11-12: Autopkgtest regression report (linux-gcp-5.3/5.3.0-1008.9~18.04.1)

All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-1008.9~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-gcp-5.3/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Steve Langasek (vorlon) on 2020-07-02