lockdown: set default (with Secure Boot) to LOCKDOWN_INTEGRITY_MAX (!230) · Merge requests · Debian kernel team / linux

Luca Boccassi requested to merge bluca/linux:lockdown_confidentiality into master Apr 07, 2020

LOCKDOWN_CONFIDENTIALITY_MAX restricts a lot of useful features, even security ones (like monitoring via BPF), while not adding that much value for common use cases. Set the default level to LOCKDOWN_INTEGRITY_MAX as Ubuntu, RedHat and SUSE did recently.

https://github.com/iovisor/bcc/issues/2565#issuecomment-606566675

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1868626

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=ef7c6600bb3e

https://bugzilla.redhat.com/show_bug.cgi?id=1815571

Edited Apr 07, 2020 by Luca Boccassi

lockdown: set default (with Secure Boot) to LOCKDOWN_INTEGRITY_MAX

Merge request reports