[Bug 1219222] New: Disable CONFIG_USELIB
https://bugzilla.suse.com/show_bug.cgi?id=1219222

Bug ID: 1219222
Summary: Disable CONFIG_USELIB
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: jack@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

uselib(2) system call is generally deprecated and was last needed with libc5.
Recently there were also issues with this syscall and path-based LSMs [1] so
from security POV it makes sense to disable CONFIG_USELIB if we don't need it.

[1] https://lore.kernel.org/all/20240124192228.work.788-kees@kernel.org

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c1

Jan Kara <jack@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |security-team@suse.de, tiwai@suse.com

--- Comment #1 from Jan Kara <jack@suse.com> ---
Adding security team to CC because disabling CONFIG_USELIB is mostly security
motivated. Takashi also had an idea we might want to still disable this for
SLE15-SP6 / ALP as well.

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c2

--- Comment #2 from Marcus Meissner <meissner@suse.com> ---
I would say do it. Security welcomes reduction of attack surface :)

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c3

--- Comment #3 from Takashi Iwai <tiwai@suse.com> ---
OK, I pushed the changes to SLE15-SP6 / ALP-current.
Shall I send a PR for stable/master branches?

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c5

--- Comment #5 from Takashi Iwai <tiwai@suse.com> ---
I pushed the updates for master and stable branches, too.

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c6

Jiri Slaby <jslaby@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |jslaby@suse.com

--- Comment #6 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Takashi Iwai from comment #5)
> I pushed the updates for master and stable branches, too.

Definitely appreciated! Merged.

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c7

Takashi Iwai <tiwai@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |rfrohl@suse.com

--- Comment #7 from Takashi Iwai <tiwai@suse.com> ---
The changes have been merged to master and stable branches.

I don't think we want to change the config of already released products?
Then the only remaining branch would be slowroll. Robert, please update the
config.

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c8

--- Comment #8 from Robert Frohl <rfrohl@suse.com> ---
(In reply to Takashi Iwai from comment #7)
> Then the only remaining branch would be slowroll. Robert, please update the
> config.

Ack, thanks for keeping me in the loop.

https://bugzilla.suse.com/show_bug.cgi?id=1219222#c9

--- Comment #9 from Robert Frohl <rfrohl@suse.com> ---
(In reply to Robert Frohl from comment #8)
> (In reply to Takashi Iwai from comment #7)
> > Then the only remaining branch would be slowroll. Robert, please update the
> > config.
>
> Ack, thanks for keeping me in the loop.

Should reach the test repo tomorrow.

https://bugzilla.suse.com/show_bug.cgi?id=1219222

Radoslav Tzvetkov <rtsvetkov@suse.com> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Status |NEW     |IN_PROGRESS

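One way to check whether a given kernel build carries the change discussed in this thread, added here as an example and not part of the bug report or the SUSE kernel sources. The function name `uselib_state` and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# Classify how a kernel config file treats CONFIG_USELIB.
# Prints one of: enabled | disabled | absent | unreadable
uselib_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unreadable; return 2; }
    # Kernel configs may be gzip-compressed (for example /proc/config.gz).
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Kconfig writes "CONFIG_USELIB=y" or "# CONFIG_USELIB is not set".
    # Anchor on the full symbol so similarly prefixed names do not match;
    # if the symbol appears more than once, the last occurrence is used.
    line=$($reader "$cfg" | grep -E '^(# )?CONFIG_USELIB( |=)' | tail -n 1)
    case $line in
        CONFIG_USELIB=y)              echo enabled;  return 1 ;;
        "# CONFIG_USELIB is not set") echo disabled; return 0 ;;
        # No mention at all: the file proves nothing either way.
        "")                           echo absent;   return 2 ;;
        *)                            echo "unexpected: $line"; return 2 ;;
    esac
}

# Constructed sample configs (not taken from any SUSE package).
demo_dir=$(mktemp -d)
printf 'CONFIG_SYSVIPC=y\nCONFIG_USELIB=y\n' > "$demo_dir/before.config"
printf 'CONFIG_SYSVIPC=y\n# CONFIG_USELIB is not set\n' > "$demo_dir/after.config"
printf 'CONFIG_SYSVIPC=y\n' > "$demo_dir/silent.config"
gzip -c "$demo_dir/after.config" > "$demo_dir/after.config.gz"

for f in "$demo_dir"/*; do
    printf '%s: %s\n' "${f##*/}" "$(uselib_state "$f")"
done
```

On a live system the same function can be pointed at `/boot/config-$(uname -r)`, or at `/proc/config.gz` where the kernel exposes it.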