* [d-kernel] [PATCH 0/1] kiosk: change UID_MIN @ 2025-02-20 7:58 mcpain 2025-02-20 7:58 ` [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 mcpain 2025-02-21 18:11 ` [d-kernel] [PATCH 0/1] kiosk: change UID_MIN Vitaly Chikunov 0 siblings, 2 replies; 8+ messages in thread From: mcpain @ 2025-02-20 7:58 UTC (permalink / raw) To: devel-kernel From: Oleg Solovyov <mcpain@altlinux.org> UID_MIN became 1000 in Sisyphus and p11 kiosk should be aware of this change, otherwise it would block starting lightdm-greeter Oleg Solovyov (1): kiosk: MIN_UID 500 -> 1000 security/kiosk/kiosk_lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.42.4 ^ permalink raw reply [flat|nested] 8+ messages in thread
* [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 2025-02-20 7:58 [d-kernel] [PATCH 0/1] kiosk: change UID_MIN mcpain @ 2025-02-20 7:58 ` mcpain 2025-02-21 9:32 ` Sergey V Turchin 2025-02-25 1:07 ` Vitaly Chikunov 2025-02-21 18:11 ` [d-kernel] [PATCH 0/1] kiosk: change UID_MIN Vitaly Chikunov 1 sibling, 2 replies; 8+ messages in thread From: mcpain @ 2025-02-20 7:58 UTC (permalink / raw) To: devel-kernel From: Oleg Solovyov <mcpain@altlinux.org> --- security/kiosk/kiosk_lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c index 3cd4972086a4..18f810a1ce0f 100644 --- a/security/kiosk/kiosk_lsm.c +++ b/security/kiosk/kiosk_lsm.c @@ -282,7 +282,7 @@ static int kiosk_bprm_check_security(struct linux_binprm *bprm) if (kiosk_mode == KIOSK_PERMISSIVE) return 0; - if (cur_uid >= 500) { + if (cur_uid >= 1000) { bprm->secureexec = 1; if (bprm->executable != bprm->interpreter) return 0; -- 2.42.4 ^ permalink raw reply [flat|nested] 8+ messages in thread
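Review bot: the threshold in `if (cur_uid >= 1000)` stays a bare literal, although the subject calls it MIN_UID and the cover letter ties it to the distribution's UID_MIN. A named constant, with a comment that it must match the userspace UID_MIN of the branch the kernel is built for, would make that coupling visible right at the check. The commit message of 1/1 is also empty: the rationale (UID_MIN became 1000 in Sisyphus and p11, and the old value blocks lightdm-greeter) appears only in the 0/1 cover letter, so it should be repeated here together with the branches the change is meant for.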
* Re: [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 2025-02-20 7:58 ` [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 mcpain @ 2025-02-21 9:32 ` Sergey V Turchin 2025-02-21 11:46 ` Ivan A. Melnikov 2025-02-25 1:07 ` Vitaly Chikunov 1 sibling, 1 reply; 8+ messages in thread From: Sergey V Turchin @ 2025-02-21 9:32 UTC (permalink / raw) To: devel-kernel On Thursday, 20 February 2025 10:58:58 MSK mcpain wrote: > From: Oleg Solovyov <mcpain@altlinux.org> > > --- > security/kiosk/kiosk_lsm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) The main thing is that it doesn't land in p10, otherwise it will unlock all the kiosks. > diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c > index 3cd4972086a4..18f810a1ce0f 100644 > --- a/security/kiosk/kiosk_lsm.c > +++ b/security/kiosk/kiosk_lsm.c > @@ -282,7 +282,7 @@ static int kiosk_bprm_check_security(struct linux_binprm > *bprm) if (kiosk_mode == KIOSK_PERMISSIVE) > return 0; > > - if (cur_uid >= 500) { > + if (cur_uid >= 1000) { > bprm->secureexec = 1; > if (bprm->executable != bprm->interpreter) > return 0; -- Regards, Sergey. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 2025-02-21 9:32 ` Sergey V Turchin @ 2025-02-21 11:46 ` Ivan A. Melnikov 2025-02-21 13:11 ` Sergey V Turchin 0 siblings, 1 reply; 8+ messages in thread From: Ivan A. Melnikov @ 2025-02-21 11:46 UTC (permalink / raw) To: devel-kernel On Fri, Feb 21, 2025 at 12:32:01PM +0300, Sergey V Turchin wrote: > On Thursday, 20 February 2025 10:58:58 MSK mcpain wrote: > > From: Oleg Solovyov <mcpain@altlinux.org> > > > > --- > > security/kiosk/kiosk_lsm.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > The main thing is that it doesn't land in p10, otherwise it will unlock all the kiosks. So nobody upgrades kiosks from one branch to another? -- wbr, iv m. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 2025-02-21 11:46 ` Ivan A. Melnikov @ 2025-02-21 13:11 ` Sergey V Turchin 0 siblings, 0 replies; 8+ messages in thread From: Sergey V Turchin @ 2025-02-21 13:11 UTC (permalink / raw) To: devel-kernel On Friday, 21 February 2025 14:46:30 MSK Ivan Melnikov wrote: > On Fri, Feb 21, 2025 at 12:32:01PM +0300, Sergey V Turchin wrote: > > On Thursday, 20 February 2025 10:58:58 MSK mcpain wrote: > > > From: Oleg Solovyov <mcpain@altlinux.org> > > > > > > --- > > > > > > security/kiosk/kiosk_lsm.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > The main thing is that it doesn't land in p10, otherwise it will unlock all the kiosks. > > So nobody upgrades kiosks from one branch to another? That kind of thing doesn't happen all of a sudden. -- Regards, Sergey. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 2025-02-20 7:58 ` [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 mcpain 2025-02-21 9:32 ` Sergey V Turchin @ 2025-02-25 1:07 ` Vitaly Chikunov 2025-02-25 10:40 ` Oleg Solovyov 1 sibling, 1 reply; 8+ messages in thread From: Vitaly Chikunov @ 2025-02-25 1:07 UTC (permalink / raw) To: ALT Linux kernel packages development Oleg, On Thu, Feb 20, 2025 at 10:58:58AM +0300, mcpain@altlinux.org wrote: > From: Oleg Solovyov <mcpain@altlinux.org> > > --- > security/kiosk/kiosk_lsm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c > index 3cd4972086a4..18f810a1ce0f 100644 > --- a/security/kiosk/kiosk_lsm.c > +++ b/security/kiosk/kiosk_lsm.c > @@ -282,7 +282,7 @@ static int kiosk_bprm_check_security(struct linux_binprm *bprm) > if (kiosk_mode == KIOSK_PERMISSIVE) > return 0; > > - if (cur_uid >= 500) { > + if (cur_uid >= 1000) { Since this parameter depends on user space, it might have been worth making it controllable from user space. Users may experiment with kernels from other branches or tasks, or maintainers may make "pockets" with a copy of the Sisyphus kernel built for a specific branch. In that case they may not notice that the protection is not working. Just a thought, I'm not proposing to implement this. > bprm->secureexec = 1; > if (bprm->executable != bprm->interpreter) > return 0; > -- > 2.42.4 > > _______________________________________________ > devel-kernel mailing list > devel-kernel@lists.altlinux.org > https://lists.altlinux.org/mailman/listinfo/devel-kernel ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 2025-02-25 1:07 ` Vitaly Chikunov @ 2025-02-25 10:40 ` Oleg Solovyov 0 siblings, 0 replies; 8+ messages in thread From: Oleg Solovyov @ 2025-02-25 10:40 UTC (permalink / raw) To: devel-kernel In a message dated Tuesday, 25 February 2025, 04:07:09 Moscow Standard Time, Vitaly Chikunov wrote: > Oleg, > > On Thu, Feb 20, 2025 at 10:58:58AM +0300, mcpain@altlinux.org wrote: > > From: Oleg Solovyov <mcpain@altlinux.org> > > > > --- > > > > security/kiosk/kiosk_lsm.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c > > index 3cd4972086a4..18f810a1ce0f 100644 > > --- a/security/kiosk/kiosk_lsm.c > > +++ b/security/kiosk/kiosk_lsm.c > > @@ -282,7 +282,7 @@ static int kiosk_bprm_check_security(struct > > linux_binprm *bprm)> > > if (kiosk_mode == KIOSK_PERMISSIVE) > > > > return 0; > > > > - if (cur_uid >= 500) { > > + if (cur_uid >= 1000) { > > Since this parameter depends on user space, it might have been worth making > it controllable from user space. > > Users may experiment with kernels from other branches or > tasks, or maintainers may make "pockets" with a copy of the Sisyphus kernel > built for a specific branch. In that case they may not notice > that the protection is not working. > > Just a thought, I'm not proposing to implement this. I thought about that too, but couldn't figure out how to implement it. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [d-kernel] [PATCH 0/1] kiosk: change UID_MIN 2025-02-20 7:58 [d-kernel] [PATCH 0/1] kiosk: change UID_MIN mcpain 2025-02-20 7:58 ` [d-kernel] [PATCH 1/1] kiosk: MIN_UID 500 -> 1000 mcpain @ 2025-02-21 18:11 ` Vitaly Chikunov 1 sibling, 0 replies; 8+ messages in thread From: Vitaly Chikunov @ 2025-02-21 18:11 UTC (permalink / raw) To: ALT Linux kernel packages development On Thu, Feb 20, 2025 at 10:58:57AM +0300, mcpain@altlinux.org wrote: > From: Oleg Solovyov <mcpain@altlinux.org> > > UID_MIN became 1000 in Sisyphus and p11 > kiosk should be aware of this change, otherwise it would block starting > lightdm-greeter > > Oleg Solovyov (1): > kiosk: MIN_UID 500 -> 1000 Applied, thanks. c8978eb0af9d..b216d2ae8b41 6.12/sisyphus -> 6.12/sisyphus cdd8758de4b4..9f88a7c43f7b 6.13/sisyphus -> 6.13/sisyphus a43da59bd8dd..f162b33435c6 6.14/sisyphus -> 6.14/sisyphus 778cd07596b1..467447f2da81 6.6/sisyphus -> 6.6/sisyphus > > security/kiosk/kiosk_lsm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > -- > 2.42.4 > > _______________________________________________ > devel-kernel mailing list > devel-kernel@lists.altlinux.org > https://lists.altlinux.org/mailman/listinfo/devel-kernel ^ permalink raw reply [flat|nested] 8+ messages in thread