Public bug reported:

The SafeSetID LSM is unlikely to be useful, by default, for a
general-purpose OS, but a system integrator may want to make use of it in
certain cases. We should build SafeSetID but not enable it by default in Ubuntu.
The LSM can be put to use using the lsm= kernel boot parameter. For
example, lsm=capability,yama,safesetid,apparmor could be specified to
make use of SafeSetID in addition to the LSMs that we use by default in
Ubuntu 19.10.

You can verify that it is enabled by reading the lsm file in securityfs:

$ cat /sys/kernel/security/lsm
capability,yama,safesetid,apparmor

Documentation on configuring SafeSetID can be found here:

https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html

** Affects: linux (Ubuntu)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress
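
The check described in the report, extended to tell "built but not enabled" apart from "not built". This is an added example, not part of the original bug report or of Ubuntu's tooling. The function names are hypothetical, and it assumes the kernel config is available as a file (on Ubuntu, /boot/config-$(uname -r)) with SafeSetID controlled by CONFIG_SECURITY_SAFESETID.

```shell
#!/bin/sh
# Added example (not from the bug report). Classifies SafeSetID state from
# three files, passed as parameters so saved copies can be checked too:
#   $1 kernel config     e.g. /boot/config-$(uname -r)   (assumed location)
#   $2 kernel cmdline    e.g. /proc/cmdline
#   $3 active LSM list   e.g. /sys/kernel/security/lsm

# Succeeds if comma-separated list $1 has an element exactly equal to $2.
# Wrapping both sides in commas avoids substring matches.
lsm_in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the value of the lsm= boot parameter found in file $1.
# Assumption: if lsm= is given more than once, the last occurrence is used.
cmdline_lsm() {
    tr ' ' '\n' < "$1" | sed -n 's/^lsm=//p' | tail -n 1
}

# Prints one of: active, not-built, requested-not-active, built-not-requested
safesetid_state() {
    config=$1
    cmdline=$2
    active=$3
    # The securityfs list is authoritative for what is running right now.
    if [ -r "$active" ] && lsm_in_list "$(cat "$active")" safesetid; then
        echo active
        return
    fi
    if ! grep -q '^CONFIG_SECURITY_SAFESETID=y' "$config" 2>/dev/null; then
        echo not-built
        return
    fi
    if lsm_in_list "$(cmdline_lsm "$cmdline")" safesetid; then
        echo requested-not-active   # e.g. inspecting a saved cmdline, or securityfs unreadable
    else
        echo built-not-requested    # the default this bug report proposes
    fi
}
```

On a live system: safesetid_state "/boot/config-$(uname -r)" /proc/cmdline /sys/kernel/security/lsm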

https://bugs.launchpad.net/bugs/1845391

Title:
  SafeSetID LSM should be built but disabled by default

Status in linux package in Ubuntu:
  In Progress
