Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot

From: Alexei Starovoitov
Date: Wed Aug 15 2018 - 22:10:45 EST


On Tue, Aug 14, 2018 at 07:14:00AM -0700, Andrew Lutomirski wrote:
> [Removed Fedora devel list because it's subscriber-only]
>
> > On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@xxxxxxxxx> wrote:
> >
> > Probably a good idea to cc: this to the kernel list :-)
> >
> > I suspect it's intentional but with the planned changes for iptables
> > etc to be backed by bpf in the upstream kernel sometime in the future
> > it's likely going to need to be reviewed.
> >
>
> I thought this got covered in review. I think this part of lockdown
> needs to get reverted or fixed ASAP.

I don't see lockdown in Linus's tree. Is this a Fedora-only issue?

> (I definitely brought up multiple issues with the bpf lockdown stuff.
> It's clearly extremely broken right now in the "new kernel breaks
> *current* Linux distro" sense.)

+1