NAK: [SRU] [B/C/D/Unstable] [PATCH 0/1] Make r8822be usable under kernel lockdown

Seth Forshee seth.forshee at canonical.com
Tue Jan 8 12:50:42 UTC 2019


On Mon, Jan 07, 2019 at 01:20:11AM +0800, Kai Heng Feng wrote:
> 
> 
> > On Dec 13, 2018, at 1:27 PM, Kai Heng Feng <kai.heng.feng at canonical.com> wrote:
> > 
> > 
> > 
> >> On Dec 11, 2018, at 04:51, Seth Forshee <seth.forshee at canonical.com> wrote:
> >> 
> >> On Thu, Dec 06, 2018 at 03:00:40PM +0800, Kai-Heng Feng wrote:
> >>> BugLink: http://bugs.launchpad.net/bugs/1806472
> >>> 
> >>> [Impact]
> >>> Realtek 8822be doesn't work under kernel lockdown.
> >>> 
> >>> [Fix]
> >>> Add r8822be.ko to signature-inclusion, so it can be signed and be loaded
> >>> when lockdown is enabled.
> >>> 
> >>> [Test]
> >>> Since I can't sign the kernel, it's not tested.
> >>> 
> >>> [Regression Potential]
> >>> Low. The driver is maintained by a Realtek guy, so bugs are actually
> >>> getting fixed.
> >> 
> >> I don't see any indication whether you've inspected the driver to see if
> >> any interfaces are exported to userspace which are unsafe under kernel
> >> lockdown. We're going to need to know that this has been done before
> >> allowing the driver to be signed.
> > 
> > I’ve checked the source, the driver uses mac80211 API to talk to userspace (nl80211), which should be safe.
> > 
> > Other than that it exposes a debugfs with write permission. All of them have input validations, so overall it’s in good shape.
> 
> If this isn’t safe enough, I think disabling the debugs of this driver should be good enough.

Yes, I think this is something we ought to do as we turn it off with the
non-staging rtlwifi driver. However the way the config option is done
makes this impossible, so I'm going to send a v2 series with patches to
turn off the debug option. So NAK for this patch without those patches.

Seth


