Public bug reported:

The SafeSetID LSM is unlikely to be useful, by default, for a general purpose OS but a system integrator may want to make use of it in certain cases. We should build SafeSetID but not enable it by default in Ubuntu.

The LSM can be put to use using the lsm= kernel boot parameter. For example, lsm=capability,yama,safesetid,apparmor could be specified to make use of SafeSetID in addition to the LSMs that we use by default in Ubuntu 19.10.

You can verify that it is enabled by reading the lsm file in securityfs:

  $ cat /sys/kernel/security/lsm
  capability,yama,safesetid,apparmor

Documentation on configuring SafeSetID can be found here:

https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html

** Affects: linux (Ubuntu)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

Title:
  SafeSetID LSM should be built but disabled by default

https://bugs.launchpad.net/bugs/1845391
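A check for the lsm= setting and the securityfs verification described in the report, as an added example that is not part of the original bug report or of Ubuntu's kernel packaging. The helper names, the sample command line and the baseline list (the report's example list with safesetid removed) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for reviewing an lsm= value before a reboot and
# confirming the active list afterwards. All sample values are constructed.

# Print the value of the last lsm= parameter on a kernel command line ($1).
lsm_param_from_cmdline() (
    set -f                      # no globbing while splitting the command line
    value=""
    for word in $1; do
        case "$word" in
            lsm=*) value="${word#lsm=}" ;;
        esac
    done
    printf '%s\n' "$value"
)

# Succeed if the comma-separated LSM list $1 contains the exact name $2.
lsm_list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (space-separated) the names in baseline list $1 that are missing from
# proposed list $2. lsm= is the list the kernel is asked to initialise, so a
# default left out of it deserves a second look before rebooting.
omitted_lsms() (
    set -f
    IFS=,
    out=""
    for name in $1; do
        lsm_list_has "$2" "$name" || out="${out:+$out }$name"
    done
    printf '%s\n' "$out"
)

# Constructed command line using the lsm= value quoted in the report.
sample_cmdline="root=/dev/sda1 ro quiet lsm=capability,yama,safesetid,apparmor"
baseline="capability,yama,apparmor"   # assumption: report's list minus safesetid
proposed=$(lsm_param_from_cmdline "$sample_cmdline")
echo "proposed lsm= value: $proposed"
echo "baseline LSMs omitted: [$(omitted_lsms "$baseline" "$proposed")]"

# After reboot: the same verification the report performs with cat.
if [ -r /sys/kernel/security/lsm ]; then
    active=$(cat /sys/kernel/security/lsm)
    if lsm_list_has "$active" safesetid; then state="active"; else state="not active"; fi
    echo "safesetid is $state in: $active"
fi
```

On a running system, pass the contents of /proc/cmdline to lsm_param_from_cmdline in place of the constructed sample.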
