Bug 1219222

Summary: Disable CONFIG_USELIB
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Jan Kara <jack>
Component: Kernel
Assignee: openSUSE Kernel Bugs <kernel-bugs>
Status: IN_PROGRESS ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: jslaby, rfrohl, security-team, tiwai
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jan Kara 2024-01-26 10:59:43 UTC
The uselib(2) system call is generally deprecated and was last needed with libc5. Recently there were also issues with this syscall and path-based LSMs [1], so from a security POV it makes sense to disable CONFIG_USELIB if we don't need it.

[1] https://lore.kernel.org/all/20240124192228.work.788-kees@kernel.org
Comment 1 Jan Kara 2024-01-29 16:56:00 UTC
Adding security team to CC because disabling CONFIG_USELIB is mostly security motivated.

Takashi also had an idea we might want to still disable this for SLE15-SP6 / ALP as well.
Comment 2 Marcus Meissner 2024-01-30 09:39:04 UTC
I would say do it. Security welcomes reduction of attack surface :)
Comment 3 Takashi Iwai 2024-01-30 15:23:01 UTC
OK, I pushed the changes to SLE15-SP6 / ALP-current.

Shall I send a PR for stable/master branches?
Comment 5 Takashi Iwai 2024-02-02 08:36:40 UTC
I pushed the updates for master and stable branches, too.
Comment 6 Jiri Slaby 2024-02-02 09:00:39 UTC
(In reply to Takashi Iwai from comment #5)
> I pushed the updates for master and stable branches, too.

Definitely appreciated! Merged.
Comment 7 Takashi Iwai 2024-02-06 09:00:51 UTC
The changes have been merged to master and stable branches.

I don't think we want to change the config of already released products?

Then the only remaining branch would be slowroll.  Robert, please update the config.
Comment 8 Robert Frohl 2024-02-06 09:16:56 UTC
(In reply to Takashi Iwai from comment #7)
> Then the only remaining branch would be slowroll.  Robert, please update the
> config.

Ack, thanks for keeping me in the loop.
Comment 9 Robert Frohl 2024-02-06 11:58:54 UTC
(In reply to Robert Frohl from comment #8)
> (In reply to Takashi Iwai from comment #7)
> > Then the only remaining branch would be slowroll.  Robert, please update the
> > config.
> 
> Ack, thanks for keeping me in the loop.

Should reach the test repo tomorrow.
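
A way to confirm on an installed system that a kernel was built with CONFIG_USELIB turned off, as discussed in this report. This is an added example, not part of the bug report or of any SUSE tooling; the function names `kconfig_state` and `audit_uselib` are hypothetical, and the paths in the usage comment are the usual config locations, assumed to exist on the system being checked.

```shell
#!/bin/sh
# Added example (not from the bug report): audit kernel config files for
# CONFIG_USELIB. Function names are hypothetical.
#
# Usage: sh check-uselib.sh /proc/config.gz "/boot/config-$(uname -r)"

# kconfig_state SYMBOL FILE
# Prints one of: enabled | module | disabled | absent | other | unreadable
kconfig_state() {
    sym=$1
    file=$2
    [ -r "$file" ] || { echo unreadable; return 0; }
    case $file in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;        # e.g. /boot/config-<release>
    esac
    # Match "SYM=..." or "# SYM is not set"; if the symbol appears more
    # than once, report the last occurrence.
    line=$($reader "$file" 2>/dev/null |
           grep -E "^(# )?${sym}(=| is not set)" | tail -n 1)
    case $line in
        "${sym}=y")            echo enabled ;;
        "${sym}=m")            echo module ;;
        "# ${sym} is not set") echo disabled ;;
        "")                    echo absent ;;   # file never mentions the symbol
        *)                     echo other ;;
    esac
}

# audit_uselib FILE...
# Prints one line per file; returns 1 if any file has CONFIG_USELIB=y.
audit_uselib() {
    rc=0
    for f in "$@"; do
        state=$(kconfig_state CONFIG_USELIB "$f")
        printf '%s: CONFIG_USELIB %s\n' "$f" "$state"
        if [ "$state" = enabled ]; then
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when config files are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_uselib "$@"
fi
```

The non-zero return from `audit_uselib` makes the check usable as a gate in an image build or compliance job.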