Okay, so I tried following the steps at this man page (Adding lsm=lockdown to kernel parameters). But when I, for example, did "sudo base64 /dev/mem", it worked just fine.
Also, kernel lockdown is supposed to be enabled by default.
$ cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,bpf
$ cat /sys/kernel/security/lockdown
[none] integrity confidentiality # It's not on!
Running "fwupdmgr security" also told me it was disabled.
However, if I add the parameter "lockdown=confidentiality", it works!
$ cat /sys/kernel/security/lockdown
none integrity [confidentiality]
$ sudo base64 /dev/mem
base64: /dev/mem: Operation not permitted
That returns an error! "fwupdmgr security" told me it was OK too!
So I don't understand. If I read the man page correctly, it should be enabled on secure-boot systems, which is the one I'm using. Secure boot works.
So why is the man page wrong in two ways?
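The two outputs in the post show different things: /sys/kernel/security/lsm lists the LSMs that are loaded, while /sys/kernel/security/lockdown brackets the mode that is actually active. The script below is an added example, not part of the original post; it parses both files plus the kernel command line and reports whether lockdown is enforcing. The function names and the sample command lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: tell "lockdown LSM is loaded" apart from "a lockdown mode is active".

# Print the active mode, i.e. the [bracketed] token of /sys/kernel/security/lockdown.
active_mode() {                       # $1 = file content
    case "$1" in
        *\[*\]*) m=${1#*\[}; printf '%s\n' "${m%%\]*}" ;;
        *) return 1 ;;                # no bracketed token: unexpected format
    esac
}

# Succeed if "lockdown" appears in the comma-separated LSM list.
lsm_listed() {                        # $1 = content of /sys/kernel/security/lsm
    case ",$1," in *,lockdown,*) return 0 ;; *) return 1 ;; esac
}

# Print the value of the last lockdown= parameter on a kernel command line.
cmdline_mode() {                      # $1 = content of /proc/cmdline
    case " $1" in
        *" lockdown="*) v=" $1"; v=${v##* lockdown=}; printf '%s\n' "${v%% *}" ;;
        *) return 1 ;;
    esac
}

# One verdict line; exit status 0 only when a mode other than "none" is active.
lockdown_report() {                   # $1 = lsm list, $2 = lockdown file, $3 = cmdline
    mode=$(active_mode "$2") || { echo "UNKNOWN: cannot parse lockdown file"; return 2; }
    req=$(cmdline_mode "$3") || req="(not set)"
    if lsm_listed "$1"; then listed=yes; else listed=no; fi
    if [ "$mode" = none ]; then
        echo "NOT ENFORCING: lsm-listed=$listed active=none cmdline-lockdown=$req"
        return 1
    fi
    echo "ENFORCING: lsm-listed=$listed active=$mode cmdline-lockdown=$req"
}

# The two states from the post; the command lines are constructed samples.
LSMS='capability,landlock,lockdown,yama,bpf'
lockdown_report "$LSMS" '[none] integrity confidentiality' 'rw quiet lsm=lockdown' || true
lockdown_report "$LSMS" 'none integrity [confidentiality]' \
    'rw quiet lsm=lockdown lockdown=confidentiality' || true

# The same check against the running kernel, when securityfs is readable.
if [ -r /sys/kernel/security/lockdown ]; then
    lockdown_report "$(cat /sys/kernel/security/lsm 2>/dev/null)" \
        "$(cat /sys/kernel/security/lockdown)" "$(cat /proc/cmdline)" || true
fi
```

The non-zero exit status of `lockdown_report` for the `[none]` state makes it usable as a boot-time or monitoring check.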