I can’t review them. And I haven’t found any other reviewer yet either.
If no upstream wants to take them (in that kernel version), then I can’t
review these patches either.
They’re almost identical to the upstream patches (excluding a different variable name and lockdown-kconfig.patch). The official lockdown patches won’t be coming to LTS anytime soon and there’s no other project I know of I can submit these to.
Similar or even 100% same as upstream patches. As said before backport
something, also the context on where these patches are plugged in have
to be understood which I don’t understand either.
They’re really important. Without them, root can easily escalate to
kernel mode, making “untrusted root” useless.
I’d rather re-consider a different kernel version in this case.
This option allows you to select a number of drivers that are not of the “normal” Linux kernel quality level. These drivers are placed here in order to get a wider audience to make use of them. Please note that these drivers are under heavy development, may or may not work, and may contain userspace interfaces that most likely will be changed in the near future.
Looks like a good candidate to disable. sys_rawio is one of those capabilities that I do not even like when it has to be there. As an example, when building app profiles with Apparmor, I always see if it can run with that one denied. I know it’s just one out of very many caps that could be potentially dangerous, but every bit helps.