]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
projects / mirror_ubuntu-eoan-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 29aeae6)
UBUNTU: [Config] Build SafeSetID LSM but don't enable it by default
authorTyler Hicks <tyhicks@canonical.com>
Wed, 25 Sep 2019 21:43:54 +0000 (21:43 +0000)
committerSeth Forshee <seth.forshee@canonical.com>
Fri, 27 Sep 2019 13:11:37 +0000 (08:11 -0500)
BugLink: https://launchpad.net/bugs/1845391
We can safely build the SafeSetID LSM while leaving it turned off by
default. It will be off by default due to CONFIG_LSM not containing
"safesetid" in our kernel configs. A security-minded system integrator
may want to make use of SafeSetID and can do so by enabling it with the
"lsm" kernel command-line parameter.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johnansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
debian.master/config/annotations patch | blob | blame | history
debian.master/config/config.common.ubuntu patch | blob | blame | history

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index ff5c7c95f3dc972900ebf4d88227152d337d8f16..093107b7ea409bb24a9b34cb5dc772a7138efbef 100644 (file)
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12653,12 +12653,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT           policy<{'amd64': 'y', 'arm64': '
 CONFIG_SECURITY_APPARMOR_DEBUG                  policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_SECURITY_LOADPIN                         policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_SECURITY_YAMA                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SECURITY_SAFESETID                       policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_SECURITY_SAFESETID                       policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 #
 CONFIG_SECURITY                                 mark<ENFORCED>
 CONFIG_LSM_MMAP_MIN_ADDR                        mark<ENFORCED> flag<REVIEW>
 CONFIG_SECURITY_YAMA                            mark<ENFORCED>
-CONFIG_SECURITY_SAFESETID                       flag<REVIEW>
+CONFIG_SECURITY_SAFESETID                       mark<ENFORCED> note<LP:#1845391>
 
 # Menu: Security options >> Enable different security models >> Integrity subsystem
 CONFIG_INTEGRITY                                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index e441fb91b97def748ea2fdc4f47abb3bf9bfd18b..eca1ff2e3cb5a5d3e949d7b19301336db5a3e00a 100644 (file)
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -8405,7 +8405,7 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
 CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
Ubuntu Eoan Linux kernel mirror