]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commitdiff
projects / mirror_ubuntu-zesty-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 53abb04)
UBUNTU: [Config] Update and enforce IMA options
authorSeth Forshee <seth.forshee@canonical.com>
Fri, 6 Jan 2017 15:58:11 +0000 (09:58 -0600)
committerTim Gardner <tim.gardner@canonical.com>
Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
BugLink: http://bugs.launchpad.net/bugs/1643652
Set CONFIG_IMA_KEXEC=y for supported powerpc architectures.
Update the annotations for this option, and mark all IMA options
for enforcment. Remove notes for options which have no prompt and
are thus not included in the annotations file.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
debian.master/config/annotations patch | blob | blame | history
debian.master/config/config.common.ubuntu patch | blob | blame | history

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 2a5d2b2cf338a75451559ee35dc73fe4808dbf21..50a849171266074800a23c0dc61741d8cce51d04 100644 (file)
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -10662,7 +10662,7 @@ CONFIG_EVM_X509_PATH                            note<LP:1643652>
 
 # Menu: Security options >> Enable different security models >> Integrity subsystem >> Integrity Measurement Architecture(IMA)
 CONFIG_IMA                                      policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc64-emb': 'n', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_IMA_KEXEC                                policy<{'powerpc': 'n', 'ppc64el': 'n'}>
+CONFIG_IMA_KEXEC                                policy<{'powerpc-generic': 'y', 'ppc64el': 'y'}>
 CONFIG_IMA_WRITE_POLICY                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_IMA_READ_POLICY                          policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_IMA_APPRAISE                             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}>
@@ -10672,17 +10672,13 @@ CONFIG_IMA_LOAD_X509                            policy<{'amd64': 'n', 'arm64': '
 CONFIG_IMA_X509_PATH                            policy<{'ppc64el': '"/etc/keys/x509_ima.der"'}>
 CONFIG_IMA_APPRAISE_SIGNED_INIT                 policy<{'ppc64el': 'y'}>
 #
-CONFIG_IMA                                      note<LP:1643652>
-CONFIG_IMA_KEXEC                                flag<REVIEW>
-CONFIG_IMA_READ_POLICY                          note<LP:1643652>
-CONFIG_IMA_APPRAISE                             note<LP:1643652>
-CONFIG_IMA_TRUSTED_KEYRING                      note<LP:1643652>
-CONFIG_IMA_LOAD_X509                            note<LP:1643652>
-CONFIG_IMA_X509_PATH                            note<LP:1643652>
-CONFIG_IMA_MEASURE_PCR_IDX                      note<LP:1643652>
-CONFIG_IMA_LSM_RULES                            note<LP:1643652>
-CONFIG_IMA_DEFAULT_TEMPLATE                     note<LP:1643652>
-CONFIG_IMA_DEFAULT_HASH                         note<LP:1643652>
+CONFIG_IMA                                      mark<ENFORCED> note<LP:1643652>
+CONFIG_IMA_KEXEC                                mark<ENFORCED> note<LP:1643652>
+CONFIG_IMA_READ_POLICY                          mark<ENFORCED> note<LP:1643652>
+CONFIG_IMA_APPRAISE                             mark<ENFORCED> note<LP:1643652>
+CONFIG_IMA_TRUSTED_KEYRING                      mark<ENFORCED> note<LP:1643652>
+CONFIG_IMA_LOAD_X509                            mark<ENFORCED> note<LP:1643652>
+CONFIG_IMA_X509_PATH                            mark<ENFORCED> note<LP:1643652>
 
 # Menu: Security options >> Enable different security models >> Integrity subsystem >> Integrity Measurement Architecture(IMA) >> Default integrity hash algorithm
 CONFIG_IMA_DEFAULT_HASH_SHA1                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'n', 's390x': 'y'}>
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 73a07820f33f68ee19f71731c629fec60dcae381..f61e0e873798e5b298a444fb314eb2866dc1edaa 100644 (file)
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -3713,7 +3713,7 @@ CONFIG_IMA_APPRAISE_SIGNED_INIT=y
 CONFIG_IMA_BLACKLIST_KEYRING=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
-# CONFIG_IMA_KEXEC is not set
+CONFIG_IMA_KEXEC=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
ubuntu-zesty-kernel mirror