From 4840d0d8d014ba95ab5dd63748d7f9e86544ebe3 Mon Sep 17 00:00:00 2001 From: Seth Forshee Date: Fri, 24 Feb 2017 09:46:53 -0600 Subject: [PATCH] UBUNTU: [Config] Disable experimental IMA options BugLink: http://bugs.launchpad.net/bugs/1667490 Signed-off-by: Seth Forshee --- debian.master/config/annotations | 17 +++++++++++------ debian.master/config/config.common.ubuntu | 10 +++++----- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index d6b634156d39..a5315a9f5b04 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -10814,7 +10814,9 @@ CONFIG_INTEGRITY_SIGNATURE policy<{'amd64': 'y', 'arm64': ' CONFIG_INTEGRITY_ASYMMETRIC_KEYS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_INTEGRITY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_INTEGRITY_AUDIT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}> +# +CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY mark note # Menu: Security options >> Enable different security models >> Integrity subsystem >> EVM support CONFIG_EVM policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}> 
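Review bot: Setting `CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` to 'n' on every architecture changes which CA certificates can vouch for keys added to the IMA keyring, and the commit message does not mention this. As far as I can tell from upstream, with the option off only the built-in trusted keyring is consulted, so an IMA key signed by a secondary-keyring CA would be refused after this update; `CONFIG_INTEGRITY_TRUSTED_KEYRING` stays 'y' in the context lines. The added `mark`/`note` entry shows no content on this page, so I would have its note record the reason, for example `disabled as experimental; IMA keys must chain to the built-in keyring`. The matching `is not set` line is in the config.common.ubuntu hunk.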
@@ -10831,22 +10833,25 @@ CONFIG_EVM_X509_PATH note # Menu: Security options >> Enable different security models >> Integrity subsystem >> Integrity Measurement Architecture(IMA) CONFIG_IMA policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc64-emb': 'n', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_IMA_KEXEC policy<{'powerpc-generic': 'y', 'ppc64el': 'y'}> -CONFIG_IMA_WRITE_POLICY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_IMA_READ_POLICY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_IMA_WRITE_POLICY policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc-generic': 'n', 'powerpc-powerpc-e500mc': 'n', 'powerpc-powerpc-smp': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_IMA_READ_POLICY policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc-generic': 'n', 'powerpc-powerpc-e500mc': 'n', 'powerpc-powerpc-smp': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_IMA_APPRAISE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_IMA_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_IMA_BLACKLIST_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_IMA_BLACKLIST_KEYRING policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc-generic': 'n', 
'powerpc-powerpc-e500mc': 'n', 'powerpc-powerpc-smp': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_IMA_LOAD_X509 policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc-generic': 'n', 'powerpc-powerpc-e500mc': 'n', 'powerpc-powerpc-smp': 'n', 'ppc64el': 'y', 's390x': 'n'}> CONFIG_IMA_X509_PATH policy<{'ppc64el': '"/etc/keys/x509_ima.der"'}> -CONFIG_IMA_APPRAISE_SIGNED_INIT policy<{'ppc64el': 'y'}> +CONFIG_IMA_APPRAISE_SIGNED_INIT policy<{'ppc64el': 'n'}> # CONFIG_IMA mark note CONFIG_IMA_KEXEC mark note -CONFIG_IMA_READ_POLICY mark note +CONFIG_IMA_WRITE_POLICY mark note +CONFIG_IMA_READ_POLICY mark note CONFIG_IMA_APPRAISE mark note CONFIG_IMA_TRUSTED_KEYRING mark note +CONFIG_IMA_BLACKLIST_KEYRING mark note CONFIG_IMA_LOAD_X509 mark note CONFIG_IMA_X509_PATH mark note +CONFIG_IMA_APPRAISE_SIGNED_INIT mark note # Menu: Security options >> Enable different security models >> Integrity subsystem >> Integrity Measurement Architecture(IMA) >> Default integrity hash algorithm CONFIG_IMA_DEFAULT_HASH_SHA1 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc-generic': 'y', 'powerpc-powerpc-e500mc': 'y', 'powerpc-powerpc-smp': 'y', 'ppc64el': 'n', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index a18fa1ceadce..5f1928bebc60 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu 
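Review bot: `CONFIG_IMA_BLACKLIST_KEYRING` goes to 'n' while `CONFIG_IMA_APPRAISE` and `CONFIG_IMA_TRUSTED_KEYRING` stay 'y' in the same block, so signature appraisal remains available but the IMA blacklist keyring is no longer there to revoke a signing key. That may be an accepted trade-off for an option considered experimental, but nothing visible here says so apart from the BugLink. I would put the rationale in the new `CONFIG_IMA_BLACKLIST_KEYRING mark note` entry, along the lines of `disabled as experimental; no IMA key revocation via the blacklist keyring while off`, so that a later config review does not have to rediscover it. The same option is unset in the config.common.ubuntu hunk.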
@@ -3712,18 +3712,18 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
 CONFIG_IIO_TRIGGERED_EVENT=m
 # CONFIG_IKCONFIG is not set
 CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_APPRAISE_SIGNED_INIT=y
-CONFIG_IMA_BLACKLIST_KEYRING=y
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
 # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
 CONFIG_IMA_KEXEC=y
-CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
 CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_READ_POLICY=y
+# CONFIG_IMA_READ_POLICY is not set
 # CONFIG_IMA_TEMPLATE is not set
 CONFIG_IMA_TRUSTED_KEYRING=y
-CONFIG_IMA_WRITE_POLICY=y
+# CONFIG_IMA_WRITE_POLICY is not set
 CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 CONFIG_IMG_ASCII_LCD=m
 CONFIG_IMX2_WDT=m
-- 
2.39.2
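Review bot: `# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set` lands here while `CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"` stays, and the annotations keep `CONFIG_IMA_LOAD_X509` at 'y' for ppc64el. That flavour therefore still loads the IMA certificate at boot but, as I read the upstream help text for the option, no longer requires user-space init to be signed. If the built-in appraise policy is relied on for ppc64el, this likely relaxes it from signature-required to hash-only for that case; this is inferred from upstream behaviour, not from anything in this diff. It is worth confirming with whoever owns the ppc64el configuration and recording the outcome in the annotation note for this option.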