Message ID | 20180612105315.1954-1-po-hsu.lin@canonical.com |
---|---|
Series | Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_FORTIFY_SOURCE |
On 12.06.2018 12:53, Po-Hsu Lin wrote:
> == Justification ==
> In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
> CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
> meet the security team's requirement.
>
> == Test ==
> Before enabling the config, test case test_190_config_kernel_fortify and
> test_250_config_security_perf_events_restrict will fail in the kernel
> security testsuite for the kernel SRU regression test.
>
> It will pass with these two patches applied, tested on a KVM node.
>
> == Fix ==
> Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
> Set CONFIG_FORTIFY_SOURCE to "y".
>
> == Regression Potential ==
> Minimal.
> No code changes, just two config changes without disabling any other configs.
>
> BugLink: https://bugs.launchpad.net/bugs/1766780
> BugLink: https://bugs.launchpad.net/bugs/1766774
>
> Po-Hsu Lin (2):
>   UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>   UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE
>
>  debian.kvm/config/config.common.ubuntu | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

See change of subject. I would suggest to commonly use <target series>[/<pkg
name if not linux>] to avoid confusion. Especially for those using oem-a when
they mean xenial/oem ;-)

-Stefan

Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

This suggestion (and example) looks good to me.
Thanks!

On Wed, Jun 13, 2018 at 10:07 PM, Stefan Bader <stefan.bader@canonical.com> wrote:
> On 12.06.2018 12:53, Po-Hsu Lin wrote:
>> == Justification ==
>> In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
>> CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
>> meet the security team's requirement.
>>
>> == Test ==
>> Before enabling the config, test case test_190_config_kernel_fortify and
>> test_250_config_security_perf_events_restrict will fail in the kernel
>> security testsuite for the kernel SRU regression test.
>>
>> It will pass with these two patches applied, tested on a KVM node.
>>
>> == Fix ==
>> Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
>> Set CONFIG_FORTIFY_SOURCE to "y".
>>
>> == Regression Potential ==
>> Minimal.
>> No code changes, just two config changes without disabling any other configs.
>>
>> BugLink: https://bugs.launchpad.net/bugs/1766780
>> BugLink: https://bugs.launchpad.net/bugs/1766774
>>
>> Po-Hsu Lin (2):
>>   UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>>   UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE
>>
>>  debian.kvm/config/config.common.ubuntu | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
>
> See change of subject. I would suggest to commonly use <target series>[/<pkg
> name if not linux>] to avoid confusion. Especially for those using oem-a when
> they mean xenial/oem ;-)
>
> -Stefan
>

Applied to bionic/linux-kvm (in reverse order)

On 2018-06-12 18:53:13, Po-Hsu Lin wrote:
> == Justification ==
> In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
> CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
> meet the security team's requirement.
>
> == Test ==
> Before enabling the config, test case test_190_config_kernel_fortify and
> test_250_config_security_perf_events_restrict will fail in the kernel
> security testsuite for the kernel SRU regression test.
>
> It will pass with these two patches applied, tested on a KVM node.
>
> == Fix ==
> Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
> Set CONFIG_FORTIFY_SOURCE to "y".
>
> == Regression Potential ==
> Minimal.
> No code changes, just two config changes without disabling any other configs.
>
> BugLink: https://bugs.launchpad.net/bugs/1766780
> BugLink: https://bugs.launchpad.net/bugs/1766774
>
> Po-Hsu Lin (2):
>   UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>   UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE
>
>  debian.kvm/config/config.common.ubuntu | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> --
> 2.7.4
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team