@@ -11507,6 +11507,7 @@ CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT policy<{'amd64': 'y', 'arm64': '
#CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT mark<ENFORCED>
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ mark<ENFORCED>
#CONFIG_LOCK_DOWN_KERNEL mark<ENFORCED> flag<REVIEW>
+CONFIG_SECURITY_DMESG_RESTRICT note<LP#1696558>
# Menu: Security options >> Default security module
CONFIG_LSM policy<{'amd64': '"yama,loadpin,integrity,apparmor"', 'arm64': '"yama,loadpin,integrity,apparmor"'}>
@@ -7061,7 +7061,7 @@ CONFIG_SECURITY_APPARMOR=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY_INFINIBAND=y
# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_NETWORK=y
BugLink: https://bugs.launchpad.net/bugs/1696558 There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws. It will restrict unprivileged access to the kernel syslog. Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> --- debian.aws/config/annotations | 1 + debian.aws/config/config.common.ubuntu | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)