@@ -10625,13 +10625,14 @@ CONFIG_DEBUG_LIST policy<{'amd64': 'y', 'arm64': '
CONFIG_DEBUG_PLIST policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_DEBUG_SG policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_DEBUG_NOTIFIERS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_DEBUG_CREDENTIALS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_DEBUG_CREDENTIALS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_DEBUG_WQ_FORCE_RR_CPU policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_DEBUG_BLOCK_EXT_DEVT policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_CPU_HOTPLUG_STATE_CONTROL policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_LATENCYTOP policy<{'amd64-generic': 'n', 'amd64-lowlatency': 'y', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
#
CONFIG_DEBUG_LIST mark<ENFORCED> note<LP:1855334>
+CONFIG_DEBUG_CREDENTIALS mark<ENFORCED> note<LP:1855335>
CONFIG_LATENCYTOP mark<ENFORCED> note<https://lists.ubuntu.com/archives/kernel-team/2014-July/045006.html, LP#1655986>
# Menu: Kernel hacking >> Kernel debugging >> Architecture: arm
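Review bot: The added `CONFIG_DEBUG_CREDENTIALS mark<ENFORCED> note<LP:1855335>` line records only a bug number, so a later reader of the annotations cannot tell why a debug option is enforced on in shipping kernels. I would put the rationale in the note itself, for example `note<LP:1855335, cred sanity checks to surface cred struct corruption>`. The new policy line also sets 'y' for every architecture with no per-flavour key, unlike the `amd64-lowlatency` entry on CONFIG_LATENCYTOP. If the extra checks on credential handling paths have a measurable cost for the lowlatency flavour, that deserves a measurement or a sentence in the note.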
@@ -2304,7 +2304,7 @@ CONFIG_DEBUGGER=y
# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
# CONFIG_DEBUG_BOOT_PARAMS is not set
CONFIG_DEBUG_BUGVERBOSE=y
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
# CONFIG_DEBUG_DEVRES is not set
# CONFIG_DEBUG_DRIVER is not set
# CONFIG_DEBUG_EFI is not set
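Review bot: Setting `CONFIG_DEBUG_CREDENTIALS=y` changes failure behaviour as well as logging, which the commit description's "loud warning" understates. As far as I recall, in kernels of this generation a failed cred check prints `CRED: Invalid credentials` and then reaches BUG(), so the offending task is killed and a host running with panic_on_oops set would go down; please confirm this against the tree being built. If it holds, the description or release notes should state it, so operators can alert on the `CRED:` log lines and make a deliberate choice about panic_on_oops. No change to the config line itself is proposed.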
BugLink: https://launchpad.net/bugs/1855335 Enable CONFIG_DEBUG_CREDENTIALS to perform sanity checks, such as verifying usage counts and proper magic values, when handling cred structs. If a cred sanity check fails, a loud warning is printed to the logs. This change raises the bar on the effort required to implement an exploit based on cred manipulation. CONFIG_DEBUG_CREDENTIALS will not prevent the attack but may aid an administrator in discovering such an attack on the system. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> --- debian.master/config/annotations | 3 ++- debian.master/config/config.common.ubuntu | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-)