[8/8] UBUNTU: [Config] Disable the uselib system call

Message ID 20200119131029.23160-9-tyhicks@canonical.com
State New
Series
  • Kernel hardening config changes

Commit Message

Tyler Hicks Jan. 19, 2020, 1:10 p.m. UTC
BugLink: https://launchpad.net/bugs/1855341

Disable CONFIG_USELIB to make the uselib(2) system call unreachable in
an effort to reduce the kernel attack surface.

The system call is only used by very old libc implementations and is
unlikely to be used today.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 debian.master/config/annotations          | 3 ++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

Patch

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 064d0d0ed278..07998d2822a1 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -10289,7 +10289,7 @@  CONFIG_SWAP                                     policy<{'amd64': 'y', 'arm64': '
 CONFIG_SYSVIPC                                  policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_POSIX_MQUEUE                             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_CROSS_MEMORY_ATTACH                      policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_USELIB                                   policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_USELIB                                   policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_AUDIT                                    policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_CPU_ISOLATION                            policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_IKCONFIG                                 policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
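Review bot: Flipping CONFIG_USELIB to 'n' on every architecture here, and in the config.common.ubuntu hunk, does not show whether the options that depend on uselib(2) at runtime are also off. The a.out binary loaders (CONFIG_BINFMT_AOUT, CONFIG_IA32_AOUT) appear to load shared libraries only through that system call. If either is still enabled for i386 or amd64, which is not visible in these hunks, its parsing code would remain built while its library path became dead. It is worth confirming in the series that both are already 'n', or disabling them alongside this change so the attack-surface reduction is complete.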
@@ -10316,6 +10316,7 @@  CONFIG_SHUFFLE_PAGE_ALLOCATOR                   policy<{'amd64': 'y', 'arm64': '
 CONFIG_SLUB_CPU_PARTIAL                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_PROFILING                                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 #
+CONFIG_USELIB                                   mark<ENFORCED> note<LP:1855341>
 CONFIG_SYSFS_DEPRECATED                         mark<ENFORCED> note<ensure nothing is using these deprecated interfaces>
 CONFIG_COMPAT_BRK                               mark<ENFORCED> note<disables brk ASLR>
 CONFIG_NUMA_BALANCING_DEFAULT_ENABLED           note<LP:1557690>
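Review bot: The new `mark<ENFORCED>` entry for CONFIG_USELIB records only a bug number, whereas the neighbouring enforced entries state their reason inline (`note<disables brk ASLR>`). Because this is a hardening decision that a later config rebase might be tempted to revert, consider carrying the rationale in the note itself, for example `note<LP:1855341 uselib(2) only used by very old libc; disabled to reduce attack surface>`. Whether the annotations format restricts the characters allowed in a note is not visible here, so check that before adopting the wording.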
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index fe8a065e2262..f2d01e7b1e1b 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -10788,7 +10788,7 @@  CONFIG_USB_ZD1201=m
 CONFIG_USB_ZERO=m
 # CONFIG_USB_ZERO_HNPTEST is not set
 CONFIG_USB_ZR364XX=m
-CONFIG_USELIB=y
+# CONFIG_USELIB is not set
 CONFIG_USERFAULTFD=y
 CONFIG_USERIO=m
 CONFIG_USER_NS=y