From patchwork Fri Jul 20 20:57:38 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: UBUNTU: config: enable DEBUG_CREDENTIALS
Date: Fri, 20 Jul 2012 10:57:38 -0000
From: Kees Cook
X-Patchwork-Id: 172344
Message-Id: <20120720205738.GH28340@outflux.net>
To: kernel-team@lists.ubuntu.com

This adds a few bytes of overhead to each credential and adds a tiny amount of CPU overhead when changing credentials. It can catch some types of credential manipulation attacks, so turn it on.

Signed-off-by: Kees Cook
---
 debian.master/config/config.common.ubuntu | 2 +-
 debian.master/config/enforce | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index a1bcec2..e24e3d00 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -1241,7 +1241,7 @@ CONFIG_DEBUGGER=y
 # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
 # CONFIG_DEBUG_BOOT_PARAMS is not set
 CONFIG_DEBUG_BUGVERBOSE=y
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_DEBUG_DEVRES is not set
 # CONFIG_DEBUG_DRIVER is not set
 # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
diff --git a/debian.master/config/enforce b/debian.master/config/enforce
index 89c9497..1cb6270 100644
--- a/debian.master/config/enforce
+++ b/debian.master/config/enforce
@@ -20,6 +20,7 @@ value CONFIG_DEFAULT_SECURITY_APPARMOR y
 !exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y
 !exists CONFIG_DEBUG_SET_MODULE_RONX | value CONFIG_DEBUG_SET_MODULE_RONX y
 !exists CONFIG_STRICT_DEVMEM | value CONFIG_STRICT_DEVMEM y
+!exists CONFIG_DEBUG_CREDENTIALS | value CONFIG_DEBUG_CREDENTIALS y
 # For architectures which support this option ensure it is disabled.
 !exists CONFIG_COMPAT_VDSO | value CONFIG_COMPAT_VDSO n
 !exists CONFIG_ACPI_CUSTOM_METHOD | value CONFIG_ACPI_CUSTOM_METHOD n
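Review bot: The switch to `CONFIG_DEBUG_CREDENTIALS=y` is justified only by its cost; the changelog does not say what happens when a check trips or what the check covers. As far as I recall the option validates the bookkeeping of a cred struct (its magic value and the count of task pointers against the usage count) and ends in BUG() on a mismatch. If so, a refcounting slip in an out-of-tree module becomes an oops on production kernels, and a write that alters only the uid/gid or capability fields is not detected. I would record both in the changelog, for example `Violations are reported via BUG(); this does not detect in-place edits of otherwise valid creds.`, so the option is not later read as full protection for credentials.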
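Review bot: The added rule `!exists CONFIG_DEBUG_CREDENTIALS | value CONFIG_DEBUG_CREDENTIALS y` appears to pass whenever the symbol is absent, going by the "For architectures which support this option" comment below it. The check would then lapse silently in any flavour where the option's prerequisite (DEBUG_KERNEL, if I recall the dependency correctly) is off, or if the symbol is renamed upstream. Consider whether this one should be an unconditional `value CONFIG_DEBUG_CREDENTIALS y`, given that the first hunk sets it in config.common.ubuntu for every flavour. The new line also carries no rationale; a comment such as `# Hardening: detect corrupted credential bookkeeping (security option despite the DEBUG_ prefix).` above it would keep it from being dropped in a later debug-option cleanup. The header of the group it joins is outside the hunk, so I cannot see whether an existing comment already covers it.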