From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [B/linux-kvm][C/linux-kvm][D/linux-kvm][SRU][PATCH 0/1] UBUNTU: [Config]: enable CONFIG_LOCK_DOWN_KERNEL
Date: Mon, 10 Jun 2019 18:11:03 +0800
Message-Id: <20190610101105.25617-1-po-hsu.lin@canonical.com>
X-Patchwork-Id: 1112990

BugLink: https://bugs.launchpad.net/bugs/1811981

== SRU Justification ==
Security team requires the CONFIG_LOCK_DOWN_KERNEL to be enabled in all of our kernels.

== Test ==
Test kernels can be found here:
https://people.canonical.com/~phlin/kernel/lp-1811981-kvm-lockdown/

This issue can be verified with the test_410_config_lock_down_kernel test from q-r-t; the test will pass with the patched kernel.

== Regression Potential ==
Low, we already have this config enabled in the generic kernel.

Po-Hsu Lin (1):
  UBUNTU: [Config]: enable CONFIG_LOCK_DOWN_KERNEL

 debian.kvm/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Acked-by: Colin Ian King
Acked-by: Kamal Mostafa