From patchwork Fri Jul 20 20:57:38 2012
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 172344
Date: Fri, 20 Jul 2012 13:57:38 -0700
From: Kees Cook
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] UBUNTU: config: enable DEBUG_CREDENTIALS
Message-ID: <20120720205738.GH28340@outflux.net>
Organization: Ubuntu

This adds a few bytes of overhead to each credential and adds a tiny
amount of CPU overhead when changing credentials. It can catch some
types of credential manipulation attacks, so turn it on.
Signed-off-by: Kees Cook --- debian.master/config/config.common.ubuntu | 2 +- debian.master/config/enforce | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index a1bcec2..e24e3d00 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -1241,7 +1241,7 @@ CONFIG_DEBUGGER=y # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set # CONFIG_DEBUG_BOOT_PARAMS is not set CONFIG_DEBUG_BUGVERBOSE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # CONFIG_DEBUG_DEVRES is not set # CONFIG_DEBUG_DRIVER is not set # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set diff --git a/debian.master/config/enforce b/debian.master/config/enforce index 89c9497..1cb6270 100644 --- a/debian.master/config/enforce +++ b/debian.master/config/enforce @@ -20,6 +20,7 @@ value CONFIG_DEFAULT_SECURITY_APPARMOR y !exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y !exists CONFIG_DEBUG_SET_MODULE_RONX | value CONFIG_DEBUG_SET_MODULE_RONX y !exists CONFIG_STRICT_DEVMEM | value CONFIG_STRICT_DEVMEM y +!exists CONFIG_DEBUG_CREDENTIALS | value CONFIG_DEBUG_CREDENTIALS y # For architectures which support this option ensure it is disabled. !exists CONFIG_COMPAT_VDSO | value CONFIG_COMPAT_VDSO n !exists CONFIG_ACPI_CUSTOM_METHOD | value CONFIG_ACPI_CUSTOM_METHOD n
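Review bot: the commit message gives no number for the "few bytes" and "tiny" CPU overhead it claims, and it does not say what the kernel does when a bad credential is actually caught; since the config.common.ubuntu hunk makes `CONFIG_DEBUG_CREDENTIALS=y` the default for every flavour fed by that file, please state in the message that a failed validation is fatal (the checks in kernel/cred.c BUG() on an invalid cred), so that a detected corruption becomes a crash rather than a silent state, and confirm that the option's `CONFIG_DEBUG_KERNEL` dependency is satisfied everywhere this config is used; the surrounding context (`CONFIG_DEBUGGER=y`, `CONFIG_DEBUG_BUGVERBOSE=y`) suggests it but the hunk does not show it.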
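Review bot: the new enforce rule `!exists CONFIG_DEBUG_CREDENTIALS | value CONFIG_DEBUG_CREDENTIALS y` passes whenever the symbol is simply absent from a flavour's config, which is exactly what happens when that flavour leaves `CONFIG_DEBUG_KERNEL` off (DEBUG_CREDENTIALS depends on it), so a kernel without the protection would clear the check silently. The `!exists` escape is appropriate for the arch-dependent options on the neighbouring lines (`CONFIG_DEBUG_RODATA`, `CONFIG_DEBUG_SET_MODULE_RONX`, `CONFIG_STRICT_DEVMEM`), but DEBUG_CREDENTIALS is a generic lib/Kconfig.debug option; if the intent is to mandate it, use a plain `value CONFIG_DEBUG_CREDENTIALS y`, or add a matching rule for `CONFIG_DEBUG_KERNEL`.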