From patchwork Mon Jun 10 10:11:05 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 1112991
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [C/linux-kvm][D/linux-kvm][SRU][PATCH 1/1] UBUNTU: [Config]: enable CONFIG_LOCK_DOWN_KERNEL
Date: Mon, 10 Jun 2019 18:11:05 +0800
Message-Id: <20190610101105.25617-3-po-hsu.lin@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190610101105.25617-1-po-hsu.lin@canonical.com>
References: <20190610101105.25617-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1811981

Security team requires the CONFIG_LOCK_DOWN_KERNEL to be enabled in all of our kernels.

Signed-off-by: Po-Hsu Lin --- debian.kvm/config/config.common.ubuntu | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu index 88c196e8..a44b783 100644 --- a/debian.kvm/config/config.common.ubuntu +++ b/debian.kvm/config/config.common.ubuntu @@ -1280,7 +1280,8 @@ CONFIG_LOCKDEP_SUPPORT=y CONFIG_LOCKD_V4=y CONFIG_LOCK_DEBUGGING_SUPPORT=y # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set -# CONFIG_LOCK_DOWN_KERNEL is not set +CONFIG_LOCK_DOWN_KERNEL=y +# CONFIG_LOCK_DOWN_MANDATORY is not set CONFIG_LOCK_SPIN_ON_OWNER=y # CONFIG_LOCK_STAT is not set # CONFIG_LOCK_TORTURE_TEST is not set
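
Review bot: the commit message does not say how lockdown is expected to take effect once this lands. In the hunk at line 1280 of debian.kvm/config/config.common.ubuntu, `CONFIG_LOCK_DOWN_KERNEL=y` is set while `# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set` stays as unchanged context and `# CONFIG_LOCK_DOWN_MANDATORY is not set` is newly added. If the security team's requirement is that lockdown be enforced rather than merely built in, please explain why both the Secure Boot trigger and the mandatory option remain off for linux-kvm; if leaving them off is intended, state that in the message so the new MANDATORY line does not look like an unreviewed default. The subject also targets both C/linux-kvm and D/linux-kvm, so it is worth confirming that the same context lines apply to both trees, and a sentence summarising what the BugLink reports would help SRU reviewers beyond "Security team requires".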