diff mbox series

[X/linux-aws,SRU,1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT

Message ID 20190816093430.17135-3-po-hsu.lin@canonical.com
State New
Headers show
Series [X/linux-aws,SRU,1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT | expand

Commit Message

Po-Hsu Lin Aug. 16, 2019, 9:34 a.m. UTC 
BugLink: https://bugs.launchpad.net/bugs/1696558

There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
It will restrict unprivileged access to the kernel syslog.

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 debian.aws/config/annotations          | 2 ++
 debian.aws/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/debian.aws/config/annotations b/debian.aws/config/annotations
index 2ac663c..4d6197d 100644
--- a/debian.aws/config/annotations
+++ b/debian.aws/config/annotations
@@ -9776,6 +9776,8 @@  CONFIG_TUNE_Z13                                 policy<{'s390x': 'n'}>
 CONFIG_SECURITY_DMESG_RESTRICT                  policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_SECURITYFS                               policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_INTEL_TXT                                policy<{'amd64': 'y', 'i386': 'y'}>
+#
+CONFIG_SECURITY_DMESG_RESTRICT                  note<LP#1696558>
 
 # Menu: Security options >> Default security module
 CONFIG_DEFAULT_SECURITY_SELINUX                 policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}>
diff --git a/debian.aws/config/config.common.ubuntu b/debian.aws/config/config.common.ubuntu
index 6d981d1..f51ff7d 100644
--- a/debian.aws/config/config.common.ubuntu
+++ b/debian.aws/config/config.common.ubuntu
@@ -4100,7 +4100,7 @@  CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_APPARMOR_STATS is not set
 CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y