| Message ID | 20190925214354.1818-4-tyhicks@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | LSM changes for Eoan | expand |
On 9/25/19 2:43 PM, Tyler Hicks wrote: > BugLink: https://launchpad.net/bugs/1845391 > > We can safely build the SafeSetID LSM while leaving it turned off by > default. It will be off by default due to CONFIG_LSM not containing > "safesetid" in our kernel configs. A security-minded system integrator > may want to make use of SafeSetID and can do so by enabling it with the > "lsm" kernel command-line parameter. > > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johnansen@canonical.com> > --- > debian.master/config/annotations | 4 ++-- > debian.master/config/config.common.ubuntu | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/debian.master/config/annotations b/debian.master/config/annotations > index ff5c7c95f3dc..093107b7ea40 100644 > --- a/debian.master/config/annotations > +++ b/debian.master/config/annotations > @@ -12653,12 +12653,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT policy<{'amd64': 'y', 'arm64': ' > CONFIG_SECURITY_APPARMOR_DEBUG policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > CONFIG_SECURITY_LOADPIN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > CONFIG_SECURITY_YAMA policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > -CONFIG_SECURITY_SAFESETID policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > +CONFIG_SECURITY_SAFESETID policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > # > CONFIG_SECURITY mark<ENFORCED> > CONFIG_LSM_MMAP_MIN_ADDR mark<ENFORCED> flag<REVIEW> > CONFIG_SECURITY_YAMA mark<ENFORCED> > -CONFIG_SECURITY_SAFESETID flag<REVIEW> > +CONFIG_SECURITY_SAFESETID mark<ENFORCED> note<LP:#1845391> > > # Menu: Security options >> Enable different security models >> Integrity subsystem > CONFIG_INTEGRITY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index 3fe1950d0fff..9baba5706552 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -8404,7 +8404,7 @@ CONFIG_SECURITY_NETWORK=y > CONFIG_SECURITY_NETWORK_XFRM=y > CONFIG_SECURITY_PATH=y > CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y > -# CONFIG_SECURITY_SAFESETID is not set > +CONFIG_SECURITY_SAFESETID=y > CONFIG_SECURITY_SELINUX=y > CONFIG_SECURITY_SELINUX_AVC_STATS=y > CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 >
diff --git a/debian.master/config/annotations b/debian.master/config/annotations index ff5c7c95f3dc..093107b7ea40 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -12653,12 +12653,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT policy<{'amd64': 'y', 'arm64': ' CONFIG_SECURITY_APPARMOR_DEBUG policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_SECURITY_LOADPIN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_SECURITY_YAMA policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SECURITY_SAFESETID policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_SECURITY_SAFESETID policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> # CONFIG_SECURITY mark<ENFORCED> CONFIG_LSM_MMAP_MIN_ADDR mark<ENFORCED> flag<REVIEW> CONFIG_SECURITY_YAMA mark<ENFORCED> -CONFIG_SECURITY_SAFESETID flag<REVIEW> +CONFIG_SECURITY_SAFESETID mark<ENFORCED> note<LP:#1845391> # Menu: Security options >> Enable different security models >> Integrity subsystem CONFIG_INTEGRITY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 3fe1950d0fff..9baba5706552 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -8404,7 +8404,7 @@ CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y -# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_SAFESETID=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_AVC_STATS=y CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
BugLink: https://launchpad.net/bugs/1845391 We can safely build the SafeSetID LSM while leaving it turned off by default. It will be off by default due to CONFIG_LSM not containing "safesetid" in our kernel configs. A security-minded system integrator may want to make use of SafeSetID and can do so by enabling it with the "lsm" kernel command-line parameter. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> --- debian.master/config/annotations | 4 ++-- debian.master/config/config.common.ubuntu | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)