From patchwork Fri Aug 16 09:34:28 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Po-Hsu Lin X-Patchwork-Id: 1148109 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 468yq10Bkwz9sNp; Fri, 16 Aug 2019 19:35:25 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1hyYdl-0001ze-Gy; Fri, 16 Aug 2019 09:35:21 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1hyYdh-0001xX-Ho for kernel-team@lists.ubuntu.com; Fri, 16 Aug 2019 09:35:17 +0000 Received: from mail-pl1-f199.google.com ([209.85.214.199]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1hyYdh-0005mG-0H for kernel-team@lists.ubuntu.com; Fri, 16 Aug 2019 09:35:17 +0000 Received: by mail-pl1-f199.google.com with SMTP id y22so2899802plr.20 for ; Fri, 16 Aug 2019 02:35:16 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=5W/pNbhSeEaRCKYKrkb2Vd1x8dm8l+gSsfqVoESOIyA=; b=BC64/vHalALICyds8JQFaftlPikld5e6DzphyHjmBkA1vAgRVsixvLqvg6oXB0314I RuldrfvLGKB0uoz3ZL2OR8FgBXJb2GAlblmahrA4IeiDWFGB3c85UOGTdHiBY/TC8yEv +MlyNZFRNMaWmRyt6J7V2Zga+8DzqDsOV6aKhWGw7XBgXxFiYtnlk1jMH+2Z9DqXt2s/ COQL68MSf+8F11qrgmFrRNcdFY1zCDibJdYqN3Ad6Krhv6dxMcN/xaQxIHjDeNQo2Za3 Doos62szWH0f8o+Nnoakn0O+qM22Sps5PzNM/7m9t4LA7MPrpUSSCeriB4lJpnlO/WNA xflg== X-Gm-Message-State: APjAAAXjpebdbt5NsPLOrCQklReUxT31L9vmmOPRcABXdQ4O2kJ7UvWc XrCDU3aLwKgVFgCa0IqBmxv9KmWuSSNM7Gf3oRwlVi4GD/9Zywq2rH8WX5l7btyf1KQcAeOGo5C 0O3VPdoDnYtqTeiCEwNQcoFbTVDiaL8xfJIVfy4Mb X-Received: by 2002:a63:2026:: with SMTP id g38mr6850046pgg.172.1565948115365; Fri, 16 Aug 2019 02:35:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqwZ6mOMINcR/PFxkrnSdWODH7qHzo8NYDh5Ay/jCzamMghDqNEWw+Gl8yD8cg4fGgVTz7f5xQ== X-Received: by 2002:a63:2026:: with SMTP id g38mr6850030pgg.172.1565948115109; Fri, 16 Aug 2019 02:35:15 -0700 (PDT) Received: from localhost.localdomain (61-220-137-37.HINET-IP.hinet.net. [61.220.137.37]) by smtp.gmail.com with ESMTPSA id f14sm6262866pfn.53.2019.08.16.02.35.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Aug 2019 02:35:14 -0700 (PDT) From: Po-Hsu Lin To: kernel-team@lists.ubuntu.com Subject: [X/linux-aws][SRU][PATCH 1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT Date: Fri, 16 Aug 2019 17:34:28 +0800 Message-Id: <20190816093430.17135-3-po-hsu.lin@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190816093430.17135-1-po-hsu.lin@canonical.com> References: <20190816093430.17135-1-po-hsu.lin@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1696558 There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws. It will restrict unprivileged access to the kernel syslog. Signed-off-by: Po-Hsu Lin --- debian.aws/config/annotations | 2 ++ debian.aws/config/config.common.ubuntu | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/debian.aws/config/annotations b/debian.aws/config/annotations index 2ac663c..4d6197d 100644 --- a/debian.aws/config/annotations +++ b/debian.aws/config/annotations @@ -9776,6 +9776,8 @@ CONFIG_TUNE_Z13 policy<{'s390x': 'n'}> CONFIG_SECURITY_DMESG_RESTRICT policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_SECURITYFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_INTEL_TXT policy<{'amd64': 'y', 'i386': 'y'}> +# +CONFIG_SECURITY_DMESG_RESTRICT note # Menu: Security options >> Default security module CONFIG_DEFAULT_SECURITY_SELINUX policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}> diff --git a/debian.aws/config/config.common.ubuntu b/debian.aws/config/config.common.ubuntu index 6d981d1..f51ff7d 100644 --- a/debian.aws/config/config.common.ubuntu +++ b/debian.aws/config/config.common.ubuntu @@ -4100,7 +4100,7 @@ CONFIG_SECURITY_APPARMOR_HASH=y CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y # CONFIG_SECURITY_APPARMOR_STATS is not set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y -# CONFIG_SECURITY_DMESG_RESTRICT is not set +CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y