From patchwork Fri Aug 16 09:34:30 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Po-Hsu Lin X-Patchwork-Id: 1148110 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 468yq51ntYz9sND; Fri, 16 Aug 2019 19:35:29 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1hyYdp-00021t-Th; Fri, 16 Aug 2019 09:35:25 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1hyYdk-0001yc-8p for kernel-team@lists.ubuntu.com; Fri, 16 Aug 2019 09:35:20 +0000 Received: from mail-pl1-f198.google.com ([209.85.214.198]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1hyYdj-0005mT-M7 for kernel-team@lists.ubuntu.com; Fri, 16 Aug 2019 09:35:19 +0000 Received: by mail-pl1-f198.google.com with SMTP id k9so2911153pls.13 for ; Fri, 16 Aug 2019 02:35:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=F5S37IZHDptM2+8IVEPaTjmzlMoGMgmyw8pksgFOgQo=; b=calW3e/n7sFI4hXR/UzYUpp5F/x6qq2qYIsxdqASsSfm/70Carn/D8q5wMQYUiq4a5 cfgGFQl2CWbTC7+FJNlADw3fdiPCP+v9JrzSiUVT4eaKKCq7Kf5L+3LR8/OX5ZRi0hvY QTkXx4HN8C5N6PsAnEuelfGk4b9XPE3o9/X1YHyRuIuouXpJXL+1fOzDC+yT452YAsDE rsp20hUYVwzdIsjAOzW+OvJ5znLIhXo3Iuag0KrOF8BTzSibGJ9lTGPU/HaFAaRf9KS6 8EYmiJ9P3GOkmGpCgbxMH1H8Uh+IuLpwlM0sYdPFTcE95oxvWTf/+PHeV9uwln4HqXIi Pe1w== X-Gm-Message-State: APjAAAWNDi5MS7qF76RqGstTTdTXF7kXSBZQvMW9TQbEXjGfDE8AR69T k5D0b8KRAMjWbSmziTTXYXe+if/KZGvlufVmr1+zbU9A4jCNpSzU5PJqcx1NH/ZU3FlBxxB3gQX mTrO+jCyq1n/8obILaFT9cFdGZILNzNqXkV0Pw/ia X-Received: by 2002:a63:de4c:: with SMTP id y12mr7083408pgi.264.1565948118076; Fri, 16 Aug 2019 02:35:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqwD2qK/h9DEVw2/a9MInstmQ3O9QLWKEv4wMUCqcuShTamojkNuvQcOsG2fFLBiOm23LL0Mgw== X-Received: by 2002:a63:de4c:: with SMTP id y12mr7083393pgi.264.1565948117799; Fri, 16 Aug 2019 02:35:17 -0700 (PDT) Received: from localhost.localdomain (61-220-137-37.HINET-IP.hinet.net. [61.220.137.37]) by smtp.gmail.com with ESMTPSA id f14sm6262866pfn.53.2019.08.16.02.35.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Aug 2019 02:35:17 -0700 (PDT) From: Po-Hsu Lin To: kernel-team@lists.ubuntu.com Subject: [D/linux-aws][SRU][PATCH 1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT Date: Fri, 16 Aug 2019 17:34:30 +0800 Message-Id: <20190816093430.17135-5-po-hsu.lin@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190816093430.17135-1-po-hsu.lin@canonical.com> References: <20190816093430.17135-1-po-hsu.lin@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1696558 There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws. It will restrict unprivileged access to the kernel syslog. Signed-off-by: Po-Hsu Lin --- debian.aws/config/annotations | 1 + debian.aws/config/config.common.ubuntu | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/debian.aws/config/annotations b/debian.aws/config/annotations index ddd94a1..edff332 100644 --- a/debian.aws/config/annotations +++ b/debian.aws/config/annotations @@ -11507,6 +11507,7 @@ CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT policy<{'amd64': 'y', 'arm64': ' #CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT mark CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ mark #CONFIG_LOCK_DOWN_KERNEL mark flag +CONFIG_SECURITY_DMESG_RESTRICT note # Menu: Security options >> Default security module CONFIG_LSM policy<{'amd64': '"yama,loadpin,integrity,apparmor"', 'arm64': '"yama,loadpin,integrity,apparmor"'}> diff --git a/debian.aws/config/config.common.ubuntu b/debian.aws/config/config.common.ubuntu index 7502b1e..85b1615 100644 --- a/debian.aws/config/config.common.ubuntu +++ b/debian.aws/config/config.common.ubuntu @@ -7061,7 +7061,7 @@ CONFIG_SECURITY_APPARMOR=y # CONFIG_SECURITY_APPARMOR_DEBUG is not set CONFIG_SECURITY_APPARMOR_HASH=y CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -# CONFIG_SECURITY_DMESG_RESTRICT is not set +CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_LOADPIN is not set CONFIG_SECURITY_NETWORK=y