Message ID | YoeRpePDVNP9L6Hr@arighi-desktop |
---|---|
State | New |
Series | [RFC,K/U] UBUNTU: [Config] enable CONFIG_DEVTMPFS_SAFE |
On Fri, May 20, 2022 at 03:03:33PM +0200, Andrea Righi wrote: > BugLink: https://bugs.launchpad.net/bugs/1974442 > > Mount devtmpfs with nosuid,noexec to prevent mmapping special files in > /dev with PROT_EXEC or having executables setuid files. > > This allows to provide a little bit of extra security in the system. > > This change may potentially break some drivers that require to execute > code by mmapping /dev/mem (e.g., non-KSM video drivers). > > Theoretically we shouldn't break any of the officially supported > drivers, because kernel lockdown is already preventing access to > /dev/mem. > > This is just a little more relaxed constraint than kernel lockdown, but > it can still provide a reasonable level of extra security in the system > also when the kernel is not completely locked down. > > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> > --- > debian.master/config/annotations | 1 + > debian.master/config/config.common.ubuntu | 2 +- > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/debian.master/config/annotations b/debian.master/config/annotations > index a0920e0f3fad..5a0e1ea742a8 100644 > --- a/debian.master/config/annotations > +++ b/debian.master/config/annotations 
> @@ -1970,6 +1970,7 @@ CONFIG_UEVENT_HELPER policy<{'amd64': 'y', 'arm64': ' > CONFIG_UEVENT_HELPER_PATH policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}> > CONFIG_DEVTMPFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_DEVTMPFS_MOUNT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > +CONFIG_DEVTMPFS_SAFE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_STANDALONE policy<{'amd64': 'n', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_PREVENT_FIRMWARE_BUILD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_ALLOW_DEV_COREDUMP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index 28b5e855d7da..e6bf6cca79ce 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -2782,7 +2782,7 @@ CONFIG_DEVMEM=y > CONFIG_DEVPORT=y > CONFIG_DEVTMPFS=y > CONFIG_DEVTMPFS_MOUNT=y > -# CONFIG_DEVTMPFS_SAFE is not set > +CONFIG_DEVTMPFS_SAFE=y > CONFIG_DEV_APPLETALK=m > CONFIG_DEV_COREDUMP=y > CONFIG_DEV_DAX=m > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Reading your commit message is good enough for me! Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
On 22/05/20 03:03pm, Andrea Righi wrote: > BugLink: https://bugs.launchpad.net/bugs/1974442 > > Mount devtmpfs with nosuid,noexec to prevent mmapping special files in > /dev with PROT_EXEC or having executables setuid files. > > This allows to provide a little bit of extra security in the system. > > This change may potentially break some drivers that require to execute > code by mmapping /dev/mem (e.g., non-KSM video drivers). > > Theoretically we shouldn't break any of the officially supported > drivers, because kernel lockdown is already preventing access to > /dev/mem. > > This is just a little more relaxed constraint than kernel lockdown, but > it can still provide a reasonable level of extra security in the system > also when the kernel is not completely locked down. > > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> Looks good to me. Thanks. Acked-by: Cengiz Can <cengiz.can@canonical.com> > --- > debian.master/config/annotations | 1 + > debian.master/config/config.common.ubuntu | 2 +- > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/debian.master/config/annotations b/debian.master/config/annotations > index a0920e0f3fad..5a0e1ea742a8 100644 > --- a/debian.master/config/annotations > +++ b/debian.master/config/annotations 
> @@ -1970,6 +1970,7 @@ CONFIG_UEVENT_HELPER policy<{'amd64': 'y', 'arm64': ' > CONFIG_UEVENT_HELPER_PATH policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}> > CONFIG_DEVTMPFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_DEVTMPFS_MOUNT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > +CONFIG_DEVTMPFS_SAFE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_STANDALONE policy<{'amd64': 'n', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_PREVENT_FIRMWARE_BUILD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_ALLOW_DEV_COREDUMP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index 28b5e855d7da..e6bf6cca79ce 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -2782,7 +2782,7 @@ CONFIG_DEVMEM=y > CONFIG_DEVPORT=y > CONFIG_DEVTMPFS=y > CONFIG_DEVTMPFS_MOUNT=y > -# CONFIG_DEVTMPFS_SAFE is not set > +CONFIG_DEVTMPFS_SAFE=y > CONFIG_DEV_APPLETALK=m > CONFIG_DEV_COREDUMP=y > CONFIG_DEV_DAX=m > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 22/05/20 03:03pm, Andrea Righi wrote: > BugLink: https://bugs.launchpad.net/bugs/1974442 > > Mount devtmpfs with nosuid,noexec to prevent mmapping special files in > /dev with PROT_EXEC or having executables setuid files. > > This allows to provide a little bit of extra security in the system. > > This change may potentially break some drivers that require to execute > code by mmapping /dev/mem (e.g., non-KSM video drivers). > > Theoretically we shouldn't break any of the officially supported > drivers, because kernel lockdown is already preventing access to > /dev/mem. > > This is just a little more relaxed constraint than kernel lockdown, but > it can still provide a reasonable level of extra security in the system > also when the kernel is not completely locked down. > > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> Acked-by: Cengiz Can <cengiz.can@canonical.com> > --- > debian.master/config/annotations | 1 + > debian.master/config/config.common.ubuntu | 2 +- > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/debian.master/config/annotations b/debian.master/config/annotations > index a0920e0f3fad..5a0e1ea742a8 100644 > --- a/debian.master/config/annotations > +++ b/debian.master/config/annotations 
> @@ -1970,6 +1970,7 @@ CONFIG_UEVENT_HELPER policy<{'amd64': 'y', 'arm64': ' > CONFIG_UEVENT_HELPER_PATH policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}> > CONFIG_DEVTMPFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_DEVTMPFS_MOUNT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > +CONFIG_DEVTMPFS_SAFE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_STANDALONE policy<{'amd64': 'n', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_PREVENT_FIRMWARE_BUILD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_ALLOW_DEV_COREDUMP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu > index 28b5e855d7da..e6bf6cca79ce 100644 > --- a/debian.master/config/config.common.ubuntu > +++ b/debian.master/config/config.common.ubuntu > @@ -2782,7 +2782,7 @@ CONFIG_DEVMEM=y > CONFIG_DEVPORT=y > CONFIG_DEVTMPFS=y > CONFIG_DEVTMPFS_MOUNT=y > -# CONFIG_DEVTMPFS_SAFE is not set > +CONFIG_DEVTMPFS_SAFE=y > CONFIG_DEV_APPLETALK=m > CONFIG_DEV_COREDUMP=y > CONFIG_DEV_DAX=m > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/debian.master/config/annotations b/debian.master/config/annotations index a0920e0f3fad..5a0e1ea742a8 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -1970,6 +1970,7 @@ CONFIG_UEVENT_HELPER policy<{'amd64': 'y', 'arm64': ' CONFIG_UEVENT_HELPER_PATH policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}> CONFIG_DEVTMPFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_DEVTMPFS_MOUNT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_DEVTMPFS_SAFE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_STANDALONE policy<{'amd64': 'n', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_PREVENT_FIRMWARE_BUILD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_ALLOW_DEV_COREDUMP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 28b5e855d7da..e6bf6cca79ce 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -2782,7 +2782,7 @@ CONFIG_DEVMEM=y CONFIG_DEVPORT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y -# CONFIG_DEVTMPFS_SAFE is not set +CONFIG_DEVTMPFS_SAFE=y CONFIG_DEV_APPLETALK=m CONFIG_DEV_COREDUMP=y CONFIG_DEV_DAX=m
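Review bot: The added CONFIG_DEVTMPFS_SAFE line in the annotations hunk carries no rationale: it sets policy 'y' for all five architectures, while the commit message names a concrete regression risk (drivers that mmap /dev/mem with PROT_EXEC). If the annotations format allows a per-option remark, record the BugLink (bugs/1974442) next to the policy so the reason stays with the option once the commit message is out of view.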
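Review bot: The lockdown argument in the commit message does not fully cover the config.common.ubuntu hunk: CONFIG_DEVMEM=y is still set (it appears as the hunk header context), so on systems booted without lockdown /dev/mem remains reachable and `+CONFIG_DEVTMPFS_SAFE=y` is the first thing that refuses exec mappings of it. Because the option is flipped in the common config for every architecture at once, the commit message should say which non-locked-down setups were boot-tested and how an affected user can get the previous mount behaviour back.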
BugLink: https://bugs.launchpad.net/bugs/1974442

Mount devtmpfs with nosuid,noexec to prevent mmapping special files in /dev with PROT_EXEC or having executables setuid files.

This allows to provide a little bit of extra security in the system.

This change may potentially break some drivers that require to execute code by mmapping /dev/mem (e.g., non-KSM video drivers).

Theoretically we shouldn't break any of the officially supported drivers, because kernel lockdown is already preventing access to /dev/mem.

This is just a little more relaxed constraint than kernel lockdown, but it can still provide a reasonable level of extra security in the system also when the kernel is not completely locked down.

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>

---

 debian.master/config/annotations | 1 +
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
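A check an administrator could run after booting a kernel built with this option, to confirm that every devtmpfs mount carries both flags named in the commit message. This is an added example, not part of the patch or the thread; the function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit devtmpfs mounts for the nosuid,noexec flags that the
# commit message says CONFIG_DEVTMPFS_SAFE applies. Names are illustrative.

# missing_devtmpfs_flags: reads a /proc/mounts-format table on stdin and
# prints "<mountpoint> <missing,flags>" for each devtmpfs mount that lacks
# nosuid or noexec.
# Exit status: 0 = every devtmpfs mount has both flags,
#              1 = at least one devtmpfs mount is missing a flag,
#              2 = no devtmpfs mount in the table at all.
missing_devtmpfs_flags() {
    awk '
        $3 == "devtmpfs" {
            seen = 1
            nosuid = 0; noexec = 0
            # Field 4 is the comma-separated option list; match whole
            # options so "noexec" is not confused with a longer name.
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") nosuid = 1
                if (opts[i] == "noexec") noexec = 1
            }
            miss = ""
            if (!nosuid) miss = "nosuid"
            if (!noexec) miss = (miss == "" ? "noexec" : miss ",noexec")
            if (miss != "") { print $2, miss; bad = 1 }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# sample_mounts: constructed mount tables (not captured from a real host).
# "before" lacks noexec on /dev, "after" has both flags.
sample_mounts() {
    case $1 in
        before) echo 'udev /dev devtmpfs rw,nosuid,relatime,size=4096k,mode=755 0 0' ;;
        after)  echo 'udev /dev devtmpfs rw,nosuid,noexec,relatime,size=4096k,mode=755 0 0' ;;
    esac
    echo 'tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
}

for s in before after; do
    printf '%s: ' "$s"
    sample_mounts "$s" | missing_devtmpfs_flags && echo "devtmpfs hardened"
done
```

On a live system, feed it the real table with `missing_devtmpfs_flags < /proc/self/mounts`.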