[PATCH 0/5] Config Enforcer

Tim Gardner tim.gardner at canonical.com
Fri Dec 11 13:59:57 UTC 2009


Andy Whitcroft wrote:
> It was proposed that we add a config enforcer build check to the kernel
> build process.  This checker reviews the configuration at build time to
> confirm that specific options have specific values.  This allows us to
> confirm and enforce the values of certain values.  Where those values
> are not set the build will fail.
> 
> This patch set adds a new check phase 'prepare-checks' which is triggered
> when the prepare phase is running.  It then adds a new config-prepare-check
> which looks at the newly generated config and checks the specified options.
> 
> The config option checks are specified in debian.master/configs/enforce.
> This contains a predicate based language.  Each line represents one
> check, if the line evaluates false then the check is deemed failed.
> Each line is made up of one or more predicates which are assertions.
> The primary assertions relate to the existence and values of parameters:
> 
>   value CONFIG_SYN_COOKIES y
>   exists CONFIG_SYN_COOKIES
> 
> The rest of the assertions check environmental factors such as architecture
> and flavour names:
> 
>   arch armel
>   flavour generic
> 
> These may be combined using and/or and parentheses, the resulting formula
> is then executed and if the overall result is true the line is ok.  This
> allows us to ensure options are set to different values based on
> architecture:
> 
>   (( arch armel | arch sparc ) & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 ) | \
>        ( value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)
> 
> Following this email are 5 patches.  The first brings the new checker
> and some basic rules.  The remainder fix up the various violations.
> 
> -apw
> 
> Andy Whitcroft (5):
>   UBUNTU: config-check -- add a configuration enforcer
>   UBUNTU: [Config] Enable CONFIG_SYN_COOKIES for versatile
>   UBUNTU: [Config] Enable CONFIG_SECURITY_SMACK for ports
>   UBUNTU: [Config] Enable CONFIG_SECURITY_FILE_CAPABILITIES for ports
>   UBUNTU: [Config] Disable CONFIG_COMPAT_BRK for ports
> 
>  debian.master/config/amd64/config.common.amd64 |    1 -
>  debian.master/config/armel/config.common.armel |    1 -
>  debian.master/config/config.common.ports       |    7 +-
>  debian.master/config/config.common.ubuntu      |    1 +
>  debian.master/config/enforce                   |   25 ++++
>  debian.master/config/i386/config.common.i386   |    1 -
>  debian.master/config/lpia/config.common.lpia   |    1 -
>  debian.master/rules.d/2-binary-arch.mk         |    2 +-
>  debian.master/rules.d/4-checks.mk              |    8 +
>  debian.master/scripts/config-check             |  168 ++++++++++++++++++++++++
>  debian.master/scripts/misc/kernelconfig        |   25 ++++-
>  11 files changed, 231 insertions(+), 9 deletions(-)
>  create mode 100644 debian.master/config/enforce
>  create mode 100755 debian.master/scripts/config-check
> 
> 

I think this is a great idea.

rtg
-- 
Tim Gardner tim.gardner at canonical.com



