[PATCH] UBUNTU: config: enable DEBUG_CREDENTIALS

Kees Cook kees at ubuntu.com
Fri Jul 20 20:57:38 UTC 2012


This adds a few bytes of overhead to each credential and adds a tiny
amount of CPU overhead when changing credentials. It can catch some
types of credential manipulation attacks, so turn it on.

Signed-off-by: Kees Cook <kees at ubuntu.com>
---
 debian.master/config/config.common.ubuntu |    2 +-
 debian.master/config/enforce              |    1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index a1bcec2..e24e3d00 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -1241,7 +1241,7 @@ CONFIG_DEBUGGER=y
 # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
 # CONFIG_DEBUG_BOOT_PARAMS is not set
 CONFIG_DEBUG_BUGVERBOSE=y
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_DEBUG_DEVRES is not set
 # CONFIG_DEBUG_DRIVER is not set
 # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
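
Review bot: the `CONFIG_DEBUG_CREDENTIALS=y` line lands in config.common.ubuntu, so the per-credential memory cost and the CPU cost on credential changes that the commit message mentions apply to every configuration that inherits the common file, and the message gives no measurement for either. Suggest recording figures in the commit message (or stating that the cost was not measurable) so the trade-off is documented with the change.
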
diff --git a/debian.master/config/enforce b/debian.master/config/enforce
index 89c9497..1cb6270 100644
--- a/debian.master/config/enforce
+++ b/debian.master/config/enforce
@@ -20,6 +20,7 @@ value CONFIG_DEFAULT_SECURITY_APPARMOR y
 !exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y
 !exists CONFIG_DEBUG_SET_MODULE_RONX | value CONFIG_DEBUG_SET_MODULE_RONX y
 !exists CONFIG_STRICT_DEVMEM | value CONFIG_STRICT_DEVMEM y
+!exists CONFIG_DEBUG_CREDENTIALS | value CONFIG_DEBUG_CREDENTIALS y
 # For architectures which support this option ensure it is disabled.
 !exists CONFIG_COMPAT_VDSO | value CONFIG_COMPAT_VDSO n
 !exists CONFIG_ACPI_CUSTOM_METHOD | value CONFIG_ACPI_CUSTOM_METHOD n
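
Review bot: the added `!exists CONFIG_DEBUG_CREDENTIALS | value CONFIG_DEBUG_CREDENTIALS y` rule only enforces the value where the symbol is present, so a config in which the option has disappeared would still pass the check. If the option is expected everywhere, as the first hunk's placement in the common config suggests, consider the unconditional form used for `value CONFIG_DEFAULT_SECURITY_APPARMOR y` (visible in the hunk header), or add a one-line comment above the rule saying why the `!exists` guard is needed.
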
-- 
1.7.9.5


-- 
Kees Cook



