ACK/Cmnt: [bionic/linux-kvm][PATCH 0/2] Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_FORTIFY_SOURCE

Po-Hsu Lin po-hsu.lin at canonical.com
Wed Jun 13 14:20:53 UTC 2018


This suggestion (and example) looks good to me.
Thanks!

On Wed, Jun 13, 2018 at 10:07 PM, Stefan Bader
<stefan.bader at canonical.com> wrote:
> On 12.06.2018 12:53, Po-Hsu Lin wrote:
>> == Justification ==
>> In the Bionic KVM kernel, CONFIG_FORTIFY_SOURCE and
>> CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set; they need to be enabled to
>> meet the security team's requirement.
>>
>> == Test ==
>> Before enabling the config, test cases test_190_config_kernel_fortify and
>> test_250_config_security_perf_events_restrict will fail in the kernel
>> security testsuite for the kernel SRU regression test.
>>
>> It will pass with these two patches applied, tested on a KVM node.
>>
>> == Fix ==
>> Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
>> Set CONFIG_FORTIFY_SOURCE to "y".
>>
>> == Regression Potential ==
>> Minimal.
>> No code changes, just two config changes without disabling any other configs.
>>
>> BugLink: https://bugs.launchpad.net/bugs/1766780
>> BugLink: https://bugs.launchpad.net/bugs/1766774
>>
>> Po-Hsu Lin (2):
>>   UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>>   UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE
>>
>>  debian.kvm/config/config.common.ubuntu | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
>
> See change of subject. I would suggest to commonly use <target series>[/<pkg
> name if not linux>] to avoid confusion. Especially for those using oem-a when
> they mean xenial/oem ;-)
>
> -Stefan
>
