[PATCH 3/3] UBUNTU: [Config] Build SafeSetID LSM but don't enable it by default
Tyler Hicks
tyhicks at canonical.com
Wed Sep 25 21:43:54 UTC 2019
BugLink: https://launchpad.net/bugs/1845391
We can safely build the SafeSetID LSM while leaving it turned off by
default. It will be off by default due to CONFIG_LSM not containing
"safesetid" in our kernel configs. A security-minded system integrator
may want to make use of SafeSetID and can do so by enabling it with the
"lsm" kernel command-line parameter.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
debian.master/config/annotations | 4 ++--
debian.master/config/config.common.ubuntu | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index ff5c7c95f3dc..093107b7ea40 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -12653,12 +12653,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT policy<{'amd64': 'y', 'arm64': '
CONFIG_SECURITY_APPARMOR_DEBUG policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_SECURITY_LOADPIN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_SECURITY_YAMA policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SECURITY_SAFESETID policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_SECURITY_SAFESETID policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
#
CONFIG_SECURITY mark<ENFORCED>
CONFIG_LSM_MMAP_MIN_ADDR mark<ENFORCED> flag<REVIEW>
CONFIG_SECURITY_YAMA mark<ENFORCED>
-CONFIG_SECURITY_SAFESETID flag<REVIEW>
+CONFIG_SECURITY_SAFESETID mark<ENFORCED> note<LP:#1845391>
# Menu: Security options >> Enable different security models >> Integrity subsystem
CONFIG_INTEGRITY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
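Review bot: the new `CONFIG_SECURITY_SAFESETID mark<ENFORCED> note<LP:#1845391>` line enforces only that the LSM is built, while the "off by default" property described in the commit message depends on CONFIG_LSM not listing "safesetid", and nothing in this hunk enforces that. Consider adding an enforced annotation for the CONFIG_LSM value as well. At minimum, expand the note text to say that the option is built but deliberately left out of CONFIG_LSM, so that a later edit to CONFIG_LSM cannot enable SafeSetID without tripping a config check.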
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 3fe1950d0fff..9baba5706552 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -8404,7 +8404,7 @@ CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
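Review bot: the commit message names the "lsm" command-line parameter but not how to use it, which matters for anyone acting on `CONFIG_SECURITY_SAFESETID=y`. The lsm= parameter overrides the CONFIG_LSM list rather than appending to it, so an integrator has to pass the full ordered list of LSMs they want active with safesetid added, or the LSMs that are on by default get dropped. A sentence in the commit message stating this, ideally with the current CONFIG_LSM string quoted, would close that gap.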
--
2.17.1