[PATCH 3/3] UBUNTU: [Config] Build SafeSetID LSM but don't enable it by default
John Johansen
john.johansen at canonical.com
Wed Sep 25 22:25:25 UTC 2019
On 9/25/19 2:43 PM, Tyler Hicks wrote:
> BugLink: https://launchpad.net/bugs/1845391
>
> We can safely build the SafeSetID LSM while leaving it turned off by
> default. It will be off by default due to CONFIG_LSM not containing
> "safesetid" in our kernel configs. A security-minded system integrator
> may want to make use of SafeSetID and can do so by enabling it with the
> "lsm" kernel command-line parameter.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johnansen at canonical.com>
> ---
> debian.master/config/annotations | 4 ++--
> debian.master/config/config.common.ubuntu | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
> index ff5c7c95f3dc..093107b7ea40 100644
> --- a/debian.master/config/annotations
> +++ b/debian.master/config/annotations
> @@ -12653,12 +12653,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT policy<{'amd64': 'y', 'arm64': '
> CONFIG_SECURITY_APPARMOR_DEBUG policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> CONFIG_SECURITY_LOADPIN policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> CONFIG_SECURITY_YAMA policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> -CONFIG_SECURITY_SAFESETID policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> +CONFIG_SECURITY_SAFESETID policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> #
> CONFIG_SECURITY mark<ENFORCED>
> CONFIG_LSM_MMAP_MIN_ADDR mark<ENFORCED> flag<REVIEW>
> CONFIG_SECURITY_YAMA mark<ENFORCED>
> -CONFIG_SECURITY_SAFESETID flag<REVIEW>
> +CONFIG_SECURITY_SAFESETID mark<ENFORCED> note<LP:#1845391>
>
> # Menu: Security options >> Enable different security models >> Integrity subsystem
> CONFIG_INTEGRITY policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index 3fe1950d0fff..9baba5706552 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -8404,7 +8404,7 @@ CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_NETWORK_XFRM=y
> CONFIG_SECURITY_PATH=y
> CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>
More information about the kernel-team
mailing list