[PATCH 5/8] UBUNTU: [Config] Enable notifier call chain validations

Tyler Hicks tyhicks at canonical.com
Sun Jan 19 13:10:26 UTC 2020


BugLink: https://launchpad.net/bugs/1855337

Enable CONFIG_DEBUG_NOTIFIERS to ensure that notifier functions are
present in the core kernel text or module text sections before calling
those functions.

If an invalid function pointer is detected, a warning is issued and the
function is not called. This helps in attack prevention and detection.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 debian.master/config/annotations          | 3 ++-
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 5bd7b6a2bda2..a2d2f04a83b4 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -10624,7 +10624,7 @@ CONFIG_DEBUG_BUGVERBOSE                         policy<{'amd64': 'y', 'arm64': '
 CONFIG_DEBUG_LIST                               policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_DEBUG_PLIST                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_DEBUG_SG                                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_DEBUG_NOTIFIERS                          policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_DEBUG_NOTIFIERS                          policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_DEBUG_CREDENTIALS                        policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_DEBUG_WQ_FORCE_RR_CPU                    policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_DEBUG_BLOCK_EXT_DEVT                     policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
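Review bot: The CONFIG_DEBUG_NOTIFIERS policy line flips from 'n' to 'y' on all six architectures (amd64, arm64, armhf, i386, ppc64el, s390x) in one step, but the commit message does not say which of them were build- or boot-tested with the option on, or what the added check costs on notifier call paths. Please add a line on testing and overhead to the commit message so a later reader can see what backs the per-architecture 'y' values.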
@@ -10634,6 +10634,7 @@ CONFIG_LATENCYTOP                               policy<{'amd64-generic': 'n', 'a
 CONFIG_DEBUG_LIST                               mark<ENFORCED> note<LP:1855334>
 CONFIG_DEBUG_CREDENTIALS                        mark<ENFORCED> note<LP:1855335>
 CONFIG_DEBUG_SG                                 mark<ENFORCED> note<LP:1855336>
+CONFIG_DEBUG_NOTIFIERS                          mark<ENFORCED> note<LP:1855337>
 CONFIG_LATENCYTOP                               mark<ENFORCED> note<https://lists.ubuntu.com/archives/kernel-team/2014-July/045006.html, LP#1655986>
 
 # Menu: Kernel hacking >> Kernel debugging >> Architecture: arm
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 46309da0e559..a2e5944d3c7a 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -2332,7 +2332,7 @@ CONFIG_DEBUG_LL_INCLUDE="mach/debug-macro.S"
 CONFIG_DEBUG_MISC=y
 # CONFIG_DEBUG_MUTEXES is not set
 # CONFIG_DEBUG_NMI_SELFTEST is not set
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_NOTIFIERS=y
 # CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_DEBUG_PAGEALLOC is not set
 # CONFIG_DEBUG_PAGE_REF is not set
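Review bot: With CONFIG_DEBUG_NOTIFIERS=y set in config.common.ubuntu, a notifier callback that fails the check is skipped rather than called (per the commit message), yet the message does not say how the resulting warning appears to an operator. Since the stated goal includes detection, please document the warning text or where it is logged, so that monitoring can alert on it and a skipped callback can be traced back to this option.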
-- 
2.17.1
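The behaviour the commit message describes (check that a notifier callback lies in text before calling it, otherwise warn and skip) can be sketched in userspace. This is an added example, not code from the patch or from the kernel source; `func_ptr_is_text`, `call_chain` and `demo` are hypothetical names, and it assumes a GNU-style linker that provides `__executable_start` and `etext`.

```c
#include <stdint.h>
#include <stdio.h>

/* GNU ld symbols: start of the loaded image and end of its text section. */
extern char __executable_start[], etext[];

typedef int (*notifier_fn_t)(unsigned long event, void *data);
struct notifier_block {
    notifier_fn_t notifier_call;
    struct notifier_block *next;
};

int chain_skipped;  /* entries rejected by the last call_chain() */
int events_seen;    /* times good_handler() actually ran */

/* Hypothetical userspace stand-in for the kernel's text-section check. */
static int func_ptr_is_text(notifier_fn_t fn)
{
    uintptr_t p = (uintptr_t)fn;
    return p >= (uintptr_t)__executable_start && p < (uintptr_t)etext;
}

/* Walk the chain; warn about and skip any callback outside program text.
 * Returns the number of callbacks that were invoked. */
int call_chain(struct notifier_block *nb, unsigned long event)
{
    int called = 0;
    chain_skipped = 0;
    for (; nb; nb = nb->next) {
        if (!func_ptr_is_text(nb->notifier_call)) {
            fprintf(stderr, "WARNING: invalid notifier %p skipped\n",
                    (void *)(uintptr_t)nb->notifier_call);
            chain_skipped++;
            continue;
        }
        nb->notifier_call(event, NULL);
        called++;
    }
    return called;
}

static int good_handler(unsigned long e, void *d) { (void)e; (void)d; events_seen++; return 0; }
static unsigned char data_buf[16]; /* constructed: a corrupted pointer would land in data like this */

int demo(void)
{
    struct notifier_block bad = { (notifier_fn_t)(uintptr_t)data_buf, NULL };
    struct notifier_block good = { good_handler, &bad };
    return call_chain(&good, 1);
}

int main(void) { int c = demo(); printf("called=%d skipped=%d\n", c, chain_skipped); return 0; }
```

The valid handler still runs while the entry pointing into data is reported and skipped, which is the trade the option makes: one range check per callback in exchange for refusing to jump through a pointer that no longer refers to code.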



