[RFC][K/U][PATCH] UBUNTU: [Config] enable CONFIG_DEVTMPFS_SAFE
Andrea Righi
andrea.righi at canonical.com
Fri May 20 13:03:33 UTC 2022
BugLink: https://bugs.launchpad.net/bugs/1974442
Mount devtmpfs with nosuid,noexec to prevent mmapping special files in
/dev with PROT_EXEC or having executables setuid files.
This allows to provide a little bit of extra security in the system.
This change may potentially break some drivers that require to execute
code by mmapping /dev/mem (e.g., non-KSM video drivers).
Theoretically we shouldn't break any of the officially supported
drivers, because kernel lockdown is already preventing access to
/dev/mem.
This is just a little more relaxed constraint than kernel lockdown, but
it can still provide a reasonable level of extra security in the system
also when the kernel is not completely locked down.
Signed-off-by: Andrea Righi <andrea.righi at canonical.com>
---
debian.master/config/annotations | 1 +
debian.master/config/config.common.ubuntu | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index a0920e0f3fad..5a0e1ea742a8 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -1970,6 +1970,7 @@ CONFIG_UEVENT_HELPER policy<{'amd64': 'y', 'arm64': '
CONFIG_UEVENT_HELPER_PATH policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}>
CONFIG_DEVTMPFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_DEVTMPFS_MOUNT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_DEVTMPFS_SAFE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_STANDALONE policy<{'amd64': 'n', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_PREVENT_FIRMWARE_BUILD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_ALLOW_DEV_COREDUMP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 28b5e855d7da..e6bf6cca79ce 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -2782,7 +2782,7 @@ CONFIG_DEVMEM=y
CONFIG_DEVPORT=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
-# CONFIG_DEVTMPFS_SAFE is not set
+CONFIG_DEVTMPFS_SAFE=y
CONFIG_DEV_APPLETALK=m
CONFIG_DEV_COREDUMP=y
CONFIG_DEV_DAX=m
--
2.34.1
More information about the kernel-team
mailing list