[linux-kvm-b][PATCH 0/2] Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_FORTIFY_SOURCE

Po-Hsu Lin (Sam)
== Justification ==
In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
meet the security team's requirement.

== Test ==
Before enabling the config, test case test_190_config_kernel_fortify and
test_250_config_security_perf_events_restrict will fail in the kernel
security testsuite for the kernel SRU regression test.

It will pass with these two patches applied, tested on a KVM node.

== Fix ==
Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
Set CONFIG_FORTIFY_SOURCE to "y".

== Regression Potential ==
Minimal.
No code changes, just two config changes without disabling any other configs.

BugLink: https://bugs.launchpad.net/bugs/1766780
BugLink: https://bugs.launchpad.net/bugs/1766774

Po-Hsu Lin (2):
  UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
  UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE

 debian.kvm/config/config.common.ubuntu | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
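
The before/after states described in the Test section above, as an added example that is not part of the original thread and is not the kernel security testsuite's code: a shell check that tells `=y`, an explicit `# ... is not set`, and a missing symbol apart in a kernel config file. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of a Kconfig symbol.
# Prints y, m, another raw value, "unset" (explicit "# ... is not set"),
# or "absent" when the symbol does not appear in the file at all.
kconfig_state() {
    # $1 = symbol, e.g. CONFIG_FORTIFY_SOURCE; $2 = path to a config file
    awk -v sym="$1" '
        $0 == "# " sym " is not set" { state = "unset" }
        index($0, sym "=") == 1      { state = substr($0, length(sym) + 2) }
        END { print (state == "" ? "absent" : state) }
    ' "$2"
}

# Return 0 only if every symbol listed after the config path is built in (=y).
check_required() {
    cfg="$1"; shift
    rc=0
    for sym in "$@"; do
        st=$(kconfig_state "$sym" "$cfg")
        printf '%-45s %s\n' "$sym" "$st"
        [ "$st" = "y" ] || rc=1
    done
    return $rc
}

# Constructed sample inputs mirroring the before/after lines of the two hunks.
sample_dir=$(mktemp -d)
cat > "$sample_dir/before" <<'EOF'
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_PERF_EVENTS_RESTRICT is not set
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_FRAME_WARN=2048
EOF
cat > "$sample_dir/after" <<'EOF'
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_FRAME_WARN=2048
EOF

REQUIRED="CONFIG_SECURITY_PERF_EVENTS_RESTRICT CONFIG_FORTIFY_SOURCE"
check_required "$sample_dir/before" $REQUIRED || echo "before: FAIL"
check_required "$sample_dir/after"  $REQUIRED && echo "after: PASS"
```

To audit a real build, pass the path of that kernel's config file to `check_required` in place of the sample files.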

[linux-kvm-b][PATCH 1/2] UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT

Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1766780

Enable the CONFIG_SECURITY_PERF_EVENTS_RESTRICT, which is required by the
kernel security testsuite.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.kvm/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu
index abb67e4..d4fe1a2 100644
--- a/debian.kvm/config/config.common.ubuntu
+++ b/debian.kvm/config/config.common.ubuntu
@@ -2058,7 +2058,7 @@ CONFIG_SECURITY_DEFAULT_DISPLAY_NAME="apparmor"
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
-# CONFIG_SECURITY_PERF_EVENTS_RESTRICT is not set
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
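Review bot: the changelog for the +CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y line gives "required by the kernel security testsuite" as the only reason and never says what the option restricts. Add a sentence on the runtime effect for perf users of linux-kvm, because the cover letter rates regression potential as minimal on the grounds of "no code changes", while this line switches a restriction from "is not set" to "y".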
--
2.7.4


[linux-kvm-b][PATCH 2/2] UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE

Po-Hsu Lin (Sam)
In reply to this post by Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1766774

Enable the CONFIG_FORTIFY_SOURCE, which is required by the kernel security
testsuite.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.kvm/config/config.common.ubuntu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu
index d4fe1a2..10cf241 100644
--- a/debian.kvm/config/config.common.ubuntu
+++ b/debian.kvm/config/config.common.ubuntu
@@ -723,7 +723,7 @@ CONFIG_FILE_LOCKING=y
 # CONFIG_FIRMWARE_MEMMAP is not set
 CONFIG_FIX_EARLYCON_MEM=y
 # CONFIG_FMC is not set
-# CONFIG_FORTIFY_SOURCE is not set
+CONFIG_FORTIFY_SOURCE=y
 # CONFIG_FPGA is not set
 CONFIG_FRAME_POINTER=y
 CONFIG_FRAME_WARN=2048
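Review bot: the changelog does not say whether this patch depends on 1/2, yet the index line d4fe1a2..10cf241 shows it was generated on top of it. The two hunks sit at @@ -723 and @@ -2058 of the same file and do not overlap, so state that the patches are independent and can be applied in either order. The message would also be stronger if it said what CONFIG_FORTIFY_SOURCE adds to the build rather than only that the testsuite requires it.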
--
2.7.4


ACK/Cmnt: [bionic/linux-kvm][PATCH 0/2] Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_FORTIFY_SOURCE

Stefan Bader-2
In reply to this post by Po-Hsu Lin (Sam)
On 12.06.2018 12:53, Po-Hsu Lin wrote:

> == Justification ==
> In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
> CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
> meet the security team's requirement.
>
> == Test ==
> Before enabling the config, test case test_190_config_kernel_fortify and
> test_250_config_security_perf_events_restrict will fail in the kernel
> security testsuite for the kernel SRU regression test.
>
> It will pass with these two patches applied, tested on a KVM node.
>
> == Fix ==
> Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
> Set CONFIG_FORTIFY_SOURCE to "y".
>
> == Regression Potential ==
> Minimal.
> No code changes, just two config changes without disabling any other configs.
>
> BugLink: https://bugs.launchpad.net/bugs/1766780
> BugLink: https://bugs.launchpad.net/bugs/1766774
>
> Po-Hsu Lin (2):
>   UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>   UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE
>
>  debian.kvm/config/config.common.ubuntu | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
Acked-by: Stefan Bader <[hidden email]>

See change of subject. I would suggest to commonly use <target series>[/<pkg
name if not linux>] to avoid confusion. Especially for those using oem-a when
they mean xenial/oem ;-)

-Stefan


ACK: [linux-kvm-b][PATCH 0/2] Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_FORTIFY_SOURCE

Thadeu Lima de Souza Cascardo-3
In reply to this post by Po-Hsu Lin (Sam)
Acked-by: Thadeu Lima de Souza Cascardo <[hidden email]>

Re: ACK/Cmnt: [bionic/linux-kvm][PATCH 0/2] Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_FORTIFY_SOURCE

Po-Hsu Lin (Sam)
In reply to this post by Stefan Bader-2
This suggestion (and example) looks good to me.
Thanks!

On Wed, Jun 13, 2018 at 10:07 PM, Stefan Bader
<[hidden email]> wrote:

> On 12.06.2018 12:53, Po-Hsu Lin wrote:
>> == Justification ==
>> In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
>> CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
>> meet the security team's requirement.
>>
>> == Test ==
>> Before enabling the config, test case test_190_config_kernel_fortify and
>> test_250_config_security_perf_events_restrict will fail in the kernel
>> security testsuite for the kernel SRU regression test.
>>
>> It will pass with these two patches applied, tested on a KVM node.
>>
>> == Fix ==
>> Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
>> Set CONFIG_FORTIFY_SOURCE to "y".
>>
>> == Regression Potential ==
>> Minimal.
>> No code changes, just two config changes without disabling any other configs.
>>
>> BugLink: https://bugs.launchpad.net/bugs/1766780
>> BugLink: https://bugs.launchpad.net/bugs/1766774
>>
>> Po-Hsu Lin (2):
>>   UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>>   UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE
>>
>>  debian.kvm/config/config.common.ubuntu | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
> Acked-by: Stefan Bader <[hidden email]>
>
> See change of subject. I would suggest to commonly use <target series>[/<pkg
> name if not linux>] to avoid confusion. Especially for those using oem-a when
> they mean xenial/oem ;-)
>
> -Stefan
>

APPLIED: [linux-kvm-b][PATCH 0/2] Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT and CONFIG_FORTIFY_SOURCE

Khaled Elmously
In reply to this post by Po-Hsu Lin (Sam)
Applied to bionic/linux-kvm (in reverse order)


On 2018-06-12 18:53:13 , Po-Hsu Lin wrote:

> == Justification ==
> In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
> CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
> meet the security team's requirement.
>
> == Test ==
> Before enabling the config, test case test_190_config_kernel_fortify and
> test_250_config_security_perf_events_restrict will fail in the kernel
> security testsuite for the kernel SRU regression test.
>
> It will pass with these two patches applied, tested on a KVM node.
>
> == Fix ==
> Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
> Set CONFIG_FORTIFY_SOURCE to "y".
>
> == Regression Potential ==
> Minimal.
> No code changes, just two config changes without disabling any other configs.
>
> BugLink: https://bugs.launchpad.net/bugs/1766780
> BugLink: https://bugs.launchpad.net/bugs/1766774
>
> Po-Hsu Lin (2):
>   UBUNTU: [Config]: enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT
>   UBUNTU: [Config]: enable CONFIG_FORTIFY_SOURCE
>
>  debian.kvm/config/config.common.ubuntu | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> --
> 2.7.4