Merge branch 'corsac/linux-hardening-options' into sid

2018-06-06 20:57:40 +01:00 · 2018-06-06 20:57:40 +01:00 · c1ecc67a90
parent 7e35837639 1bdb99105c
commit c1ecc67a90
3 changed files with 7 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -284,6 +284,10 @@ linux (4.16.13-1) UNRELEASED; urgency=medium
  * [armhf] Enable MFD_AC100 and RTC_DRV_AC100, used in allwinner A80/A83t
    systems.

+  [ Yves-Alexis Perez ]
+  * hardening: enable FORTIFY_SOURCE, disable HARDENED_USERCOPY_FALLBACK
+  * [x86] hardening: enable REFCOUNT_FULL
+
 -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 30 May 2018 08:41:30 +0200

 linux (4.16.12-1) unstable; urgency=medium
--- a/debian/config/config
+++ b/debian/config/config
@ -7118,7 +7118,9 @@ CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
+CONFIG_FORTIFY_SOURCE=y
 CONFIG_LOCK_DOWN_KERNEL=y
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 ## choice: Default security module
--- a/debian/config/kernelarch-x86/config
+++ b/debian/config/kernelarch-x86/config
@ -2,6 +2,7 @@
 ## file: arch/Kconfig
 ##
 # CONFIG_OPROFILE_EVENT_MULTIPLEX is not set
+CONFIG_REFCOUNT_FULL=y

 ##
 ## file: arch/x86/Kconfig