From ab436fc35bfa2720b24b5bebb3af124822f3d7c2 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Sat, 19 May 2018 11:26:45 +0200 Subject: [PATCH 1/4] hardening: enable REFCOUNT_FULL and FORTIFY_SOURCE, disabled HARDENED_USERCOPY_FALLBACK --- debian/changelog | 4 ++++ debian/config/config | 3 +++ 2 files changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 636dfb055..d3d68ec5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -261,6 +261,10 @@ linux (4.16.8-1) UNRELEASED; urgency=medium * proc: do not access cmdline nor environ from file-backed areas (CVE-2018-1120) + [ Yves-Alexis Perez ] + * hardening: enable REFCOUNT_FULL and FORTIFY_SOURCE, disabled + HARDENED_USERCOPY_FALLBACK + -- Vagrant Cascadian Mon, 30 Apr 2018 11:23:15 -0700 linux (4.16.5-1) unstable; urgency=medium diff --git a/debian/config/config b/debian/config/config index c410470ab..e6a51d85f 100644 --- a/debian/config/config +++ b/debian/config/config @@ -12,6 +12,7 @@ CONFIG_CC_STACKPROTECTOR_STRONG=y ## end choice CONFIG_VMAP_STACK=y CONFIG_STRICT_KERNEL_RWX=y +CONFIG_REFCOUNT_FULL=y ## ## file: block/Kconfig @@ -7118,7 +7119,9 @@ CONFIG_SECURITY_NETWORK_XFRM=y # CONFIG_INTEL_TXT is not set CONFIG_LSM_MMAP_MIN_ADDR=32768 CONFIG_HARDENED_USERCOPY=y +CONFIG_HARDENED_USERCOPY_FALLBACK=n # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set +CONFIG_FORTIFY_SOURCE=y CONFIG_LOCK_DOWN_KERNEL=y CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y ## choice: Default security module From 674ae81ed9adff15e427636a9b085a57371f1de3 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Mon, 21 May 2018 14:41:01 +0200 Subject: [PATCH 2/4] use "is not set" syntax --- debian/config/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/config/config b/debian/config/config index e6a51d85f..24e7d1656 100644 --- a/debian/config/config +++ b/debian/config/config 
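Review bot: `CONFIG_HARDENED_USERCOPY_FALLBACK=n` in the second config hunk turns a usercopy into or out of a slab cache that has no whitelisted region into a hard failure instead of a one-time warning, and nothing in the patch records that trade-off for a distribution kernel. If I remember 4.16's mm/usercopy.c and the slab `__check_heap_object()` checks correctly, with the fallback on a copy that stays inside the object only triggers `WARN_ONCE("Bad or missing usercopy whitelist? ...")`, while with it off the same copy ends in `usercopy_abort()` and `BUG()`, so any driver or subsystem that missed the whitelisting introduced in this same release becomes a userspace-triggerable oops (and a reboot where panic_on_oops is set). Since the knob is, as far as I recall, also exposed at boot as `slab_common.usercopy_fallback=`, I would at least say so in the changelog entry so an admin hitting such a report has a way out without a rebuild, e.g. `* hardening: disable HARDENED_USERCOPY_FALLBACK; a missing usercopy whitelist is now fatal instead of WARN_ONCE, boot with slab_common.usercopy_fallback=1 to restore the old behaviour and report the trace`. Alternatively keep the fallback on for one upload and look for that warning in tester reports before making it fatal.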
@@ -7119,7 +7119,7 @@ CONFIG_SECURITY_NETWORK_XFRM=y # CONFIG_INTEL_TXT is not set CONFIG_LSM_MMAP_MIN_ADDR=32768 CONFIG_HARDENED_USERCOPY=y -CONFIG_HARDENED_USERCOPY_FALLBACK=n +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set CONFIG_FORTIFY_SOURCE=y CONFIG_LOCK_DOWN_KERNEL=y From f569e56cd110ed54b974aeb9d9f1b7515bb9c566 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Mon, 21 May 2018 14:44:26 +0200 Subject: [PATCH 3/4] enable REFCOUNT_FULL only on x86 --- debian/config/config | 1 - debian/config/kernelarch-x86/config | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/config/config b/debian/config/config index 24e7d1656..8f71d0f25 100644 --- a/debian/config/config +++ b/debian/config/config @@ -12,7 +12,6 @@ CONFIG_CC_STACKPROTECTOR_STRONG=y ## end choice CONFIG_VMAP_STACK=y CONFIG_STRICT_KERNEL_RWX=y -CONFIG_REFCOUNT_FULL=y ## ## file: block/Kconfig diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config index ad64314e2..302409462 100644 --- a/debian/config/kernelarch-x86/config +++ b/debian/config/kernelarch-x86/config @@ -2,6 +2,7 @@ ## file: arch/Kconfig ## # CONFIG_OPROFILE_EVENT_MULTIPLEX is not set +CONFIG_REFCOUNT_FULL=y ## ## file: arch/x86/Kconfig From 1bdb99105c4c3c5d948d435b2f902d5c14ea1317 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Mon, 21 May 2018 16:32:58 +0200 Subject: [PATCH 4/4] tune changelog to fit latest commit --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index d3d68ec5e..de6b7951a 100644 --- a/debian/changelog +++ b/debian/changelog 
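Review bot: Restricting `CONFIG_REFCOUNT_FULL=y` to debian/config/kernelarch-x86/config enables the full checked implementation on the one architecture that already has a hardened refcount_t, and neither the hunk nor the commit says why x86 was singled out. As far as I recall 4.16's include/linux/refcount.h, x86 selects ARCH_HAS_REFCOUNT and, with REFCOUNT_FULL off, uses the asm fast path that already saturates on overflow, so REFCOUNT_FULL on x86 only adds the remaining state checks at the cost of the slower generic path, whereas architectures without ARCH_HAS_REFCOUNT fall back to plain unchecked atomic_t and are where REFCOUNT_FULL provides the actual use-after-free protection. If the concern behind moving it out of the generic config is the cost or untested status of the generic implementation on other ports, that argues for enabling it on the ports that have been measured rather than on x86 alone. Whichever way this is decided, I would record the reasoning in the changelog entry next to `[x86] hardening: enable REFCOUNT_FULL`, e.g. `(x86 already has ARCH_HAS_REFCOUNT; enabled for the extra state checks, other architectures pending cost evaluation)`, so the next person does not flip it back without that context.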
@@ -262,8 +262,8 @@ linux (4.16.8-1) UNRELEASED; urgency=medium (CVE-2018-1120) [ Yves-Alexis Perez ] - * hardening: enable REFCOUNT_FULL and FORTIFY_SOURCE, disabled - HARDENED_USERCOPY_FALLBACK + * hardening: enable FORTIFY_SOURCE, disable HARDENED_USERCOPY_FALLBACK + * [x86] hardening: enable REFCOUNT_FULL -- Vagrant Cascadian Mon, 30 Apr 2018 11:23:15 -0700