~tyhicks/ubuntu/+source/linux/+git/unstable:WIP/kconfig-hardening

Last commit made on 2019-10-18
Get this branch:
git clone -b WIP/kconfig-hardening https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/unstable

Branch information

Name: WIP/kconfig-hardening
Repository: lp:~tyhicks/ubuntu/+source/linux/+git/unstable

Recent commits

800c41a... by Tyler Hicks

UBUNTU: [Config] Disable the hardened usercopy fallback

BugLink: TODO

CONFIG_HARDENED_USERCOPY_FALLBACK has been enabled for a while now and
the only instances of the emitted warning found in Launchpad have been
fixed in Eoan. Let's disable this fallback to strictly enforce hardened
usercopy.

Signed-off-by: Tyler Hicks <email address hidden>

c9daf94... by Tyler Hicks

UBUNTU: [Config] Enable kexec image signature verification on arm64

We produce signed kernels for arm64 and should enforce kexec image
verification.

Signed-off-by: Tyler Hicks <email address hidden>

de7c30f... by Tyler Hicks

UBUNTU: [Config] Enable refcount protections on non-x86 architectures

BugLink: https://launchpad.net/bugs/1811162

Enable CONFIG_REFCOUNT_FULL on the remaining non-x86 architectures to
ensure that we have refcount_t validation rather than using unchecked
atomic_t implementations.

This change means that armhf, arm64, ppc64el, and s390x kernels will
have stronger validation of refcount_t than i386 and amd64 at the
expense of some performance.

Signed-off-by: Tyler Hicks <email address hidden>

45376f0... by Tyler Hicks

UBUNTU: [Config] Disable legacy PTY naming

BugLink: TODO

TODO

Signed-off-by: Tyler Hicks <email address hidden>

59a7b78... by Tyler Hicks

UBUNTU: [Config] Enforce filtered access to iomem

BugLink: TODO

Enable CONFIG_IO_STRICT_DEVMEM to restrict userspace access of active
io-memory ranges.

This could impact kernel debuggability. In that case, you may reboot with
iomem=relaxed on the kernel command line to override this setting.

Signed-off-by: Tyler Hicks <email address hidden>

2b44e30... by Tyler Hicks

UBUNTU: [Config] Enable notifier call chain validations

BugLink: TODO

Enable CONFIG_DEBUG_NOTIFIERS to ensure that notifier functions are
present in the core kernel text or module text sections before calling
those functions.

Signed-off-by: Tyler Hicks <email address hidden>

6876c81... by Tyler Hicks

UBUNTU: [Config] Enable scatterlist validation

BugLink: TODO

Enable CONFIG_DEBUG_SG to detect attacks that rely on scatterlists.

Signed-off-by: Tyler Hicks <email address hidden>

90f8c17... by Tyler Hicks

UBUNTU: [Config] Enable cred sanity checks

BugLink: TODO

Enable CONFIG_DEBUG_CREDENTIALS to perform sanity checks, such as
verifying usage counts and proper magic values, when handling cred
structs.

Signed-off-by: Tyler Hicks <email address hidden>

46296c4... by Tyler Hicks

UBUNTU: [Config] Enable linked list manipulation checks

BugLink: TODO

Turn on CONFIG_DEBUG_LIST which does some sanity checking on the
surrounding linked list elements when adding or removing an element. If
the sanity check fails, the list manipulation operation is not performed
and a loud warning is printed to the logs.

This may prevent some attacks that involve a linked list.

Signed-off-by: Tyler Hicks <email address hidden>

b6006c2... by Seth Forshee

UBUNTU: Ubuntu-5.4.0-0.1

Signed-off-by: Seth Forshee <email address hidden>