tmakin/tegra-linux-noble
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

UBUNTU: [Config] enable CONFIG_DEVTMPFS_SAFE

Browse Source 
BugLink: https://bugs.launchpad.net/bugs/1974442

Mount devtmpfs with nosuid,noexec to prevent mmapping special files in
/dev with PROT_EXEC or having executables setuid files.

This allows to provide a little bit of extra security in the system.

This change may potentially break some drivers that require to execute
code by mmapping /dev/mem (e.g., non-KSM video drivers).

Theoretically we shouldn't break any of the officially supported
drivers, because kernel lockdown is already preventing access to
/dev/mem.

This is just a little more relaxed constraint than kernel lockdown, but
it can still provide a reasonable level of extra security in the system
also when the kernel is not completely locked down.

Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
This commit is contained in:
Andrea Righi
2022-05-20 14:55:39 +02:00
committed by Paolo Pisati
parent a7ff8883d2
commit 9d6d28a6c2
2 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
debian.master/config/annotations
+1
View File
@@ -1970,6 +1970,7 @@ CONFIG_UEVENT_HELPER policy<{'amd64': 'y', 'arm64': '
CONFIG_UEVENT_HELPER_PATH policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}>
CONFIG_DEVTMPFS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_DEVTMPFS_MOUNT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_DEVTMPFS_SAFE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_STANDALONE policy<{'amd64': 'n', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_PREVENT_FIRMWARE_BUILD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_ALLOW_DEV_COREDUMP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
debian.master/config/config.common.ubuntu
+1 -1
View File
@@ -2782,7 +2782,7 @@ CONFIG_DEVMEM=y
CONFIG_DEVPORT=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
# CONFIG_DEVTMPFS_SAFE is not set
CONFIG_DEVTMPFS_SAFE=y
CONFIG_DEV_APPLETALK=m
CONFIG_DEV_COREDUMP=y
CONFIG_DEV_DAX=m