aboutsummaryrefslogtreecommitdiff
path: root/debian.linaro/config/enforce
diff options
context:
space:
mode:
Diffstat (limited to 'debian.linaro/config/enforce')
-rw-r--r--debian.linaro/config/enforce115
1 files changed, 115 insertions, 0 deletions
diff --git a/debian.linaro/config/enforce b/debian.linaro/config/enforce
new file mode 100644
index 00000000000..b7c20673449
--- /dev/null
+++ b/debian.linaro/config/enforce
@@ -0,0 +1,115 @@
+#
+# SECURITY items
+#
+# Ensure this option is enabled.
+value CONFIG_COMPAT_BRK n
+value CONFIG_DEVKMEM n
+value CONFIG_LSM_MMAP_MIN_ADDR 0
+value CONFIG_SECURITY y
+!exists CONFIG_SECURITY_FILE_CAPABILITIES | value CONFIG_SECURITY_FILE_CAPABILITIES y
+value CONFIG_SECURITY_SELINUX y
+value CONFIG_SECURITY_SMACK y
+value CONFIG_SECURITY_YAMA y
+value CONFIG_SYN_COOKIES y
+value CONFIG_DEFAULT_SECURITY_APPARMOR y
+# For architectures which support this option ensure it is enabled.
+(arch i386 amd64 & value CONFIG_XEN_ACPI_PROCESSOR y) | !arch i386 amd64
+!exists CONFIG_SECCOMP | value CONFIG_SECCOMP y
+!exists CONFIG_HAVE_ARCH_SECCOMP_FILTER | value CONFIG_SECCOMP_FILTER y
+!exists CONFIG_CC_STACKPROTECTOR | value CONFIG_CC_STACKPROTECTOR y
+!exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y
+!exists CONFIG_DEBUG_SET_MODULE_RONX | value CONFIG_DEBUG_SET_MODULE_RONX y
+!exists CONFIG_STRICT_DEVMEM | value CONFIG_STRICT_DEVMEM y
+# For architectures which support this option ensure it is disabled.
+!exists CONFIG_COMPAT_VDSO | value CONFIG_COMPAT_VDSO n
+!exists CONFIG_ACPI_CUSTOM_METHOD | value CONFIG_ACPI_CUSTOM_METHOD n
+# Default to 32768 on ARM, 65536 for everything else.
+(arch armel armhf & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768) | \
+ (!arch armel armhf & value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)
+
+# CONFIG_USB_DEVICE_FS breaks udev USB firmware loading and is deprecated
+# ensure it is disabled.
+value CONFIG_USB_DEVICEFS n
+
+# upstart requires DEVTMPFS be enabled and mounted by default.
+value CONFIG_DEVTMPFS y
+value CONFIG_DEVTMPFS_MOUNT y
+
+# some /dev nodes require POSIX ACLs, like /dev/dsp
+value CONFIG_TMPFS_POSIX_ACL y
+
+# Ramdisk size should be a minimum of 64M
+value CONFIG_BLK_DEV_RAM_SIZE 65536
+
+# LVM requires dm_mod built in to activate correctly (LP: #560717)
+value CONFIG_BLK_DEV_DM y
+
+# sysfs: ensure all DEPRECATED items are off
+!exists CONFIG_SYSFS_DEPRECATED_V2 | value CONFIG_SYSFS_DEPRECATED_V2 n
+!exists CONFIG_SYSFS_DEPRECATED | value CONFIG_SYSFS_DEPRECATED n
+
+# automatically add local version will cause packaging failure
+value CONFIG_LOCALVERSION_AUTO n
+
+# provide framebuffer console form the start
+# UbuntuSpec:foundations-m-grub2-boot-framebuffer
+value CONFIG_FRAMEBUFFER_CONSOLE y
+
+# GRUB changes will rely on built in vesafb on x86,
+# UbuntuSpec:foundations-m-grub2-boot-framebuffer
+#(( arch i386 | arch amd64 ) & value CONFIG_FB_VESA y) | \
+# value CONFIG_FB_VESA m | !exists CONFIG_FB_VESA
+value CONFIG_FB_VESA m | !exists CONFIG_FB_VESA
+
+# Build in uinput module so that it's always available (LP: 584812)
+value CONFIG_INPUT_UINPUT y
+
+# upstart relies on getting all of the kernel arguments
+value CONFIG_INIT_PASS_ALL_PARAMS y
+
+# Enabling CONFIG_IMA is vastly expensive, ensure it is off
+value CONFIG_IMA n
+
+# Ensure CONFIG_IPV6 is y, if this is a module we get a module load for
+# every ipv6 packet, bad.
+value CONFIG_IPV6 y
+
+# Ensure ECRYPT_FS is y as it cannot be autoloaded and it has complex
+# dependancies which can pull it =m at a whim.
+value CONFIG_ECRYPT_FS y
+
+# Ensure CONFIG_EFI_VARS is y as debian-installer relies on having
+# access to efivars when installing in EFI mode. See LP:837332
+value CONFIG_EFI_VARS y | !exists CONFIG_EFI_VARS
+
+# Ensure CONFIG_FAT_FS is y for arm, needed to ensure we able to replace
+# a kernel with the same version.
+(arch armel armhf & value CONFIG_FAT_FS y) | \
+ (!arch armel armhf & value CONFIG_FAT_FS m)
+
+# Ensure CONFIG_GPIO_TWL4030 is y for arm, LP:921934
+(arch armel armhf & value CONFIG_GPIO_TWL4030 y) | \
+ (!arch armel armhf & (value CONFIG_GPIO_TWL4030 m | !exists CONFIG_GPIO_TWL4030))
+
+# Ensure CONFIG_THERM_ADT746X is y for powerpc and powerpc-smp flavours.
+# See LP:923094
+!exists CONFIG_THERM_ADT746X | \
+ (flavour powerpc powerpc-smp & value CONFIG_THERM_ADT746X y)
+
+# Ensure CONFIG_NVRAM is y for powerpc and powerpc-smp, LP:942193
+(flavour powerpc powerpc-smp & value CONFIG_NVRAM y) | \
+ (value CONFIG_NVRAM m | !exists CONFIG_NVRAM)
+
+# Ensure CONFIG_STUB_POULSBO is disabled if CONFIG_DRM_PSB is enabled
+# See LP:899244
+(!exists CONFIG_DRM_PSB | value CONFIG_DRM_PSB n) | \
+((value CONFIG_DRM_PSB y | value CONFIG_DRM_PSB m) & (value CONFIG_STUB_POULSBO n | !exists CONFIG_STUB_POULSBO))
+
+# Ensure CONFIG_B43_BCMA_EXTRA is disabled if CONFIG_BRCMSMAC is enabled.
+# Otherwise b43 and brcmsmac will overlap in the hardware they claim to
+# support.
+(!exists CONFIG_BRCMSMAC | value CONFIG_BRCMSMAC n) | \
+((value CONFIG_BRCMSMAC y | value CONFIG_BRCMSMAC m) & (value CONFIG_B43_BCMA_EXTRA n | !exists CONFIG_B43_BCMA_EXTRA))
+
+# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not compatible with upstart
+value CONFIG_AUDIT_LOGINUID_IMMUTABLE n
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 22:10:14 +0000