2024-02-08 09:11:07

by Lukas Bulwahn

Subject: [PATCH 0/2] Drop obsolete configs from hardening.config

Dear Kees,

here are two patches cleaning up the hardening config fragment from obsolete
config options.

Feel free to squash them if you think they should not be two separate commits.

Lukas

Lukas Bulwahn (2):
hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment
hardening: drop obsolete DRM_LEGACY from config fragment

kernel/configs/hardening.config | 4 ----
1 file changed, 4 deletions(-)

--
2.17.1



2024-02-08 09:11:24

by Lukas Bulwahn

Subject: [PATCH 1/2] hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment

Commit 7a628f818499 ("ubsan: Remove CONFIG_UBSAN_SANITIZE_ALL") removes the
config UBSAN_SANITIZE_ALL, but one reference to that config is left in the
hardening.config fragment.

Drop this reference in hardening.config fragment.

Note that CONFIG_UBSAN is still enabled in the hardening.config fragment,
so the functionality when using this fragment remains the same.

Signed-off-by: Lukas Bulwahn <[email protected]>
---
kernel/configs/hardening.config | 1 -
1 file changed, 1 deletion(-)

diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config
index 95a400f042b1..4dc0cd342ced 100644
--- a/kernel/configs/hardening.config
+++ b/kernel/configs/hardening.config
@@ -44,7 +44,6 @@ CONFIG_UBSAN_BOUNDS=y
# CONFIG_UBSAN_BOOL
# CONFIG_UBSAN_ENUM
# CONFIG_UBSAN_ALIGNMENT
-CONFIG_UBSAN_SANITIZE_ALL=y

# Linked list integrity checking.
CONFIG_LIST_HARDENED=y
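
Review bot: The context lines directly above the removed line, `# CONFIG_UBSAN_BOOL`, `# CONFIG_UBSAN_ENUM` and `# CONFIG_UBSAN_ALIGNMENT`, lack the ` is not set` suffix, so Kconfig treats them as plain comments and they do not turn those sanitizers off when the fragment is merged. This patch does not introduce that, but since it touches this block a follow-up could spell them as `# CONFIG_UBSAN_BOOL is not set` and so on, in the same form as `# CONFIG_LEGACY_PTYS is not set` further down the file. The removal of `CONFIG_UBSAN_SANITIZE_ALL=y` itself matches the commit message.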
--
2.17.1


2024-02-08 09:11:40

by Lukas Bulwahn

Subject: [PATCH 2/2] hardening: drop obsolete DRM_LEGACY from config fragment

Commit 94f8f319cbcb ("drm: Remove Kconfig option for legacy support
(CONFIG_DRM_LEGACY)") removes the config DRM_LEGACY, but one reference to
that config is left in the hardening.config fragment.

As there is no drm legacy driver left, we do not need to recommend this
attack surface reduction anymore.

Drop this reference in hardening.config fragment.

Signed-off-by: Lukas Bulwahn <[email protected]>
---
kernel/configs/hardening.config | 3 ---
1 file changed, 3 deletions(-)

diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config
index 4dc0cd342ced..ed126d7b5e83 100644
--- a/kernel/configs/hardening.config
+++ b/kernel/configs/hardening.config
@@ -92,6 +92,3 @@ CONFIG_SYN_COOKIES=y

# Attack surface reduction: Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
-
-# Attack surface reduction: Use only modesetting video drivers.
-# CONFIG_DRM_LEGACY is not set
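
Review bot: Removing `# CONFIG_DRM_LEGACY is not set` is only correct on trees that already contain commit 94f8f319cbcb; on a tree that still has the symbol, this hunk would silently drop the "use only modesetting video drivers" attack surface reduction. The commit message could say so explicitly, for example by noting that the patch must not be backported ahead of that commit, so it is not picked up on its own for an older tree.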
--
2.17.1


2024-02-10 06:32:40

by Kees Cook

Subject: Re: [PATCH 0/2] Drop obsolete configs from hardening.config

On Thu, 08 Feb 2024 10:10:43 +0100, Lukas Bulwahn wrote:
> here are two patches cleaning up the hardening config fragment from obsolete
> config options.
>
> Feel free to squash them if you think they should not be two separate commits.
>
> Lukas
>
> [...]

Applied to for-next/hardening, thanks!

[1/2] hardening: drop obsolete UBSAN_SANITIZE_ALL from config fragment
https://git.kernel.org/kees/c/8ab2b5398287
[2/2] hardening: drop obsolete DRM_LEGACY from config fragment
https://git.kernel.org/kees/c/8dafd56868ef

Take care,

--
Kees Cook