summaryrefslogtreecommitdiff
path: root/debian.linaro/config/enforce
blob: 751ede0c7d40dd5c0e022f83bcee11a7872bf168 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#
# SECURITY items
#
# Ensure this option is enabled.
value CONFIG_COMPAT_BRK n
value CONFIG_DEVKMEM n
value CONFIG_LSM_MMAP_MIN_ADDR 0
value CONFIG_SECURITY y
!exists CONFIG_SECURITY_FILE_CAPABILITIES | value CONFIG_SECURITY_FILE_CAPABILITIES y
value CONFIG_SECURITY_SELINUX y
value CONFIG_SECURITY_SMACK y
# value CONFIG_SECURITY_YAMA y
value CONFIG_SYN_COOKIES y
value CONFIG_DEFAULT_SECURITY_APPARMOR y
# For architectures which support this option ensure it is enabled.
!exists CONFIG_SECCOMP | value CONFIG_SECCOMP y
!exists CONFIG_CC_STACKPROTECTOR | value CONFIG_CC_STACKPROTECTOR y
!exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y
!exists CONFIG_STRICT_DEVMEM | value CONFIG_STRICT_DEVMEM y
# For architectures which support this option ensure it is disabled.
!exists CONFIG_COMPAT_VDSO | value CONFIG_COMPAT_VDSO n
# Default to 32768 for armel, 65536 for everything else.
(( arch armel | arch sparc ) & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 ) | \
	( value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)

# CONFIG_USB_DEVICE_FS breaks udev USB firmware loading and is deprecated
# ensure it is disabled.
value CONFIG_USB_DEVICEFS n

# upstart requires DEVTMPFS be enabled and mounted by default.
value CONFIG_DEVTMPFS y
value CONFIG_DEVTMPFS_MOUNT y

# some /dev nodes require POSIX ACLs, like /dev/dsp
value CONFIG_TMPFS_POSIX_ACL y

# Ramdisk size should be a minimum of 64M
value CONFIG_BLK_DEV_RAM_SIZE 65536

# LVM requires dm_mod built in to activate correctly (LP: #560717)
value CONFIG_BLK_DEV_DM y

# sysfs: ensure all DEPRECATED items are off
# value CONFIG_SYSFS_DEPRECATED_V2 n
!exists CONFIG_SYSFS_DEPRECATED | value CONFIG_SYSFS_DEPRECATED n

# automatically add local version will cause packaging failure
value CONFIG_LOCALVERSION_AUTO n

# provide framebuffer console form the start
# UbuntuSpec:foundations-m-grub2-boot-framebuffer
# value CONFIG_FRAMEBUFFER_CONSOLE y

# GRUB changes will rely on built in vesafb on x86,
# UbuntuSpec:foundations-m-grub2-boot-framebuffer
(( arch i386 | arch amd64 ) & value CONFIG_FB_VESA y) | \
	value CONFIG_FB_VESA m | !exists CONFIG_FB_VESA