It was proposed that we add a config enforcer build check to the kernel
build process. This checker reviews the configuration at build time to
confirm that specific options have specific values. This allows us to
confirm and enforce the values of certain values. Where those values
are not set the build will fail.

This patch set adds a new check phase 'prepare-checks' which is triggered
when the prepare phase is running. It then adds a new config-prepare-check
which looks at the newly generated config and checks the specified options.

The config option checks are specified in debian.master/configs/enforce.
This contains a predicate based language. Each line represents one
check, if the line evaluates false then the check is deemed failed.
Each line is made up of one or more predicates which are assertions.
The primary assertions relate to the existence and values of parameters:

    value CONFIG_SYN_COOKIES y
    exists CONFIG_SYN_COOKIES

The rest of the assertions check environmental factors such as architecture
and flavour names:

    arch armel
    flavour generic

These may be combined using and/or and parentheses, the resulting formula
is then executed and if the overall result is true the line is ok. This
allows us to ensure options are set to different values based on
architecture:

    (( arch armel | arch sparc ) & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 ) |
    ( value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)

Following this email are 6 patches. The first brings the new checker and
some basic rules. The second a test suite for the parser. The remainder
fix up the various violations this tester detects.
-apw
Andy Whitcroft (6):
UBUNTU: config-check -- add a configuration enforcer
UBUNTU: config-check -- add a unit-test suite to the checker
UBUNTU: [Config] Enable CONFIG_SYN_COOKIES for versatile
UBUNTU: [Config] Enable CONFIG_SECURITY_SMACK for ports
UBUNTU: [Config] Enable CONFIG_SECURITY_FILE_CAPABILITIES for ports
UBUNTU: [Config] Disable CONFIG_COMPAT_BRK for ports
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
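A minimal evaluator for the rule language described in the message above, as an added example: it is not the config-check script from the patch set. The operator precedence ('&' before '|'), the .config parsing, and the names `parse_config` and `check` are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r"[()&|]|[^\s()&|]+")   # parens and operators may touch a word

def parse_config(text):
    """Map option -> value; '# CONFIG_X is not set' lines leave X absent."""
    pairs = re.findall(r"^(CONFIG_\w+)=(.*)$", text, re.M)
    return {name: val.strip().strip('"') for name, val in pairs}

def check(rule, opts, arch, flavour):      # True means the enforce line passes
    toks, pos = TOKEN.findall(rule), 0
    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of rule: " + rule)
        pos += 1
        return toks[pos - 1]
    def atom():
        t = take()
        if t == "(":
            r = either()
            if take() != ")":
                raise ValueError("expected ')' in: " + rule)
            return r
        if t == "value":
            name, want = take(), take()
            return opts.get(name) == want
        if t not in ("exists", "arch", "flavour"):
            raise ValueError("unknown predicate %r in: %s" % (t, rule))
        arg = take()
        return {"exists": arg in opts, "arch": arg == arch, "flavour": arg == flavour}[t]
    def chain(op, operand, combine):
        r = operand()
        while pos < len(toks) and toks[pos] == op:
            take()
            rhs = operand()   # parse the right side even when r already decides
            r = combine(r, rhs)
        return r
    def both():               # assumption: '&' binds tighter than '|'
        return chain("&", atom, lambda a, b: a and b)
    def either():
        return chain("|", both, lambda a, b: a or b)
    result = either()
    if pos != len(toks):
        raise ValueError("trailing tokens in: " + rule)
    return result

# Constructed sample config; the rule text is the one quoted in the message.
SAMPLE_CONFIG = "CONFIG_SYN_COOKIES=y\nCONFIG_DEFAULT_MMAP_MIN_ADDR=32768\n# CONFIG_COMPAT_BRK is not set\n"
MMAP_RULE = ("(( arch armel | arch sparc ) & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 ) | "
             "( value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)")
```

A malformed rule raises `ValueError` rather than evaluating to false, so a typo in the enforce file cannot be mistaken for a config violation or silently pass.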
12-16-2009, 07:44 PM
Tim Gardner
Config Enforcer V2
Andy Whitcroft wrote:
> It was proposed that we add a config enforcer build check to the kernel
> build process. This checker reviews the configuration at build time to
> confirm that specific options have specific values. This allows us to
> confirm and enforce the values of certain values. Where those values
> are not set the build will fail.
>
> This patch set adds a new check phase 'prepare-checks' which is triggered
> when the prepare phase is running. It then adds a new config-prepare-check
> which looks at the newly generated config and checks the specified options.
>
> The config option checks are specified in debian.master/configs/enforce.
> This contains a predicate based language. Each line represents one
> check, if the line evaluates false then the check is deemed failed.
> Each line is made up of one or more predicates which are assertions.
> The primary assertions relate to the existence and values of parameters:
>
> value CONFIG_SYN_COOKIES y
> exists CONFIG_SYN_COOKIES
>
> The rest of the assertions check environmental factors such as architecture
> and flavour names:
>
> arch armel
> flavour generic
>
> These may be combined using and/or and parentheses, the resulting formula
> is then executed and if the overall result is true the line is ok. This allows us to ensure options are set to different values based on architecture:
>
> (( arch armel | arch sparc ) & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 ) |
> ( value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)
>
> Following this email are 6 patches. The first brings the new checker and
> some basic rules. The second a test suite for the parser. The remainder
> fix up the various violations this tester detects.
>
> -apw
>
> Andy Whitcroft (6):
> UBUNTU: config-check -- add a configuration enforcer
> UBUNTU: config-check -- add a unit-test suite to the checker
> UBUNTU: [Config] Enable CONFIG_SYN_COOKIES for versatile
> UBUNTU: [Config] Enable CONFIG_SECURITY_SMACK for ports
> UBUNTU: [Config] Enable CONFIG_SECURITY_FILE_CAPABILITIES for ports
> UBUNTU: [Config] Disable CONFIG_COMPAT_BRK for ports
>
> debian.master/config/amd64/config.common.amd64 | 1 -
> debian.master/config/armel/config.common.armel | 1 -
> debian.master/config/config.common.ports | 7 +-
> debian.master/config/config.common.ubuntu | 1 +
> debian.master/config/enforce | 25 ++
> debian.master/config/i386/config.common.i386 | 1 -
> debian.master/config/lpia/config.common.lpia | 1 -
> debian.master/rules.d/2-binary-arch.mk | 2 +-
> debian.master/rules.d/4-checks.mk | 8 +
> debian.master/scripts/config-check | 389 ++++++++++++++++++++++++
> debian.master/scripts/misc/kernelconfig | 25 ++-
> 11 files changed, 452 insertions(+), 9 deletions(-)
> create mode 100644 debian.master/config/enforce
> create mode 100755 debian.master/scripts/config-check
>
>
Just do it.
--
Tim Gardner tim.gardner@canonical.com
12-17-2009, 08:09 AM
Andy Whitcroft
Config Enforcer V2
Applied to Lucid.
-apw