UBUNTU: [Config] SECCOMP_FILTER=y

Enable SECCOMP_FILTER for x86 builds, update enforce check.

Signed-off-by: Kees Cook <kees@ubuntu.com>

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 6c44d65..0e37af7 100644 (file)
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -1879,6 +1879,7 @@ CONFIG_HAVE_ARCH_JUMP_LABEL=y
 CONFIG_HAVE_ARCH_KGDB=y
 CONFIG_HAVE_ARCH_KMEMCHECK=y
 CONFIG_HAVE_ARCH_PFN_VALID=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
 CONFIG_HAVE_ARCH_TRACEHOOK=y
 CONFIG_HAVE_ATOMIC_IOMAP=y
 CONFIG_HAVE_BPF_JIT=y
@@ -4580,6 +4581,7 @@ CONFIG_SDIO_UART=m
 CONFIG_SDLA=m
 CONFIG_SEALEVEL_4021=m
 CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_APPARMOR=y

diff --git a/debian.master/config/enforce b/debian.master/config/enforce
index f728597..4da41d5 100644 (file)
--- a/debian.master/config/enforce
+++ b/debian.master/config/enforce
@@ -14,7 +14,7 @@ value CONFIG_SYN_COOKIES y
 value CONFIG_DEFAULT_SECURITY_APPARMOR y
 # For architectures which support this option ensure it is enabled.
 !exists CONFIG_SECCOMP | value CONFIG_SECCOMP y
-!exists CONFIG_HAVE_SECCOMP_FILTER | value CONFIG_SECCOMP_FILTER y
+!exists CONFIG_HAVE_ARCH_SECCOMP_FILTER | value CONFIG_SECCOMP_FILTER y
 !exists CONFIG_CC_STACKPROTECTOR | value CONFIG_CC_STACKPROTECTOR y
 !exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y
 !exists CONFIG_DEBUG_SET_MODULE_RONX | value CONFIG_DEBUG_SET_MODULE_RONX y