path: root/features/security/security.cfg
blob: ed84453b7ffb0e5f7175584268a7bc6bff7dbe23 (plain)
# Kernel configuration fragment: memory-safety and exploit-mitigation options.
# Each line is a request, not a guarantee. An option whose dependencies are
# unmet, or whose name the target kernel or architecture does not know, will
# not appear in the final .config, so confirm every symbol there after merging.

# Bounds-check copy_to_user()/copy_from_user() against the kernel object being
# copied, rejecting copies that run past it. ioctl handlers are one common
# caller, but the check covers every user copy.
CONFIG_HARDENED_USERCOPY=y

# Check for memory copies that might overflow a structure in str*() and mem*()
# functions both at build-time and run-time. Only buffers whose size the
# compiler can determine are covered.
CONFIG_FORTIFY_SOURCE=y

# Harden the slab allocator: randomize the order of the free list, and protect
# the free list metadata against corruption by heap overwrites.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y

# Stack Protector places a canary on the stack to detect buffer overflows
# before a function returns. STRONG extends coverage to more functions than
# the basic option. Both depend on compiler support.
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Disable to ensure random heap placement to make exploits harder.
# The next line is a setting, not a comment: "# CONFIG_X is not set" is how
# Kconfig records a disabled option.
# CONFIG_COMPAT_BRK is not set

# modify_ldt() increases the low-level kernel attack surface, so disable it;
# this removes the system call. CONFIG_EXPERT=y is set because
# MODIFY_LDT_SYSCALL can only be changed when EXPERT is enabled.
# NOTE(review): EXPERT also makes many other options configurable; check the
# final .config for unintended changes. Software that needs 16-bit or
# segmented code (DOSEMU, some Wine programs) stops working without modify_ldt.
# NOTE(review): "=n" here differs from the "is not set" form used elsewhere in
# this fragment; both are accepted, but one form per file is easier to audit.
CONFIG_EXPERT=y
CONFIG_MODIFY_LDT_SYSCALL=n

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
# This is the socket monitoring interface used by tools such as ss, so those
# tools lose functionality.
# CONFIG_INET_DIAG is not set

# Restrict /dev/mem so that userspace cannot use it to access kernel RAM.
# NOTE(review): /dev/mem itself stays present; CONFIG_IO_STRICT_DEVMEM and
# disabling CONFIG_DEVMEM are stricter steps that this fragment does not take.
CONFIG_STRICT_DEVMEM=y

# Check for a kernel stack overrun on calls to schedule(); the kernel panics
# if the end-of-stack marker has been overwritten.
CONFIG_SCHED_STACK_END_CHECK=y

# Information exposure: fill freed pages with a poison pattern so that stale
# data does not leak through later allocations.
# NOTE(review): this only builds the feature in. It stays inactive unless the
# kernel is booted with page_poison=1, so confirm the boot command line.
CONFIG_PAGE_POISONING=y

# Kernel Address Space Layout Randomization (KASLR): randomize where the
# kernel image is loaded (RANDOMIZE_BASE) and the base of the kernel memory
# regions (RANDOMIZE_MEMORY, x86_64 only).
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Direct kernel overwrite: map kernel and module text read-only and keep
# data non-executable, so a write primitive cannot patch code in place.
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y

# Meltdown and Spectre: kernel page-table isolation (Meltdown) and retpolines
# (Spectre v2). Both are x86 options, and retpolines need compiler support.
# NOTE(review): newer kernels rename these to CONFIG_MITIGATION_*; confirm the
# names against the target kernel, or the mitigations may not be enabled.
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y