-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathhardened-base.config
128 lines (97 loc) · 4.39 KB
/
hardened-base.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
## taken from https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
## and modified to suit our needs
## Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
## Make sure kernel page tables have safe permissions.
CONFIG_STRICT_KERNEL_RWX=y
## Report any dangerous memory permissions (not available on all archs).
CONFIG_DEBUG_WX=y
## Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
## Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
## Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y
## Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
## Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
## Provide userspace with ptrace ancestry protections.
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
## Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
## Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_RANDOM_KMALLOC_CACHES=y
## Randomize high-order page allocation freelist.
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
## Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
## Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
## (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_NO_SANITY=y
CONFIG_PAGE_POISONING_ZERO=y
## Wipe slab and page allocations (since v5.3)
## Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
## The init_on_free is only needed if there is concern about minimizing stale data lifetime.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
## Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
## Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
## Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
## Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
## Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
## Dangerous; enabling this disables brk ASLR.
# CONFIG_COMPAT_BRK is not set
## Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
## Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
## Dangerous; enabling this disables VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
## Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
## Dangerous; enabling this allows replacement of running kernel.
# CONFIG_HIBERNATION is not set
## Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
## If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
## Reboot devices immediately if kernel experiences an Oops.
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
# Sanity check userspace page table mappings (since v5.17)
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
CONFIG_UBSAN=y
# TODO: Do we want to enable this? Let's start off with no-trap for now.
# CONFIG_UBSAN_TRAP is not set
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
CONFIG_UBSAN_LOCAL_BOUNDS=y