Update hardening.config #1113

Open
wants to merge 1 commit into
base: master
76 changes: 30 additions & 46 deletions kernel/configs/hardening.config
@@ -1,107 +1,91 @@
# Help: Basic kernel hardening options
#
# These are considered the basic kernel hardening, self-protection, and
# attack surface reduction options. They are expected to have low (or
# no) performance impact on most workloads, and have a reasonable level
# of legacy API removals.

# Make sure reporting of various hardening actions is possible.
# Kernel Hardening Configuration
# This configuration includes basic kernel hardening, self-protection,
# and attack surface reduction options. These options are expected to
# have minimal performance impact on most workloads and involve
# limited legacy API removals.

# Enable reporting of various hardening actions.
CONFIG_BUG=y

# Basic kernel memory permission enforcement.
# Enforce strict kernel memory permissions.
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_VMAP_STACK=y

# Kernel image and memory ASLR.
# Enable Address Space Layout Randomization (ASLR) for kernel image and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Randomize allocator freelists, harden metadata.
# Randomize allocator freelists and harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_BUCKETS=y
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_RANDOM_KMALLOC_CACHES=y

# Sanity check userspace page table mappings.
# Sanity checks for userspace page table mappings.
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

# Randomize kernel stack offset on syscall entry.
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Basic stack frame overflow protection.
# Enable basic stack frame overflow protection.
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Basic buffer length bounds checking.
# Enable bounds checking for buffer lengths and user copy operations.
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y

# Basic array index bounds checking.
# Enable array index bounds checking.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_SIGNED_WRAP is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set

# Sampling-based heap out-of-bounds and use-after-free detection.
CONFIG_KFENCE=y

# Linked list integrity checking.
# Enable linked list integrity checking.
CONFIG_LIST_HARDENED=y

# Initialize all heap variables to zero on allocation.
# Initialize heap variables to zero upon allocation.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

# Initialize all stack variables to zero on function entry.
# Initialize stack variables to zero at function entry.
CONFIG_INIT_STACK_ALL_ZERO=y

# Wipe RAM at reboot via EFI. For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
# Wipe RAM at reboot via EFI.
CONFIG_RESET_ATTACK_MITIGATION=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
# Disable DMA between EFI hand-off and kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force IOMMU TLB invalidation so devices will never be able to access stale
# data content.
# Force IOMMU TLB invalidation to prevent access to stale data.
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Do not allow direct physical memory access to non-device memory.
# Restrict direct physical memory access to non-device memory.
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
# Provide seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Provides some protections against SYN flooding.
# Enable SYN cookies to mitigate SYN flooding attacks.
CONFIG_SYN_COOKIES=y

# Enable Kernel Control Flow Integrity (currently Clang only).
# Enable Kernel Control Flow Integrity (requires Clang).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

# Attack surface reduction: do not autoload TTY line disciplines.
# Attack surface reduction: Disable autoloading of TTY line disciplines.
# CONFIG_LDISC_AUTOLOAD is not set

# Dangerous; enabling this disables userspace brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables userspace VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set
# Dangerous options; consider carefully before enabling:
# CONFIG_COMPAT_BRK is not set # Disables userspace brk ASLR.
# CONFIG_PROC_KCORE is not set # Exposes kernel text image layout.
# CONFIG_COMPAT_VDSO is not set # Disables userspace VDSO ASLR.

# Attack surface reduction: Use the modern PTY interface (devpts) only.
# Attack surface reduction: Use modern PTY interface only (devpts).
# CONFIG_LEGACY_PTYS is not set
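Review bot: the consolidated "Dangerous options" block appends a trailing comment to the `# CONFIG_... is not set` marker lines (`# CONFIG_COMPAT_BRK is not set # Disables userspace brk ASLR.` and the two lines after it), which breaks the fixed `# CONFIG_FOO is not set` form; scripts/kconfig/merge_config.sh matches that form with an end-of-line anchor, so when this fragment is applied with `make hardening.config` those three options are silently skipped instead of being forced off. Keep each marker on its own line and put the explanation on a comment line above it, as the original did. Two more things are lost that should stay: the `# Help:` first line is what the kconfig Makefile's `make help` target parses to print the fragment's description, so replacing it with `# Kernel Hardening Configuration` drops hardening.config from that listing; and the two reference URLs for CONFIG_RESET_ATTACK_MITIGATION (the TCG platform reset attack mitigation spec and the Red Hat bug) are the justification for the option. The remaining lines only reword comments, and one rewording is weaker than the original: `Restrict direct physical memory access to non-device memory` reads as partial, whereas STRICT_DEVMEM/IO_STRICT_DEVMEM do what the original says, `Do not allow`.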