path: root/features/security/security.cfg
blob: 0486eb1a3d9af08845e0b2a917dc09d16ee8c343 (plain)
# SPDX-License-Identifier: MIT
#
# Kernel hardening configuration fragment. Several options below are
# x86-specific (MODIFY_LDT_SYSCALL, LEGACY_VSYSCALL_*, RANDOMIZE_MEMORY,
# PAGE_TABLE_ISOLATION, RETPOLINE) and some have been renamed or removed in
# newer kernels, so compare the merged .config against this file to find
# lines that did not take effect instead of assuming every option applied.

# Bounds-check copy_to_user()/copy_from_user() against the size of the source
# or destination object (slab allocation, stack frame); ioctl handlers are a
# common place where such copies overflow.
CONFIG_HARDENED_USERCOPY=y
# With the fallback off, a slab object without a usercopy whitelist is
# rejected rather than merely warned about. NOTE(review): the FALLBACK option
# was dropped in newer kernels where strict behaviour is the only one; the
# line is then harmless but ignored.
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set

# Compile-time and run-time overflow checks on str*()/mem*() and copy helpers
# whenever the destination size is known to the compiler.
CONFIG_FORTIFY_SOURCE=y

# Randomize the order of the slab free list (FREELIST_RANDOM) and protect the
# free-list metadata against corruption/overwrite (FREELIST_HARDENED).
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y

# Stack canaries for buffer-overflow detection; STRONG instruments more
# functions than the basic protector. Requires compiler support.
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# refcount_t with full overflow/underflow checks. NOTE(review): newer kernels
# removed this option because the checked implementation became the default;
# confirm it still exists in the target kernel, otherwise the line is ignored.
CONFIG_REFCOUNT_FULL=y

# Keep the heap (brk) base randomized; COMPAT_BRK would turn that off for
# legacy binaries and give exploits a predictable heap.
# CONFIG_COMPAT_BRK is not set

# /proc/kcore exposes the kernel's virtual memory layout, which undermines
# KASLR; disable it.
# CONFIG_PROC_KCORE is not set

# modify_ldt() enlarges the low-level kernel attack surface; the option to
# remove the syscall is only visible when CONFIG_EXPERT=y.
# NOTE(review): this line uses the "=n" form while the rest of the file uses
# "# ... is not set". Both disable the option, but merge tooling may report
# the requested value as not applied; the "is not set" form is preferable.
CONFIG_EXPERT=y
CONFIG_MODIFY_LDT_SYSCALL=n

# Modern libc no longer needs the fixed-address vsyscall page in userspace;
# removing it takes away a known-address target.
# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
CONFIG_LEGACY_VSYSCALL_NONE=y

# Prior to v4.1, INET_DIAG assisted heap memory attacks; keep the interface
# disabled unless socket diagnostics (e.g. the ss tool) are actually required.
# CONFIG_INET_DIAG is not set

# Remove /dev/mem entirely. The STRICT_DEVMEM options depend on DEVMEM, so
# they have no effect while it is unset; they are kept so that if another
# fragment re-enables DEVMEM, access stays limited to non-RAM ranges and
# (with IO_STRICT) to I/O regions not claimed by a driver.
# Drivers such as uvesafb/v86d that need raw physical memory access will
# not work with this setting.
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Runtime sanity checks on structures commonly targeted by memory-corruption
# primitives: stack end marker, linked lists, scatterlists, notifier chains,
# credentials. NOTE(review): DEBUG_CREDENTIALS was removed in newer kernels;
# confirm against the target version.
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_CREDENTIALS=y

# Information exposure: fill freed pages with a poison pattern so stale data
# is not leaked through later allocations and use of freed pages is easier
# to detect. NOTE(review): building this in is not sufficient on its own;
# poisoning is typically activated by the page_poison=on boot parameter (or
# init_on_free on kernels that have it) - verify for the target version.
CONFIG_PAGE_POISONING=y

# Kernel Address Space Layout Randomization (KASLR): randomize the kernel
# image base (RANDOMIZE_BASE) and, on x86_64, the physical/virtual memory
# regions (RANDOMIZE_MEMORY). RANDOMIZE_BASE depends on CONFIG_RELOCATABLE;
# check the merged .config that it was not silently dropped.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# W^X for kernel and module mappings: text is read-only, data is
# non-executable, preventing direct overwrite of kernel code.
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y

# Meltdown (page-table isolation) and Spectre v2 (retpoline). Retpoline
# requires compiler support; if the toolchain lacks it the kernel still builds
# but the mitigation is not applied. Neither option addresses Spectre v1.
# Confirm on the target via /sys/devices/system/cpu/vulnerabilities that the
# mitigations are actually active. NOTE(review): newer kernels expose these
# under CONFIG_MITIGATION_* names - verify the fragment against the target.
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y