# CONFIGs
-# Linux/x86_64 5.4.0 Kernel Configuration
+# Linux/x86_64 5.14.0 Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
+# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
+CONFIG_SECURITY_DMESG_RESTRICT=y
+
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Disallow allocating the first 64k of memory.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+# Disable Model-Specific Register writes.
+# CONFIG_X86_MSR is not set
+
# Randomize position of kernel and memory.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y