-# Linux/x86_64 6.1.5 Kernel Configuration
+# Linux/x86_64 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
CONFIG_SYN_COOKIES=y
# Perform additional validation of various commonly targeted structures.
+CONFIG_LIST_HARDENED=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
# Make sure SELinux cannot be disabled trivially.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_DEBUG is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
+CONFIG_RANDOM_KMALLOC_CACHES=y
-# Randomize high-order page allocation freelist.
+# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
+# Sanity check userspace page table mappings (since v5.17)
+CONFIG_PAGE_TABLE_CHECK=y
+CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
+
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_SLUB_DEBUG=y
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
+CONFIG_KFENCE_SAMPLE_INTERVAL=100
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
+
# Keep root from altering kernel memory via loadable modules.
# CONFIG_MODULES is not set
# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
+# See also kernel.modules_disabled sysctl below.
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+# CONFIG_MODULE_FORCE_LOAD is not set
# GCC plugins
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
+# Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
+CONFIG_X86_KERNEL_IBT=y
+
+# Support userspace CET Shadow Stack
+CONFIG_X86_USER_SHADOW_STACK=y
+
# Remove additional (32-bit) attack surface, unless you really need them.
# CONFIG_COMPAT is not set
# CONFIG_IA32_EMULATION is not set
# Straight-Line-Speculation
CONFIG_SLS=y
-# Enable Control Flow Integrity (since v6.1)
+# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
projects / kconfig-hardened-check.git / blobdiff