X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-x86-64.config;h=c6b08206d53c308f749bb4dcb8f2982039b1f2c4;hb=refs%2Fheads%2Frefactoring;hp=de19f33027526b6f7d305c23d97fd82b17f16146;hpb=1aa2467c554732ba3ac1318d4070817b077645e2;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index de19f33..c6b0820 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -1,5 +1,5 @@
 # CONFIGs
-# Linux/x86_64 5.4.0 Kernel Configuration
+# Linux/x86_64 5.14.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
+# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
+CONFIG_SECURITY_DMESG_RESTRICT=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -157,10 +160,16 @@ CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
+# Disable Model-Specific Register writes.
+# CONFIG_X86_MSR is not set
+
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
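Review bot: The comment `# Disable Model-Specific Register writes.` added above `# CONFIG_X86_MSR is not set` in the third hunk understates what the option controls: CONFIG_X86_MSR builds the /dev/cpu/*/msr character device, so leaving it unset removes user-space MSR reads as well as writes, and monitoring tools that only read MSRs lose that interface. Since this file is presumably a reference config that the checker compares against, the comment is documentation only, but it is what a user reads when deciding whether to follow the recommendation. Suggest `# Remove the /dev/cpu/*/msr device; user space can then neither read nor write Model-Specific Registers.` (the KSPP wording can be noted alongside it). The other two hunks — the version line and the dmesg_restrict and kstack-offset additions — look consistent with the 5.14.0 header and raise nothing.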