X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-arm.config;h=e0818e342a9dd62bc995cb74cdf844cb7c954a2e;hb=b22708589a1f4138db2fbb192cd28b00d046cdaa;hp=c75026046439f27d1423e0358bceb938c669b363;hpb=4586e03b4526a74bcd45662634bf9d76808ae343;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index c750260..e0818e3 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
@@ -25,6 +25,7 @@ CONFIG_IO_STRICT_DEVMEM=y
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
+CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
@@ -52,6 +53,7 @@ CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_DEBUG is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -67,11 +69,19 @@ CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
+CONFIG_RANDOM_KMALLOC_CACHES=y
+
+# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
+# CONFIG_SLAB_MERGE_DEFAULT is not set
 
 # Allow for randomization of high-order page allocation freelist. Must be enabled with
 # the "page_alloc.shuffle=1" command line below).
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 
+# Sanity check userspace page table mappings (since v5.17)
+CONFIG_PAGE_TABLE_CHECK=y
+CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
+
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
@@ -118,6 +128,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y
 
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
+CONFIG_KFENCE_SAMPLE_INTERVAL=100
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
@@ -196,10 +207,14 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
+
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 
 # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
+# See also kernel.modules_disabled sysctl below.
 CONFIG_STRICT_MODULE_RWX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
@@ -207,6 +222,7 @@ CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+# CONFIG_MODULE_FORCE_LOAD is not set
 
 # GCC plugins