X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-arm.config;h=e0818e342a9dd62bc995cb74cdf844cb7c954a2e;hb=b22708589a1f4138db2fbb192cd28b00d046cdaa;hp=d4493e7eaa3bf932d40904d91f0777afc7366d8e;hpb=35f90af9096a0dad868107ea6dc005468badd5c3;p=kconfig-hardened-check.git
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index d4493e7..e0818e3 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
@@ -1,4 +1,4 @@
-# Linux/arm 6.1.5 Kernel Configuration
+# Linux/arm 6.6.7 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -25,6 +25,7 @@ CONFIG_IO_STRICT_DEVMEM=y
 CONFIG_SYN_COOKIES=y
 
 # Perform additional validation of various commonly targeted structures.
+CONFIG_LIST_HARDENED=y
 CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
@@ -52,6 +53,7 @@ CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_DEBUG is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
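Review bot: The added `CONFIG_LIST_HARDENED=y` in the `@@ -25,6 +25,7 @@` hunk carries no version note, unlike other entries in this file that say "(since v5.12)" or "(since v5.17)", so someone checking an older kernel cannot tell a missing hardening option from a symbol that does not exist there. As far as I know the symbol first appears in v6.6 and `CONFIG_DEBUG_LIST` selects it from then on; after confirming, I would add `# CONFIG_LIST_HARDENED: lightweight list-integrity checks (since v6.6); CONFIG_DEBUG_LIST selects it.` above the line. The same gap applies to `CONFIG_RANDOM_KMALLOC_CACHES` in the `@@ -67,10 +69,19 @@` hunk and to `CONFIG_LEGACY_TIOCSTI` in the `@@ -185,6 +197,9 @@` hunk.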
@@ -67,10 +69,19 @@ CONFIG_HARDENED_USERCOPY=y
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
+CONFIG_RANDOM_KMALLOC_CACHES=y
 
-# Randomize high-order page allocation freelist.
+# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.)
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 
+# Sanity check userspace page table mappings (since v5.17)
+CONFIG_PAGE_TABLE_CHECK=y
+CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
+
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
 
@@ -117,6 +128,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y
 
 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
 CONFIG_KFENCE=y
+CONFIG_KFENCE_SAMPLE_INTERVAL=100
 
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
@@ -185,6 +197,9 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
 
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 
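Review bot: `CONFIG_PAGE_TABLE_CHECK=y` and `CONFIG_PAGE_TABLE_CHECK_ENFORCED=y` in the `@@ -67,10 +69,19 @@` hunk are added to the Linux/arm file, but to my knowledge these symbols depend on an architecture opt-in that 32-bit ARM does not provide at this kernel version. If so, a check driven by this file would report a failure that no arm build can clear, which trains people to ignore the report. Confirm against the arm Kconfig, then either drop the two lines here or mark them, e.g. `# (since v5.17; not selectable on 32-bit ARM)`. Separately, the new two-line comment above `CONFIG_SHUFFLE_PAGE_ALLOCATOR` ends with a closing parenthesis that has no opening one; `# the "page_alloc.shuffle=1" command line below.` reads correctly.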
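Review bot: `CONFIG_KFENCE_SAMPLE_INTERVAL=100` in the `@@ -117,6 +128,7 @@` hunk is added without saying what the number means or which direction is safer. The value is the sampling period in milliseconds, a smaller non-zero value samples more allocations, and 0 turns KFENCE off by default. An exact match on 100 would therefore flag a stricter setting, while a presence-only check would accept 0. I would add `# Sample interval in milliseconds; lower is stricter, 0 disables KFENCE.` above the line.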
@@ -192,10 +207,14 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
+
 # Keep root from altering kernel memory via loadable modules.
 # CONFIG_MODULES is not set
 
 # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
+# See also kernel.modules_disabled sysctl below.
 CONFIG_STRICT_MODULE_RWX=y
 CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_FORCE=y
@@ -203,6 +222,7 @@ CONFIG_MODULE_SIG_ALL=y
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+# CONFIG_MODULE_FORCE_LOAD is not set
 
 # GCC plugins
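Review bot: `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176` in the `@@ -192,10 +207,14 @@` hunk is written in decimal, while this Kconfig symbol is of type hex as far as I know. A generated .config would then carry `0xb0`, and a literal comparison against `176` would not match a correctly restricted kernel. I would write `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0xb0` and keep the decimal in the comment. The comment could also spell out the mask, `# 176 = 16 (sync) + 32 (remount read-only) + 128 (reboot/poweroff)`, since bit 32 is remount read-only rather than unmount. The value only matters when `CONFIG_MAGIC_SYSRQ=y`, which this hunk does not show.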