X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-x86-64.config;h=f374cda2ba05fc0aed51d73b27a35ed71c8acf1d;hb=b80b8c914fff4b4db88c4d1ea6a9de449ce3dd53;hp=f179b4ead38def7c6cea7ce3ed5aa512f2c1d4fb;hpb=35f90af9096a0dad868107ea6dc005468badd5c3;p=kconfig-hardened-check.git
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
index f179b4e..f374cda 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config
@@ -1,4 +1,4 @@
-# Linux/x86_64 6.1.5 Kernel Configuration
+# Linux/x86_64 6.6.7 Kernel Configuration
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -68,7 +68,8 @@ CONFIG_HARDENED_USERCOPY=y
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
@@ -185,6 +186,9 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
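Review bot: The rewritten comment above `CONFIG_SHUFFLE_PAGE_ALLOCATOR=y` in the `@@ -68,7 +68,8 @@` hunk closes a parenthesis it never opened (`command line below).`), and "command line" on its own reads as if the entire command line were meant rather than one parameter. Suggest ending the sentence as `# the "page_alloc.shuffle=1" command-line parameter below.` or, if the brackets were intended, `# (see "page_alloc.shuffle=1" below).` The substance is right and worth keeping explicit: building the option in only makes the freelist shuffling available, so a reader treating this file as a checklist must also add the boot parameter or `=y` alone randomizes nothing.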
@@ -243,6 +247,7 @@ CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_X86_VSYSCALL_EMULATION is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
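Review bot: The added `# CONFIG_X86_VSYSCALL_EMULATION is not set` is placed under a comment that was written for `CONFIG_LEGACY_VSYSCALL_NONE=y`, so the file no longer says how the two lines relate or why both are listed. Leaving the emulation out removes the vsyscall code altogether, whereas `LEGACY_VSYSCALL_NONE` only decides what the emulation maps when it is built in; and if I read arch/x86/Kconfig correctly, the emulation option is only offered under CONFIG_EXPERT, which a reader applying this file as a checklist from menuconfig will otherwise not discover. Suggest a one-line comment directly above the new line, e.g. `# Preferably leave the vsyscall emulation out entirely (option is EXPERT-only); otherwise map no vsyscall page:`, and keep the existing comment for the `LEGACY_VSYSCALL_NONE=y` fallback.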