projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fb4d95b)
Update KSPP recommendations
authorAlexander Popov <alex.popov@linux.com>
Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)
committerAlexander Popov <alex.popov@linux.com>
Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config patch | blob | history
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config patch | blob | history
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config patch | blob | history
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config patch | blob | history

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
index 3c6c0375e0b86b63e68b9d4f5e99b8b621c60ac1..4271f7db57768d9335204531c8e26ce2a2c53612 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
+# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
+CONFIG_SECURITY_DMESG_RESTRICT=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index 013263c978684c47f2a2d35c9e342ce99d1d9b7e..50434940534812ec3b65de78754b5c69c4b154be 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
+# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
+CONFIG_SECURITY_DMESG_RESTRICT=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
index 477d75c1dd1608cdc313bb723986657518df10fd..edca82b7414ee94eaa7b3b4d73896d6c70343482 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
+# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
+CONFIG_SECURITY_DMESG_RESTRICT=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -162,6 +165,9 @@ CONFIG_X86_PAE=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
+# Disable Model-Specific Register writes.
+# CONFIG_X86_MSR is not set
+
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index de19f33027526b6f7d305c23d97fd82b17f16146..799a37db5555b9706f8f487940e991e005088af6 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -80,6 +80,9 @@ CONFIG_REFCOUNT_FULL=y
 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
 CONFIG_FORTIFY_SOURCE=y
 
+# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
+CONFIG_SECURITY_DMESG_RESTRICT=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -157,6 +160,9 @@ CONFIG_X86_64=y
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 
+# Disable Model-Specific Register writes.
+# CONFIG_X86_MSR is not set
+
 # Randomize position of kernel and memory.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
kconfig-hardened-check