-# Linux/arm 6.1.5 Kernel Configuration
+# Linux/arm 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
-# Linux/arm64 6.1.5 Kernel Configuration
+# Linux/arm64 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
-# Linux/i386 6.1.5 Kernel Configuration
+# Linux/i386 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
-# Linux/x86_64 6.1.5 Kernel Configuration
+# Linux/x86_64 6.6.7 Kernel Configuration
# Report BUG() conditions and kill the offending process.
CONFIG_BUG=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
-# Randomize high-order page allocation freelist.
+# Allow for randomization of high-order page allocation freelist. Must be enabled with
+# the "page_alloc.shuffle=1" command line below).
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
# Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
+# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).
+# CONFIG_LEGACY_TIOCSTI is not set
+
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_RANDOMIZE_MEMORY=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_X86_VSYSCALL_EMULATION is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
projects / kconfig-hardened-check.git / commitdiff