Add a feature that enables/disables configurations that impact kernel security with an aim of decreasing the attack surface.
Signed-off-by: Anuj Mittal <anuj.mit...@intel.com>
---
features/security/security.cfg | 48 ++++++++++++++++++++++++++++++++++
features/security/security.scc | 4 +++
2 files changed, 52 insertions(+)
create mode 100644 features/security/security.cfg
create mode 100644 features/security/security.scc
diff --git a/features/security/security.cfg b/features/security/security.cfg
new file mode 100644
index 00000000..efcbe056
--- /dev/null
+++ b/features/security/security.cfg
@@ -0,0 +1,48 @@
+# Protect against ioctl buffer overflows
+CONFIG_HARDENED_USERCOPY=y
+
+# Check for memory copies that might overflow a structure in str*() and mem*()
+# functions both at build-time and run-time
+CONFIG_FORTIFY_SOURCE=y
+
+# Harden the slab free list with randomization
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+
+# Stack Protector is for buffer overflow detection and hardening
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+
+# Perform extensive checks on reference counting
+CONFIG_REFCOUNT_FULL=y
+
+# Disable to ensure random heap placement to make exploits harder
+# CONFIG_COMPAT_BRK is not set
+
+# Disable; exposes kernel text image layout
+# CONFIG_PROC_KCORE is not set
+
+# Increases the low-level kernel attack surface. Disable it instead.
+# Removes the modify_ldt system call.
+CONFIG_EXPERT=y
+CONFIG_MODIFY_LDT_SYSCALL=n
+
+# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
+CONFIG_LEGACY_VSYSCALL_NONE=y
+
+# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
+# CONFIG_INET_DIAG is not set
+
+# Do not allow direct physical memory access (enable only STRICT mode...)
+# CONFIG_DEVMEM is not set
+CONFIG_STRICT_DEVMEM=y
+CONFIG_IO_STRICT_DEVMEM=y
+
+# Perform additional validation of various commonly targeted structures
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_CREDENTIALS=y
diff --git a/features/security/security.scc b/features/security/security.scc
new file mode 100644
index 00000000..0864eb7d
--- /dev/null
+++ b/features/security/security.scc
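Review bot: `CONFIG_MODIFY_LDT_SYSCALL=n` is the only option in this fragment disabled with `=n`; every other disable uses the `# CONFIG_... is not set` form, and the Yocto fragment audit may report the `=n` line as a mismatch even though Kconfig itself accepts it, so `# CONFIG_MODIFY_LDT_SYSCALL is not set` is the consistent spelling. Setting `CONFIG_EXPERT=y` just to reach that prompt does more than the comment says: it unhides many other prompts across the tree, so defaults the base config relied on for those can change once the fragment is merged, which is worth a comment such as `# EXPERT only exposes MODIFY_LDT_SYSCALL; it also unhides other prompts, so review the merged .config`. `CONFIG_CC_STACKPROTECTOR_REGULAR=y` picks the weaker stack-protector variant; `CONFIG_CC_STACKPROTECTOR_STRONG=y` instruments far more functions and is the usual hardening choice when the toolchain supports it. Disabling `CONFIG_INET_DIAG` removes the socket-diagnostics interface that `ss` relies on, and the trailing `CONFIG_DEBUG_*` checks add runtime cost, so a header comment noting both trade-offs would help users deciding whether to enable the feature.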
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations that impact kernel security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware security.cfg
--
2.17.1
--
_______________________________________________
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
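Review bot: `define KFEATURE_COMPATIBILITY all` advertises the feature for every architecture, but security.cfg contains x86-only options (`CONFIG_MODIFY_LDT_SYSCALL`, `CONFIG_LEGACY_VSYSCALL_NONE`, `CONFIG_LEGACY_VSYSCALL_EMULATE`) that are silently dropped on other targets and are likely to be reported by the fragment audit as options that did not take effect. Either move those into a separate x86-specific fragment or document the expectation here, e.g. `# x86-only options in security.cfg are no-ops on other architectures; audit warnings for them are expected`. The description could also mention that several of the options are debug checks with runtime cost, since `kconf non-hardware` alone reads as a purely functional setting.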