GitList

Browse code

linux-esx: Additional security hardening options in the config

- CONFIG_RANDOMIZE_BASE (Kernel ASLR)
- CONFIG_SECURITY_YAMA
- CONFIG_FORTIFY_SOURCES

Reduced attack surface by disabling:
- CONFIG_BINFMT_MISC
- CONFIG_MODIFY_LDT_SYSCALL

Change-Id: I2e1691b67f4bd6541e32af3ef5b07ac43aa33c19
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6471
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>

Alexey Makhalov authored on 2019/01/09 11:10:15
Showing 2 changed files

SPECS/linux/config-esx index b856ce3..0e19c5c 100644
SPECS/linux/linux-esx.spec index d32989e..7f08a0d 100644

SPECS/linux/config-esx

History View file @ eaae631

@@ -311,7 +311,7 @@ CONFIG_NR_CPUS_RANGE_BEGIN=2
                      CONFIG_NR_CPUS_RANGE_END=512
                      CONFIG_NR_CPUS_DEFAULT=64
                      CONFIG_NR_CPUS=128
                     -# CONFIG_SCHED_SMT is not set
                     +CONFIG_SCHED_SMT=y
                      CONFIG_SCHED_MC=y
                      CONFIG_SCHED_MC_PRIO=y
                      CONFIG_X86_LOCAL_APIC=y
@@ -326,8 +326,6 @@ CONFIG_PERF_EVENTS_INTEL_UNCORE=y
                      # CONFIG_PERF_EVENTS_INTEL_RAPL is not set
                      # CONFIG_PERF_EVENTS_INTEL_CSTATE is not set
                      # CONFIG_PERF_EVENTS_AMD_POWER is not set
                     -CONFIG_X86_16BIT=y
                     -CONFIG_X86_ESPFIX64=y
                      CONFIG_X86_VSYSCALL_EMULATION=y
                      # CONFIG_I8K is not set
                      # CONFIG_MICROCODE is not set
@@ -373,8 +371,12 @@ CONFIG_SCHED_HRTICK=y
                      # CONFIG_CRASH_DUMP is not set
                      CONFIG_PHYSICAL_START=0x1000000
                      CONFIG_RELOCATABLE=y
                     -# CONFIG_RANDOMIZE_BASE is not set
                     +CONFIG_RANDOMIZE_BASE=y
                     +CONFIG_X86_NEED_RELOCS=y
                      CONFIG_PHYSICAL_ALIGN=0x1000000
                     +CONFIG_DYNAMIC_MEMORY_LAYOUT=y
                     +CONFIG_RANDOMIZE_MEMORY=y
                     +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
                      CONFIG_HOTPLUG_CPU=y
                      # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
                      # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
@@ -382,7 +384,7 @@ CONFIG_HOTPLUG_CPU=y
                      CONFIG_LEGACY_VSYSCALL_EMULATE=y
                      # CONFIG_LEGACY_VSYSCALL_NONE is not set
                      # CONFIG_CMDLINE_BOOL is not set
                     -CONFIG_MODIFY_LDT_SYSCALL=y
                     +# CONFIG_MODIFY_LDT_SYSCALL is not set
                      CONFIG_HAVE_LIVEPATCH=y
                      CONFIG_ARCH_HAS_ADD_PAGES=y
                      CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
@@ -781,7 +783,7 @@ CONFIG_COMPAT_BINFMT_ELF=y
                      CONFIG_ELFCORE=y
                      CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
                      CONFIG_BINFMT_SCRIPT=y
                     -CONFIG_BINFMT_MISC=y
                     +# CONFIG_BINFMT_MISC is not set
                      CONFIG_COREDUMP=y
+                     #
@@ -3118,7 +3120,7 @@ CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
                      CONFIG_HARDENED_USERCOPY=y
                      CONFIG_HARDENED_USERCOPY_FALLBACK=y
                      # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
                     -# CONFIG_FORTIFY_SOURCE is not set
                     +CONFIG_FORTIFY_SOURCE=y
                      # CONFIG_STATIC_USERMODEHELPER is not set
                      # CONFIG_SECURITY_SELINUX is not set
                      # CONFIG_SECURITY_SMACK is not set
@@ -3129,7 +3131,7 @@ CONFIG_SECURITY_APPARMOR_HASH=y
                      CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
                      # CONFIG_SECURITY_APPARMOR_DEBUG is not set
                      # CONFIG_SECURITY_LOADPIN is not set
                     -# CONFIG_SECURITY_YAMA is not set
                     +CONFIG_SECURITY_YAMA=y
                      # CONFIG_INTEGRITY is not set
                      CONFIG_DEFAULT_SECURITY_APPARMOR=y
                      # CONFIG_DEFAULT_SECURITY_DAC is not set

SPECS/linux/linux-esx.spec

History View file @ eaae631

@@ -2,7 +2,7 @@
                      Summary:        Kernel
                      Name:           linux-esx
                      Version:        4.19.6
                     -Release:        3%{?dist}
                     +Release:        4%{?dist}
                      License:        GPLv2
                      URL:            http://www.kernel.org/
                      Group:          System Environment/Kernel
@@ -193,6 +193,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
                      /usr/src/linux-headers-%{uname_r}
                      %changelog
                     +*   Tue Jan 08 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-4
                     +-   Additional security hardening options in the config.
                      *   Tue Jan 08 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-3
                      -   Fix crash on cpu hot-add.
                      *   Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2