- CONFIG_RANDOMIZE_BASE (Kernel ASLR)
- CONFIG_SECURITY_YAMA
- CONFIG_FORTIFY_SOURCE
Reduced attack surface by disabling:
- CONFIG_BINFMT_MISC
- CONFIG_MODIFY_LDT_SYSCALL
Change-Id: I2e1691b67f4bd6541e32af3ef5b07ac43aa33c19
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6471
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
@@ -311,7 +311,7 @@ CONFIG_NR_CPUS_RANGE_BEGIN=2 |
311 | 311 |
CONFIG_NR_CPUS_RANGE_END=512 |
312 | 312 |
CONFIG_NR_CPUS_DEFAULT=64 |
313 | 313 |
CONFIG_NR_CPUS=128 |
314 |
-# CONFIG_SCHED_SMT is not set |
|
314 |
+CONFIG_SCHED_SMT=y |
|
315 | 315 |
CONFIG_SCHED_MC=y |
316 | 316 |
CONFIG_SCHED_MC_PRIO=y |
317 | 317 |
CONFIG_X86_LOCAL_APIC=y |
@@ -326,8 +326,6 @@ CONFIG_PERF_EVENTS_INTEL_UNCORE=y |
326 | 326 |
# CONFIG_PERF_EVENTS_INTEL_RAPL is not set |
327 | 327 |
# CONFIG_PERF_EVENTS_INTEL_CSTATE is not set |
328 | 328 |
# CONFIG_PERF_EVENTS_AMD_POWER is not set |
329 |
-CONFIG_X86_16BIT=y |
|
330 |
-CONFIG_X86_ESPFIX64=y |
|
331 | 329 |
CONFIG_X86_VSYSCALL_EMULATION=y |
332 | 330 |
# CONFIG_I8K is not set |
333 | 331 |
# CONFIG_MICROCODE is not set |
@@ -373,8 +371,12 @@ CONFIG_SCHED_HRTICK=y |
373 | 373 |
# CONFIG_CRASH_DUMP is not set |
374 | 374 |
CONFIG_PHYSICAL_START=0x1000000 |
375 | 375 |
CONFIG_RELOCATABLE=y |
376 |
-# CONFIG_RANDOMIZE_BASE is not set |
|
376 |
+CONFIG_RANDOMIZE_BASE=y |
|
377 |
+CONFIG_X86_NEED_RELOCS=y |
|
377 | 378 |
CONFIG_PHYSICAL_ALIGN=0x1000000 |
379 |
+CONFIG_DYNAMIC_MEMORY_LAYOUT=y |
|
380 |
+CONFIG_RANDOMIZE_MEMORY=y |
|
381 |
+CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa |
|
378 | 382 |
CONFIG_HOTPLUG_CPU=y |
379 | 383 |
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set |
380 | 384 |
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set |
@@ -382,7 +384,7 @@ CONFIG_HOTPLUG_CPU=y |
382 | 382 |
CONFIG_LEGACY_VSYSCALL_EMULATE=y |
383 | 383 |
# CONFIG_LEGACY_VSYSCALL_NONE is not set |
384 | 384 |
# CONFIG_CMDLINE_BOOL is not set |
385 |
-CONFIG_MODIFY_LDT_SYSCALL=y |
|
385 |
+# CONFIG_MODIFY_LDT_SYSCALL is not set |
|
386 | 386 |
CONFIG_HAVE_LIVEPATCH=y |
387 | 387 |
CONFIG_ARCH_HAS_ADD_PAGES=y |
388 | 388 |
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y |
@@ -781,7 +783,7 @@ CONFIG_COMPAT_BINFMT_ELF=y |
781 | 781 |
CONFIG_ELFCORE=y |
782 | 782 |
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y |
783 | 783 |
CONFIG_BINFMT_SCRIPT=y |
784 |
-CONFIG_BINFMT_MISC=y |
|
784 |
+# CONFIG_BINFMT_MISC is not set |
|
785 | 785 |
CONFIG_COREDUMP=y |
786 | 786 |
|
787 | 787 |
# |
@@ -3118,7 +3120,7 @@ CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y |
3118 | 3118 |
CONFIG_HARDENED_USERCOPY=y |
3119 | 3119 |
CONFIG_HARDENED_USERCOPY_FALLBACK=y |
3120 | 3120 |
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set |
3121 |
-# CONFIG_FORTIFY_SOURCE is not set |
|
3121 |
+CONFIG_FORTIFY_SOURCE=y |
|
3122 | 3122 |
# CONFIG_STATIC_USERMODEHELPER is not set |
3123 | 3123 |
# CONFIG_SECURITY_SELINUX is not set |
3124 | 3124 |
# CONFIG_SECURITY_SMACK is not set |
@@ -3129,7 +3131,7 @@ CONFIG_SECURITY_APPARMOR_HASH=y |
3129 | 3129 |
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y |
3130 | 3130 |
# CONFIG_SECURITY_APPARMOR_DEBUG is not set |
3131 | 3131 |
# CONFIG_SECURITY_LOADPIN is not set |
3132 |
-# CONFIG_SECURITY_YAMA is not set |
|
3132 |
+CONFIG_SECURITY_YAMA=y |
|
3133 | 3133 |
# CONFIG_INTEGRITY is not set |
3134 | 3134 |
CONFIG_DEFAULT_SECURITY_APPARMOR=y |
3135 | 3135 |
# CONFIG_DEFAULT_SECURITY_DAC is not set |
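Review bot: The removal of `CONFIG_X86_16BIT=y` and `CONFIG_X86_ESPFIX64=y` in the hunk at @@ -326,8 +326,6 @@ and the switch from `# CONFIG_SCHED_SMT is not set` to `CONFIG_SCHED_SMT=y` in the first hunk are not recorded in the commit message or the spec changelog, which list only BINFMT_MISC and MODIFY_LDT_SYSCALL under "Reduced attack surface by disabling:". Dropping X86_16BIT is a user-visible compatibility change (16-bit segment support for legacy userspace goes away, and ESPFIX64 depends on it), so it belongs in that list; I would add `- CONFIG_X86_16BIT (and its dependent CONFIG_X86_ESPFIX64)`. The SCHED_SMT enablement should likewise get a one-line rationale in the description, e.g. `- CONFIG_SCHED_SMT=y (SMT-aware scheduling for the SMT-related speculation controls)` if that is the motivation, since it is a scheduler change rather than a pure hardening toggle. The hunk at @@ -373 also brings in `CONFIG_RANDOMIZE_MEMORY=y` alongside RANDOMIZE_BASE, which is consistent with the KASLR intent and could be mentioned next to the "(Kernel ASLR)" item so the changelog matches the config delta.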
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.19.6 |
5 |
-Release: 3%{?dist} |
|
5 |
+Release: 4%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
@@ -193,6 +193,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
193 | 193 |
/usr/src/linux-headers-%{uname_r} |
194 | 194 |
|
195 | 195 |
%changelog |
196 |
+* Tue Jan 08 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-4 |
|
197 |
+- Additional security hardening options in the config. |
|
196 | 198 |
* Tue Jan 08 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-3 |
197 | 199 |
- Fix crash on cpu hot-add. |
198 | 200 |
* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2 |