Browse code
linux-secure: extra KSPP hardening
1. Disable slab merging (makes many heap overflow attacks more difficult)
2. Disable /proc/kcore exposing
3. Perform additional validation of various commonly targetted structures
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_SG=y
Change-Id: I8c3b93623aba1de0a51f9c996495c64ae6c10d0a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4907
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
Alexey Makhalov authored on 2018/03/20 09:12:59Showing 2 changed files
| ... | ... |
@@ -4109,7 +4109,7 @@ CONFIG_FAT_DEFAULT_IOCHARSET="ascii" |
| 4109 | 4109 |
# Pseudo filesystems |
| 4110 | 4110 |
# |
| 4111 | 4111 |
CONFIG_PROC_FS=y |
| 4112 |
-CONFIG_PROC_KCORE=y |
|
| 4112 |
+# CONFIG_PROC_KCORE is not set |
|
| 4113 | 4113 |
CONFIG_PROC_VMCORE=y |
| 4114 | 4114 |
CONFIG_PROC_SYSCTL=y |
| 4115 | 4115 |
CONFIG_PROC_PAGE_MONITOR=y |
| ... | ... |
@@ -4379,7 +4379,7 @@ CONFIG_PANIC_TIMEOUT=0 |
| 4379 | 4379 |
CONFIG_SCHED_DEBUG=y |
| 4380 | 4380 |
CONFIG_SCHED_INFO=y |
| 4381 | 4381 |
CONFIG_SCHEDSTATS=y |
| 4382 |
-# CONFIG_SCHED_STACK_END_CHECK is not set |
|
| 4382 |
+CONFIG_SCHED_STACK_END_CHECK=y |
|
| 4383 | 4383 |
# CONFIG_DEBUG_TIMEKEEPING is not set |
| 4384 | 4384 |
|
| 4385 | 4385 |
# |
| ... | ... |
@@ -4402,7 +4402,7 @@ CONFIG_STACKTRACE=y |
| 4402 | 4402 |
CONFIG_DEBUG_BUGVERBOSE=y |
| 4403 | 4403 |
CONFIG_DEBUG_LIST=y |
| 4404 | 4404 |
# CONFIG_DEBUG_PI_LIST is not set |
| 4405 |
-# CONFIG_DEBUG_SG is not set |
|
| 4405 |
+CONFIG_DEBUG_SG=y |
|
| 4406 | 4406 |
CONFIG_DEBUG_NOTIFIERS=y |
| 4407 | 4407 |
CONFIG_DEBUG_CREDENTIALS=y |
| 4408 | 4408 |
|
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-secure |
| 4 | 4 |
Version: 4.14.8 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -160,7 +160,7 @@ cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_
|
| 160 | 160 |
# because .ko files will be loaded from the memory (LoadPin: obj=<unknown>) |
| 161 | 161 |
cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF"
|
| 162 | 162 |
# GRUB Environment Block |
| 163 |
-photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 |
|
| 163 |
+photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge |
|
| 164 | 164 |
photon_linux=vmlinuz-%{uname_r}
|
| 165 | 165 |
photon_initrd=initrd.img-%{uname_r}
|
| 166 | 166 |
EOF |
| ... | ... |
@@ -222,6 +222,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 222 | 222 |
/usr/src/linux-headers-%{uname_r}
|
| 223 | 223 |
|
| 224 | 224 |
%changelog |
| 225 |
+* Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 4.14.8-2 |
|
| 226 |
+- Extra hardening: slab_nomerge and some .config changes |
|
| 225 | 227 |
* Fri Feb 16 2018 Alexey Makhalov <amakhalov@vmware.com> 4.14.8-1 |
| 226 | 228 |
- Version update to v4.14 LTS. Drop aufs support. |
| 227 | 229 |
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1 |