1. Disable slab merging (makes many heap overflow attacks more difficult)
2. Disable /proc/kcore exposure
3. Perform additional validation of various commonly targeted structures
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_SG=y
Change-Id: I8c3b93623aba1de0a51f9c996495c64ae6c10d0a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4907
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
@@ -4109,7 +4109,7 @@ CONFIG_FAT_DEFAULT_IOCHARSET="ascii" |
4109 | 4109 |
# Pseudo filesystems |
4110 | 4110 |
# |
4111 | 4111 |
CONFIG_PROC_FS=y |
4112 |
-CONFIG_PROC_KCORE=y |
|
4112 |
+# CONFIG_PROC_KCORE is not set |
|
4113 | 4113 |
CONFIG_PROC_VMCORE=y |
4114 | 4114 |
CONFIG_PROC_SYSCTL=y |
4115 | 4115 |
CONFIG_PROC_PAGE_MONITOR=y |
@@ -4379,7 +4379,7 @@ CONFIG_PANIC_TIMEOUT=0 |
4379 | 4379 |
CONFIG_SCHED_DEBUG=y |
4380 | 4380 |
CONFIG_SCHED_INFO=y |
4381 | 4381 |
CONFIG_SCHEDSTATS=y |
4382 |
-# CONFIG_SCHED_STACK_END_CHECK is not set |
|
4382 |
+CONFIG_SCHED_STACK_END_CHECK=y |
|
4383 | 4383 |
# CONFIG_DEBUG_TIMEKEEPING is not set |
4384 | 4384 |
|
4385 | 4385 |
# |
@@ -4402,7 +4402,7 @@ CONFIG_STACKTRACE=y |
4402 | 4402 |
CONFIG_DEBUG_BUGVERBOSE=y |
4403 | 4403 |
CONFIG_DEBUG_LIST=y |
4404 | 4404 |
# CONFIG_DEBUG_PI_LIST is not set |
4405 |
-# CONFIG_DEBUG_SG is not set |
|
4405 |
+CONFIG_DEBUG_SG=y |
|
4406 | 4406 |
CONFIG_DEBUG_NOTIFIERS=y |
4407 | 4407 |
CONFIG_DEBUG_CREDENTIALS=y |
4408 | 4408 |
|
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.14.8 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
@@ -160,7 +160,7 @@ cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_ |
160 | 160 |
# because .ko files will be loaded from the memory (LoadPin: obj=<unknown>) |
161 | 161 |
cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" |
162 | 162 |
# GRUB Environment Block |
163 |
-photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 |
|
163 |
+photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge |
|
164 | 164 |
photon_linux=vmlinuz-%{uname_r} |
165 | 165 |
photon_initrd=initrd.img-%{uname_r} |
166 | 166 |
EOF |
@@ -222,6 +222,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
222 | 222 |
/usr/src/linux-headers-%{uname_r} |
223 | 223 |
|
224 | 224 |
%changelog |
225 |
+* Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 4.14.8-2 |
|
226 |
+- Extra hardening: slab_nomerge and some .config changes |
|
225 | 227 |
* Fri Feb 16 2018 Alexey Makhalov <amakhalov@vmware.com> 4.14.8-1 |
226 | 228 |
- Version update to v4.14 LTS. Drop aufs support. |
227 | 229 |
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1 |
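Review bot: The `slab_nomerge` mitigation added to photon_cmdline on line 163 of the spec is enforced only through the GRUB environment block written by the heredoc, so anything that regenerates /boot/linux-%{uname_r}.cfg or boots with a different command line silently drops the slab-merging hardening that the commit message lists first, while the other two hardening items in this commit are pinned in the kernel .config. Since this package builds 4.14.8 and the build-time default for slab merging was made configurable in v4.14, the same behaviour can be fixed in the .config with `# CONFIG_SLAB_MERGE_DEFAULT is not set`, with `slab_nomerge` kept on the command line as a second layer; confirm the option exists in this tree's Kconfig before relying on it. Either way the changelog entry on line 225 should name which of the two mechanisms is authoritative so a later cmdline edit does not undo it unnoticed.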