mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2026-04-12 03:04:21 -04:00
87caef4220
Pull hardening updates from Kees Cook:
"The bulk of the changes here are related to refactoring and expanding
the KUnit tests for string helper and fortify behavior.
Some trivial strncpy replacements in fs/ were carried in my tree. Also
some fixes to SCSI string handling were carried in my tree since the
helper for those was introduce here. Beyond that, just little fixes
all around: objtool getting confused about LKDTM+KCFI, preparing for
future refactors (constification of sysctl tables, additional
__counted_by annotations), a Clang UBSAN+i386 crash fix, and adding
more options in the hardening.config Kconfig fragment.
Summary:
- selftests: Add str*cmp tests (Ivan Orlov)
- __counted_by: provide UAPI for _le/_be variants (Erick Archer)
- Various strncpy deprecation refactors (Justin Stitt)
- stackleak: Use a copy of soon-to-be-const sysctl table (Thomas
Weißschuh)
- UBSAN: Work around i386 -regparm=3 bug with Clang prior to
version 19
- Provide helper to deal with non-NUL-terminated string copying
- SCSI: Fix older string copying bugs (with new helper)
- selftests: Consolidate string helper behavioral tests
- selftests: add memcpy() fortify tests
- string: Add additional __realloc_size() annotations for "dup"
helpers
- LKDTM: Fix KCFI+rodata+objtool confusion
- hardening.config: Enable KCFI"
* tag 'hardening-6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (29 commits)
uapi: stddef.h: Provide UAPI macros for __counted_by_{le, be}
stackleak: Use a copy of the ctl_table argument
string: Add additional __realloc_size() annotations for "dup" helpers
kunit/fortify: Fix replaced failure path to unbreak __alloc_size
hardening: Enable KCFI and some other options
lkdtm: Disable CFI checking for perms functions
kunit/fortify: Add memcpy() tests
kunit/fortify: Do not spam logs with fortify WARNs
kunit/fortify: Rename tests to use recommended conventions
init: replace deprecated strncpy with strscpy_pad
kunit/fortify: Fix mismatched kvalloc()/vfree() usage
scsi: qla2xxx: Avoid possible run-time warning with long model_num
scsi: mpi3mr: Avoid possible run-time warning with long manufacturer strings
scsi: mptfusion: Avoid possible run-time warning with long manufacturer strings
fs: ecryptfs: replace deprecated strncpy with strscpy
hfsplus: refactor copy_name to not use strncpy
reiserfs: replace deprecated strncpy with scnprintf
virt: acrn: replace deprecated strncpy with strscpy
ubsan: Avoid i386 UBSAN handler crashes with Clang
ubsan: Remove 1-element array usage in debug reporting
...
107 lines
3.1 KiB
Plaintext
107 lines
3.1 KiB
Plaintext
# Help: Basic kernel hardening options
|
|
#
|
|
# These are considered the basic kernel hardening, self-protection, and
|
|
# attack surface reduction options. They are expected to have low (or
|
|
# no) performance impact on most workloads, and have a reasonable level
|
|
# of legacy API removals.
|
|
|
|
# Make sure reporting of various hardening actions is possible.
|
|
CONFIG_BUG=y
|
|
|
|
# Basic kernel memory permission enforcement.
|
|
CONFIG_STRICT_KERNEL_RWX=y
|
|
CONFIG_STRICT_MODULE_RWX=y
|
|
CONFIG_VMAP_STACK=y
|
|
|
|
# Kernel image and memory ASLR.
|
|
CONFIG_RANDOMIZE_BASE=y
|
|
CONFIG_RANDOMIZE_MEMORY=y
|
|
|
|
# Randomize allocator freelists, harden metadata.
|
|
CONFIG_SLAB_FREELIST_RANDOM=y
|
|
CONFIG_SLAB_FREELIST_HARDENED=y
|
|
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
|
|
CONFIG_RANDOM_KMALLOC_CACHES=y
|
|
|
|
# Sanity check userspace page table mappings.
|
|
CONFIG_PAGE_TABLE_CHECK=y
|
|
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
|
|
|
|
# Randomize kernel stack offset on syscall entry.
|
|
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
|
|
|
|
# Basic stack frame overflow protection.
|
|
CONFIG_STACKPROTECTOR=y
|
|
CONFIG_STACKPROTECTOR_STRONG=y
|
|
|
|
# Basic buffer length bounds checking.
|
|
CONFIG_HARDENED_USERCOPY=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
|
|
# Basic array index bounds checking.
|
|
CONFIG_UBSAN=y
|
|
CONFIG_UBSAN_TRAP=y
|
|
CONFIG_UBSAN_BOUNDS=y
|
|
# CONFIG_UBSAN_SHIFT is not set
|
|
# CONFIG_UBSAN_DIV_ZERO is not set
|
|
# CONFIG_UBSAN_UNREACHABLE is not set
|
|
# CONFIG_UBSAN_SIGNED_WRAP is not set
|
|
# CONFIG_UBSAN_BOOL is not set
|
|
# CONFIG_UBSAN_ENUM is not set
|
|
# CONFIG_UBSAN_ALIGNMENT is not set
|
|
|
|
# Sampling-based heap out-of-bounds and use-after-free detection.
|
|
CONFIG_KFENCE=y
|
|
|
|
# Linked list integrity checking.
|
|
CONFIG_LIST_HARDENED=y
|
|
|
|
# Initialize all heap variables to zero on allocation.
|
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
|
|
|
# Initialize all stack variables to zero on function entry.
|
|
CONFIG_INIT_STACK_ALL_ZERO=y
|
|
|
|
# Wipe RAM at reboot via EFI. For more details, see:
|
|
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
|
|
CONFIG_RESET_ATTACK_MITIGATION=y
|
|
|
|
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
|
|
CONFIG_EFI_DISABLE_PCI_DMA=y
|
|
|
|
# Force IOMMU TLB invalidation so devices will never be able to access stale
|
|
# data content.
|
|
CONFIG_IOMMU_SUPPORT=y
|
|
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
|
|
|
|
# Do not allow direct physical memory access to non-device memory.
|
|
CONFIG_STRICT_DEVMEM=y
|
|
CONFIG_IO_STRICT_DEVMEM=y
|
|
|
|
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
|
|
CONFIG_SECCOMP=y
|
|
CONFIG_SECCOMP_FILTER=y
|
|
|
|
# Provides some protections against SYN flooding.
|
|
CONFIG_SYN_COOKIES=y
|
|
|
|
# Enable Kernel Control Flow Integrity (currently Clang only).
|
|
CONFIG_CFI_CLANG=y
|
|
# CONFIG_CFI_PERMISSIVE is not set
|
|
|
|
# Attack surface reduction: do not autoload TTY line disciplines.
|
|
# CONFIG_LDISC_AUTOLOAD is not set
|
|
|
|
# Dangerous; enabling this disables userspace brk ASLR.
|
|
# CONFIG_COMPAT_BRK is not set
|
|
|
|
# Dangerous; exposes kernel text image layout.
|
|
# CONFIG_PROC_KCORE is not set
|
|
|
|
# Dangerous; enabling this disables userspace VDSO ASLR.
|
|
# CONFIG_COMPAT_VDSO is not set
|
|
|
|
# Attack surface reduction: Use the modern PTY interface (devpts) only.
|
|
# CONFIG_LEGACY_PTYS is not set
|