[linux-yocto] [PATCH 1/1] features/security: add configs to harden protection

Anuj Mittal anuj.mittal at intel.com
Mon Aug 13 20:31:45 PDT 2018

Add a feature that enables/disables configurations that impact kernel
security with an aim of decreasing the attack surface.

Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
 features/security/security.cfg | 48 ++++++++++++++++++++++++++++++++++
 features/security/security.scc |  4 +++
 2 files changed, 52 insertions(+)
 create mode 100644 features/security/security.cfg
 create mode 100644 features/security/security.scc

diff --git a/features/security/security.cfg b/features/security/security.cfg
new file mode 100644
index 00000000..efcbe056
--- /dev/null
+++ b/features/security/security.cfg
@@ -0,0 +1,48 @@
+# Protect against ioctl buffer overflows
+# Check for memory copies that might overflow a structure in str*() and mem*()
+# functions both at build-time and run-time
+# Harden the slab free list with randomization
+# Stack Protector is for buffer overflow detection and hardening
+# Perform extensive checks on reference counting
+# Disable to ensure random heap placement to make exploits harder
+# CONFIG_COMPAT_BRK is not set
+# Disable; exposes kernel text image layout
+# CONFIG_PROC_KCORE is not set
+# Increases the low-level kernel attack surface. Disable it instead.
+# Removes the modify_ldt system call.
+# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
+# CONFIG_INET_DIAG is not set
+# Do not allow direct physical memory access (enable only STRICT mode...)
+# CONFIG_DEVMEM is not set
+# Perform additional validation of various commonly targeted structures
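
Review bot: the comment "Do not allow direct physical memory access (enable only STRICT mode...)" near the end of security.cfg does not match the setting under it. `# CONFIG_DEVMEM is not set` removes /dev/mem entirely, so there is no strict mode left to enable. Suggest rewording the comment to say that /dev/mem is removed, or, if the intent is to keep /dev/mem with strict checking, changing the setting to match. Separately, the "Prior to v4.1" comment above `# CONFIG_INET_DIAG is not set` should state whether the option still needs to be off on the kernel versions this fragment targets.
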
diff --git a/features/security/security.scc b/features/security/security.scc
new file mode 100644
index 00000000..0864eb7d
--- /dev/null
+++ b/features/security/security.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations that impact kernel security"
+kconf non-hardware security.cfg
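
Review bot: KFEATURE_DESCRIPTION in security.scc says only "Enable/disable configurations that impact kernel security", which does not tell someone including the feature that security.cfg switches off user-visible interfaces (/proc/kcore, /dev/mem, INET_DIAG, COMPAT_BRK). Suggest naming that trade-off in the description or in a short comment in the .scc, so that a build whose userspace depends on one of those interfaces does not lose it without notice.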

