mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-16 05:26:07 +00:00
7fcb91d94e
kernel/configs/hardening.config turns on UBSAN for the bounds sanitizer,
as that in combination with trapping can stop the exploitation of buffer
overflows within the kernel. At the same time, hardening.config turns
off every other UBSAN sanitizer because trapping means all UBSAN reports
will be fatal and the problems brought up by other sanitizers generally
do not have security implications.
The signed integer overflow sanitizer was recently added back to the
kernel and it is default on with just CONFIG_UBSAN=y, meaning that it
gets enabled when merging hardening.config into another configuration.
While this sanitizer does have security implications like the array
bounds sanitizer, work to clean up enough instances to allow this to run
in production environments is still ramping up, which means regular
users and testers may be broken by these instances with
CONFIG_UBSAN_TRAP=y. Disable CONFIG_UBSAN_SIGNED_WRAP in
hardening.config to avoid this situation.
Fixes: 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240411-fix-ubsan-in-hardening-config-v1-2-e0177c80ffaa@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
99 lines
2.9 KiB
Plaintext
99 lines
2.9 KiB
Plaintext
# Help: Basic kernel hardening options
|
|
#
|
|
# These are considered the basic kernel hardening, self-protection, and
|
|
# attack surface reduction options. They are expected to have low (or
|
|
# no) performance impact on most workloads, and have a reasonable level
|
|
# of legacy API removals.
|
|
|
|
# Make sure reporting of various hardening actions is possible.
|
|
CONFIG_BUG=y
|
|
|
|
# Basic kernel memory permission enforcement.
|
|
CONFIG_STRICT_KERNEL_RWX=y
|
|
CONFIG_STRICT_MODULE_RWX=y
|
|
CONFIG_VMAP_STACK=y
|
|
|
|
# Kernel image and memory ASLR.
|
|
CONFIG_RANDOMIZE_BASE=y
|
|
CONFIG_RANDOMIZE_MEMORY=y
|
|
|
|
# Randomize allocator freelists, harden metadata.
|
|
CONFIG_SLAB_FREELIST_RANDOM=y
|
|
CONFIG_SLAB_FREELIST_HARDENED=y
|
|
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
|
|
CONFIG_RANDOM_KMALLOC_CACHES=y
|
|
|
|
# Randomize kernel stack offset on syscall entry.
|
|
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
|
|
|
|
# Basic stack frame overflow protection.
|
|
CONFIG_STACKPROTECTOR=y
|
|
CONFIG_STACKPROTECTOR_STRONG=y
|
|
|
|
# Basic buffer length bounds checking.
|
|
CONFIG_HARDENED_USERCOPY=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
|
|
# Basic array index bounds checking.
|
|
CONFIG_UBSAN=y
|
|
CONFIG_UBSAN_TRAP=y
|
|
CONFIG_UBSAN_BOUNDS=y
|
|
# CONFIG_UBSAN_SHIFT is not set
|
|
# CONFIG_UBSAN_DIV_ZERO is not set
|
|
# CONFIG_UBSAN_UNREACHABLE is not set
|
|
# CONFIG_UBSAN_SIGNED_WRAP is not set
|
|
# CONFIG_UBSAN_BOOL is not set
|
|
# CONFIG_UBSAN_ENUM is not set
|
|
# CONFIG_UBSAN_ALIGNMENT is not set
|
|
|
|
# Sampling-based heap out-of-bounds and use-after-free detection.
|
|
CONFIG_KFENCE=y
|
|
|
|
# Linked list integrity checking.
|
|
CONFIG_LIST_HARDENED=y
|
|
|
|
# Initialize all heap variables to zero on allocation.
|
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
|
|
|
# Initialize all stack variables to zero on function entry.
|
|
CONFIG_INIT_STACK_ALL_ZERO=y
|
|
|
|
# Wipe RAM at reboot via EFI. For more details, see:
|
|
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
|
|
CONFIG_RESET_ATTACK_MITIGATION=y
|
|
|
|
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
|
|
CONFIG_EFI_DISABLE_PCI_DMA=y
|
|
|
|
# Force IOMMU TLB invalidation so devices will never be able to access stale
|
|
# data content.
|
|
CONFIG_IOMMU_SUPPORT=y
|
|
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
|
|
|
|
# Do not allow direct physical memory access to non-device memory.
|
|
CONFIG_STRICT_DEVMEM=y
|
|
CONFIG_IO_STRICT_DEVMEM=y
|
|
|
|
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
|
|
CONFIG_SECCOMP=y
|
|
CONFIG_SECCOMP_FILTER=y
|
|
|
|
# Provides some protections against SYN flooding.
|
|
CONFIG_SYN_COOKIES=y
|
|
|
|
# Attack surface reduction: do not autoload TTY line disciplines.
|
|
# CONFIG_LDISC_AUTOLOAD is not set
|
|
|
|
# Dangerous; enabling this disables userspace brk ASLR.
|
|
# CONFIG_COMPAT_BRK is not set
|
|
|
|
# Dangerous; exposes kernel text image layout.
|
|
# CONFIG_PROC_KCORE is not set
|
|
|
|
# Dangerous; enabling this disables userspace VDSO ASLR.
|
|
# CONFIG_COMPAT_VDSO is not set
|
|
|
|
# Attack surface reduction: Use the modern PTY interface (devpts) only.
|
|
# CONFIG_LEGACY_PTYS is not set
|