67f2df3b82
Introduce CONFIG_SLAB_BUCKETS which provides the infrastructure to support separated kmalloc buckets (in the following kmem_buckets_create() patches and future codetag-based separation). Since this will provide a mitigation for a very common case of exploits, it is recommended to enable this feature for general purpose distros. By default, the new Kconfig will be enabled if CONFIG_SLAB_FREELIST_HARDENED is enabled (and it is added to the hardening.config Kconfig fragment). To be able to choose which buckets to allocate from, make the buckets available to the internal kmalloc interfaces by adding them as the second argument, rather than depending on the buckets being chosen from the fixed set of global buckets. Where the bucket is not available, pass NULL, which means "use the default system kmalloc bucket set" (the prior existing behavior), as implemented in kmalloc_slab(). To avoid adding the extra argument when !CONFIG_SLAB_BUCKETS, only the top-level macros and static inlines use the buckets argument (where they are stripped out and compiled out respectively). The actual extern functions can then be built without the argument, and the internals fall back to the global kmalloc buckets unconditionally. Co-developed-by: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
108 lines
3.1 KiB
Plaintext
108 lines
3.1 KiB
Plaintext
# Help: Basic kernel hardening options
|
|
#
|
|
# These are considered the basic kernel hardening, self-protection, and
|
|
# attack surface reduction options. They are expected to have low (or
|
|
# no) performance impact on most workloads, and have a reasonable level
|
|
# of legacy API removals.
|
|
|
|
# Make sure reporting of various hardening actions is possible.
|
|
CONFIG_BUG=y
|
|
|
|
# Basic kernel memory permission enforcement.
|
|
CONFIG_STRICT_KERNEL_RWX=y
|
|
CONFIG_STRICT_MODULE_RWX=y
|
|
CONFIG_VMAP_STACK=y
|
|
|
|
# Kernel image and memory ASLR.
|
|
CONFIG_RANDOMIZE_BASE=y
|
|
CONFIG_RANDOMIZE_MEMORY=y
|
|
|
|
# Randomize allocator freelists, harden metadata.
|
|
CONFIG_SLAB_FREELIST_RANDOM=y
|
|
CONFIG_SLAB_FREELIST_HARDENED=y
|
|
CONFIG_SLAB_BUCKETS=y
|
|
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
|
|
CONFIG_RANDOM_KMALLOC_CACHES=y
|
|
|
|
# Sanity check userspace page table mappings.
|
|
CONFIG_PAGE_TABLE_CHECK=y
|
|
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
|
|
|
|
# Randomize kernel stack offset on syscall entry.
|
|
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
|
|
|
|
# Basic stack frame overflow protection.
|
|
CONFIG_STACKPROTECTOR=y
|
|
CONFIG_STACKPROTECTOR_STRONG=y
|
|
|
|
# Basic buffer length bounds checking.
|
|
CONFIG_HARDENED_USERCOPY=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
|
|
# Basic array index bounds checking.
|
|
CONFIG_UBSAN=y
|
|
CONFIG_UBSAN_TRAP=y
|
|
CONFIG_UBSAN_BOUNDS=y
|
|
# CONFIG_UBSAN_SHIFT is not set
|
|
# CONFIG_UBSAN_DIV_ZERO is not set
|
|
# CONFIG_UBSAN_UNREACHABLE is not set
|
|
# CONFIG_UBSAN_SIGNED_WRAP is not set
|
|
# CONFIG_UBSAN_BOOL is not set
|
|
# CONFIG_UBSAN_ENUM is not set
|
|
# CONFIG_UBSAN_ALIGNMENT is not set
|
|
|
|
# Sampling-based heap out-of-bounds and use-after-free detection.
|
|
CONFIG_KFENCE=y
|
|
|
|
# Linked list integrity checking.
|
|
CONFIG_LIST_HARDENED=y
|
|
|
|
# Initialize all heap variables to zero on allocation.
|
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
|
|
|
# Initialize all stack variables to zero on function entry.
|
|
CONFIG_INIT_STACK_ALL_ZERO=y
|
|
|
|
# Wipe RAM at reboot via EFI. For more details, see:
|
|
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
|
|
CONFIG_RESET_ATTACK_MITIGATION=y
|
|
|
|
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
|
|
CONFIG_EFI_DISABLE_PCI_DMA=y
|
|
|
|
# Force IOMMU TLB invalidation so devices will never be able to access stale
|
|
# data content.
|
|
CONFIG_IOMMU_SUPPORT=y
|
|
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
|
|
|
|
# Do not allow direct physical memory access to non-device memory.
|
|
CONFIG_STRICT_DEVMEM=y
|
|
CONFIG_IO_STRICT_DEVMEM=y
|
|
|
|
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
|
|
CONFIG_SECCOMP=y
|
|
CONFIG_SECCOMP_FILTER=y
|
|
|
|
# Provides some protections against SYN flooding.
|
|
CONFIG_SYN_COOKIES=y
|
|
|
|
# Enable Kernel Control Flow Integrity (currently Clang only).
|
|
CONFIG_CFI_CLANG=y
|
|
# CONFIG_CFI_PERMISSIVE is not set
|
|
|
|
# Attack surface reduction: do not autoload TTY line disciplines.
|
|
# CONFIG_LDISC_AUTOLOAD is not set
|
|
|
|
# Dangerous; enabling this disables userspace brk ASLR.
|
|
# CONFIG_COMPAT_BRK is not set
|
|
|
|
# Dangerous; exposes kernel text image layout.
|
|
# CONFIG_PROC_KCORE is not set
|
|
|
|
# Dangerous; enabling this disables userspace VDSO ASLR.
|
|
# CONFIG_COMPAT_VDSO is not set
|
|
|
|
# Attack surface reduction: Use the modern PTY interface (devpts) only.
|
|
# CONFIG_LEGACY_PTYS is not set
|