features/security: add configs to harden protection

Add a feature that enables/disables configurations that impact kernel security with an aim of decreasing the attack surface. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>

features/security: add configs to harden protection
Add a feature that enables/disables configurations that impact kernel security with an aim of decreasing the attack surface. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
4f95b5be · Anuj Mittal · Bruce Ashfield · dfe39fad · 4f95b5be · 4f95b5be
Commit 4f95b5be authored 6 years ago by Anuj Mittal Committed by Bruce Ashfield 6 years ago
--- a/features/security/security.cfg
+++ b/features/security/security.cfg
+# Protect against ioctl buffer overflows
+CONFIG_HARDENED_USERCOPY=y
+# Check for memory copies that might overflow a structure in str*() and mem*()
+# functions both at build-time and run-time
+CONFIG_FORTIFY_SOURCE=y
+# Harden the slab free list with randomization
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+# Stack Protector is for buffer overflow detection and hardening
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# Perform extensive checks on reference counting
+CONFIG_REFCOUNT_FULL=y
+# Disable to ensure random heap placement to make exploits harder
+# CONFIG_COMPAT_BRK is not set
+# Disable; exposes kernel text image layout
+# CONFIG_PROC_KCORE is not set
+# Increases the low-level kernel attack surface. Disable it instead.
+# Removes the modify_ldt system call.
+CONFIG_EXPERT=y
+CONFIG_MODIFY_LDT_SYSCALL=n
+# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
+CONFIG_LEGACY_VSYSCALL_NONE=y
+# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
+# CONFIG_INET_DIAG is not set
+# Do not allow direct physical memory access (enable only STRICT mode...)
+# CONFIG_DEVMEM is not set
+CONFIG_STRICT_DEVMEM=y
+CONFIG_IO_STRICT_DEVMEM=y
+# Perform additional validation of various commonly targeted structures
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_CREDENTIALS=y
--- a/features/security/security.scc
+++ b/features/security/security.scc
+define KFEATURE_DESCRIPTION "Enable/disable configurations that impact kernel security"
+define KFEATURE_COMPATIBILITY all
+kconf non-hardware security.cfg