[linux-yocto] [PATCH 1/1] features/security: add configs to harden protection

Anuj Mittal anuj.mittal at intel.com
Mon Aug 13 20:31:45 PDT 2018


Add a feature that enables/disables configurations that impact kernel
security with an aim of decreasing the attack surface.

Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
---
 features/security/security.cfg | 48 ++++++++++++++++++++++++++++++++++
 features/security/security.scc |  4 +++
 2 files changed, 52 insertions(+)
 create mode 100644 features/security/security.cfg
 create mode 100644 features/security/security.scc

diff --git a/features/security/security.cfg b/features/security/security.cfg
new file mode 100644
index 00000000..efcbe056
--- /dev/null
+++ b/features/security/security.cfg
@@ -0,0 +1,48 @@
+# Protect against ioctl buffer overflows
+CONFIG_HARDENED_USERCOPY=y
+
+# Check for memory copies that might overflow a structure in str*() and mem*()
+# functions both at build-time and run-time
+CONFIG_FORTIFY_SOURCE=y
+
+# Harden the slab free list with randomization
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+
+# Stack Protector is for buffer overflow detection and hardening
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+
+# Perform extensive checks on reference counting
+CONFIG_REFCOUNT_FULL=y
+
+# Disable to ensure random heap placement to make exploits harder
+# CONFIG_COMPAT_BRK is not set
+
+# Disable; exposes kernel text image layout
+# CONFIG_PROC_KCORE is not set
+
+# Increases the low-level kernel attack surface. Disable it instead.
+# Removes the modify_ldt system call.
+CONFIG_EXPERT=y
+CONFIG_MODIFY_LDT_SYSCALL=n
+
+# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
+CONFIG_LEGACY_VSYSCALL_NONE=y
+
+# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
+# CONFIG_INET_DIAG is not set
+
+# Do not allow direct physical memory access (enable only STRICT mode...)
+# CONFIG_DEVMEM is not set
+CONFIG_STRICT_DEVMEM=y
+CONFIG_IO_STRICT_DEVMEM=y
+
+# Perform additional validation of various commonly targeted structures
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_CREDENTIALS=y
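Review bot: The /dev/mem block (lines `# CONFIG_DEVMEM is not set`, `CONFIG_STRICT_DEVMEM=y`, `CONFIG_IO_STRICT_DEVMEM=y`) asks for two incompatible states: as far as I recall STRICT_DEVMEM depends on DEVMEM (and IO_STRICT_DEVMEM on STRICT_DEVMEM), so with DEVMEM disabled both STRICT options are dropped at merge time and the kernel-yocto config audit is likely to report them as unmet, while the comment "enable only STRICT mode" suggests the author wanted the device kept but filtered. Settle on one intent, either `CONFIG_DEVMEM=y` plus the two STRICT lines, or `# CONFIG_DEVMEM is not set` alone with the STRICT lines removed, and reword the comment to match. Two smaller points in the same hunk: `CONFIG_MODIFY_LDT_SYSCALL=n` is the only option disabled with `=n` while every other disabled option uses the `# CONFIG_... is not set` form that a merged .config actually contains, and `CONFIG_CC_STACKPROTECTOR_REGULAR=y` picks the weaker variant where `CONFIG_CC_STACKPROTECTOR_STRONG=y` instruments many more functions for a modest size cost. The comment above `CONFIG_EXPERT=y` should also state that EXPERT is set only because MODIFY_LDT_SYSCALL is not selectable without it, since enabling EXPERT changes the visibility and defaults of many unrelated options and a reader of this fragment will otherwise wonder why a hardening feature turns it on.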
diff --git a/features/security/security.scc b/features/security/security.scc
new file mode 100644
index 00000000..0864eb7d
--- /dev/null
+++ b/features/security/security.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations that impact kernel security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware security.cfg
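Review bot: `define KFEATURE_COMPATIBILITY all` overstates what security.cfg supports, because several of its option names are tied to a kernel series: CONFIG_REFCOUNT_FULL only exists on newer kernels, and the CONFIG_CC_STACKPROTECTOR* symbols were renamed to CONFIG_STACKPROTECTOR* around v4.18, so on older or newer trees some lines silently become no-ops and the feature provides less protection than its description claims. Either narrow the compatibility to the kernel versions the fragment was written against, or add a comment in the .scc noting that the fragment must be revalidated against the configuration audit output when the kernel version changes, e.g. `# cfg option names track a specific kernel series; recheck audit warnings on version bumps`.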
-- 
2.17.1


