From ee1709b256b2562642334da8cc41478d5bd9f346 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Thu, 4 May 2017 14:18:11 -0700
Subject: [PATCH] sys-kernel/coreos-modules: Enable some kernel hardening features

SLAB_FREELIST_RANDOM: Randomize slab allocator freelist order, c7ce4f60ac199fb3521c5fcd64da21cee801ec2b
IO_STRICT_DEVMEM: Disallow access to /dev/mem regions that are bound to a kernel driver, 90a545e981267e917b9d698ce07affd69787db87
HARDENED_USERCOPY: Add more address range checks to copy_{from,to}_user(), f5509cc18daa7f82bcc553be70df2117c8eedc16
---
 ...eos-kernel-4.11.0.ebuild => coreos-kernel-4.11.0-r1.ebuild} | 0
 ...s-modules-4.11.0.ebuild => coreos-modules-4.11.0-r1.ebuild} | 0
 .../sys-kernel/coreos-modules/files/commonconfig-4.11 | 3 +++
 3 files changed, 3 insertions(+)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.11.0.ebuild => coreos-kernel-4.11.0-r1.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.11.0.ebuild => coreos-modules-4.11.0-r1.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0-r1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0-r1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
index a2a0bec2b0..b5dde6d944 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
@@ -815,12 +815,15 @@ CONFIG_LATENCYTOP=y
 CONFIG_KPROBE_EVENTS=y
 CONFIG_BPF_EVENTS=y
 CONFIG_MEMTEST=y
+CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_STRICT_DEVMEM=y
+CONFIG_IO_STRICT_DEVMEM=y
 CONFIG_TRUSTED_KEYS=m
 CONFIG_ENCRYPTED_KEYS=m
 CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
+CONFIG_HARDENED_USERCOPY=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_IMA=y
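Review bot: Nothing in this change confirms that the three added lines survive config resolution: `CONFIG_SLAB_FREELIST_RANDOM=y`, `CONFIG_IO_STRICT_DEVMEM=y` and `CONFIG_HARDENED_USERCOPY=y` each sit behind Kconfig dependencies, and a fragment entry whose dependencies are unmet is typically dropped without a build failure. The generated `.config` should be checked for all three symbols on every architecture that consumes commonconfig-4.11 (the file name suggests it is shared). `CONFIG_IO_STRICT_DEVMEM=y` is also a userspace-visible change, since root tools that map driver-claimed MMIO through /dev/mem will start failing. If the fragment format accepts comment lines, record the upstream override next to the option, e.g. `# refuses /dev/mem access to driver-claimed MMIO; boot with iomem=relaxed to restore the old behaviour`. With `CONFIG_HARDENED_USERCOPY=y`, a failed bounds check is expected to end in a kernel BUG rather than an error return on this kernel series, so out-of-tree modules are worth exercising on the -r1 image before release.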