sys-kernel/coreos-modules: Enable some kernel hardening features

SLAB_FREELIST_RANDOM: Randomize slab allocator freelist order, c7ce4f60ac199fb3521c5fcd64da21cee801ec2b IO_STRICT_DEVMEM: Disallow access to /dev/mem regions that are bound to a kernel driver, 90a545e981267e917b9d698ce07affd69787db87 HARDENED_USERCOPY: Add more address range checks to copy_{from,to}_user(), f5509cc18daa7f82bcc553be70df2117c8eedc16
2025-08-22 15:01:00 +02:00 · 2017-05-04 14:18:11 -07:00 · 2017-05-04 14:18:11 -07:00 · ee1709b256
commit ee1709b256
parent e0b7a7a5f1
3 changed files with 3 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0-r1.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0-r1.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.11
@ -815,12 +815,15 @@ CONFIG_LATENCYTOP=y
 CONFIG_KPROBE_EVENTS=y
 CONFIG_BPF_EVENTS=y
 CONFIG_MEMTEST=y
+CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_STRICT_DEVMEM=y
+CONFIG_IO_STRICT_DEVMEM=y
 CONFIG_TRUSTED_KEYS=m
 CONFIG_ENCRYPTED_KEYS=m
 CONFIG_SECURITY=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
+CONFIG_HARDENED_USERCOPY=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_IMA=y