kernel: enable ASLR and SSP

It does not make too much sense to protect the userspace with PIE+ASLR
and SSP but leave the kernel alone...
Xi Ruoyao 2022-09-11 12:05:21 +08:00
parent a710d35e1f
commit e5aa02fe17
GPG Key ID: ACAAD20E19E710E3


@ -105,9 +105,15 @@
<para>Be sure to enable/disable/set the following features or the system might
not work correctly or boot at all:</para>
<screen role="nodump" revision="sysv">General setup -->
<screen role="nodump" revision="sysv">Processor type and features ---&gt;
[*] Build a relocatable kernel [CONFIG_RELOCATABLE]
[*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
General setup ---&gt;
[ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
&lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
General architecture-dependent options ---&gt;
[*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
[*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
Device Drivers ---&gt;
Graphics support ---&gt;
Frame buffer Devices ---&gt;
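Review bot: the two new entries under `Processor type and features` are a dependency pair, since CONFIG_RANDOMIZE_BASE is only selectable once CONFIG_RELOCATABLE is set, but the listing gives no hint of that; a reader who only wants KASLR may drop the relocatable entry and then not find the KASLR one. The rationale list (later hunk) should say that CONFIG_RELOCATABLE is there because KASLR requires it. Style: the replaced `General setup -->` line used a two-dash arrow while every other menu in the listing uses `---&gt;`; the new lines are consistent with the latter, which is the right choice.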
@ -117,7 +123,10 @@ Device Drivers ---&gt;
[*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
[*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
<screen role="nodump" revision="systemd">General setup -->
<screen role="nodump" revision="systemd">Processor type and features ---&gt;
[*] Build a relocatable kernel [CONFIG_RELOCATABLE]
[*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
General setup ---&gt;
[ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
[ ] Auditing Support [CONFIG_AUDIT]
CPU/Task time and stats accounting ---&gt;
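Review bot: this repeats the same four new lines as the sysv listing above for the `revision="systemd"` screen; that is expected given the per-revision `<screen>` blocks, but the two listings must be kept identical in content and order for the shared entries (relocatable kernel, KASLR, stack protector), so a later edit that touches only one revision should be treated as a defect in review.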
@ -130,6 +139,8 @@ Device Drivers ---&gt;
[*] open by fhandle syscalls [CONFIG_FHANDLE]
General architecture-dependent options ---&gt;
[*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
[*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
[*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
Networking support ---&gt;
Networking options ---&gt;
&lt;*&gt; The IPv6 protocol [CONFIG_IPV6]
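Review bot: CONFIG_STACKPROTECTOR_STRONG is only offered by the configuration menu when CONFIG_STACKPROTECTOR is set and the compiler accepts `-fstack-protector-strong`; with an unsupported toolchain the entry is silently absent rather than failing, so a reader can follow this listing and still end up without it. The rationale entry for `Strong Stack Protector` (last hunk) should tell readers to confirm `CONFIG_STACKPROTECTOR_STRONG=y` appears in the resulting `.config` before building.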
@ -188,6 +199,14 @@ Device Drivers ---&gt;
<variablelist>
<title>The rationale for the above configuration items:</title>
<varlistentry>
<term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
<listitem>
<para>Enable ASLR for kernel image, to mitigate some attacks based
on fixed addresses of sensitive data or code in the kernel.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<parameter>
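Review bot: the new rationale entry explains KASLR but not CONFIG_RELOCATABLE, which the menu hunks add alongside it; since KASLR cannot be enabled without a relocatable kernel, the paragraph should mention that (for example "Enable ASLR for the kernel image; this needs a relocatable kernel, hence the entry above it"). Minor grammar in the same sentence: "Enable ASLR for kernel image" should read "for the kernel image". It would also help readers to state that the mitigation only applies to attacks that rely on the kernel being loaded at a fixed address, which is what the current "some attacks based on fixed addresses" is getting at.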
@ -213,6 +232,16 @@ Device Drivers ---&gt;
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>Strong Stack Protector</parameter></term>
<listitem>
<para>Enable SSP for the kernel. We've enabled it for the entire
userspace with <parameter>--enable-default-ssp</parameter>
configuring GCC, but the kernel does not use GCC default setting
for SSP. We enable it explicitly here.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>Support for uevent helper</parameter></term>
<listitem>
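Review bot: the rationale text needs a grammar pass: "with <parameter>--enable-default-ssp</parameter> configuring GCC" should read "by passing <parameter>--enable-default-ssp</parameter> when configuring GCC", and "the kernel does not use GCC default setting for SSP" should read "the kernel does not use GCC's default setting for SSP". The term names only `Strong Stack Protector`, yet the menu hunks set both CONFIG_STACKPROTECTOR and CONFIG_STACKPROTECTOR_STRONG; say that the strong variant builds on the basic one so both are needed, and point readers at checking the resulting `.config` for CONFIG_STACKPROTECTOR_STRONG=y, since the menu hides the entry when the compiler lacks support.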