Add a couple simple hardening options
This assumes that nobody needs to run software that really needs
CONFIG_MODIFY_LDT_SYSCALL.  Not tested, but should be rather
straightforward.
DemiMarie committed Oct 17, 2022
1 parent fb45fcb commit 2b7f102
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion config-qubes
@@ -31,7 +31,10 @@ CONFIG_GCC_PLUGINS=y
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
## XXX: What's about RANDSTRUCT?
## CONFIG_ZERO_CALL_USED_REGS=y requires too new a toolchain
# CONFIG_SLUB_DEBUG_ON is not set
## XXX: What's about RANDSTRUCT? Answer: not useful against attacks targeting
## Qubes, useful against generic attacks

## Those depend on CONFIG_EXPERT
CONFIG_ARCH_MMAP_RND_BITS=32
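Review bot: the added `# CONFIG_SLUB_DEBUG_ON is not set` line carries no note, unlike the neighbouring entries in this block, so a reader cannot tell whether it was deliberately left off (runtime cost of always-on SLUB debugging) or merely recorded; a `##` line above it stating the reason would match the file's own convention. The retained RANDSTRUCT note still reads "What's about RANDSTRUCT?"; "What about RANDSTRUCT?" is the intended wording, and now that the answer is recorded inline the `XXX:` marker no longer signals an open question and can go. For the CONFIG_ZERO_CALL_USED_REGS note, naming the minimum toolchain version would make it easy to revisit once the build environment catches up.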
@@ -40,6 +43,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
# CONFIG_KEXEC is not set

CONFIG_LEGACY_VSYSCALL_NONE=y
# CONFIG_MODIFY_LDT_SYSCALL is not set

# CONFIG_ACPI_CUSTOM_METHOD is not set

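Review bot: `# CONFIG_MODIFY_LDT_SYSCALL is not set` is added without a comment, while the commit message says the change is untested and rests on the assumption that nothing running in a Qubes VM needs modify_ldt; that assumption belongs in a `##` note next to the line so that anyone who later hits a breakage (software that installs its own LDT entries) finds the rationale in the file rather than in git history. Since the line sits in the block this file labels as depending on CONFIG_EXPERT, it would also be worth stating that the fragment was passed through `make olddefconfig` (or equivalent) to confirm the option is honoured rather than silently reset to its default.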

0 comments on commit 2b7f102