Hello,

attached is the current status of security relevant kernel configure flags and other settings. I post this to the mailing list to provide people with better knowledge the ability to comment on it.

The whole issue is filed under #11659, please refer to https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommende... for a list of recommended (= paranoid) settings.

(a) CONFIG flags that differ from recommended settings - CONFIG_DEBUG_WX is disabled on AARCH64 - CONFIG_CC_STACKPROTECTOR_STRONG is unset on i586 PAE in favour of CONFIG_CC_STACKPROTECTOR_REGULAR - CONFIG_DEVMEM is enabled on all architectures (!) - CONFIG_IO_STRICT_DEVMEM is disabled on all architectures (!) - CONFIG_DEBUG_CREDENTIALS is disabled on all architectures - CONFIG_DEBUG_NOTIFIERS is disabled on all architectures - CONFIG_DEBUG_SG is disabled on all architectures - CONFIG_BUG_ON_DATA_CORRUPTION is disabled on all architectures - CONFIG_SCHED_STACK_END_CHECK is disabled on all architectures - CONFIG_SECURITY_YAMA is disabled on AARCH64 and i586 PAE (!) - CONFIG_HARDENED_USERCOPY is disabled on AARCH64 and ARM - CONFIG_SLUB_DEBUG is disabled on AARCH64 and i586 PAE - CONFIG_PAGE_POISONING is disabled on all architectures except i586 PAE (!) - CONFIG_PAGE_POISONING_NO_SANITY is disabled on all architectures - CONFIG_PAGE_POISONING_ZERO is enabled on i586 PAE only (!) - CONFIG_FORTIFY_SOURCE is disabled on AARCH64 - CONFIG_ACPI_CUSTOM_METHOD is enabled on all except ARM and AARCH64 - CONFIG_INET_DIAG is enabled on all architecture - CONFIG_BINFMT_MISC is enabled on all architecture

Some flags have been omitted for the first time going through this on 4.14.x . They will be included as soon as the differences above are fixed or cleared.

(b) GCC plugins flags that differ from recommended settings - CONFIG_GCC_PLUGIN_RANDSTRUCT is disabled on all architectures

(c) Kernel command line options that differ from recommended settings - slub_debug=P is missing - page_poison=1 is missing - slab_nomerge is missing - pti=on is missing

(d) sysctls that differ from recommended settings - user.max_user_namespaces is 15345 (recommended: 0) - kernel.kexec_load_disabled is not found (recommended: 1) -> TBD, patch - kernel.yama.ptrace_scope is not found (recommended: 1) - net.core.bpf_jit_harden is 0 (recommended: 2) - kernel.unprivileged_bpf_disabled is not found (recommended: 1)

Is there any reason why some of these points have to stay this way (compatibility issues, hardware bugs, ...)? If yes, drop me a line. Otherwise I will change them step by step, merging everything in IPFire 3.x if this is finished.

Thanks, and best regards, Peter Müller