linux: Enable HARDENED_USERCOPY

Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel
Self Protection Project][4]. Originally [reported to have no noticeable
performance impact][5].

[1]: 66d72ee54a/trunk/config (L10252)
[2]: 07731f5956/debian/config/config (L7710)
[3]: 6d6ad72f0c/f/kernel-x86_64-fedora.config (_2202)
[4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[5]: https://lwn.net/Articles/695991/
This commit is contained in:
Andrew Marshall 2022-08-27 11:40:23 -04:00
parent ff346a442d
commit 7c49efdd2a

View File

@ -481,6 +481,7 @@ let
DEBUG_LIST = yes; DEBUG_LIST = yes;
# Detect writes to read-only module pages # Detect writes to read-only module pages
DEBUG_SET_MODULE_RONX = whenOlder "4.11" (option yes); DEBUG_SET_MODULE_RONX = whenOlder "4.11" (option yes);
HARDENED_USERCOPY = yes;
RANDOMIZE_BASE = option yes; RANDOMIZE_BASE = option yes;
STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
IO_STRICT_DEVMEM = mkDefault yes; IO_STRICT_DEVMEM = mkDefault yes;