15 lines
No EOL
468 B
Text
15 lines
No EOL
468 B
Text
# This is the equivalent of booting with lockdown=integrity
|
|
CONFIG_SECURITY=y
|
|
CONFIG_SECURITYFS=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
|
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
|
|
|
|
# These are some general, reasonably inexpensive hardening options
|
|
CONFIG_HARDENED_USERCOPY=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
|
|
|
# UBSAN bounds checking is very cheap and good for hardening
|
|
CONFIG_UBSAN=y
|
|
# CONFIG_UBSAN_MISC is not set |