acer: Security options

Kolan Sh 2020-09-07 21:44:09 +03:00
parent 18826ff8a4
commit 3987d90fe6
1 changed files with 22 additions and 84 deletions


@ -137,7 +137,6 @@ CONFIG_RCU_NOCB_CPU=y
# CONFIG_TASKS_TRACE_RCU_READ_MB is not set # CONFIG_TASKS_TRACE_RCU_READ_MB is not set
# end of RCU Subsystem # end of RCU Subsystem
CONFIG_BUILD_BIN2C=y
CONFIG_IKCONFIG=y CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y CONFIG_IKCONFIG_PROC=y
# CONFIG_IKHEADERS is not set # CONFIG_IKHEADERS is not set
@ -763,7 +762,6 @@ CONFIG_GCC_PLUGINS=y
CONFIG_RT_MUTEXES=y CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0 CONFIG_BASE_SMALL=0
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULES=y CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set # CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODULE_UNLOAD=y CONFIG_MODULE_UNLOAD=y
@ -8969,7 +8967,6 @@ CONFIG_ND_BLK=m
CONFIG_ND_CLAIM=y CONFIG_ND_CLAIM=y
CONFIG_ND_BTT=m CONFIG_ND_BTT=m
CONFIG_BTT=y CONFIG_BTT=y
CONFIG_NVDIMM_KEYS=y
CONFIG_DAX_DRIVER=y CONFIG_DAX_DRIVER=y
CONFIG_DAX=y CONFIG_DAX=y
CONFIG_DEV_DAX=m CONFIG_DEV_DAX=m
@ -9257,96 +9254,39 @@ CONFIG_IO_WQ=y
# Security options # Security options
# #
CONFIG_KEYS=y CONFIG_KEYS=y
CONFIG_KEYS_REQUEST_CACHE=y # CONFIG_KEYS_REQUEST_CACHE is not set
CONFIG_PERSISTENT_KEYRINGS=y # CONFIG_PERSISTENT_KEYRINGS is not set
CONFIG_TRUSTED_KEYS=y # CONFIG_TRUSTED_KEYS is not set
CONFIG_ENCRYPTED_KEYS=y # CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEY_DH_OPERATIONS=y CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y CONFIG_SECURITY=y
CONFIG_SECURITYFS=y CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK=y
CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_PAGE_TABLE_ISOLATION is not set
CONFIG_SECURITY_INFINIBAND=y # CONFIG_SECURITY_INFINIBAND is not set
CONFIG_SECURITY_NETWORK_XFRM=y # CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_PATH=y CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y # CONFIG_INTEL_TXT is not set
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY is not set
CONFIG_HARDENED_USERCOPY_FALLBACK=y # CONFIG_FORTIFY_SOURCE is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
CONFIG_FORTIFY_SOURCE=y
# CONFIG_STATIC_USERMODEHELPER is not set # CONFIG_STATIC_USERMODEHELPER is not set
CONFIG_SECURITY_SELINUX=y # CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_SELINUX_BOOTPARAM=y # CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y # CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
CONFIG_SECURITY_SMACK=y
# CONFIG_SECURITY_SMACK_BRINGUP is not set
CONFIG_SECURITY_SMACK_NETFILTER=y
CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
# CONFIG_SECURITY_LOADPIN is not set # CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_YAMA is not set
CONFIG_SECURITY_SAFESETID=y # CONFIG_SECURITY_SAFESETID is not set
# CONFIG_SECURITY_LOCKDOWN_LSM is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set
CONFIG_INTEGRITY=y CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y # CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_LOAD_UEFI_KEYS=y
CONFIG_INTEGRITY_AUDIT=y CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y # CONFIG_IMA is not set
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_TEMPLATE is not set
CONFIG_IMA_NG_TEMPLATE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA1=y
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
CONFIG_IMA_DEFAULT_HASH="sha1"
# CONFIG_IMA_WRITE_POLICY is not set
# CONFIG_IMA_READ_POLICY is not set
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_TRUSTED_KEYRING=y
# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
CONFIG_EVM=y # CONFIG_EVM is not set
CONFIG_EVM_ATTR_FSUUID=y CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_EVM_EXTRA_SMACK_XATTRS=y
CONFIG_EVM_ADD_XATTRS=y
# CONFIG_EVM_LOAD_X509 is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_LSM="lockdown,yama,integrity,apparmor" CONFIG_LSM="lockdown,yama,integrity,apparmor"
# #
@ -9361,7 +9301,7 @@ CONFIG_INIT_STACK_NONE=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
# CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
# CONFIG_GCC_PLUGIN_STACKLEAK is not set # CONFIG_GCC_PLUGIN_STACKLEAK is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y # CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set # CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# end of Memory initialization # end of Memory initialization
# end of Kernel hardening options # end of Kernel hardening options
@ -9609,10 +9549,8 @@ CONFIG_CRYPTO_DEV_SAFEXCEL=m
# CONFIG_CRYPTO_DEV_AMLOGIC_GXL is not set # CONFIG_CRYPTO_DEV_AMLOGIC_GXL is not set
CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
CONFIG_X509_CERTIFICATE_PARSER=y CONFIG_X509_CERTIFICATE_PARSER=y
CONFIG_PKCS8_PRIVATE_KEY_PARSER=m CONFIG_PKCS8_PRIVATE_KEY_PARSER=m
CONFIG_TPM_KEY_PARSER=m
CONFIG_PKCS7_MESSAGE_PARSER=y CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_PKCS7_TEST_KEY=m CONFIG_PKCS7_TEST_KEY=m
CONFIG_SIGNED_PE_FILE_VERIFICATION=y CONFIG_SIGNED_PE_FILE_VERIFICATION=y
@ -9723,7 +9661,6 @@ CONFIG_LRU_CACHE=m
CONFIG_CLZ_TAB=y CONFIG_CLZ_TAB=y
CONFIG_IRQ_POLL=y CONFIG_IRQ_POLL=y
CONFIG_MPILIB=y CONFIG_MPILIB=y
CONFIG_SIGNATURE=y
CONFIG_DIMLIB=y CONFIG_DIMLIB=y
CONFIG_OID_REGISTRY=y CONFIG_OID_REGISTRY=y
CONFIG_UCS2_STRING=y CONFIG_UCS2_STRING=y
@ -9980,6 +9917,7 @@ CONFIG_TRACER_SNAPSHOT=y
# CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
CONFIG_BRANCH_PROFILE_NONE=y CONFIG_BRANCH_PROFILE_NONE=y
# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
# CONFIG_PROFILE_ALL_BRANCHES is not set
CONFIG_BLK_DEV_IO_TRACE=y CONFIG_BLK_DEV_IO_TRACE=y
CONFIG_UPROBE_EVENTS=y CONFIG_UPROBE_EVENTS=y
CONFIG_DYNAMIC_EVENTS=y CONFIG_DYNAMIC_EVENTS=y
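Review bot: In the "Security options" hunk (@ -9257,96 +9254,39) the new side, as far as the rendered columns show, unsets `CONFIG_PAGE_TABLE_ISOLATION`, `CONFIG_HARDENED_USERCOPY` and `CONFIG_FORTIFY_SOURCE`, and the memory-initialization hunk unsets `CONFIG_INIT_ON_ALLOC_DEFAULT_ON`, yet the commit message gives no reason for dropping these mitigations. These are generic kernel hardening options rather than LSM policy, so losing them together with SELinux/AppArmor/IMA looks unintended; I would keep `CONFIG_PAGE_TABLE_ISOLATION=y`, `CONFIG_HARDENED_USERCOPY=y` and `CONFIG_FORTIFY_SOURCE=y` unless a measured regression on this machine justifies the trade, and state that reason in the commit description. With Yama and every MAC LSM disabled the kernel falls back to `CONFIG_DEFAULT_SECURITY_DAC=y`, but `CONFIG_LSM="lockdown,yama,integrity,apparmor"` is left unchanged and now names LSMs (yama, apparmor) that are no longer built. Either trim that string to match what is compiled in, or keep `CONFIG_SECURITY_YAMA=y` so ptrace scoping remains available.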