Merging upstream version 6.10.3.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-08-07 13:18:06 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-08-07 13:18:06 +0000
commit: 638a9e433ecd61e64761352dbec1fa4f5874c941 (patch)
tree: fdbff74a238d7a5a7d1cef071b7230bc064b9f25 /kernel/configs
parent: Releasing progress-linux version 6.9.12-1~progress7.99u1. (diff)
download: linux-638a9e433ecd61e64761352dbec1fa4f5874c941.tar.xz
linux-638a9e433ecd61e64761352dbec1fa4f5874c941.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config
index 4b4cfcba31..8a7ce7a6b3 100644
--- a/kernel/configs/hardening.config
+++ b/kernel/configs/hardening.config
@@ -23,6 +23,10 @@ CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 CONFIG_RANDOM_KMALLOC_CACHES=y
 
+# Sanity check userspace page table mappings.
+CONFIG_PAGE_TABLE_CHECK=y
+CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
+
 # Randomize kernel stack offset on syscall entry.
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
@@ -82,6 +86,10 @@ CONFIG_SECCOMP_FILTER=y
 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y
 
+# Enable Kernel Control Flow Integrity (currently Clang only).
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set
+
 # Attack surface reduction: do not autoload TTY line disciplines.
 # CONFIG_LDISC_AUTOLOAD is not set
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-08-07 13:18:06 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-08-07 13:18:06 +0000
commit	638a9e433ecd61e64761352dbec1fa4f5874c941 (patch)
tree	fdbff74a238d7a5a7d1cef071b7230bc064b9f25 /kernel/configs
parent	Releasing progress-linux version 6.9.12-1~progress7.99u1. (diff)
download	linux-638a9e433ecd61e64761352dbec1fa4f5874c941.tar.xz linux-638a9e433ecd61e64761352dbec1fa4f5874c941.zip