# https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

#
# CONFIGs (https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#CONFIGs)
#

# Report BUG() conditions and kill the offending process.
enable BUG

# Make sure kernel page tables have safe permissions.
enable STRICT_KERNEL_RWX

# Report any dangerous memory permissions (not available on all archs).
enable DEBUG_WX

# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
enable CC_STACKPROTECTOR
# By default CONFIG_CC_STACKPROTECTOR_AUTO use best available stack-protector 
# option so we don't need enable it explicit
#enable CC_STACKPROTECTOR_STRONG

# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
disable DEVMEM
enable STRICT_DEVMEM
enable IO_STRICT_DEVMEM

# Provides some protections against SYN flooding.
enable SYN_COOKIES

# Perform additional validation of various commonly targeted structures.
enable DEBUG_CREDENTIALS
enable DEBUG_NOTIFIERS
enable DEBUG_LIST
enable DEBUG_SG
enable BUG_ON_DATA_CORRUPTION
enable SCHED_STACK_END_CHECK

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
enable SECCOMP
enable SECCOMP_FILTER

# Provide userspace with ptrace ancestry protections.
enable SECURITY
enable SECURITY_YAMA

# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
enable HARDENED_USERCOPY
disable HARDENED_USERCOPY_FALLBACK

# Randomize allocator freelists, harden metadata.
enable SLAB_FREELIST_RANDOM
enable SLAB_FREELIST_HARDENED

# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
enable SLUB_DEBUG

# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
enable PAGE_POISONING
enable PAGE_POISONING_NO_SANITY
enable PAGE_POISONING_ZERO

# Adds guard pages to kernel stacks (not all architectures support this yet).
enable VMAP_STACK

# Perform extensive checks on reference counting.
enable REFCOUNT_FULL

# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
enable FORTIFY_SOURCE

# Dangerous; enabling this allows direct physical memory writing.
disable ACPI_CUSTOM_METHOD

# Dangerous; enabling this disables brk ASLR.
disable COMPAT_BRK

# Dangerous; enabling this allows direct kernel memory writing.
disable DEVKMEM

# Dangerous; exposes kernel text image layout.
disable PROC_KCORE

# Dangerous; enabling this disables VDSO ASLR.
disable COMPAT_VDSO

# Dangerous; enabling this allows replacement of running kernel.
disable KEXEC

# Dangerous; enabling this allows replacement of running kernel.
disable HIBERNATION

# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
disable INET_DIAG

# Easily confused by misconfigured userspace, keep off.
disable BINFMT_MISC

# Use the modern PTY interface (devpts) only.
disable LEGACY_PTYS

# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
disable SECURITY_SELINUX_DISABLE

# Reboot devices immediately if kernel experiences an Oops.
enable PANIC_ON_OOPS
set-val PANIC_TIMEOUT -1

# Keep root from altering kernel memory via loadable modules.
disable MODULES

#
# GCC Plugins (https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#GCC_plugins)
#

# Enable GCC Plugins
enable GCC_PLUGINS

# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
enable GCC_PLUGIN_LATENT_ENTROPY

# Force all structures to be initialized before they are passed to other functions.
enable GCC_PLUGIN_STRUCTLEAK
enable GCC_PLUGIN_STRUCTLEAK_BYREF_ALL

# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
enable GCC_PLUGIN_RANDSTRUCT

#
# x86_64 (https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#x86_64)
# 

# Full 64-bit means PAE and NX bit.
enable X86_64

# Disallow allocating the first 64k of memory.
set-val DEFAULT_MMAP_MIN_ADDR 65536

# Randomize position of kernel and memory.
enable RANDOMIZE_BASE
enable RANDOMIZE_MEMORY

# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
disable LEGACY_VSYSCALL_EMULATE
enable LEGACY_VSYSCALL_NONE

# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
enable PAGE_TABLE_ISOLATION

# Remove additional attack surface, unless you really need them.
disable IA32_EMULATION
disable X86_X32
disable MODIFY_LDT_SYSCALL