DRAFT : Proposed kernel configuration improvements to enhance security #1816
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I was looking at heads' kernel config (for nitropad-nv41 in my case), and I thought there might be some options that would be worth changing (“y”->“is not set”, “is not set”->“y” and some literal values).
This idea comes to me from a13xp0p0v's project kernel-hardening-checker, which aims to verify the security of a linux kernel. It's true that this project is more for server or desktop linux, but I think some options could be useful in the case of head.
I'm talking about the following options:
From "y" to "is not set" :
From to "is not set" to "y" :
Literal values :
Please note that some options are changed automatically, but only after running the command “make BOARD=nitropad-nv41 linux.prompt_for_new_config_options_for_kernel_version_bump”.
This is a draft, so I haven't checked whether it's really a problem to change the GCC version, etc, at the moment.
I'm adding a mod.md file here, which lists all the modules and linux CONFIGs required for traceability.
obviously DO NOT merge