Merge pull request #1175 from riyazdf/kern-config-hardening

Kernel config hardening

alpine/cloud/aws/syslinux.cfg

@@ -4,4 +4,4 @@ PROMPT 0
 LABEL linux
     KERNEL /vmlinuz64
     INITRD /initrd.img
-    APPEND root=/dev/xvdb1 console=tty0 console=tty1 console=ttyS0 mobyplatform=aws vsyscall=emulate
+    APPEND root=/dev/xvdb1 console=tty0 console=tty1 console=ttyS0 mobyplatform=aws vsyscall=emulate page_poison=1

alpine/cloud/azure/syslinux.cfg

@@ -2,4 +2,4 @@ DEFAULT linux
 LABEL linux
     KERNEL /vmlinuz64
     INITRD /initrd.img
-    APPEND root=/dev/sda1 rootdelay=300 console=tty1 console=ttyS0 earlyprintk=ttyS0 mobyplatform=azure vsyscall=emulate
+    APPEND root=/dev/sda1 rootdelay=300 console=tty1 console=ttyS0 earlyprintk=ttyS0 mobyplatform=azure vsyscall=emulate page_poison=1

base/mkimage-iso-efi/make-efi

@@ -22,7 +22,7 @@ KERNEL="$(find . -name vmlinuz64 -or -name bzImage)"
 find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf
 
 # Docker for Windows specific options, should be moved
-WINDOWS_OPTIONS="mobyplatform=windows vsyscall=emulate panic=1 rootdelay=300 noautodetect"
+WINDOWS_OPTIONS="mobyplatform=windows vsyscall=emulate page_poison=1 panic=1 rootdelay=300 noautodetect"
 
 # Create a EFI boot file with kernel and initrd. From:
 # https://github.com/haraldh/mkrescue-uefi/blob/master/mkrescue-uefi.sh

base/test/bin/test.sh

@@ -11,5 +11,5 @@ docker pull armhf/alpine
 docker run --rm armhf/alpine uname -a
 docker swarm init
 docker run mobylinux/check-config:dc29b05bb5cca871f83421e4c4aaa8f5d3c682f4@sha256:5dcdf0e3386ed506a28a59191eaa1ea48261e15199fcbbe8caf8dc1889405b2d
-docker run mobylinux/check-kernel-config:766a83e4b1831bef7f748071d0cd7715935d8be2@sha256:6821a7bce30bd013a6cc190d171228f9b02359e9c792858005f401ab15357575
+docker run mobylinux/check-kernel-config:b7616e925bc58ce9f9cc2b60009a95084ef4ca4a@sha256:0799d81892e65743ea606b4151ae3d13b29b70c0ac6f1636e67d3e8b79541150
 cat /etc/moby

kernel/kernel_config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.5 Kernel Configuration
+# Linux/x86 4.9.9 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -465,8 +465,6 @@ CONFIG_PERF_EVENTS_INTEL_RAPL=y
 CONFIG_PERF_EVENTS_INTEL_CSTATE=y
 # CONFIG_PERF_EVENTS_AMD_POWER is not set
 # CONFIG_VM86 is not set
-CONFIG_X86_16BIT=y
-CONFIG_X86_ESPFIX64=y
 CONFIG_X86_VSYSCALL_EMULATION=y
 # CONFIG_I8K is not set
 CONFIG_MICROCODE=y
@@ -561,8 +559,11 @@ CONFIG_SCHED_HRTICK=y
 # CONFIG_CRASH_DUMP is not set
 CONFIG_PHYSICAL_START=0x1000000
 CONFIG_RELOCATABLE=y
-# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_X86_NEED_RELOCS=y
 CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_RANDOMIZE_MEMORY=y
+CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
@@ -571,7 +572,7 @@ CONFIG_HOTPLUG_CPU=y
 # CONFIG_LEGACY_VSYSCALL_EMULATE is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # CONFIG_CMDLINE_BOOL is not set
-CONFIG_MODIFY_LDT_SYSCALL=y
+# CONFIG_MODIFY_LDT_SYSCALL is not set
 CONFIG_HAVE_LIVEPATCH=y
 CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
 CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
@@ -3126,9 +3127,11 @@ CONFIG_DEBUG_KERNEL=y
 #
 # Memory Debugging
 #
-# CONFIG_PAGE_EXTENSION is not set
+CONFIG_PAGE_EXTENSION=y
 # CONFIG_DEBUG_PAGEALLOC is not set
-# CONFIG_PAGE_POISONING is not set
+CONFIG_PAGE_POISONING=y
+CONFIG_PAGE_POISONING_NO_SANITY=y
+CONFIG_PAGE_POISONING_ZERO=y
 # CONFIG_DEBUG_PAGE_REF is not set
 # CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_DEBUG_SLAB is not set

tools/check-kernel-config/check-kernel-config.sh

@@ -20,6 +20,7 @@ cat unzipped_config | grep CONFIG_DEBUG_RODATA=y
 cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y
 cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y
 cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y
+cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y
 cat unzipped_config | grep CONFIG_SYN_COOKIES=y
 cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y
 cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y
@@ -30,6 +31,15 @@ cat unzipped_config | grep CONFIG_SECURITY=y
 cat unzipped_config | grep CONFIG_SECURITY_YAMA=y
 cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y
 cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y
+cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y
+cat unzipped_config | grep CONFIG_SYN_COOKIES=y
+cat unzipped_config | grep CONFIG_PAGE_POISONING=y
+cat unzipped_config | grep CONFIG_PAGE_POISONING_NO_SANITY=y
+cat unzipped_config | grep CONFIG_PAGE_POISONING_ZERO=y
+cat unzipped_config | grep CONFIG_LEGACY_VSYSCALL_NONE=y
+cat unzipped_config | grep CONFIG_BUG_ON_DATA_CORRUPTION=y
+cat unzipped_config | grep CONFIG_RANDOMIZE_BASE=y
+cat unzipped_config | grep CONFIG_RANDOMIZE_MEMORY=y
 
 # Conditional on kernel version
 if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then
@@ -51,3 +61,5 @@ cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set'
 cat unzipped_config | grep 'CONFIG_KEXEC is not set'
 cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'
 cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set'
+cat unzipped_config | grep 'CONFIG_X86_X32 is not set'
+cat unzipped_config | grep 'CONFIG_MODIFY_LDT_SYSCALL is not set'

tools/mkimage-gce/make-gce

@@ -26,7 +26,7 @@ KERNEL="$(find . -name vmlinuz64 -or -name bzImage)"
 find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf
 
 # should be externally provided as GCE specific
-GCE_CONFIG="earlyprintk=ttyS0,115200 console=ttyS0,115200 mobyplatform=gcp vsyscall=emulate"
+GCE_CONFIG="earlyprintk=ttyS0,115200 console=ttyS0,115200 mobyplatform=gcp vsyscall=emulate page_poison=1"
 
 CFG="DEFAULT linux
 LABEL linux