sevki
c9e1dba412
setup CI/CD for kernel development - added CodeQL for code scanning - every pr is built as an image and is available for 30days on https://oklinux.dev - tagged and released on github for now Signed-off-by: sevki <s@sevki.io>
# Help: Common security options for PowerPC builds
#
# This is a config fragment. A value here only takes effect if the target
# tree defines the symbol and its dependencies are met, so check the final
# .config after merging.

# Start the kernel in lockdown integrity mode, the same as passing
# lockdown=integrity on the kernel command line.
# LSM framework that the lockdown LSM is built on.
CONFIG_SECURITY=y
# securityfs, where the lockdown LSM reports its current mode.
CONFIG_SECURITYFS=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# Initialise lockdown early in boot rather than with the other LSMs.
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
# Integrity mode is the built-in starting level. Lockdown can be raised
# at runtime but not lowered.
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y

# General-purpose hardening that costs little at runtime.
# Bounds-check copies between kernel and user space.
CONFIG_HARDENED_USERCOPY=y
# Compile-time and runtime overflow checks in string/memory helpers.
CONFIG_FORTIFY_SOURCE=y
# Zero page and slab allocations by default.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

# UBSAN with the miscellaneous checks turned off, leaving the cheap
# bounds checking as the hardening feature.
# NOTE(review): the UBSAN sub-options differ between kernel versions.
# Confirm that CONFIG_UBSAN_BOUNDS is set in the resulting .config.
# NOTE(review): without CONFIG_UBSAN_TRAP a violation is reported but
# execution continues. Decide whether report-only is the intended policy.
CONFIG_UBSAN=y
# CONFIG_UBSAN_MISC is not set