From f37786764c281c11e2b6883e52863974d895bbc8 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Tue, 29 Jun 2021 05:08:45 -0400
Subject: [PATCH] Add more hardening Kconfig options

Mostly taken from KSPP.
---
 config-qubes | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/config-qubes b/config-qubes
index 630ee717..e0c29281 100644
--- a/config-qubes
+++ b/config-qubes
@@ -69,6 +69,31 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
+## Use the SLUB allocator
+CONFIG_SLUB=y
+
+## and turn on debugging checks by default
+CONFIG_SLUB_DEBUG=y
+CONFIG_SLUB_DEBUG_ON=y
+
+## Make some heap exploits harder
+
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
+
+## Internal consistency checks
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_PLIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+
+
+## Lots of low-level attack surface; keep off
+# CONFIG_MODIFY_LDT_SYSCALL is not set
+
 ################################################################################
 ## Disable PCI hotplug to prevent DMA attacks via ExpressCard or Thunderbolt