Commit 9c8824bd authored by Loic

HBSD: Disable INCLUDE_CONFIG_FILE

It is better to disable the INCLUDE_CONFIG_FILE option
so as not to include the kernel configuration file.
This allows us to reduce kernel infoleaks and thus to
complicate the life of the attacker, whom we have already
deprived of direct access to the kernel [1].

[1] commit 394e5e99 ("HBSD: prevent kernel reading by non-root users")

Signed-off-by: Loic <loic.f@hardenedbsd.org>
Reported-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Issue: #47
parent bca7c80f
......@@ -33,6 +33,7 @@ nooptions COMPAT_FREEBSD9
nooptions COMPAT_FREEBSD10
nooptions COMPAT_FREEBSD32
nooptions QUEUE_MACRO_DEBUG_TRASH
nooptions INCLUDE_CONFIG_FILE # reduce kernel infoleaks
# HardenedBSD hardening options
options HARDEN_KLD # Harden the kernel module interface
......
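Review bot: The trailing comment on the added `nooptions INCLUDE_CONFIG_FILE` line, "reduce kernel infoleaks", does not say what stops being exposed. Consider wording it as what the option does, for example "do not embed the kernel config in the kernel image". It would also help to note in the commit message that `config -x` on the installed kernel will no longer return the configuration, so anyone who relies on that to audit which hardening options a kernel was built with needs the config file from elsewhere.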
......@@ -14,6 +14,7 @@ options PAX_HARDENING
options PAX_NOEXEC
options PAX_SEGVGUARD
nooptions COMPAT_FREEBSD32
nooptions INCLUDE_CONFIG_FILE # reduce kernel infoleaks
# Needed for ThunderX2 systems
options NUMA
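Review bot: The `nooptions INCLUDE_CONFIG_FILE` line here repeats the one in the previous hunk verbatim, next to a `nooptions COMPAT_FREEBSD32` that is also repeated, so each hardening change has to be remembered once per config file. If these files share a common include, put the line there. Otherwise, check that no other kernel config in the tree still builds with the option, since a single leftover config keeps the embedded configuration available on that platform.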