debian.master/config/enforce - chromiumos/third_party/kernel - Git at Google

 #
 # SECURITY items
 #
 # Ensure this option is enabled.
 value CONFIG_COMPAT_BRK n
 value CONFIG_DEVKMEM n
 value CONFIG_LSM_MMAP_MIN_ADDR 0
 value CONFIG_SECURITY y
 !exists CONFIG_SECURITY_FILE_CAPABILITIES | value CONFIG_SECURITY_FILE_CAPABILITIES y
 value CONFIG_SECURITY_SELINUX y
 value CONFIG_SECURITY_SMACK y
 value CONFIG_SYN_COOKIES y
 value CONFIG_DEFAULT_SECURITY_APPARMOR y
 # For architectures which support this option ensure it is enabled.
 !exists CONFIG_SECCOMP | value CONFIG_SECCOMP y
 !exists CONFIG_CC_STACKPROTECTOR | value CONFIG_CC_STACKPROTECTOR y
 !exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y
 !exists CONFIG_STRICT_DEVMEM | value CONFIG_STRICT_DEVMEM y
 # For architectures which support this option ensure it is disabled.
 !exists CONFIG_COMPAT_VDSO | value CONFIG_COMPAT_VDSO n
 # Default to 32768 for armel, 65536 for everything else.
 (( arch armel | arch sparc ) & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 ) | \
 	( value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)

 # CONFIG_USB_DEVICE_FS breaks udev USB firmware loading and is deprecated
 # ensure it is disabled.
 value CONFIG_USB_DEVICEFS n

 # upstart requires DEVTMPFS be enabled and mounted by default.
 value CONFIG_DEVTMPFS y
 value CONFIG_DEVTMPFS_MOUNT y

 # some /dev nodes require POSIX ACLs, like /dev/dsp
 value CONFIG_TMPFS_POSIX_ACL y

 # Ramdisk size should be a minimum of 64M
 value CONFIG_BLK_DEV_RAM_SIZE 65536

 # LVM requires dm_mod built in to activate correctly (LP: #560717)
 value CONFIG_BLK_DEV_DM y
	#
	# SECURITY items
	#
	# Ensure this option is enabled.
	value CONFIG_COMPAT_BRK n
	value CONFIG_DEVKMEM n
	value CONFIG_LSM_MMAP_MIN_ADDR 0
	value CONFIG_SECURITY y
	!exists CONFIG_SECURITY_FILE_CAPABILITIES \| value CONFIG_SECURITY_FILE_CAPABILITIES y
	value CONFIG_SECURITY_SELINUX y
	value CONFIG_SECURITY_SMACK y
	value CONFIG_SYN_COOKIES y
	value CONFIG_DEFAULT_SECURITY_APPARMOR y
	# For architectures which support this option ensure it is enabled.
	!exists CONFIG_SECCOMP \| value CONFIG_SECCOMP y
	!exists CONFIG_CC_STACKPROTECTOR \| value CONFIG_CC_STACKPROTECTOR y
	!exists CONFIG_DEBUG_RODATA \| value CONFIG_DEBUG_RODATA y
	!exists CONFIG_STRICT_DEVMEM \| value CONFIG_STRICT_DEVMEM y
	# For architectures which support this option ensure it is disabled.
	!exists CONFIG_COMPAT_VDSO \| value CONFIG_COMPAT_VDSO n
	# Default to 32768 for armel, 65536 for everything else.
	(( arch armel \| arch sparc ) & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 ) \| \
	( value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)

	# CONFIG_USB_DEVICE_FS breaks udev USB firmware loading and is deprecated
	# ensure it is disabled.
	value CONFIG_USB_DEVICEFS n

	# upstart requires DEVTMPFS be enabled and mounted by default.
	value CONFIG_DEVTMPFS y
	value CONFIG_DEVTMPFS_MOUNT y

	# some /dev nodes require POSIX ACLs, like /dev/dsp
	value CONFIG_TMPFS_POSIX_ACL y

	# Ramdisk size should be a minimum of 64M
	value CONFIG_BLK_DEV_RAM_SIZE 65536

	# LVM requires dm_mod built in to activate correctly (LP: #560717)
	value CONFIG_BLK_DEV_DM y