CHROMIUM: config: enable dmesg_restrict option on kernel v4.19-manatee
As part of hardening Chrome OS, we would like to enable the
dmesg_restrict kernel option to protect against bypassing ASLR.
Signed-off-by: Nicole Anderson-Au <nvaa@google.com>
BUG=chromium:1129517
TEST=ran test on 5.4 kernel (see chromium:2468199),
but must run on this kernel to fully confirm
echo WARNING > /sys/kernel/debug/provoke-crash/DIRECT
check in /var/spool/crash to make sure that
(a) a log file is generated and
(b) that log file contains relevant content from dmesg
Also check that /proc/sys/kernel/dmesg_restrict is set to 1
Change-Id: Ic9e0cca376f10b9bba7fcd4a454961542a5609f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2485041
Tested-by: Nicole Anderson-Au <nvaa@google.com>
Commit-Queue: Allen Webb <allenwebb@google.com>
Reviewed-by: Allen Webb <allenwebb@google.com>
diff --git a/chromeos/config/base.config b/chromeos/config/base.config
index ca2cf36..1f6da84 100644
--- a/chromeos/config/base.config
+++ b/chromeos/config/base.config
@@ -351,6 +351,7 @@
# CONFIG_SECTION_MISMATCH_WARN_ONLY is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_CHROMIUMOS=y
+CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENABLED=y
CONFIG_SECURITY_NETWORK=y
