Kernel Configuration Glossary

In our post “Millions of Binaries Later: a Look Into Linux Hardening in the Wild”, we examined the security properties of different distributions. In the following, we provide a glossary for the security-relevant kernel configuration options discussed in that post (scraped from the Linux Kernel Driver Database).

Option

Description

Significance

CONFIG_X86_SMAP

Supervisor Mode Access Prevention (SMAP) is a security feature in newer Intel processors. There is a small performance cost if this enabled and turned on; there is also a small increase in the kernel size if this is enabled.

Critical

CONFIG_STRICT_KERNEL_RWX

If this is set kernel text and rodata memory will be made read-only and non-text memory will be made non-executable. This provides protection against certain security exploits (e.g. executing the heap or modifying text)

Critical

CONFIG_RANDOMIZE_BASE

In support of Kernel Address Space Layout Randomization (KASLR) this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.

Critical

CONFIG_RANDOMIZE_MEMORY

Randomizes the base virtual address of kernel memory sections (physical memory mapping vmalloc & vmemmap). This security feature makes exploits relying on predictable memory locations less reliable.

Critical

CONFIG_STACKPROTECTOR_STRONG

Functions will have the stack-protector canary logic added in any of the following conditions:

Critical

CONFIG_HARDENED_USERCOPY

This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the specified heap object span multiple separately allocated pages are not on the process stack or are part of the kernel text. This kills entire classes of heap overflow exploits and similar kernel memory exposures.

Critical

CONFIG_LOCK_DOWN_KERNEL

Critical

CONFIG_STRICT_MODULE_RWX

If this is set module text and rodata memory will be made read-only and non-text memory will be made non-executable. This provides protection against certain security exploits (e.g. writing to text)

Critical

CONFIG_SECURITY

This allows you to choose different security modules to be configured into your kernel.

Critical

CONFIG_SECCOMP

This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes or other transports made available to the process as file descriptors supporting the read/write syscalls it's possible to isolate those applications in their own address space using seccomp. Once seccomp is enabled via prctl(PR_SET_SECCOMP) it cannot be disabled and the task is only allowed to execute a few safe syscalls defined by each seccomp mode.

Critical

CONFIG_STRICT_DEVMEM

If this option is disabled you allow userspace (root) access to all of memory including kernel and userspace memory. Accidental access to this is obviously disastrous but specific access can be used by people debugging the kernel.

Critical

CONFIG_DEVKMEM

Say Y here if you want to support the /dev/kmem device. The /dev/kmem device is rarely used but can be used for certain kind of kernel debugging operations. When in doubt say "N".

Critical

CONFIG_X86_INTEL_UMIP

The User Mode Instruction Prevention (UMIP) is a security feature in newer Intel processors. If enabled a general protection fault is issued if the SGDT SLDT SIDT SMSW or STR instructions are executed in user mode. These instructions unnecessarily expose information about the hardware state.

High

CONFIG_VMAP_STACK

Enable this if you want the use virtually-mapped kernel stacks with guard pages. This causes kernel stack overflows to be caught immediately rather than causing difficult-to-diagnose corruption.

High

CONFIG_SLAB_FREELIST_HARDENED

Many kernel heap attacks try to target slab cache metadata and other infrastructure. This options makes minor performance sacrifies to harden the kernel slab allocator against common freelist exploit methods.

High

CONFIG_SLAB_FREELIST_RANDOM

Randomizes the freelist order used on creating new pages. This security feature reduces the predictability of the kernel slab allocator against heap overflows.

High

CONFIG_FORTIFY_SOURCE

Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes.

High

CONFIG_BUG_ON_DATA_CORRUPTION

Select this option if the kernel should BUG when it encounters data corruption in kernel memory structures when they get checked for validity.

High

CONFIG_HARDENED_USERCOPY_FALLBACK

This is a temporary option that allows missing usercopy whitelists to be discovered via a WARN() to the kernel log instead of rejecting the copy falling back to non-whitelisted hardened usercopy that checks the slab allocation size instead of the whitelist size. This option will be removed once it seems like all missing usercopy whitelists have been identified and fixed. Booting with "slab_common.usercopy_fallback=Y/N" can change this setting.

High

CONFIG_SECURITY_DMESG_RESTRICT

This enforces restrictions on unprivileged users reading the kernel syslog via dmesg(8).

High

CONFIG_SECURITY_YAMA

This selects Yama which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. Currently available is ptrace scope restriction. Like capabilities this security module stacks with other LSMs. Further information can be found in Documentation/admin-guide/LSM/Yama.rst.

High

CONFIG_SECURITY_SELINUX_DISABLE

This option enables writing to a selinuxfs node 'disable' which allows SELinux to be disabled at runtime prior to the policy load. SELinux will then remain disabled until the next boot. This option is similar to the selinux=0 boot parameter but is to support runtime disabling of SELinux e.g. from /sbin/init for portability across platforms where boot parameters are difficult to employ.

High

CONFIG_SECCOMP_FILTER

Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices.

High

CONFIG_ACPI_CUSTOM_METHOD

This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting the system. For details refer to: Documentation/acpi/method-customizing.txt.

High

CONFIG_COMPAT_BRK

Randomizing heap placement makes heap exploits harder but it also breaks ancient binaries (including anything libc5 based). This option changes the bootup default to heap randomization disabled and can be overridden at runtime by setting /proc/sys/kernel/randomize_va_space to 2.

High

CONFIG_IO_STRICT_DEVMEM

If this option is disabled you allow userspace (root) access to all io-memory regardless of whether a driver is actively using that range. Accidental access to this is obviously disastrous but specific access can be used by people debugging kernel drivers.

High

CONFIG_LEGACY_VSYSCALL_NONE

There will be no vsyscall mapping at all. This will eliminate any risk of ASLR bypass due to the vsyscall fixed address mapping. Attempts to use the vsyscalls will be reported to dmesg so that either old or malicious userspace programs can be identified.

High

CONFIG_USERFAULTFD

Enable the userfaultfd() system call that allows to intercept and handle page faults in userland.

High

CONFIG_LIVEPATCH

Say Y here if you want to support kernel live patching. This option has no runtime impact until a kernel "patch" module uses the interface provided by this option to register a patch causing calls to patched functions to be redirected to new function code contained in the patch module.

High

CONFIG_BPF_JIT

Berkeley Packet Filter filtering capabilities are normally handled by an interpreter. This option allows kernel to generate a native code when filter is loaded in memory. This should speedup packet sniffing (libpcap/tcpdump).

High

CONFIG_PAGE_TABLE_ISOLATION

This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace.

High

CONFIG_RETPOLINE

Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern support for full protection. The kernel may run slower.

High

CONFIG_X86_64

Port to the x86-64 architecture. x86-64 is a 64-bit extension to the classical 32-bit x86 architecture. For details see http://www.x86-64.org/.

High

CONFIG_DEBUG_WX

Generate a warning if any W+X mappings are found at boot.

High

CONFIG_SCHED_STACK_END_CHECK

This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be over written always panic as the content of the corrupted region can no longer be trusted. This is to ensure no erroneous behaviour occurs which could result in data corruption or a sporadic crash at a later stage once the region is examined. The runtime overhead introduced is minimal.

High

CONFIG_MODULE_SIG

Check modules for valid signatures upon load: the signature is simply appended to the module. For more information see Documentation/admin-guide/module-signing.rst.

High

CONFIG_REFCOUNT_FULL

Enabling this switches the refcounting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation which can be (slightly) slower but provides protections against various use-after-free conditions that can be used in security flaw exploits.

High

CONFIG_STATIC_USERMODEHELPER

By default the kernel can call many different userspace binary programs through the "usermode helper" kernel interface. Some of these binaries are statically defined either in the kernel code itself or as a kernel configuration option. However some of these are dynamically created at runtime or can be modified after the kernel has started up. To provide an additional layer of security route all of these calls through a single executable that can not have its name changed.

High

CONFIG_COMPAT_VDSO

Map the VDSO to the predictable old-style address too. Say N here if you are running a sufficiently recent glibc version (2.3.3 or later) to remove the high-mapped VDSO mapping and to exclusively use the randomized VDSO.

High

CONFIG_BINFMT_MISC

If you say Y here it will be possible to plug wrapper-driven binary formats into the kernel. You will like this especially when you use programs that need an interpreter to run like Java Python .NET or Emacs-Lisp. It's also useful if you often run DOS executables under the Linux DOS emulator DOSEMU (read the DOSEMU-HOWTO available from http://www.tldp.org/docs.html#howto). Once you have registered such a binary class with the kernel you can start one of those programs simply by typing in its name at a shell prompt; Linux will automatically feed it to the correct interpreter.

High

CONFIG_PROC_KCORE

Provides a virtual ELF core file of the live kernel. This can be read with gdb and other ELF tools. No modifications can be made using this mechanism.

High

CONFIG_MODIFY_LDT_SYSCALL

Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system call. This is required to run 16-bit or segmented code such as DOSEMU or some Wine programs. It is also used by some very old threading libraries.

High

CONFIG_KPROBES

Kprobes allows you to trap at almost any kernel address and execute a callback function. register_kprobe() establishes a probepoint and specifies the callback. Kprobes is useful for kernel debugging non-intrusive instrumentation and testing. If in doubt say "N".

High

CONFIG_UPROBES

Uprobes is the user-space counterpart to kprobes: they enable instrumentation applications (such as 'perf probe') to establish unintrusive probes in user-space binaries and libraries by executing handler functions when the probes are hit by user-space applications.

High

CONFIG_DEBUG_FS

debugfs is a virtual file system that kernel developers use to put debugging files into. Enable this option to be able to read and write to these files.

High

CONFIG_BPF_SYSCALL

Enable the bpf() system call that allows to manipulate eBPF programs and maps via file descriptors.

High

CONFIG_USER_NS

Support user namespaces. This allows containers i.e. vservers to use user namespaces to provide different user info for different servers. If unsure say N.

High

CONFIG_FTRACE

Enable the kernel to trace every kernel function. This is done by using a compiler feature to insert a small 5-byte No-Operation instruction to the beginning of every kernel function which NOP sequence is then dynamically patched into a tracer call when tracing is enabled by the administrator. If it's runtime disabled (the bootup default) then the overhead of the instructions is very small and not measurable even in micro-benchmarks.

High

CONFIG_ARCH_MMAP_RND_BITS

This value can be used to select the number of bits to use to determine the random offset to the base address of vma regions resulting from mmap allocations. This value will be bounded by the architecture's minimum and maximum supported values.

High

CONFIG_BUG

Disabling this option eliminates support for BUG and WARN reducing the size of your kernel image and potentially quietly ignoring numerous fatal conditions. You should only consider disabling this option for embedded systems with no facilities for reporting errors. Just say Y.

Medium

CONFIG_THREAD_INFO_IN_TASK

Select this to move thread_info off the stack into task_struct. To make this work an arch will need to remove all thread_info fields except flags and fix any runtime bugs.

Medium

CONFIG_MODULE_SIG_ALL

Sign all modules during make modules_install. Without this option modules must be signed manually using the scripts/sign-file tool.

Medium

CONFIG_PAGE_POISONING

Fill the pages with poison patterns after free_pages() and verify the patterns before alloc_pages. The filling of the memory helps reduce the risk of information leaks from freed data. This does have a potential performance impact if enabled with the "page_poison=1" kernel boot option.

Medium

CONFIG_GCC_PLUGIN_RANDSTRUCT

If you say Y here the layouts of structures that are entirely function pointers (and have not been manually annotated with __no_randomize_layout) or structures that have been explicitly marked with __randomize_layout will be randomized at compile-time. This can introduce the requirement of an additional information exposure vulnerability for exploits targeting these structure types.

Medium

CONFIG_HIBERNATION

Enable the suspend to disk (STD) functionality which is usually called "hibernation" in user interfaces. STD checkpoints the system and powers it off; and restores that checkpoint on reboot.

Medium

CONFIG_PROC_VMCORE

Exports the dump image of crashed kernel in ELF format.

Medium

CONFIG_HWPOISON_INJECT

Medium

CONFIG_SLUB_DEBUG

SLUB has extensive debug support features. Disabling these can result in significant savings in code size. This also disables SLUB sysfs support. /sys/slab will not exist and there will be no support for cache validation etc.

Medium

CONFIG_SYN_COOKIES

Normal TCP/IP networking is open to an attack known as "SYN flooding". This denial-of-service attack prevents legitimate remote users from being able to connect to your computer during an ongoing attack and requires very little work from the attacker who can operate from anywhere on the Internet.

Medium

CONFIG_DEFAULT_MMAP_MIN_ADDR

This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.

Medium

CONFIG_GCC_PLUGIN_LATENT_ENTROPY

By saying Y here the kernel will instrument some kernel code to extract some entropy from both original and artificially created program state. This will help especially embedded systems where there is little 'natural' source of entropy normally. The cost is some slowdown of the boot process (about 0.5%) and fork and irq processing.

Medium

CONFIG_DEBUG_LIST

Enable this to turn on extended checks in the linked-list walking routines.

Medium

CONFIG_DEBUG_CREDENTIALS

Enable this to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs to any given cred struct and checks to see that this number never exceeds the usage count of the cred struct.

Medium

CONFIG_MODULE_SIG_FORCE

Reject unsigned modules or signed modules for which we don't have a key. Without this such modules will simply taint the kernel.

Medium

CONFIG_GCC_PLUGIN_STACKLEAK

Medium

CONFIG_SECURITY_LOADPIN

Any files read through the kernel file reading interface (kernel modules firmware kexec images security policy) can be pinned to the first filesystem used for loading. When enabled any files that come from other filesystems will be rejected. This is best used on systems without an initrd that have a root filesystem backed by a read-only device such as dm-verity or a CDROM.

Medium

CONFIG_PAGE_POISONING_NO_SANITY

Skip the sanity checking on alloc only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature.

Medium

CONFIG_PAGE_POISONING_ZERO

Instead of using the existing poison value fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization but the zeroing at free means that it is no longer necessary to write zeros when GFP_ZERO is used on allocation.

Medium

CONFIG_SLAB_MERGE_DEFAULT

For reduced kernel memory fragmentation slab caches can be merged when they share the same size and other characteristics. This carries a risk of kernel heap overflows being able to overwrite objects from merged caches (and more easily control cache layout) which makes such heap attacks easier to exploit by attackers. By keeping caches unmerged these kinds of exploits can usually only damage objects in the same cache. To disable merging at runtime "slab_nomerge" can be passed on the kernel command line.

Medium

CONFIG_X86_PTDUMP

Say Y here if you want to show the kernel pagetable layout in a debugfs file. This information is only useful for kernel developers who are working in architecture specific areas of the kernel. It is probably not a good idea to enable this feature in a production kernel. If in doubt say "N"

Medium

CONFIG_DEBUG_KMEMLEAK

Say Y here if you want to enable the memory leak detector. The memory allocation/freeing is traced in a way similar to the Boehm's conservative garbage collector the difference being that the orphan objects are not freed but only shown in /sys/kernel/debug/kmemleak. Enabling this feature will introduce an overhead to memory allocations. See Documentation/dev-tools/kmemleak.rst for more details.

Medium

CONFIG_KEXEC

kexec is a system call that implements the ability to shutdown your current kernel and to start another kernel. It is like a reboot but it is independent of the system firmware. And like a reboot you can start any kernel with it not just Linux.

Medium

CONFIG_LEGACY_PTYS

A pseudo terminal (PTY) is a software device consisting of two halves: a master and a slave. The slave device behaves identical to a physical terminal; the master device is used by a process to read data from and write data to the slave thereby emulating a terminal. Typical programs for the master side are telnet servers and xterms.

Medium

CONFIG_IA32_EMULATION

Include code to run legacy 32-bit programs under a 64-bit kernel. You should likely turn this on unless you're 100% sure that you don't have any 32-bit programs left.

Medium

CONFIG_PROC_PAGE_MONITOR

Various /proc files exist to monitor process memory utilization: /proc/pid/smaps /proc/pid/clear_refs /proc/pid/pagemap /proc/kpagecount and /proc/kpageflags. Disabling these interfaces will reduce the size of the kernel by approximately 4kb.

Medium

CONFIG_GCC_PLUGIN_STRUCTLEAK

This plugin zero-initializes any structures containing a __user attribute. This can prevent some classes of information exposures.

Medium

CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL

Zero initialize any struct type local variable that may be passed by reference without having been initialized.

Medium

CONFIG_DEBUG_SG

Enable this to turn on checks on scatter-gather tables. This can help find problems with drivers that do not properly initialize their sg tables.

Medium

CONFIG_SLUB_DEBUG_ON

Boot with debugging on by default. SLUB boots by default with the runtime debug capabilities switched off. Enabling this is equivalent to specifying the "slub_debug" parameter on boot. There is no support for more fine grained debug control like possible with slub_debug=xxx. SLUB debugging may be switched off in a kernel built with SLUB_DEBUG_ON by specifying "slub_debug=-".

Medium

CONFIG_INET_DIAG

Support for INET (TCP DCCP etc) socket monitoring interface used by native Linux tools such as ss. ss is included in iproute2 currently downloadable at:

Medium

CONFIG_X86_X32

Include code to run binaries for the x32 native 32-bit ABI for 64-bit processors. An x32 process gets access to the full 64-bit register file and wide data path while leaving pointers at 32 bits for smaller memory footprint.

Medium

CONFIG_USELIB

This option enables the uselib syscall a system call used in the dynamic linker from libc5 and earlier. glibc does not use this system call. If you intend to run programs built on libc5 or earlier you may need to enable this syscall. Current systems running glibc can safely disable this.

Medium

CONFIG_CHECKPOINT_RESTORE

Enables additional kernel features in a sake of checkpoint/restore. In particular it adds auxiliary prctl codes to setup process text data and heap segment sizes and a few additional /proc filesystem entries.

Medium

CONFIG_MEM_SOFT_DIRTY

This option enables memory changes tracking by introducing a soft-dirty bit on pte-s. This bit it set when someone writes into a page just as regular dirty bit but unlike the latter it can be cleared by hands.

Medium

CONFIG_MMIOTRACE

Mmiotrace traces Memory Mapped I/O access and is meant for debugging and reverse engineering. It is called from the ioremap implementation and works via page faults. Tracing is disabled by default and can be enabled at run-time.

Medium

CONFIG_KEXEC_FILE

This is new version of kexec system call. This system call is file based and takes file descriptors as system call argument for kernel and initramfs as opposed to list of segments as accepted by previous system call.

Medium

CONFIG_DEBUG_NOTIFIERS

Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel developers to make sure that modules properly unregister themselves from notifier chains. This is a relatively cheap check but if you care about maximum performance say N.

Low

CONFIG_ZSMALLOC_STAT

This option enables code in the zsmalloc to collect various statistics about whats happening in zsmalloc and exports that information to userspace via debugfs. If unsure say N.

Low

CONFIG_PAGE_OWNER

This keeps track of what call chain is the owner of a page may help to find bare alloc_page(s) leaks. Even if you include this feature on your build it is disabled in default. You should pass "page_owner=on" to boot parameter in order to enable it. Eats a fair amount of memory if enabled. See tools/vm/page_owner_sort.c for user-space helper.

Low

CONFIG_BINFMT_AOUT

A.out (Assembler.OUTput) is a set of formats for libraries and executables used in the earliest versions of UNIX. Linux used the a.out formats QMAGIC and ZMAGIC until they were replaced with the ELF format.

Low

CONFIG_IP_DCCP

Datagram Congestion Control Protocol (RFC 4340)

Low

CONFIG_IP_SCTP

Stream Control Transmission Protocol

Low

CONFIG_DEVPORT

Say Y here if you want to support the /dev/port device. The /dev/port device is similar to /dev/mem but for I/O ports.

Low

CONFIG_NOTIFIER_ERROR_INJECTION

This option provides the ability to inject artificial errors to specified notifier chain callbacks. It is useful to test the error handling of notifier call chain failures.

Low

CONFIG_ACPI_TABLE_UPGRADE

This option provides functionality to upgrade arbitrary ACPI tables via initrd. No functional change if no ACPI tables are passed via initrd therefore it's safe to say Y. See Documentation/acpi/initrd_table_override.txt for details

Low

CONFIG_ACPI_APEI_EINJ

EINJ provides a hardware error injection mechanism it is mainly used for debugging and testing the other parts of APEI and some other RAS features.

Low

CONFIG_PROFILING

Say Y here to enable the extended profiling support mechanisms used by profilers such as OProfile.

Low

CONFIG_GCC_PLUGINS

GCC plugins are loadable modules that provide extra features to the compiler. They are useful for runtime instrumentation and static analysis.

Low

CONFIG_MMIOTRACE_TEST

This is a dumb module for testing mmiotrace. It is very dangerous as it will write garbage to IO memory starting at a given address. However it should be safe to use on e.g. unused portion of VRAM.

Low