| # |
| # Copyright 2015 The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| |
| CONFIG_PM_AUTOSLEEP=y |
| CONFIG_PM_WAKELOCKS=y |
| CONFIG_PM_RUNTIME=y |
| |
| CONFIG_IPV6=y |
| CONFIG_NETFILTER=y |
| CONFIG_NF_CONNTRACK=y |
| CONFIG_NETFILTER_XT_MATCH_STATE=y |
| CONFIG_NF_CONNTRACK_IPV4=y |
| CONFIG_NF_NAT_IPV4=y |
| CONFIG_NF_NAT_MASQUERADE_IPV4=y |
| CONFIG_IP_NF_IPTABLES=y |
| CONFIG_IP_NF_FILTER=y |
| CONFIG_NF_CONNTRACK_IPV6=y |
| CONFIG_IP6_NF_IPTABLES=y |
| CONFIG_IP6_NF_FILTER=y |
| |
| CONFIG_STAGING=y |
| CONFIG_ANDROID=y |
| CONFIG_ANDROID_BINDER_IPC=y |
| CONFIG_ASHMEM=y |
| |
| # Enable SELinux. |
| CONFIG_SECURITY=y |
| CONFIG_AUDIT=y |
| CONFIG_SECURITY_NETWORK=y |
| CONFIG_SECURITY_SELINUX=y |
| CONFIG_EXT4_FS_SECURITY=y |
| |
| # Require seccomp-bpf. |
| CONFIG_SECCOMP=y |
| CONFIG_SECCOMP_FILTER=y |
| |
| # Turn on all the namespaces, except USER_NS, which is missing in old |
| # kernels, and incomplete or overtly buggy in later ones. |
| CONFIG_NAMESPACES=y |
| CONFIG_PID_NS=y |
| CONFIG_NET_NS=y |
| CONFIG_UTS_NS=y |
| CONFIG_IPC_NS=y |
| |
| # Make sure kernel page tables have safe permissions. |
| CONFIG_DEBUG_KERNEL=y |
| CONFIG_DEBUG_RODATA=y |
| |
| # Blocks direct physical memory access. |
| CONFIG_STRICT_DEVMEM=y |
| |
| # Provides some protections against SYN flooding. |
| CONFIG_SYN_COOKIES=y |
| |
| # Perform additional validation of credentials. |
| CONFIG_DEBUG_CREDENTIALS=y |
| |
| # Use -fstack-protector for stack canary coverage. |
| CONFIG_CC_STACKPROTECTOR=y |
| |
| # Dangerous; allows direct physical memory writing. |
| # CONFIG_ACPI_CUSTOM_METHOD is not set |
| |
| # Dangerous; disables brk ASLR. |
| # CONFIG_COMPAT_BRK is not set |
| |
| # Dangerous; disables VDSO ASLR. |
| # CONFIG_COMPAT_VDSO is not set |
| |
| # Dangerous; allows direct kernel memory writing. |
| # CONFIG_DEVKMEM is not set |
| |
| # Dangerous; allows replacement of running kernel. |
| # CONFIG_KEXEC is not set |
| |
| # Dangerous; allows replacement of running kernel. |
| # CONFIG_HIBERNATION is not set |
| |
| # Assists heap memory attacks; best to keep interface disabled. |
| # CONFIG_INET_DIAG is not set |
| |
| # Easily confused by misconfigured userspace, keep off. |
| # CONFIG_BINFMT_MISC is not set |
| |
| # Always build a monolithic kernel to remove the kernel module attack surface. |
| # CONFIG_MODULES is not set |
| |
| # We use the modern PTY interface (devpts) only. |
| # CONFIG_LEGACY_PTYS is not set |
| |
| # Reboot devices immediately if they experience a kernel Oops. |
| CONFIG_PANIC_ON_OOPS=y |
| CONFIG_PANIC_TIMEOUT=-1 |
| |
| # Provide /proc/config.gz to examine kernel configs on running system. |
| CONFIG_IKCONFIG=y |
| |
| # This helps with debugging by including debug info in the ELF, |
| # but shouldn't affect the runtime code size at all. |
| CONFIG_DEBUG_INFO=y |
| |
| # Enable pstore to allow kernel panic crash collection. |
| CONFIG_PSTORE=y |
| CONFIG_PSTORE_CONSOLE=y |
| CONFIG_PSTORE_FTRACE=y |
| CONFIG_PSTORE_RAM=y |
| |
| # Enable the FTDI driver. |
| CONFIG_USB_SERIAL_FTDI_SIO=y |
| CONFIG_USB_SERIAL=y |