arm64: configs: Disable CONFIG_SECURITY_SMACK and CONFIG_MODULE_FORCE_UNLOAD
Security hardening:
1. unset CONFIG_SECURITY_SMACK, which implicitly enables CONFIG_NETLABEL
2. unset CONFIG_MODULE_FORCE_UNLOAD to prevent use-after-free (UAF)
3. set CONFIG_SECURITY_NETWORK, which CONFIG_SECURITY_SELINUX depends on
Bug: 198690429
Signed-off-by: Roger Liao <rogerliao@google.com>
Change-Id: Iae7ac76d863bca8337ac8d0c608c5a1418c690a4
diff --git a/arch/arm64/configs/floral_defconfig b/arch/arm64/configs/floral_defconfig
index 921510f..ddb9e80 100644
--- a/arch/arm64/configs/floral_defconfig
+++ b/arch/arm64/configs/floral_defconfig
@@ -49,7 +49,6 @@
CONFIG_REFCOUNT_FULL=y
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODVERSIONS=y
# CONFIG_BLK_DEV_BSG is not set
CONFIG_PARTITION_ADVANCED=y
@@ -726,11 +725,11 @@
CONFIG_PFK_WRAPPED_KEY_SUPPORTED=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_PAGESPAN=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_SELINUX=y
-CONFIG_SECURITY_SMACK=y
CONFIG_INIT_STACK_ALL_ZERO=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_CRYPTO_NIAP_FPT_TST_EXT_11=y
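Review bot: Nothing in this hunk, or in the matching sunfish_defconfig hunk, pins the two outcomes the commit message relies on, namely that CONFIG_NETLABEL ends up off and CONFIG_SECURITY_SELINUX stays on. Kconfig silently drops a symbol whose dependencies are unmet and silently re-enables one that another option selects, so the defconfig text alone does not prove either result. Other options outside these hunks may still select CONFIG_NETLABEL. I would generate the `.config` for both targets and record in the commit message that it contains `CONFIG_SECURITY_SELINUX=y` and `# CONFIG_NETLABEL is not set`. A build-time check on those two symbols would also catch a later defconfig edit that reverses the hardening.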
diff --git a/arch/arm64/configs/sunfish_defconfig b/arch/arm64/configs/sunfish_defconfig
index 1e3356b..1634dfd 100644
--- a/arch/arm64/configs/sunfish_defconfig
+++ b/arch/arm64/configs/sunfish_defconfig
@@ -47,7 +47,6 @@
CONFIG_SHADOW_CALL_STACK=y
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODVERSIONS=y
# CONFIG_BLK_DEV_BSG is not set
CONFIG_PARTITION_ADVANCED=y
@@ -724,11 +723,11 @@
CONFIG_PFK=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_PAGESPAN=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_SELINUX=y
-CONFIG_SECURITY_SMACK=y
CONFIG_CRYPTO_NIAP_FPT_TST_EXT_11=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305=y