Add a couple simple hardening options

DemiMarie · DemiMarie · commit e82e4d4f2d63 · 2022-04-06T23:26:26.000-04:00
This assumes that nobody needs to run software that really needs
CONFIG_MODIFY_LDT_SYSCALL.  Not tested, but should be rather
straightforward.
diff --git a/config-qubes b/config-qubes
@@ -31,7 +31,10 @@ CONFIG_GCC_PLUGINS=y
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
-## XXX: What's about RANDSTRUCT?
+CONFIG_ZERO_CALL_USED_REGS=y
+CONFIG_SLUB_DEBUG_ON=y
+## XXX: What's about RANDSTRUCT?  Answer: not useful against attacks targeting
+## Qubes, useful against generic attacks
 
 ## Those depend on CONFIG_EXPERT
 CONFIG_ARCH_MMAP_RND_BITS=32
@@ -41,6 +44,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
 
 # CONFIG_LEGACY_VSYSCALL_EMULATE is not set
 CONFIG_LEGACY_VSYSCALL_NONE=y
+# CONFIG_MODIFY_LDT_SYSCALL is not set
 
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
