From 391c8b2e5bb97f8f5d029a17cc4c99e2afaf6709 Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 16 Apr 2026 21:50:14 +0000 Subject: [PATCH 1/5] security(kernel): enable kernel data-structure corruption detection Enable LIST_HARDENED and BUG_ON_DATA_CORRUPTION on both x86_64 and aarch64, which pulls in DEBUG_LIST, DEBUG_PLIST, DEBUG_SG, and DEBUG_NOTIFIERS. Kernel panics on detected list-head/scatterlist/ notifier/credential corruption; KSPP recommended. --- base/comps/kernel/6.18-aarch64-azl.config | 12 ++++++------ base/comps/kernel/6.18-x86_64-azl.config | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/base/comps/kernel/6.18-aarch64-azl.config b/base/comps/kernel/6.18-aarch64-azl.config index 04b38e40f2c..52e7ebd5e94 100644 --- a/base/comps/kernel/6.18-aarch64-azl.config +++ b/base/comps/kernel/6.18-aarch64-azl.config @@ -13538,8 +13538,8 @@ CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y # # Hardening of kernel data structures # -# CONFIG_LIST_HARDENED is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_LIST_HARDENED=y +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Hardening of kernel data structures # CONFIG_CFI is not set @@ -14307,10 +14307,10 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set -# CONFIG_DEBUG_PLIST is not set -# CONFIG_DEBUG_SG is not set -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_LIST=y +CONFIG_DEBUG_PLIST=y +CONFIG_DEBUG_SG=y +CONFIG_DEBUG_NOTIFIERS=y # CONFIG_DEBUG_CLOSURES is not set # CONFIG_DEBUG_MAPLE_TREE is not set # end of Debug kernel data structures diff --git a/base/comps/kernel/6.18-x86_64-azl.config b/base/comps/kernel/6.18-x86_64-azl.config index b8a4c7590b5..56a9608044e 100644 --- a/base/comps/kernel/6.18-x86_64-azl.config +++ b/base/comps/kernel/6.18-x86_64-azl.config 
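Review bot: In the `@@ -14307` hunk, CONFIG_DEBUG_PLIST=y is enabled alongside the other DEBUG_* options, but I don't believe it is on the KSPP list, and its Kconfig help describes it as a debugging aid with run-time and memory overhead on priority-ordered lists, so please confirm it is intended rather than a bulk enable. The commit message says BUG_ON_DATA_CORRUPTION "pulls in" these four options; as far as I can tell it only selects LIST_HARDENED, and DEBUG_LIST/DEBUG_SG/DEBUG_NOTIFIERS are independent choices that this hunk sets explicitly, so the message should describe them as enabled separately. It also cites "credential corruption", but no credential-check option appears in either hunk (DEBUG_CREDENTIALS was removed upstream well before 6.18, if I recall), so that word should be dropped or the option named. Because these checks now BUG() rather than WARN(), it is worth confirming that crash-dump collection for these images captures the resulting panics so a detection is actionable rather than just an outage. The same points apply to the x86_64 hunks at `@@ -7666` and `@@ -8353`.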
@@ -7666,8 +7666,8 @@ CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y # # Hardening of kernel data structures # -# CONFIG_LIST_HARDENED is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_LIST_HARDENED=y +CONFIG_BUG_ON_DATA_CORRUPTION=y # end of Hardening of kernel data structures # CONFIG_CFI is not set @@ -8353,10 +8353,10 @@ CONFIG_STACKTRACE=y # # Debug kernel data structures # -# CONFIG_DEBUG_LIST is not set -# CONFIG_DEBUG_PLIST is not set -# CONFIG_DEBUG_SG is not set -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_LIST=y +CONFIG_DEBUG_PLIST=y +CONFIG_DEBUG_SG=y +CONFIG_DEBUG_NOTIFIERS=y # CONFIG_DEBUG_CLOSURES is not set # CONFIG_DEBUG_MAPLE_TREE is not set # end of Debug kernel data structures From 58d0e57619a2c64f489c9c57e3ffc89542e20002 Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 16 Apr 2026 21:50:29 +0000 Subject: [PATCH 2/5] security(kernel): disable slab cache merging by default Set CONFIG_SLAB_MERGE_DEFAULT=n on x86_64 and aarch64 so distinct allocation sites get distinct slab caches. Makes heap-spray attacks harder by eliminating cross-site cache aliasing. Small memory overhead (~few MB). Runtime-overridable via the slab_merge= boot parameter if a regression is observed. KSPP recommended. --- base/comps/kernel/6.18-aarch64-azl.config | 2 +- base/comps/kernel/6.18-x86_64-azl.config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/base/comps/kernel/6.18-aarch64-azl.config b/base/comps/kernel/6.18-aarch64-azl.config index 52e7ebd5e94..28e003a0c6f 100644 --- a/base/comps/kernel/6.18-aarch64-azl.config +++ b/base/comps/kernel/6.18-aarch64-azl.config @@ -1179,7 +1179,7 @@ CONFIG_ZSMALLOC_CHAIN_SIZE=8 CONFIG_SLUB=y CONFIG_KVFREE_RCU_BATCHED=y # CONFIG_SLUB_TINY is not set -CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_MERGE_DEFAULT is not set CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLAB_BUCKETS=y 
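Review bot: The escape hatch named in the commit message, `slab_merge=`, is not a valued parameter: kernel-parameters.txt documents the bare flags `slab_merge` (re-enable merging when built with SLAB_MERGE_DEFAULT=n) and `slab_nomerge`, so the message should say `slab_merge`. `# CONFIG_SLAB_MERGE_DEFAULT is not set` is the correct form for the disabled bool, so the hunk itself needs no change; the x86_64 hunk at `@@ -1195` has the same message issue. The "distinct allocation sites get distinct slab caches" wording also overstates the effect: unless I'm misreading, de-merging keeps named kmem_cache_create() caches apart from each other and from the kmalloc size classes, but plain kmalloc() callers of the same size still share a cache (CONFIG_SLAB_BUCKETS=y, visible in the hunk, separates only the explicitly bucketed call sites), so a sentence scoping the benefit would help future readers judge what this does and does not cover.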
diff --git a/base/comps/kernel/6.18-x86_64-azl.config b/base/comps/kernel/6.18-x86_64-azl.config index 56a9608044e..44e9237f95a 100644 --- a/base/comps/kernel/6.18-x86_64-azl.config +++ b/base/comps/kernel/6.18-x86_64-azl.config @@ -1195,7 +1195,7 @@ CONFIG_ZSMALLOC_CHAIN_SIZE=8 CONFIG_SLUB=y CONFIG_KVFREE_RCU_BATCHED=y # CONFIG_SLUB_TINY is not set -CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_MERGE_DEFAULT is not set CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLAB_BUCKETS=y From 83e91bffd355e57a54493946e13603e08e5b9ca7 Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 16 Apr 2026 21:50:53 +0000 Subject: [PATCH 3/5] security(kernel): enable CET/IBT and remove legacy vsyscall on x86_64 Enable CONFIG_X86_KERNEL_IBT to turn on Indirect Branch Tracking via Intel CET, blocking indirect-branch-based ROP/JOP gadgets at the hardware level. No cost on modern CPUs (Tiger Lake+/Zen3+); gracefully disabled on older CPUs. Switch from LEGACY_VSYSCALL_XONLY to LEGACY_VSYSCALL_NONE to remove the legacy vsyscall page entirely. Userspace has used the vDSO for years; the vsyscall=emulate boot parameter remains available as an escape hatch for very old containers. --- base/comps/kernel/6.18-x86_64-azl.config | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/base/comps/kernel/6.18-x86_64-azl.config b/base/comps/kernel/6.18-x86_64-azl.config index 44e9237f95a..40952b9ab39 100644 --- a/base/comps/kernel/6.18-x86_64-azl.config +++ b/base/comps/kernel/6.18-x86_64-azl.config @@ -493,7 +493,7 @@ CONFIG_X86_PAT=y CONFIG_X86_UMIP=y CONFIG_CC_HAS_IBT=y CONFIG_X86_CET=y -# CONFIG_X86_KERNEL_IBT is not set +CONFIG_X86_KERNEL_IBT=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_ARCH_PKEY_BITS=4 CONFIG_X86_INTEL_TSX_MODE_OFF=y 
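Review bot: With `# CONFIG_CFI is not set` (visible in the patch 1 hunks), CONFIG_X86_KERNEL_IBT=y provides coarse-grained forward-edge enforcement only — an indirect branch must land on an ENDBR, but every ENDBR-prefixed function stays a valid target — so the message's "blocking indirect-branch-based ROP/JOP gadgets at the hardware level" should be qualified; finer granularity would need kCFI/FineIBT on top. The prerequisites are already satisfied in the hunk (CONFIG_CC_HAS_IBT=y, CONFIG_X86_CET=y), which looks right. As the vsyscall part of this commit does, name the runtime escape hatch, `ibt=off`, and add a caution that any module built outside kbuild without the kernel's `-fcf-protection=branch` flag (e.g. binary-only modules) will lack ENDBR and, as far as I can tell, will fault on its first indirect entry. I would also verify the "Zen3+" claim: the AMD CET support I know of is shadow-stack only, so the kernel may end up disabling IBT on those parts (check for the `ibt` flag in /proc/cpuinfo on the target fleet) before the message promises no-cost coverage there.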
@@ -535,8 +535,8 @@ CONFIG_RANDOMIZE_MEMORY=y CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa CONFIG_HOTPLUG_CPU=y # CONFIG_COMPAT_VDSO is not set -CONFIG_LEGACY_VSYSCALL_XONLY=y -# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_LEGACY_VSYSCALL_XONLY is not set +CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_CMDLINE_BOOL is not set CONFIG_MODIFY_LDT_SYSCALL=y # CONFIG_STRICT_SIGALTSTACK_SIZE is not set From c2f41073ef368a129c62b89d26f8bdc2952f0ce8 Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 16 Apr 2026 21:51:20 +0000 Subject: [PATCH 4/5] security(kernel): LSM mmap floor on x86_64, SMMU default-deny on aarch64 x86_64: - Raise CONFIG_LSM_MMAP_MIN_ADDR from 0 to 65536 so LSMs enforce the same mmap floor as vm.mmap_min_addr, blocking NULL-deref kernel-exploit primitives. aarch64: - Enable CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT so unassigned devices cannot DMA through the SMMU without an explicit mapping. --- base/comps/kernel/6.18-aarch64-azl.config | 2 +- base/comps/kernel/6.18-x86_64-azl.config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/base/comps/kernel/6.18-aarch64-azl.config b/base/comps/kernel/6.18-aarch64-azl.config index 28e003a0c6f..feede9602b5 100644 --- a/base/comps/kernel/6.18-aarch64-azl.config +++ b/base/comps/kernel/6.18-aarch64-azl.config @@ -11226,7 +11226,7 @@ CONFIG_IOMMU_SVA=y CONFIG_IOMMU_IOPF=y CONFIG_ARM_SMMU=y # CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS is not set -# CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT is not set +CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y CONFIG_ARM_SMMU_MMU_500_CPRE_ERRATA=y CONFIG_ARM_SMMU_QCOM=y # CONFIG_ARM_SMMU_QCOM_DEBUG is not set diff --git a/base/comps/kernel/6.18-x86_64-azl.config b/base/comps/kernel/6.18-x86_64-azl.config index 40952b9ab39..7c4123fd30b 100644 --- a/base/comps/kernel/6.18-x86_64-azl.config +++ b/base/comps/kernel/6.18-x86_64-azl.config 
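Review bot: CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT only governs the arm-smmu (SMMUv1/v2) driver; as far as I can tell arm-smmu-v3 already defaults to aborting unmatched streams, so "SMMU default-deny" in the title and message should be scoped to SMMUv1/v2 if that matches the driver build here. The option's Kconfig help warns that firmware which does not describe a device's StreamIDs will now see DMA faults instead of silent bypass, and the runtime override is the module parameter `arm-smmu.disable_bypass=0`; name it in the message as patches 2 and 3 do for their escape hatches. A boot on the aarch64 platforms this config targets, checking dmesg for SMMU fault reports, would confirm that nothing relied on bypass.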
@@ -7536,7 +7536,7 @@ CONFIG_SECURITY_INFINIBAND=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y CONFIG_INTEL_TXT=y -CONFIG_LSM_MMAP_MIN_ADDR=0 +CONFIG_LSM_MMAP_MIN_ADDR=65536 # CONFIG_STATIC_USERMODEHELPER is not set CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y From bdfb314b21ef76f2133a9346f4b678098a141559 Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 16 Apr 2026 21:51:34 +0000 Subject: [PATCH 5/5] kernel: bump azl_pkgrelease to 9 for hardening changes Rebuild kernel RPMs to pick up the hardening config changes (data-structure corruption detection, slab de-merge, x86 CET/IBT, LEGACY_VSYSCALL_NONE, LSM mmap floor, SMMU default-deny). --- base/comps/kernel/kernel.comp.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/comps/kernel/kernel.comp.toml b/base/comps/kernel/kernel.comp.toml index 25e4b5dec06..2f4f3fe382c 100644 --- a/base/comps/kernel/kernel.comp.toml +++ b/base/comps/kernel/kernel.comp.toml @@ -6,7 +6,7 @@ without = ["debug"] [components.kernel.build.defines] # RPM release number for the Azure Linux kernel package -azl_pkgrelease = "8" +azl_pkgrelease = "9" # 4th version component from the AZL kernel source (6.18.5.1). Included in specrelease so it appears # in the RPM Release tag, uname -r, and /lib/modules/ path (e.g. 6.18.5-1.3.azl4.aarch64). kextraversion = "1"
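Review bot: The new value matches the Kconfig default for CONFIG_LSM_MMAP_MIN_ADDR on x86_64 (65536; ARM and ARM64-with-COMPAT default to 32768), and the option's SELinux dependency is met in the hunk (CONFIG_SECURITY_SELINUX=y), so the change looks correct. The message's "same mmap floor as vm.mmap_min_addr" is slightly off: the effective floor is the larger of the DAC sysctl and this LSM value, so what the change buys is that lowering vm.mmap_min_addr, or holding CAP_SYS_RAWIO which bypasses only the DAC check, no longer lets a process map below 64 KiB without SELinux's mmap_zero permission; consider rewording along those lines. This hunk leaves the aarch64 config untouched; if it also carries LSM_MMAP_MIN_ADDR=0 (not visible here), the same raise belongs there, using 32768 where COMPAT is enabled.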