security(kernel): enable hardening config defaults

base/comps/kernel/6.18-aarch64-azl.config

@@ -1179,7 +1179,7 @@ CONFIG_ZSMALLOC_CHAIN_SIZE=8
 CONFIG_SLUB=y
 CONFIG_KVFREE_RCU_BATCHED=y
 # CONFIG_SLUB_TINY is not set
-CONFIG_SLAB_MERGE_DEFAULT=y
+# CONFIG_SLAB_MERGE_DEFAULT is not set
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_SLAB_BUCKETS=y
@@ -11226,7 +11226,7 @@ CONFIG_IOMMU_SVA=y
 CONFIG_IOMMU_IOPF=y
 CONFIG_ARM_SMMU=y
 # CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS is not set
-# CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT is not set
+CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y
 CONFIG_ARM_SMMU_MMU_500_CPRE_ERRATA=y
 CONFIG_ARM_SMMU_QCOM=y
 # CONFIG_ARM_SMMU_QCOM_DEBUG is not set
@@ -13538,8 +13538,8 @@ CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y
 #
 # Hardening of kernel data structures
 #
-# CONFIG_LIST_HARDENED is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_LIST_HARDENED=y
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Hardening of kernel data structures
 
 # CONFIG_CFI is not set
@@ -14307,10 +14307,10 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
-# CONFIG_DEBUG_PLIST is not set
-# CONFIG_DEBUG_SG is not set
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_PLIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
 # CONFIG_DEBUG_CLOSURES is not set
 # CONFIG_DEBUG_MAPLE_TREE is not set
 # end of Debug kernel data structures

base/comps/kernel/6.18-x86_64-azl.config

@@ -493,7 +493,7 @@ CONFIG_X86_PAT=y
 CONFIG_X86_UMIP=y
 CONFIG_CC_HAS_IBT=y
 CONFIG_X86_CET=y
-# CONFIG_X86_KERNEL_IBT is not set
+CONFIG_X86_KERNEL_IBT=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_ARCH_PKEY_BITS=4
 CONFIG_X86_INTEL_TSX_MODE_OFF=y
@@ -535,8 +535,8 @@ CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_COMPAT_VDSO is not set
-CONFIG_LEGACY_VSYSCALL_XONLY=y
-# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_LEGACY_VSYSCALL_XONLY is not set
+CONFIG_LEGACY_VSYSCALL_NONE=y
 # CONFIG_CMDLINE_BOOL is not set
 CONFIG_MODIFY_LDT_SYSCALL=y
 # CONFIG_STRICT_SIGALTSTACK_SIZE is not set
@@ -1195,7 +1195,7 @@ CONFIG_ZSMALLOC_CHAIN_SIZE=8
 CONFIG_SLUB=y
 CONFIG_KVFREE_RCU_BATCHED=y
 # CONFIG_SLUB_TINY is not set
-CONFIG_SLAB_MERGE_DEFAULT=y
+# CONFIG_SLAB_MERGE_DEFAULT is not set
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_SLAB_BUCKETS=y
@@ -7536,7 +7536,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
 CONFIG_INTEL_TXT=y
-CONFIG_LSM_MMAP_MIN_ADDR=0
+CONFIG_LSM_MMAP_MIN_ADDR=65536
 # CONFIG_STATIC_USERMODEHELPER is not set
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
@@ -7666,8 +7666,8 @@ CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y
 #
 # Hardening of kernel data structures
 #
-# CONFIG_LIST_HARDENED is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_LIST_HARDENED=y
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Hardening of kernel data structures
 
 # CONFIG_CFI is not set
@@ -8353,10 +8353,10 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
-# CONFIG_DEBUG_PLIST is not set
-# CONFIG_DEBUG_SG is not set
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_PLIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
 # CONFIG_DEBUG_CLOSURES is not set
 # CONFIG_DEBUG_MAPLE_TREE is not set
 # end of Debug kernel data structures

base/comps/kernel/kernel.comp.toml

@@ -6,7 +6,7 @@ without = ["debug"]
 
 [components.kernel.build.defines]
 # RPM release number for the Azure Linux kernel package
-azl_pkgrelease = "8"
+azl_pkgrelease = "9"
 # 4th version component from the AZL kernel source (6.18.5.1). Included in specrelease so it appears
 # in the RPM Release tag, uname -r, and /lib/modules/ path (e.g. 6.18.5-1.3.azl4.aarch64).
 kextraversion = "1"