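# Kernel config fragment: lockdown in integrity mode plus a few low-cost
# hardening options. Keep one option per line with no leading numbering,
# otherwise the config tooling will not recognise the assignments.
# A line of the form "# CONFIG_FOO is not set" is how a .config explicitly
# disables FOO; it is not ordinary commentary and must be kept verbatim.

# This is the equivalent of booting with lockdown=integrity.
# LOCKDOWN_LSM_EARLY brings the lockdown LSM up early in boot, and
# LOCK_DOWN_KERNEL_FORCE_INTEGRITY selects integrity mode at build time, so
# the setting does not depend on the boot command line.
# NOTE(review): integrity mode restricts interfaces that let userspace modify
# the running kernel, including loading unsigned modules. If the target uses
# loadable modules, confirm module signing is configured.
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y

# These are some general, reasonably inexpensive hardening options:
#   HARDENED_USERCOPY       - bounds-checks copies between kernel and userspace
#   FORTIFY_SOURCE          - overflow checks in common string/memory helpers
#   INIT_ON_ALLOC_DEFAULT_ON - zero-fills allocations by default (init_on_alloc=1)
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

# UBSAN bounds checking is very cheap and good for hardening.
# Only CONFIG_UBSAN itself is set here. The bounds checker (CONFIG_UBSAN_BOUNDS)
# is expected to follow from its Kconfig default. Verify it is =y in the
# generated .config. UBSAN_MISC is disabled to leave out the other, costlier
# checks.
# NOTE(review): without CONFIG_UBSAN_TRAP a detected violation is reported and
# execution continues, so as written this is detection rather than
# enforcement. Confirm that is the intent.
CONFIG_UBSAN=y
# CONFIG_UBSAN_MISC is not set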