Skip to content

[redhat] New configs in security/Kconfig.hardening

CKI ARK Botrequested to merge
configs/os-build/2025-07-29/security/Kconfig.hardening into os-build

Fixes: RHEL-106306
Hi,

As part of the ongoing rebase effort, the following configuration options need to be reviewed.

As a reminder, the ARK configuration flow involves moving unreviewed configuration options from the pending directory to the ark directory. In the diff below, options are removed from the pending directory and added to the ark hierarchy. The final options that need to be ACKed are the files that are being added to the ark hierarchy.

If the value for a file that is added should be changed, please reply with a better option.

Symbol: KSTACK_ERASE [=n]
Type  : bool
Defined at security/Kconfig.hardening:88
  Prompt: Poison kernel stack before returning from syscalls
  Depends on: HAVE_ARCH_KSTACK_ERASE [=y] && (GCC_PLUGINS [=n] || CC_HAS_SANCOV_STACK_DEPTH_CALLBACK [=y])
  Location:
    -> Security options
      -> Kernel hardening options
        -> Memory initialization
          -> Poison kernel stack before returning from syscalls (KSTACK_ERASE [=n])

Commit: 57fbad15 (stackleak: Rename STACKLEAK to KSTACK_ERASE)

Signed-off-by: Fedora Kernel Team kernel-team@fedoraproject.org

Edited by CKI KWF Bot

Merge request reports