On the occasion of stripping the generic kernel down to a custom one, I'd like to ask some questions:
1. The x32 ABI option seems useless in a distribution without recompiling all packages.
Some non-invasive security options:
1. CONFIG_SECURITY_YAMA - Yama, switched on via /proc/sys/kernel/yama/ptrace_scope (default 1).
https://www.kernel.org/doc/Documenta...urity/Yama.txt
2. CONFIG_DEVKMEM - should be disabled.
3. CONFIG_DEBUG_RODATA - this makes sure that certain kernel data sections are marked to block modification.
CONFIG_DEBUG_MODULE_RONX - the same for modules.
4. CONFIG_CC_STACKPROTECTOR - the strong option, from gcc 4.9 (there is 5.3).
5. /proc/sys/kernel/kptr_restrict set to "1" to block the reporting of known kernel address leaks to users.
6. Maybe the hardlink and symlink restrictions in /proc/sys/fs/ set to 1, but this may break some world-writable shares from Samba.
It is only a suggestion to Pat.
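As an added example (not part of the post above, and not a Slackware script), here is a POSIX shell audit for the items in that list: it checks a kernel .config for the build options and a /proc/sys tree for the runtime sysctls. It assumes the Kconfig symbol CONFIG_DEBUG_SET_MODULE_RONX for the module RO/NX option the post mentions and CONFIG_CC_STACKPROTECTOR_STRONG for the "strong" stack protector; the sample tree it builds is constructed test data, with yama/ptrace_scope deliberately left at 0 so that exactly one check fails.

```sh
#!/bin/sh
# Added example, not from the original post: audit a kernel .config and a
# /proc/sys tree against the hardening options listed above.
# Assumed Kconfig names: CONFIG_DEBUG_SET_MODULE_RONX (module RO/NX) and
# CONFIG_CC_STACKPROTECTOR_STRONG (the "strong" stack protector).

# check_kconfig FILE OPTION WANT
# WANT is y, m or n; an absent line or "# CONFIG_X is not set" counts as n.
# Returns 0 when the file matches, 1 otherwise.
check_kconfig() {
    kc_file=$1; kc_opt=$2; kc_want=$3
    if [ ! -r "$kc_file" ]; then
        printf 'FAIL %s: config file %s not readable\n' "$kc_opt" "$kc_file"
        return 1
    fi
    if grep -q "^${kc_opt}=y\$" "$kc_file"; then kc_have=y
    elif grep -q "^${kc_opt}=m\$" "$kc_file"; then kc_have=m
    else kc_have=n
    fi
    if [ "$kc_have" = "$kc_want" ]; then
        printf 'OK   %s=%s\n' "$kc_opt" "$kc_have"
        return 0
    fi
    printf 'FAIL %s=%s (want %s)\n' "$kc_opt" "$kc_have" "$kc_want"
    return 1
}

# check_sysctl FILE WANT
# Compares the value in a /proc/sys file with WANT. A missing file (feature
# not built in, or the kernel is too old to have it) counts as a failure.
check_sysctl() {
    sc_file=$1; sc_want=$2
    if [ ! -r "$sc_file" ]; then
        printf 'FAIL %s missing\n' "$sc_file"
        return 1
    fi
    sc_have=$(cat "$sc_file")
    if [ "$sc_have" = "$sc_want" ]; then
        printf 'OK   %s=%s\n' "$sc_file" "$sc_have"
        return 0
    fi
    printf 'FAIL %s=%s (want %s)\n' "$sc_file" "$sc_have" "$sc_want"
    return 1
}

# audit_hardening CONFIG [ROOT]
# Runs every check from the list above. ROOT is prefixed to the /proc/sys
# paths so a saved copy of the tree can be audited. Returns the number of
# failed checks (0 means everything is set as suggested).
audit_hardening() {
    au_cfg=$1; au_root=${2:-}; au_fails=0
    check_kconfig "$au_cfg" CONFIG_SECURITY_YAMA y            || au_fails=$((au_fails + 1))
    check_kconfig "$au_cfg" CONFIG_DEVKMEM n                  || au_fails=$((au_fails + 1))
    check_kconfig "$au_cfg" CONFIG_DEBUG_RODATA y             || au_fails=$((au_fails + 1))
    check_kconfig "$au_cfg" CONFIG_DEBUG_SET_MODULE_RONX y    || au_fails=$((au_fails + 1))
    check_kconfig "$au_cfg" CONFIG_CC_STACKPROTECTOR_STRONG y || au_fails=$((au_fails + 1))
    check_sysctl "$au_root/proc/sys/kernel/yama/ptrace_scope" 1 || au_fails=$((au_fails + 1))
    check_sysctl "$au_root/proc/sys/kernel/kptr_restrict" 1     || au_fails=$((au_fails + 1))
    check_sysctl "$au_root/proc/sys/fs/protected_hardlinks" 1   || au_fails=$((au_fails + 1))
    check_sysctl "$au_root/proc/sys/fs/protected_symlinks" 1    || au_fails=$((au_fails + 1))
    return $au_fails
}

# make_sample_tree DIR
# Constructed sample data: a .config with the options set as suggested and a
# fake /proc/sys tree where yama/ptrace_scope is deliberately left at 0.
make_sample_tree() {
    mkdir -p "$1/proc/sys/kernel/yama" "$1/proc/sys/fs"
    printf '%s\n' 'CONFIG_SECURITY_YAMA=y' \
        '# CONFIG_DEVKMEM is not set' \
        'CONFIG_DEBUG_RODATA=y' \
        'CONFIG_DEBUG_SET_MODULE_RONX=y' \
        'CONFIG_CC_STACKPROTECTOR_STRONG=y' > "$1/config"
    echo 0 > "$1/proc/sys/kernel/yama/ptrace_scope"
    echo 1 > "$1/proc/sys/kernel/kptr_restrict"
    echo 1 > "$1/proc/sys/fs/protected_hardlinks"
    echo 1 > "$1/proc/sys/fs/protected_symlinks"
}

# Usage: sh kcheck.sh [/path/to/.config [ROOT]]
# With no arguments the constructed sample tree is audited (one expected FAIL).
if [ $# -ge 1 ]; then
    audit_hardening "$1" "${2:-}" || :
else
    demo_dir=$(mktemp -d)
    make_sample_tree "$demo_dir"
    echo "No config given; auditing the constructed sample tree"
    audit_hardening "$demo_dir/config" "$demo_dir" || :
    rm -rf "$demo_dir"
fi
```

On a live machine run it as `sh kcheck.sh /boot/config-$(uname -r)` (or against a decompressed /proc/config.gz) with no ROOT argument so the real /proc/sys is read; the sysctl values come from /etc/sysctl.conf or /etc/sysctl.d at boot, so a FAIL on a sysctl line points at that file rather than at the kernel build.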