diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index f28de44d7..addc568d9 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -1163,7 +1163,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
@@ -1564,6 +1568,7 @@ CONFIG_BRIDGE_EBT_LOG=y
 CONFIG_BRIDGE_EBT_NFLOG=y
 # CONFIG_BPFILTER is not set
 CONFIG_IP_DCCP=y
+CONFIG_INET_DCCP_DIAG=y
 
 #
 # DCCP CCIDs Configuration
@@ -1587,6 +1592,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=y
 CONFIG_RDS=y
 # CONFIG_RDS_RDMA is not set
 # CONFIG_RDS_TCP is not set
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index a2ad8ad10..13aa39deb 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -1198,7 +1198,11 @@ CONFIG_INET_IPCOMP=y
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=y
 CONFIG_INET_TUNNEL=y
-# CONFIG_INET_DIAG is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+CONFIG_INET_UDP_DIAG=y
+# CONFIG_INET_RAW_DIAG is not set
+CONFIG_INET_DIAG_DESTROY=y
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
 CONFIG_TCP_CONG_CUBIC=y
@@ -1606,6 +1610,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=y
 CONFIG_RDS=y
 # CONFIG_RDS_RDMA is not set
 # CONFIG_RDS_TCP is not set
diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py
index b13a5d481..7922dd66c 100644
--- a/kernel/build/scripts/filter-hardened-check.py
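Review bot: CONFIG_INET_DIAG_DESTROY=y in the first config-amd64 hunk (@@ -1163) and the matching config-arm64 hunk (@@ -1198) turns on the SOCK_DESTROY sock_diag command, which lets a suitably privileged process in the socket's network namespace tear down live TCP connections from userspace; that is presumably the piece a CNI needs to terminate sockets, but it is a write path rather than the read-only diagnostics the other new options add, and nothing in the config change records that it is enabled on purpose. As far as I recall the kernel gates SOCK_DESTROY on CAP_NET_ADMIN in the socket's netns, so exposure is bounded by who holds that capability, and keeping CONFIG_INET_RAW_DIAG unset sensibly leaves raw sockets out of the new surface. The decision belongs in a comment next to the INET_DIAG exception in filter-hardened-check.py rather than in these generated configs, e.g. `# CONFIG_INET_DIAG_DESTROY (SOCK_DESTROY, CAP_NET_ADMIN-gated) is deliberately on so the CNI can terminate sockets`. Separately, config-amd64 gains CONFIG_INET_DCCP_DIAG=y (@@ -1564) but config-arm64 has no corresponding hunk; if CONFIG_IP_DCCP is also enabled on arm64 the two configs should be kept in step, otherwise this is expected.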
+++ b/kernel/build/scripts/filter-hardened-check.py
@@ -31,6 +31,7 @@
 'CONFIG_SECURITY_SELINUX_DEVELOP', # SELinux enabled, but permissive unless enforcing=1. TODO: force enforcing mode when complete
 'CONFIG_SPECULATION_MITIGATIONS', # Renamed in the kernel to 'CONFIG_CPU_MITIGATIONS'
 'CONFIG_EFI_DISABLE_PCI_DMA', # enabling this breaks boot with no visible error messages to debug (https://github.com/siderolabs/talos/issues/8743)
+ 'CONFIG_INET_DIAG', # last vulnerability prior to v4.1. Required for CNIs such as Cilium to terminate sockets. (https://github.com/siderolabs/pkgs/issues/1028)
 }
 
 """
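Review bot: The comment on the added 'CONFIG_INET_DIAG' entry is ambiguous — "last vulnerability prior to v4.1" does not say whether the checker's recommendation rests on issues fixed before v4.1 or on something else, and the entry does not mention that the configs in this same commit also enable CONFIG_INET_DIAG_DESTROY, which is the socket-termination capability the justification actually relies on. I would reword it to something like `'CONFIG_INET_DIAG', # hardened-check wants this off (attack surface; its known issues predate v4.1). Kept on, together with CONFIG_INET_DIAG_DESTROY, so CNIs such as Cilium can terminate sockets (https://github.com/siderolabs/pkgs/issues/1028)`. If the checker also reports the new sub-options (the TCP/UDP/SCTP/DCCP diag modules and DIAG_DESTROY), they will need entries here too; I cannot tell from this hunk whether it does. The set literal this entry belongs to starts before the hunk.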