-rw-r--r-- | 4567_distro-Gentoo-Kconfig.patch | 251 |
1 files changed, 149 insertions, 102 deletions
diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch index 24b75095..97665869 100644 --- a/4567_distro-Gentoo-Kconfig.patch +++ b/4567_distro-Gentoo-Kconfig.patch @@ -1,14 +1,19 @@ ---- a/Kconfig 2021-06-04 19:03:33.646823432 -0400 -+++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400 +diff --git a/Kconfig b/Kconfig +index 745bc773f..e306bacea 100644 +--- a/Kconfig ++++ b/Kconfig @@ -30,3 +30,5 @@ source "lib/Kconfig" source "lib/Kconfig.debug" source "Documentation/Kconfig" + +source "distro/Kconfig" ---- /dev/null 2021-12-21 08:57:43.779324794 -0500 -+++ b/distro/Kconfig 2021-12-21 14:12:07.964572417 -0500 -@@ -0,0 +1,283 @@ +diff --git a/distro/Kconfig b/distro/Kconfig +new file mode 100644 +index 000000000..94d6e1886 +--- /dev/null ++++ b/distro/Kconfig +@@ -0,0 +1,295 @@ +menu "Gentoo Linux" + +config GENTOO_LINUX @@ -75,9 +80,8 @@ + CGROUPS (required for FEATURES=cgroup) + IPC_NS (required for FEATURES=ipc-sandbox) + NET_NS (required for FEATURES=network-sandbox) -+ PID_NS (required for FEATURES=pid-sandbox) ++ PID_NS (required for FEATURES=pid-sandbox) + SYSVIPC (required by IPC_NS) -+ + + It is highly recommended that you leave this enabled as these FEATURES + are, or will soon be, enabled by default. @@ -124,7 +128,7 @@ + select BPF_SYSCALL + select CGROUP_BPF + select CGROUPS -+ select CRYPTO_HMAC ++ select CRYPTO_HMAC + select CRYPTO_SHA256 + select CRYPTO_USER_API_HASH + select DEVPTS_MULTIPLE_INSTANCES 
@@ -166,102 +170,104 @@ + +endmenu + -+menuconfig GENTOO_KERNEL_SELF_PROTECTION -+ bool "Kernel Self Protection Project" -+ depends on GENTOO_LINUX -+ help -+ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project -+ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings -+ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due -+ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for -+ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your -+ specific architecture. -+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 -+ for X86_64 ++menu "Kernel Self Protection Project" ++ visible if GENTOO_LINUX + -+if GENTOO_KERNEL_SELF_PROTECTION -+config GENTOO_KERNEL_SELF_PROTECTION_COMMON ++config GENTOO_KERNEL_SELF_PROTECTION + bool "Enable Kernel Self Protection Project Recommendations" + -+ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS ++ depends on GENTOO_LINUX && EXPERT && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !MODIFY_LDT_SYSCALL + + select BUG -+ select STRICT_KERNEL_RWX -+ select DEBUG_WX -+ select STACKPROTECTOR -+ select STACKPROTECTOR_STRONG -+ select STRICT_DEVMEM if DEVMEM=y -+ select IO_STRICT_DEVMEM if DEVMEM=y -+ select SYN_COOKIES -+ select DEBUG_CREDENTIALS -+ select DEBUG_NOTIFIERS ++ select STRICT_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX ++ select DEBUG_FS ++ select DEBUG_WX if ARCH_HAS_DEBUG_WX && MMU ++ select STACKPROTECTOR if HAVE_STACKPROTECTOR ++ select STACKPROTECTOR_STRONG if HAVE_STACKPROTECTOR ++ select STRICT_DEVMEM if DEVMEM=y && (ARCH_HAS_DEVMEM_IS_ALLOWED || GENERIC_LIB_DEVMEM_IS_ALLOWED) ++ select IO_STRICT_DEVMEM 
if STRICT_DEVMEM ++ select SYN_COOKIES if NET && INET ++ select DEBUG_CREDENTIALS if DEBUG_KERNEL ++ select DEBUG_NOTIFIERS if DEBUG_KERNEL + select DEBUG_LIST -+ select DEBUG_SG ++ select DEBUG_SG if DEBUG_KERNEL + select BUG_ON_DATA_CORRUPTION -+ select SCHED_STACK_END_CHECK ++ select SCHED_STACK_END_CHECK if DEBUG_KERNEL + select SECCOMP if HAVE_ARCH_SECCOMP + select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER -+ select SECURITY_YAMA -+ select SLAB_FREELIST_RANDOM -+ select SLAB_FREELIST_HARDENED ++ select SECURITY if SYSFS && MULTIUSER ++ select SECURITY_YAMA if SECURITY ++ select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR ++ select SLAB_FREELIST_RANDOM if SLAB || SLUB ++ select SLAB_FREELIST_HARDENED if SLAB || SLUB + select SHUFFLE_PAGE_ALLOCATOR -+ select SLUB_DEBUG ++ select SLUB_DEBUG if SLUB && SYSFS ++ select SLUB_DEBUG_ON if SLUB_DEBUG + select PAGE_POISONING + select PAGE_POISONING_NO_SANITY + select PAGE_POISONING_ZERO + select INIT_ON_ALLOC_DEFAULT_ON + select INIT_ON_FREE_DEFAULT_ON -+ select REFCOUNT_FULL -+ select FORTIFY_SOURCE -+ select SECURITY_DMESG_RESTRICT ++ select FORTIFY_SOURCE if ARCH_HAS_FORTIFY_SOURCE && !CC_IS_CLANG ++ select SECURITY_DMESG_RESTRICT + select PANIC_ON_OOPS -+ select GCC_PLUGIN_LATENT_ENTROPY -+ select GCC_PLUGIN_STRUCTLEAK -+ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL -+ select GCC_PLUGIN_RANDSTRUCT -+ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE ++ select DEBUG_STACKOVERFLOW if DEBUG_KERNEL && HAVE_DEBUG_STACKOVERFLOW ++ select VMAP_STACK if HAVE_ARCH_VMAP_STACK ++ select STRICT_MODULE_RWX if ARCH_HAS_STRICT_MODULE_RWX && ARCH_OPTIONAL_KERNEL_RWX && MODULES ++ select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS ++ select INIT_STACK_ALL_PATTERN if CC_HAS_AUTO_VAR_INIT_PATTERN && !CC_HAS_AUTO_VAR_INIT_ZERO ++ select INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO ++ select GCC_PLUGINS if HAVE_GCC_PLUGINS && CC_IS_GCC ++ select GCC_PLUGIN_LATENT_ENTROPY if GCC_PLUGINS ++ select GCC_PLUGIN_STRUCTLEAK if 
GCC_PLUGINS ++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GCC_PLUGINS ++ select GCC_PLUGIN_STRUCTLEAK_VERBOSE if GCC_PLUGINS && GCC_PLUGIN_STRUCTLEAK ++ select GCC_PLUGIN_RANDSTRUCT if GCC_PLUGINS ++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE if GCC_PLUGINS && GCC_PLUGIN_RANDSTRUCT ++ select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS && HAVE_ARCH_STACKLEAK + + help -+ Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency -+ information on your specific architecture. Note 2: Please see the URL above for -+ numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64 ++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project ++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings ++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due ++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION and search for ++ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your ++ specific architecture. ++ Note 2: Please see the URL above for numeric settings, e.g. 
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 ++ for X86_64 + +config GENTOO_KERNEL_SELF_PROTECTION_X86_64 -+ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON ++ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION ++ ++ depends on X86_64 && GENTOO_KERNEL_SELF_PROTECTION ++ default y if X86_64 && GENTOO_KERNEL_SELF_PROTECTION + -+ depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION -+ default n -+ + select RANDOMIZE_BASE + select RANDOMIZE_MEMORY + select RELOCATABLE + select LEGACY_VSYSCALL_NONE -+ select PAGE_TABLE_ISOLATION -+ select GCC_PLUGIN_STACKLEAK -+ select VMAP_STACK ++ select PAGE_TABLE_ISOLATION + + +config GENTOO_KERNEL_SELF_PROTECTION_ARM64 + bool "ARM64 KSPP Settings" + -+ depends on ARM64 -+ default n ++ depends on ARM64 && GENTOO_KERNEL_SELF_PROTECTION ++ default y if ARM64 && GENTOO_KERNEL_SELF_PROTECTION + + select RANDOMIZE_BASE + select RELOCATABLE + select ARM64_SW_TTBR0_PAN + select CONFIG_UNMAP_KERNEL_AT_EL0 -+ select GCC_PLUGIN_STACKLEAK -+ select VMAP_STACK + +config GENTOO_KERNEL_SELF_PROTECTION_X86_32 + bool "X86_32 KSPP Settings" + -+ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 -+ default n ++ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 && GENTOO_KERNEL_SELF_PROTECTION ++ default y if X86_32 && GENTOO_KERNEL_SELF_PROTECTION + -+ select HIGHMEM64G -+ select X86_PAE ++ #select HIGHMEM64G ++ #select X86_PAE + select RANDOMIZE_BASE + select RELOCATABLE + select PAGE_TABLE_ISOLATION 
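Review bot: `select CONFIG_UNMAP_KERNEL_AT_EL0` in the ARM64 block carries the `CONFIG_` prefix, which Kconfig never uses in `select`, so it names a symbol that does not exist and the select is silently a no-op; it should read `select UNMAP_KERNEL_AT_EL0`. That line is unchanged context here, but it sits on the new side of the block this commit is reworking and the commit does not touch it. The rewritten `depends on` line of GENTOO_KERNEL_SELF_PROTECTION drops `!X86_X32` together with `!ACPI_CUSTOM_METHOD` and `!COMPAT_BRK`, yet unlike those two the x32 ABI receives no reverse `depends on !GENTOO_KERNEL_SELF_PROTECTION` in any hunk shown here, so that exclusion appears to be lost unless a hunk outside this view handles it. `select DEBUG_FS` is new in a hardening option and its purpose is not stated; a one-line Kconfig comment above it such as `# DEBUG_FS: <reason it is needed here>` would stop the next reader from treating it as a mistake. The unchanged `select PAGE_POISONING_NO_SANITY` and `select PAGE_POISONING_ZERO` lines may also be stale for the target kernel, as the dropped `select REFCOUNT_FULL` was; worth verifying against the tree this patch is rebased onto.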
@@ -269,14 +275,25 @@ +config GENTOO_KERNEL_SELF_PROTECTION_ARM + bool "ARM KSPP Settings" + -+ depends on !OABI_COMPAT && ARM -+ default n ++ depends on !OABI_COMPAT && ARM && GENTOO_KERNEL_SELF_PROTECTION ++ default y if ARM && GENTOO_KERNEL_SELF_PROTECTION + + select VMSPLIT_3G + select STRICT_MEMORY_RWX + select CPU_SW_DOMAIN_PAN + -+endif ++config GENTOO_KERNEL_SELF_PROTECTION_PPC ++ bool "PPC KSPP Settings" ++ ++ depends on !SCOM_DEBUGFS && !OPAL_CORE && PPC && GENTOO_KERNEL_SELF_PROTECTION ++ default y if PPC && GENTOO_KERNEL_SELF_PROTECTION ++ ++ select PPC_KUEP if PPC_HAVE_KUEP ++ select PPC_KUAP if PPC_HAVE_KUAP ++ select PPC_MEM_KEYS if PPC_BOOK3S_64 ++ select PPC_SUBPAGE_PROT if PPC_BOOK3S_64 && PPC_64K_PAGES ++ ++endmenu + +config GENTOO_PRINT_FIRMWARE_INFO + bool "Print firmware information that the kernel attempts to load" 
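Review bot: `default y if PPC && GENTOO_KERNEL_SELF_PROTECTION` in the new GENTOO_KERNEL_SELF_PROTECTION_PPC entry repeats the symbol's own `depends on` terms; Kconfig only consults a default when the dependencies already hold, so a plain `default y` says the same thing with less to keep in sync. The same duplicated form is used for the ARM entry in this hunk and for the X86_64, ARM64 and X86_32 entries in the preceding hunk. Since every per-architecture entry now defaults on under the umbrella option, a short comment at the top of the block noting that behaviour would help, as the old `default n` made opting in explicit.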
@@ -292,45 +309,46 @@ + See the settings that become available for more details and fine-tuning. + +endmenu ---- a/security/Kconfig 2021-12-05 18:20:55.655677710 -0500 -+++ b/security/Kconfig 2021-12-05 18:23:42.404251618 -0500 -@@ -167,6 +167,7 @@ config HARDENED_USERCOPY_PAGESPAN - bool "Refuse to copy allocations that span multiple pages" - depends on HARDENED_USERCOPY - depends on EXPERT +diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig +index 1da360c51..70963ba91 100644 +--- a/drivers/acpi/Kconfig ++++ b/drivers/acpi/Kconfig +@@ -445,7 +445,7 @@ config ACPI_HED + + config ACPI_CUSTOM_METHOD + tristate "Allow ACPI methods to be inserted/replaced at run time" +- depends on DEBUG_FS ++ depends on DEBUG_FS && !GENTOO_KERNEL_SELF_PROTECTION + help + This debug facility allows ACPI AML methods to be inserted and/or + replaced without rebooting the system. For details refer to: +diff --git a/init/Kconfig b/init/Kconfig +index 11f8a845f..9f3eff46f 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1879,6 +1879,7 @@ config SLUB_DEBUG + config COMPAT_BRK + bool "Disable heap randomization" + default y + depends on !GENTOO_KERNEL_SELF_PROTECTION help - When a multi-page allocation is done without __GFP_COMP, - hardened usercopy will reject attempts to copy it. There are, -diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig -index 9e921fc72..f29bc13fa 100644 ---- a/security/selinux/Kconfig -+++ b/security/selinux/Kconfig -@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM - config SECURITY_SELINUX_DISABLE - bool "NSA SELinux runtime disable" - depends on SECURITY_SELINUX + Randomizing heap placement makes heap exploits harder, but it + also breaks ancient binaries (including anything libc5 based). 
+@@ -1925,7 +1926,9 @@ endchoice + + config SLAB_MERGE_DEFAULT + bool "Allow slab caches to be merged" ++ default n if GENTOO_KERNEL_SELF_PROTECTION + default y + depends on !GENTOO_KERNEL_SELF_PROTECTION - select SECURITY_WRITABLE_HOOKS - default n help --- -2.31.1 - -From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001 -From: Georgy Yakovlev <gyakovlev@gentoo.org> -Date: Tue, 8 Jun 2021 13:59:57 -0700 -Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default - ---- - mm/Kconfig | 2 ++ - 1 file changed, 2 insertions(+) - + For reduced kernel memory fragmentation, slab caches can be + merged when they share the same size and other characteristics. diff --git a/mm/Kconfig b/mm/Kconfig -index 24c045b24..e13fc740c 100644 +index c048dea7e..81a1dfd69 100644 --- a/mm/Kconfig +++ b/mm/Kconfig -@@ -321,6 +321,8 @@ config KSM +@@ -305,6 +305,8 @@ config KSM config DEFAULT_MMAP_MIN_ADDR int "Low address space to protect from user allocation" depends on MMU 
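Review bot: The two lines added to SLAB_MERGE_DEFAULT overlap: once `depends on !GENTOO_KERNEL_SELF_PROTECTION` is present the option is unavailable and evaluates to n whenever the hardening option is on, so `default n if GENTOO_KERNEL_SELF_PROTECTION` can never take effect. Keep one of them depending on the intent — the `default n if` form alone still lets a user re-enable cache merging, the `depends on` form alone forces it off. COMPAT_BRK and ACPI_CUSTOM_METHOD earlier in this hunk use the `depends on` form only, so that is presumably the intended shape here as well.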
@@ -339,6 +357,35 @@ index 24c045b24..e13fc740c 100644 default 4096 help This is the portion of low virtual memory which should be protected --- -2.31.1 -``` +diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening +index 90cbaff86..7b48339e8 100644 +--- a/security/Kconfig.hardening ++++ b/security/Kconfig.hardening +@@ -30,6 +30,7 @@ choice + default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS + default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN + default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN ++ default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS + default INIT_STACK_NONE + help + This option enables initialization of stack variables at +@@ -45,6 +46,7 @@ choice + + config INIT_STACK_NONE + bool "no automatic stack variable initialization (weakest)" ++ depends on !GENTOO_KERNEL_SELF_PROTECTION + help + Disable automatic stack variable initialization. + This leaves the kernel vulnerable to the standard +diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig +index 9e921fc72..f29bc13fa 100644 +--- a/security/selinux/Kconfig ++++ b/security/selinux/Kconfig +@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM + config SECURITY_SELINUX_DISABLE + bool "NSA SELinux runtime disable" + depends on SECURITY_SELINUX ++ depends on !GENTOO_KERNEL_SELF_PROTECTION + select SECURITY_WRITABLE_HOOKS + default n + help |
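Review bot: The added `default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS` comes after `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN`, and Kconfig applies the first default whose condition holds, so with a compiler that has CC_HAS_AUTO_VAR_INIT_PATTERN the zero-initialisation default wins and the new line only matters for GCC builds without that capability. That is presumably the intended precedence (compiler-native initialisation over the plugin), but the line reads as though hardening always picks STRUCTLEAK, so a comment would help: `# Fallback only: INIT_STACK_ALL_ZERO above takes precedence when the compiler supports auto-var-init`. The `depends on !GENTOO_KERNEL_SELF_PROTECTION` added to INIT_STACK_NONE and to SECURITY_SELINUX_DISABLE look correct and consistent with the other reverse dependencies in this patch.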