--- a/Kconfig 2021-06-04 19:03:33.646823432 -0400
+++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400
@@ -30,3 +30,5 @@ source "lib/Kconfig"
source "lib/Kconfig.debug"
source "Documentation/Kconfig"
+
+source "distro/Kconfig"
--- /dev/null 2021-08-24 15:34:24.700702871 -0400
+++ b/distro/Kconfig 2021-08-24 15:49:16.965525424 -0400
@@ -0,0 +1,281 @@
+menu "Gentoo Linux"
+
+config GENTOO_LINUX
+ bool "Gentoo Linux support"
+
+ default y
+
+ help
+ In order to boot Gentoo Linux a minimal set of config settings needs to
+ be enabled in the kernel; to avoid the users from having to enable them
+ manually as part of a Gentoo Linux installation or a new clean config,
+ we enable these config settings by default for convenience.
+
+ See the settings that become available for more details and fine-tuning.
+
+config GENTOO_LINUX_UDEV
+ bool "Linux dynamic and persistent device naming (userspace devfs) support"
+
+ depends on GENTOO_LINUX
+ default y if GENTOO_LINUX
+
+ select DEVTMPFS
+ select TMPFS
+ select UNIX
+
+ select MMU
+ select SHMEM
+
+ help
+ In order to boot Gentoo Linux a minimal set of config settings needs to
+ be enabled in the kernel; to avoid the users from having to enable them
+ manually as part of a Gentoo Linux installation or a new clean config,
+ we enable these config settings by default for convenience.
+
+ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
+ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
+ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
+
+ Some of these are critical files that need to be available early in the
+ boot process; if not available, it causes sysfs and udev to malfunction.
+
+ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
+ if you run a custom setup, you could consider whether to disable this.
+
+config GENTOO_LINUX_PORTAGE
+ bool "Select options required by Portage features"
+
+ depends on GENTOO_LINUX
+ default y if GENTOO_LINUX
+
+ select CGROUPS
+ select NAMESPACES
+ select IPC_NS
+ select NET_NS
+ select PID_NS
+ select SYSVIPC
+ select USER_NS
+ select UTS_NS
+
+ help
+ This enables options required by various Portage FEATURES.
+ Currently this selects:
+
+ CGROUPS (required for FEATURES=cgroup)
+ IPC_NS (required for FEATURES=ipc-sandbox)
+ NET_NS (required for FEATURES=network-sandbox)
+ PID_NS (required for FEATURES=pid-sandbox)
+ SYSVIPC (required by IPC_NS)
+
+
+ It is highly recommended that you leave this enabled as these FEATURES
+ are, or will soon be, enabled by default.
+
+menu "Support for init systems, system and service managers"
+ visible if GENTOO_LINUX
+
+config GENTOO_LINUX_INIT_SCRIPT
+ bool "OpenRC, runit and other script based systems and managers"
+
+ default y if GENTOO_LINUX
+
+ depends on GENTOO_LINUX
+
+ select BINFMT_SCRIPT
+ select CGROUPS
+ select EPOLL
+ select FILE_LOCKING
+ select INOTIFY_USER
+ select SIGNALFD
+ select TIMERFD
+
+ help
+ The init system is the first thing that loads after the kernel booted.
+
+ These config settings allow you to select which init systems to support;
+ instead of having to select all the individual settings all over the
+ place, these settings allows you to select all the settings at once.
+
+ This particular setting enables all the known requirements for OpenRC,
+ runit and similar script based systems and managers.
+
+ If you are unsure about this, it is best to leave this setting enabled.
+
+config GENTOO_LINUX_INIT_SYSTEMD
+ bool "systemd"
+
+ default n
+
+ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
+
+ select AUTOFS4_FS
+ select BLK_DEV_BSG
+ select BPF_SYSCALL
+ select CGROUP_BPF
+ select CGROUPS
+ select CHECKPOINT_RESTORE
+ select CRYPTO_HMAC
+ select CRYPTO_SHA256
+ select CRYPTO_USER_API_HASH
+ select DEVPTS_MULTIPLE_INSTANCES
+ select DMIID if X86_32 || X86_64 || X86
+ select EPOLL
+ select FANOTIFY
+ select FHANDLE
+ select FILE_LOCKING
+ select INOTIFY_USER
+ select IPV6
+ select NET
+ select NET_NS
+ select PROC_FS
+ select SECCOMP if HAVE_ARCH_SECCOMP
+ select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
+ select SIGNALFD
+ select SYSFS
+ select TIMERFD
+ select TMPFS_POSIX_ACL
+ select TMPFS_XATTR
+
+ select ANON_INODES
+ select BLOCK
+ select EVENTFD
+ select FSNOTIFY
+ select INET
+ select NLATTR
+
+ help
+ The init system is the first thing that loads after the kernel booted.
+
+ These config settings allow you to select which init systems to support;
+ instead of having to select all the individual settings all over the
+ place, these settings allows you to select all the settings at once.
+
+ This particular setting enables all the known requirements for systemd;
+ it also enables suggested optional settings, as the package suggests to.
+
+endmenu
+
+menuconfig GENTOO_KERNEL_SELF_PROTECTION
+ bool "Kernel Self Protection Project"
+ depends on GENTOO_LINUX
+ help
+ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
+ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
+ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
+ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for
+ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
+ specific architecture.
+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+ for X86_64
+
+if GENTOO_KERNEL_SELF_PROTECTION
+config GENTOO_KERNEL_SELF_PROTECTION_COMMON
+ bool "Enable Kernel Self Protection Project Recommendations"
+
+ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS
+
+ select BUG
+ select STRICT_KERNEL_RWX
+ select DEBUG_WX
+ select STACKPROTECTOR
+ select STACKPROTECTOR_STRONG
+ select STRICT_DEVMEM if DEVMEM=y
+ select IO_STRICT_DEVMEM if DEVMEM=y
+ select SYN_COOKIES
+ select DEBUG_CREDENTIALS
+ select DEBUG_NOTIFIERS
+ select DEBUG_LIST
+ select DEBUG_SG
+ select BUG_ON_DATA_CORRUPTION
+ select SCHED_STACK_END_CHECK
+ select SECCOMP if HAVE_ARCH_SECCOMP
+ select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
+ select SECURITY_YAMA
+ select SLAB_FREELIST_RANDOM
+ select SLAB_FREELIST_HARDENED
+ select SHUFFLE_PAGE_ALLOCATOR
+ select SLUB_DEBUG
+ select PAGE_POISONING
+ select PAGE_POISONING_NO_SANITY
+ select PAGE_POISONING_ZERO
+ select INIT_ON_ALLOC_DEFAULT_ON
+ select INIT_ON_FREE_DEFAULT_ON
+ select VMAP_STACK
+ select REFCOUNT_FULL
+ select FORTIFY_SOURCE
+ select SECURITY_DMESG_RESTRICT
+ select PANIC_ON_OOPS
+ select GCC_PLUGIN_LATENT_ENTROPY
+ select GCC_PLUGIN_STRUCTLEAK
+ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
+ select GCC_PLUGIN_STACKLEAK
+ select GCC_PLUGIN_RANDSTRUCT
+ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
+
+ help
+ Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency
+ information on your specific architecture. Note 2: Please see the URL above for
+ numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_64
+ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON
+
+ depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION
+ default n
+
+ select RANDOMIZE_BASE
+ select RANDOMIZE_MEMORY
+ select RELOCATABLE
+ select LEGACY_VSYSCALL_NONE
+ select PAGE_TABLE_ISOLATION
+
+
+config GENTOO_KERNEL_SELF_PROTECTION_ARM64
+ bool "ARM64 KSPP Settings"
+
+ depends on ARM64
+ default n
+
+ select RANDOMIZE_BASE
+ select RELOCATABLE
+ select ARM64_SW_TTBR0_PAN
+ select CONFIG_UNMAP_KERNEL_AT_EL0
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_32
+ bool "X86_32 KSPP Settings"
+
+ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
+ default n
+
+ select HIGHMEM64G
+ select X86_PAE
+ select RANDOMIZE_BASE
+ select RELOCATABLE
+ select PAGE_TABLE_ISOLATION
+
+config GENTOO_KERNEL_SELF_PROTECTION_ARM
+ bool "ARM KSPP Settings"
+
+ depends on !OABI_COMPAT && ARM
+ default n
+
+ select VMSPLIT_3G
+ select STRICT_MEMORY_RWX
+ select CPU_SW_DOMAIN_PAN
+
+endif
+
+config GENTOO_PRINT_FIRMWARE_INFO
+ bool "Print firmware information that the kernel attempts to load"
+
+ depends on GENTOO_LINUX
+ default y
+
+ help
+ Enable this option to print information about firmware that the kernel
+ is attempting to load. This information can be accessible via the
+ dmesg command-line utility
+
+ See the settings that become available for more details and fine-tuning.
+
+endmenu
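Review bot: `select CONFIG_UNMAP_KERNEL_AT_EL0` in GENTOO_KERNEL_SELF_PROTECTION_ARM64 names a symbol that cannot exist — Kconfig `select` and `depends on` lines use the bare symbol name without the `CONFIG_` prefix — so kconfig silently creates an empty symbol and the arm64 page-table-isolation setting this block is meant to turn on is never enabled; it should read `select UNMAP_KERNEL_AT_EL0`. The same silent no-op risk applies to other selects here that, if this targets a current kernel, appear to name removed or renamed symbols (REFCOUNT_FULL, PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO in the common block; ANON_INODES, DEVPTS_MULTIPLE_INSTANCES and AUTOFS4_FS in the systemd block): kconfig does not error on a select of an undefined symbol, so each should be checked against the kernel version this patch is applied to and dropped or replaced, otherwise the hardening looks enabled in this menu while doing nothing. SECURITY_YAMA is selected without `select SECURITY`, which Yama's own Kconfig entry depends on; pairing them avoids an unmet-dependency warning and an LSM that is selected but not built. Finally, the common entry's `depends on GCC_PLUGINS` hides the entire recommendation set on non-GCC toolchains and when several user-visible options (KEXEC, HIBERNATION, PROC_KCORE, …) are already on; the help text should say so, e.g. `Only visible on GCC builds with plugin support and with KEXEC, HIBERNATION, PROC_KCORE, DEVKMEM, LEGACY_PTYS, X86_X32 and MODIFY_LDT_SYSCALL disabled.`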
diff --git a/security/Kconfig b/security/Kconfig
index 7561f6f99..01f0bf73f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -166,6 +166,7 @@ config HARDENED_USERCOPY
config HARDENED_USERCOPY_FALLBACK
bool "Allow usercopy whitelist violations to fallback to object size"
depends on HARDENED_USERCOPY
+ depends on !GENTOO_KERNEL_SELF_PROTECTION
default y
help
This is a temporary option that allows missing usercopy whitelists
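Review bot: Hiding HARDENED_USERCOPY_FALLBACK behind `!GENTOO_KERNEL_SELF_PROTECTION` only matters once HARDENED_USERCOPY itself is on, and nothing in the new Gentoo KSPP block selects it, so on a fresh config the usercopy hardening this restriction presupposes is still off. Adding `select HARDENED_USERCOPY` to GENTOO_KERNEL_SELF_PROTECTION_COMMON (it is on the KSPP recommended list the series references) pairs the fallback removal with the feature it restricts. Note also that the gate is the menuconfig symbol rather than the `_COMMON` entry, so merely enabling the Gentoo KSPP menu removes this option even when none of the recommendations are selected; that is probably intended but deserves a one-line comment such as `# hidden whenever the Gentoo KSPP menu is enabled, independent of _COMMON`. The rest of HARDENED_USERCOPY_FALLBACK's entry continues past the hunk.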
@@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN
bool "Refuse to copy allocations that span multiple pages"
depends on HARDENED_USERCOPY
depends on EXPERT
+ depends on !GENTOO_KERNEL_SELF_PROTECTION
help
When a multi-page allocation is done without __GFP_COMP,
hardened usercopy will reject attempts to copy it. There are,
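Review bot: HARDENED_USERCOPY_PAGESPAN has no `default` line, so it is already off unless a user opts in; the new `depends on !GENTOO_KERNEL_SELF_PROTECTION` therefore changes nothing on a fresh config and only prevents a hardened-profile user from enabling a stricter check. If the intent is to keep the KSPP profile away from an option known to reject legitimate multi-page copies, that rationale should be stated next to the dependency, e.g. `# excluded from the Gentoo KSPP profile: rejects valid non-__GFP_COMP allocations`; without it the line reads as hardening being disabled by a hardening option. The help text for this entry continues past the hunk.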
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 9e921fc72..f29bc13fa 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
config SECURITY_SELINUX_DISABLE
bool "NSA SELinux runtime disable"
depends on SECURITY_SELINUX
+ depends on !GENTOO_KERNEL_SELF_PROTECTION
select SECURITY_WRITABLE_HOOKS
default n
help
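Review bot: Removing the runtime-disable knob under the KSPP profile is the right direction, but the hunk header shows SECURITY_SELINUX_BOOTPARAM directly above, and that path (`selinux=0` on the kernel command line) still lets a boot-time attacker or misconfigured bootloader turn SELinux off; whether the KSPP recommendations the series cites also want BOOTPARAM off should be checked, and if so the same `depends on !GENTOO_KERNEL_SELF_PROTECTION` belongs on that entry too. As with the security/Kconfig changes, this gates on the menuconfig symbol rather than `_COMMON`, which is worth a short comment so the two are kept consistent, e.g. `# unavailable whenever the Gentoo KSPP menu is enabled`.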
--
2.31.1
From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001
From: Georgy Yakovlev <gyakovlev@gentoo.org>
Date: Tue, 8 Jun 2021 13:59:57 -0700
Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default
---
mm/Kconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/Kconfig b/mm/Kconfig
index 24c045b24..e13fc740c 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -321,6 +321,8 @@ config KSM
config DEFAULT_MMAP_MIN_ADDR
int "Low address space to protect from user allocation"
depends on MMU
+ default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION
+ default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION
default 4096
help
This is the portion of low virtual memory which should be protected
--
2.31.1
```