Diffstat (limited to '4567_distro-Gentoo-Kconfig.patch')
-rw-r--r--4567_distro-Gentoo-Kconfig.patch251
1 files changed, 102 insertions, 149 deletions
diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch
index 97665869..24b75095 100644
--- a/4567_distro-Gentoo-Kconfig.patch
+++ b/4567_distro-Gentoo-Kconfig.patch
@@ -1,19 +1,14 @@
-diff --git a/Kconfig b/Kconfig
-index 745bc773f..e306bacea 100644
---- a/Kconfig
-+++ b/Kconfig
+--- a/Kconfig 2021-06-04 19:03:33.646823432 -0400
++++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400
@@ -30,3 +30,5 @@ source "lib/Kconfig"
source "lib/Kconfig.debug"
source "Documentation/Kconfig"
+
+source "distro/Kconfig"
-diff --git a/distro/Kconfig b/distro/Kconfig
-new file mode 100644
-index 000000000..94d6e1886
---- /dev/null
-+++ b/distro/Kconfig
-@@ -0,0 +1,295 @@
+--- /dev/null 2021-12-21 08:57:43.779324794 -0500
++++ b/distro/Kconfig 2021-12-21 14:12:07.964572417 -0500
+@@ -0,0 +1,283 @@
+menu "Gentoo Linux"
+
+config GENTOO_LINUX
@@ -80,8 +75,9 @@ index 000000000..94d6e1886
+ CGROUPS (required for FEATURES=cgroup)
+ IPC_NS (required for FEATURES=ipc-sandbox)
+ NET_NS (required for FEATURES=network-sandbox)
-+ PID_NS (required for FEATURES=pid-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
+ SYSVIPC (required by IPC_NS)
++
+
+ It is highly recommended that you leave this enabled as these FEATURES
+ are, or will soon be, enabled by default.
@@ -128,7 +124,7 @@ index 000000000..94d6e1886
+ select BPF_SYSCALL
+ select CGROUP_BPF
+ select CGROUPS
-+ select CRYPTO_HMAC
++ select CRYPTO_HMAC
+ select CRYPTO_SHA256
+ select CRYPTO_USER_API_HASH
+ select DEVPTS_MULTIPLE_INSTANCES
@@ -170,104 +166,102 @@ index 000000000..94d6e1886
+
+endmenu
+
-+menu "Kernel Self Protection Project"
-+ visible if GENTOO_LINUX
++menuconfig GENTOO_KERNEL_SELF_PROTECTION
++ bool "Kernel Self Protection Project"
++ depends on GENTOO_LINUX
++ help
++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for
++ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
++ specific architecture.
++ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
++ for X86_64
+
-+config GENTOO_KERNEL_SELF_PROTECTION
++if GENTOO_KERNEL_SELF_PROTECTION
++config GENTOO_KERNEL_SELF_PROTECTION_COMMON
+ bool "Enable Kernel Self Protection Project Recommendations"
+
-+ depends on GENTOO_LINUX && EXPERT && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !MODIFY_LDT_SYSCALL
++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS
+
+ select BUG
-+ select STRICT_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX
-+ select DEBUG_FS
-+ select DEBUG_WX if ARCH_HAS_DEBUG_WX && MMU
-+ select STACKPROTECTOR if HAVE_STACKPROTECTOR
-+ select STACKPROTECTOR_STRONG if HAVE_STACKPROTECTOR
-+ select STRICT_DEVMEM if DEVMEM=y && (ARCH_HAS_DEVMEM_IS_ALLOWED || GENERIC_LIB_DEVMEM_IS_ALLOWED)
-+ select IO_STRICT_DEVMEM if STRICT_DEVMEM
-+ select SYN_COOKIES if NET && INET
-+ select DEBUG_CREDENTIALS if DEBUG_KERNEL
-+ select DEBUG_NOTIFIERS if DEBUG_KERNEL
++ select STRICT_KERNEL_RWX
++ select DEBUG_WX
++ select STACKPROTECTOR
++ select STACKPROTECTOR_STRONG
++ select STRICT_DEVMEM if DEVMEM=y
++ select IO_STRICT_DEVMEM if DEVMEM=y
++ select SYN_COOKIES
++ select DEBUG_CREDENTIALS
++ select DEBUG_NOTIFIERS
+ select DEBUG_LIST
-+ select DEBUG_SG if DEBUG_KERNEL
++ select DEBUG_SG
+ select BUG_ON_DATA_CORRUPTION
-+ select SCHED_STACK_END_CHECK if DEBUG_KERNEL
++ select SCHED_STACK_END_CHECK
+ select SECCOMP if HAVE_ARCH_SECCOMP
+ select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
-+ select SECURITY if SYSFS && MULTIUSER
-+ select SECURITY_YAMA if SECURITY
-+ select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR
-+ select SLAB_FREELIST_RANDOM if SLAB || SLUB
-+ select SLAB_FREELIST_HARDENED if SLAB || SLUB
++ select SECURITY_YAMA
++ select SLAB_FREELIST_RANDOM
++ select SLAB_FREELIST_HARDENED
+ select SHUFFLE_PAGE_ALLOCATOR
-+ select SLUB_DEBUG if SLUB && SYSFS
-+ select SLUB_DEBUG_ON if SLUB_DEBUG
++ select SLUB_DEBUG
+ select PAGE_POISONING
+ select PAGE_POISONING_NO_SANITY
+ select PAGE_POISONING_ZERO
+ select INIT_ON_ALLOC_DEFAULT_ON
+ select INIT_ON_FREE_DEFAULT_ON
-+ select FORTIFY_SOURCE if ARCH_HAS_FORTIFY_SOURCE && !CC_IS_CLANG
-+ select SECURITY_DMESG_RESTRICT
++ select REFCOUNT_FULL
++ select FORTIFY_SOURCE
++ select SECURITY_DMESG_RESTRICT
+ select PANIC_ON_OOPS
-+ select DEBUG_STACKOVERFLOW if DEBUG_KERNEL && HAVE_DEBUG_STACKOVERFLOW
-+ select VMAP_STACK if HAVE_ARCH_VMAP_STACK
-+ select STRICT_MODULE_RWX if ARCH_HAS_STRICT_MODULE_RWX && ARCH_OPTIONAL_KERNEL_RWX && MODULES
-+ select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS
-+ select INIT_STACK_ALL_PATTERN if CC_HAS_AUTO_VAR_INIT_PATTERN && !CC_HAS_AUTO_VAR_INIT_ZERO
-+ select INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
-+ select GCC_PLUGINS if HAVE_GCC_PLUGINS && CC_IS_GCC
-+ select GCC_PLUGIN_LATENT_ENTROPY if GCC_PLUGINS
-+ select GCC_PLUGIN_STRUCTLEAK if GCC_PLUGINS
-+ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GCC_PLUGINS
-+ select GCC_PLUGIN_STRUCTLEAK_VERBOSE if GCC_PLUGINS && GCC_PLUGIN_STRUCTLEAK
-+ select GCC_PLUGIN_RANDSTRUCT if GCC_PLUGINS
-+ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE if GCC_PLUGINS && GCC_PLUGIN_RANDSTRUCT
-+ select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS && HAVE_ARCH_STACKLEAK
++ select GCC_PLUGIN_LATENT_ENTROPY
++ select GCC_PLUGIN_STRUCTLEAK
++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
++ select GCC_PLUGIN_RANDSTRUCT
++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
+
+ help
-+ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
-+ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
-+ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
-+ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION and search for
-+ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
-+ specific architecture.
-+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
-+ for X86_64
++ Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency
++ information on your specific architecture. Note 2: Please see the URL above for
++ numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_64
-+ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION
-+
-+ depends on X86_64 && GENTOO_KERNEL_SELF_PROTECTION
-+ default y if X86_64 && GENTOO_KERNEL_SELF_PROTECTION
++ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON
+
++ depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION
++ default n
++
+ select RANDOMIZE_BASE
+ select RANDOMIZE_MEMORY
+ select RELOCATABLE
+ select LEGACY_VSYSCALL_NONE
-+ select PAGE_TABLE_ISOLATION
++ select PAGE_TABLE_ISOLATION
++ select GCC_PLUGIN_STACKLEAK
++ select VMAP_STACK
+
+
+config GENTOO_KERNEL_SELF_PROTECTION_ARM64
+ bool "ARM64 KSPP Settings"
+
-+ depends on ARM64 && GENTOO_KERNEL_SELF_PROTECTION
-+ default y if ARM64 && GENTOO_KERNEL_SELF_PROTECTION
++ depends on ARM64
++ default n
+
+ select RANDOMIZE_BASE
+ select RELOCATABLE
+ select ARM64_SW_TTBR0_PAN
+ select CONFIG_UNMAP_KERNEL_AT_EL0
++ select GCC_PLUGIN_STACKLEAK
++ select VMAP_STACK
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_32
+ bool "X86_32 KSPP Settings"
+
-+ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 && GENTOO_KERNEL_SELF_PROTECTION
-+ default y if X86_32 && GENTOO_KERNEL_SELF_PROTECTION
++ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
++ default n
+
-+ #select HIGHMEM64G
-+ #select X86_PAE
++ select HIGHMEM64G
++ select X86_PAE
+ select RANDOMIZE_BASE
+ select RELOCATABLE
+ select PAGE_TABLE_ISOLATION
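Review bot: The rewritten GENTOO_KERNEL_SELF_PROTECTION_COMMON block drops every `if HAVE_…`/`ARCH_HAS_…` guard from `select STRICT_KERNEL_RWX` down to `select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE`, and Kconfig `select` forces a symbol on without visiting its dependencies, so on a tree or arch lacking e.g. HAVE_STACKPROTECTOR or SYSFS the outcome is an unmet-dependency warning and a .config that claims hardening it cannot deliver. `select SECURITY_YAMA` is the clearest case because its prerequisite line was removed as well; keep `select SECURITY if SYSFS && MULTIUSER` above it and restore the guarded forms such as `select STACKPROTECTOR_STRONG if HAVE_STACKPROTECTOR`. `select HARDENED_USERCOPY` has no replacement on the new side even though the security/Kconfig hunk later in this file still adjusts HARDENED_USERCOPY_PAGESPAN for this option, and `select REFCOUNT_FULL` names a symbol that, as far as I recall, was removed from mainline well before the 2021 dates in these headers, so it should be verified against the target tree. `select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL` is also new here while the Kconfig.hardening hunk that previously set it as a choice default is deleted further down; as far as I recall Kconfig does not honour `select` on a member of a choice, so check that the generated .config actually ends up with it. Finally, the help text left on COMMON begins mid-thought at `Search for GENTOO_KERNEL_SELF_PROTECTION_{…}` and carries a `Note 2:` with no first note, so either trim it to the dependency sentence or restore the dropped opening.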
@@ -275,25 +269,14 @@ index 000000000..94d6e1886
+config GENTOO_KERNEL_SELF_PROTECTION_ARM
+ bool "ARM KSPP Settings"
+
-+ depends on !OABI_COMPAT && ARM && GENTOO_KERNEL_SELF_PROTECTION
-+ default y if ARM && GENTOO_KERNEL_SELF_PROTECTION
++ depends on !OABI_COMPAT && ARM
++ default n
+
+ select VMSPLIT_3G
+ select STRICT_MEMORY_RWX
+ select CPU_SW_DOMAIN_PAN
+
-+config GENTOO_KERNEL_SELF_PROTECTION_PPC
-+ bool "PPC KSPP Settings"
-+
-+ depends on !SCOM_DEBUGFS && !OPAL_CORE && PPC && GENTOO_KERNEL_SELF_PROTECTION
-+ default y if PPC && GENTOO_KERNEL_SELF_PROTECTION
-+
-+ select PPC_KUEP if PPC_HAVE_KUEP
-+ select PPC_KUAP if PPC_HAVE_KUAP
-+ select PPC_MEM_KEYS if PPC_BOOK3S_64
-+ select PPC_SUBPAGE_PROT if PPC_BOOK3S_64 && PPC_64K_PAGES
-+
-+endmenu
++endif
+
+config GENTOO_PRINT_FIRMWARE_INFO
+ bool "Print firmware information that the kernel attempts to load"
@@ -309,46 +292,45 @@ index 000000000..94d6e1886
+ See the settings that become available for more details and fine-tuning.
+
+endmenu
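Review bot: With `default n` here and on the X86_64, ARM64 and X86_32 entries in the preceding hunk, enabling GENTOO_KERNEL_SELF_PROTECTION_COMMON no longer applies any architecture-specific KSPP setting until the user also turns on the per-arch entry, whereas the replaced lines defaulted them on, and nothing in the menu help says so. I would add one line to the GENTOO_KERNEL_SELF_PROTECTION help, e.g. `The architecture-specific entries below default to n and must be enabled separately.` The PPC entry is deleted outright, so the PPC_KUEP/PPC_KUAP/PPC_MEM_KEYS selections have no replacement; if that is deliberate, a short note in the menu help or the commit would save the next reader from re-adding it. As a consistency point, X86_64 keeps `&& GENTOO_KERNEL_SELF_PROTECTION` in its depends line although it sits inside the new `if GENTOO_KERNEL_SELF_PROTECTION` block, while ARM64, X86_32 and this ARM entry drop it; `depends on !X86_MSR && X86_64` would match the others.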
-diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
-index 1da360c51..70963ba91 100644
---- a/drivers/acpi/Kconfig
-+++ b/drivers/acpi/Kconfig
-@@ -445,7 +445,7 @@ config ACPI_HED
-
- config ACPI_CUSTOM_METHOD
- tristate "Allow ACPI methods to be inserted/replaced at run time"
-- depends on DEBUG_FS
-+ depends on DEBUG_FS && !GENTOO_KERNEL_SELF_PROTECTION
- help
- This debug facility allows ACPI AML methods to be inserted and/or
- replaced without rebooting the system. For details refer to:
-diff --git a/init/Kconfig b/init/Kconfig
-index 11f8a845f..9f3eff46f 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1879,6 +1879,7 @@ config SLUB_DEBUG
- config COMPAT_BRK
- bool "Disable heap randomization"
- default y
+--- a/security/Kconfig 2021-12-05 18:20:55.655677710 -0500
++++ b/security/Kconfig 2021-12-05 18:23:42.404251618 -0500
+@@ -167,6 +167,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ bool "Refuse to copy allocations that span multiple pages"
+ depends on HARDENED_USERCOPY
+ depends on EXPERT
+ depends on !GENTOO_KERNEL_SELF_PROTECTION
help
- Randomizing heap placement makes heap exploits harder, but it
- also breaks ancient binaries (including anything libc5 based).
-@@ -1925,7 +1926,9 @@ endchoice
-
- config SLAB_MERGE_DEFAULT
- bool "Allow slab caches to be merged"
-+ default n if GENTOO_KERNEL_SELF_PROTECTION
- default y
+ When a multi-page allocation is done without __GFP_COMP,
+ hardened usercopy will reject attempts to copy it. There are,
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72..f29bc13fa 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
+ config SECURITY_SELINUX_DISABLE
+ bool "NSA SELinux runtime disable"
+ depends on SECURITY_SELINUX
+ depends on !GENTOO_KERNEL_SELF_PROTECTION
+ select SECURITY_WRITABLE_HOOKS
+ default n
help
- For reduced kernel memory fragmentation, slab caches can be
- merged when they share the same size and other characteristics.
+--
+2.31.1
+
+From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001
+From: Georgy Yakovlev <gyakovlev@gentoo.org>
+Date: Tue, 8 Jun 2021 13:59:57 -0700
+Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default
+
+---
+ mm/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
diff --git a/mm/Kconfig b/mm/Kconfig
-index c048dea7e..81a1dfd69 100644
+index 24c045b24..e13fc740c 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
-@@ -305,6 +305,8 @@ config KSM
+@@ -321,6 +321,8 @@ config KSM
config DEFAULT_MMAP_MIN_ADDR
int "Low address space to protect from user allocation"
depends on MMU
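Review bot: The `default n if GENTOO_KERNEL_SELF_PROTECTION` line for SLAB_MERGE_DEFAULT goes away with the init/Kconfig piece, and unlike ACPI_CUSTOM_METHOD and COMPAT_BRK, which resurface as `!ACPI_CUSTOM_METHOD && !COMPAT_BRK` in the COMMON depends line earlier in this file, nothing on the new side covers slab merging, so that KSPP recommendation is silently lost; adding `!SLAB_MERGE_DEFAULT` to that depends line would keep the effect in the new style. The new security/Kconfig and selinux hunks gate HARDENED_USERCOPY_PAGESPAN and SECURITY_SELINUX_DISABLE on `!GENTOO_KERNEL_SELF_PROTECTION`, the menuconfig symbol, while the selections now live under GENTOO_KERNEL_SELF_PROTECTION_COMMON; presumably intended, but since the two symbols can now differ, a one-line comment in the patch saying the menu symbol is the gate would help. The file also changes from a single git diff into a plain diff followed by a `--`/`2.31.1` trailer and a format-patch mail (`From bd3ff0b1…`), which patch -p1 should still consume, but it is worth confirming that the tooling that applies and regenerates this file accepts the mixed form.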
@@ -357,35 +339,6 @@ index c048dea7e..81a1dfd69 100644
default 4096
help
This is the portion of low virtual memory which should be protected
-diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
-index 90cbaff86..7b48339e8 100644
---- a/security/Kconfig.hardening
-+++ b/security/Kconfig.hardening
-@@ -30,6 +30,7 @@ choice
- default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
- default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
- default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
-+ default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS
- default INIT_STACK_NONE
- help
- This option enables initialization of stack variables at
-@@ -45,6 +46,7 @@ choice
-
- config INIT_STACK_NONE
- bool "no automatic stack variable initialization (weakest)"
-+ depends on !GENTOO_KERNEL_SELF_PROTECTION
- help
- Disable automatic stack variable initialization.
- This leaves the kernel vulnerable to the standard
-diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
-index 9e921fc72..f29bc13fa 100644
---- a/security/selinux/Kconfig
-+++ b/security/selinux/Kconfig
-@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
- config SECURITY_SELINUX_DISABLE
- bool "NSA SELinux runtime disable"
- depends on SECURITY_SELINUX
-+ depends on !GENTOO_KERNEL_SELF_PROTECTION
- select SECURITY_WRITABLE_HOOKS
- default n
- help
+--
+2.31.1
+```