diff --git a/Kconfig b/Kconfig
index 745bc773f..e306bacea 100644
--- a/Kconfig
+++ b/Kconfig
@@ -30,3 +30,5 @@ source "lib/Kconfig"
 source "lib/Kconfig.debug"
 
 source "Documentation/Kconfig"
+
+source "distro/Kconfig"
diff --git a/distro/Kconfig b/distro/Kconfig
new file mode 100644
index 000000000..94d6e1886
--- /dev/null
+++ b/distro/Kconfig
@@ -0,0 +1,295 @@
+menu "Gentoo Linux"
+
+config GENTOO_LINUX
+	bool "Gentoo Linux support"
+
+	default y
+
+	help
+		In order to boot Gentoo Linux a minimal set of config settings needs to
+		be enabled in the kernel; to avoid the users from having to enable them
+		manually as part of a Gentoo Linux installation or a new clean config,
+		we enable these config settings by default for convenience.
+
+		See the settings that become available for more details and fine-tuning.
+
+config GENTOO_LINUX_UDEV
+	bool "Linux dynamic and persistent device naming (userspace devfs) support"
+
+	depends on GENTOO_LINUX
+	default y if GENTOO_LINUX
+
+	select DEVTMPFS
+	select TMPFS
+	select UNIX
+
+	select MMU
+	select SHMEM
+
+	help
+		In order to boot Gentoo Linux a minimal set of config settings needs to
+		be enabled in the kernel; to avoid the users from having to enable them
+		manually as part of a Gentoo Linux installation or a new clean config,
+		we enable these config settings by default for convenience.
+
+		Currently this only selects TMPFS, DEVTMPFS and their dependencies.
+		TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
+		/sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
+
+		Some of these are critical files that need to be available early in the
+		boot process; if not available, it causes sysfs and udev to malfunction.
+
+		To ensure Gentoo Linux boots, it is best to leave this setting enabled;
+		if you run a custom setup, you could consider whether to disable this.
+
+config GENTOO_LINUX_PORTAGE
+	bool "Select options required by Portage features"
+
+	depends on GENTOO_LINUX
+	default y if GENTOO_LINUX
+
+	select CGROUPS
+	select NAMESPACES
+	select IPC_NS
+	select NET_NS
+	select PID_NS
+	select SYSVIPC
+	select USER_NS
+	select UTS_NS
+
+	help
+		This enables options required by various Portage FEATURES.
+		Currently this selects:
+
+		CGROUPS     (required for FEATURES=cgroup)
+		IPC_NS      (required for FEATURES=ipc-sandbox)
+		NET_NS      (required for FEATURES=network-sandbox)
+		PID_NS      (required for FEATURES=pid-sandbox)
+		SYSVIPC     (required by IPC_NS)
+
+		It is highly recommended that you leave this enabled as these FEATURES
+		are, or will soon be, enabled by default.
+
+menu "Support for init systems, system and service managers"
+	visible if GENTOO_LINUX
+
+config GENTOO_LINUX_INIT_SCRIPT
+	bool "OpenRC, runit and other script based systems and managers"
+
+	default y if GENTOO_LINUX
+
+	depends on GENTOO_LINUX
+
+	select BINFMT_SCRIPT
+	select CGROUPS
+	select EPOLL
+	select FILE_LOCKING
+	select INOTIFY_USER
+	select SIGNALFD
+	select TIMERFD
+
+	help
+		The init system is the first thing that loads after the kernel booted.
+
+		These config settings allow you to select which init systems to support;
+		instead of having to select all the individual settings all over the
+		place, these settings allows you to select all the settings at once.
+
+		This particular setting enables all the known requirements for OpenRC,
+		runit and similar script based systems and managers.
+
+		If you are unsure about this, it is best to leave this setting enabled.
+
+config GENTOO_LINUX_INIT_SYSTEMD
+	bool "systemd"
+
+	default n
+
+	depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
+
+	select AUTOFS4_FS
+	select BLK_DEV_BSG
+	select BPF_SYSCALL
+	select CGROUP_BPF
+	select CGROUPS
+	select CRYPTO_HMAC
+	select CRYPTO_SHA256
+	select CRYPTO_USER_API_HASH
+	select DEVPTS_MULTIPLE_INSTANCES
+	select DMIID if X86_32 || X86_64 || X86
+	select EPOLL
+	select FANOTIFY
+	select FHANDLE
+	select FILE_LOCKING
+	select INOTIFY_USER
+	select IPV6
+	select KCMP
+	select NET
+	select NET_NS
+	select PROC_FS
+	select SECCOMP if HAVE_ARCH_SECCOMP
+	select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
+	select SIGNALFD
+	select SYSFS
+	select TIMERFD
+	select TMPFS_POSIX_ACL
+	select TMPFS_XATTR
+
+	select ANON_INODES
+	select BLOCK
+	select EVENTFD
+	select FSNOTIFY
+	select INET
+	select NLATTR
+
+	help
+		The init system is the first thing that loads after the kernel booted.
+
+		These config settings allow you to select which init systems to support;
+		instead of having to select all the individual settings all over the
+		place, these settings allows you to select all the settings at once.
+
+		This particular setting enables all the known requirements for systemd;
+		it also enables suggested optional settings, as the package suggests to.
+
+endmenu
+
+menu "Kernel Self Protection Project"
+	visible if GENTOO_LINUX
+
+config GENTOO_KERNEL_SELF_PROTECTION
+	bool "Enable Kernel Self Protection Project Recommendations"
+
+	depends on GENTOO_LINUX && EXPERT && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !MODIFY_LDT_SYSCALL
+
+	select BUG
+	select STRICT_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX
+	select DEBUG_FS
+	select DEBUG_WX if ARCH_HAS_DEBUG_WX && MMU
+	select STACKPROTECTOR if HAVE_STACKPROTECTOR
+	select STACKPROTECTOR_STRONG if HAVE_STACKPROTECTOR
+	select STRICT_DEVMEM if DEVMEM=y && (ARCH_HAS_DEVMEM_IS_ALLOWED || GENERIC_LIB_DEVMEM_IS_ALLOWED)
+	select IO_STRICT_DEVMEM if STRICT_DEVMEM
+	select SYN_COOKIES if NET && INET
+	select DEBUG_CREDENTIALS if DEBUG_KERNEL
+	select DEBUG_NOTIFIERS if DEBUG_KERNEL
+	select DEBUG_LIST
+	select DEBUG_SG if DEBUG_KERNEL
+	select BUG_ON_DATA_CORRUPTION
+	select SCHED_STACK_END_CHECK if DEBUG_KERNEL
+	select SECCOMP if HAVE_ARCH_SECCOMP
+	select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
+	select SECURITY if SYSFS && MULTIUSER
+	select SECURITY_YAMA if SECURITY
+	select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR
+	select SLAB_FREELIST_RANDOM if SLAB || SLUB
+	select SLAB_FREELIST_HARDENED if SLAB || SLUB
+	select SHUFFLE_PAGE_ALLOCATOR
+	select SLUB_DEBUG if SLUB && SYSFS
+	select SLUB_DEBUG_ON if SLUB_DEBUG
+	select PAGE_POISONING
+	select PAGE_POISONING_NO_SANITY
+	select PAGE_POISONING_ZERO
+	select INIT_ON_ALLOC_DEFAULT_ON
+	select INIT_ON_FREE_DEFAULT_ON
+	select FORTIFY_SOURCE if ARCH_HAS_FORTIFY_SOURCE && !CC_IS_CLANG
+	select SECURITY_DMESG_RESTRICT 
+	select PANIC_ON_OOPS
+	select DEBUG_STACKOVERFLOW if DEBUG_KERNEL && HAVE_DEBUG_STACKOVERFLOW
+	select VMAP_STACK if HAVE_ARCH_VMAP_STACK
+	select STRICT_MODULE_RWX if ARCH_HAS_STRICT_MODULE_RWX && ARCH_OPTIONAL_KERNEL_RWX && MODULES
+	select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS
+	select INIT_STACK_ALL_PATTERN if CC_HAS_AUTO_VAR_INIT_PATTERN && !CC_HAS_AUTO_VAR_INIT_ZERO
+	select INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
+	select GCC_PLUGINS if HAVE_GCC_PLUGINS && CC_IS_GCC
+	select GCC_PLUGIN_LATENT_ENTROPY if GCC_PLUGINS
+	select GCC_PLUGIN_STRUCTLEAK if GCC_PLUGINS
+	select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GCC_PLUGINS
+	select GCC_PLUGIN_STRUCTLEAK_VERBOSE if GCC_PLUGINS && GCC_PLUGIN_STRUCTLEAK
+	select GCC_PLUGIN_RANDSTRUCT if GCC_PLUGINS
+	select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE if GCC_PLUGINS && GCC_PLUGIN_RANDSTRUCT
+	select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS && HAVE_ARCH_STACKLEAK
+
+	help
+		Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
+		See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
+		Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
+		to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION and search for
+		GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
+		specific architecture.
+		Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+		for X86_64
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_64
+	bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION
+
+	depends on X86_64 && GENTOO_KERNEL_SELF_PROTECTION
+	default y if X86_64 && GENTOO_KERNEL_SELF_PROTECTION
+
+	select RANDOMIZE_BASE
+	select RANDOMIZE_MEMORY
+	select RELOCATABLE
+	select LEGACY_VSYSCALL_NONE
+	select PAGE_TABLE_ISOLATION
+
+
+config GENTOO_KERNEL_SELF_PROTECTION_ARM64
+	bool "ARM64 KSPP Settings"
+
+	depends on ARM64 && GENTOO_KERNEL_SELF_PROTECTION
+	default y if ARM64 && GENTOO_KERNEL_SELF_PROTECTION
+
+	select RANDOMIZE_BASE
+	select RELOCATABLE
+	select ARM64_SW_TTBR0_PAN
+	select CONFIG_UNMAP_KERNEL_AT_EL0
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_32
+	bool "X86_32 KSPP Settings"
+
+	depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 && GENTOO_KERNEL_SELF_PROTECTION
+	default y if X86_32 && GENTOO_KERNEL_SELF_PROTECTION
+
+	#select HIGHMEM64G
+	#select X86_PAE
+	select RANDOMIZE_BASE
+	select RELOCATABLE
+	select PAGE_TABLE_ISOLATION
+
+config GENTOO_KERNEL_SELF_PROTECTION_ARM
+	bool "ARM KSPP Settings"
+
+	depends on !OABI_COMPAT && ARM && GENTOO_KERNEL_SELF_PROTECTION
+	default y if ARM && GENTOO_KERNEL_SELF_PROTECTION
+
+	select VMSPLIT_3G
+	select STRICT_MEMORY_RWX
+	select CPU_SW_DOMAIN_PAN
+
+config GENTOO_KERNEL_SELF_PROTECTION_PPC
+	bool "PPC KSPP Settings"
+
+	depends on !SCOM_DEBUGFS && !OPAL_CORE && PPC && GENTOO_KERNEL_SELF_PROTECTION
+	default y if PPC && GENTOO_KERNEL_SELF_PROTECTION
+
+	select PPC_KUEP if PPC_HAVE_KUEP
+	select PPC_KUAP if PPC_HAVE_KUAP
+	select PPC_MEM_KEYS if PPC_BOOK3S_64
+	select PPC_SUBPAGE_PROT if PPC_BOOK3S_64 && PPC_64K_PAGES
+
+endmenu
+
+config GENTOO_PRINT_FIRMWARE_INFO
+	bool "Print firmware information that the kernel attempts to load"
+
+	depends on GENTOO_LINUX
+	default y
+
+	help
+		Enable this option to print information about firmware that the kernel
+		is attempting to load.  This information can be accessible via the
+		dmesg command-line utility
+
+		See the settings that become available for more details and fine-tuning.
+
+endmenu
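Review bot: `select CONFIG_UNMAP_KERNEL_AT_EL0` under GENTOO_KERNEL_SELF_PROTECTION_ARM64 names the symbol with its CONFIG_ prefix; Kconfig symbols are referenced bare, so this points at an undefined symbol and the select silently does nothing apart from a kconfig warning, leaving the ARM64 profile without the KPTI-equivalent it intends to turn on. It should read `select UNMAP_KERNEL_AT_EL0`, matching the other bare selects in the same block. `select SECURITY_DMESG_RESTRICT ` carries trailing whitespace, and there are two consecutive blank lines after the X86_64 entry. Since `select` ignores the target's own dependencies, the unguarded selects in GENTOO_KERNEL_SELF_PROTECTION (DEBUG_LIST, BUG_ON_DATA_CORRUPTION, the PAGE_POISONING* entries, SHUFFLE_PAGE_ALLOCATOR) will produce unmet-dependency warnings on configurations where those dependencies are not met; guarding them the way the neighbouring lines do would keep the profile clean.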
diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
index 1da360c51..70963ba91 100644
--- a/drivers/acpi/Kconfig
+++ b/drivers/acpi/Kconfig
@@ -445,7 +445,7 @@ config ACPI_HED
 
 config ACPI_CUSTOM_METHOD
 	tristate "Allow ACPI methods to be inserted/replaced at run time"
-	depends on DEBUG_FS
+	depends on DEBUG_FS && !GENTOO_KERNEL_SELF_PROTECTION
 	help
 	  This debug facility allows ACPI AML methods to be inserted and/or
 	  replaced without rebooting the system. For details refer to:
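Review bot: The restriction on ACPI_CUSTOM_METHOD is folded into the upstream `depends on DEBUG_FS` line with no comment, so a reader of drivers/acpi/Kconfig without the rest of this patch cannot tell why a debug facility is tied to a distro symbol. The other hunks in this patch add the restriction as its own line; doing the same here, `depends on !GENTOO_KERNEL_SELF_PROTECTION` preceded by `# excluded by the Gentoo KSPP profile (see distro/Kconfig)`, documents the coupling and keeps the upstream line untouched for rebases. The config entry's help text continues past the hunk.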
diff --git a/init/Kconfig b/init/Kconfig
index 11f8a845f..9f3eff46f 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1879,6 +1879,7 @@ config SLUB_DEBUG
 config COMPAT_BRK
 	bool "Disable heap randomization"
 	default y
+	depends on !GENTOO_KERNEL_SELF_PROTECTION
 	help
 	  Randomizing heap placement makes heap exploits harder, but it
 	  also breaks ancient binaries (including anything libc5 based).
@@ -1925,7 +1926,9 @@ endchoice
 
 config SLAB_MERGE_DEFAULT
 	bool "Allow slab caches to be merged"
+	default n if GENTOO_KERNEL_SELF_PROTECTION
 	default y
+	depends on !GENTOO_KERNEL_SELF_PROTECTION
 	help
 	  For reduced kernel memory fragmentation, slab caches can be
 	  merged when they share the same size and other characteristics.
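Review bot: `default n if GENTOO_KERNEL_SELF_PROTECTION` on SLAB_MERGE_DEFAULT is dead: the `depends on !GENTOO_KERNEL_SELF_PROTECTION` added two lines below already forces the symbol to n whenever the protection option is set, so the conditional default can never be reached in a state where it changes anything. Drop the `default n if …` line and keep only the `depends on`, which is also the form the COMPAT_BRK hunk above uses for the same purpose. The entry's help text continues past the hunk.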
diff --git a/mm/Kconfig b/mm/Kconfig
index c048dea7e..81a1dfd69 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -305,6 +305,8 @@ config KSM
 config DEFAULT_MMAP_MIN_ADDR
 	int "Low address space to protect from user allocation"
 	depends on MMU
+	default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION
+	default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION
 	default 4096
 	help
 	  This is the portion of low virtual memory which should be protected
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 90cbaff86..7b48339e8 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -30,6 +30,7 @@ choice
 	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
 	default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
 	default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
+	default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS
 	default INIT_STACK_NONE
 	help
 	  This option enables initialization of stack variables at
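Review bot: Kconfig takes the first `default` whose condition holds, so the new `default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS` line, placed below `default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN`, only takes effect when that earlier condition is false; with a compiler that supports auto-var-init the hardened profile still lands on INIT_STACK_ALL_ZERO rather than the plugin. If that is the intent (compiler-level zeroing is arguably the stronger choice), a comment such as `# falls back to the structleak plugin only when auto-var-init is unavailable` would stop a later reader from reordering the line; if the plugin is meant to win under GENTOO_KERNEL_SELF_PROTECTION, the default must move above the auto-var-init defaults. The `choice` block begins and its help text ends outside the hunk.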
@@ -45,6 +46,7 @@ choice
 
 	config INIT_STACK_NONE
 		bool "no automatic stack variable initialization (weakest)"
+		depends on !GENTOO_KERNEL_SELF_PROTECTION
 		help
 		  Disable automatic stack variable initialization.
 		  This leaves the kernel vulnerable to the standard
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 9e921fc72..f29bc13fa 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
 config SECURITY_SELINUX_DISABLE
 	bool "NSA SELinux runtime disable"
 	depends on SECURITY_SELINUX
+	depends on !GENTOO_KERNEL_SELF_PROTECTION
 	select SECURITY_WRITABLE_HOOKS
 	default n
 	help