
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:master commit in: /
Date: Tue, 08 Jun 2021 22:14:57
Message-Id: 1623190440.ccf130a6c7afbb4715ba52fd6e34b7fb25d1c0fb.mpagano@gentoo
1 commit: ccf130a6c7afbb4715ba52fd6e34b7fb25d1c0fb
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Jun 8 22:14:00 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Jun 8 22:14:00 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=ccf130a6
7
8 Updates from gyakovlev
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 4567_distro-Gentoo-Kconfig.patch | 72 +++++++++++++++++++++++++++++++++++-----
13 1 file changed, 64 insertions(+), 8 deletions(-)
14
15 diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch
16 index 56adbbd..635de00 100644
17 --- a/4567_distro-Gentoo-Kconfig.patch
18 +++ b/4567_distro-Gentoo-Kconfig.patch
19 @@ -6,9 +6,9 @@
20 source "Documentation/Kconfig"
21 +
22 +source "distro/Kconfig"
23 ---- /dev/null 2021-06-06 14:01:09.950742356 -0400
24 -+++ b/distro/Kconfig 2021-06-06 17:48:05.912077568 -0400
25 -@@ -0,0 +1,267 @@
26 +--- /dev/null 2021-06-08 16:56:49.698138501 -0400
27 ++++ b/distro/Kconfig 2021-06-08 17:11:33.377999003 -0400
28 +@@ -0,0 +1,263 @@
29 +menu "Gentoo Linux"
30 +
31 +config GENTOO_LINUX
32 @@ -181,8 +181,7 @@
33 + Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
34 + for X86_64
35 +
36 -+ depends on GENTOO_LINUX && !HARDENED_USERCOPY_FALLBACK && !HARDENED_USERCOPY_PAGESPAN && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !SECURITY_SELINUX_DISABLE && !X86_X32 && !MODIFY_LDT_SYSCALL
37 -+
38 ++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL
39 +
40 + select BUG
41 + select STRICT_KERNEL_RWX
42 @@ -191,7 +190,6 @@
43 + select STACKPROTECTOR_STRONG
44 + select STRICT_DEVMEM
45 + select IO_STRICT_DEVMEM
46 -+
47 + select SYN_COOKIES
48 + select DEBUG_CREDENTIALS
49 + select DEBUG_NOTIFIERS
50 @@ -201,9 +199,7 @@
51 + select SCHED_STACK_END_CHECK
52 + select SECCOMP
53 + select SECCOMP_FILTER
54 -+ select SECURITY
55 + select SECURITY_YAMA
56 -+ select HARDENED_USERCOPY
57 + select SLAB_FREELIST_RANDOM
58 + select SLAB_FREELIST_HARDENED
59 + select SHUFFLE_PAGE_ALLOCATOR
60 @@ -276,3 +272,63 @@
61 +endmenu
62 +
63 +endmenu
64 +diff --git a/security/Kconfig b/security/Kconfig
65 +index 7561f6f99..01f0bf73f 100644
66 +--- a/security/Kconfig
67 ++++ b/security/Kconfig
68 +@@ -166,6 +166,7 @@ config HARDENED_USERCOPY
69 + config HARDENED_USERCOPY_FALLBACK
70 + bool "Allow usercopy whitelist violations to fallback to object size"
71 + depends on HARDENED_USERCOPY
72 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
73 + default y
74 + help
75 + This is a temporary option that allows missing usercopy whitelists
76 +@@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN
77 + bool "Refuse to copy allocations that span multiple pages"
78 + depends on HARDENED_USERCOPY
79 + depends on EXPERT
80 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
81 + help
82 + When a multi-page allocation is done without __GFP_COMP,
83 + hardened usercopy will reject attempts to copy it. There are,
84 +diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
85 +index 9e921fc72..f29bc13fa 100644
86 +--- a/security/selinux/Kconfig
87 ++++ b/security/selinux/Kconfig
88 +@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
89 + config SECURITY_SELINUX_DISABLE
90 + bool "NSA SELinux runtime disable"
91 + depends on SECURITY_SELINUX
92 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
93 + select SECURITY_WRITABLE_HOOKS
94 + default n
95 + help
96 +--
97 +2.31.1
98 +
99 +From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001
100 +From: Georgy Yakovlev <gyakovlev@g.o>
101 +Date: Tue, 8 Jun 2021 13:59:57 -0700
102 +Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default
103 +
104 +---
105 + mm/Kconfig | 2 ++
106 + 1 file changed, 2 insertions(+)
107 +
108 +diff --git a/mm/Kconfig b/mm/Kconfig
109 +index 24c045b24..e13fc740c 100644
110 +--- a/mm/Kconfig
111 ++++ b/mm/Kconfig
112 +@@ -321,6 +321,8 @@ config KSM
113 + config DEFAULT_MMAP_MIN_ADDR
114 + int "Low address space to protect from user allocation"
115 + depends on MMU
116 ++ default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION
117 ++ default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION
118 + default 4096
119 + help
120 + This is the portion of low virtual memory which should be protected
121 +--
122 +2.31.1
123 +```
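Review bot: Enabling the self-protection option no longer guarantees that hardened usercopy is on: the hunk at `@@ -201,9 +199,7 @@` drops `select HARDENED_USERCOPY`, while the new `depends on !GENTOO_KERNEL_SELF_PROTECTION` lines in security/Kconfig only block the FALLBACK and PAGESPAN sub-options, which matters only if the user enables HARDENED_USERCOPY themselves. If the select was removed to avoid a Kconfig recursive-dependency report between it and the new reverse `depends on` (plausible, but not visible here), the help text should say so, e.g. `HARDENED_USERCOPY is no longer selected by this option; set CONFIG_HARDENED_USERCOPY=y yourself. Its FALLBACK and PAGESPAN sub-options are blocked while this option is enabled.` The same hunk also removes `select SECURITY` but keeps `select SECURITY_YAMA`; in mainline SECURITY_YAMA depends on SECURITY, so Kconfig would report an unmet direct dependency unless SECURITY is enabled elsewhere — check whether `select SECURITY` can stay. The `config GENTOO_KERNEL_SELF_PROTECTION` header and the start of its help block lie outside this hunk.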