commit: ccf130a6c7afbb4715ba52fd6e34b7fb25d1c0fb |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
AuthorDate: Tue Jun 8 22:14:00 2021 +0000 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
CommitDate: Tue Jun 8 22:14:00 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=ccf130a6 |
|
Updates from gyakovlev |
|
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
|
4567_distro-Gentoo-Kconfig.patch | 72 +++++++++++++++++++++++++++++++++++----- |
1 file changed, 64 insertions(+), 8 deletions(-) |
|
diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch |
16 |
index 56adbbd..635de00 100644 |
17 |
--- a/4567_distro-Gentoo-Kconfig.patch |
18 |
+++ b/4567_distro-Gentoo-Kconfig.patch |
19 |
@@ -6,9 +6,9 @@ |
20 |
source "Documentation/Kconfig" |
21 |
+ |
22 |
+source "distro/Kconfig" |
23 |
---- /dev/null 2021-06-06 14:01:09.950742356 -0400 |
24 |
-+++ b/distro/Kconfig 2021-06-06 17:48:05.912077568 -0400 |
25 |
-@@ -0,0 +1,267 @@ |
26 |
+--- /dev/null 2021-06-08 16:56:49.698138501 -0400 |
27 |
++++ b/distro/Kconfig 2021-06-08 17:11:33.377999003 -0400 |
28 |
+@@ -0,0 +1,263 @@ |
29 |
+menu "Gentoo Linux" |
30 |
+ |
31 |
+config GENTOO_LINUX |
32 |
@@ -181,8 +181,7 @@ |
33 |
+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 |
34 |
+ for X86_64 |
35 |
+ |
36 |
-+ depends on GENTOO_LINUX && !HARDENED_USERCOPY_FALLBACK && !HARDENED_USERCOPY_PAGESPAN && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !SECURITY_SELINUX_DISABLE && !X86_X32 && !MODIFY_LDT_SYSCALL |
37 |
-+ |
38 |
++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL |
39 |
+ |
40 |
+ select BUG |
41 |
+ select STRICT_KERNEL_RWX |
42 |
@@ -191,7 +190,6 @@ |
43 |
+ select STACKPROTECTOR_STRONG |
44 |
+ select STRICT_DEVMEM |
45 |
+ select IO_STRICT_DEVMEM |
46 |
-+ |
47 |
+ select SYN_COOKIES |
48 |
+ select DEBUG_CREDENTIALS |
49 |
+ select DEBUG_NOTIFIERS |
50 |
@@ -201,9 +199,7 @@ |
51 |
+ select SCHED_STACK_END_CHECK |
52 |
+ select SECCOMP |
53 |
+ select SECCOMP_FILTER |
54 |
-+ select SECURITY |
55 |
+ select SECURITY_YAMA |
56 |
-+ select HARDENED_USERCOPY |
57 |
+ select SLAB_FREELIST_RANDOM |
58 |
+ select SLAB_FREELIST_HARDENED |
59 |
+ select SHUFFLE_PAGE_ALLOCATOR |
60 |
@@ -276,3 +272,63 @@ |
61 |
+endmenu |
62 |
+ |
63 |
+endmenu |
64 |
+diff --git a/security/Kconfig b/security/Kconfig |
65 |
+index 7561f6f99..01f0bf73f 100644 |
66 |
+--- a/security/Kconfig |
67 |
++++ b/security/Kconfig |
68 |
+@@ -166,6 +166,7 @@ config HARDENED_USERCOPY |
69 |
+ config HARDENED_USERCOPY_FALLBACK |
70 |
+ bool "Allow usercopy whitelist violations to fallback to object size" |
71 |
+ depends on HARDENED_USERCOPY |
72 |
++ depends on !GENTOO_KERNEL_SELF_PROTECTION |
73 |
+ default y |
74 |
+ help |
75 |
+ This is a temporary option that allows missing usercopy whitelists |
76 |
+@@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN |
77 |
+ bool "Refuse to copy allocations that span multiple pages" |
78 |
+ depends on HARDENED_USERCOPY |
79 |
+ depends on EXPERT |
80 |
++ depends on !GENTOO_KERNEL_SELF_PROTECTION |
81 |
+ help |
82 |
+ When a multi-page allocation is done without __GFP_COMP, |
83 |
+ hardened usercopy will reject attempts to copy it. There are, |
84 |
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig |
85 |
+index 9e921fc72..f29bc13fa 100644 |
86 |
+--- a/security/selinux/Kconfig |
87 |
++++ b/security/selinux/Kconfig |
88 |
+@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM |
89 |
+ config SECURITY_SELINUX_DISABLE |
90 |
+ bool "NSA SELinux runtime disable" |
91 |
+ depends on SECURITY_SELINUX |
92 |
++ depends on !GENTOO_KERNEL_SELF_PROTECTION |
93 |
+ select SECURITY_WRITABLE_HOOKS |
94 |
+ default n |
95 |
+ help |
96 |
+-- |
97 |
+2.31.1 |
98 |
+ |
99 |
+From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001 |
100 |
+From: Georgy Yakovlev <gyakovlev@g.o> |
101 |
+Date: Tue, 8 Jun 2021 13:59:57 -0700 |
102 |
+Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default |
103 |
+ |
104 |
+--- |
105 |
+ mm/Kconfig | 2 ++ |
106 |
+ 1 file changed, 2 insertions(+) |
107 |
+ |
108 |
+diff --git a/mm/Kconfig b/mm/Kconfig |
109 |
+index 24c045b24..e13fc740c 100644 |
110 |
+--- a/mm/Kconfig |
111 |
++++ b/mm/Kconfig |
112 |
+@@ -321,6 +321,8 @@ config KSM |
113 |
+ config DEFAULT_MMAP_MIN_ADDR |
114 |
+ int "Low address space to protect from user allocation" |
115 |
+ depends on MMU |
116 |
++ default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION |
117 |
++ default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION |
118 |
+ default 4096 |
119 |
+ help |
120 |
+ This is the portion of low virtual memory which should be protected |
121 |
+-- |
122 |
+2.31.1 |
123 |
+``` |
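Review bot: The hunk at `@@ -201,9 +199,7 @@` drops `select SECURITY` and `select HARDENED_USERCOPY` from GENTOO_KERNEL_SELF_PROTECTION but keeps `select SECURITY_YAMA`, which depends on SECURITY, so a configuration with SECURITY off now has YAMA forced on without its dependency (kconfig reports this as an unmet direct dependency) and the option no longer guarantees the LSM framework is built. The cleanest fix is to make that requirement explicit on the `depends on` line in the `@@ -181,8 +181,7 @@` hunk: `depends on GENTOO_LINUX && SECURITY && !ACPI_CUSTOM_METHOD && …` with the rest of the line unchanged. Dropping `select HARDENED_USERCOPY` also means the new `depends on !GENTOO_KERNEL_SELF_PROTECTION` guards added to HARDENED_USERCOPY_FALLBACK and HARDENED_USERCOPY_PAGESPAN in security/Kconfig only take effect if the user turns HARDENED_USERCOPY on by hand; if the select was removed because some architectures lack allocator support, `select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR` would keep the hardening where it is available — presumably the intent, worth confirming. The `config GENTOO_KERNEL_SELF_PROTECTION` block starts before this hunk and its select list continues after it.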