
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:master commit in: /
Date: Tue, 04 Jan 2022 12:53:24
Message-Id: 1641300660.632cc59cc8462f3f01085d1b76cc304488a06394.mpagano@gentoo
1 commit: 632cc59cc8462f3f01085d1b76cc304488a06394
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Jan 4 12:51:00 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Jan 4 12:51:00 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=632cc59c
8 Update Gentoo Distro patch, thanks to gyakovlev
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
12 4567_distro-Gentoo-Kconfig.patch | 251 +++++++++++++++++++++++----------------
13 1 file changed, 149 insertions(+), 102 deletions(-)
15 diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch
16 index 24b75095..97665869 100644
17 --- a/4567_distro-Gentoo-Kconfig.patch
18 +++ b/4567_distro-Gentoo-Kconfig.patch
19 @@ -1,14 +1,19 @@
20 ---- a/Kconfig 2021-06-04 19:03:33.646823432 -0400
21 -+++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400
22 +diff --git a/Kconfig b/Kconfig
23 +index 745bc773f..e306bacea 100644
24 +--- a/Kconfig
25 ++++ b/Kconfig
26 @@ -30,3 +30,5 @@ source "lib/Kconfig"
27 source "lib/Kconfig.debug"
28
29 source "Documentation/Kconfig"
30 +
31 +source "distro/Kconfig"
32 ---- /dev/null 2021-12-21 08:57:43.779324794 -0500
33 -+++ b/distro/Kconfig 2021-12-21 14:12:07.964572417 -0500
34 -@@ -0,0 +1,283 @@
35 +diff --git a/distro/Kconfig b/distro/Kconfig
36 +new file mode 100644
37 +index 000000000..94d6e1886
38 +--- /dev/null
39 ++++ b/distro/Kconfig
40 +@@ -0,0 +1,295 @@
41 +menu "Gentoo Linux"
42 +
43 +config GENTOO_LINUX
44 @@ -75,9 +80,8 @@
45 + CGROUPS (required for FEATURES=cgroup)
46 + IPC_NS (required for FEATURES=ipc-sandbox)
47 + NET_NS (required for FEATURES=network-sandbox)
48 -+ PID_NS (required for FEATURES=pid-sandbox)
49 ++ PID_NS (required for FEATURES=pid-sandbox)
50 + SYSVIPC (required by IPC_NS)
51 -+
52 +
53 + It is highly recommended that you leave this enabled as these FEATURES
54 + are, or will soon be, enabled by default.
55 @@ -124,7 +128,7 @@
56 + select BPF_SYSCALL
57 + select CGROUP_BPF
58 + select CGROUPS
59 -+ select CRYPTO_HMAC
60 ++ select CRYPTO_HMAC
61 + select CRYPTO_SHA256
62 + select CRYPTO_USER_API_HASH
63 + select DEVPTS_MULTIPLE_INSTANCES
64 @@ -166,102 +170,104 @@
65 +
66 +endmenu
67 +
68 -+menuconfig GENTOO_KERNEL_SELF_PROTECTION
69 -+ bool "Kernel Self Protection Project"
70 -+ depends on GENTOO_LINUX
71 -+ help
72 -+ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
73 -+ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
74 -+ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
75 -+ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for
76 -+ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
77 -+ specific architecture.
78 -+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
79 -+ for X86_64
80 ++menu "Kernel Self Protection Project"
81 ++ visible if GENTOO_LINUX
82 +
83 -+if GENTOO_KERNEL_SELF_PROTECTION
84 -+config GENTOO_KERNEL_SELF_PROTECTION_COMMON
85 ++config GENTOO_KERNEL_SELF_PROTECTION
86 + bool "Enable Kernel Self Protection Project Recommendations"
87 +
88 -+ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS
89 ++ depends on GENTOO_LINUX && EXPERT && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !MODIFY_LDT_SYSCALL
90 +
91 + select BUG
92 -+ select STRICT_KERNEL_RWX
93 -+ select DEBUG_WX
94 -+ select STACKPROTECTOR
95 -+ select STACKPROTECTOR_STRONG
96 -+ select STRICT_DEVMEM if DEVMEM=y
97 -+ select IO_STRICT_DEVMEM if DEVMEM=y
98 -+ select SYN_COOKIES
99 -+ select DEBUG_CREDENTIALS
100 -+ select DEBUG_NOTIFIERS
101 ++ select STRICT_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX
102 ++ select DEBUG_FS
103 ++ select DEBUG_WX if ARCH_HAS_DEBUG_WX && MMU
104 ++ select STACKPROTECTOR if HAVE_STACKPROTECTOR
105 ++ select STACKPROTECTOR_STRONG if HAVE_STACKPROTECTOR
106 ++ select STRICT_DEVMEM if DEVMEM=y && (ARCH_HAS_DEVMEM_IS_ALLOWED || GENERIC_LIB_DEVMEM_IS_ALLOWED)
107 ++ select IO_STRICT_DEVMEM if STRICT_DEVMEM
108 ++ select SYN_COOKIES if NET && INET
109 ++ select DEBUG_CREDENTIALS if DEBUG_KERNEL
110 ++ select DEBUG_NOTIFIERS if DEBUG_KERNEL
111 + select DEBUG_LIST
112 -+ select DEBUG_SG
113 ++ select DEBUG_SG if DEBUG_KERNEL
114 + select BUG_ON_DATA_CORRUPTION
115 -+ select SCHED_STACK_END_CHECK
116 ++ select SCHED_STACK_END_CHECK if DEBUG_KERNEL
117 + select SECCOMP if HAVE_ARCH_SECCOMP
118 + select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
119 -+ select SECURITY_YAMA
120 -+ select SLAB_FREELIST_RANDOM
121 -+ select SLAB_FREELIST_HARDENED
122 ++ select SECURITY if SYSFS && MULTIUSER
123 ++ select SECURITY_YAMA if SECURITY
124 ++ select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR
125 ++ select SLAB_FREELIST_RANDOM if SLAB || SLUB
126 ++ select SLAB_FREELIST_HARDENED if SLAB || SLUB
127 + select SHUFFLE_PAGE_ALLOCATOR
128 -+ select SLUB_DEBUG
129 ++ select SLUB_DEBUG if SLUB && SYSFS
130 ++ select SLUB_DEBUG_ON if SLUB_DEBUG
131 + select PAGE_POISONING
132 + select PAGE_POISONING_NO_SANITY
133 + select PAGE_POISONING_ZERO
134 + select INIT_ON_ALLOC_DEFAULT_ON
135 + select INIT_ON_FREE_DEFAULT_ON
136 -+ select REFCOUNT_FULL
137 -+ select FORTIFY_SOURCE
138 -+ select SECURITY_DMESG_RESTRICT
139 ++ select FORTIFY_SOURCE if ARCH_HAS_FORTIFY_SOURCE && !CC_IS_CLANG
140 ++ select SECURITY_DMESG_RESTRICT
141 + select PANIC_ON_OOPS
142 -+ select GCC_PLUGIN_LATENT_ENTROPY
143 -+ select GCC_PLUGIN_STRUCTLEAK
144 -+ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
145 -+ select GCC_PLUGIN_RANDSTRUCT
146 -+ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
147 ++ select DEBUG_STACKOVERFLOW if DEBUG_KERNEL && HAVE_DEBUG_STACKOVERFLOW
148 ++ select VMAP_STACK if HAVE_ARCH_VMAP_STACK
149 ++ select STRICT_MODULE_RWX if ARCH_HAS_STRICT_MODULE_RWX && ARCH_OPTIONAL_KERNEL_RWX && MODULES
150 ++ select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS
151 ++ select INIT_STACK_ALL_PATTERN if CC_HAS_AUTO_VAR_INIT_PATTERN && !CC_HAS_AUTO_VAR_INIT_ZERO
152 ++ select INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
153 ++ select GCC_PLUGINS if HAVE_GCC_PLUGINS && CC_IS_GCC
154 ++ select GCC_PLUGIN_LATENT_ENTROPY if GCC_PLUGINS
155 ++ select GCC_PLUGIN_STRUCTLEAK if GCC_PLUGINS
156 ++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GCC_PLUGINS
157 ++ select GCC_PLUGIN_STRUCTLEAK_VERBOSE if GCC_PLUGINS && GCC_PLUGIN_STRUCTLEAK
158 ++ select GCC_PLUGIN_RANDSTRUCT if GCC_PLUGINS
159 ++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE if GCC_PLUGINS && GCC_PLUGIN_RANDSTRUCT
160 ++ select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS && HAVE_ARCH_STACKLEAK
161 +
162 + help
163 -+ Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency
164 -+ information on your specific architecture. Note 2: Please see the URL above for
165 -+ numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64
166 ++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
167 ++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
168 ++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
169 ++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION and search for
170 ++ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
171 ++ specific architecture.
172 ++ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
173 ++ for X86_64
174 +
175 +config GENTOO_KERNEL_SELF_PROTECTION_X86_64
176 -+ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON
177 ++ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION
178 ++
179 ++ depends on X86_64 && GENTOO_KERNEL_SELF_PROTECTION
180 ++ default y if X86_64 && GENTOO_KERNEL_SELF_PROTECTION
181 +
182 -+ depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION
183 -+ default n
184 -+
185 + select RANDOMIZE_BASE
186 + select RANDOMIZE_MEMORY
187 + select RELOCATABLE
188 + select LEGACY_VSYSCALL_NONE
189 -+ select PAGE_TABLE_ISOLATION
190 -+ select GCC_PLUGIN_STACKLEAK
191 -+ select VMAP_STACK
192 ++ select PAGE_TABLE_ISOLATION
193 +
194 +
195 +config GENTOO_KERNEL_SELF_PROTECTION_ARM64
196 + bool "ARM64 KSPP Settings"
197 +
198 -+ depends on ARM64
199 -+ default n
200 ++ depends on ARM64 && GENTOO_KERNEL_SELF_PROTECTION
201 ++ default y if ARM64 && GENTOO_KERNEL_SELF_PROTECTION
202 +
203 + select RANDOMIZE_BASE
204 + select RELOCATABLE
205 + select ARM64_SW_TTBR0_PAN
206 + select CONFIG_UNMAP_KERNEL_AT_EL0
207 -+ select GCC_PLUGIN_STACKLEAK
208 -+ select VMAP_STACK
209 +
210 +config GENTOO_KERNEL_SELF_PROTECTION_X86_32
211 + bool "X86_32 KSPP Settings"
212 +
213 -+ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
214 -+ default n
215 ++ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 && GENTOO_KERNEL_SELF_PROTECTION
216 ++ default y if X86_32 && GENTOO_KERNEL_SELF_PROTECTION
217 +
218 -+ select HIGHMEM64G
219 -+ select X86_PAE
220 ++ #select HIGHMEM64G
221 ++ #select X86_PAE
222 + select RANDOMIZE_BASE
223 + select RELOCATABLE
224 + select PAGE_TABLE_ISOLATION
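Review bot: `select CONFIG_UNMAP_KERNEL_AT_EL0` in the ARM64 block (kept as context while the neighbouring STACKLEAK/VMAP_STACK lines are removed) carries the CONFIG_ prefix, which Kconfig files do not use for symbol names, so the select targets an undefined symbol and arm64 KPTI is not actually forced by this option; it should read `select UNMAP_KERNEL_AT_EL0`. The X86_32 block turns `select HIGHMEM64G` and `select X86_PAE` into commented-out lines with no explanation, and since PAE page tables are what give 32-bit x86 NX support, the reason for dropping them belongs in a `#` comment rather than in dead code. `select DEBUG_FS` in the common block also deserves a one-line comment naming which selected option needs debugfs, as enabling it is not an obvious hardening choice on its own. The "Kernel Self Protection Project" menu opened in this hunk is closed by the `endmenu` in the next hunk.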
225 @@ -269,14 +275,25 @@
226 +config GENTOO_KERNEL_SELF_PROTECTION_ARM
227 + bool "ARM KSPP Settings"
228 +
229 -+ depends on !OABI_COMPAT && ARM
230 -+ default n
231 ++ depends on !OABI_COMPAT && ARM && GENTOO_KERNEL_SELF_PROTECTION
232 ++ default y if ARM && GENTOO_KERNEL_SELF_PROTECTION
233 +
234 + select VMSPLIT_3G
235 + select STRICT_MEMORY_RWX
236 + select CPU_SW_DOMAIN_PAN
237 +
238 -+endif
239 ++config GENTOO_KERNEL_SELF_PROTECTION_PPC
240 ++ bool "PPC KSPP Settings"
241 ++
242 ++ depends on !SCOM_DEBUGFS && !OPAL_CORE && PPC && GENTOO_KERNEL_SELF_PROTECTION
243 ++ default y if PPC && GENTOO_KERNEL_SELF_PROTECTION
244 ++
245 ++ select PPC_KUEP if PPC_HAVE_KUEP
246 ++ select PPC_KUAP if PPC_HAVE_KUAP
247 ++ select PPC_MEM_KEYS if PPC_BOOK3S_64
248 ++ select PPC_SUBPAGE_PROT if PPC_BOOK3S_64 && PPC_64K_PAGES
249 ++
250 ++endmenu
251 +
252 +config GENTOO_PRINT_FIRMWARE_INFO
253 + bool "Print firmware information that the kernel attempts to load"
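Review bot: The new PPC block (and the ARM block above it) pairs `depends on ... && GENTOO_KERNEL_SELF_PROTECTION` with `default y if PPC && GENTOO_KERNEL_SELF_PROTECTION`; a default is only evaluated when the symbol's dependencies hold, so a plain `default y` says the same thing with one less condition to keep in sync. Gating the PPC entry on `!SCOM_DEBUGFS && !OPAL_CORE` also takes the opposite approach from the rest of this commit, which disables conflicting options (ACPI_CUSTOM_METHOD, COMPAT_BRK) with `depends on !GENTOO_KERNEL_SELF_PROTECTION` in their own Kconfig; in the current form a config with either debug option on silently loses the PPC hardening selections instead of the debug option. I could not match the ARM block's `select STRICT_MEMORY_RWX` to a mainline symbol, so it is worth checking alongside this hunk. The `endmenu` here closes the menu opened in the previous hunk.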
254 @@ -292,45 +309,46 @@
255 + See the settings that become available for more details and fine-tuning.
256 +
257 +endmenu
258 ---- a/security/Kconfig 2021-12-05 18:20:55.655677710 -0500
259 -+++ b/security/Kconfig 2021-12-05 18:23:42.404251618 -0500
260 -@@ -167,6 +167,7 @@ config HARDENED_USERCOPY_PAGESPAN
261 - bool "Refuse to copy allocations that span multiple pages"
262 - depends on HARDENED_USERCOPY
263 - depends on EXPERT
264 +diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
265 +index 1da360c51..70963ba91 100644
266 +--- a/drivers/acpi/Kconfig
267 ++++ b/drivers/acpi/Kconfig
268 +@@ -445,7 +445,7 @@ config ACPI_HED
269 +
270 + config ACPI_CUSTOM_METHOD
271 + tristate "Allow ACPI methods to be inserted/replaced at run time"
272 +- depends on DEBUG_FS
273 ++ depends on DEBUG_FS && !GENTOO_KERNEL_SELF_PROTECTION
274 + help
275 + This debug facility allows ACPI AML methods to be inserted and/or
276 + replaced without rebooting the system. For details refer to:
277 +diff --git a/init/Kconfig b/init/Kconfig
278 +index 11f8a845f..9f3eff46f 100644
279 +--- a/init/Kconfig
280 ++++ b/init/Kconfig
281 +@@ -1879,6 +1879,7 @@ config SLUB_DEBUG
282 + config COMPAT_BRK
283 + bool "Disable heap randomization"
284 + default y
285 + depends on !GENTOO_KERNEL_SELF_PROTECTION
286 help
287 - When a multi-page allocation is done without __GFP_COMP,
288 - hardened usercopy will reject attempts to copy it. There are,
289 -diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
290 -index 9e921fc72..f29bc13fa 100644
291 ---- a/security/selinux/Kconfig
292 -+++ b/security/selinux/Kconfig
293 -@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
294 - config SECURITY_SELINUX_DISABLE
295 - bool "NSA SELinux runtime disable"
296 - depends on SECURITY_SELINUX
297 + Randomizing heap placement makes heap exploits harder, but it
298 + also breaks ancient binaries (including anything libc5 based).
299 +@@ -1925,7 +1926,9 @@ endchoice
300 +
301 + config SLAB_MERGE_DEFAULT
302 + bool "Allow slab caches to be merged"
303 ++ default n if GENTOO_KERNEL_SELF_PROTECTION
304 + default y
305 + depends on !GENTOO_KERNEL_SELF_PROTECTION
306 - select SECURITY_WRITABLE_HOOKS
307 - default n
308 help
309 ---
310 -2.31.1
311 -
312 -From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001
313 -From: Georgy Yakovlev <gyakovlev@g.o>
314 -Date: Tue, 8 Jun 2021 13:59:57 -0700
315 -Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default
316 -
317 ----
318 - mm/Kconfig | 2 ++
319 - 1 file changed, 2 insertions(+)
320 -
321 + For reduced kernel memory fragmentation, slab caches can be
322 + merged when they share the same size and other characteristics.
323 diff --git a/mm/Kconfig b/mm/Kconfig
324 -index 24c045b24..e13fc740c 100644
325 +index c048dea7e..81a1dfd69 100644
326 --- a/mm/Kconfig
327 +++ b/mm/Kconfig
328 -@@ -321,6 +321,8 @@ config KSM
329 +@@ -305,6 +305,8 @@ config KSM
330 config DEFAULT_MMAP_MIN_ADDR
331 int "Low address space to protect from user allocation"
332 depends on MMU
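Review bot: In the SLAB_MERGE_DEFAULT hunk, `default n if GENTOO_KERNEL_SELF_PROTECTION` and `depends on !GENTOO_KERNEL_SELF_PROTECTION` two lines later express the same intent twice; the `depends on` already forces the symbol to n (and hides it) whenever the hardening option is set, so the added default is dead and one of the two lines should go. If the intent is to keep the option visible but off, so a user can see why slab merging was disabled, the `default n if` line is the one to keep and the `depends on` should be dropped instead. The embedded hunks also carry `index` blob ids and line offsets from one specific kernel tree, so a short comment at the top of the patch naming that tree would tell the next person regenerating it where to start.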
333 @@ -339,6 +357,35 @@ index 24c045b24..e13fc740c 100644
334 default 4096
335 help
336 This is the portion of low virtual memory which should be protected
337 ---
338 -2.31.1
339 -```
340 +diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
341 +index 90cbaff86..7b48339e8 100644
342 +--- a/security/Kconfig.hardening
343 ++++ b/security/Kconfig.hardening
344 +@@ -30,6 +30,7 @@ choice
345 + default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
346 + default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
347 + default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
348 ++ default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS
349 + default INIT_STACK_NONE
350 + help
351 + This option enables initialization of stack variables at
352 +@@ -45,6 +46,7 @@ choice
353 +
354 + config INIT_STACK_NONE
355 + bool "no automatic stack variable initialization (weakest)"
356 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
357 + help
358 + Disable automatic stack variable initialization.
359 + This leaves the kernel vulnerable to the standard
360 +diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
361 +index 9e921fc72..f29bc13fa 100644
362 +--- a/security/selinux/Kconfig
363 ++++ b/security/selinux/Kconfig
364 +@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
365 + config SECURITY_SELINUX_DISABLE
366 + bool "NSA SELinux runtime disable"
367 + depends on SECURITY_SELINUX
368 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
369 + select SECURITY_WRITABLE_HOOKS
370 + default n
371 + help