
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.13 commit in: /
Date: Sun, 13 Jun 2021 20:14:47
Message-Id: 1623615262.7fc6a7b27e47caef4143b2b9f84b80a2634f5fe5.mpagano@gentoo
1 commit: 7fc6a7b27e47caef4143b2b9f84b80a2634f5fe5
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jun 13 20:14:22 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Jun 13 20:14:22 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=7fc6a7b2
7
8 Update to Kernel Self Protection patch
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 4567_distro-Gentoo-Kconfig.patch | 177 +++++++++++++++++++++++++++++++++++++--
13 1 file changed, 171 insertions(+), 6 deletions(-)
14
15 diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch
16 index e754a3e..337ba12 100644
17 --- a/4567_distro-Gentoo-Kconfig.patch
18 +++ b/4567_distro-Gentoo-Kconfig.patch
19 @@ -1,14 +1,14 @@
20 ---- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
21 -+++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
22 -@@ -32,3 +32,5 @@ source "lib/Kconfig"
23 +--- a/Kconfig 2021-06-04 19:03:33.646823432 -0400
24 ++++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400
25 +@@ -30,3 +30,5 @@ source "lib/Kconfig"
26 source "lib/Kconfig.debug"
27
28 source "Documentation/Kconfig"
29 +
30 +source "distro/Kconfig"
31 ---- /dev/null 2020-09-24 03:06:47.590000000 -0400
32 -+++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400
33 -@@ -0,0 +1,158 @@
34 +--- /dev/null 2021-06-08 16:56:49.698138501 -0400
35 ++++ b/distro/Kconfig 2021-06-08 17:11:33.377999003 -0400
36 +@@ -0,0 +1,263 @@
37 +menu "Gentoo Linux"
38 +
39 +config GENTOO_LINUX
40 @@ -166,4 +166,169 @@
41 +
42 +endmenu
43 +
44 ++menu "Enable Kernel Self Protection Project Recommendations"
45 ++ visible if GENTOO_LINUX
46 ++
47 ++config GENTOO_KERNEL_SELF_PROTECTION
48 ++ bool "Architecture Independant Kernel Self Protection Project Recommendations"
49 ++
50 ++ help
51 ++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
52 ++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
53 ++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
54 ++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for
55 ++ dependency information on your specific architecture.
56 ++ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
57 ++ for X86_64
58 ++
59 ++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL
60 ++
61 ++ select BUG
62 ++ select STRICT_KERNEL_RWX
63 ++ select DEBUG_WX
64 ++ select STACKPROTECTOR
65 ++ select STACKPROTECTOR_STRONG
66 ++ select STRICT_DEVMEM
67 ++ select IO_STRICT_DEVMEM
68 ++ select SYN_COOKIES
69 ++ select DEBUG_CREDENTIALS
70 ++ select DEBUG_NOTIFIERS
71 ++ select DEBUG_LIST
72 ++ select DEBUG_SG
73 ++ select BUG_ON_DATA_CORRUPTION
74 ++ select SCHED_STACK_END_CHECK
75 ++ select SECCOMP
76 ++ select SECCOMP_FILTER
77 ++ select SECURITY_YAMA
78 ++ select SLAB_FREELIST_RANDOM
79 ++ select SLAB_FREELIST_HARDENED
80 ++ select SHUFFLE_PAGE_ALLOCATOR
81 ++ select SLUB_DEBUG
82 ++ select PAGE_POISONING
83 ++ select PAGE_POISONING_NO_SANITY
84 ++ select PAGE_POISONING_ZERO
85 ++ select INIT_ON_ALLOC_DEFAULT_ON
86 ++ select INIT_ON_FREE_DEFAULT_ON
87 ++ select VMAP_STACK
88 ++ select REFCOUNT_FULL
89 ++ select FORTIFY_SOURCE
90 ++ select SECURITY_DMESG_RESTRICT
91 ++ select PANIC_ON_OOPS
92 ++ select CONFIG_GCC_PLUGINS
93 ++ select GCC_PLUGIN_LATENT_ENTROPY
94 ++ select GCC_PLUGIN_STRUCTLEAK
95 ++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
96 ++ select GCC_PLUGIN_STACKLEAK
97 ++ select GCC_PLUGIN_RANDSTRUCT
98 ++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
99 ++
100 ++menu "Architecture Specific Self Protection Project Recommendations"
101 ++
102 ++config GENTOO_KERNEL_SELF_PROTECTION_X86_64
103 ++ bool "X86_64 KSPP Settings"
104 ++
105 ++ depends on !X86_MSR && X86_64
106 ++ default n
107 ++
108 ++ select RANDOMIZE_BASE
109 ++ select RANDOMIZE_MEMORY
110 ++ select LEGACY_VSYSCALL_NONE
111 ++ select PAGE_TABLE_ISOLATION
112 ++
113 ++
114 ++config GENTOO_KERNEL_SELF_PROTECTION_ARM64
115 ++ bool "ARM64 KSPP Settings"
116 ++
117 ++ depends on ARM64
118 ++ default n
119 ++
120 ++ select RANDOMIZE_BASE
121 ++ select ARM64_SW_TTBR0_PAN
122 ++ select CONFIG_UNMAP_KERNEL_AT_EL0
123 ++
124 ++config GENTOO_KERNEL_SELF_PROTECTION_X86_32
125 ++ bool "X86_32 KSPP Settings"
126 ++
127 ++ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
128 ++ default n
129 ++
130 ++ select HIGHMEM64G
131 ++ select X86_PAE
132 ++ select RANDOMIZE_BASE
133 ++ select PAGE_TABLE_ISOLATION
134 ++
135 ++config GENTOO_KERNEL_SELF_PROTECTION_ARM
136 ++ bool "ARM KSPP Settings"
137 ++
138 ++ depends on !OABI_COMPAT && ARM
139 ++ default n
140 ++
141 ++ select VMSPLIT_3G
142 ++ select STRICT_MEMORY_RWX
143 ++ select CPU_SW_DOMAIN_PAN
144 ++
145 ++endmenu
146 ++
147 ++endmenu
148 ++
149 +endmenu
150 +diff --git a/security/Kconfig b/security/Kconfig
151 +index 7561f6f99..01f0bf73f 100644
152 +--- a/security/Kconfig
153 ++++ b/security/Kconfig
154 +@@ -166,6 +166,7 @@ config HARDENED_USERCOPY
155 + config HARDENED_USERCOPY_FALLBACK
156 + bool "Allow usercopy whitelist violations to fallback to object size"
157 + depends on HARDENED_USERCOPY
158 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
159 + default y
160 + help
161 + This is a temporary option that allows missing usercopy whitelists
162 +@@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN
163 + bool "Refuse to copy allocations that span multiple pages"
164 + depends on HARDENED_USERCOPY
165 + depends on EXPERT
166 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
167 + help
168 + When a multi-page allocation is done without __GFP_COMP,
169 + hardened usercopy will reject attempts to copy it. There are,
170 +diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
171 +index 9e921fc72..f29bc13fa 100644
172 +--- a/security/selinux/Kconfig
173 ++++ b/security/selinux/Kconfig
174 +@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
175 + config SECURITY_SELINUX_DISABLE
176 + bool "NSA SELinux runtime disable"
177 + depends on SECURITY_SELINUX
178 ++ depends on !GENTOO_KERNEL_SELF_PROTECTION
179 + select SECURITY_WRITABLE_HOOKS
180 + default n
181 + help
182 +--
183 +2.31.1
184 +
185 +From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001
186 +From: Georgy Yakovlev <gyakovlev@g.o>
187 +Date: Tue, 8 Jun 2021 13:59:57 -0700
188 +Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default
189 +
190 +---
191 + mm/Kconfig | 2 ++
192 + 1 file changed, 2 insertions(+)
193 +
194 +diff --git a/mm/Kconfig b/mm/Kconfig
195 +index 24c045b24..e13fc740c 100644
196 +--- a/mm/Kconfig
197 ++++ b/mm/Kconfig
198 +@@ -321,6 +321,8 @@ config KSM
199 + config DEFAULT_MMAP_MIN_ADDR
200 + int "Low address space to protect from user allocation"
201 + depends on MMU
202 ++ default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION
203 ++ default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION
204 + default 4096
205 + help
206 + This is the portion of low virtual memory which should be protected
207 +--
208 +2.31.1
209 +```
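Review bot: `select CONFIG_GCC_PLUGINS` (page line 92) and `select CONFIG_UNMAP_KERNEL_AT_EL0` (page line 122) carry the `CONFIG_` prefix, which Kconfig symbol references never use, so each selects an undefined symbol and the real GCC_PLUGINS / UNMAP_KERNEL_AT_EL0 stay off; they should read `select GCC_PLUGINS` and `select UNMAP_KERNEL_AT_EL0`, and without the former the GCC_PLUGIN_* selects that follow only produce unmet-dependency warnings instead of hardening. Several other selected symbols appear to have been removed before 5.13 — REFCOUNT_FULL (around 5.5) and PAGE_POISONING_NO_SANITY / PAGE_POISONING_ZERO (around 5.11) — so please confirm against this branch's Kconfig and prune them, since a `select` of a symbol that no longer exists silently does nothing. `select` also bypasses the target's own dependencies (for example SECURITY_YAMA needs SECURITY, which nothing in this block enables), so `imply`, or selecting the base symbols as well, would make the intended settings actually take effect rather than warn. The prompt on page line 48 misspells "Independent", and the closing "```" on page line 209 looks like a paste artifact that does not belong in the patch file. The `menu "Gentoo Linux"` that the context `endmenu` on page line 149 closes begins outside this hunk.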