commit: 7fc6a7b27e47caef4143b2b9f84b80a2634f5fe5 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
AuthorDate: Sun Jun 13 20:14:22 2021 +0000 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
CommitDate: Sun Jun 13 20:14:22 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=7fc6a7b2 |
|
Update to Kernel Self Protection patch |
|
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
|
4567_distro-Gentoo-Kconfig.patch | 177 +++++++++++++++++++++++++++++++++++++-- |
1 file changed, 171 insertions(+), 6 deletions(-) |
|
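diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch
index e754a3e..337ba12 100644
--- a/4567_distro-Gentoo-Kconfig.patch
+++ b/4567_distro-Gentoo-Kconfig.patch
@@ -1,14 +1,14 @@
---- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
-+++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
-@@ -32,3 +32,5 @@ source "lib/Kconfig"
+--- a/Kconfig 2021-06-04 19:03:33.646823432 -0400
++++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400
+@@ -30,3 +30,5 @@ source "lib/Kconfig"
 source "lib/Kconfig.debug"
 
 source "Documentation/Kconfig"
 +
 +source "distro/Kconfig"
---- /dev/null 2020-09-24 03:06:47.590000000 -0400
-+++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400
-@@ -0,0 +1,158 @@
+--- /dev/null 2021-06-08 16:56:49.698138501 -0400
++++ b/distro/Kconfig 2021-06-08 17:11:33.377999003 -0400
+@@ -0,0 +1,263 @@
 +menu "Gentoo Linux"
 +
 +config GENTOO_LINUX
@@ -166,4 +166,169 @@
 +
 +endmenu
 +
++menu "Enable Kernel Self Protection Project Recommendations"
++ visible if GENTOO_LINUX
++
++config GENTOO_KERNEL_SELF_PROTECTION
++ bool "Architecture Independant Kernel Self Protection Project Recommendations"
++
++ help
++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for
++ dependency information on your specific architecture.
++ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
++ for X86_64
++
++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL
++
++ select BUG
++ select STRICT_KERNEL_RWX
++ select DEBUG_WX
++ select STACKPROTECTOR
++ select STACKPROTECTOR_STRONG
++ select STRICT_DEVMEM
++ select IO_STRICT_DEVMEM
++ select SYN_COOKIES
++ select DEBUG_CREDENTIALS
++ select DEBUG_NOTIFIERS
++ select DEBUG_LIST
++ select DEBUG_SG
++ select BUG_ON_DATA_CORRUPTION
++ select SCHED_STACK_END_CHECK
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SECURITY_YAMA
++ select SLAB_FREELIST_RANDOM
++ select SLAB_FREELIST_HARDENED
++ select SHUFFLE_PAGE_ALLOCATOR
++ select SLUB_DEBUG
++ select PAGE_POISONING
++ select PAGE_POISONING_NO_SANITY
++ select PAGE_POISONING_ZERO
++ select INIT_ON_ALLOC_DEFAULT_ON
++ select INIT_ON_FREE_DEFAULT_ON
++ select VMAP_STACK
++ select REFCOUNT_FULL
++ select FORTIFY_SOURCE
++ select SECURITY_DMESG_RESTRICT
++ select PANIC_ON_OOPS
++ select CONFIG_GCC_PLUGINS
++ select GCC_PLUGIN_LATENT_ENTROPY
++ select GCC_PLUGIN_STRUCTLEAK
++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
++ select GCC_PLUGIN_STACKLEAK
++ select GCC_PLUGIN_RANDSTRUCT
++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
++
++menu "Architecture Specific Self Protection Project Recommendations"
++
++config GENTOO_KERNEL_SELF_PROTECTION_X86_64
++ bool "X86_64 KSPP Settings"
++
++ depends on !X86_MSR && X86_64
++ default n
++
++ select RANDOMIZE_BASE
++ select RANDOMIZE_MEMORY
++ select LEGACY_VSYSCALL_NONE
++ select PAGE_TABLE_ISOLATION
++
++
++config GENTOO_KERNEL_SELF_PROTECTION_ARM64
++ bool "ARM64 KSPP Settings"
++
++ depends on ARM64
++ default n
++
++ select RANDOMIZE_BASE
++ select ARM64_SW_TTBR0_PAN
++ select CONFIG_UNMAP_KERNEL_AT_EL0
++
++config GENTOO_KERNEL_SELF_PROTECTION_X86_32
++ bool "X86_32 KSPP Settings"
++
++ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
++ default n
++
++ select HIGHMEM64G
++ select X86_PAE
++ select RANDOMIZE_BASE
++ select PAGE_TABLE_ISOLATION
++
++config GENTOO_KERNEL_SELF_PROTECTION_ARM
++ bool "ARM KSPP Settings"
++
++ depends on !OABI_COMPAT && ARM
++ default n
++
++ select VMSPLIT_3G
++ select STRICT_MEMORY_RWX
++ select CPU_SW_DOMAIN_PAN
++
++endmenu
++
++endmenu
++
 +endmenu
+diff --git a/security/Kconfig b/security/Kconfig
+index 7561f6f99..01f0bf73f 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -166,6 +166,7 @@ config HARDENED_USERCOPY
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
++ depends on !GENTOO_KERNEL_SELF_PROTECTION
+ default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+@@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ bool "Refuse to copy allocations that span multiple pages"
+ depends on HARDENED_USERCOPY
+ depends on EXPERT
++ depends on !GENTOO_KERNEL_SELF_PROTECTION
+ help
+ When a multi-page allocation is done without __GFP_COMP,
+ hardened usercopy will reject attempts to copy it. There are,
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72..f29bc13fa 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
+ config SECURITY_SELINUX_DISABLE
+ bool "NSA SELinux runtime disable"
+ depends on SECURITY_SELINUX
++ depends on !GENTOO_KERNEL_SELF_PROTECTION
+ select SECURITY_WRITABLE_HOOKS
+ default n
+ help
+--
+2.31.1
+
+From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001
+From: Georgy Yakovlev <gyakovlev@g.o>
+Date: Tue, 8 Jun 2021 13:59:57 -0700
+Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default
+
+---
+ mm/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mm/Kconfig b/mm/Kconfig
+index 24c045b24..e13fc740c 100644
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -321,6 +321,8 @@ config KSM
+ config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ depends on MMU
++ default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION
++ default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION
+ default 4096
+ help
+ This is the portion of low virtual memory which should be protected
+--
+2.31.1
+```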
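Review bot: `select CONFIG_GCC_PLUGINS` and `select CONFIG_UNMAP_KERNEL_AT_EL0` in the second hunk name the symbols with the `CONFIG_` prefix, which Kconfig source never uses, so the real GCC_PLUGINS and UNMAP_KERNEL_AT_EL0 options are not enabled and the GCC_PLUGIN_* selects that follow are left with an unmet GCC_PLUGINS dependency; the lines should read `select GCC_PLUGINS` and `select UNMAP_KERNEL_AT_EL0`. REFCOUNT_FULL, PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO appear to have been dropped from mainline before the 2021 kernels this file targets, so those selects probably do nothing and should be checked against the target tree (and removed if absent) so the expected hardening is not silently lost. The prompt `bool "Architecture Independant Kernel Self Protection Project Recommendations"` misspells "Independent". Because `select` forces a symbol on regardless of that symbol's own dependencies, a one-line addition to the help text advising users to review the generated .config for unmet-dependency warnings would make the option's limits clearer.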