
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:master commit in: /
Date: Sun, 09 Jan 2022 20:04:51
Message-Id: 1641758644.2261652e5e3a9a61b7147d6e93282bc54833c734.mpagano@gentoo
1 commit: 2261652e5e3a9a61b7147d6e93282bc54833c734
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jan 9 20:03:10 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 9 20:04:04 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=2261652e
7
8 Revert "Update Gentoo Distro patch, thanks to gyakovlev"
9
10 This reverts commit 632cc59cc8462f3f01085d1b76cc304488a06394.
11
12 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
13
14 4567_distro-Gentoo-Kconfig.patch | 251 ++++++++++++++++-----------------------
15 1 file changed, 102 insertions(+), 149 deletions(-)
16
17 diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch
18 index 97665869..24b75095 100644
19 --- a/4567_distro-Gentoo-Kconfig.patch
20 +++ b/4567_distro-Gentoo-Kconfig.patch
21 @@ -1,19 +1,14 @@
22 -diff --git a/Kconfig b/Kconfig
23 -index 745bc773f..e306bacea 100644
24 ---- a/Kconfig
25 -+++ b/Kconfig
26 +--- a/Kconfig 2021-06-04 19:03:33.646823432 -0400
27 ++++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400
28 @@ -30,3 +30,5 @@ source "lib/Kconfig"
29 source "lib/Kconfig.debug"
30
31 source "Documentation/Kconfig"
32 +
33 +source "distro/Kconfig"
34 -diff --git a/distro/Kconfig b/distro/Kconfig
35 -new file mode 100644
36 -index 000000000..94d6e1886
37 ---- /dev/null
38 -+++ b/distro/Kconfig
39 -@@ -0,0 +1,295 @@
40 +--- /dev/null 2021-12-21 08:57:43.779324794 -0500
41 ++++ b/distro/Kconfig 2021-12-21 14:12:07.964572417 -0500
42 +@@ -0,0 +1,283 @@
43 +menu "Gentoo Linux"
44 +
45 +config GENTOO_LINUX
46 @@ -80,8 +75,9 @@ index 000000000..94d6e1886
47 + CGROUPS (required for FEATURES=cgroup)
48 + IPC_NS (required for FEATURES=ipc-sandbox)
49 + NET_NS (required for FEATURES=network-sandbox)
50 -+ PID_NS (required for FEATURES=pid-sandbox)
51 ++ PID_NS (required for FEATURES=pid-sandbox)
52 + SYSVIPC (required by IPC_NS)
53 ++
54 +
55 + It is highly recommended that you leave this enabled as these FEATURES
56 + are, or will soon be, enabled by default.
57 @@ -128,7 +124,7 @@ index 000000000..94d6e1886
58 + select BPF_SYSCALL
59 + select CGROUP_BPF
60 + select CGROUPS
61 -+ select CRYPTO_HMAC
62 ++ select CRYPTO_HMAC
63 + select CRYPTO_SHA256
64 + select CRYPTO_USER_API_HASH
65 + select DEVPTS_MULTIPLE_INSTANCES
66 @@ -170,104 +166,102 @@ index 000000000..94d6e1886
67 +
68 +endmenu
69 +
70 -+menu "Kernel Self Protection Project"
71 -+ visible if GENTOO_LINUX
72 ++menuconfig GENTOO_KERNEL_SELF_PROTECTION
73 ++ bool "Kernel Self Protection Project"
74 ++ depends on GENTOO_LINUX
75 ++ help
76 ++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
77 ++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
78 ++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
79 ++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for
80 ++ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
81 ++ specific architecture.
82 ++ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
83 ++ for X86_64
84 +
85 -+config GENTOO_KERNEL_SELF_PROTECTION
86 ++if GENTOO_KERNEL_SELF_PROTECTION
87 ++config GENTOO_KERNEL_SELF_PROTECTION_COMMON
88 + bool "Enable Kernel Self Protection Project Recommendations"
89 +
90 -+ depends on GENTOO_LINUX && EXPERT && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !MODIFY_LDT_SYSCALL
91 ++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS
92 +
93 + select BUG
94 -+ select STRICT_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX
95 -+ select DEBUG_FS
96 -+ select DEBUG_WX if ARCH_HAS_DEBUG_WX && MMU
97 -+ select STACKPROTECTOR if HAVE_STACKPROTECTOR
98 -+ select STACKPROTECTOR_STRONG if HAVE_STACKPROTECTOR
99 -+ select STRICT_DEVMEM if DEVMEM=y && (ARCH_HAS_DEVMEM_IS_ALLOWED || GENERIC_LIB_DEVMEM_IS_ALLOWED)
100 -+ select IO_STRICT_DEVMEM if STRICT_DEVMEM
101 -+ select SYN_COOKIES if NET && INET
102 -+ select DEBUG_CREDENTIALS if DEBUG_KERNEL
103 -+ select DEBUG_NOTIFIERS if DEBUG_KERNEL
104 ++ select STRICT_KERNEL_RWX
105 ++ select DEBUG_WX
106 ++ select STACKPROTECTOR
107 ++ select STACKPROTECTOR_STRONG
108 ++ select STRICT_DEVMEM if DEVMEM=y
109 ++ select IO_STRICT_DEVMEM if DEVMEM=y
110 ++ select SYN_COOKIES
111 ++ select DEBUG_CREDENTIALS
112 ++ select DEBUG_NOTIFIERS
113 + select DEBUG_LIST
114 -+ select DEBUG_SG if DEBUG_KERNEL
115 ++ select DEBUG_SG
116 + select BUG_ON_DATA_CORRUPTION
117 -+ select SCHED_STACK_END_CHECK if DEBUG_KERNEL
118 ++ select SCHED_STACK_END_CHECK
119 + select SECCOMP if HAVE_ARCH_SECCOMP
120 + select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
121 -+ select SECURITY if SYSFS && MULTIUSER
122 -+ select SECURITY_YAMA if SECURITY
123 -+ select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR
124 -+ select SLAB_FREELIST_RANDOM if SLAB || SLUB
125 -+ select SLAB_FREELIST_HARDENED if SLAB || SLUB
126 ++ select SECURITY_YAMA
127 ++ select SLAB_FREELIST_RANDOM
128 ++ select SLAB_FREELIST_HARDENED
129 + select SHUFFLE_PAGE_ALLOCATOR
130 -+ select SLUB_DEBUG if SLUB && SYSFS
131 -+ select SLUB_DEBUG_ON if SLUB_DEBUG
132 ++ select SLUB_DEBUG
133 + select PAGE_POISONING
134 + select PAGE_POISONING_NO_SANITY
135 + select PAGE_POISONING_ZERO
136 + select INIT_ON_ALLOC_DEFAULT_ON
137 + select INIT_ON_FREE_DEFAULT_ON
138 -+ select FORTIFY_SOURCE if ARCH_HAS_FORTIFY_SOURCE && !CC_IS_CLANG
139 -+ select SECURITY_DMESG_RESTRICT
140 ++ select REFCOUNT_FULL
141 ++ select FORTIFY_SOURCE
142 ++ select SECURITY_DMESG_RESTRICT
143 + select PANIC_ON_OOPS
144 -+ select DEBUG_STACKOVERFLOW if DEBUG_KERNEL && HAVE_DEBUG_STACKOVERFLOW
145 -+ select VMAP_STACK if HAVE_ARCH_VMAP_STACK
146 -+ select STRICT_MODULE_RWX if ARCH_HAS_STRICT_MODULE_RWX && ARCH_OPTIONAL_KERNEL_RWX && MODULES
147 -+ select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS
148 -+ select INIT_STACK_ALL_PATTERN if CC_HAS_AUTO_VAR_INIT_PATTERN && !CC_HAS_AUTO_VAR_INIT_ZERO
149 -+ select INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO
150 -+ select GCC_PLUGINS if HAVE_GCC_PLUGINS && CC_IS_GCC
151 -+ select GCC_PLUGIN_LATENT_ENTROPY if GCC_PLUGINS
152 -+ select GCC_PLUGIN_STRUCTLEAK if GCC_PLUGINS
153 -+ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GCC_PLUGINS
154 -+ select GCC_PLUGIN_STRUCTLEAK_VERBOSE if GCC_PLUGINS && GCC_PLUGIN_STRUCTLEAK
155 -+ select GCC_PLUGIN_RANDSTRUCT if GCC_PLUGINS
156 -+ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE if GCC_PLUGINS && GCC_PLUGIN_RANDSTRUCT
157 -+ select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS && HAVE_ARCH_STACKLEAK
158 ++ select GCC_PLUGIN_LATENT_ENTROPY
159 ++ select GCC_PLUGIN_STRUCTLEAK
160 ++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
161 ++ select GCC_PLUGIN_RANDSTRUCT
162 ++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
163 +
164 + help
165 -+ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
166 -+ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
167 -+ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
168 -+ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION and search for
169 -+ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
170 -+ specific architecture.
171 -+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
172 -+ for X86_64
173 ++ Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency
174 ++ information on your specific architecture. Note 2: Please see the URL above for
175 ++ numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64
176 +
177 +config GENTOO_KERNEL_SELF_PROTECTION_X86_64
178 -+ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION
179 -+
180 -+ depends on X86_64 && GENTOO_KERNEL_SELF_PROTECTION
181 -+ default y if X86_64 && GENTOO_KERNEL_SELF_PROTECTION
182 ++ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON
183 +
184 ++ depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION
185 ++ default n
186 ++
187 + select RANDOMIZE_BASE
188 + select RANDOMIZE_MEMORY
189 + select RELOCATABLE
190 + select LEGACY_VSYSCALL_NONE
191 -+ select PAGE_TABLE_ISOLATION
192 ++ select PAGE_TABLE_ISOLATION
193 ++ select GCC_PLUGIN_STACKLEAK
194 ++ select VMAP_STACK
195 +
196 +
197 +config GENTOO_KERNEL_SELF_PROTECTION_ARM64
198 + bool "ARM64 KSPP Settings"
199 +
200 -+ depends on ARM64 && GENTOO_KERNEL_SELF_PROTECTION
201 -+ default y if ARM64 && GENTOO_KERNEL_SELF_PROTECTION
202 ++ depends on ARM64
203 ++ default n
204 +
205 + select RANDOMIZE_BASE
206 + select RELOCATABLE
207 + select ARM64_SW_TTBR0_PAN
208 + select CONFIG_UNMAP_KERNEL_AT_EL0
209 ++ select GCC_PLUGIN_STACKLEAK
210 ++ select VMAP_STACK
211 +
212 +config GENTOO_KERNEL_SELF_PROTECTION_X86_32
213 + bool "X86_32 KSPP Settings"
214 +
215 -+ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 && GENTOO_KERNEL_SELF_PROTECTION
216 -+ default y if X86_32 && GENTOO_KERNEL_SELF_PROTECTION
217 ++ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
218 ++ default n
219 +
220 -+ #select HIGHMEM64G
221 -+ #select X86_PAE
222 ++ select HIGHMEM64G
223 ++ select X86_PAE
224 + select RANDOMIZE_BASE
225 + select RELOCATABLE
226 + select PAGE_TABLE_ISOLATION
227 @@ -275,25 +269,14 @@ index 000000000..94d6e1886
228 +config GENTOO_KERNEL_SELF_PROTECTION_ARM
229 + bool "ARM KSPP Settings"
230 +
231 -+ depends on !OABI_COMPAT && ARM && GENTOO_KERNEL_SELF_PROTECTION
232 -+ default y if ARM && GENTOO_KERNEL_SELF_PROTECTION
233 ++ depends on !OABI_COMPAT && ARM
234 ++ default n
235 +
236 + select VMSPLIT_3G
237 + select STRICT_MEMORY_RWX
238 + select CPU_SW_DOMAIN_PAN
239 +
240 -+config GENTOO_KERNEL_SELF_PROTECTION_PPC
241 -+ bool "PPC KSPP Settings"
242 -+
243 -+ depends on !SCOM_DEBUGFS && !OPAL_CORE && PPC && GENTOO_KERNEL_SELF_PROTECTION
244 -+ default y if PPC && GENTOO_KERNEL_SELF_PROTECTION
245 -+
246 -+ select PPC_KUEP if PPC_HAVE_KUEP
247 -+ select PPC_KUAP if PPC_HAVE_KUAP
248 -+ select PPC_MEM_KEYS if PPC_BOOK3S_64
249 -+ select PPC_SUBPAGE_PROT if PPC_BOOK3S_64 && PPC_64K_PAGES
250 -+
251 -+endmenu
252 ++endif
253 +
254 +config GENTOO_PRINT_FIRMWARE_INFO
255 + bool "Print firmware information that the kernel attempts to load"
256 @@ -309,46 +292,45 @@ index 000000000..94d6e1886
257 + See the settings that become available for more details and fine-tuning.
258 +
259 +endmenu
260 -diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
261 -index 1da360c51..70963ba91 100644
262 ---- a/drivers/acpi/Kconfig
263 -+++ b/drivers/acpi/Kconfig
264 -@@ -445,7 +445,7 @@ config ACPI_HED
265 -
266 - config ACPI_CUSTOM_METHOD
267 - tristate "Allow ACPI methods to be inserted/replaced at run time"
268 -- depends on DEBUG_FS
269 -+ depends on DEBUG_FS && !GENTOO_KERNEL_SELF_PROTECTION
270 - help
271 - This debug facility allows ACPI AML methods to be inserted and/or
272 - replaced without rebooting the system. For details refer to:
273 -diff --git a/init/Kconfig b/init/Kconfig
274 -index 11f8a845f..9f3eff46f 100644
275 ---- a/init/Kconfig
276 -+++ b/init/Kconfig
277 -@@ -1879,6 +1879,7 @@ config SLUB_DEBUG
278 - config COMPAT_BRK
279 - bool "Disable heap randomization"
280 - default y
281 +--- a/security/Kconfig 2021-12-05 18:20:55.655677710 -0500
282 ++++ b/security/Kconfig 2021-12-05 18:23:42.404251618 -0500
283 +@@ -167,6 +167,7 @@ config HARDENED_USERCOPY_PAGESPAN
284 + bool "Refuse to copy allocations that span multiple pages"
285 + depends on HARDENED_USERCOPY
286 + depends on EXPERT
287 + depends on !GENTOO_KERNEL_SELF_PROTECTION
288 help
289 - Randomizing heap placement makes heap exploits harder, but it
290 - also breaks ancient binaries (including anything libc5 based).
291 -@@ -1925,7 +1926,9 @@ endchoice
292 -
293 - config SLAB_MERGE_DEFAULT
294 - bool "Allow slab caches to be merged"
295 -+ default n if GENTOO_KERNEL_SELF_PROTECTION
296 - default y
297 + When a multi-page allocation is done without __GFP_COMP,
298 + hardened usercopy will reject attempts to copy it. There are,
299 +diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
300 +index 9e921fc72..f29bc13fa 100644
301 +--- a/security/selinux/Kconfig
302 ++++ b/security/selinux/Kconfig
303 +@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
304 + config SECURITY_SELINUX_DISABLE
305 + bool "NSA SELinux runtime disable"
306 + depends on SECURITY_SELINUX
307 + depends on !GENTOO_KERNEL_SELF_PROTECTION
308 + select SECURITY_WRITABLE_HOOKS
309 + default n
310 help
311 - For reduced kernel memory fragmentation, slab caches can be
312 - merged when they share the same size and other characteristics.
313 +--
314 +2.31.1
315 +
316 +From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001
317 +From: Georgy Yakovlev <gyakovlev@g.o>
318 +Date: Tue, 8 Jun 2021 13:59:57 -0700
319 +Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default
320 +
321 +---
322 + mm/Kconfig | 2 ++
323 + 1 file changed, 2 insertions(+)
324 +
325 diff --git a/mm/Kconfig b/mm/Kconfig
326 -index c048dea7e..81a1dfd69 100644
327 +index 24c045b24..e13fc740c 100644
328 --- a/mm/Kconfig
329 +++ b/mm/Kconfig
330 -@@ -305,6 +305,8 @@ config KSM
331 +@@ -321,6 +321,8 @@ config KSM
332 config DEFAULT_MMAP_MIN_ADDR
333 int "Low address space to protect from user allocation"
334 depends on MMU
335 @@ -357,35 +339,6 @@ index c048dea7e..81a1dfd69 100644
336 default 4096
337 help
338 This is the portion of low virtual memory which should be protected
339 -diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
340 -index 90cbaff86..7b48339e8 100644
341 ---- a/security/Kconfig.hardening
342 -+++ b/security/Kconfig.hardening
343 -@@ -30,6 +30,7 @@ choice
344 - default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
345 - default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN
346 - default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN
347 -+ default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS
348 - default INIT_STACK_NONE
349 - help
350 - This option enables initialization of stack variables at
351 -@@ -45,6 +46,7 @@ choice
352 -
353 - config INIT_STACK_NONE
354 - bool "no automatic stack variable initialization (weakest)"
355 -+ depends on !GENTOO_KERNEL_SELF_PROTECTION
356 - help
357 - Disable automatic stack variable initialization.
358 - This leaves the kernel vulnerable to the standard
359 -diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
360 -index 9e921fc72..f29bc13fa 100644
361 ---- a/security/selinux/Kconfig
362 -+++ b/security/selinux/Kconfig
363 -@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM
364 - config SECURITY_SELINUX_DISABLE
365 - bool "NSA SELinux runtime disable"
366 - depends on SECURITY_SELINUX
367 -+ depends on !GENTOO_KERNEL_SELF_PROTECTION
368 - select SECURITY_WRITABLE_HOOKS
369 - default n
370 - help
371 +--
372 +2.31.1
373 +```