├── 0000_README └── 4567_distro-Gentoo-Kconfig.patch /0000_README: -------------------------------------------------------------------------------- 1 | README 2 | -------------------------------------------------------------------------- 3 | This patchset is the series of patches for gentoo-sources. 4 | It is designed for cross-compatibility, fixes and stability, with performance 5 | and additional features/driver support being secondary. 6 | 7 | Unless otherwise stated and marked as such, this kernel should be suitable for 8 | all environments. 9 | 10 | 11 | Patchset Numbering Scheme 12 | -------------------------------------------------------------------------- 13 | 14 | FIXES 15 | 1000-1400 linux-stable 16 | 1400-1500 linux-stable queue 17 | 1500-1700 security 18 | 1700-1800 architecture-related 19 | 1800-1900 mm/scheduling/misc 20 | 1900-2000 filesystems 21 | 2000-2100 networking core 22 | 2100-2200 storage core 23 | 2200-2300 power management (ACPI, APM) 24 | 2300-2400 bus (USB, IEEE1394, PCI, PCMCIA, ...) 25 | 2400-2500 network drivers 26 | 2500-2600 storage drivers 27 | 2600-2700 input 28 | 2700-2900 media (graphics, sound, tv) 29 | 2900-3000 other 30 | 3000-4000 reserved 31 | 32 | FEATURES 33 | 4000-4100 network 34 | 4100-4200 storage 35 | 4200-4300 graphics 36 | 4300-4400 filesystem 37 | 4400-4500 security enhancement 38 | 4500-4600 other 39 | 40 | EXPERIMENTAL 41 | 5000-5100 experimental patches (BFQ, ...) 42 | 43 | Individual Patch Descriptions: 44 | -------------------------------------------------------------------------- 45 | 46 | Patch: 4567_distro-Gentoo-Kconfig.patch 47 | From: Tom Wijsman 48 | Desc: Add Gentoo Linux support config settings and defaults. 49 | -------------------------------------------------------------------------------- /4567_distro-Gentoo-Kconfig.patch: -------------------------------------------------------------------------------- 1 | --- a/Kconfig 2021-06-04 19:03:33.646823432 -0400 2 | 
+++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400 3 | @@ -30,3 +30,5 @@ source "lib/Kconfig" 4 | source "lib/Kconfig.debug" 5 | 6 | source "Documentation/Kconfig" 7 | + 8 | +source "distro/Kconfig" 9 | --- /dev/null 2021-06-08 16:56:49.698138501 -0400 10 | +++ b/distro/Kconfig 2021-06-08 17:11:33.377999003 -0400 11 | 
@@ -0,0 +1,263 @@ 12 | +menu "Gentoo Linux" 13 | + 14 | +config GENTOO_LINUX 15 | + bool "Gentoo Linux support" 16 | + 17 | + default y 18 | + 19 | + help 20 | + In order to boot Gentoo Linux a minimal set of config settings needs to 21 | + be enabled in the kernel; to avoid the users from having to enable them 22 | + manually as part of a Gentoo Linux installation or a new clean config, 23 | + we enable these config settings by default for convenience. 24 | + 25 | + See the settings that become available for more details and fine-tuning. 26 | + 27 | +config GENTOO_LINUX_UDEV 28 | + bool "Linux dynamic and persistent device naming (userspace devfs) support" 29 | + 30 | + depends on GENTOO_LINUX 31 | + default y if GENTOO_LINUX 32 | + 33 | + select DEVTMPFS 34 | + select TMPFS 35 | + select UNIX 36 | + 37 | + select MMU 38 | + select SHMEM 39 | + 40 | + help 41 | + In order to boot Gentoo Linux a minimal set of config settings needs to 42 | + be enabled in the kernel; to avoid the users from having to enable them 43 | + manually as part of a Gentoo Linux installation or a new clean config, 44 | + we enable these config settings by default for convenience. 45 | + 46 | + Currently this only selects TMPFS, DEVTMPFS and their dependencies. 47 | + TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and 48 | + /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev. 49 | + 50 | + Some of these are critical files that need to be available early in the 51 | + boot process; if not available, it causes sysfs and udev to malfunction. 52 | + 53 | + To ensure Gentoo Linux boots, it is best to leave this setting enabled; 54 | + if you run a custom setup, you could consider whether to disable this. 
55 | + 56 | +config GENTOO_LINUX_PORTAGE 57 | + bool "Select options required by Portage features" 58 | + 59 | + depends on GENTOO_LINUX 60 | + default y if GENTOO_LINUX 61 | + 62 | + select CGROUPS 63 | + select NAMESPACES 64 | + select IPC_NS 65 | + select NET_NS 66 | + select PID_NS 67 | + select SYSVIPC 68 | + select UTS_NS 69 | + 70 | + help 71 | + This enables options required by various Portage FEATURES. 72 | + Currently this selects: 73 | + 74 | + CGROUPS (required for FEATURES=cgroup) 75 | + IPC_NS (required for FEATURES=ipc-sandbox) 76 | + NET_NS (required for FEATURES=network-sandbox) 77 | + PID_NS (required for FEATURES=pid-sandbox) 78 | + SYSVIPC (required by IPC_NS) 79 | + 80 | + 81 | + It is highly recommended that you leave this enabled as these FEATURES 82 | + are, or will soon be, enabled by default. 83 | + 84 | +menu "Support for init systems, system and service managers" 85 | + visible if GENTOO_LINUX 86 | + 87 | +config GENTOO_LINUX_INIT_SCRIPT 88 | + bool "OpenRC, runit and other script based systems and managers" 89 | + 90 | + default y if GENTOO_LINUX 91 | + 92 | + depends on GENTOO_LINUX 93 | + 94 | + select BINFMT_SCRIPT 95 | + select CGROUPS 96 | + select EPOLL 97 | + select FILE_LOCKING 98 | + select INOTIFY_USER 99 | + select SIGNALFD 100 | + select TIMERFD 101 | + 102 | + help 103 | + The init system is the first thing that loads after the kernel booted. 104 | + 105 | + These config settings allow you to select which init systems to support; 106 | + instead of having to select all the individual settings all over the 107 | + place, these settings allows you to select all the settings at once. 108 | + 109 | + This particular setting enables all the known requirements for OpenRC, 110 | + runit and similar script based systems and managers. 111 | + 112 | + If you are unsure about this, it is best to leave this setting enabled. 
113 | + 114 | +config GENTOO_LINUX_INIT_SYSTEMD 115 | + bool "systemd" 116 | + 117 | + default n 118 | + 119 | + depends on GENTOO_LINUX && GENTOO_LINUX_UDEV 120 | + 121 | + select AUTOFS4_FS 122 | + select BLK_DEV_BSG 123 | + select BPF_SYSCALL 124 | + select CGROUP_BPF 125 | + select CGROUPS 126 | + select CHECKPOINT_RESTORE 127 | + select CRYPTO_HMAC 128 | + select CRYPTO_SHA256 129 | + select CRYPTO_USER_API_HASH 130 | + select DEVPTS_MULTIPLE_INSTANCES 131 | + select DMIID if X86_32 || X86_64 || X86 132 | + select EPOLL 133 | + select FANOTIFY 134 | + select FHANDLE 135 | + select FILE_LOCKING 136 | + select INOTIFY_USER 137 | + select IPV6 138 | + select NET 139 | + select NET_NS 140 | + select PROC_FS 141 | + select SECCOMP 142 | + select SECCOMP_FILTER 143 | + select SIGNALFD 144 | + select SYSFS 145 | + select TIMERFD 146 | + select TMPFS_POSIX_ACL 147 | + select TMPFS_XATTR 148 | + select USER_NS 149 | + 150 | + select ANON_INODES 151 | + select BLOCK 152 | + select EVENTFD 153 | + select FSNOTIFY 154 | + select INET 155 | + select NLATTR 156 | + 157 | + help 158 | + The init system is the first thing that loads after the kernel booted. 159 | + 160 | + These config settings allow you to select which init systems to support; 161 | + instead of having to select all the individual settings all over the 162 | + place, these settings allows you to select all the settings at once. 163 | + 164 | + This particular setting enables all the known requirements for systemd; 165 | + it also enables suggested optional settings, as the package suggests to. 
166 | + 167 | +endmenu 168 | + 169 | +menu "Enable Kernel Self Protection Project Recommendations" 170 | + visible if GENTOO_LINUX 171 | + 172 | +config GENTOO_KERNEL_SELF_PROTECTION 173 | + bool "Architecture Independant Kernel Self Protection Project Recommendations" 174 | + 175 | + help 176 | + Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project 177 | + See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings 178 | + Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due 179 | + to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for 180 | + dependency information on your specific architecture. 181 | + Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 182 | + for X86_64 183 | + 184 | + depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL 185 | + 186 | + select BUG 187 | + select STRICT_KERNEL_RWX 188 | + select DEBUG_WX 189 | + select STACKPROTECTOR 190 | + select STACKPROTECTOR_STRONG 191 | + select STRICT_DEVMEM 192 | + select IO_STRICT_DEVMEM 193 | + select SYN_COOKIES 194 | + select DEBUG_CREDENTIALS 195 | + select DEBUG_NOTIFIERS 196 | + select DEBUG_LIST 197 | + select DEBUG_SG 198 | + select BUG_ON_DATA_CORRUPTION 199 | + select SCHED_STACK_END_CHECK 200 | + select SECCOMP 201 | + select SECCOMP_FILTER 202 | + select SECURITY_YAMA 203 | + select SLAB_FREELIST_RANDOM 204 | + select SLAB_FREELIST_HARDENED 205 | + select SHUFFLE_PAGE_ALLOCATOR 206 | + select SLUB_DEBUG 207 | + select PAGE_POISONING 208 | + select PAGE_POISONING_NO_SANITY 209 | + select PAGE_POISONING_ZERO 210 | + select INIT_ON_ALLOC_DEFAULT_ON 211 | + select INIT_ON_FREE_DEFAULT_ON 212 | + select VMAP_STACK 213 | + select REFCOUNT_FULL 214 | + select 
FORTIFY_SOURCE 215 | + select SECURITY_DMESG_RESTRICT 216 | + select PANIC_ON_OOPS 217 | + select CONFIG_GCC_PLUGINS 218 | + select GCC_PLUGIN_LATENT_ENTROPY 219 | + select GCC_PLUGIN_STRUCTLEAK 220 | + select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL 221 | + select GCC_PLUGIN_STACKLEAK 222 | + select GCC_PLUGIN_RANDSTRUCT 223 | + select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE 224 | + 225 | +menu "Architecture Specific Self Protection Project Recommendations" 226 | + 227 | +config GENTOO_KERNEL_SELF_PROTECTION_X86_64 228 | + bool "X86_64 KSPP Settings" 229 | + 230 | + depends on !X86_MSR && X86_64 231 | + default n 232 | + 233 | + select RANDOMIZE_BASE 234 | + select RANDOMIZE_MEMORY 235 | + select LEGACY_VSYSCALL_NONE 236 | + select PAGE_TABLE_ISOLATION 237 | + 238 | + 239 | +config GENTOO_KERNEL_SELF_PROTECTION_ARM64 240 | + bool "ARM64 KSPP Settings" 241 | + 242 | + depends on ARM64 243 | + default n 244 | + 245 | + select RANDOMIZE_BASE 246 | + select ARM64_SW_TTBR0_PAN 247 | + select CONFIG_UNMAP_KERNEL_AT_EL0 248 | + 249 | +config GENTOO_KERNEL_SELF_PROTECTION_X86_32 250 | + bool "X86_32 KSPP Settings" 251 | + 252 | + depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 253 | + default n 254 | + 255 | + select HIGHMEM64G 256 | + select X86_PAE 257 | + select RANDOMIZE_BASE 258 | + select PAGE_TABLE_ISOLATION 259 | + 260 | +config GENTOO_KERNEL_SELF_PROTECTION_ARM 261 | + bool "ARM KSPP Settings" 262 | + 263 | + depends on !OABI_COMPAT && ARM 264 | + default n 265 | + 266 | + select VMSPLIT_3G 267 | + select STRICT_MEMORY_RWX 268 | + select CPU_SW_DOMAIN_PAN 269 | + 270 | +endmenu 271 | + 272 | +endmenu 273 | + 274 | +endmenu 275 | diff --git a/security/Kconfig b/security/Kconfig 276 | index 7561f6f99..01f0bf73f 100644 277 | --- a/security/Kconfig 278 | +++ b/security/Kconfig 279 | 
@@ -166,6 +166,7 @@ config HARDENED_USERCOPY 280 | config HARDENED_USERCOPY_FALLBACK 281 | bool "Allow usercopy whitelist violations to fallback to object size" 282 | depends on HARDENED_USERCOPY 283 | + depends on !GENTOO_KERNEL_SELF_PROTECTION 284 | default y 285 | help 286 | This is a temporary option that allows missing usercopy whitelists 287 | @@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN 288 | bool "Refuse to copy allocations that span multiple pages" 289 | depends on HARDENED_USERCOPY 290 | depends on EXPERT 291 | + depends on !GENTOO_KERNEL_SELF_PROTECTION 292 | help 293 | When a multi-page allocation is done without __GFP_COMP, 294 | hardened usercopy will reject attempts to copy it. There are, 295 | diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig 296 | index 9e921fc72..f29bc13fa 100644 297 | --- a/security/selinux/Kconfig 298 | +++ b/security/selinux/Kconfig 299 | @@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM 300 | config SECURITY_SELINUX_DISABLE 301 | bool "NSA SELinux runtime disable" 302 | depends on SECURITY_SELINUX 303 | + depends on !GENTOO_KERNEL_SELF_PROTECTION 304 | select SECURITY_WRITABLE_HOOKS 305 | default n 306 | help 307 | -- 308 | 2.31.1 309 | 310 | From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001 311 | From: Georgy Yakovlev 312 | Date: Tue, 8 Jun 2021 13:59:57 -0700 313 | Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default 314 | 315 | --- 316 | mm/Kconfig | 2 ++ 317 | 1 file changed, 2 insertions(+) 318 | 319 | diff --git a/mm/Kconfig b/mm/Kconfig 320 | index 24c045b24..e13fc740c 100644 321 | --- a/mm/Kconfig 322 | +++ b/mm/Kconfig 323 | 
@@ -321,6 +321,8 @@ config KSM 324 | config DEFAULT_MMAP_MIN_ADDR 325 | int "Low address space to protect from user allocation" 326 | depends on MMU 327 | + default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION 328 | + default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION 329 | default 4096 330 | help 331 | This is the portion of low virtual memory which should be protected 332 | -- 333 | 2.31.1 334 | ``` 335 | --------------------------------------------------------------------------------
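Review bot: In the GENTOO_LINUX_INIT_SYSTEMD block of the distro/Kconfig hunk, `select DEVPTS_MULTIPLE_INSTANCES` and `select ANON_INODES` name symbols that mainline no longer has (dropped in v4.7 and v5.2 respectively); kconfig silently creates an undefined symbol when one is selected, so these two lines are dead and should be removed rather than left to suggest the feature is still being forced on. `select DMIID if X86_32 || X86_64 || X86` can be shortened to `select DMIID if X86`, since both X86_32 and X86_64 imply X86. The block's help text says it also enables "suggested optional settings"; marking which selects are hard requirements and which are the optional extras would let users prune the list without guessing. The same redundancy pattern appears higher up in the hunk, where `default y if GENTOO_LINUX` sits under `depends on GENTOO_LINUX` in GENTOO_LINUX_UDEV, GENTOO_LINUX_PORTAGE and GENTOO_LINUX_INIT_SCRIPT; a plain `default y` is equivalent there. The GENTOO_LINUX_PORTAGE help text lists CGROUPS, IPC_NS, NET_NS, PID_NS and SYSVIPC but omits NAMESPACES and UTS_NS, which the block selects too.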
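Review bot: `select CONFIG_GCC_PLUGINS` in the GENTOO_KERNEL_SELF_PROTECTION block is a no-op: Kconfig symbols are written without the CONFIG_ prefix, so this line selects an undefined symbol and GCC_PLUGINS itself is left to its own default, while the six GCC_PLUGIN_* selects beneath it depend on GCC_PLUGINS being on. Change it to `select GCC_PLUGINS`. Three more lines select symbols mainline has removed and can be dropped: REFCOUNT_FULL (the checks became unconditional in v5.5), PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO (both removed in v5.11). Keep in mind that select overrides the target's own dependencies rather than satisfying them: STACKPROTECTOR_STRONG (CC_HAS_STACKPROTECTOR_STRONG), GCC_PLUGINS (HAVE_GCC_PLUGINS) and SECURITY_YAMA (SECURITY, which this block never selects) will produce "unmet direct dependencies" warnings on a toolchain or config that lacks the prerequisite, so either add the missing selects (at least `select SECURITY`) or guard them with an `if`. After `make olddefconfig`, `scripts/config --state GCC_PLUGINS` and `scripts/config --state SECURITY` are a quick way to confirm the intended values actually landed in .config.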
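Review bot: `select CONFIG_UNMAP_KERNEL_AT_EL0` in GENTOO_KERNEL_SELF_PROTECTION_ARM64 has the CONFIG_ prefix problem: the symbol is UNMAP_KERNEL_AT_EL0, and as written the line selects nothing, so the arm64 kernel-unmap (KPTI) recommendation is not applied at all. In the same region, LEGACY_VSYSCALL_NONE (x86_64), HIGHMEM64G (x86_32) and VMSPLIT_3G (arm) are members of choice blocks, and kconfig does not reliably honour a select on a visible choice member; verify the resulting .config after `make olddefconfig` (for example `scripts/config --state LEGACY_VSYSCALL_NONE`), and if the value has not moved, drive the choice with a `default ... if GENTOO_KERNEL_SELF_PROTECTION_X86_64` on the choice itself instead of a select. `select STRICT_MEMORY_RWX` in the ARM block should be checked against this tree's arch/arm/Kconfig: the mainline symbol is STRICT_KERNEL_RWX, which the parent GENTOO_KERNEL_SELF_PROTECTION option already selects, so this line is likely another undefined-symbol no-op.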
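Review bot: The `depends on !GENTOO_KERNEL_SELF_PROTECTION` added to HARDENED_USERCOPY_FALLBACK only has an effect when HARDENED_USERCOPY is enabled, and nothing in the new GENTOO_KERNEL_SELF_PROTECTION option selects HARDENED_USERCOPY (its select list in distro/Kconfig runs from BUG and STRICT_KERNEL_RWX through the GCC plugins without it). Add `select HARDENED_USERCOPY` to that option; otherwise a user who turns on the KSPP menu but never visits the security menu gets neither the usercopy bounds checks nor this restriction. With that in place the hunk does the right thing, since the whitelist fallback is exactly the leniency KSPP recommends turning off.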
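Review bot: Hiding SECURITY_SELINUX_DISABLE under GENTOO_KERNEL_SELF_PROTECTION also drops the `select SECURITY_WRITABLE_HOOKS` it carries, which is the actual hardening gain (the LSM hook table can then be made read-only after init). That consequence, and the fact that runtime disabling through /sys/fs/selinux/disable goes away while the selinux=0 boot parameter under SECURITY_SELINUX_BOOTPARAM is unaffected, belongs in the GENTOO_KERNEL_SELF_PROTECTION help text; as it stands a user who relied on runtime disable simply finds the option missing from menuconfig with no hint why.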
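Review bot: The help text added by the first patch (Note 2 under GENTOO_KERNEL_SELF_PROTECTION) still tells users to set CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 by hand; with these defaults in place that paragraph is stale and should be updated in the same series. Two caveats are worth a line in the commit message: a `default` only applies when the symbol has no value yet, so anyone carrying an existing .config with DEFAULT_MMAP_MIN_ADDR=4096 keeps 4096 through `make olddefconfig` and needs an explicit `scripts/config --set-val DEFAULT_MMAP_MIN_ADDR 65536` (or 32768 on arm/arm64); and the result is correct only because the two new lines sit above `default 4096`, since kconfig takes the first default whose condition holds, so keep them above it in any rebase.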