commit: 22f4eb42e182ecb54358b492c391c9e06ee89753 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Tue Jun 8 22:41:36 2021 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Tue Jun 8 22:41:36 2021 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=22f4eb42
CONFIG opt to enable a subset of Kernel Self Protection Project settings Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 4567_distro-Gentoo-Kconfig.patch | 177 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 171 insertions(+), 6 deletions(-) diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch index e754a3e..635de00 100644 --- a/4567_distro-Gentoo-Kconfig.patch +++ b/4567_distro-Gentoo-Kconfig.patch @@ -1,14 +1,14 @@ ---- a/Kconfig 2020-04-15 11:05:30.202413863 -0400 -+++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400 -@@ -32,3 +32,5 @@ source "lib/Kconfig" +--- a/Kconfig 2021-06-04 19:03:33.646823432 -0400 ++++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400 +@@ -30,3 +30,5 @@ source "lib/Kconfig" source "lib/Kconfig.debug" source "Documentation/Kconfig" + +source "distro/Kconfig" ---- /dev/null 2020-09-24 03:06:47.590000000 -0400 -+++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400 -@@ -0,0 +1,158 @@ +--- /dev/null 2021-06-08 16:56:49.698138501 -0400 ++++ b/distro/Kconfig 2021-06-08 17:11:33.377999003 -0400 +@@ -0,0 +1,263 @@ +menu "Gentoo Linux" + +config GENTOO_LINUX @@ -166,4 +166,169 @@ + +endmenu + ++menu "Enable Kernel Self Protection Project Recommendations" ++ visible if GENTOO_LINUX ++ ++config GENTOO_KERNEL_SELF_PROTECTION ++ bool "Architecture Independent Kernel Self Protection Project Recommendations" ++ ++ help ++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project ++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings ++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due ++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for ++ dependency information on your specific architecture. ++ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 ++ for X86_64 ++ ++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL ++ ++ select BUG ++ select STRICT_KERNEL_RWX ++ select DEBUG_WX ++ select STACKPROTECTOR ++ select STACKPROTECTOR_STRONG ++ select STRICT_DEVMEM ++ select IO_STRICT_DEVMEM ++ select SYN_COOKIES ++ select DEBUG_CREDENTIALS ++ select DEBUG_NOTIFIERS ++ select DEBUG_LIST ++ select DEBUG_SG ++ select BUG_ON_DATA_CORRUPTION ++ select SCHED_STACK_END_CHECK ++ select SECCOMP ++ select SECCOMP_FILTER ++ select SECURITY_YAMA ++ select SLAB_FREELIST_RANDOM ++ select SLAB_FREELIST_HARDENED ++ select SHUFFLE_PAGE_ALLOCATOR ++ select SLUB_DEBUG ++ select PAGE_POISONING ++ select PAGE_POISONING_NO_SANITY ++ select PAGE_POISONING_ZERO ++ select INIT_ON_ALLOC_DEFAULT_ON ++ select INIT_ON_FREE_DEFAULT_ON ++ select VMAP_STACK ++ select REFCOUNT_FULL ++ select FORTIFY_SOURCE ++ select SECURITY_DMESG_RESTRICT ++ select PANIC_ON_OOPS ++ select CONFIG_GCC_PLUGINS ++ select GCC_PLUGIN_LATENT_ENTROPY ++ select GCC_PLUGIN_STRUCTLEAK ++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL ++ select GCC_PLUGIN_STACKLEAK ++ select GCC_PLUGIN_RANDSTRUCT ++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE ++ ++menu "Architecture Specific Self Protection Project Recommendations" ++ ++config GENTOO_KERNEL_SELF_PROTECTION_X86_64 ++ bool "X86_64 KSPP Settings" ++ ++ depends on !X86_MSR && X86_64 ++ default n ++ ++ select RANDOMIZE_BASE ++ select RANDOMIZE_MEMORY ++ select LEGACY_VSYSCALL_NONE ++ select PAGE_TABLE_ISOLATION ++ ++ ++config GENTOO_KERNEL_SELF_PROTECTION_ARM64 ++ bool "ARM64 KSPP Settings" ++ ++ depends on ARM64 ++ default n ++ ++ select RANDOMIZE_BASE ++ select ARM64_SW_TTBR0_PAN ++ select CONFIG_UNMAP_KERNEL_AT_EL0 ++ ++config GENTOO_KERNEL_SELF_PROTECTION_X86_32 ++ bool "X86_32 KSPP Settings" ++ ++ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 ++ default n ++ ++ select HIGHMEM64G ++ select X86_PAE ++ select RANDOMIZE_BASE ++ select PAGE_TABLE_ISOLATION ++ ++config GENTOO_KERNEL_SELF_PROTECTION_ARM ++ bool "ARM KSPP Settings" ++ ++ depends on !OABI_COMPAT && ARM ++ default n ++ ++ select VMSPLIT_3G ++ select STRICT_MEMORY_RWX ++ select CPU_SW_DOMAIN_PAN ++ ++endmenu ++ ++endmenu ++ +endmenu +diff --git a/security/Kconfig b/security/Kconfig +index 7561f6f99..01f0bf73f 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -166,6 +166,7 @@ config HARDENED_USERCOPY + config HARDENED_USERCOPY_FALLBACK + bool "Allow usercopy whitelist violations to fallback to object size" + depends on HARDENED_USERCOPY ++ depends on !GENTOO_KERNEL_SELF_PROTECTION + default y + help + This is a temporary option that allows missing usercopy whitelists +@@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN + bool "Refuse to copy allocations that span multiple pages" + depends on HARDENED_USERCOPY + depends on EXPERT ++ depends on !GENTOO_KERNEL_SELF_PROTECTION + help + When a multi-page allocation is done without __GFP_COMP, + hardened usercopy will reject attempts to copy it. There are, +diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig +index 9e921fc72..f29bc13fa 100644 +--- a/security/selinux/Kconfig ++++ b/security/selinux/Kconfig +@@ -26,6 +26,7 @@ config SECURITY_SELINUX_BOOTPARAM + config SECURITY_SELINUX_DISABLE + bool "NSA SELinux runtime disable" + depends on SECURITY_SELINUX ++ depends on !GENTOO_KERNEL_SELF_PROTECTION + select SECURITY_WRITABLE_HOOKS + default n + help +-- +2.31.1 + +From bd3ff0b16792c18c0614c2b95e148943209f460a Mon Sep 17 00:00:00 2001 +From: Georgy Yakovlev <[email protected]> +Date: Tue, 8 Jun 2021 13:59:57 -0700 +Subject: [PATCH 2/2] set DEFAULT_MMAP_MIN_ADDR by default + +--- + mm/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/mm/Kconfig b/mm/Kconfig +index 24c045b24..e13fc740c 100644 +--- a/mm/Kconfig ++++ b/mm/Kconfig +@@ -321,6 +321,8 @@ config KSM + config DEFAULT_MMAP_MIN_ADDR + int "Low address space to protect from user allocation" + depends on MMU ++ default 65536 if ( X86_64 || X86_32 || PPC64 || IA64 ) && GENTOO_KERNEL_SELF_PROTECTION ++ default 32768 if ( ARM64 || ARM ) && GENTOO_KERNEL_SELF_PROTECTION + default 4096 + help + This is the portion of low virtual memory which should be protected +-- +2.31.1 +```
