[gentoo-commits] proj/linux-patches:5.15 commit in: /

Thu, 12 May 2022 04:27:57 -0700 

commit:     8e7a70f33cfa13ed6f4a9f392ad47bd509cee810
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Wed May 11 17:04:41 2022 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Wed May 11 17:04:41 2022 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=8e7a70f3

Update Gentoo Hardened patchset based on KSPP thanks to Peter Bo

Bug: https://bugs.gentoo.org/841488

Added:
CONFIG_HARDENED_USERCOPY=y
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
CONFIG_KFENCE=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y

Dropped deprecated option:
!DEVKMEM

Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>

 4567_distro-Gentoo-Kconfig.patch | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch
index ab910775..77ae7dc1 100644
--- a/4567_distro-Gentoo-Kconfig.patch
+++ b/4567_distro-Gentoo-Kconfig.patch
@@ -1,14 +1,14 @@
---- a/Kconfig  2021-06-04 19:03:33.646823432 -0400
-+++ b/Kconfig  2021-06-04 19:03:40.508892817 -0400
+--- a/Kconfig  2022-05-11 08:37:26.685387031 -0400
++++ b/Kconfig  2022-05-11 08:38:35.672171690 -0400
 @@ -30,3 +30,5 @@ source "lib/Kconfig"
  source "lib/Kconfig.debug"
  
  source "Documentation/Kconfig"
 +
 +source "distro/Kconfig"
---- /dev/null  2022-01-30 08:12:05.041788304 -0500
-+++ b/distro/Kconfig   2022-01-30 15:28:10.030352980 -0500
-@@ -0,0 +1,285 @@
+--- /dev/null  2022-05-10 13:47:17.750578524 -0400
++++ b/distro/Kconfig   2022-05-11 12:43:39.114196110 -0400
+@@ -0,0 +1,290 @@
 +menu "Gentoo Linux"
 +
 +config GENTOO_LINUX
@@ -185,7 +185,7 @@
 +config GENTOO_KERNEL_SELF_PROTECTION_COMMON
 +      bool "Enable Kernel Self Protection Project Recommendations"
 +
-+      depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && 
!DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && 
!LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS
++      depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && 
!PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && 
!X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS && !IOMMU_DEFAULT_DMA_LAZY && 
!IOMMU_DEFAULT_PASSTHROUGH && IOMMU_DEFAULT_DMA_STRICT
 +
 +      select BUG
 +      select STRICT_KERNEL_RWX
@@ -199,7 +199,11 @@
 +      select DEBUG_NOTIFIERS
 +      select DEBUG_LIST
 +      select DEBUG_SG
++      select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 +      select BUG_ON_DATA_CORRUPTION
++      select KFENCE if HAVE_ARCH_KFENCE && (!SLAB || SLUB)
++      select RANDOMIZE_KSTACK_OFFSET_DEFAULT if 
HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET && (INIT_STACK_NONE || !CC_IS_CLANG || 
CLANG_VERSION>=140000)
++      select SCHED_CORE if SCHED_SMT
 +      select SCHED_STACK_END_CHECK
 +      select SECCOMP if HAVE_ARCH_SECCOMP
 +      select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
@@ -222,6 +226,7 @@
 +      select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 +      select GCC_PLUGIN_RANDSTRUCT
 +      select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
++      select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS
 +
 +      help
 +              Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, 
X86_32, ARM} for dependency 
@@ -294,19 +299,9 @@
 +              See the settings that become available for more details and 
fine-tuning.
 +
 +endmenu
-diff --git a/security/Kconfig b/security/Kconfig
-index 7561f6f99..01f0bf73f 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -166,6 +166,7 @@ config HARDENED_USERCOPY
- config HARDENED_USERCOPY_FALLBACK
-       bool "Allow usercopy whitelist violations to fallback to object size"
-       depends on HARDENED_USERCOPY
-+      depends on !GENTOO_KERNEL_SELF_PROTECTION
-       default y
-       help
-         This is a temporary option that allows missing usercopy whitelists
-@@ -181,6 +182,7 @@ config HARDENED_USERCOPY_PAGESPAN
+--- a/security/Kconfig 2021-12-05 18:20:55.655677710 -0500
++++ b/security/Kconfig 2021-12-05 18:23:42.404251618 -0500
+@@ -167,6 +167,7 @@ config HARDENED_USERCOPY_PAGESPAN
        bool "Refuse to copy allocations that span multiple pages"
        depends on HARDENED_USERCOPY
        depends on EXPERT
@@ -353,3 +348,4 @@ index 24c045b24..e13fc740c 100644
          This is the portion of low virtual memory which should be protected
 -- 
 2.31.1
+```

Reply via email to