public inbox for development@lists.ipfire.org
* [PATCH 00/11] Kernel: Improve hardening
@ 2022-03-19 21:08 Peter Müller
  2022-03-19 21:08 ` [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits Peter Müller
                   ` (10 more replies)
  0 siblings, 11 replies; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:08 UTC (permalink / raw)
  To: development


This patchset improves hardening of our Linux kernel configurations for all
architectures. Most importantly, it features the activation of the "Linux
Security Module", also known as "kernel lockdown" (a phrase coined before the
pandemic), or LSM for short.

Being set to "integrity" mode for a start, LSM prevents the kernel from being
modified by various mechanisms, of which we have some already covered. However,
it comes as a more holistic approach, which is why enabling it is desirable
for our userbase.

Most of this patchset is based on recommendations by the "kconfig-hardened-check"
tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration
taken directly from KSPP and grsecurity.

Being unable to cross-compile IPFire for non-x86_64-architectures on my own,
and my VM on the Mustang currently being offline, this patchset does not come
with aligned kernel rootfiles for other architectures than x86_64. I am sorry
for any inconvenience and extra workload caused by this.

Also, for the sake of completeness, the effect of LSM on virtualisation has not
been tested due to time constraints, and a lack of an overview of _which_ virtualisation
features we officially support and which we don't. If in doubt, however, I believe
the security benefit gained from LSM outweighs a partial functional loss of
virtualisation - but that is a highly biased opinion. :-)

Peter Müller (11):
  Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
  Kernel: Disable support for tracing block I/O actions
  Kernel: Pin loading kernel files to one filesystem
  Kernel: Enable undefined behaviour sanity checker
  Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
  Kernel: Enable LSM support and set security level to "integrity"
  Kernel: Trigger BUG if data corruption is detected
  Kernel: Do not automatically load TTY line disciplines, only if
    necessary
  Kernel: Enable SVA support for both Intel and AMD CPUs
  Kernel: Disable function and stack tracers
  Kernel: Update rootfile for x86_64

 config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
 config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
 config/rootfiles/common/x86_64/linux       | 33 +++++++------
 5 files changed, 131 insertions(+), 100 deletions(-)

-- 
2.34.1

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
@ 2022-03-19 21:08 ` Peter Müller
  2022-03-23 11:42   ` Michael Tremer
  2022-03-19 21:08 ` [PATCH 02/11] Kernel: Disable support for tracing block I/O actions Peter Müller
                   ` (9 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:08 UTC (permalink / raw)
  To: development


This follows a recommendation by ClipOS, making ASLR bypassing attempts
harder.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 6728fa7f3..4205aa5bc 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -702,7 +702,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
-CONFIG_ARCH_MMAP_RND_BITS=18
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11
 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
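Review bot: the new value leaves CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 two lines below untouched, so 32-bit compat binaries (if this kernel supports any) keep a far weaker mmap randomisation; arm64 allows ARCH_MMAP_RND_COMPAT_BITS up to 16, which is also what kconfig-hardened-check recommends. Also, 32 is only taken as written if it is within ARCH_MMAP_RND_BITS_MAX for the configured VA size and page size (33 for 48-bit VA with 4K pages, but only 24 for 39-bit VA); kconfig clamps an out-of-range value to the maximum when the config is regenerated, so please state in the commit message which ARM64_VA_BITS/page-size combination this was verified against.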
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index d8482de92..ef36b8e22 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -778,7 +778,7 @@ CONFIG_MODULES_USE_ELF_REL=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
 CONFIG_HAVE_EXIT_THREAD=y
-CONFIG_ARCH_MMAP_RND_BITS=8
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
 CONFIG_CLONE_BACKWARDS=y
 CONFIG_OLD_SIGSUSPEND3=y
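Review bot: CONFIG_ARCH_MMAP_RND_BITS=32 is out of range on 32-bit ARM, where arch/arm/Kconfig caps ARCH_MMAP_RND_BITS_MAX at 16 (14 or 15 with a 1G/2G PAGE_OFFSET); kconfig clamps the value to that maximum on the next `make olddefconfig`, so the committed 32 is misleading and the real change is 8 -> 16 at best. Please commit the actual maximum (16) so the config file and the built kernel agree, and note in the commit message that the ClipOS recommendation of 32 targets 64-bit architectures.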
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 73911b2ab..d8045c15c 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -388,7 +388,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
-CONFIG_ARCH_MMAP_RND_BITS=18
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
 CONFIG_CLONE_BACKWARDS=y
 CONFIG_COMPAT_32BIT_TIME=y
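Review bot: same range problem as on armv6l: arch/riscv/Kconfig sets ARCH_MMAP_RND_BITS_MAX to 24 for 64-bit, so 32 is clamped to 24 when the config is regenerated; commit 24 here so the file reflects what is actually built.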
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 0f322826e..b14815545 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -742,7 +742,7 @@ CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
 CONFIG_HAVE_EXIT_THREAD=y
-CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_ARCH_MMAP_RND_BITS=32
 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
 CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
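Review bot: 32 is the x86_64 maximum, so this is the one architecture where the value is used as written. CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 directly below stays at the minimum; if CONFIG_IA32_EMULATION is enabled in this config, raising it to 16 (the x86 maximum) is the matching change, otherwise the commit message should say that compat processes are not supported and the value is irrelevant.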
-- 
2.34.1

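The range problem above is easy to miss by eye, so here is a small checker, written for this review and not part of the series or of IPFire's build tree, that parses a kernel .config and compares it with the settings this patchset introduces. The per-architecture limits are the ARCH_MMAP_RND_BITS_MAX defaults from arch/*/Kconfig (the arm64 figure assumes 48-bit VA and 4K pages), and the CONFIG_LSM check is there because loadpin and safesetid are only initialised when named in that list. The sample config is a constructed excerpt in the shape of the hunks, not an IPFire file.

```python
"""Check a kernel .config against the hardening settings of this series.

Added example for this review; not part of the patchset or of IPFire.
EXPECTED mirrors the hunks in the thread; MMAP_RND_BITS_MAX holds the
ARCH_MMAP_RND_BITS_MAX defaults from arch/*/Kconfig (arm64: 48-bit VA,
4K pages assumed).
"""
import re
import sys

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Values the series sets on every architecture (taken from the hunks).
EXPECTED = {
    "CONFIG_BLK_DEV_IO_TRACE": "n",
    "CONFIG_SECURITY_LOADPIN": "y",
    "CONFIG_SECURITY_LOADPIN_ENFORCE": "y",
    "CONFIG_UBSAN": "y",
    "CONFIG_UBSAN_BOUNDS": "y",
    "CONFIG_UBSAN_SANITIZE_ALL": "y",
    "CONFIG_SECURITY_SAFESETID": "y",
    "CONFIG_SECURITY_LOCKDOWN_LSM": "y",
    "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY": "y",
    "CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY": "y",
    "CONFIG_DEBUG_LIST": "y",
    "CONFIG_BUG_ON_DATA_CORRUPTION": "y",
    "CONFIG_LDISC_AUTOLOAD": "n",
}

# ARCH_MMAP_RND_BITS_MAX per architecture; kconfig clamps larger values.
MMAP_RND_BITS_MAX = {"x86_64": 32, "aarch64": 33, "riscv64": 24, "armv6l": 16}

# LSMs from this series that stay inert unless listed in CONFIG_LSM
# (lockdown is exempt: with LOCKDOWN_LSM_EARLY it is an early LSM).
LSM_LIST_REQUIRED = {"loadpin": "CONFIG_SECURITY_LOADPIN",
                     "safesetid": "CONFIG_SECURITY_SAFESETID"}


def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' becomes 'n', quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def check_config(text, arch):
    """Return a list of findings; an empty list means the config matches."""
    cfg = parse_config(text)
    findings = []
    for sym, want in EXPECTED.items():
        got = cfg.get(sym, "n")          # a symbol missing from .config is 'n'
        if got != want:
            findings.append(f"{sym}: expected {want}, found {got}")

    bits = cfg.get("CONFIG_ARCH_MMAP_RND_BITS")
    limit = MMAP_RND_BITS_MAX[arch]
    if bits is None:
        findings.append("CONFIG_ARCH_MMAP_RND_BITS: missing")
    elif int(bits) > limit:
        findings.append(f"CONFIG_ARCH_MMAP_RND_BITS={bits} exceeds {arch} maximum {limit}"
                        f" (kconfig clamps it to {limit})")

    enabled_lsms = cfg.get("CONFIG_LSM", "").split(",")
    for name, sym in LSM_LIST_REQUIRED.items():
        if cfg.get(sym) == "y" and name not in enabled_lsms:
            findings.append(f"{name}: {sym}=y but not listed in CONFIG_LSM, never initialised")
    return findings


# Constructed excerpt in the shape of the armv6l hunks; not a real IPFire file.
SAMPLE_ARMV6L = """\
CONFIG_ARCH_MMAP_RND_BITS=32
# CONFIG_BLK_DEV_IO_TRACE is not set
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENFORCE=y
CONFIG_UBSAN=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
CONFIG_DEBUG_LIST=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# CONFIG_LDISC_AUTOLOAD is not set
CONFIG_LSM="lockdown,yama,integrity,selinux,smack,tomoyo,apparmor"
"""
# Same excerpt with the LSM list fixed; on x86_64 the value 32 is in range.
SAMPLE_X86_64 = SAMPLE_ARMV6L.replace('CONFIG_LSM="lockdown,',
                                      'CONFIG_LSM="lockdown,loadpin,safesetid,')

if __name__ == "__main__":            # python3 check_hardening.py <arch> <.config>
    arch, path = sys.argv[1], sys.argv[2]
    problems = check_config(open(path).read(), arch)
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

Run against the committed files (`python3 check_hardening.py armv6l config/kernel/kernel.config.armv6l-ipfire`) it reports the clamped MMAP_RND_BITS value on armv6l and riscv64 and any LSM that is built but not listed; a clean run on all four architectures is the check a reviewer would want attached to the series.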

* [PATCH 02/11] Kernel: Disable support for tracing block I/O actions
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
  2022-03-19 21:08 ` [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits Peter Müller
@ 2022-03-19 21:08 ` Peter Müller
  2022-03-23 11:44   ` Michael Tremer
  2022-03-19 21:09 ` [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem Peter Müller
                   ` (8 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:08 UTC (permalink / raw)
  To: development


This is not needed on IPFire systems, and grsecurity recommends turning
this off.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 4205aa5bc..35c249253 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8166,7 +8166,7 @@ CONFIG_TRACER_SNAPSHOT=y
 # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
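Review bot: the commit message should name the user-visible effect: blktrace/btrace and any debugfs-based block tracing stop working on IPFire kernels, which deserves a line in the release notes. If the motivation is the tracing attack surface, note that CONFIG_UPROBE_EVENTS=y, CONFIG_DYNAMIC_EVENTS=y and CONFIG_PROBE_EVENTS=y in the context right below are left on, so root-only probing of user space remains available; either state that this is intentional or fold those into patch 10, where the other tracers are dropped.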
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index ef36b8e22..5b4ff8e20 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -8133,7 +8133,7 @@ CONFIG_TRACER_SNAPSHOT=y
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
 # CONFIG_PROFILE_ALL_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index d8045c15c..d4c0e0451 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6754,7 +6754,7 @@ CONFIG_TRACER_SNAPSHOT=y
 # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index b14815545..8b525ef89 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7605,7 +7605,7 @@ CONFIG_TRACER_SNAPSHOT=y
 # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-CONFIG_BLK_DEV_IO_TRACE=y
+# CONFIG_BLK_DEV_IO_TRACE is not set
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-- 
2.34.1


* [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
  2022-03-19 21:08 ` [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits Peter Müller
  2022-03-19 21:08 ` [PATCH 02/11] Kernel: Disable support for tracing block I/O actions Peter Müller
@ 2022-03-19 21:09 ` Peter Müller
  2022-03-21 17:15   ` Arne Fitzenreiter
  2022-03-19 21:09 ` [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker Peter Müller
                   ` (7 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:09 UTC (permalink / raw)
  To: development


This can be safely enabled on IPFire, as we never swap filesystems
during runtime.

Fixes: #12432

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 3 ++-
 config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
 config/kernel/kernel.config.riscv64-ipfire | 3 ++-
 config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 35c249253..d9179c061 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
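Review bot: LoadPin's guarantee depends on a property the commit message does not establish: the pinned filesystem must be read-only (Chrome OS pins to a dm-verity root). When the first module or firmware load comes from a writable block device, loadpin logs the device as writable and registers the kernel.loadpin.enforce sysctl, so a root process can switch enforcement off at runtime; CONFIG_SECURITY_LOADPIN_ENFORCE=y then merely sets the default. Also, the pin is taken on the first kernel file read, not on the root filesystem: if the IPFire boot path loads any module or firmware from an initramfs before the real root is mounted, the pin lands on that ramfs and every later load from / is refused in enforce mode. Please document which filesystem ends up pinned on a stock install (dmesg shows a "LoadPin:" line naming the device and whether it is read-only or writable) and whether "never swap filesystems" holds across the initramfs hand-over, add-on installs via pakfire and a USB rescue boot. Finally, loadpin is only initialised if it is named in CONFIG_LSM, which this series does not touch; please confirm that string contains it.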
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 5b4ff8e20..522278160 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index d4c0e0451..ebb830eb7 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 8b525ef89..675c3ce1e 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
-- 
2.34.1


* [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (2 preceding siblings ...)
  2022-03-19 21:09 ` [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem Peter Müller
@ 2022-03-19 21:09 ` Peter Müller
  2022-03-23 11:45   ` Michael Tremer
  2022-03-19 21:09 ` [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities Peter Müller
                   ` (6 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:09 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 13 ++++++++++++-
 config/kernel/kernel.config.armv6l-ipfire  | 13 ++++++++++++-
 config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
 config/kernel/kernel.config.x86_64-ipfire  | 13 ++++++++++++-
 4 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index d9179c061..b2ef43e51 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8008,7 +8008,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_KCSAN_COMPILER=y
 # end of Generic Kernel Debugging Instruments
 
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 522278160..13326a29c 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7989,7 +7989,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
 # CONFIG_DEBUG_FS_ALLOW_NONE is not set
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_KCSAN_COMPILER=y
 # end of Generic Kernel Debugging Instruments
 
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index ebb830eb7..fa4ee46fa 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6597,7 +6597,18 @@ CONFIG_HAVE_ARCH_KGDB=y
 CONFIG_HAVE_ARCH_KGDB_QXFER_PKT=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_KCSAN_COMPILER=y
 # end of Generic Kernel Debugging Instruments
 
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 675c3ce1e..e6a03a9e5 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7430,7 +7430,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
 CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
-# CONFIG_UBSAN is not set
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_TRAP is not set
+CONFIG_CC_HAS_UBSAN_BOUNDS=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_ONLY_BOUNDS=y
+CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_DIV_ZERO is not set
+CONFIG_UBSAN_BOOL=y
+CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_ALIGNMENT is not set
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_TEST_UBSAN is not set
 CONFIG_HAVE_ARCH_KCSAN=y
 CONFIG_HAVE_KCSAN_COMPILER=y
 # CONFIG_KCSAN is not set
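Review bot: with "# CONFIG_UBSAN_TRAP is not set" a detected out-of-bounds access or invalid shift only produces a WARN-style report in dmesg and execution continues, so as configured this is a debugging aid rather than a mitigation. KSPP and kconfig-hardened-check recommend CONFIG_UBSAN_TRAP=y together with CONFIG_UBSAN_BOUNDS=y (plus CONFIG_UBSAN_LOCAL_BOUNDS=y when building with clang), so that the faulting path traps in the same spirit as patch 07's BUG_ON_DATA_CORRUPTION. If you go that way, drop CONFIG_UBSAN_SHIFT=y, CONFIG_UBSAN_BOOL=y and CONFIG_UBSAN_ENUM=y: those checkers fire on in-tree code that is not a memory-safety bug and would turn into crashes under trap mode, which is why the KSPP list leaves them off. Either way the commit message is empty and should state the intended mode and the code-size and runtime cost of CONFIG_UBSAN_SANITIZE_ALL=y on the small ARM boards.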
-- 
2.34.1


* [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (3 preceding siblings ...)
  2022-03-19 21:09 ` [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker Peter Müller
@ 2022-03-19 21:09 ` Peter Müller
  2022-03-23 11:46   ` Michael Tremer
  2022-03-19 21:10 ` [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity" Peter Müller
                   ` (5 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:09 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b2ef43e51..b485c2fb6 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
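Review bot: CONFIG_SECURITY_SAFESETID=y is a no-op until a policy is written to securityfs (uid_allowlist_policy and gid_allowlist_policy under /sys/kernel/security/safesetid/ on current kernels) by an init script; nothing in this series adds one and the commit message is empty, so as submitted the patch changes nothing at runtime. It also has to be listed in CONFIG_LSM to be initialised at all, which the hunk does not show. If a policy is planned (for a daemon that drops from a fixed UID to fixed service UIDs, say), name the UIDs in the message, and keep two properties in mind: once a UID has any rule it may only setuid() to the listed targets and is denied CAP_SETUID/CAP_SETGID for anything else, and a target UID without rules of its own lets the process escape the policy on the next transition (the kernel logs "insecure policy detected" for such rules when the policy is loaded).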
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 13326a29c..98b554d91 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index fa4ee46fa..b595ae8cd 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index e6a03a9e5..b325feb1d 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
 CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_SAFESETID=y
 # CONFIG_SECURITY_LOCKDOWN_LSM is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
-- 
2.34.1

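To make the runtime behaviour of SafeSetID concrete, here is a model of its UID policy written for this review; it is neither IPFire code nor the kernel's, but follows the decision logic of security/safesetid/lsm.c as I read it (a UID with no rules is untouched, a UID with rules may only change to a listed target or to an ID it already holds) and the "src:dst" policy-file format from Documentation/admin-guide/LSM/SafeSetID.rst. The securityfs path is taken from that document and differs on older kernels; UIDs 100, 1000 and 1001 are made up for the scenario.

```python
"""Model of SafeSetID's UID transition policy (added example; not kernel or
IPFire code).  Decision logic follows security/safesetid/lsm.c as read by
the reviewer; the policy-file format is the one in
Documentation/admin-guide/LSM/SafeSetID.rst.  Assumed path on current
kernels: /sys/kernel/security/safesetid/uid_allowlist_policy
"""
from collections import defaultdict


class SafeSetIDPolicy:
    """A set of 'src:dst' UID rules as written to the securityfs policy file."""

    def __init__(self):
        self.rules = defaultdict(set)        # src uid -> permitted dst uids

    def allow(self, src, dst):
        self.rules[src].add(dst)
        return self

    @classmethod
    def parse(cls, text):
        """Parse policy text; each non-empty line is '<src>:<dst>'."""
        pol = cls()
        for line in text.splitlines():
            line = line.strip()
            if line:
                src, dst = line.split(":")
                pol.allow(int(src), int(dst))
        return pol

    def render(self):
        """Policy text; the kernel replaces the whole policy on each write."""
        return "".join(f"{s}:{d}\n" for s in sorted(self.rules)
                       for d in sorted(self.rules[s]))

    def is_constrained(self, uid):
        """A UID is constrained as soon as one rule names it as source."""
        return bool(self.rules.get(uid))

    def setuid_permitted(self, old_uid, old_euid, old_suid, new_uid):
        """Mirror of safesetid_task_fix_setuid() for the new real UID.

        The kernel applies the same check to the new euid and suid.
        """
        # An ID the task already holds never needs a rule.
        if new_uid in (old_uid, old_euid, old_suid):
            return True
        # Unconstrained source: SafeSetID stays out, plain CAP_SETUID rules apply.
        if not self.is_constrained(old_uid):
            return True
        return new_uid in self.rules[old_uid]

    def insecure_targets(self):
        """Rules whose target has no rules of its own: the task can move to
        the target first and then anywhere; the kernel warns about these as
        'insecure policy detected' when the policy is loaded."""
        return [(s, d) for s in sorted(self.rules) for d in sorted(self.rules[s])
                if not self.is_constrained(d)]


# Constructed scenario: a daemon starts as UID 100 and must only drop to the
# service UIDs 1000 and 1001, never back to 0.  All UIDs are made up.
POLICY_V1 = "100:1000\n100:1001\n"


def scenario():
    """Return (findings for policy v1, text of the corrected policy v2)."""
    v1 = SafeSetIDPolicy.parse(POLICY_V1)
    findings = {
        "100->1000": v1.setuid_permitted(100, 100, 100, 1000),  # listed: allowed
        "100->0": v1.setuid_permitted(100, 100, 100, 0),        # not listed: EACCES
        "0->100": v1.setuid_permitted(0, 0, 0, 100),            # root has no rules
        "no policy 100->0": SafeSetIDPolicy().setuid_permitted(100, 100, 100, 0),
        "leaks": v1.insecure_targets(),                         # 1000/1001 unconstrained
    }
    # v2 closes the leak: a self-rule pins each service UID to itself.
    v2 = SafeSetIDPolicy.parse(POLICY_V1).allow(1000, 1000).allow(1001, 1001)
    return findings, v2.render()


if __name__ == "__main__":
    findings, policy = scenario()
    print(findings)
    print(policy, end="")   # what an init script writes to the policy file
```

On a real system the text returned by scenario() is what an init script writes to the (assumed) policy file at boot, replacing any earlier policy; the "no policy" entry is why the kconfig change alone has no effect. Besides the setuid() check modelled here, the kernel also denies a constrained UID the use of CAP_SETUID/CAP_SETGID outside the set*id() calls themselves (passing forged credentials over a Unix socket, for instance), so a daemon under policy loses those capabilities for all practical purposes.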

* [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity"
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (4 preceding siblings ...)
  2022-03-19 21:09 ` [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities Peter Müller
@ 2022-03-19 21:10 ` Peter Müller
  2022-03-23 17:50   ` Michael Tremer
  2022-03-19 21:10 ` [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected Peter Müller
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:10 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 6 +++++-
 config/kernel/kernel.config.armv6l-ipfire  | 6 +++++-
 config/kernel/kernel.config.riscv64-ipfire | 6 +++++-
 config/kernel/kernel.config.x86_64-ipfire  | 6 +++++-
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b485c2fb6..356d9051d 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
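Review bot: the integrity claim only holds for modules if CONFIG_MODULE_SIG is set, which this hunk does not show: the LOCKDOWN_MODULE_SIGNATURE check lives in module_sig_check(), which is compiled out without module signing, so an unsigned module loaded by root still modifies the locked-down kernel. Please state the MODULE_SIG / MODULE_SIG_FORCE situation in the (currently empty) commit message or add module signing to the series. Two more things to document: CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y hard-codes the level, so it cannot be lowered at runtime or from the command line, only raised to confidentiality via /sys/kernel/security/lockdown; for a first release CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y plus lockdown=integrity on the kernel command line gives the same protection with a way to back out without a rebuild. And integrity mode refuses, among others, writes to /dev/mem, /dev/port and /dev/cpu/*/msr, ioperm/iopl, raw PCI config-space writes (setpci), ACPI table overrides, hibernation and kexec of unsigned images; since the cover letter says virtualisation was not tested, at least a smoke test of the supported hypervisor path and of any MSR/PCI tooling shipped with IPFire belongs in the commit message.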
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 98b554d91..9dab473d4 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index b595ae8cd..adef88dc9 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index b325feb1d..222b2dc53 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=y
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_SECURITY_SAFESETID=y
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 # CONFIG_SECURITY_LANDLOCK is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
-- 
2.34.1


* [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (5 preceding siblings ...)
  2022-03-19 21:10 ` [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity" Peter Müller
@ 2022-03-19 21:10 ` Peter Müller
  2022-03-23 17:53   ` Michael Tremer
  2022-03-19 21:10 ` [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary Peter Müller
                   ` (3 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:10 UTC (permalink / raw)
  To: development


Since we cannot trust the kernel to do the right thing (tm) in such a
situation anymore, triggering a BUG is less bad than running on a kernel
in an undefined state.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 4 ++--
 config/kernel/kernel.config.armv6l-ipfire  | 4 ++--
 config/kernel/kernel.config.riscv64-ipfire | 4 ++--
 config/kernel/kernel.config.x86_64-ipfire  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 356d9051d..06379d544 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8125,11 +8125,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
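Review bot: a BUG() on its own does not give the "stop running on an untrusted kernel" behaviour the commit message asks for: it kills the current task and the rest of the kernel carries on in exactly the state you say cannot be trusted. The fail-closed variant needs kernel.panic_on_oops=1 (and kernel.panic=<seconds> so a firewall reboots instead of hanging) in IPFire's sysctl defaults; please add that alongside this change or say why not. Minor: CONFIG_BUG_ON_DATA_CORRUPTION selects DEBUG_LIST, so the first changed line is implied. While in this block, "# CONFIG_DEBUG_NOTIFIERS is not set" and "# CONFIG_DEBUG_CREDENTIALS is not set" (and DEBUG_SG, the only one of the three with a noticeable cost on network-heavy boxes) are the related KSPP/kconfig-hardened-check items still left off in the visible context.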
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 9dab473d4..68e37304a 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -8091,11 +8091,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index adef88dc9..8cec9a200 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6714,11 +6714,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 222b2dc53..0c6731bd1 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7556,11 +7556,11 @@ CONFIG_STACKTRACE=y
 #
 # Debug kernel data structures
 #
-# CONFIG_DEBUG_LIST is not set
+CONFIG_DEBUG_LIST=y
 # CONFIG_DEBUG_PLIST is not set
 # CONFIG_DEBUG_SG is not set
 # CONFIG_DEBUG_NOTIFIERS is not set
-# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Debug kernel data structures
 
 # CONFIG_DEBUG_CREDENTIALS is not set
-- 
2.34.1


* [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (6 preceding siblings ...)
  2022-03-19 21:10 ` [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected Peter Müller
@ 2022-03-19 21:10 ` Peter Müller
  2022-03-23 17:54   ` Michael Tremer
  2022-03-19 21:10 ` [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs Peter Müller
                   ` (2 subsequent siblings)
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:10 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.armv6l-ipfire  | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 06379d544..0fcbed4a2 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -3410,7 +3410,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
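Review bot: the commit message is empty and the title overstates the effect. CONFIG_LDISC_AUTOLOAD only sets the boot default of the dev.tty.ldisc_autoload sysctl, and tty_ldisc_get() still auto-loads the module for a caller with CAP_SYS_MODULE; pppd or ldattach run as root therefore keep working, while an unprivileged process switching a tty to an unusual line discipline (the classic route into rarely exercised ldisc code) now gets EPERM unless the module is already loaded. Please say that in the message, and mention that root can flip it back with sysctl dev.tty.ldisc_autoload=1, so the new behaviour is discoverable when a serial-modem setup breaks.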
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 68e37304a..468c74112 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -3397,7 +3397,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 8cec9a200..de975e3f0 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -2915,7 +2915,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 0c6731bd1..0b9c79209 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -3382,7 +3382,7 @@ CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
 # CONFIG_LEGACY_PTYS is not set
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
-- 
2.34.1


* [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (7 preceding siblings ...)
  2022-03-19 21:10 ` [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary Peter Müller
@ 2022-03-19 21:10 ` Peter Müller
  2022-03-23 17:54   ` Michael Tremer
  2022-03-19 21:11 ` [PATCH 10/11] Kernel: Disable function and stack tracers Peter Müller
  2022-03-19 21:11 ` [PATCH 11/11] Kernel: Update rootfile for x86_64 Peter Müller
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:10 UTC (permalink / raw)
  To: development


Since running virtual machines is one of our legitimate use cases, it
makes sense to provide Qemu with the ability to take advantage of
IOMMU support for safer virtual memory allocation, if available.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.x86_64-ipfire | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 0b9c79209..42275d26f 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6179,6 +6179,7 @@ CONFIG_INTEL_IDMA64=m
 CONFIG_INTEL_IDXD_BUS=m
 CONFIG_INTEL_IDXD=m
 # CONFIG_INTEL_IDXD_COMPAT is not set
+# CONFIG_INTEL_IDXD_SVM is not set
 # CONFIG_INTEL_IDXD_PERFMON is not set
 CONFIG_INTEL_IOATDMA=m
 CONFIG_PLX_DMA=m
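Review bot: the new `# CONFIG_INTEL_IDXD_SVM is not set` line looks unrelated to the stated goal; it only shows up because the option becomes selectable once CONFIG_INTEL_IOMMU_SVM is enabled in the next hunk. Leaving it off is the conservative choice for a firewall, but say so in the commit message so it is not mistaken for a stray change.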
@@ -6476,11 +6477,12 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set
 # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 CONFIG_IOMMU_DMA=y
+CONFIG_IOMMU_SVA_LIB=y
 CONFIG_AMD_IOMMU=y
-# CONFIG_AMD_IOMMU_V2 is not set
+CONFIG_AMD_IOMMU_V2=y
 CONFIG_DMAR_TABLE=y
 CONFIG_INTEL_IOMMU=y
-# CONFIG_INTEL_IOMMU_SVM is not set
+CONFIG_INTEL_IOMMU_SVM=y
 # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
 CONFIG_INTEL_IOMMU_FLOPPY_WA=y
 # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
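Review bot: the justification does not match what the options do. CONFIG_INTEL_IOMMU_SVM, CONFIG_AMD_IOMMU_V2 and CONFIG_IOMMU_SVA_LIB add Shared Virtual Addressing (PASID-based sharing of a process address space with a device); DMA isolation for devices handed to a guest comes from CONFIG_INTEL_IOMMU and CONFIG_AMD_IOMMU, which the context lines show are already =y. Also, `# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set` is kept, so on Intel hardware the IOMMU stays inactive unless intel_iommu=on is on the kernel command line; either enable the default or document the parameter, and describe the actual effect of SVA rather than "safer virtual memory allocation".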
-- 
2.34.1


* [PATCH 10/11] Kernel: Disable function and stack tracers
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (8 preceding siblings ...)
  2022-03-19 21:10 ` [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs Peter Müller
@ 2022-03-19 21:11 ` Peter Müller
  2022-03-23 17:56   ` Michael Tremer
  2022-03-19 21:11 ` [PATCH 11/11] Kernel: Update rootfile for x86_64 Peter Müller
  10 siblings, 1 reply; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:11 UTC (permalink / raw)
  To: development


grsecurity recommends disabling this on non-development systems to
reduce attack surface. Since we never debug the kernel that deeply on
a production system, it makes sense to follow this recommendation.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 13 ++-----------
 config/kernel/kernel.config.armv6l-ipfire  | 13 ++-----------
 config/kernel/kernel.config.riscv64-ipfire | 13 ++-----------
 config/kernel/kernel.config.x86_64-ipfire  | 17 ++---------------
 4 files changed, 8 insertions(+), 48 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 0fcbed4a2..5bd15cc48 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -126,8 +126,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -7410,7 +7408,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -8166,12 +8163,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
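Review bot: the attack-surface argument only half applies as the hunk stands: CONFIG_FTRACE=y and CONFIG_SCHED_TRACER=y remain, and the next hunk keeps CONFIG_UPROBE_EVENTS, CONFIG_DYNAMIC_EVENTS and CONFIG_PROBE_EVENTS, so tracefs and the probe-based event interfaces stay available. If the intent is to remove kernel tracing from production images, disabling CONFIG_FTRACE would be the consistent step; if the remaining tracers are kept on purpose, the commit message should say why. The removed CONFIG_FUNCTION_GRAPH_TRACER, CONFIG_DYNAMIC_FTRACE* and CONFIG_FUNCTION_PROFILER lines are derived symbols that drop out with CONFIG_FUNCTION_TRACER, so a `make olddefconfig` pass should reproduce this hunk exactly.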
@@ -8186,7 +8179,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_HIST_TRIGGERS is not set
@@ -8194,7 +8186,6 @@ CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 468c74112..06010f893 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -133,8 +133,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -7414,7 +7412,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -8132,12 +8129,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
@@ -8153,7 +8146,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_HIST_TRIGGERS is not set
@@ -8161,7 +8153,6 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index de975e3f0..6b0aa466f 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -119,8 +119,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -6047,7 +6045,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -6754,12 +6751,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
@@ -6774,14 +6767,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_TRACE_EVENT_INJECT is not set
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 42275d26f..eee5e4a55 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -146,8 +146,6 @@ CONFIG_TREE_RCU=y
 # CONFIG_RCU_EXPERT is not set
 CONFIG_SRCU=y
 CONFIG_TREE_SRCU=y
-CONFIG_TASKS_RCU_GENERIC=y
-CONFIG_TASKS_RUDE_RCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 # end of RCU Subsystem
@@ -476,7 +474,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # CONFIG_CMDLINE_BOOL is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 CONFIG_HAVE_LIVEPATCH=y
-# CONFIG_LIVEPATCH is not set
 # end of Processor type and features
 
 CONFIG_ARCH_HAS_ADD_PAGES=y
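Review bot: the disappearing `# CONFIG_LIVEPATCH is not set` line is a side effect worth recording: livepatching depends on CONFIG_DYNAMIC_FTRACE_WITH_REGS, which goes away together with the function tracer, so the option is no longer even selectable. It was unset before, so the built kernel does not change, but the commit message should state that kernel live patching is off the table with this configuration.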
@@ -6823,7 +6820,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
 CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_CONSOLE is not set
 # CONFIG_PSTORE_PMSG is not set
-# CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
 # CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
@@ -7604,14 +7600,8 @@ CONFIG_GENERIC_TRACER=y
 CONFIG_TRACING_SUPPORT=y
 CONFIG_FTRACE=y
 # CONFIG_BOOTTIME_TRACING is not set
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUNCTION_GRAPH_TRACER=y
-CONFIG_DYNAMIC_FTRACE=y
-CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
-CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
-CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y
-CONFIG_FUNCTION_PROFILER=y
-CONFIG_STACK_TRACER=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_STACK_TRACER is not set
 # CONFIG_IRQSOFF_TRACER is not set
 CONFIG_SCHED_TRACER=y
 # CONFIG_HWLAT_TRACER is not set
@@ -7627,15 +7617,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
 CONFIG_UPROBE_EVENTS=y
 CONFIG_DYNAMIC_EVENTS=y
 CONFIG_PROBE_EVENTS=y
-CONFIG_FTRACE_MCOUNT_RECORD=y
-CONFIG_FTRACE_MCOUNT_USE_CC=y
 # CONFIG_SYNTH_EVENTS is not set
 # CONFIG_HIST_TRIGGERS is not set
 # CONFIG_TRACE_EVENT_INJECT is not set
 # CONFIG_TRACEPOINT_BENCHMARK is not set
 CONFIG_RING_BUFFER_BENCHMARK=m
 # CONFIG_TRACE_EVAL_MAP_FILE is not set
-# CONFIG_FTRACE_RECORD_RECURSION is not set
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
-- 
2.34.1


* [PATCH 11/11] Kernel: Update rootfile for x86_64
  2022-03-19 21:08 [PATCH 00/11] Kernel: Improve hardening Peter Müller
                   ` (9 preceding siblings ...)
  2022-03-19 21:11 ` [PATCH 10/11] Kernel: Disable function and stack tracers Peter Müller
@ 2022-03-19 21:11 ` Peter Müller
  10 siblings, 0 replies; 25+ messages in thread
From: Peter Müller @ 2022-03-19 21:11 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/common/x86_64/linux | 33 ++++++++++++++++------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index a01af1fc4..85d8ffc66 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -6408,6 +6408,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/ALX
 #lib/modules/KVER-ipfire/build/include/config/AMD8111_ETH
 #lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU
+#lib/modules/KVER-ipfire/build/include/config/AMD_IOMMU_V2
 #lib/modules/KVER-ipfire/build/include/config/AMD_NB
 #lib/modules/KVER-ipfire/build/include/config/AMD_PHY
 #lib/modules/KVER-ipfire/build/include/config/AMD_PMC
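Review bot: the commit message consists only of the sign-off. State which configuration changes this regeneration reflects (the AMD_IOMMU_V2 entry here comes from patch 09) and that the aarch64, armv6l and riscv64 rootfiles are still outstanding, as the cover letter already admits; otherwise a bisect lands on a commit with no explanation.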
@@ -6680,7 +6681,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INITRD
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_INTEGRITY_T10
-#lib/modules/KVER-ipfire/build/include/config/BLK_DEV_IO_TRACE
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_LOOP_MIN_COUNT
 #lib/modules/KVER-ipfire/build/include/config/BLK_DEV_MD
@@ -6763,6 +6763,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL
 #lib/modules/KVER-ipfire/build/include/config/BTT
 #lib/modules/KVER-ipfire/build/include/config/BUG
+#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION
 #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT
 #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT
 #lib/modules/KVER-ipfire/build/include/config/CACHEFILES
@@ -6786,6 +6787,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_NO_PROFILE_FN_ATTR
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANCOV_TRACE_PC
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANE_STACKPROTECTOR
+#lib/modules/KVER-ipfire/build/include/config/CC_HAS_UBSAN_BOUNDS
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_WORKING_NOSANITIZE_ADDRESS
 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ZERO_CALL_USED_REGS
 #lib/modules/KVER-ipfire/build/include/config/CC_IS_GCC
@@ -7086,6 +7088,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_FS_ALLOW_ALL
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
+#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX
 #lib/modules/KVER-ipfire/build/include/config/DECOMPRESS_BZIP2
@@ -7417,10 +7420,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_DEBUG_CORE
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_EVENTS
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_ARGS
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_DIRECT_CALLS
-#lib/modules/KVER-ipfire/build/include/config/DYNAMIC_FTRACE_WITH_REGS
 #lib/modules/KVER-ipfire/build/include/config/DYNAMIC_MEMORY_LAYOUT
 #lib/modules/KVER-ipfire/build/include/config/E100
 #lib/modules/KVER-ipfire/build/include/config/E1000
@@ -7589,14 +7588,9 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/FS_MBCACHE
 #lib/modules/KVER-ipfire/build/include/config/FS_POSIX_ACL
 #lib/modules/KVER-ipfire/build/include/config/FTRACE
-#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_RECORD
-#lib/modules/KVER-ipfire/build/include/config/FTRACE_MCOUNT_USE_CC
 #lib/modules/KVER-ipfire/build/include/config/FTRACE_SYSCALLS
 #lib/modules/KVER-ipfire/build/include/config/FUJITSU_ES
 #lib/modules/KVER-ipfire/build/include/config/FUJITSU_LAPTOP
-#lib/modules/KVER-ipfire/build/include/config/FUNCTION_GRAPH_TRACER
-#lib/modules/KVER-ipfire/build/include/config/FUNCTION_PROFILER
-#lib/modules/KVER-ipfire/build/include/config/FUNCTION_TRACER
 #lib/modules/KVER-ipfire/build/include/config/FUSE_FS
 #lib/modules/KVER-ipfire/build/include/config/FUSION
 #lib/modules/KVER-ipfire/build/include/config/FUSION_CTL
@@ -8070,6 +8064,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOATDMA
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_FLOPPY_WA
+#lib/modules/KVER-ipfire/build/include/config/INTEL_IOMMU_SVM
 #lib/modules/KVER-ipfire/build/include/config/INTEL_IPS
 #lib/modules/KVER-ipfire/build/include/config/INTEL_ISH_HID
 #lib/modules/KVER-ipfire/build/include/config/INTEL_LDMA
@@ -8090,6 +8085,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/IOMMU_IOVA
 #lib/modules/KVER-ipfire/build/include/config/IOMMU_IO_PGTABLE
 #lib/modules/KVER-ipfire/build/include/config/IOMMU_SUPPORT
+#lib/modules/KVER-ipfire/build/include/config/IOMMU_SVA_LIB
 #lib/modules/KVER-ipfire/build/include/config/IONIC
 #lib/modules/KVER-ipfire/build/include/config/IOSCHED_BFQ
 #lib/modules/KVER-ipfire/build/include/config/IOSF_MBI
@@ -8345,7 +8341,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/LAN743X
 #lib/modules/KVER-ipfire/build/include/config/LCD_CLASS_DEVICE
 #lib/modules/KVER-ipfire/build/include/config/LCD_PLATFORM
-#lib/modules/KVER-ipfire/build/include/config/LDISC_AUTOLOAD
 #lib/modules/KVER-ipfire/build/include/config/LDM_PARTITION
 #lib/modules/KVER-ipfire/build/include/config/LD_IS_BFD
 #lib/modules/KVER-ipfire/build/include/config/LD_ORPHAN_WARN
@@ -8414,6 +8409,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/LOCKD_V4
 #lib/modules/KVER-ipfire/build/include/config/LOCKUP_DETECTOR
 #lib/modules/KVER-ipfire/build/include/config/LOCK_DEBUGGING_SUPPORT
+#lib/modules/KVER-ipfire/build/include/config/LOCK_DOWN_KERNEL_FORCE_INTEGRITY
 #lib/modules/KVER-ipfire/build/include/config/LOCK_EVENT_COUNTS
 #lib/modules/KVER-ipfire/build/include/config/LOCK_SPIN_ON_OWNER
 #lib/modules/KVER-ipfire/build/include/config/LOGO
@@ -9867,6 +9863,11 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/SECURITY
 #lib/modules/KVER-ipfire/build/include/config/SECURITYFS
 #lib/modules/KVER-ipfire/build/include/config/SECURITY_DMESG_RESTRICT
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOADPIN_ENFORCE
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_LOCKDOWN_LSM_EARLY
+#lib/modules/KVER-ipfire/build/include/config/SECURITY_SAFESETID
 #lib/modules/KVER-ipfire/build/include/config/SELECT_MEMORY_MODEL
 #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU
 #lib/modules/KVER-ipfire/build/include/config/SENSORS_ABITUGURU3
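Review bot: these entries tie the rootfile to the outcome of patch 03: SECURITY_LOADPIN and SECURITY_LOADPIN_ENFORCE are added here while that patch is being questioned in the thread (initramfs, separate /var partition). If patch 03 is dropped or reworked, this file has to be regenerated, and the same dependency exists for the LDISC_AUTOLOAD, FUNCTION_TRACER, STACK_TRACER and IOMMU_SVA_LIB hunks that mirror patches 08 to 10. Folding each rootfile change into the config patch that causes it would keep every commit self-consistent.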
@@ -10345,7 +10346,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/STACKPROTECTOR_STRONG
 #lib/modules/KVER-ipfire/build/include/config/STACKTRACE
 #lib/modules/KVER-ipfire/build/include/config/STACKTRACE_SUPPORT
-#lib/modules/KVER-ipfire/build/include/config/STACK_TRACER
 #lib/modules/KVER-ipfire/build/include/config/STACK_VALIDATION
 #lib/modules/KVER-ipfire/build/include/config/STAGING
 #lib/modules/KVER-ipfire/build/include/config/STANDALONE
@@ -10395,8 +10395,6 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/SYS_HYPERVISOR
 #lib/modules/KVER-ipfire/build/include/config/TAP
 #lib/modules/KVER-ipfire/build/include/config/TASKSTATS
-#lib/modules/KVER-ipfire/build/include/config/TASKS_RCU_GENERIC
-#lib/modules/KVER-ipfire/build/include/config/TASKS_RUDE_RCU
 #lib/modules/KVER-ipfire/build/include/config/TASK_DELAY_ACCT
 #lib/modules/KVER-ipfire/build/include/config/TASK_IO_ACCOUNTING
 #lib/modules/KVER-ipfire/build/include/config/TASK_XACCT
@@ -10502,6 +10500,13 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/TYPEC_TCPM
 #lib/modules/KVER-ipfire/build/include/config/TYPEC_UCSI
 #lib/modules/KVER-ipfire/build/include/config/TYPHOON
+#lib/modules/KVER-ipfire/build/include/config/UBSAN
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOOL
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_BOUNDS
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_ENUM
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_ONLY_BOUNDS
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_SANITIZE_ALL
+#lib/modules/KVER-ipfire/build/include/config/UBSAN_SHIFT
 #lib/modules/KVER-ipfire/build/include/config/UCS2_STRING
 #lib/modules/KVER-ipfire/build/include/config/UCSI_ACPI
 #lib/modules/KVER-ipfire/build/include/config/UDF_FS
-- 
2.34.1


* Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
  2022-03-19 21:09 ` [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem Peter Müller
@ 2022-03-21 17:15   ` Arne Fitzenreiter
  2022-03-21 18:50     ` Michael Tremer
  0 siblings, 1 reply; 25+ messages in thread
From: Arne Fitzenreiter @ 2022-03-21 17:15 UTC (permalink / raw)
  To: development


To my knowledge, enforced LoadPin is incompatible with initramfs.
https://lwn.net/Articles/682302/

Also we have some older installations that have a separate /var
partition and /lib/firmware was moved to /var/lib/firmware,
so I think we cannot apply this!

Arne


Am 2022-03-19 22:09, schrieb Peter Müller:
> This can be safely enabled on IPFire, as we never swap filesystems
> during runtime.
> 
> Fixes: #12432
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
>  config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>  config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>  config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>  config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>  4 files changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire
> b/config/kernel/kernel.config.aarch64-ipfire
> index 35c249253..d9179c061 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire
> b/config/kernel/kernel.config.armv6l-ipfire
> index 5b4ff8e20..522278160 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire
> b/config/kernel/kernel.config.riscv64-ipfire
> index d4c0e0451..ebb830eb7 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire
> b/config/kernel/kernel.config.x86_64-ipfire
> index 8b525ef89..675c3ce1e 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>  # CONFIG_SECURITY_SMACK is not set
>  # CONFIG_SECURITY_TOMOYO is not set
>  # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>  # CONFIG_SECURITY_YAMA is not set
>  # CONFIG_SECURITY_SAFESETID is not set
>  # CONFIG_SECURITY_LOCKDOWN_LSM is not set
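Review bot: CONFIG_SECURITY_LOADPIN_ENFORCE=y turns a mismatched pin into a hard refusal of module and firmware loads, with no observation period. Given the initramfs and separate-/var concerns raised above, it would be safer to land CONFIG_SECURITY_LOADPIN=y without ENFORCE first, in which mode LoadPin only logs loads from a filesystem other than the pinned one, collect those logs from the affected installations, and switch enforcement on once none remain. The description should also list what LoadPin covers (kernel modules, firmware, kexec images and security policy files) so readers can judge which partitions matter.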


* Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
  2022-03-21 17:15   ` Arne Fitzenreiter
@ 2022-03-21 18:50     ` Michael Tremer
  2022-03-21 20:24       ` alf
  0 siblings, 1 reply; 25+ messages in thread
From: Michael Tremer @ 2022-03-21 18:50 UTC (permalink / raw)
  To: development


Hello,

> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
> 
> To my knowledge, enforced LoadPin is incompatible with initramfs.
> https://lwn.net/Articles/682302/

I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.

> Also we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware,
> so I think we cannot apply this!

The firmware is currently in /lib/firmware, and since we now have a way to compress it, there is no need to move it any more. That should allow us to enable this switch.

Best,
-Michael

> Arne
> 
> 
> Am 2022-03-19 22:09, schrieb Peter Müller:
>> This can be safely enabled on IPFire, as we never swap filesystems
>> during runtime.
>> Fixes: #12432
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>> config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>> config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>> 4 files changed, 8 insertions(+), 4 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>> b/config/kernel/kernel.config.aarch64-ipfire
>> index 35c249253..d9179c061 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire
>> b/config/kernel/kernel.config.armv6l-ipfire
>> index 5b4ff8e20..522278160 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>> diff --git a/config/kernel/kernel.config.riscv64-ipfire
>> b/config/kernel/kernel.config.riscv64-ipfire
>> index d4c0e0451..ebb830eb7 100644
>> --- a/config/kernel/kernel.config.riscv64-ipfire
>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire
>> b/config/kernel/kernel.config.x86_64-ipfire
>> index 8b525ef89..675c3ce1e 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>> # CONFIG_SECURITY_SMACK is not set
>> # CONFIG_SECURITY_TOMOYO is not set
>> # CONFIG_SECURITY_APPARMOR is not set
>> -# CONFIG_SECURITY_LOADPIN is not set
>> +CONFIG_SECURITY_LOADPIN=y
>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>> # CONFIG_SECURITY_YAMA is not set
>> # CONFIG_SECURITY_SAFESETID is not set
>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set



* Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
  2022-03-21 18:50     ` Michael Tremer
@ 2022-03-21 20:24       ` alf
  2022-03-22 11:17         ` Michael Tremer
  0 siblings, 1 reply; 25+ messages in thread
From: alf @ 2022-03-21 20:24 UTC (permalink / raw)
  To: development


Den 2022-03-21 19:50, skrev Michael Tremer:
> Hello,
> 
>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
>> 
>> To my knowledge, enforced LoadPin is incompatible with initramfs.
>> https://lwn.net/Articles/682302/
> 
> I cannot find that being mentioned in this article. And I am not sure
> whether the initramdisk counts as its own file system.
> 

Quoting what I think is the relevant section from the article
"
The current module is also likely to run into trouble on systems that 
boot with an initramfs image; the first modules will almost certainly be 
loaded from that image (that's why it exists, usually), causing loads to 
be pinned to a temporary filesystem that will go away at the end of the 
bootstrap process. In the current patch, if the filesystem to which 
loading is pinned disappears, loading of files will be disabled entirely 
— behavior that makes sense, but which may not lead to the desired 
results in an initramfs setting.
"

And a somewhat related discussion
https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021

And a patch to the kernel, which I could not figure out whether it has
been merged:
https://lkml.org/lkml/2021/4/8/1446
But it does not seem to be merged to me
https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c

Alf

>> Also we have some older installations that have a separate /var 
>> partition and /lib/firmware was moved to /var/lib/firmware,
>> so I think we cannot apply this!
> 
> The firmware is currently in /lib/firmware, and since we now have a way
> to compress it, there is no need to move it any more. That should
> allow us to enable this switch.
> 
> Best,
> -Michael
> 
>> Arne
>> 
>> 
>> Am 2022-03-19 22:09, schrieb Peter Müller:
>>> This can be safely enabled on IPFire, as we never swap filesystems
>>> during runtime.
>>> Fixes: #12432
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>>> config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>>> config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>>> 4 files changed, 8 insertions(+), 4 deletions(-)
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>>> b/config/kernel/kernel.config.aarch64-ipfire
>>> index 35c249253..d9179c061 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire
>>> b/config/kernel/kernel.config.armv6l-ipfire
>>> index 5b4ff8e20..522278160 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire
>>> b/config/kernel/kernel.config.riscv64-ipfire
>>> index d4c0e0451..ebb830eb7 100644
>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire
>>> b/config/kernel/kernel.config.x86_64-ipfire
>>> index 8b525ef89..675c3ce1e 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>>> # CONFIG_SECURITY_SMACK is not set
>>> # CONFIG_SECURITY_TOMOYO is not set
>>> # CONFIG_SECURITY_APPARMOR is not set
>>> -# CONFIG_SECURITY_LOADPIN is not set
>>> +CONFIG_SECURITY_LOADPIN=y
>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>> # CONFIG_SECURITY_YAMA is not set
>>> # CONFIG_SECURITY_SAFESETID is not set
>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set


* Re: [PATCH 03/11] Kernel: Pin loading kernel files to one filesystem
  2022-03-21 20:24       ` alf
@ 2022-03-22 11:17         ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-22 11:17 UTC (permalink / raw)
  To: development


Hello,

Hmm, Peter confirmed to me that this works on the kernel he built.

> On 21 Mar 2022, at 20:24, alf(a)i100.no wrote:
> 
> Den 2022-03-21 19:50, skrev Michael Tremer:
>> Hello,
>>> On 21 Mar 2022, at 17:15, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
>>> To my knowledge enforce loadpin is incompatible with initramfs.
>>> https://lwn.net/Articles/682302/
>> I cannot find that being mentioned in this article. And I am not sure
>> whether the initramdisk counts as its own file system.
> 
> Quoting what I think is the relevant section from the article
> "
> The current module is also likely to run into trouble on systems that boot with an initramfs image; the first modules will almost certainly be loaded from that image (that's why it exists, usually), causing loads to be pinned to a temporary filesystem that will go away at the end of the bootstrap process. In the current patch, if the filesystem to which loading is pinned disappears, loading of files will be disabled entirely — behavior that makes sense, but which may not lead to the desired results in an initramfs setting.
> "

Thank you for helping me find the correct paragraph.

> And a somewhat related discussion
> https://forums.gentoo.org/viewtopic-p-8686594.html?sid=bbf2ffea6f1ad4a3f69073bfabfdb021

I generally do agree that it does not make a lot of sense for kernel modules to have this enabled. We sign our kernel modules anyways which means that we do not need to trust the filesystem we load them from. However, there is some benefit here for firmware and other files the kernel loads. Those have no protection, and we can slightly mitigate any attacks here. How likely is this? Very unlikely, but still we can protect ourselves against them.

So this means that we potentially cannot enable the ENFORCE mode. But we can boot up the system and very early in the boot process set the loadpin sysctl so that any other file systems being mounted after that point can be used to load any files into the kernel.

@Peter: Would you please change the patch?

-Michael

> And a patch to the kernel, which I could not figure out if has been merged
> https://lkml.org/lkml/2021/4/8/1446
> But it does not seem to be merged to me
> https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/security/loadpin/loadpin.c
> 
> Alf
> 
>>> Also we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware
>>> so I think we cannot apply this!
>> The firmware currently is in /lib/firmware and since we have now a way
>> to compress it, there is no need to move it any more. That should
>> allow us enabling this switch.
>> Best,
>> -Michael
>>> Arne
>>> Am 2022-03-19 22:09, schrieb Peter Müller:
>>>> This can be safely enabled on IPFire, as we never swap filesystems
>>>> during runtime.
>>>> Fixes: #12432
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> ---
>>>> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
>>>> config/kernel/kernel.config.armv6l-ipfire  | 3 ++-
>>>> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
>>>> config/kernel/kernel.config.x86_64-ipfire  | 3 ++-
>>>> 4 files changed, 8 insertions(+), 4 deletions(-)
>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire
>>>> b/config/kernel/kernel.config.aarch64-ipfire
>>>> index 35c249253..d9179c061 100644
>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire
>>>> b/config/kernel/kernel.config.armv6l-ipfire
>>>> index 5b4ff8e20..522278160 100644
>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>>> diff --git a/config/kernel/kernel.config.riscv64-ipfire
>>>> b/config/kernel/kernel.config.riscv64-ipfire
>>>> index d4c0e0451..ebb830eb7 100644
>>>> --- a/config/kernel/kernel.config.riscv64-ipfire
>>>> +++ b/config/kernel/kernel.config.riscv64-ipfire
>>>> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire
>>>> b/config/kernel/kernel.config.x86_64-ipfire
>>>> index 8b525ef89..675c3ce1e 100644
>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
>>>> # CONFIG_SECURITY_SMACK is not set
>>>> # CONFIG_SECURITY_TOMOYO is not set
>>>> # CONFIG_SECURITY_APPARMOR is not set
>>>> -# CONFIG_SECURITY_LOADPIN is not set
>>>> +CONFIG_SECURITY_LOADPIN=y
>>>> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
>>>> # CONFIG_SECURITY_YAMA is not set
>>>> # CONFIG_SECURITY_SAFESETID is not set
>>>> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
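
The plan above (build without ENFORCE, flip the loadpin sysctl from an early boot script) only holds if the first file the kernel read came from the final root and nothing has had to be loaded from another filesystem since: LoadPin records its pin on the very first load whether or not it is enforcing, and kernel.loadpin.enforce cannot be turned back off once set. What follows is an added example, not IPFire code and not part of the patch, of a small triage script that reads LoadPin's kernel log lines and says whether enforcement can be switched on safely. The log lines in it are constructed, and the message shapes ("pinned", "pinning-ignored", "denied", "umount pinned fs: refusing further loads") are my reading of security/loadpin/loadpin.c and should be checked against the running kernel's dmesg before relying on the script.

```python
"""Decide from LoadPin's kernel log lines whether kernel.loadpin.enforce=1 is
safe to set.  Added example, not IPFire code; message formats are assumed."""
import re

# One LoadPin event: "<origin> <operation> obj=<path> pid=<n> cmdline=<argv>".
# origin is the kernel_read_file id (kernel-module, firmware, kexec-image, ...).
# Shape assumed from report_load() in security/loadpin/loadpin.c; verify it
# against the target kernel's dmesg.
EVENT_RE = re.compile(
    r'LoadPin: (?P<origin>[\w-]+) (?P<op>pinned|pinning-ignored|denied) '
    r'obj="?(?P<obj>[^"\s]+)"?'
)
# Logged when the filesystem holding the pin is unmounted; from then on every
# further load mismatches (refused when enforcing, only logged otherwise).
UMOUNT_MARK = "LoadPin: umount pinned fs: refusing further loads"


def triage_loadpin(log_lines):
    """Summarise LoadPin activity and say whether enforcement would be safe."""
    state = {
        "pinned": None,          # (origin, path) of the load that set the pin
        "pinned_fs_gone": False,
        "ignored": [],           # loads that did NOT come from the pinned fs
        "denied": [],            # loads already refused (enforce=1 in effect)
    }
    for line in log_lines:
        if UMOUNT_MARK in line:
            state["pinned_fs_gone"] = True
            continue
        m = EVENT_RE.search(line)
        if not m:
            continue
        op, origin, obj = m.group("op"), m.group("origin"), m.group("obj")
        if op == "pinned":
            if state["pinned"] is None:      # only the first pin counts
                state["pinned"] = (origin, obj)
        elif op == "pinning-ignored":
            state["ignored"].append(obj)
        else:
            state["denied"].append(obj)
    # Safe only if a pin exists, its filesystem is still mounted and nothing
    # has needed to be loaded from elsewhere.  The sysctl is one-way, so this
    # decision cannot be undone without a reboot.
    state["safe_to_enforce"] = (
        state["pinned"] is not None
        and not state["pinned_fs_gone"]
        and not state["ignored"]
    )
    return state


def enforce_command(state):
    """Shell line to run next, derived from the triage result (None = wait)."""
    if state["safe_to_enforce"]:
        return "sysctl -w kernel.loadpin.enforce=1"
    if state["pinned"] is None:
        return None  # nothing loaded yet; triage again later in boot
    if state["pinned_fs_gone"]:
        reason = "pinned filesystem was unmounted"
    else:
        reason = "%d load(s) came from another filesystem" % len(state["ignored"])
    return "# not enabling enforcement: " + reason


# Constructed sample logs (not real IPFire output; x.y.z is a placeholder).
# Scenario 1: the initramfs loaded a driver first, so the pin is on the
# initramfs; once that is discarded, the firmware load from the real root
# would be refused under enforcement.
BOOT_VIA_INITRAMFS = [
    '[    1.200000] LoadPin: kernel-module pinned obj="/lib/modules/x.y.z/kernel/drivers/ata/ahci.ko" pid=150 cmdline="modprobe ahci"',
    '[    2.410000] LoadPin: umount pinned fs: refusing further loads',
    '[    3.070000] LoadPin: firmware pinning-ignored obj="/lib/firmware/example/fw.bin" pid=1 cmdline="init"',
]
# Scenario 2: no initramfs; the pin is on the root filesystem and later loads
# from it are silent, so only the first one shows up.
BOOT_FROM_ROOT = [
    '[    0.900000] random: crng init done',
    '[    1.050000] LoadPin: kernel-module pinned obj="/lib/modules/x.y.z/kernel/net/ipv4/netfilter/iptable_nat.ko" pid=210 cmdline="modprobe iptable_nat"',
]

if __name__ == "__main__":
    for name, log in (("initramfs boot", BOOT_VIA_INITRAMFS), ("root boot", BOOT_FROM_ROOT)):
        print(name, "->", enforce_command(triage_loadpin(log)))
```

On a live system the input would be `dmesg` output filtered for `LoadPin:`; the script is deliberately read-only and leaves the actual `sysctl -w` to the boot script so that the decision is visible in the log before it is applied.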



* Re: [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
  2022-03-19 21:08 ` [PATCH 01/11] Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits Peter Müller
@ 2022-03-23 11:42   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 11:42 UTC (permalink / raw)
  To: development


I feel we have talked about this on multiple occasions, yet it never made its way into the repository.

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This follows a recommendation by ClipOS, making ASLR bypassing attempts
> harder.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 6728fa7f3..4205aa5bc 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -702,7 +702,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
> CONFIG_MODULES_USE_ELF_RELA=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> -CONFIG_ARCH_MMAP_RND_BITS=18
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
> CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11
> CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
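Review bot: 32 only fits the aarch64 range when the kernel is built with 48-bit VA and 4 KiB pages (ARCH_MMAP_RND_BITS_MAX is 33 there; with 39-bit VA it is 24), and Kconfig silently clamps an out-of-range value to the maximum on the next make olddefconfig, so the commit message should state which ARM64_VA_BITS setting this was checked against. CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 is left as it was; if 32-bit compat binaries are supported, raise it to its maximum (16) in the same change.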
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index d8482de92..ef36b8e22 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -778,7 +778,7 @@ CONFIG_MODULES_USE_ELF_REL=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> CONFIG_HAVE_EXIT_THREAD=y
> -CONFIG_ARCH_MMAP_RND_BITS=8
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
> CONFIG_CLONE_BACKWARDS=y
> CONFIG_OLD_SIGSUSPEND3=y
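Review bot: 32 is far outside the 32-bit ARM range (ARCH_MMAP_RND_BITS_MAX is at most 16; 32 random page bits would span 16 TiB of address space), so Kconfig will clamp this to 16 on the next make olddefconfig and the .config will not survive a rebuild as written. Set the architecture maximum explicitly here and say in the commit message that the value differs per architecture.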
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 73911b2ab..d8045c15c 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -388,7 +388,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
> CONFIG_MODULES_USE_ELF_RELA=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> -CONFIG_ARCH_MMAP_RND_BITS=18
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y
> CONFIG_CLONE_BACKWARDS=y
> CONFIG_COMPAT_32BIT_TIME=y
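Review bot: the riscv Kconfig caps ARCH_MMAP_RND_BITS at 24 for 64-bit (SV39-based) kernels, so as with armv6l this 32 will be clamped rather than honoured; check what make olddefconfig leaves behind and commit that value instead.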
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 0f322826e..b14815545 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -742,7 +742,7 @@ CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y
> CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
> CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
> CONFIG_HAVE_EXIT_THREAD=y
> -CONFIG_ARCH_MMAP_RND_BITS=28
> +CONFIG_ARCH_MMAP_RND_BITS=32
> CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
> CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
> CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
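Review bot: 28 was the x86_64 minimum and 32 is its maximum, so this hunk is correct as far as 64-bit processes go; the gap left is CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8, also the minimum, which means any 32-bit binary run under this kernel keeps only 8 bits of mmap randomisation. Raise it to 16 (the compat maximum) here or state in the commit message that compat binaries are out of scope. vm.mmap_rnd_bits and vm.mmap_rnd_compat_bits expose both values at runtime for a post-upgrade check.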
> -- 
> 2.34.1
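
To check after an upgrade that the new CONFIG_ARCH_MMAP_RND_BITS value is actually in effect, rather than trusting the .config, one can compare vm.mmap_rnd_bits with the randomisation observed across fresh processes. The script below is an added example, not from the patch or from IPFire; it assumes a Linux host where /proc/sys/vm/mmap_rnd_bits is readable (it reports None otherwise) and, because the ASLR base is chosen at exec() time rather than fork(), it spawns fresh interpreters to collect samples.

```python
"""Measure how many bits of the mmap base a running kernel randomises.

Added example, not IPFire code.  Compares the kernel's configured value
(vm.mmap_rnd_bits, the runtime view of CONFIG_ARCH_MMAP_RND_BITS) with what
freshly exec'd processes actually observe.
"""
import subprocess
import sys

PAGE_SHIFT = 12  # 4 KiB pages: the low 12 bits of any mapping are never random


def varying_bits(addresses, page_shift=PAGE_SHIFT):
    """Number of page-number bits that take more than one value in the sample.

    OR together the XOR of every sample with the first one; a bit set in the
    result differed in at least one process.  With k randomised bits and N
    samples, each bit is missed with probability 2**-(N-1), so N >= 40 recovers
    k reliably.  Carries in the kernel's base computation (base = limit -
    random) can make one bit above the k random ones vary as well, so read the
    result as "at least the configured bits".
    """
    if not addresses:
        return 0
    first = addresses[0] >> page_shift
    diff = 0
    for addr in addresses[1:]:
        diff |= (addr >> page_shift) ^ first
    return bin(diff).count("1")


def configured_bits(path="/proc/sys/vm/mmap_rnd_bits"):
    """vm.mmap_rnd_bits as an int, or None where the sysctl is not available."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


# Run in a fresh interpreter: map one anonymous page and print its address.
_CHILD = (
    "import mmap, ctypes\n"
    "m = mmap.mmap(-1, mmap.PAGESIZE, flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS)\n"
    "print(ctypes.addressof(ctypes.c_char.from_buffer(m)))\n"
)


def sample_mmap_addresses(n=64):
    """Collect the first anonymous-mmap address of n freshly exec'd processes.

    fork() would copy the parent's layout; only exec() picks a new random
    mmap base, hence one subprocess per sample.
    """
    addrs = []
    for _ in range(n):
        out = subprocess.run([sys.executable, "-c", _CHILD],
                             capture_output=True, text=True, check=True).stdout
        addrs.append(int(out.strip()))
    return addrs


def verdict(configured, observed):
    """Compare configured vs observed bits; None configured means 'unknown'."""
    if configured is None:
        return "configured value unknown; observed %d varying bits" % observed
    if observed >= configured:
        return "ok: observed %d >= configured %d bits" % (observed, configured)
    return ("short: observed %d < configured %d bits (small sample, or ASLR off?)"
            % (observed, configured))


if __name__ == "__main__":
    observed = varying_bits(sample_mmap_addresses())
    print(verdict(configured_bits(), observed))
```

A "short" verdict with kernel.randomize_va_space at its default of 2 means the built kernel does not carry the value the .config claims, which is exactly the clamping risk on the 32-bit and riscv64 targets; a result one bit above the configured value is the carry effect described in the docstring and not a problem.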



* Re: [PATCH 02/11] Kernel: Disable support for tracing block I/O actions
  2022-03-19 21:08 ` [PATCH 02/11] Kernel: Disable support for tracing block I/O actions Peter Müller
@ 2022-03-23 11:44   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 11:44 UTC (permalink / raw)
  To: development


Agreed.

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:08, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This is not needed on IPFire systems, and grsecurity recommends to turn
> this off.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 4205aa5bc..35c249253 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -8166,7 +8166,7 @@ CONFIG_TRACER_SNAPSHOT=y
> # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
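Review bot: the change itself is fine, but the commit message should name what stops working: blktrace/blkparse and anything else that consumes block I/O events through the tracing interface can no longer be used for disk diagnostics on these kernels, which is worth a line for users who debug storage stalls on their firewalls. This applies to all four architecture hunks.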
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index ef36b8e22..5b4ff8e20 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -8133,7 +8133,7 @@ CONFIG_TRACER_SNAPSHOT=y
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> # CONFIG_PROFILE_ALL_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index d8045c15c..d4c0e0451 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6754,7 +6754,7 @@ CONFIG_TRACER_SNAPSHOT=y
> # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index b14815545..8b525ef89 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -7605,7 +7605,7 @@ CONFIG_TRACER_SNAPSHOT=y
> # CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> -CONFIG_BLK_DEV_IO_TRACE=y
> +# CONFIG_BLK_DEV_IO_TRACE is not set
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -- 
> 2.34.1



* Re: [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker
  2022-03-19 21:09 ` [PATCH 04/11] Kernel: Enable undefined behaviour sanity checker Peter Müller
@ 2022-03-23 11:45   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 11:45 UTC (permalink / raw)
  To: development


Hello,

The documentation for this says that CONFIG_UBSAN_SANITIZE_ALL will massively increase the size of the kernel.

How much is this? A larger kernel generally means slower execution. Did you perform any benchmarks?

> On 19 Mar 2022, at 21:09, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 13 ++++++++++++-
> config/kernel/kernel.config.armv6l-ipfire  | 13 ++++++++++++-
> config/kernel/kernel.config.riscv64-ipfire | 13 ++++++++++++-
> config/kernel/kernel.config.x86_64-ipfire  | 13 ++++++++++++-
> 4 files changed, 48 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index d9179c061..b2ef43e51 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -8008,7 +8008,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_KCSAN_COMPILER=y
> # end of Generic Kernel Debugging Instruments
> 
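Review bot: with CONFIG_UBSAN_TRAP unset, a detected violation only prints a "UBSAN:" report to the kernel log and execution continues, so this is a detection aid (worth watching for in the logs) rather than something that stops a bad access; CONFIG_UBSAN_SANITIZE_ALL instruments the whole kernel, and the size and speed question raised above is exactly what the currently empty commit message should answer, with measured numbers from an IPFire build of each architecture.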
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 522278160..13326a29c 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7989,7 +7989,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
> # CONFIG_DEBUG_FS_ALLOW_NONE is not set
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_KCSAN_COMPILER=y
> # end of Generic Kernel Debugging Instruments
> 
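Review bot: this hunk shows no CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y context line, unlike the aarch64, riscv64 and x86_64 hunks; CONFIG_UBSAN_SANITIZE_ALL depends on it, so confirm the armv6l build actually sets it, otherwise the =y added here is dropped by the next make olddefconfig and only files explicitly marked for UBSAN in their Makefile are instrumented.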
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index ebb830eb7..fa4ee46fa 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6597,7 +6597,18 @@ CONFIG_HAVE_ARCH_KGDB=y
> CONFIG_HAVE_ARCH_KGDB_QXFER_PKT=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_KCSAN_COMPILER=y
> # end of Generic Kernel Debugging Instruments
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 675c3ce1e..e6a03a9e5 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -7430,7 +7430,18 @@ CONFIG_DEBUG_FS_ALLOW_ALL=y
> CONFIG_HAVE_ARCH_KGDB=y
> # CONFIG_KGDB is not set
> CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
> -# CONFIG_UBSAN is not set
> +CONFIG_UBSAN=y
> +# CONFIG_UBSAN_TRAP is not set
> +CONFIG_CC_HAS_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_BOUNDS=y
> +CONFIG_UBSAN_ONLY_BOUNDS=y
> +CONFIG_UBSAN_SHIFT=y
> +# CONFIG_UBSAN_DIV_ZERO is not set
> +CONFIG_UBSAN_BOOL=y
> +CONFIG_UBSAN_ENUM=y
> +# CONFIG_UBSAN_ALIGNMENT is not set
> +CONFIG_UBSAN_SANITIZE_ALL=y
> +# CONFIG_TEST_UBSAN is not set
> CONFIG_HAVE_ARCH_KCSAN=y
> CONFIG_HAVE_KCSAN_COMPILER=y
> # CONFIG_KCSAN is not set
> -- 
> 2.34.1



* Re: [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
  2022-03-19 21:09 ` [PATCH 05/11] Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities Peter Müller
@ 2022-03-23 11:46   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 11:46 UTC (permalink / raw)
  To: development


Where is this whitelist defined then?

We use setuid and I would assume that this change will break all misc-progs.

-Michael

> On 19 Mar 2022, at 21:09, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b2ef43e51..b485c2fb6 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7558,7 +7558,7 @@ CONFIG_FORTIFY_SOURCE=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
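Review bot: CONFIG_SECURITY_SAFESETID=y on its own changes no behaviour: the module only restricts a UID once a policy naming that UID has been written to its securityfs files (under /sys/kernel/security/safesetid/), after which every setuid()/setgid() transition from that UID not listed in the policy is denied. The patch adds neither a policy nor a boot-time loader for one, which is the allowlist question asked above; either the commit message should say where IPFire will install a policy and which setuid programs (the misc-progs) were tested against it, or the hunk is a no-op. Also confirm "safesetid" appears in CONFIG_LSM, which this hunk does not touch, since an LSM missing from that list is compiled in but never initialised. Same for the three hunks below.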
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 13326a29c..98b554d91 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7562,7 +7562,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index fa4ee46fa..b595ae8cd 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6195,7 +6195,7 @@ CONFIG_FORTIFY_SOURCE=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index e6a03a9e5..b325feb1d 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y
> CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> -# CONFIG_SECURITY_SAFESETID is not set
> +CONFIG_SECURITY_SAFESETID=y
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> -- 
> 2.34.1



* Re: [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity"
  2022-03-19 21:10 ` [PATCH 06/11] Kernel: Enable LSM support and set security level to "integrity" Peter Müller
@ 2022-03-23 17:50   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 17:50 UTC (permalink / raw)
  To: development


This looks good to me.

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 6 +++++-
> config/kernel/kernel.config.armv6l-ipfire  | 6 +++++-
> config/kernel/kernel.config.riscv64-ipfire | 6 +++++-
> config/kernel/kernel.config.x86_64-ipfire  | 6 +++++-
> 4 files changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index b485c2fb6..356d9051d 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7559,7 +7559,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
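Review bot: CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y hard-wires the mode at build time, so there is no lockdown= boot parameter left to relax it when debugging a broken box; say so in the commit message, which is currently empty. Integrity mode refuses unsigned modules (fine given the module signing mentioned earlier in this thread) and also blocks /dev/mem, /dev/kmem and /dev/port, MSR writes, ioperm/iopl, kexec of unsigned images and hibernation, so the message should list which IPFire features were exercised under it. As with the other LSM hunks, check that "lockdown" is in CONFIG_LSM. The same applies to the armv6l, riscv64 and x86_64 hunks below.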
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 98b554d91..9dab473d4 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7563,7 +7563,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index b595ae8cd..adef88dc9 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6196,7 +6196,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index b325feb1d..222b2dc53 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6972,7 +6972,11 @@ CONFIG_SECURITY_LOADPIN=y
> CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> CONFIG_SECURITY_SAFESETID=y
> -# CONFIG_SECURITY_LOCKDOWN_LSM is not set
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
> +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
> # CONFIG_SECURITY_LANDLOCK is not set
> CONFIG_INTEGRITY=y
> # CONFIG_INTEGRITY_SIGNATURE is not set
> -- 
> 2.34.1



* Re: [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected
  2022-03-19 21:10 ` [PATCH 07/11] Kernel: Trigger BUG if data corruption is detected Peter Müller
@ 2022-03-23 17:53   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 17:53 UTC (permalink / raw)
  To: development


I don’t quite follow what the benefit of this is.

The kernel would log something. That is it. Not bad, but I don’t see how this would help.

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Since we cannot trust the kernel to do the right thing (tm) in such a
> situation anymore, triggering a BUG is less bad than running on a kernel
> in an undefined state.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 4 ++--
> config/kernel/kernel.config.armv6l-ipfire  | 4 ++--
> config/kernel/kernel.config.riscv64-ipfire | 4 ++--
> config/kernel/kernel.config.x86_64-ipfire  | 4 ++--
> 4 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 356d9051d..06379d544 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -8125,11 +8125,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y

Why did this have to be changed? CONFIG_BUG_ON_DATA_CORRUPTION does not depend on this as far as I can see.

> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
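Review bot: CONFIG_BUG_ON_DATA_CORRUPTION selects DEBUG_LIST in lib/Kconfig.debug, which is why CONFIG_DEBUG_LIST=y appears in this hunk: the option needs the list-integrity checks on list_add/list_del to have anything to BUG on, so the two flips belong together and the commit message should say so (it also adds a check to every list operation, which is a cost worth mentioning). It should further state how the box recovers: BUG() kills the current context but the system may limp on, so if the intent is "stop rather than run corrupted", pair this with kernel.panic_on_oops=1 and a kernel.panic reboot timeout in sysctl.conf.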
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 9dab473d4..68e37304a 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -8091,11 +8091,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y
> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index adef88dc9..8cec9a200 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6714,11 +6714,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y
> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 222b2dc53..0c6731bd1 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -7556,11 +7556,11 @@ CONFIG_STACKTRACE=y
> #
> # Debug kernel data structures
> #
> -# CONFIG_DEBUG_LIST is not set
> +CONFIG_DEBUG_LIST=y
> # CONFIG_DEBUG_PLIST is not set
> # CONFIG_DEBUG_SG is not set
> # CONFIG_DEBUG_NOTIFIERS is not set
> -# CONFIG_BUG_ON_DATA_CORRUPTION is not set
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> # end of Debug kernel data structures
> 
> # CONFIG_DEBUG_CREDENTIALS is not set
> -- 
> 2.34.1



* Re: [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary
  2022-03-19 21:10 ` [PATCH 08/11] Kernel: Do not automatically load TTY line disciplines, only if necessary Peter Müller
@ 2022-03-23 17:54   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 17:54 UTC (permalink / raw)
  To: development


This patch has been submitted so many times. *Please* make sure it is not going over my table again.

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 2 +-
> config/kernel/kernel.config.armv6l-ipfire  | 2 +-
> config/kernel/kernel.config.riscv64-ipfire | 2 +-
> config/kernel/kernel.config.x86_64-ipfire  | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 06379d544..0fcbed4a2 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -3410,7 +3410,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
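Review bot: with CONFIG_LDISC_AUTOLOAD unset, an unprivileged TIOCSETD on a line discipline that is neither built in nor already loaded fails instead of triggering request_module(); callers with CAP_SYS_MODULE still get autoload. Any ldisc IPFire relies on (ppp_async for serial PPP, for example, if any dial-up path is still supported) therefore has to be built in or loaded from an init script, and the commit message should list which ones were audited. The same control exists at runtime as the dev.tty.ldisc_autoload sysctl, which is a cheap way to confirm nothing breaks before this kernel change lands. Applies to all four hunks.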
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 68e37304a..468c74112 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -3397,7 +3397,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index 8cec9a200..de975e3f0 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -2915,7 +2915,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 0c6731bd1..0b9c79209 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -3382,7 +3382,7 @@ CONFIG_HW_CONSOLE=y
> CONFIG_VT_HW_CONSOLE_BINDING=y
> CONFIG_UNIX98_PTYS=y
> # CONFIG_LEGACY_PTYS is not set
> -CONFIG_LDISC_AUTOLOAD=y
> +# CONFIG_LDISC_AUTOLOAD is not set
> 
> #
> # Serial drivers
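Review bot: Please add a verification step to the merge notes: after booting a kernel built from this, `sysctl dev.tty.ldisc_autoload` should report 0. The Kconfig option only sets the default, the knob remains writable at runtime, so a leftover entry in a sysctl configuration file would silently re-enable autoloading on all four architectures without any diff here showing it.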
> -- 
> 2.34.1



* Re: [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs
  2022-03-19 21:10 ` [PATCH 09/11] Kernel: Enable SVA support for both Intel and AMD CPUs Peter Müller
@ 2022-03-23 17:54   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 17:54 UTC (permalink / raw)
  To: development


Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 19 Mar 2022, at 21:10, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Since running virtual machines is one of our legitimate use cases, it
> makes sense to provide Qemu with the ability to take advantage of
> IOMMU support for safer virtual memory allocation, if available.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 0b9c79209..42275d26f 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6179,6 +6179,7 @@ CONFIG_INTEL_IDMA64=m
> CONFIG_INTEL_IDXD_BUS=m
> CONFIG_INTEL_IDXD=m
> # CONFIG_INTEL_IDXD_COMPAT is not set
> +# CONFIG_INTEL_IDXD_SVM is not set
> # CONFIG_INTEL_IDXD_PERFMON is not set
> CONFIG_INTEL_IOATDMA=m
> CONFIG_PLX_DMA=m
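Review bot: The new `# CONFIG_INTEL_IDXD_SVM is not set` line is not an independent decision: INTEL_IDXD_SVM depends on INTEL_IOMMU_SVM, so the option only became visible because the second hunk turns that on. Leaving it off is the conservative choice; a sentence in the commit message saying so saves the next reader a Kconfig lookup and makes clear that no accelerator-side SVM is being switched on.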
> @@ -6476,11 +6477,12 @@ CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
> # CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set
> # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
> CONFIG_IOMMU_DMA=y
> +CONFIG_IOMMU_SVA_LIB=y
> CONFIG_AMD_IOMMU=y
> -# CONFIG_AMD_IOMMU_V2 is not set
> +CONFIG_AMD_IOMMU_V2=y
> CONFIG_DMAR_TABLE=y
> CONFIG_INTEL_IOMMU=y
> -# CONFIG_INTEL_IOMMU_SVM is not set
> +CONFIG_INTEL_IOMMU_SVM=y
> # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
> CONFIG_INTEL_IOMMU_FLOPPY_WA=y
> # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
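Review bot: The justification in the commit message does not match what these options do. INTEL_IOMMU_SVM, AMD_IOMMU_V2 and IOMMU_SVA_LIB add shared virtual addressing, i.e. a PASID-capable device accessing a process address space directly; the DMA isolation that Qemu/VFIO relies on comes from INTEL_IOMMU=y and AMD_IOMMU=y, which are already set in the context lines. Note also that `# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set` stays, so on Intel none of this is active unless intel_iommu=on is passed on the kernel command line. In a series whose purpose is to reduce attack surface, every additional device-facing feature needs a concrete consumer; please either name the workload that needs SVA on an IPFire box or drop this patch.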
> -- 
> 2.34.1



* Re: [PATCH 10/11] Kernel: Disable function and stack tracers
  2022-03-19 21:11 ` [PATCH 10/11] Kernel: Disable function and stack tracers Peter Müller
@ 2022-03-23 17:56   ` Michael Tremer
  0 siblings, 0 replies; 25+ messages in thread
From: Michael Tremer @ 2022-03-23 17:56 UTC (permalink / raw)
  To: development


Could you please verify that powertop does not need any of these?

> On 19 Mar 2022, at 21:11, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> grsecurity recommends disabling this on non-development systems to
> reduce attack surface. Since we never debug the kernel that deeply on
> a productive system, it makes sense to follow this recommendation.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 13 ++-----------
> config/kernel/kernel.config.armv6l-ipfire  | 13 ++-----------
> config/kernel/kernel.config.riscv64-ipfire | 13 ++-----------
> config/kernel/kernel.config.x86_64-ipfire  | 17 ++---------------
> 4 files changed, 8 insertions(+), 48 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index 0fcbed4a2..5bd15cc48 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -126,8 +126,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
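Review bot: The dropped TASKS_RCU_GENERIC and TASKS_RUDE_RCU lines are fallout rather than a separate choice: FUNCTION_TRACER selects TASKS_RUDE_RCU, so both vanish once the tracer hunk below deselects it, and the same goes for the PSTORE_FTRACE, FTRACE_MCOUNT_RECORD and FTRACE_RECORD_RECURSION lines further down, which all depend on the function tracer. The commit message should say that only FUNCTION_TRACER and STACK_TRACER were switched off and that every other removed line is a derived symbol, so the 48 deletions in the diffstat are not read as 48 individual decisions.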
> @@ -7410,7 +7408,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -8166,12 +8163,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
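Review bot: On the open question whether powertop still works: powertop gathers its data through perf tracepoint events (power:, sched:, irq: and the like), which are provided by CONFIG_TRACING and the tracepoint infrastructure rather than by the function tracer, and the context lines keep CONFIG_FTRACE=y and CONFIG_SCHED_TRACER=y; what goes away is the function and stack tracers together with the DYNAMIC_FTRACE and FUNCTION_PROFILER symbols that hang off them. That reasoning should still be confirmed empirically: please record a powertop run on a kernel built from this patch in the commit message so the question is answered on the record rather than from Kconfig dependencies.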
> @@ -8186,7 +8179,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_HIST_TRIGGERS is not set
> @@ -8194,7 +8186,6 @@ CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 468c74112..06010f893 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -133,8 +133,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -7414,7 +7412,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -8132,12 +8129,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
> @@ -8153,7 +8146,6 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_HIST_TRIGGERS is not set
> @@ -8161,7 +8153,6 @@ CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
> index de975e3f0..6b0aa466f 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -119,8 +119,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -6047,7 +6045,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -6754,12 +6751,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
> @@ -6774,14 +6767,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_TRACE_EVENT_INJECT is not set
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index 42275d26f..eee5e4a55 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -146,8 +146,6 @@ CONFIG_TREE_RCU=y
> # CONFIG_RCU_EXPERT is not set
> CONFIG_SRCU=y
> CONFIG_TREE_SRCU=y
> -CONFIG_TASKS_RCU_GENERIC=y
> -CONFIG_TASKS_RUDE_RCU=y
> CONFIG_RCU_STALL_COMMON=y
> CONFIG_RCU_NEED_SEGCBLIST=y
> # end of RCU Subsystem
> @@ -476,7 +474,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
> # CONFIG_CMDLINE_BOOL is not set
> # CONFIG_MODIFY_LDT_SYSCALL is not set
> CONFIG_HAVE_LIVEPATCH=y
> -# CONFIG_LIVEPATCH is not set
> # end of Processor type and features
> 
> CONFIG_ARCH_HAS_ADD_PAGES=y
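Review bot: The disappearing `# CONFIG_LIVEPATCH is not set` line is a consequence worth spelling out: LIVEPATCH depends on the register-saving dynamic ftrace variant, which in turn requires FUNCTION_TRACER, so after this patch kernel live patching cannot be enabled on x86_64 at all, not even via menuconfig. It was already off, so nothing changes functionally, but a one-liner in the commit message would stop someone later wondering why the option no longer appears.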
> @@ -6823,7 +6820,6 @@ CONFIG_PSTORE_DEFLATE_COMPRESS_DEFAULT=y
> CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
> # CONFIG_PSTORE_CONSOLE is not set
> # CONFIG_PSTORE_PMSG is not set
> -# CONFIG_PSTORE_FTRACE is not set
> # CONFIG_PSTORE_RAM is not set
> # CONFIG_PSTORE_BLK is not set
> # CONFIG_SYSV_FS is not set
> @@ -7604,14 +7600,8 @@ CONFIG_GENERIC_TRACER=y
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_BOOTTIME_TRACING is not set
> -CONFIG_FUNCTION_TRACER=y
> -CONFIG_FUNCTION_GRAPH_TRACER=y
> -CONFIG_DYNAMIC_FTRACE=y
> -CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
> -CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
> -CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y
> -CONFIG_FUNCTION_PROFILER=y
> -CONFIG_STACK_TRACER=y
> +# CONFIG_FUNCTION_TRACER is not set
> +# CONFIG_STACK_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> CONFIG_SCHED_TRACER=y
> # CONFIG_HWLAT_TRACER is not set
> @@ -7627,15 +7617,12 @@ CONFIG_BRANCH_PROFILE_NONE=y
> CONFIG_UPROBE_EVENTS=y
> CONFIG_DYNAMIC_EVENTS=y
> CONFIG_PROBE_EVENTS=y
> -CONFIG_FTRACE_MCOUNT_RECORD=y
> -CONFIG_FTRACE_MCOUNT_USE_CC=y
> # CONFIG_SYNTH_EVENTS is not set
> # CONFIG_HIST_TRIGGERS is not set
> # CONFIG_TRACE_EVENT_INJECT is not set
> # CONFIG_TRACEPOINT_BENCHMARK is not set
> CONFIG_RING_BUFFER_BENCHMARK=m
> # CONFIG_TRACE_EVAL_MAP_FILE is not set
> -# CONFIG_FTRACE_RECORD_RECURSION is not set
> # CONFIG_FTRACE_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_STARTUP_TEST is not set
> # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
> -- 
> 2.34.1


