From b34debedfc978735cb1b4ee9ec000548c90b8c75 Mon Sep 17 00:00:00 2001
From: Andrew Rynhard
Date: Fri, 12 Oct 2018 19:02:11 -0700
Subject: [PATCH] feat(kernel): configure Kernel Self Protection Project recommendations (#152)

---
 src/image/.conform.yaml | 1 -
 src/image/src/entrypoint.sh | 3 +-
 .../cmd/init/pkg/rootfs/proc/proc.go | 14 +-
 src/initramfs/cmd/init/pkg/rootfs/rootfs.go | 53 ++++++-
 .../cmd/init/pkg/system/services/crt.go | 1 -
 .../cmd/init/pkg/system/services/kubeadm.go | 7 +-
 .../cmd/init/pkg/system/services/kubelet.go | 1 -
 src/initramfs/cmd/osd/pkg/reg/reg.go | 1 -
 src/kernel/.conform.yaml | 2 -
 src/kernel/src/linux/config | 147 ++++++------------
 10 files changed, 115 insertions(+), 115 deletions(-)

diff --git a/src/image/.conform.yaml b/src/image/.conform.yaml
index 382a3d750..672c83503 100644
--- a/src/image/.conform.yaml
+++ b/src/image/.conform.yaml
@@ -64,5 +64,4 @@ tasks:
 rootfs:
 template: |
 COPY --from=dianemo/rootfs:{{ .Docker.Image.Tag }} /rootfs /generated/rootfs
- COPY --from=dianemo/kernel:{{ .Docker.Image.Tag }} /tmp/lib/modules /generated/rootfs/lib/modules
 RUN {{if .Git.IsClean}}XZ_OPT=-9e{{else}}XZ_OPT=-0{{end}} tar -cvpJf /generated/rootfs.tar.xz -C /generated/rootfs .
diff --git a/src/image/src/entrypoint.sh b/src/image/src/entrypoint.sh
index 1985152d3..6634c76d5 100755
--- a/src/image/src/entrypoint.sh
+++ b/src/image/src/entrypoint.sh
@@ -108,7 +108,7 @@ DEFAULT Dianemo
 LABEL Dianemo
 KERNEL /boot/vmlinuz
 INITRD /boot/initramfs.xz
- APPEND ip=dhcp consoleblank=0 console=tty0 console=ttyS0,9600 dianemo.autonomy.io/root=${DIANEMO_ROOT} dianemo.autonomy.io/userdata=${DIANEMO_USERDATA} dianemo.autonomy.io/platform=${DIANEMO_PLATFORM}
+ APPEND ${KERNEL_SELF_PROTECTION_PROJECT_KERNEL_PARAMS} ip=dhcp consoleblank=0 console=tty0 console=ttyS0,9600 dianemo.autonomy.io/root=${DIANEMO_ROOT} dianemo.autonomy.io/userdata=${DIANEMO_USERDATA} dianemo.autonomy.io/platform=${DIANEMO_PLATFORM}
 EOF
 }
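Review bot: The new APPEND line makes the slab, page-poisoning and PTI hardening depend on this one syslinux template, so any boot path that does not go through entrypoint.sh (or a platform that supplies its own kernel command line) silently loses it; the values come from the `KERNEL_SELF_PROTECTION_PROJECT_KERNEL_PARAMS` assignment in the following hunk at @@ -130. Where a Kconfig equivalent exists it is worth setting as well: `# CONFIG_SLAB_MERGE_DEFAULT is not set` gives `slab_nomerge` by default, and the config hunk at @@ -249 still leaves `CONFIG_SLAB_MERGE_DEFAULT=y`. `page_poison=1` is needed to activate `CONFIG_PAGE_POISONING=y` on this kernel series and `pti=on` forces isolation even on CPUs the kernel would exempt, so those two belong on the command line; a comment above the assignment, `# KSPP boot parameters; page_poison=1 activates CONFIG_PAGE_POISONING, slab_nomerge mirrors CONFIG_SLAB_MERGE_DEFAULT=n`, would record that. The assignment sits after the function that expands it, which works because the heredoc is expanded when the function is called from the case statement below, but a reader checking `set -u` behaviour will want that stated.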
@@ -130,6 +130,7 @@ FULL=false
 RAW=false
 ROOTFS_SIZE=$(size_xz /generated/rootfs.tar.xz)
 INITRAMFS_SIZE=$(size_xz /generated/boot/initramfs.xz)
+KERNEL_SELF_PROTECTION_PROJECT_KERNEL_PARAMS="slub_debug=P page_poison=1 slab_nomerge pti=on"
 case "$1" in
 image)
diff --git a/src/initramfs/cmd/init/pkg/rootfs/proc/proc.go b/src/initramfs/cmd/init/pkg/rootfs/proc/proc.go
index 98842d3de..d886cd443 100644
--- a/src/initramfs/cmd/init/pkg/rootfs/proc/proc.go
+++ b/src/initramfs/cmd/init/pkg/rootfs/proc/proc.go
@@ -6,8 +6,14 @@ import (
 "strings"
 )
-// WriteSystemProperty writes a value to a key under /proc/sys.
-func WriteSystemProperty(key, value string) error {
- keyPath := strings.Replace(key, ".", "/", -1)
- return ioutil.WriteFile(path.Join("/proc/sys", keyPath), []byte(value), 0644)
+// SystemProperty represents a kernel system property.
+type SystemProperty struct {
+ Key string
+ Value string
+}
+
+// WriteSystemProperty writes a value to a key under /proc/sys.
+func WriteSystemProperty(prop *SystemProperty) error {
+ keyPath := path.Join("/proc/sys", strings.Replace(prop.Key, ".", "/", -1))
+ return ioutil.WriteFile(keyPath, []byte(prop.Value), 0644)
 }
diff --git a/src/initramfs/cmd/init/pkg/rootfs/rootfs.go b/src/initramfs/cmd/init/pkg/rootfs/rootfs.go
index e6b377a99..247d3e171 100644
--- a/src/initramfs/cmd/init/pkg/rootfs/rootfs.go
+++ b/src/initramfs/cmd/init/pkg/rootfs/rootfs.go
@@ -32,7 +32,11 @@ func ip() string {
 // Prepare creates the files required by the installed binaries and libraries.
 func Prepare(s string, userdata userdata.UserData) (err error) {
 // Enable IP forwarding.
- if err = proc.WriteSystemProperty("net.ipv4.ip_forward", "1"); err != nil {
+ if err = proc.WriteSystemProperty(&proc.SystemProperty{Key: "net.ipv4.ip_forward", Value: "1"}); err != nil {
+ return
+ }
+ // Kernel Self Protection Project recommended settings.
+ if err = kernelHardening(); err != nil {
 return
 }
 // Create /etc/hosts.
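Review bot: `WriteSystemProperty` dereferences `prop.Key` without a nil check, so a nil `*SystemProperty` now panics inside init, which the old two-string signature could not do; a guard at the top, `if prop == nil || prop.Key == "" { return errors.New("proc: empty system property") }` (adding the `errors` import), turns that into an ordinary error, and the empty-key case matters because `path.Join` would otherwise target `/proc/sys` itself. Replacing every `.` with `/` means the key can never contain `..`, so the join cannot escape `/proc/sys`, which is worth stating in the doc comment since it is the only thing keeping the write confined. Suggested doc line: `// Key is a dotted sysctl name such as net.ipv4.ip_forward; the dots become path separators under /proc/sys.` The 0644 mode is ignored for existing procfs entries, so it is harmless here.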
@@ -63,3 +67,50 @@ func Prepare(s string, userdata userdata.UserData) (err error) {
 return nil
 }
+
+// We can ignore setting kernel.kexec_load_disabled = 1 because modules are
+// disabled in the kernel config.
+func kernelHardening() (err error) {
+ props := []*proc.SystemProperty{
+ {
+ Key: "kernel.kptr_restrict",
+ Value: "1",
+ },
+ {
+ Key: "kernel.dmesg_restrict",
+ Value: "1",
+ },
+ {
+ Key: "kernel.perf_event_paranoid",
+ Value: "3",
+ },
+ // {
+ // Key: "kernel.kexec_load_disabled",
+ // Value: "1",
+ // },
+ {
+ Key: "kernel.yama.ptrace_scope",
+ Value: "1",
+ },
+ {
+ Key: "user.max_user_namespaces",
+ Value: "0",
+ },
+ // {
+ // Key: "kernel.unprivileged_bpf_disabled",
+ // Value: "1",
+ // },
+ // {
+ // Key: "net.core.bpf_jit_harden",
+ // Value: "2",
+ // },
+ }
+
+ for _, prop := range props {
+ if err = proc.WriteSystemProperty(prop); err != nil {
+ return
+ }
+ }
+
+ return nil
+}
diff --git a/src/initramfs/cmd/init/pkg/system/services/crt.go b/src/initramfs/cmd/init/pkg/system/services/crt.go
index 13dbe3c52..d34ebbf67 100644
--- a/src/initramfs/cmd/init/pkg/system/services/crt.go
+++ b/src/initramfs/cmd/init/pkg/system/services/crt.go
@@ -88,7 +88,6 @@ func (c *CRT) Start(data *userdata.UserData) error {
 args runner.Args
 mounts = []specs.Mount{
 {Type: "cgroup", Destination: "/sys/fs/cgroup", Options: []string{"rbind", "rshared", "rw"}},
- {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
 {Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
 {Type: "bind", Destination: "/etc/cni", Source: "/var/etc/cni", Options: []string{"bind", "rw"}},
 {Type: "bind", Destination: "/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
diff --git a/src/initramfs/cmd/init/pkg/system/services/kubeadm.go b/src/initramfs/cmd/init/pkg/system/services/kubeadm.go
index f3fc813bf..1cadd3cac 100644
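Review bot: The header comment on `kernelHardening` gives the wrong reason for skipping `kernel.kexec_load_disabled`: that sysctl gates kexec_load(2), not module loading, and the reason it can be skipped is that the config hunk at @@ -613 sets `# CONFIG_KEXEC is not set`, so the sysctl does not exist. Suggested replacement: `// kernel.kexec_load_disabled is omitted because CONFIG_KEXEC is compiled out (the sysctl is absent); unprivileged_bpf_disabled and bpf_jit_harden are left commented pending a decision on BPF.` The loop returns the raw `ioutil.WriteFile` error, which names the procfs path but not which hardening step failed, so wrapping it with `prop.Key` (via `fmt.Errorf`, if `fmt` is imported in this file) would make init logs more useful. Two values deserve an inline comment: `kernel.perf_event_paranoid` `"3"` is a distribution-patch value (upstream documents -1 through 2 and treats larger values like 2), and `user.max_user_namespaces` `"0"` refuses user namespaces to every workload on the node, which is a policy choice that should be stated rather than implied.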
--- a/src/initramfs/cmd/init/pkg/system/services/kubeadm.go
+++ b/src/initramfs/cmd/init/pkg/system/services/kubeadm.go
@@ -40,11 +40,11 @@ apt-get install -y curl
 curl -L https://download.docker.com/linux/static/stable/x86_64/docker-17.03.2-ce.tgz | tar -xz --strip-components=1 -C /bin docker/docker
 chmod +x /bin/docker
-trap 'kubeadm reset' ERR
+trap 'kubeadm reset --force' ERR
 {{- if .Init }}
 {{- if eq .Init.Type "initial" }}
-kubeadm init --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion --skip-token-print
+kubeadm init --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion,requiredipvskernelmodulesavailable --skip-token-print
 {{- else if eq .Init.Type "dependent" }}
 export KUBECONFIG=/etc/kubernetes/admin.conf
 kubeadm alpha phase certs all --config kubeadm-config.yaml
@@ -71,7 +71,7 @@ kubeadm alpha phase mark-master --config kubeadm-config.yaml
 echo "successfully joined master node {{ .Hostname }}"
 {{- end }}
 {{- else }}
-kubeadm join --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion
+kubeadm join --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion,requiredipvskernelmodulesavailable
 {{- end }}
 `
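Review bot: Adding `requiredipvskernelmodulesavailable` to `--ignore-preflight-errors` in both the init line (@@ -40) and the join line (@@ -71) silences the check rather than satisfying it; with `# CONFIG_MODULES is not set` elsewhere in this commit, kube-proxy in IPVS mode only works if the IPVS and conntrack code is built in (`=y`), and none of the config hunks shown here touch those symbols. If IPVS is not used, a comment in the template, `# IPVS preflight ignored: modules are compiled out, kube-proxy stays in iptables mode`, records the decision; if it is, the config needs checking for those symbols before relying on the ignore. The `--force` on `kubeadm reset` in the ERR trap is needed because the trap runs without a tty to answer the confirmation prompt, and it means a failed init or join now wipes `/etc/kubernetes` unattended, so `# --force: no tty for the confirmation prompt` on the trap line would save the next reader a guess. The enclosing template string and the Go function that renders it continue outside these hunks.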
@@ -206,7 +206,6 @@ func (k *Kubeadm) Start(data *userdata.UserData) error {
 {Type: "cgroup", Destination: "/sys/fs/cgroup", Options: []string{"ro"}},
 {Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
- {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
 {Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
 {Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/bin/crictl", Source: "/bin/crictl", Options: []string{"bind", "ro"}},
diff --git a/src/initramfs/cmd/init/pkg/system/services/kubelet.go b/src/initramfs/cmd/init/pkg/system/services/kubelet.go
index 7e9223267..5332b9e6f 100644
--- a/src/initramfs/cmd/init/pkg/system/services/kubelet.go
+++ b/src/initramfs/cmd/init/pkg/system/services/kubelet.go
@@ -103,7 +103,6 @@ func (k *Kubelet) Start(data *userdata.UserData) error {
 {Type: "bind", Destination: "/dev", Source: "/dev", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
- {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
 {Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
 {Type: "bind", Destination: "/etc/cni", Source: "/var/etc/cni", Options: []string{"rbind", "rshared", "ro"}},
 {Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
diff --git a/src/initramfs/cmd/osd/pkg/reg/reg.go b/src/initramfs/cmd/osd/pkg/reg/reg.go
index 57b8c9222..541ef3997 100644
--- a/src/initramfs/cmd/osd/pkg/reg/reg.go
+++ b/src/initramfs/cmd/osd/pkg/reg/reg.go
@@ -168,7 +168,6 @@ func (r *Registrator) Reset(ctx context.Context, in *empty.Empty) (reply *proto.
 {Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/var/lib/docker", Source: "/var/lib/docker", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
- {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
 {Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
 {Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/bin/crictl", Source: "/bin/crictl", Options: []string{"bind", "ro"}},
diff --git a/src/kernel/.conform.yaml b/src/kernel/.conform.yaml
index fbf689c82..4cf02c9c7 100644
--- a/src/kernel/.conform.yaml
+++ b/src/kernel/.conform.yaml
@@ -29,8 +29,6 @@ tasks:
 RUN unlink /lib
 RUN ln -s /tools/lib /lib
 RUN make -j $(($(nproc) / 2))
- RUN make modules_install DEPMOD=/tools/bin/depmod INSTALL_MOD_PATH=/tmp
- RUN depmod -b /tmp 4.18.5-dianemo
 RUN cp arch/x86/boot/bzImage /tmp/vmlinuz
 FROM scratch
 COPY --from={{ .Docker.CurrentStage }} /tmp /tmp
diff --git a/src/kernel/src/linux/config b/src/kernel/src/linux/config
index 38ed1fdbb..8b4c0922d 100644
--- a/src/kernel/src/linux/config
+++ b/src/kernel/src/linux/config
@@ -146,7 +146,7 @@ CONFIG_TREE_SRCU=y
 CONFIG_RCU_STALL_COMMON=y
 CONFIG_RCU_NEED_SEGCBLIST=y
 CONFIG_BUILD_BIN2C=y
-CONFIG_IKCONFIG=m
+CONFIG_IKCONFIG=y
 CONFIG_IKCONFIG_PROC=y
 CONFIG_LOG_BUF_SHIFT=18
 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
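Review bot: `CONFIG_IKCONFIG=y` together with the retained `CONFIG_IKCONFIG_PROC=y` in the @@ -146 hunk keeps the full build configuration readable by any local user through /proc/config.gz; that is convenient for support but sits oddly next to the kptr_restrict and dmesg_restrict sysctls this commit adds, so the choice is worth a sentence in the commit message. If the embedded config is only wanted so the image can be inspected offline, `# CONFIG_IKCONFIG_PROC is not set` keeps it in the binary but out of procfs.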
@@ -200,12 +200,10 @@ CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set CONFIG_SYSCTL=y CONFIG_ANON_INODES=y -CONFIG_HAVE_UID16=y CONFIG_SYSCTL_EXCEPTION_TRACE=y CONFIG_HAVE_PCSPKR_PLATFORM=y CONFIG_BPF=y # CONFIG_EXPERT is not set -CONFIG_UID16=y CONFIG_MULTIUSER=y CONFIG_SGETMASK_SYSCALL=y CONFIG_SYSFS_SYSCALL=y @@ -249,26 +247,21 @@ CONFIG_SLUB_DEBUG=y # CONFIG_SLAB is not set CONFIG_SLUB=y CONFIG_SLAB_MERGE_DEFAULT=y -# CONFIG_SLAB_FREELIST_RANDOM is not set -# CONFIG_SLAB_FREELIST_HARDENED is not set +CONFIG_SLAB_FREELIST_RANDOM=y +CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_PROFILING=y CONFIG_TRACEPOINTS=y -CONFIG_CRASH_CORE=y -CONFIG_KEXEC_CORE=y CONFIG_HOTPLUG_SMT=y # CONFIG_OPROFILE is not set CONFIG_HAVE_OPROFILE=y CONFIG_OPROFILE_NMI_TIMER=y -CONFIG_KPROBES=y CONFIG_JUMP_LABEL=y # CONFIG_STATIC_KEYS_SELFTEST is not set -CONFIG_OPTPROBES=y CONFIG_UPROBES=y CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y CONFIG_ARCH_USE_BUILTIN_BSWAP=y -CONFIG_KRETPROBES=y CONFIG_HAVE_IOREMAP_PROT=y CONFIG_HAVE_KPROBES=y CONFIG_HAVE_KRETPROBES=y @@ -299,13 +292,15 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y CONFIG_HAVE_CMPXCHG_LOCAL=y CONFIG_HAVE_CMPXCHG_DOUBLE=y -CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y -CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y CONFIG_PLUGIN_HOSTCC="g++" CONFIG_HAVE_GCC_PLUGINS=y -# CONFIG_GCC_PLUGINS is not set +CONFIG_GCC_PLUGINS=y +CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y +# CONFIG_GCC_PLUGIN_STRUCTLEAK is not set +CONFIG_GCC_PLUGIN_RANDSTRUCT=y +# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set CONFIG_HAVE_STACKPROTECTOR=y CONFIG_CC_HAS_STACKPROTECTOR_NONE=y CONFIG_STACKPROTECTOR=y 
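Review bot: `# CONFIG_GCC_PLUGIN_STRUCTLEAK is not set` is the one KSPP plugin left off in the @@ -299 hunk that turns on `CONFIG_GCC_PLUGINS=y`; on this kernel series `CONFIG_GCC_PLUGIN_STRUCTLEAK=y` plus `CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y` zero-initialise stack variables passed by reference, which is the mitigation for uninitialised-stack information leaks, and nothing in the commit says it was measured and rejected. `CONFIG_SLAB_MERGE_DEFAULT=y` also survives as a context line in the @@ -249 hunk while `slab_nomerge` is passed on the command line, so the static default and the boot parameter disagree; setting it to `n` here makes the hardening hold on any boot path. `CONFIG_GCC_PLUGIN_RANDSTRUCT=y` changes struct layouts per build, which is fine with modules compiled out but is worth a note for anyone debugging with external tooling.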
@@ -325,22 +320,15 @@ CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y CONFIG_ARCH_MMAP_RND_BITS=28 -CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y -CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 -CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y -CONFIG_OLD_SIGSUSPEND3=y -CONFIG_COMPAT_OLD_SIGACTION=y -CONFIG_COMPAT_32BIT_TIME=y CONFIG_HAVE_ARCH_VMAP_STACK=y CONFIG_VMAP_STACK=y CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y -CONFIG_STRICT_MODULE_RWX=y CONFIG_ARCH_HAS_REFCOUNT=y -# CONFIG_REFCOUNT_FULL is not set +CONFIG_REFCOUNT_FULL=y # # GCOV-based kernel profiling @@ -349,15 +337,7 @@ CONFIG_ARCH_HAS_REFCOUNT=y CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y CONFIG_RT_MUTEXES=y CONFIG_BASE_SMALL=0 -CONFIG_MODULES=y -# CONFIG_MODULE_FORCE_LOAD is not set -CONFIG_MODULE_UNLOAD=y -CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_MODVERSIONS is not set -# CONFIG_MODULE_SRCVERSION_ALL is not set -# CONFIG_MODULE_SIG is not set -# CONFIG_MODULE_COMPRESS is not set -# CONFIG_TRIM_UNUSED_KSYMS is not set +# CONFIG_MODULES is not set CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y CONFIG_BLK_SCSI_REQUEST=y @@ -395,7 +375,6 @@ CONFIG_KARMA_PARTITION=y CONFIG_EFI_PARTITION=y # CONFIG_SYSV68_PARTITION is not set # CONFIG_CMDLINE_PARTITION is not set -CONFIG_BLOCK_COMPAT=y CONFIG_BLK_MQ_PCI=y # @@ -545,7 +524,6 @@ CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y -CONFIG_ARCH_PROC_KCORE_TEXT=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y @@ -571,7 +549,7 @@ CONFIG_BOUNCE=y CONFIG_VIRT_TO_BUS=y CONFIG_MMU_NOTIFIER=y # CONFIG_KSM is not set -CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y # CONFIG_MEMORY_FAILURE is not set # CONFIG_TRANSPARENT_HUGEPAGE is not set 
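Review bot: `# CONFIG_MODULES is not set` in the @@ -349 hunk leaves `CONFIG_MODULES_TREE_LOOKUP=y` as the very next context line, and the surrounding hunks remove symbols by hand (`CONFIG_STRICT_MODULE_RWX=y`, the `COMPAT` set, `CONFIG_BLOCK_COMPAT=y`), which suggests the file was edited directly rather than regenerated with `make olddefconfig`; a regenerate drops dead symbols and surfaces any dependency the manual edit broke, and is the cheapest check before this lands. `CONFIG_DEFAULT_MMAP_MIN_ADDR=65536` and `CONFIG_REFCOUNT_FULL=y` match the KSPP list and look right. A one-line header comment in the config naming the kernel version it was last regenerated against would make later diffs of this file reviewable.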
@@ -613,20 +591,22 @@ CONFIG_SECCOMP=y CONFIG_HZ_1000=y CONFIG_HZ=1000 CONFIG_SCHED_HRTICK=y -CONFIG_KEXEC=y +# CONFIG_KEXEC is not set # CONFIG_KEXEC_FILE is not set CONFIG_CRASH_DUMP=y -# CONFIG_KEXEC_JUMP is not set CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y +CONFIG_X86_NEED_RELOCS=y CONFIG_PHYSICAL_ALIGN=0x200000 +CONFIG_DYNAMIC_MEMORY_LAYOUT=y +CONFIG_RANDOMIZE_MEMORY=y +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0x0 CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set -# CONFIG_COMPAT_VDSO is not set -CONFIG_LEGACY_VSYSCALL_EMULATE=y -# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_LEGACY_VSYSCALL_EMULATE is not set +CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_CMDLINE_BOOL is not set CONFIG_MODIFY_LDT_SYSCALL=y CONFIG_HAVE_LIVEPATCH=y @@ -637,12 +617,10 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # # Power management and ACPI options # -CONFIG_ARCH_HIBERNATION_HEADER=y CONFIG_SUSPEND=y CONFIG_SUSPEND_FREEZER=y CONFIG_HIBERNATE_CALLBACKS=y -CONFIG_HIBERNATION=y -CONFIG_PM_STD_PARTITION="" +# CONFIG_HIBERNATION is not set CONFIG_PM_SLEEP=y CONFIG_PM_SLEEP_SMP=y # CONFIG_PM_AUTOSLEEP is not set @@ -837,19 +815,13 @@ CONFIG_PCCARD_NONSTATIC=y # Executable file formats / Emulations # CONFIG_BINFMT_ELF=y -CONFIG_COMPAT_BINFMT_ELF=y CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y -CONFIG_BINFMT_MISC=y +# CONFIG_BINFMT_MISC is not set CONFIG_COREDUMP=y -CONFIG_IA32_EMULATION=y -# CONFIG_IA32_AOUT is not set +# CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set -CONFIG_COMPAT_32=y -CONFIG_COMPAT=y -CONFIG_COMPAT_FOR_U64_ALIGNMENT=y -CONFIG_SYSVIPC_COMPAT=y CONFIG_X86_DEV_DMA_OPS=y CONFIG_NET=y CONFIG_NET_INGRESS=y 
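Review bot: `CONFIG_MODIFY_LDT_SYSCALL=y` survives as a context line just below the vsyscall change in the @@ -613 hunk; KSPP lists `# CONFIG_MODIFY_LDT_SYSCALL is not set` next to `CONFIG_LEGACY_VSYSCALL_NONE=y`, and with 32-bit emulation removed in the @@ -837 hunk nothing on this image should need modify_ldt(2). `CONFIG_CRASH_DUMP=y` is kept while `# CONFIG_KEXEC is not set` and `# CONFIG_KEXEC_FILE is not set`, so this kernel can no longer load a capture kernel and CRASH_DUMP (with `CONFIG_PROC_VMCORE=y` later in the file) appears to serve no purpose unless the same image is meant to boot as the capture kernel of another host; either drop them or leave a comment saying why they stay. The rest of these hunks (KASLR, `CONFIG_RANDOMIZE_MEMORY=y`, hibernation off, `CONFIG_BINFMT_MISC` off) follows the KSPP list.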
@@ -907,11 +879,7 @@ CONFIG_INET_TUNNEL=y CONFIG_INET_XFRM_MODE_TRANSPORT=y CONFIG_INET_XFRM_MODE_TUNNEL=y CONFIG_INET_XFRM_MODE_BEET=y -CONFIG_INET_DIAG=y -CONFIG_INET_TCP_DIAG=y -# CONFIG_INET_UDP_DIAG is not set -# CONFIG_INET_RAW_DIAG is not set -# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_INET_DIAG is not set CONFIG_TCP_CONG_ADVANCED=y # CONFIG_TCP_CONG_BIC is not set CONFIG_TCP_CONG_CUBIC=y @@ -1307,7 +1275,6 @@ CONFIG_BRIDGE_EBT_LOG=y CONFIG_BRIDGE_EBT_NFLOG=y # CONFIG_BPFILTER is not set CONFIG_IP_DCCP=y -CONFIG_INET_DCCP_DIAG=y # # DCCP CCIDs Configuration @@ -1328,7 +1295,6 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set CONFIG_SCTP_COOKIE_HMAC_MD5=y # CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set -CONFIG_INET_SCTP_DIAG=y CONFIG_RDS=y # CONFIG_RDS_TCP is not set # CONFIG_RDS_DEBUG is not set @@ -1481,8 +1447,8 @@ CONFIG_BATMAN_ADV_BLA=y # CONFIG_BATMAN_ADV_MCAST is not set CONFIG_BATMAN_ADV_DEBUGFS=y # CONFIG_BATMAN_ADV_DEBUG is not set -CONFIG_OPENVSWITCH=m -CONFIG_OPENVSWITCH_VXLAN=m +CONFIG_OPENVSWITCH=y +CONFIG_OPENVSWITCH_VXLAN=y CONFIG_VSOCKETS=y CONFIG_VSOCKETS_DIAG=y CONFIG_NETLINK_DIAG=y @@ -1501,7 +1467,6 @@ CONFIG_CGROUP_NET_PRIO=y CONFIG_CGROUP_NET_CLASSID=y CONFIG_NET_RX_BUSY_POLL=y CONFIG_BQL=y -CONFIG_BPF_JIT=y CONFIG_NET_FLOW_LIMIT=y # @@ -1587,7 +1552,6 @@ CONFIG_ALLOW_DEV_COREDUMP=y # CONFIG_DEBUG_DRIVER is not set CONFIG_DEBUG_DEVRES=y # CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set -# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set CONFIG_SYS_HYPERVISOR=y CONFIG_GENERIC_CPU_AUTOPROBE=y CONFIG_GENERIC_CPU_VULNERABILITIES=y @@ -2497,8 +2461,8 @@ CONFIG_SERIAL_NONSTANDARD=y # CONFIG_N_HDLC is not set # CONFIG_N_GSM is not set # CONFIG_TRACE_SINK is not set -CONFIG_DEVMEM=y -CONFIG_DEVKMEM=y +# CONFIG_DEVMEM is not set +# CONFIG_DEVKMEM is not set # # Serial drivers 
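Review bot: `# CONFIG_INET_DIAG is not set` in the @@ -907 hunk removes the sock_diag/tcp_diag netlink interface that `ss` and netlink-based socket monitoring rely on; the KSPP list does not ask for this, so if it was dropped only as a leftover of the `CONFIG_INET_TCP_DIAG` cleanup, keeping `CONFIG_INET_DIAG=y` preserves on-host diagnostics and incident-response tooling. Deleting the `CONFIG_BPF_JIT=y` line in the @@ -1501 hunk is consistent with the commented-out `net.core.bpf_jit_harden` sysctl in kernelHardening, but writing `# CONFIG_BPF_JIT is not set` explicitly makes the intent visible so the JIT is not re-enabled later without the hardening sysctl. `# CONFIG_DEVMEM is not set` and `# CONFIG_DEVKMEM is not set` are the stronger form of the STRICT_DEVMEM recommendation and are fine.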
@@ -2635,7 +2599,6 @@ CONFIG_I2C_I801=y # Other I2C/SMBus bus drivers # # CONFIG_I2C_MLXCPLD is not set -# CONFIG_I2C_STUB is not set # CONFIG_I2C_SLAVE is not set # CONFIG_I2C_DEBUG_CORE is not set # CONFIG_I2C_DEBUG_ALGO is not set @@ -3618,8 +3581,8 @@ CONFIG_XENFS=y CONFIG_XEN_COMPAT_XENFS=y CONFIG_XEN_SYS_HYPERVISOR=y CONFIG_XEN_XENBUS_FRONTEND=y -CONFIG_XEN_GNTDEV=m -CONFIG_XEN_GRANT_DEV_ALLOC=m +CONFIG_XEN_GNTDEV=y +CONFIG_XEN_GRANT_DEV_ALLOC=y CONFIG_SWIOTLB_XEN=y # CONFIG_XEN_PVCALLS_FRONTEND is not set CONFIG_XEN_PRIVCMD=y @@ -3821,7 +3784,6 @@ CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y # CONFIG_EFI_VARS=y CONFIG_EFI_ESRT=y -CONFIG_EFI_RUNTIME_MAP=y # CONFIG_EFI_FAKE_MEMMAP is not set CONFIG_EFI_RUNTIME_WRAPPERS=y # CONFIG_EFI_BOOTLOADER_CONTROL is not set @@ -3880,7 +3842,6 @@ CONFIG_QUOTA_TREE=y # CONFIG_QFMT_V1 is not set CONFIG_QFMT_V2=y CONFIG_QUOTACTL=y -CONFIG_QUOTACTL_COMPAT=y CONFIG_AUTOFS4_FS=y CONFIG_AUTOFS_FS=y # CONFIG_FUSE_FS is not set @@ -3918,7 +3879,7 @@ CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" # Pseudo filesystems # CONFIG_PROC_FS=y -CONFIG_PROC_KCORE=y +# CONFIG_PROC_KCORE is not set CONFIG_PROC_VMCORE=y # CONFIG_PROC_VMCORE_DEVICE_DUMP is not set CONFIG_PROC_SYSCTL=y @@ -4074,7 +4035,9 @@ CONFIG_DEBUG_KERNEL=y # # CONFIG_PAGE_EXTENSION is not set # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_PAGE_POISONING is not set +CONFIG_PAGE_POISONING=y +# CONFIG_PAGE_POISONING_NO_SANITY is not set +# CONFIG_PAGE_POISONING_ZERO is not set # CONFIG_DEBUG_PAGE_REF is not set # CONFIG_DEBUG_RODATA_TEST is not set # CONFIG_DEBUG_OBJECTS is not set 
@@ -4105,13 +4068,13 @@ CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y # CONFIG_HARDLOCKUP_DETECTOR is not set # CONFIG_DETECT_HUNG_TASK is not set # CONFIG_WQ_WATCHDOG is not set -# CONFIG_PANIC_ON_OOPS is not set -CONFIG_PANIC_ON_OOPS_VALUE=0 -CONFIG_PANIC_TIMEOUT=0 +CONFIG_PANIC_ON_OOPS=y +CONFIG_PANIC_ON_OOPS_VALUE=1 +CONFIG_PANIC_TIMEOUT=-1 # CONFIG_SCHED_DEBUG is not set CONFIG_SCHED_INFO=y CONFIG_SCHEDSTATS=y -# CONFIG_SCHED_STACK_END_CHECK is not set +CONFIG_SCHED_STACK_END_CHECK=y # CONFIG_DEBUG_TIMEKEEPING is not set # @@ -4134,11 +4097,11 @@ CONFIG_STACKTRACE=y # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set # CONFIG_DEBUG_KOBJECT is not set CONFIG_DEBUG_BUGVERBOSE=y -# CONFIG_DEBUG_LIST is not set +CONFIG_DEBUG_LIST=y # CONFIG_DEBUG_PI_LIST is not set -# CONFIG_DEBUG_SG is not set -# CONFIG_DEBUG_NOTIFIERS is not set -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_SG=y +CONFIG_DEBUG_NOTIFIERS=y +CONFIG_DEBUG_CREDENTIALS=y # # RCU Debugging @@ -4152,7 +4115,6 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21 # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set # CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set # CONFIG_NOTIFIER_ERROR_INJECTION is not set -CONFIG_FUNCTION_ERROR_INJECTION=y # CONFIG_FAULT_INJECTION is not set # CONFIG_LATENCYTOP is not set CONFIG_USER_STACKTRACE_SUPPORT=y @@ -4182,10 +4144,8 @@ CONFIG_FTRACE=y # CONFIG_TRACER_SNAPSHOT is not set CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set -# CONFIG_PROFILE_ALL_BRANCHES is not set # CONFIG_STACK_TRACER is not set CONFIG_BLK_DEV_IO_TRACE=y -CONFIG_KPROBE_EVENTS=y CONFIG_UPROBE_EVENTS=y CONFIG_PROBE_EVENTS=y # CONFIG_FTRACE_STARTUP_TEST is not set 
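Review bot: `CONFIG_PANIC_TIMEOUT=-1` with `CONFIG_PANIC_ON_OOPS=y` reboots immediately on any oops, and with kexec compiled out in this commit there is no crash kernel to capture state, so the only forensic record of a panic is whatever reached the console before the reset. That is the KSPP value, but on a node booted with `console=ttyS0,9600` it is worth confirming the serial output is actually collected somewhere, or using a small positive timeout so the panic text can be read; a comment next to the setting, `# -1: reboot at once; panic output survives only on the serial console`, keeps that trade-off visible. `CONFIG_DEBUG_SG=y`, `CONFIG_DEBUG_NOTIFIERS=y` and `CONFIG_DEBUG_CREDENTIALS=y` add runtime checks with a measurable cost; if they were benchmarked a note in the commit would help, and if not they are the first candidates to revisit.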
@@ -4201,11 +4161,9 @@ CONFIG_RUNTIME_TESTING_MENU=y # CONFIG_LKDTM is not set # CONFIG_TEST_LIST_SORT is not set # CONFIG_TEST_SORT is not set -# CONFIG_KPROBES_SANITY_TEST is not set # CONFIG_BACKTRACE_SELF_TEST is not set # CONFIG_RBTREE_TEST is not set # CONFIG_INTERVAL_TREE_TEST is not set -# CONFIG_PERCPU_TEST is not set # CONFIG_ATOMIC64_SELFTEST is not set # CONFIG_TEST_HEXDUMP is not set # CONFIG_TEST_STRING_HELPERS is not set @@ -4216,37 +4174,31 @@ CONFIG_RUNTIME_TESTING_MENU=y # CONFIG_TEST_OVERFLOW is not set # CONFIG_TEST_RHASHTABLE is not set # CONFIG_TEST_HASH is not set -# CONFIG_TEST_LKM is not set -# CONFIG_TEST_USER_COPY is not set -# CONFIG_TEST_BPF is not set # CONFIG_FIND_BIT_BENCHMARK is not set # CONFIG_TEST_FIRMWARE is not set # CONFIG_TEST_SYSCTL is not set # CONFIG_TEST_UDELAY is not set -# CONFIG_TEST_STATIC_KEYS is not set -# CONFIG_TEST_KMOD is not set # CONFIG_MEMTEST is not set -# CONFIG_BUG_ON_DATA_CORRUPTION is not set +CONFIG_BUG_ON_DATA_CORRUPTION=y # CONFIG_SAMPLES is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y -# CONFIG_STRICT_DEVMEM is not set CONFIG_EARLY_PRINTK_USB=y CONFIG_X86_VERBOSE_BOOTUP=y CONFIG_EARLY_PRINTK=y CONFIG_EARLY_PRINTK_DBGP=y # CONFIG_EARLY_PRINTK_EFI is not set # CONFIG_EARLY_PRINTK_USB_XDBC is not set +CONFIG_X86_PTDUMP_CORE=y # CONFIG_X86_PTDUMP is not set # CONFIG_EFI_PGT_DUMP is not set -# CONFIG_DEBUG_WX is not set +CONFIG_DEBUG_WX=y CONFIG_DOUBLEFAULT=y # CONFIG_DEBUG_TLBFLUSH is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y -# CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_TYPE_0X80=0 CONFIG_IO_DELAY_TYPE_0XED=1 CONFIG_IO_DELAY_TYPE_UDELAY=2 @@ -4270,7 +4222,6 @@ CONFIG_UNWINDER_ORC=y # Security options # CONFIG_KEYS=y -CONFIG_KEYS_COMPAT=y # CONFIG_PERSISTENT_KEYRINGS is not set # CONFIG_BIG_KEYS is not set # CONFIG_ENCRYPTED_KEYS is not set 
@@ -4284,15 +4235,16 @@ CONFIG_SECURITY_NETWORK_XFRM=y # CONFIG_SECURITY_PATH is not set # CONFIG_INTEL_TXT is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y -# CONFIG_HARDENED_USERCOPY is not set -# CONFIG_FORTIFY_SOURCE is not set +CONFIG_HARDENED_USERCOPY=y +CONFIG_HARDENED_USERCOPY_FALLBACK=y +CONFIG_FORTIFY_SOURCE=y # CONFIG_STATIC_USERMODEHELPER is not set # CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set CONFIG_INTEGRITY_AUDIT=y @@ -4335,7 +4287,6 @@ CONFIG_CRYPTO_WORKQUEUE=y # CONFIG_CRYPTO_CRYPTD is not set # CONFIG_CRYPTO_MCRYPTD is not set CONFIG_CRYPTO_AUTHENC=y -# CONFIG_CRYPTO_TEST is not set # # Authenticated Encryption with Associated Data @@ -4534,8 +4485,6 @@ CONFIG_LIBCRC32C=y # CONFIG_RANDOM32_SELFTEST is not set CONFIG_ZLIB_INFLATE=y CONFIG_ZLIB_DEFLATE=y -CONFIG_LZO_COMPRESS=y -CONFIG_LZO_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y CONFIG_XZ_DEC_POWERPC=y
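Review bot: `CONFIG_HARDENED_USERCOPY_FALLBACK=y` in the @@ -4284 hunk undercuts `CONFIG_HARDENED_USERCOPY=y`: with the fallback on, a usercopy that misses the slab whitelist only warns and proceeds instead of being refused, and KSPP recommends `# CONFIG_HARDENED_USERCOPY_FALLBACK is not set`. Keeping it on for a burn-in period to find whitelist gaps is reasonable, but then a comment should say so and a follow-up should turn it off once the warnings are clean. `CONFIG_SECURITY_YAMA=y` is what makes the `kernel.yama.ptrace_scope` sysctl written in kernelHardening exist, so that pairing is correct, and `CONFIG_FORTIFY_SOURCE=y` is fine.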