mirror of
https://github.com/siderolabs/talos.git
synced 2025-10-17 18:41:16 +02:00
feat(kernel): configure Kernel Self Protection Project recommendations (#152)
This commit is contained in:
Andrew Rynhard
GitHub
parent
e114026b57
commit
b34debedfc
@ -64,5 +64,4 @@ tasks:
|
||||
rootfs:
|
||||
template: |
|
||||
COPY --from=dianemo/rootfs:{{ .Docker.Image.Tag }} /rootfs /generated/rootfs
|
||||
COPY --from=dianemo/kernel:{{ .Docker.Image.Tag }} /tmp/lib/modules /generated/rootfs/lib/modules
|
||||
RUN {{if .Git.IsClean}}XZ_OPT=-9e{{else}}XZ_OPT=-0{{end}} tar -cvpJf /generated/rootfs.tar.xz -C /generated/rootfs .
|
||||
|
||||
@ -108,7 +108,7 @@ DEFAULT Dianemo
|
||||
LABEL Dianemo
|
||||
KERNEL /boot/vmlinuz
|
||||
INITRD /boot/initramfs.xz
|
||||
APPEND ip=dhcp consoleblank=0 console=tty0 console=ttyS0,9600 dianemo.autonomy.io/root=${DIANEMO_ROOT} dianemo.autonomy.io/userdata=${DIANEMO_USERDATA} dianemo.autonomy.io/platform=${DIANEMO_PLATFORM}
|
||||
APPEND ${KERNEL_SELF_PROTECTION_PROJECT_KERNEL_PARAMS} ip=dhcp consoleblank=0 console=tty0 console=ttyS0,9600 dianemo.autonomy.io/root=${DIANEMO_ROOT} dianemo.autonomy.io/userdata=${DIANEMO_USERDATA} dianemo.autonomy.io/platform=${DIANEMO_PLATFORM}
|
||||
EOF
|
||||
}
|
||||
|
||||
@ -130,6 +130,7 @@ FULL=false
|
||||
RAW=false
|
||||
ROOTFS_SIZE=$(size_xz /generated/rootfs.tar.xz)
|
||||
INITRAMFS_SIZE=$(size_xz /generated/boot/initramfs.xz)
|
||||
KERNEL_SELF_PROTECTION_PROJECT_KERNEL_PARAMS="slub_debug=P page_poison=1 slab_nomerge pti=on"
|
||||
|
||||
case "$1" in
|
||||
image)
|
||||
|
||||
@ -6,8 +6,14 @@ import (
|
||||
"strings"
|
||||
)
|
||||
|
||||
// WriteSystemProperty writes a value to a key under /proc/sys.
|
||||
func WriteSystemProperty(key, value string) error {
|
||||
keyPath := strings.Replace(key, ".", "/", -1)
|
||||
return ioutil.WriteFile(path.Join("/proc/sys", keyPath), []byte(value), 0644)
|
||||
// SystemProperty represents a kernel system property.
|
||||
type SystemProperty struct {
|
||||
Key string
|
||||
Value string
|
||||
}
|
||||
|
||||
// WriteSystemProperty writes a value to a key under /proc/sys.
|
||||
func WriteSystemProperty(prop *SystemProperty) error {
|
||||
keyPath := path.Join("/proc/sys", strings.Replace(prop.Key, ".", "/", -1))
|
||||
return ioutil.WriteFile(keyPath, []byte(prop.Value), 0644)
|
||||
}
|
||||
|
||||
@ -32,7 +32,11 @@ func ip() string {
|
||||
// Prepare creates the files required by the installed binaries and libraries.
|
||||
func Prepare(s string, userdata userdata.UserData) (err error) {
|
||||
// Enable IP forwarding.
|
||||
if err = proc.WriteSystemProperty("net.ipv4.ip_forward", "1"); err != nil {
|
||||
if err = proc.WriteSystemProperty(&proc.SystemProperty{Key: "net.ipv4.ip_forward", Value: "1"}); err != nil {
|
||||
return
|
||||
}
|
||||
// Kernel Self Protection Project recommended settings.
|
||||
if err = kernelHardening(); err != nil {
|
||||
return
|
||||
}
|
||||
// Create /etc/hosts.
|
||||
@ -63,3 +67,50 @@ func Prepare(s string, userdata userdata.UserData) (err error) {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// We can ignore setting kernel.kexec_load_disabled = 1 because modules are
|
||||
// disabled in the kernel config.
|
||||
func kernelHardening() (err error) {
|
||||
props := []*proc.SystemProperty{
|
||||
{
|
||||
Key: "kernel.kptr_restrict",
|
||||
Value: "1",
|
||||
},
|
||||
{
|
||||
Key: "kernel.dmesg_restrict",
|
||||
Value: "1",
|
||||
},
|
||||
{
|
||||
Key: "kernel.perf_event_paranoid",
|
||||
Value: "3",
|
||||
},
|
||||
// {
|
||||
// Key: "kernel.kexec_load_disabled",
|
||||
// Value: "1",
|
||||
// },
|
||||
{
|
||||
Key: "kernel.yama.ptrace_scope",
|
||||
Value: "1",
|
||||
},
|
||||
{
|
||||
Key: "user.max_user_namespaces",
|
||||
Value: "0",
|
||||
},
|
||||
// {
|
||||
// Key: "kernel.unprivileged_bpf_disabled",
|
||||
// Value: "1",
|
||||
// },
|
||||
// {
|
||||
// Key: "net.core.bpf_jit_harden",
|
||||
// Value: "2",
|
||||
// },
|
||||
}
|
||||
|
||||
for _, prop := range props {
|
||||
if err = proc.WriteSystemProperty(prop); err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -88,7 +88,6 @@ func (c *CRT) Start(data *userdata.UserData) error {
|
||||
args runner.Args
|
||||
mounts = []specs.Mount{
|
||||
{Type: "cgroup", Destination: "/sys/fs/cgroup", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
|
||||
{Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
|
||||
{Type: "bind", Destination: "/etc/cni", Source: "/var/etc/cni", Options: []string{"bind", "rw"}},
|
||||
{Type: "bind", Destination: "/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
|
||||
|
||||
@ -40,11 +40,11 @@ apt-get install -y curl
|
||||
curl -L https://download.docker.com/linux/static/stable/x86_64/docker-17.03.2-ce.tgz | tar -xz --strip-components=1 -C /bin docker/docker
|
||||
chmod +x /bin/docker
|
||||
|
||||
trap 'kubeadm reset' ERR
|
||||
trap 'kubeadm reset --force' ERR
|
||||
|
||||
{{- if .Init }}
|
||||
{{- if eq .Init.Type "initial" }}
|
||||
kubeadm init --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion --skip-token-print
|
||||
kubeadm init --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion,requiredipvskernelmodulesavailable --skip-token-print
|
||||
{{- else if eq .Init.Type "dependent" }}
|
||||
export KUBECONFIG=/etc/kubernetes/admin.conf
|
||||
kubeadm alpha phase certs all --config kubeadm-config.yaml
|
||||
@ -71,7 +71,7 @@ kubeadm alpha phase mark-master --config kubeadm-config.yaml
|
||||
echo "successfully joined master node {{ .Hostname }}"
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
kubeadm join --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion
|
||||
kubeadm join --config=kubeadm-config.yaml --ignore-preflight-errors=cri,kubeletversion,requiredipvskernelmodulesavailable
|
||||
{{- end }}
|
||||
`
|
||||
|
||||
@ -206,7 +206,6 @@ func (k *Kubeadm) Start(data *userdata.UserData) error {
|
||||
{Type: "cgroup", Destination: "/sys/fs/cgroup", Options: []string{"ro"}},
|
||||
{Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
|
||||
{Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
|
||||
{Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
|
||||
{Type: "bind", Destination: "/bin/crictl", Source: "/bin/crictl", Options: []string{"bind", "ro"}},
|
||||
|
||||
@ -103,7 +103,6 @@ func (k *Kubelet) Start(data *userdata.UserData) error {
|
||||
{Type: "bind", Destination: "/dev", Source: "/dev", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
|
||||
{Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
|
||||
{Type: "bind", Destination: "/etc/cni", Source: "/var/etc/cni", Options: []string{"rbind", "rshared", "ro"}},
|
||||
{Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
|
||||
|
||||
@ -168,7 +168,6 @@ func (r *Registrator) Reset(ctx context.Context, in *empty.Empty) (reply *proto.
|
||||
{Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/var/lib/docker", Source: "/var/lib/docker", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
|
||||
{Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "shared", "ro"}},
|
||||
{Type: "bind", Destination: "/etc/kubernetes", Source: "/var/etc/kubernetes", Options: []string{"bind", "rw"}},
|
||||
{Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
|
||||
{Type: "bind", Destination: "/bin/crictl", Source: "/bin/crictl", Options: []string{"bind", "ro"}},
|
||||
|
||||
@ -29,8 +29,6 @@ tasks:
|
||||
RUN unlink /lib
|
||||
RUN ln -s /tools/lib /lib
|
||||
RUN make -j $(($(nproc) / 2))
|
||||
RUN make modules_install DEPMOD=/tools/bin/depmod INSTALL_MOD_PATH=/tmp
|
||||
RUN depmod -b /tmp 4.18.5-dianemo
|
||||
RUN cp arch/x86/boot/bzImage /tmp/vmlinuz
|
||||
FROM scratch
|
||||
COPY --from={{ .Docker.CurrentStage }} /tmp /tmp
|
||||
|
||||
@ -146,7 +146,7 @@ CONFIG_TREE_SRCU=y
|
||||
CONFIG_RCU_STALL_COMMON=y
|
||||
CONFIG_RCU_NEED_SEGCBLIST=y
|
||||
CONFIG_BUILD_BIN2C=y
|
||||
CONFIG_IKCONFIG=m
|
||||
CONFIG_IKCONFIG=y
|
||||
CONFIG_IKCONFIG_PROC=y
|
||||
CONFIG_LOG_BUF_SHIFT=18
|
||||
CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
|
||||
@ -200,12 +200,10 @@ CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
|
||||
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
|
||||
CONFIG_SYSCTL=y
|
||||
CONFIG_ANON_INODES=y
|
||||
CONFIG_HAVE_UID16=y
|
||||
CONFIG_SYSCTL_EXCEPTION_TRACE=y
|
||||
CONFIG_HAVE_PCSPKR_PLATFORM=y
|
||||
CONFIG_BPF=y
|
||||
# CONFIG_EXPERT is not set
|
||||
CONFIG_UID16=y
|
||||
CONFIG_MULTIUSER=y
|
||||
CONFIG_SGETMASK_SYSCALL=y
|
||||
CONFIG_SYSFS_SYSCALL=y
|
||||
@ -249,26 +247,21 @@ CONFIG_SLUB_DEBUG=y
|
||||
# CONFIG_SLAB is not set
|
||||
CONFIG_SLUB=y
|
||||
CONFIG_SLAB_MERGE_DEFAULT=y
|
||||
# CONFIG_SLAB_FREELIST_RANDOM is not set
|
||||
# CONFIG_SLAB_FREELIST_HARDENED is not set
|
||||
CONFIG_SLAB_FREELIST_RANDOM=y
|
||||
CONFIG_SLAB_FREELIST_HARDENED=y
|
||||
CONFIG_SLUB_CPU_PARTIAL=y
|
||||
CONFIG_SYSTEM_DATA_VERIFICATION=y
|
||||
CONFIG_PROFILING=y
|
||||
CONFIG_TRACEPOINTS=y
|
||||
CONFIG_CRASH_CORE=y
|
||||
CONFIG_KEXEC_CORE=y
|
||||
CONFIG_HOTPLUG_SMT=y
|
||||
# CONFIG_OPROFILE is not set
|
||||
CONFIG_HAVE_OPROFILE=y
|
||||
CONFIG_OPROFILE_NMI_TIMER=y
|
||||
CONFIG_KPROBES=y
|
||||
CONFIG_JUMP_LABEL=y
|
||||
# CONFIG_STATIC_KEYS_SELFTEST is not set
|
||||
CONFIG_OPTPROBES=y
|
||||
CONFIG_UPROBES=y
|
||||
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
|
||||
CONFIG_ARCH_USE_BUILTIN_BSWAP=y
|
||||
CONFIG_KRETPROBES=y
|
||||
CONFIG_HAVE_IOREMAP_PROT=y
|
||||
CONFIG_HAVE_KPROBES=y
|
||||
CONFIG_HAVE_KRETPROBES=y
|
||||
@ -299,13 +292,15 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
|
||||
CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y
|
||||
CONFIG_HAVE_CMPXCHG_LOCAL=y
|
||||
CONFIG_HAVE_CMPXCHG_DOUBLE=y
|
||||
CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
|
||||
CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y
|
||||
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
|
||||
CONFIG_SECCOMP_FILTER=y
|
||||
CONFIG_PLUGIN_HOSTCC="g++"
|
||||
CONFIG_HAVE_GCC_PLUGINS=y
|
||||
# CONFIG_GCC_PLUGINS is not set
|
||||
CONFIG_GCC_PLUGINS=y
|
||||
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
|
||||
# CONFIG_GCC_PLUGIN_STRUCTLEAK is not set
|
||||
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
|
||||
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
|
||||
CONFIG_HAVE_STACKPROTECTOR=y
|
||||
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
|
||||
CONFIG_STACKPROTECTOR=y
|
||||
@ -325,22 +320,15 @@ CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
|
||||
CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
|
||||
CONFIG_HAVE_EXIT_THREAD=y
|
||||
CONFIG_ARCH_MMAP_RND_BITS=28
|
||||
CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
|
||||
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
|
||||
CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
|
||||
CONFIG_HAVE_COPY_THREAD_TLS=y
|
||||
CONFIG_HAVE_STACK_VALIDATION=y
|
||||
CONFIG_OLD_SIGSUSPEND3=y
|
||||
CONFIG_COMPAT_OLD_SIGACTION=y
|
||||
CONFIG_COMPAT_32BIT_TIME=y
|
||||
CONFIG_HAVE_ARCH_VMAP_STACK=y
|
||||
CONFIG_VMAP_STACK=y
|
||||
CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
|
||||
CONFIG_STRICT_KERNEL_RWX=y
|
||||
CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
|
||||
CONFIG_STRICT_MODULE_RWX=y
|
||||
CONFIG_ARCH_HAS_REFCOUNT=y
|
||||
# CONFIG_REFCOUNT_FULL is not set
|
||||
CONFIG_REFCOUNT_FULL=y
|
||||
|
||||
#
|
||||
# GCOV-based kernel profiling
|
||||
@ -349,15 +337,7 @@ CONFIG_ARCH_HAS_REFCOUNT=y
|
||||
CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
|
||||
CONFIG_RT_MUTEXES=y
|
||||
CONFIG_BASE_SMALL=0
|
||||
CONFIG_MODULES=y
|
||||
# CONFIG_MODULE_FORCE_LOAD is not set
|
||||
CONFIG_MODULE_UNLOAD=y
|
||||
CONFIG_MODULE_FORCE_UNLOAD=y
|
||||
# CONFIG_MODVERSIONS is not set
|
||||
# CONFIG_MODULE_SRCVERSION_ALL is not set
|
||||
# CONFIG_MODULE_SIG is not set
|
||||
# CONFIG_MODULE_COMPRESS is not set
|
||||
# CONFIG_TRIM_UNUSED_KSYMS is not set
|
||||
# CONFIG_MODULES is not set
|
||||
CONFIG_MODULES_TREE_LOOKUP=y
|
||||
CONFIG_BLOCK=y
|
||||
CONFIG_BLK_SCSI_REQUEST=y
|
||||
@ -395,7 +375,6 @@ CONFIG_KARMA_PARTITION=y
|
||||
CONFIG_EFI_PARTITION=y
|
||||
# CONFIG_SYSV68_PARTITION is not set
|
||||
# CONFIG_CMDLINE_PARTITION is not set
|
||||
CONFIG_BLOCK_COMPAT=y
|
||||
CONFIG_BLK_MQ_PCI=y
|
||||
|
||||
#
|
||||
@ -545,7 +524,6 @@ CONFIG_NODES_SHIFT=6
|
||||
CONFIG_ARCH_SPARSEMEM_ENABLE=y
|
||||
CONFIG_ARCH_SPARSEMEM_DEFAULT=y
|
||||
CONFIG_ARCH_SELECT_MEMORY_MODEL=y
|
||||
CONFIG_ARCH_PROC_KCORE_TEXT=y
|
||||
CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
|
||||
CONFIG_SELECT_MEMORY_MODEL=y
|
||||
CONFIG_SPARSEMEM_MANUAL=y
|
||||
@ -571,7 +549,7 @@ CONFIG_BOUNCE=y
|
||||
CONFIG_VIRT_TO_BUS=y
|
||||
CONFIG_MMU_NOTIFIER=y
|
||||
# CONFIG_KSM is not set
|
||||
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
|
||||
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
|
||||
CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
|
||||
# CONFIG_MEMORY_FAILURE is not set
|
||||
# CONFIG_TRANSPARENT_HUGEPAGE is not set
|
||||
@ -613,20 +591,22 @@ CONFIG_SECCOMP=y
|
||||
CONFIG_HZ_1000=y
|
||||
CONFIG_HZ=1000
|
||||
CONFIG_SCHED_HRTICK=y
|
||||
CONFIG_KEXEC=y
|
||||
# CONFIG_KEXEC is not set
|
||||
# CONFIG_KEXEC_FILE is not set
|
||||
CONFIG_CRASH_DUMP=y
|
||||
# CONFIG_KEXEC_JUMP is not set
|
||||
CONFIG_PHYSICAL_START=0x1000000
|
||||
CONFIG_RELOCATABLE=y
|
||||
# CONFIG_RANDOMIZE_BASE is not set
|
||||
CONFIG_RANDOMIZE_BASE=y
|
||||
CONFIG_X86_NEED_RELOCS=y
|
||||
CONFIG_PHYSICAL_ALIGN=0x200000
|
||||
CONFIG_DYNAMIC_MEMORY_LAYOUT=y
|
||||
CONFIG_RANDOMIZE_MEMORY=y
|
||||
CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0x0
|
||||
CONFIG_HOTPLUG_CPU=y
|
||||
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
|
||||
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
|
||||
# CONFIG_COMPAT_VDSO is not set
|
||||
CONFIG_LEGACY_VSYSCALL_EMULATE=y
|
||||
# CONFIG_LEGACY_VSYSCALL_NONE is not set
|
||||
# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
|
||||
CONFIG_LEGACY_VSYSCALL_NONE=y
|
||||
# CONFIG_CMDLINE_BOOL is not set
|
||||
CONFIG_MODIFY_LDT_SYSCALL=y
|
||||
CONFIG_HAVE_LIVEPATCH=y
|
||||
@ -637,12 +617,10 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y
|
||||
#
|
||||
# Power management and ACPI options
|
||||
#
|
||||
CONFIG_ARCH_HIBERNATION_HEADER=y
|
||||
CONFIG_SUSPEND=y
|
||||
CONFIG_SUSPEND_FREEZER=y
|
||||
CONFIG_HIBERNATE_CALLBACKS=y
|
||||
CONFIG_HIBERNATION=y
|
||||
CONFIG_PM_STD_PARTITION=""
|
||||
# CONFIG_HIBERNATION is not set
|
||||
CONFIG_PM_SLEEP=y
|
||||
CONFIG_PM_SLEEP_SMP=y
|
||||
# CONFIG_PM_AUTOSLEEP is not set
|
||||
@ -837,19 +815,13 @@ CONFIG_PCCARD_NONSTATIC=y
|
||||
# Executable file formats / Emulations
|
||||
#
|
||||
CONFIG_BINFMT_ELF=y
|
||||
CONFIG_COMPAT_BINFMT_ELF=y
|
||||
CONFIG_ELFCORE=y
|
||||
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
|
||||
CONFIG_BINFMT_SCRIPT=y
|
||||
CONFIG_BINFMT_MISC=y
|
||||
# CONFIG_BINFMT_MISC is not set
|
||||
CONFIG_COREDUMP=y
|
||||
CONFIG_IA32_EMULATION=y
|
||||
# CONFIG_IA32_AOUT is not set
|
||||
# CONFIG_IA32_EMULATION is not set
|
||||
# CONFIG_X86_X32 is not set
|
||||
CONFIG_COMPAT_32=y
|
||||
CONFIG_COMPAT=y
|
||||
CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
|
||||
CONFIG_SYSVIPC_COMPAT=y
|
||||
CONFIG_X86_DEV_DMA_OPS=y
|
||||
CONFIG_NET=y
|
||||
CONFIG_NET_INGRESS=y
|
||||
@ -907,11 +879,7 @@ CONFIG_INET_TUNNEL=y
|
||||
CONFIG_INET_XFRM_MODE_TRANSPORT=y
|
||||
CONFIG_INET_XFRM_MODE_TUNNEL=y
|
||||
CONFIG_INET_XFRM_MODE_BEET=y
|
||||
CONFIG_INET_DIAG=y
|
||||
CONFIG_INET_TCP_DIAG=y
|
||||
# CONFIG_INET_UDP_DIAG is not set
|
||||
# CONFIG_INET_RAW_DIAG is not set
|
||||
# CONFIG_INET_DIAG_DESTROY is not set
|
||||
# CONFIG_INET_DIAG is not set
|
||||
CONFIG_TCP_CONG_ADVANCED=y
|
||||
# CONFIG_TCP_CONG_BIC is not set
|
||||
CONFIG_TCP_CONG_CUBIC=y
|
||||
@ -1307,7 +1275,6 @@ CONFIG_BRIDGE_EBT_LOG=y
|
||||
CONFIG_BRIDGE_EBT_NFLOG=y
|
||||
# CONFIG_BPFILTER is not set
|
||||
CONFIG_IP_DCCP=y
|
||||
CONFIG_INET_DCCP_DIAG=y
|
||||
|
||||
#
|
||||
# DCCP CCIDs Configuration
|
||||
@ -1328,7 +1295,6 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
|
||||
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
|
||||
CONFIG_SCTP_COOKIE_HMAC_MD5=y
|
||||
# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
|
||||
CONFIG_INET_SCTP_DIAG=y
|
||||
CONFIG_RDS=y
|
||||
# CONFIG_RDS_TCP is not set
|
||||
# CONFIG_RDS_DEBUG is not set
|
||||
@ -1481,8 +1447,8 @@ CONFIG_BATMAN_ADV_BLA=y
|
||||
# CONFIG_BATMAN_ADV_MCAST is not set
|
||||
CONFIG_BATMAN_ADV_DEBUGFS=y
|
||||
# CONFIG_BATMAN_ADV_DEBUG is not set
|
||||
CONFIG_OPENVSWITCH=m
|
||||
CONFIG_OPENVSWITCH_VXLAN=m
|
||||
CONFIG_OPENVSWITCH=y
|
||||
CONFIG_OPENVSWITCH_VXLAN=y
|
||||
CONFIG_VSOCKETS=y
|
||||
CONFIG_VSOCKETS_DIAG=y
|
||||
CONFIG_NETLINK_DIAG=y
|
||||
@ -1501,7 +1467,6 @@ CONFIG_CGROUP_NET_PRIO=y
|
||||
CONFIG_CGROUP_NET_CLASSID=y
|
||||
CONFIG_NET_RX_BUSY_POLL=y
|
||||
CONFIG_BQL=y
|
||||
CONFIG_BPF_JIT=y
|
||||
CONFIG_NET_FLOW_LIMIT=y
|
||||
|
||||
#
|
||||
@ -1587,7 +1552,6 @@ CONFIG_ALLOW_DEV_COREDUMP=y
|
||||
# CONFIG_DEBUG_DRIVER is not set
|
||||
CONFIG_DEBUG_DEVRES=y
|
||||
# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
|
||||
# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
|
||||
CONFIG_SYS_HYPERVISOR=y
|
||||
CONFIG_GENERIC_CPU_AUTOPROBE=y
|
||||
CONFIG_GENERIC_CPU_VULNERABILITIES=y
|
||||
@ -2497,8 +2461,8 @@ CONFIG_SERIAL_NONSTANDARD=y
|
||||
# CONFIG_N_HDLC is not set
|
||||
# CONFIG_N_GSM is not set
|
||||
# CONFIG_TRACE_SINK is not set
|
||||
CONFIG_DEVMEM=y
|
||||
CONFIG_DEVKMEM=y
|
||||
# CONFIG_DEVMEM is not set
|
||||
# CONFIG_DEVKMEM is not set
|
||||
|
||||
#
|
||||
# Serial drivers
|
||||
@ -2635,7 +2599,6 @@ CONFIG_I2C_I801=y
|
||||
# Other I2C/SMBus bus drivers
|
||||
#
|
||||
# CONFIG_I2C_MLXCPLD is not set
|
||||
# CONFIG_I2C_STUB is not set
|
||||
# CONFIG_I2C_SLAVE is not set
|
||||
# CONFIG_I2C_DEBUG_CORE is not set
|
||||
# CONFIG_I2C_DEBUG_ALGO is not set
|
||||
@ -3618,8 +3581,8 @@ CONFIG_XENFS=y
|
||||
CONFIG_XEN_COMPAT_XENFS=y
|
||||
CONFIG_XEN_SYS_HYPERVISOR=y
|
||||
CONFIG_XEN_XENBUS_FRONTEND=y
|
||||
CONFIG_XEN_GNTDEV=m
|
||||
CONFIG_XEN_GRANT_DEV_ALLOC=m
|
||||
CONFIG_XEN_GNTDEV=y
|
||||
CONFIG_XEN_GRANT_DEV_ALLOC=y
|
||||
CONFIG_SWIOTLB_XEN=y
|
||||
# CONFIG_XEN_PVCALLS_FRONTEND is not set
|
||||
CONFIG_XEN_PRIVCMD=y
|
||||
@ -3821,7 +3784,6 @@ CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
|
||||
#
|
||||
CONFIG_EFI_VARS=y
|
||||
CONFIG_EFI_ESRT=y
|
||||
CONFIG_EFI_RUNTIME_MAP=y
|
||||
# CONFIG_EFI_FAKE_MEMMAP is not set
|
||||
CONFIG_EFI_RUNTIME_WRAPPERS=y
|
||||
# CONFIG_EFI_BOOTLOADER_CONTROL is not set
|
||||
@ -3880,7 +3842,6 @@ CONFIG_QUOTA_TREE=y
|
||||
# CONFIG_QFMT_V1 is not set
|
||||
CONFIG_QFMT_V2=y
|
||||
CONFIG_QUOTACTL=y
|
||||
CONFIG_QUOTACTL_COMPAT=y
|
||||
CONFIG_AUTOFS4_FS=y
|
||||
CONFIG_AUTOFS_FS=y
|
||||
# CONFIG_FUSE_FS is not set
|
||||
@ -3918,7 +3879,7 @@ CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
|
||||
# Pseudo filesystems
|
||||
#
|
||||
CONFIG_PROC_FS=y
|
||||
CONFIG_PROC_KCORE=y
|
||||
# CONFIG_PROC_KCORE is not set
|
||||
CONFIG_PROC_VMCORE=y
|
||||
# CONFIG_PROC_VMCORE_DEVICE_DUMP is not set
|
||||
CONFIG_PROC_SYSCTL=y
|
||||
@ -4074,7 +4035,9 @@ CONFIG_DEBUG_KERNEL=y
|
||||
#
|
||||
# CONFIG_PAGE_EXTENSION is not set
|
||||
# CONFIG_DEBUG_PAGEALLOC is not set
|
||||
# CONFIG_PAGE_POISONING is not set
|
||||
CONFIG_PAGE_POISONING=y
|
||||
# CONFIG_PAGE_POISONING_NO_SANITY is not set
|
||||
# CONFIG_PAGE_POISONING_ZERO is not set
|
||||
# CONFIG_DEBUG_PAGE_REF is not set
|
||||
# CONFIG_DEBUG_RODATA_TEST is not set
|
||||
# CONFIG_DEBUG_OBJECTS is not set
|
||||
@ -4105,13 +4068,13 @@ CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
|
||||
# CONFIG_HARDLOCKUP_DETECTOR is not set
|
||||
# CONFIG_DETECT_HUNG_TASK is not set
|
||||
# CONFIG_WQ_WATCHDOG is not set
|
||||
# CONFIG_PANIC_ON_OOPS is not set
|
||||
CONFIG_PANIC_ON_OOPS_VALUE=0
|
||||
CONFIG_PANIC_TIMEOUT=0
|
||||
CONFIG_PANIC_ON_OOPS=y
|
||||
CONFIG_PANIC_ON_OOPS_VALUE=1
|
||||
CONFIG_PANIC_TIMEOUT=-1
|
||||
# CONFIG_SCHED_DEBUG is not set
|
||||
CONFIG_SCHED_INFO=y
|
||||
CONFIG_SCHEDSTATS=y
|
||||
# CONFIG_SCHED_STACK_END_CHECK is not set
|
||||
CONFIG_SCHED_STACK_END_CHECK=y
|
||||
# CONFIG_DEBUG_TIMEKEEPING is not set
|
||||
|
||||
#
|
||||
@ -4134,11 +4097,11 @@ CONFIG_STACKTRACE=y
|
||||
# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
|
||||
# CONFIG_DEBUG_KOBJECT is not set
|
||||
CONFIG_DEBUG_BUGVERBOSE=y
|
||||
# CONFIG_DEBUG_LIST is not set
|
||||
CONFIG_DEBUG_LIST=y
|
||||
# CONFIG_DEBUG_PI_LIST is not set
|
||||
# CONFIG_DEBUG_SG is not set
|
||||
# CONFIG_DEBUG_NOTIFIERS is not set
|
||||
# CONFIG_DEBUG_CREDENTIALS is not set
|
||||
CONFIG_DEBUG_SG=y
|
||||
CONFIG_DEBUG_NOTIFIERS=y
|
||||
CONFIG_DEBUG_CREDENTIALS=y
|
||||
|
||||
#
|
||||
# RCU Debugging
|
||||
@ -4152,7 +4115,6 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21
|
||||
# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
|
||||
# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
|
||||
# CONFIG_NOTIFIER_ERROR_INJECTION is not set
|
||||
CONFIG_FUNCTION_ERROR_INJECTION=y
|
||||
# CONFIG_FAULT_INJECTION is not set
|
||||
# CONFIG_LATENCYTOP is not set
|
||||
CONFIG_USER_STACKTRACE_SUPPORT=y
|
||||
@ -4182,10 +4144,8 @@ CONFIG_FTRACE=y
|
||||
# CONFIG_TRACER_SNAPSHOT is not set
|
||||
CONFIG_BRANCH_PROFILE_NONE=y
|
||||
# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
|
||||
# CONFIG_PROFILE_ALL_BRANCHES is not set
|
||||
# CONFIG_STACK_TRACER is not set
|
||||
CONFIG_BLK_DEV_IO_TRACE=y
|
||||
CONFIG_KPROBE_EVENTS=y
|
||||
CONFIG_UPROBE_EVENTS=y
|
||||
CONFIG_PROBE_EVENTS=y
|
||||
# CONFIG_FTRACE_STARTUP_TEST is not set
|
||||
@ -4201,11 +4161,9 @@ CONFIG_RUNTIME_TESTING_MENU=y
|
||||
# CONFIG_LKDTM is not set
|
||||
# CONFIG_TEST_LIST_SORT is not set
|
||||
# CONFIG_TEST_SORT is not set
|
||||
# CONFIG_KPROBES_SANITY_TEST is not set
|
||||
# CONFIG_BACKTRACE_SELF_TEST is not set
|
||||
# CONFIG_RBTREE_TEST is not set
|
||||
# CONFIG_INTERVAL_TREE_TEST is not set
|
||||
# CONFIG_PERCPU_TEST is not set
|
||||
# CONFIG_ATOMIC64_SELFTEST is not set
|
||||
# CONFIG_TEST_HEXDUMP is not set
|
||||
# CONFIG_TEST_STRING_HELPERS is not set
|
||||
@ -4216,37 +4174,31 @@ CONFIG_RUNTIME_TESTING_MENU=y
|
||||
# CONFIG_TEST_OVERFLOW is not set
|
||||
# CONFIG_TEST_RHASHTABLE is not set
|
||||
# CONFIG_TEST_HASH is not set
|
||||
# CONFIG_TEST_LKM is not set
|
||||
# CONFIG_TEST_USER_COPY is not set
|
||||
# CONFIG_TEST_BPF is not set
|
||||
# CONFIG_FIND_BIT_BENCHMARK is not set
|
||||
# CONFIG_TEST_FIRMWARE is not set
|
||||
# CONFIG_TEST_SYSCTL is not set
|
||||
# CONFIG_TEST_UDELAY is not set
|
||||
# CONFIG_TEST_STATIC_KEYS is not set
|
||||
# CONFIG_TEST_KMOD is not set
|
||||
# CONFIG_MEMTEST is not set
|
||||
# CONFIG_BUG_ON_DATA_CORRUPTION is not set
|
||||
CONFIG_BUG_ON_DATA_CORRUPTION=y
|
||||
# CONFIG_SAMPLES is not set
|
||||
CONFIG_HAVE_ARCH_KGDB=y
|
||||
# CONFIG_KGDB is not set
|
||||
CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
|
||||
# CONFIG_UBSAN is not set
|
||||
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
|
||||
# CONFIG_STRICT_DEVMEM is not set
|
||||
CONFIG_EARLY_PRINTK_USB=y
|
||||
CONFIG_X86_VERBOSE_BOOTUP=y
|
||||
CONFIG_EARLY_PRINTK=y
|
||||
CONFIG_EARLY_PRINTK_DBGP=y
|
||||
# CONFIG_EARLY_PRINTK_EFI is not set
|
||||
# CONFIG_EARLY_PRINTK_USB_XDBC is not set
|
||||
CONFIG_X86_PTDUMP_CORE=y
|
||||
# CONFIG_X86_PTDUMP is not set
|
||||
# CONFIG_EFI_PGT_DUMP is not set
|
||||
# CONFIG_DEBUG_WX is not set
|
||||
CONFIG_DEBUG_WX=y
|
||||
CONFIG_DOUBLEFAULT=y
|
||||
# CONFIG_DEBUG_TLBFLUSH is not set
|
||||
CONFIG_HAVE_MMIOTRACE_SUPPORT=y
|
||||
# CONFIG_X86_DECODER_SELFTEST is not set
|
||||
CONFIG_IO_DELAY_TYPE_0X80=0
|
||||
CONFIG_IO_DELAY_TYPE_0XED=1
|
||||
CONFIG_IO_DELAY_TYPE_UDELAY=2
|
||||
@ -4270,7 +4222,6 @@ CONFIG_UNWINDER_ORC=y
|
||||
# Security options
|
||||
#
|
||||
CONFIG_KEYS=y
|
||||
CONFIG_KEYS_COMPAT=y
|
||||
# CONFIG_PERSISTENT_KEYRINGS is not set
|
||||
# CONFIG_BIG_KEYS is not set
|
||||
# CONFIG_ENCRYPTED_KEYS is not set
|
||||
@ -4284,15 +4235,16 @@ CONFIG_SECURITY_NETWORK_XFRM=y
|
||||
# CONFIG_SECURITY_PATH is not set
|
||||
# CONFIG_INTEL_TXT is not set
|
||||
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
|
||||
# CONFIG_HARDENED_USERCOPY is not set
|
||||
# CONFIG_FORTIFY_SOURCE is not set
|
||||
CONFIG_HARDENED_USERCOPY=y
|
||||
CONFIG_HARDENED_USERCOPY_FALLBACK=y
|
||||
CONFIG_FORTIFY_SOURCE=y
|
||||
# CONFIG_STATIC_USERMODEHELPER is not set
|
||||
# CONFIG_SECURITY_SELINUX is not set
|
||||
# CONFIG_SECURITY_SMACK is not set
|
||||
# CONFIG_SECURITY_TOMOYO is not set
|
||||
# CONFIG_SECURITY_APPARMOR is not set
|
||||
# CONFIG_SECURITY_LOADPIN is not set
|
||||
# CONFIG_SECURITY_YAMA is not set
|
||||
CONFIG_SECURITY_YAMA=y
|
||||
CONFIG_INTEGRITY=y
|
||||
# CONFIG_INTEGRITY_SIGNATURE is not set
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
@ -4335,7 +4287,6 @@ CONFIG_CRYPTO_WORKQUEUE=y
|
||||
# CONFIG_CRYPTO_CRYPTD is not set
|
||||
# CONFIG_CRYPTO_MCRYPTD is not set
|
||||
CONFIG_CRYPTO_AUTHENC=y
|
||||
# CONFIG_CRYPTO_TEST is not set
|
||||
|
||||
#
|
||||
# Authenticated Encryption with Associated Data
|
||||
@ -4534,8 +4485,6 @@ CONFIG_LIBCRC32C=y
|
||||
# CONFIG_RANDOM32_SELFTEST is not set
|
||||
CONFIG_ZLIB_INFLATE=y
|
||||
CONFIG_ZLIB_DEFLATE=y
|
||||
CONFIG_LZO_COMPRESS=y
|
||||
CONFIG_LZO_DECOMPRESS=y
|
||||
CONFIG_XZ_DEC=y
|
||||
CONFIG_XZ_DEC_X86=y
|
||||
CONFIG_XZ_DEC_POWERPC=y
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user