From 693de237f790f2c8d0a468dcafc2727fac69bd36 Mon Sep 17 00:00:00 2001 From: André Fabian Silva Delgado Date: Wed, 10 Sep 2014 00:19:18 -0300 Subject: linux-libre-lts-grsec-3.14.18_gnu.201409082127-2: add changes from linux-libre-grsec * enable CONFIG_PAX_CONSTIFY_PLUGIN for i686 * add missing module (CONFIG_CX_ECAT) * enable CONFIG_RANDOMIZE_BASE * enable CONFIG_PAX_MEMORY_SANITIZE * use the higher upstream value for CONFIG_DEFAULT_MMAP_MIN_ADDR * increase CONFIG_PAX_KERNEXEC_MODULE_TEXT to 12M for the i686 kernel * enable CONFIG_PAX_MEMORY_UDEREF for the x86_64 kernel + add warning * enable CONFIG_USER_NS * regenerate config * rely on grsecurity to disable unprivileged user namespaces * enable KERNEXEC on x86_64 --- kernels/linux-libre-lts-grsec/config.x86_64 | 82 ++++++++--------------------- 1 file changed, 23 insertions(+), 59 deletions(-) (limited to 'kernels/linux-libre-lts-grsec/config.x86_64') diff --git a/kernels/linux-libre-lts-grsec/config.x86_64 b/kernels/linux-libre-lts-grsec/config.x86_64 index df9686d9e..64a078a52 100644 --- a/kernels/linux-libre-lts-grsec/config.x86_64 +++ b/kernels/linux-libre-lts-grsec/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.18-gnu-201409082127-1-lts-grsec Kernel Configuration +# Linux/x86 3.14.18-gnu-201409082127-2-lts-grsec Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -163,7 +163,7 @@ CONFIG_BLK_CGROUP=y CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y -# CONFIG_USER_NS is not set +CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_SCHED_AUTOGROUP=y @@ -337,6 +337,7 @@ CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y CONFIG_ASN1=m CONFIG_UNINLINE_SPIN_UNLOCK=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y CONFIG_MUTEX_SPIN_ON_OWNER=y CONFIG_FREEZER=y 
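Review bot: `CONFIG_USER_NS=y` in the -163,7 hunk is only as safe as the out-of-tree restriction the description relies on ("rely on grsecurity to disable unprivileged user namespaces"), and nothing in this config records that dependency. No `CONFIG_GRKERNSEC_*` symbol in this diff gates user namespace creation, so the protection presumably lives unconditionally in the grsecurity patch and would disappear silently if the config were reused with another patch set or the patch changed behaviour. Because the file is regenerated and cannot keep a comment, I would record it next to the config source in the package build script, e.g. `# CONFIG_USER_NS=y is acceptable only because grsecurity restricts user namespace creation to privileged users`. A post-build check that an unprivileged `unshare -U` fails on the packaged kernel would catch a regression.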
@@ -355,14 +356,7 @@ CONFIG_HYPERVISOR_GUEST=y CONFIG_PARAVIRT=y # CONFIG_PARAVIRT_DEBUG is not set # CONFIG_PARAVIRT_SPINLOCKS is not set -CONFIG_XEN=y -CONFIG_XEN_DOM0=y -CONFIG_XEN_PRIVILEGED_GUEST=y -CONFIG_XEN_PVHVM=y -CONFIG_XEN_MAX_DOMAIN_MEMORY=500 -CONFIG_XEN_SAVE_RESTORE=y -# CONFIG_XEN_DEBUG_FS is not set -CONFIG_XEN_PVH=y +# CONFIG_XEN is not set CONFIG_KVM_GUEST=y # CONFIG_KVM_DEBUG_FS is not set CONFIG_PARAVIRT_TIME_ACCOUNTING=y @@ -409,6 +403,8 @@ CONFIG_X86_MCE_AMD=y CONFIG_X86_MCE_THRESHOLD=y # CONFIG_X86_MCE_INJECT is not set CONFIG_X86_THERMAL_VECTOR=y +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y CONFIG_I8K=m CONFIG_MICROCODE=m # CONFIG_MICROCODE_INTEL is not set @@ -455,13 +451,14 @@ CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y +CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y CONFIG_PHYS_ADDR_T_64BIT=y CONFIG_ZONE_DMA_FLAG=1 CONFIG_BOUNCE=y CONFIG_VIRT_TO_BUS=y CONFIG_MMU_NOTIFIER=y CONFIG_KSM=y -CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y CONFIG_MEMORY_FAILURE=y CONFIG_TRANSPARENT_HUGEPAGE=y @@ -498,7 +495,9 @@ CONFIG_SCHED_HRTICK=y # CONFIG_CRASH_DUMP is not set CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000 +CONFIG_X86_NEED_RELOCS=y CONFIG_PHYSICAL_ALIGN=0x1000000 CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set @@ -513,7 +512,6 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND=y CONFIG_SUSPEND_FREEZER=y -CONFIG_HIBERNATE_CALLBACKS=y CONFIG_PM_SLEEP=y CONFIG_PM_SLEEP_SMP=y CONFIG_PM_AUTOSLEEP=y @@ -624,7 +622,6 @@ CONFIG_I7300_IDLE=m CONFIG_PCI=y CONFIG_PCI_DIRECT=y CONFIG_PCI_MMCONFIG=y -CONFIG_PCI_XEN=y CONFIG_PCI_DOMAINS=y CONFIG_PCIEPORTBUS=y CONFIG_HOTPLUG_PCI_PCIE=y 
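Review bot: The -355,14 hunk turns `CONFIG_XEN` off entirely, and the later hunks drop every Xen frontend, backend and dom0 symbol with it, but the description does not list this among its changes. It is presumably a side effect of enabling KERNEXEC/UDEREF on x86_64 rather than a separate decision, yet anyone running this package as a Xen dom0 or PV guest would likely get a kernel that no longer works in that role after the update. I would add a line such as `* disable Xen support (dropped when enabling KERNEXEC/UDEREF)` to the description and repeat it in the UDEREF warning the description mentions.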
@@ -641,7 +638,6 @@ CONFIG_PCI_MSI=y # CONFIG_PCI_DEBUG is not set CONFIG_PCI_REALLOC_ENABLE_AUTO=y CONFIG_PCI_STUB=m -CONFIG_XEN_PCIDEV_FRONTEND=m CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y CONFIG_PCI_IOV=y @@ -1462,7 +1458,7 @@ CONFIG_EXTRA_FIRMWARE="" CONFIG_FW_LOADER_USER_HELPER=y # CONFIG_DEBUG_DRIVER is not set # CONFIG_DEBUG_DEVRES is not set -CONFIG_SYS_HYPERVISOR=y +# CONFIG_SYS_HYPERVISOR is not set # CONFIG_GENERIC_CPU_DEVICES is not set CONFIG_REGMAP=y CONFIG_REGMAP_I2C=m @@ -1599,8 +1595,8 @@ CONFIG_MTD_UBI_WL_THRESHOLD=4096 CONFIG_MTD_UBI_BEB_LIMIT=20 # CONFIG_MTD_UBI_FASTMAP is not set # CONFIG_MTD_UBI_GLUEBI is not set -CONFIG_PARPORT=m CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +CONFIG_PARPORT=m CONFIG_PARPORT_PC=m CONFIG_PARPORT_SERIAL=m # CONFIG_PARPORT_PC_FIFO is not set @@ -1647,8 +1643,6 @@ CONFIG_CDROM_PKTCDVD=m CONFIG_CDROM_PKTCDVD_BUFFERS=8 # CONFIG_CDROM_PKTCDVD_WCACHE is not set CONFIG_ATA_OVER_ETH=m -CONFIG_XEN_BLKDEV_FRONTEND=m -CONFIG_XEN_BLKDEV_BACKEND=m CONFIG_VIRTIO_BLK=m # CONFIG_BLK_DEV_HD is not set CONFIG_BLK_DEV_RBD=m @@ -2191,6 +2185,7 @@ CONFIG_CHELSIO_T4=m CONFIG_CHELSIO_T4VF=m CONFIG_NET_VENDOR_CISCO=y CONFIG_ENIC=m +CONFIG_CX_ECAT=m CONFIG_DNET=m CONFIG_NET_VENDOR_DEC=y CONFIG_NET_TULIP=y @@ -2642,8 +2637,6 @@ CONFIG_IEEE802154_FAKEHARD=m CONFIG_IEEE802154_FAKELB=m CONFIG_IEEE802154_AT86RF230=m # CONFIG_IEEE802154_MRF24J40 is not set -CONFIG_XEN_NETDEV_FRONTEND=m -CONFIG_XEN_NETDEV_BACKEND=m CONFIG_VMXNET3=m CONFIG_HYPERV_NET=m CONFIG_ISDN=y @@ -2983,7 +2976,6 @@ CONFIG_INPUT_ADXL34X_SPI=m # CONFIG_INPUT_IMS_PCU is not set CONFIG_INPUT_CMA3000=m CONFIG_INPUT_CMA3000_I2C=m -CONFIG_INPUT_XEN_KBDDEV_FRONTEND=m CONFIG_INPUT_IDEAPAD_SLIDEBAR=m # @@ -3080,9 +3072,6 @@ CONFIG_PRINTER=m # CONFIG_LP_CONSOLE is not set CONFIG_PPDEV=m CONFIG_HVC_DRIVER=y -CONFIG_HVC_IRQ=y -CONFIG_HVC_XEN=y -CONFIG_HVC_XEN_FRONTEND=y CONFIG_VIRTIO_CONSOLE=m CONFIG_IPMI_HANDLER=m # CONFIG_IPMI_PANIC_EVENT is not set 
@@ -3126,7 +3115,6 @@ CONFIG_TCG_NSC=m CONFIG_TCG_ATMEL=m CONFIG_TCG_INFINEON=m CONFIG_TCG_ST33_I2C=m -CONFIG_TCG_XEN=m CONFIG_TELCLOCK=m CONFIG_I2C=m CONFIG_I2C_BOARDINFO=y @@ -3569,7 +3557,6 @@ CONFIG_W83977F_WDT=m CONFIG_MACHZ_WDT=m CONFIG_SBC_EPX_C3_WATCHDOG=m CONFIG_MEN_A21_WDT=m -CONFIG_XEN_WDT=m # # PCI-based Watchdog Cards @@ -4384,7 +4371,6 @@ CONFIG_FB_VT8623=m CONFIG_FB_UDL=m # CONFIG_FB_GOLDFISH is not set CONFIG_FB_VIRTUAL=m -CONFIG_XEN_FBDEV_FRONTEND=m # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set # CONFIG_FB_BROADSHEET is not set @@ -5277,29 +5263,6 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y CONFIG_HYPERV=m CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=m - -# -# Xen driver support -# -CONFIG_XEN_BALLOON=y -# CONFIG_XEN_SELFBALLOONING is not set -CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y -CONFIG_XEN_SCRUB_PAGES=y -CONFIG_XEN_DEV_EVTCHN=m -CONFIG_XEN_BACKEND=y -CONFIG_XENFS=m -CONFIG_XEN_COMPAT_XENFS=y -CONFIG_XEN_SYS_HYPERVISOR=y -CONFIG_XEN_XENBUS_FRONTEND=y -CONFIG_XEN_GNTDEV=m -CONFIG_XEN_GRANT_DEV_ALLOC=m -CONFIG_SWIOTLB_XEN=y -CONFIG_XEN_TMEM=m -CONFIG_XEN_PCIDEV_BACKEND=m -CONFIG_XEN_PRIVCMD=m -CONFIG_XEN_ACPI_PROCESSOR=m -# CONFIG_XEN_MCE_LOG is not set -CONFIG_XEN_HAVE_PVMMU=y CONFIG_STAGING=y CONFIG_ET131X=m CONFIG_SLICOSS=m @@ -6040,10 +6003,6 @@ CONFIG_TIMER_STATS=y # CONFIG_RT_MUTEX_TESTER is not set # CONFIG_DEBUG_SPINLOCK is not set # CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_LOCK_STAT is not set # CONFIG_DEBUG_ATOMIC_SLEEP is not set # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set CONFIG_STACKTRACE=y @@ -6172,7 +6131,9 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0 # # Grsecurity # -CONFIG_TASK_SIZE_MAX_SHIFT=47 +CONFIG_PAX_KERNEXEC_PLUGIN=y +CONFIG_PAX_PER_CPU_PGD=y +CONFIG_TASK_SIZE_MAX_SHIFT=42 CONFIG_PAX_USERCOPY_SLABS=y CONFIG_GRKERNSEC=y # CONFIG_GRKERNSEC_CONFIG_AUTO is not set 
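Review bot: In the -6172,7 hunk `CONFIG_TASK_SIZE_MAX_SHIFT` drops from 47 to 42 alongside the new `CONFIG_PAX_PER_CPU_PGD=y`, which the description does not mention. If this symbol bounds the userland address space as its name suggests, each process goes from 2^47 to 2^42 bytes of virtual address space, so programs that reserve very large mappings can start failing. This looks like an automatic consequence of UDEREF rather than a choice, so it cannot be changed here, but it belongs in the description and in the UDEREF warning, e.g. `* userland address space is reduced to 42 bits by PAX_PER_CPU_PGD`.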
@@ -6209,7 +6170,9 @@ CONFIG_PAX_EMUTRAMP=y CONFIG_PAX_MPROTECT=y # CONFIG_PAX_MPROTECT_COMPAT is not set # CONFIG_PAX_ELFRELOCS is not set -CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" +CONFIG_PAX_KERNEXEC=y +CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y +CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts" # # Address Space Layout Randomization @@ -6222,10 +6185,12 @@ CONFIG_PAX_RANDMMAP=y # # Miscellaneous hardening features # -# CONFIG_PAX_MEMORY_SANITIZE is not set +CONFIG_PAX_MEMORY_SANITIZE=y CONFIG_PAX_MEMORY_STACKLEAK=y CONFIG_PAX_MEMORY_STRUCTLEAK=y +CONFIG_PAX_MEMORY_UDEREF=y CONFIG_PAX_REFCOUNT=y +CONFIG_PAX_CONSTIFY_PLUGIN=y CONFIG_PAX_USERCOPY=y # CONFIG_PAX_USERCOPY_DEBUG is not set CONFIG_PAX_SIZE_OVERFLOW=y @@ -6314,7 +6279,6 @@ CONFIG_GRKERNSEC_TPE_GID=200 # # Network Protections # -CONFIG_GRKERNSEC_RANDNET=y CONFIG_GRKERNSEC_BLACKHOLE=y CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y CONFIG_GRKERNSEC_SOCKET=y -- cgit v1.2.3
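Review bot: The last hunk (-6314,7) removes `CONFIG_GRKERNSEC_RANDNET=y` from the Network Protections section; the description does not mention it and, unlike the other removals, it is a hardening option rather than a Xen leftover. If the symbol no longer exists in the grsecurity patch this config was regenerated against, the removal is expected and deserves one line in the description, e.g. `* CONFIG_GRKERNSEC_RANDNET dropped by upstream grsecurity`. If it still exists, the regeneration switched it off and it should be restored as `CONFIG_GRKERNSEC_RANDNET=y`. The diff alone does not show which case applies.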