Gentoo's Bugzilla – Attachment 721257 Details for Bug 798315: gentoo distro-patch Kconfig is faulty for 5.10.44, 5.10.45 and 5.10.46
distro/Kconfig
Kconfig (text/plain), 7.00 KB, created by Mike Pagano on 2021-07-03 13:50:33 UTC
menu "Gentoo Linux"

config GENTOO_LINUX
	bool "Gentoo Linux support"

	default y

	help
	  In order to boot Gentoo Linux a minimal set of config settings needs to
	  be enabled in the kernel; to avoid the users from having to enable them
	  manually as part of a Gentoo Linux installation or a new clean config,
	  we enable these config settings by default for convenience.

	  See the settings that become available for more details and fine-tuning.

config GENTOO_LINUX_UDEV
	bool "Linux dynamic and persistent device naming (userspace devfs) support"

	depends on GENTOO_LINUX
	default y if GENTOO_LINUX

	select DEVTMPFS
	select TMPFS
	select UNIX

	select MMU
	select SHMEM

	help
	  In order to boot Gentoo Linux a minimal set of config settings needs to
	  be enabled in the kernel; to avoid the users from having to enable them
	  manually as part of a Gentoo Linux installation or a new clean config,
	  we enable these config settings by default for convenience.

	  Currently this only selects TMPFS, DEVTMPFS and their dependencies.
	  TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
	  /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.

	  Some of these are critical files that need to be available early in the
	  boot process; if not available, it causes sysfs and udev to malfunction.

	  To ensure Gentoo Linux boots, it is best to leave this setting enabled;
	  if you run a custom setup, you could consider whether to disable this.

config GENTOO_LINUX_PORTAGE
	bool "Select options required by Portage features"

	depends on GENTOO_LINUX
	default y if GENTOO_LINUX

	select CGROUPS
	select NAMESPACES
	select IPC_NS
	select NET_NS
	select PID_NS
	select SYSVIPC
	select UTS_NS

	help
	  This enables options required by various Portage FEATURES.
	  Currently this selects:

	  CGROUPS (required for FEATURES=cgroup)
	  IPC_NS (required for FEATURES=ipc-sandbox)
	  NET_NS (required for FEATURES=network-sandbox)
	  PID_NS (required for FEATURES=pid-sandbox)
	  SYSVIPC (required by IPC_NS)


	  It is highly recommended that you leave this enabled as these FEATURES
	  are, or will soon be, enabled by default.

menu "Support for init systems, system and service managers"
	visible if GENTOO_LINUX

config GENTOO_LINUX_INIT_SCRIPT
	bool "OpenRC, runit and other script based systems and managers"

	default y if GENTOO_LINUX

	depends on GENTOO_LINUX

	select BINFMT_SCRIPT
	select CGROUPS
	select EPOLL
	select FILE_LOCKING
	select INOTIFY_USER
	select SIGNALFD
	select TIMERFD

	help
	  The init system is the first thing that loads after the kernel booted.

	  These config settings allow you to select which init systems to support;
	  instead of having to select all the individual settings all over the
	  place, these settings allows you to select all the settings at once.

	  This particular setting enables all the known requirements for OpenRC,
	  runit and similar script based systems and managers.

	  If you are unsure about this, it is best to leave this setting enabled.

config GENTOO_LINUX_INIT_SYSTEMD
	bool "systemd"

	default n

	depends on GENTOO_LINUX && GENTOO_LINUX_UDEV

	select AUTOFS4_FS
	select BLK_DEV_BSG
	select BPF_SYSCALL
	select CGROUP_BPF
	select CGROUPS
	select CHECKPOINT_RESTORE
	select CRYPTO_HMAC
	select CRYPTO_SHA256
	select CRYPTO_USER_API_HASH
	select DEVPTS_MULTIPLE_INSTANCES
	select DMIID if X86_32 || X86_64 || X86
	select EPOLL
	select FANOTIFY
	select FHANDLE
	select FILE_LOCKING
	select INOTIFY_USER
	select IPV6
	select NET
	select NET_NS
	select PROC_FS
	select SECCOMP
	select SECCOMP_FILTER
	select SIGNALFD
	select SYSFS
	select TIMERFD
	select TMPFS_POSIX_ACL
	select TMPFS_XATTR
	select USER_NS

	select ANON_INODES
	select BLOCK
	select EVENTFD
	select FSNOTIFY
	select INET
	select NLATTR

	help
	  The init system is the first thing that loads after the kernel booted.

	  These config settings allow you to select which init systems to support;
	  instead of having to select all the individual settings all over the
	  place, these settings allows you to select all the settings at once.

	  This particular setting enables all the known requirements for systemd;
	  it also enables suggested optional settings, as the package suggests to.

endmenu

menu "Enable Kernel Self Protection Project Recommendations"
	visible if GENTOO_LINUX

config GENTOO_KERNEL_SELF_PROTECTION
	bool "Architecture Independant Kernel Self Protection Project Recommendations"

	depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL

	select BUG
	select STRICT_KERNEL_RWX
	select DEBUG_WX
	select STACKPROTECTOR
	select STACKPROTECTOR_STRONG
	select STRICT_DEVMEM if DEVMEM=y
	select IO_STRICT_DEVMEM if DEVMEM=y
	select SYN_COOKIES
	select DEBUG_CREDENTIALS
	select DEBUG_NOTIFIERS
	select DEBUG_LIST
	select DEBUG_SG
	select BUG_ON_DATA_CORRUPTION
	select SCHED_STACK_END_CHECK
	select SECCOMP
	select SECCOMP_FILTER
	select SECURITY_YAMA
	select SLAB_FREELIST_RANDOM
	select SLAB_FREELIST_HARDENED
	select SHUFFLE_PAGE_ALLOCATOR
	select SLUB_DEBUG
	select PAGE_POISONING
	select PAGE_POISONING_NO_SANITY
	select PAGE_POISONING_ZERO
	select INIT_ON_ALLOC_DEFAULT_ON
	select INIT_ON_FREE_DEFAULT_ON
	select VMAP_STACK
	select REFCOUNT_FULL
	select FORTIFY_SOURCE
	select SECURITY_DMESG_RESTRICT
	select PANIC_ON_OOPS
	select CONFIG_GCC_PLUGINS
	select GCC_PLUGIN_LATENT_ENTROPY
	select GCC_PLUGIN_STRUCTLEAK
	select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
	select GCC_PLUGIN_STACKLEAK
	select GCC_PLUGIN_RANDSTRUCT
	select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE

	help
	  Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
	  See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
	  Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
	  to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for
	  dependency information on your specific architecture.
	  Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
	  for X86_64

menu "Architecture Specific Self Protection Project Recommendations"

config GENTOO_KERNEL_SELF_PROTECTION_X86_64
	bool "X86_64 KSPP Settings"

	depends on !X86_MSR && X86_64
	default n

	select RANDOMIZE_BASE
	select RANDOMIZE_MEMORY
	select LEGACY_VSYSCALL_NONE
	select PAGE_TABLE_ISOLATION


config GENTOO_KERNEL_SELF_PROTECTION_ARM64
	bool "ARM64 KSPP Settings"

	depends on ARM64
	default n

	select RANDOMIZE_BASE
	select ARM64_SW_TTBR0_PAN
	select CONFIG_UNMAP_KERNEL_AT_EL0

config GENTOO_KERNEL_SELF_PROTECTION_ARM
	bool "ARM KSPP Settings"

	depends on !OABI_COMPAT && ARM
	default n

	select VMSPLIT_3G
	select STRICT_MEMORY_RWX
	select CPU_SW_DOMAIN_PAN

config GENTOO_KERNEL_SELF_PROTECTION_X86_32
	bool "X86_32 KSPP Settings"

	depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
	default n

	select HIGHMEM64G
	select X86_PAE
	select RANDOMIZE_BASE
	select PAGE_TABLE_ISOLATION

endmenu

endmenu

endmenu
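Added example, not part of the attachment or of Gentoo's tooling: Kconfig symbols are written without the `CONFIG_` prefix, and a `select` that names a symbol the kernel tree does not define has no effect, so enabling a hardening entry does not by itself prove that every listed option reached the build. The Python below compares the select lists with a built `.config`; the Kconfig excerpt, the `.config` sample and all function names are constructed for illustration.

```python
import re

# Constructed excerpt of the select lists in the attachment above.
KCONFIG = """\
config GENTOO_KERNEL_SELF_PROTECTION
    select STRICT_KERNEL_RWX
    select STRICT_DEVMEM if DEVMEM=y
    select REFCOUNT_FULL
    select CONFIG_GCC_PLUGINS

config GENTOO_KERNEL_SELF_PROTECTION_ARM64
    select RANDOMIZE_BASE
    select CONFIG_UNMAP_KERNEL_AT_EL0
"""

# Constructed .config sample (not taken from the bug report).
DOTCONFIG = """\
CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_GCC_PLUGINS is not set
# CONFIG_GENTOO_KERNEL_SELF_PROTECTION_ARM64 is not set
"""

def parse_selects(kconfig):
    """Map each config symbol to its (selected symbol, 'if' condition) pairs."""
    selects, current = {}, []  # selects seen before any 'config' are discarded
    for line in kconfig.splitlines():
        if m := re.match(r"config\s+(\w+)", line):
            current = selects.setdefault(m.group(1), [])
        elif m := re.match(r"\s+select\s+(\w+)(?:\s+if\s+(.+))?", line):
            current.append((m.group(1), m.group(2)))
    return selects

def enabled(dotconfig):
    """Symbols set to y; '# CONFIG_X is not set' lines never match."""
    return set(re.findall(r"^CONFIG_(\w+)=y$", dotconfig, re.M))

def audit(kconfig, dotconfig):
    """For each enabled option, report selects that did not reach .config."""
    on, report = enabled(dotconfig), {}
    for option, pairs in parse_selects(kconfig).items():
        if option in on:  # an option that is off never applied its selects
            bad = [s for s, _ in pairs if s.startswith("CONFIG_")]
            report[option] = {
                "bad_prefix": bad,  # Kconfig symbols carry no CONFIG_ prefix
                "missing": [s for s, c in pairs
                            if not c and s not in on and s not in bad],
                "conditional": [s for s, c in pairs if c],  # review by hand
            }
    return report
```

Conditional selects are listed rather than evaluated, because their `if` expressions depend on other symbols in the same `.config`.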