--- config-4.8.15-hardened-r2-170106_05 2017-01-08 16:27:05.000000000 +0100
+++ config-4.8.15-hardened-r2-170108_18 2017-01-08 19:26:49.032663085 +0100
@@ -11,8 +11,8 @@
 CONFIG_LOCKDEP_SUPPORT=y
 CONFIG_STACKTRACE_SUPPORT=y
 CONFIG_MMU=y
-CONFIG_ARCH_MMAP_RND_BITS_MIN=27
-CONFIG_ARCH_MMAP_RND_BITS_MAX=27
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
 CONFIG_NEED_DMA_MAP_STATE=y
@@ -52,7 +52,7 @@
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
 # CONFIG_COMPILE_TEST is not set
-CONFIG_LOCALVERSION="-170106_05"
+CONFIG_LOCALVERSION="-170108_18"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y
@@ -142,6 +142,7 @@
 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
 CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
+CONFIG_ARCH_SUPPORTS_INT128=y
 # CONFIG_NUMA_BALANCING is not set
 CONFIG_CGROUPS=y
 CONFIG_PAGE_COUNTER=y
@@ -283,7 +284,7 @@
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
 CONFIG_HAVE_EXIT_THREAD=y
-CONFIG_ARCH_MMAP_RND_BITS=27
+CONFIG_ARCH_MMAP_RND_BITS=28
 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
 CONFIG_HAVE_COPY_THREAD_TLS=y
@@ -532,6 +533,7 @@
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
+# CONFIG_COMPAT_VDSO is not set
 CONFIG_LEGACY_VSYSCALL_EMULATE=y
 # CONFIG_LEGACY_VSYSCALL_NONE is not set
 # CONFIG_CMDLINE_BOOL is not set
@@ -3747,6 +3749,7 @@
 # Pseudo filesystems
 #
 CONFIG_PROC_FS=y
+# CONFIG_PROC_KCORE is not set
 CONFIG_PROC_SYSCTL=y
 # CONFIG_PROC_CHILDREN is not set
 CONFIG_KERNFS=y
@@ -3930,6 +3933,7 @@
 # Memory Debugging
 #
 # CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
 # CONFIG_PAGE_POISONING is not set
 # CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_SLUB_DEBUG_ON is not set
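Review bot: In the @@ -283,7 +284,7 @@ hunk the selected value `CONFIG_ARCH_MMAP_RND_BITS=28` sits at the new minimum, although the first hunk raises `CONFIG_ARCH_MMAP_RND_BITS_MAX` to 32. Since this same diff removes `CONFIG_PAX_RANDMMAP`, mainline mmap randomization is the only userland ASLR left, so I would set `CONFIG_ARCH_MMAP_RND_BITS=32` and, for 32-bit compat tasks, raise `CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8` to `16`. The same can be done at runtime through the `vm.mmap_rnd_bits` and `vm.mmap_rnd_compat_bits` sysctls if a rebuild is not wanted. Verify that software with fixed address-space assumptions still runs at the higher setting.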
@@ -3973,6 +3977,10 @@
 # CONFIG_DEBUG_RT_MUTEXES is not set
 # CONFIG_DEBUG_SPINLOCK is not set
 # CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
 # CONFIG_DEBUG_ATOMIC_SLEEP is not set
 # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
 # CONFIG_LOCK_TORTURE_TEST is not set
@@ -4001,6 +4009,7 @@
 # CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set
 # CONFIG_NOTIFIER_ERROR_INJECTION is not set
 # CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
 CONFIG_USER_STACKTRACE_SUPPORT=y
 CONFIG_HAVE_FUNCTION_TRACER=y
 CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
@@ -4104,8 +4113,7 @@
 #
 # Grsecurity
 #
-CONFIG_PAX_PER_CPU_PGD=y
-CONFIG_TASK_SIZE_MAX_SHIFT=42
+CONFIG_TASK_SIZE_MAX_SHIFT=47
 CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CONFIG_AUTO=y
 # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
@@ -4138,112 +4146,57 @@
 #
 # PaX
 #
-CONFIG_PAX=y
-
-#
-# PaX Control
-#
-# CONFIG_PAX_SOFTMODE is not set
-# CONFIG_PAX_PT_PAX_FLAGS is not set
-CONFIG_PAX_XATTR_PAX_FLAGS=y
-CONFIG_PAX_NO_ACL_FLAGS=y
-# CONFIG_PAX_HAVE_ACL_FLAGS is not set
-# CONFIG_PAX_HOOK_ACL_FLAGS is not set
-
-#
-# Non-executable pages
-#
-CONFIG_PAX_NOEXEC=y
-CONFIG_PAX_PAGEEXEC=y
-CONFIG_PAX_EMUTRAMP=y
-CONFIG_PAX_MPROTECT=y
-# CONFIG_PAX_MPROTECT_COMPAT is not set
-# CONFIG_PAX_ELFRELOCS is not set
-CONFIG_PAX_KERNEXEC=y
-CONFIG_PAX_KERNEXEC_PLUGIN=y
-# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
-CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
-# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
-
-#
-# Address Space Layout Randomization
-#
-CONFIG_PAX_ASLR=y
-CONFIG_PAX_RANDKSTACK=y
-CONFIG_PAX_RANDUSTACK=y
-CONFIG_PAX_RANDMMAP=y
+# CONFIG_PAX is not set

 #
 # Miscellaneous hardening features
 #
-CONFIG_PAX_MEMORY_SANITIZE=y
-CONFIG_PAX_MEMORY_STACKLEAK=y
-CONFIG_PAX_MEMORY_STRUCTLEAK=y
+# CONFIG_PAX_MEMORY_SANITIZE is not set
+# CONFIG_PAX_MEMORY_STACKLEAK is not set
+# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
 # CONFIG_PAX_MEMORY_UDEREF is not set
-CONFIG_PAX_REFCOUNT=y
+# CONFIG_PAX_REFCOUNT is not set
 CONFIG_PAX_USERCOPY=y
-CONFIG_PAX_CONSTIFY_PLUGIN=y
 # CONFIG_PAX_USERCOPY_DEBUG is not set
-CONFIG_PAX_SIZE_OVERFLOW=y
-CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
+# CONFIG_PAX_SIZE_OVERFLOW is not set
 # CONFIG_PAX_INITIFY is not set
 CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
-CONFIG_PAX_LATENT_ENTROPY=y
-CONFIG_PAX_RAP=y
+# CONFIG_PAX_LATENT_ENTROPY is not set
+# CONFIG_PAX_RAP is not set

 #
 # Memory Protections
 #
 # CONFIG_GRKERNSEC_KMEM is not set
 # CONFIG_GRKERNSEC_IO is not set
-CONFIG_GRKERNSEC_BPF_HARDEN=y
-CONFIG_GRKERNSEC_PERF_HARDEN=y
-# CONFIG_GRKERNSEC_RAND_THREADSTACK is not set
-CONFIG_GRKERNSEC_PROC_MEMMAP=y
-CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
-CONFIG_GRKERNSEC_BRUTE=y
-CONFIG_GRKERNSEC_MODHARDEN=y
-CONFIG_GRKERNSEC_HIDESYM=y
-CONFIG_GRKERNSEC_RANDSTRUCT=y
-CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GRKERNSEC_KERN_LOCKOUT=y
+# CONFIG_GRKERNSEC_BPF_HARDEN is not set
+# CONFIG_GRKERNSEC_PERF_HARDEN is not set
+# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
+# CONFIG_GRKERNSEC_BRUTE is not set
+# CONFIG_GRKERNSEC_MODHARDEN is not set
+# CONFIG_GRKERNSEC_HIDESYM is not set
+# CONFIG_GRKERNSEC_RANDSTRUCT is not set
+# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set

 #
 # Role Based Access Control Options
 #
 # CONFIG_GRKERNSEC_NO_RBAC is not set
-CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
 CONFIG_GRKERNSEC_ACL_MAXTRIES=3
 CONFIG_GRKERNSEC_ACL_TIMEOUT=30

 #
 # Filesystem Protections
 #
-CONFIG_GRKERNSEC_PROC=y
-CONFIG_GRKERNSEC_PROC_USER=y
-CONFIG_GRKERNSEC_PROC_ADD=y
-CONFIG_GRKERNSEC_LINK=y
-CONFIG_GRKERNSEC_SYMLINKOWN=y
-CONFIG_GRKERNSEC_FIFO=y
-CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
+# CONFIG_GRKERNSEC_PROC is not set
+# CONFIG_GRKERNSEC_LINK is not set
+# CONFIG_GRKERNSEC_SYMLINKOWN is not set
+# CONFIG_GRKERNSEC_FIFO is not set
+# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
 # CONFIG_GRKERNSEC_ROFS is not set
-CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
-CONFIG_GRKERNSEC_CHROOT=y
-CONFIG_GRKERNSEC_CHROOT_MOUNT=y
-CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
-CONFIG_GRKERNSEC_CHROOT_PIVOT=y
-CONFIG_GRKERNSEC_CHROOT_CHDIR=y
-CONFIG_GRKERNSEC_CHROOT_CHMOD=y
-CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
-CONFIG_GRKERNSEC_CHROOT_MKNOD=y
-CONFIG_GRKERNSEC_CHROOT_SHMAT=y
-CONFIG_GRKERNSEC_CHROOT_UNIX=y
-CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
-CONFIG_GRKERNSEC_CHROOT_NICE=y
-CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
-CONFIG_GRKERNSEC_CHROOT_RENAME=y
-CONFIG_GRKERNSEC_CHROOT_CAPS=y
-# CONFIG_GRKERNSEC_CHROOT_INITRD is not set
+# CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL is not set
+# CONFIG_GRKERNSEC_CHROOT is not set

 #
 # Kernel Auditing
@@ -4259,7 +4212,6 @@
 CONFIG_GRKERNSEC_FORKFAIL=y
 CONFIG_GRKERNSEC_TIME=y
 CONFIG_GRKERNSEC_PROC_IPADDR=y
-CONFIG_GRKERNSEC_RWXMAP_LOG=y

 #
 # Executable Protections
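Review bot: `# CONFIG_PAX is not set` in the @@ -4138,112 +4146,57 @@ hunk removes every PaX userland and kernel protection at once (NOEXEC/MPROTECT, KERNEXEC, ASLR, REFCOUNT, SIZE_OVERFLOW, RAP, STACKLEAK). The same hunk also turns off the grsecurity /proc, link, chroot, MODHARDEN and HIDESYM restrictions, while `CONFIG_GRKERNSEC=y` and the "hardened" file name stay as they were. Nothing on the page says why; if this build exists to track down an incompatibility with one feature, keep `CONFIG_PAX=y` and unset only that feature so the rest of the protection stays in place. If the broad disable is intentional, a header comment in the config stating that it is a diagnostic build and not meant for production would keep it from being deployed as the hardened kernel. Only `CONFIG_PAX_USERCOPY=y` survives on the new side, so a host booted with this config should be treated as unhardened.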