diff options
Diffstat (limited to 'core')
| -rw-r--r-- | core/conf/sysctl.conf | 67 | ||||
| -rw-r--r-- | core/configure.html | 7 | ||||
| -rw-r--r-- | core/grsecurity.html | 247 | ||||
| -rw-r--r-- | core/hardening.html | 15 | ||||
| -rw-r--r-- | core/index.html | 10 | ||||
| -rw-r--r-- | core/linux.html | 238 | ||||
| -rw-r--r-- | core/ports/linux-blob/.footprint | 95 | ||||
| -rw-r--r-- | core/ports/linux-blob/.md5sum | 10 | ||||
| -rw-r--r-- | core/ports/linux-blob/Pkgfile | 17 | ||||
| -rw-r--r-- | core/ports/linux-blob/config-c9 | 444 | ||||
| -rw-r--r-- | core/ports/linux-blob/port-blob-grsecurity.patch | 8 | ||||
| -rw-r--r-- | core/ports/linux-blob/port-blob-make.patch | 2 | ||||
| -rw-r--r-- | core/ports/linux-libre/.footprint | 95 | ||||
| -rw-r--r-- | core/ports/linux-libre/.md5sum | 10 | ||||
| -rw-r--r-- | core/ports/linux-libre/Pkgfile | 15 | ||||
| -rw-r--r-- | core/ports/linux-libre/config-c9 | 444 | ||||
| -rw-r--r-- | core/ports/linux-libre/port-libre-grsecurity.patch | 4 | ||||
| -rw-r--r-- | core/ports/linux-libre/port-libre-make.patch | 2 | ||||
| -rw-r--r-- | core/reboot.html | 11 | ||||
| -rw-r--r-- | core/samhain.html | 265 | ||||
| -rw-r--r-- | core/sysctl.html | 35 | ||||
| -rw-r--r-- | core/toolchain.html | 4 |
22 files changed, 1445 insertions, 600 deletions
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index d17c0c6..b0972e2 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -20,14 +20,14 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -kernel.grsecurity.disable_priv_io = 0 +kernel.grsecurity.disable_priv_io = 1 # If you say Y here, attempts to bruteforce exploits against forking # daemons such as apache or sshd, as well as against suid/sgid binaries @@ -39,7 +39,7 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. @@ -61,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 0 +kernel.grsecurity.linking_restrictions = 1 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -75,15 +75,15 @@ kernel.grsecurity.linking_restrictions = 0 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -kernel.grsecurity.enforce_symlinksifowner = 0 -#kernel.grsecurity.symlinkown_gid = 33 +kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.symlinkown_gid = 15 # if you say Y here, users will not be able to write to FIFOs they don't # own in world-writable +t directories (e.g. /tmp), unless the owner of # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -kernel.grsecurity.fifo_restrictions = 0 +kernel.grsecurity.fifo_restrictions = 1 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -99,7 +99,7 @@ kernel.grsecurity.fifo_restrictions = 0 # and GRKERNSEC_IO should be enabled and module loading disabled via # config or at runtime. # This feature is mainly intended for secure embedded systems. -#kernel.grsecurity.romount_protect = 0 +#kernel.grsecurity.romount_protect = 1 # if you say Y here, the capabilities on all processes within a # chroot jail will be lowered to stop module insertion, raw i/o, @@ -122,8 +122,8 @@ kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. kernel.grsecurity.chroot_deny_chroot = 1 @@ -185,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1 # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# +# # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. @@ -215,14 +215,14 @@ kernel.grsecurity.chroot_restrict_nice = 1 # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -kernel.grsecurity.audit_group = 0 +kernel.grsecurity.audit_group = 1 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -#kernel.grsecurity.audit_gid = 201 +kernel.grsecurity.audit_gid = 99 # If you say Y here, all execve() calls will be logged (since the # other exec*() calls are frontends to execve(), all execution @@ -231,7 +231,7 @@ kernel.grsecurity.audit_group = 0 # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. -kernel.grsecurity.exec_logging = 0 +kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current @@ -245,12 +245,12 @@ kernel.grsecurity.resource_logging = 1 # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 +kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -kernel.grsecurity.audit_ptrace = 1 +#kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -273,7 +273,6 @@ kernel.grsecurity.signal_logging = 1 # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. -#kernel.grsecurity.forkfail_logging = 1 kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. @@ -285,7 +284,7 @@ kernel.grsecurity.timechange_logging = 1 # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. kernel.grsecurity.rwxmap_logging = 1 @@ -305,14 +304,14 @@ kernel.grsecurity.rwxmap_logging = 1 kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms -#kernel.kptr_restrict = 2 +kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. -# +# # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, @@ -327,7 +326,7 @@ kernel.grsecurity.harden_ptrace = 1 # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. -# +# # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 @@ -341,7 +340,7 @@ kernel.grsecurity.ptrace_readexec = 1 # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. -kernel.grsecurity.consistent_setxid = 0 +kernel.grsecurity.consistent_setxid = 1 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -359,7 +358,7 @@ kernel.grsecurity.consistent_setxid = 0 # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 0 +kernel.grsecurity.harden_ipc = 1 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -367,7 +366,7 @@ kernel.grsecurity.harden_ipc = 0 # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 4 +kernel.grsecurity.tpe_gid = 100 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -499,11 +498,11 @@ net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. -# +# # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no @@ -516,7 +515,7 @@ net.ipv4.tcp_synack_retries = 3 # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. -# +# # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off @@ -531,13 +530,13 @@ kernel.grsecurity.lastack_retries = 4 # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. -kernel.grsecurity.socket_all = 0 +kernel.grsecurity.socket_all = 1 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID # specified here. If the sysctl option is enabled, a sysctl option # with name "socket_all_gid" is created. -#kernel.grsecurity.socket_all_gid = 202 +kernel.grsecurity.socket_all_gid = 200 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be @@ -577,7 +576,7 @@ kernel.grsecurity.socket_server_gid = 99 # device insertion will be logged. This option is intended to be # used against custom USB devices designed to exploit vulnerabilities # in various USB device drivers. -# +# # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. diff --git a/core/configure.html b/core/configure.html index 1ca655f..b6b3fb5 100644 --- a/core/configure.html +++ b/core/configure.html @@ -185,7 +185,8 @@ </dl> <pre> - # useradd -m -k /etc/skel -s /bin/bash -U -G adm,wheel,audio,video,users c9admin + # useradd -k /etc/skel -s /bin/bash c9admin + # usermod -G adm,wheel,audio,video # passwd c9admin </pre> @@ -197,10 +198,6 @@ <h3>1.2.4.3 Add Administrator to Wheel group</h3> <pre> - # usermod -a -G wheel c9admin - </pre> - - <pre> bash-4.3# sudoedit /etc/sudoers </pre> diff --git a/core/grsecurity.html b/core/grsecurity.html index adfd292..30ee28c 100644 --- a/core/grsecurity.html +++ b/core/grsecurity.html @@ -2,31 +2,248 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>Grsecurity</title> + <title>2.2.1. Grsecurity</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>Grsecurity</h1> + <h1>2.2.1. Grsecurity</h1> - <p>Grsecurity utilities are installed and configured in - <a href="hardening.html">hardening</a>, kernel witch grsecurity - patch is installed using - <a href="../core/reboot.html#linux">linux port</a>.</p> + <p>Install grsecurity <a href="hardening.html">utilities</a>, kernel + configuration is based on + <a href="../core/reboot.html#linux">port kernel</a>, for manual + configuration check <a href="linux.html">linux kernel</a>. Configuration + is not enable by default, groups with special permissions and other + protections are set with <a href="sysctl.html">sysctl.html</a>;</p> + <dl> + + <dt>proc</dt> + <dd>GID 4 - adm group</dd> + <dd>If you say Y here, you will be able to select a group that will be + able to view all processes and network-related information. + GRKERNSEC_HIDESYM is enabled, kernel and symbol information may still + remain hidden.</dd> + + <dt>symlinks owner match</dt> + <dd>GID 15 - www group</dd> + <dd>Kernel-enforced SymlinksIfOwnerMatch group.</dd> + + <dt>group for auditing</dt> + <dd>GID 99 - nobody group</dd> + <dd>This option is recommended if you only want to watch certain + users exec and chdir logging features instead of having a large + amount of logs from the entire system</dd> + + <dt>tpe</dt> + <dd>GID 100 - users</dd> + <dd>Supplementary groups of users you want to mark as "untrusted". + Invert gid option causes to not apply tpe protection to this group, + allowing to build software with partially restrict all non-root users + enable.</dd> + + <dt>socket all</dt> + <dd>GID 200 - non existent</dd> + <dd>Deny sockets to this group.</dd> + + <dt>socket client</dt> + <dd>GID 15 - www group</dd> + <dd>Deny client sockets to this group.</dd> + + <dt>socket server</dt> + <dd>GID 99 - nobody group</dd> + <dd>Deny server sockets to this group.</dd> + + </dl> + + <p>Kernel configuration related to grsecurity;</p> - <h2>Special Groups</h2> <pre> - getent group tpe >/dev/null || groupadd -g 200 tpe - getent group audit >/dev/null || groupadd -g 201 audit - getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all - getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client - getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server + # + # Grsecurity + # + CONFIG_PAX_PER_CPU_PGD=y + CONFIG_TASK_SIZE_MAX_SHIFT=42 + CONFIG_GRKERNSEC=y + # CONFIG_GRKERNSEC_CONFIG_AUTO is not set + CONFIG_GRKERNSEC_CONFIG_CUSTOM=y + CONFIG_GRKERNSEC_PROC_GID=4 + CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100 + CONFIG_GRKERNSEC_SYMLINKOWN_GID=15 + + # + # PaX + # + CONFIG_PAX=y + + # + # PaX Control + # + # CONFIG_PAX_SOFTMODE is not set + # CONFIG_PAX_EI_PAX is not set + CONFIG_PAX_PT_PAX_FLAGS=y + CONFIG_PAX_XATTR_PAX_FLAGS=y + # CONFIG_PAX_NO_ACL_FLAGS is not set + CONFIG_PAX_HAVE_ACL_FLAGS=y + # CONFIG_PAX_HOOK_ACL_FLAGS is not set + + # + # Non-executable pages + # + CONFIG_PAX_NOEXEC=y + CONFIG_PAX_PAGEEXEC=y + CONFIG_PAX_EMUTRAMP=y + CONFIG_PAX_MPROTECT=y + # CONFIG_PAX_MPROTECT_COMPAT is not set + # CONFIG_PAX_ELFRELOCS is not set + CONFIG_PAX_KERNEXEC=y + CONFIG_PAX_KERNEXEC_PLUGIN=y + # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set + CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y + + # + # Address Space Layout Randomization + # + CONFIG_PAX_ASLR=y + CONFIG_PAX_RANDKSTACK=y + CONFIG_PAX_RANDUSTACK=y + CONFIG_PAX_RANDMMAP=y + + # + # Miscellaneous hardening features + # + CONFIG_PAX_MEMORY_SANITIZE=y + CONFIG_PAX_MEMORY_STACKLEAK=y + CONFIG_PAX_MEMORY_STRUCTLEAK=y + CONFIG_PAX_MEMORY_UDEREF=y + CONFIG_PAX_REFCOUNT=y + CONFIG_PAX_USERCOPY=y + CONFIG_PAX_CONSTIFY_PLUGIN=y + # CONFIG_PAX_USERCOPY_DEBUG is not set + CONFIG_PAX_SIZE_OVERFLOW=y + CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y + # CONFIG_PAX_INITIFY is not set + CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y + CONFIG_PAX_LATENT_ENTROPY=y + CONFIG_PAX_RAP=y + + # + # Memory Protections + # + CONFIG_GRKERNSEC_KMEM=y + CONFIG_GRKERNSEC_IO=y + CONFIG_GRKERNSEC_BPF_HARDEN=y + CONFIG_GRKERNSEC_PERF_HARDEN=y + CONFIG_GRKERNSEC_RAND_THREADSTACK=y + CONFIG_GRKERNSEC_PROC_MEMMAP=y + CONFIG_GRKERNSEC_KSTACKOVERFLOW=y + CONFIG_GRKERNSEC_BRUTE=y + CONFIG_GRKERNSEC_MODHARDEN=y + CONFIG_GRKERNSEC_HIDESYM=y + CONFIG_GRKERNSEC_RANDSTRUCT=y + CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y + CONFIG_GRKERNSEC_KERN_LOCKOUT=y + + # + # Role Based Access Control Options + # + # CONFIG_GRKERNSEC_NO_RBAC is not set + CONFIG_GRKERNSEC_ACL_HIDEKERN=y + CONFIG_GRKERNSEC_ACL_MAXTRIES=3 + CONFIG_GRKERNSEC_ACL_TIMEOUT=30 + + # + # Filesystem Protections + # + CONFIG_GRKERNSEC_PROC=y + # CONFIG_GRKERNSEC_PROC_USER is not set + CONFIG_GRKERNSEC_PROC_USERGROUP=y + CONFIG_GRKERNSEC_PROC_ADD=y + CONFIG_GRKERNSEC_LINK=y + CONFIG_GRKERNSEC_SYMLINKOWN=y + CONFIG_GRKERNSEC_FIFO=y + # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set + CONFIG_GRKERNSEC_ROFS=y + CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y + CONFIG_GRKERNSEC_CHROOT=y + CONFIG_GRKERNSEC_CHROOT_MOUNT=y + CONFIG_GRKERNSEC_CHROOT_DOUBLE=y + CONFIG_GRKERNSEC_CHROOT_PIVOT=y + CONFIG_GRKERNSEC_CHROOT_CHDIR=y + CONFIG_GRKERNSEC_CHROOT_CHMOD=y + CONFIG_GRKERNSEC_CHROOT_FCHDIR=y + CONFIG_GRKERNSEC_CHROOT_MKNOD=y + CONFIG_GRKERNSEC_CHROOT_SHMAT=y + CONFIG_GRKERNSEC_CHROOT_UNIX=y + CONFIG_GRKERNSEC_CHROOT_FINDTASK=y + CONFIG_GRKERNSEC_CHROOT_NICE=y + CONFIG_GRKERNSEC_CHROOT_SYSCTL=y + CONFIG_GRKERNSEC_CHROOT_RENAME=y + CONFIG_GRKERNSEC_CHROOT_CAPS=y + CONFIG_GRKERNSEC_CHROOT_INITRD=y + + # + # Kernel Auditing + # + CONFIG_GRKERNSEC_AUDIT_GROUP=y + CONFIG_GRKERNSEC_AUDIT_GID=99 + CONFIG_GRKERNSEC_EXECLOG=y + CONFIG_GRKERNSEC_RESLOG=y + CONFIG_GRKERNSEC_CHROOT_EXECLOG=y + CONFIG_GRKERNSEC_AUDIT_PTRACE=y + CONFIG_GRKERNSEC_AUDIT_CHDIR=y + CONFIG_GRKERNSEC_AUDIT_MOUNT=y + CONFIG_GRKERNSEC_SIGNAL=y + CONFIG_GRKERNSEC_FORKFAIL=y + CONFIG_GRKERNSEC_TIME=y + CONFIG_GRKERNSEC_PROC_IPADDR=y + CONFIG_GRKERNSEC_RWXMAP_LOG=y + + # + # Executable Protections + # + CONFIG_GRKERNSEC_DMESG=y + CONFIG_GRKERNSEC_HARDEN_PTRACE=y + CONFIG_GRKERNSEC_PTRACE_READEXEC=y + CONFIG_GRKERNSEC_SETXID=y + CONFIG_GRKERNSEC_HARDEN_IPC=y + CONFIG_GRKERNSEC_HARDEN_TTY=y + CONFIG_GRKERNSEC_TPE=y + CONFIG_GRKERNSEC_TPE_ALL=y + CONFIG_GRKERNSEC_TPE_INVERT=y + CONFIG_GRKERNSEC_TPE_GID=100 + + # + # Network Protections + # + CONFIG_GRKERNSEC_BLACKHOLE=y + CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y + CONFIG_GRKERNSEC_SOCKET=y + CONFIG_GRKERNSEC_SOCKET_ALL=y + CONFIG_GRKERNSEC_SOCKET_ALL_GID=200 + CONFIG_GRKERNSEC_SOCKET_CLIENT=y + CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15 + CONFIG_GRKERNSEC_SOCKET_SERVER=y + CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99 + + # + # Physical Protections + # + CONFIG_GRKERNSEC_DENYUSB=y + # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set + + # + # Sysctl Support + # + CONFIG_GRKERNSEC_SYSCTL=y + CONFIG_GRKERNSEC_SYSCTL_DISTRO=y + # CONFIG_GRKERNSEC_SYSCTL_ON is not set + </pre> - <h2>Pax</h2> - + <h2 id="pax">Pax</h2> + <p>Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.</p> /usr/bin/grub-script-check @@ -36,7 +253,7 @@ <h2 id="gradm">Gradm</h2> <p>Gradm is grsecurity access control lists administration utility. Gradm - have a + have a <a href="https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode">learning mode</a> per-subject, per-role or system-wide. Learning mode gather information that RBAC system supports, it reduces policy size, increase readability and enforces diff --git a/core/hardening.html b/core/hardening.html index 024c4c9..91cd8e9 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -11,19 +11,20 @@ <h1>2.2. Hardening</h1> <p>Kernel in ports have upstream linux kernel and - grsecurity patch, it should break some functionality - for the user and pkgmk user if tpe protection is active.</p> + grsecurity patch, it should break building some packages, + install follow tools;</p> <pre> $ sudo prt-get depinst gradm paxtest paxctld checksec lynis </pre> - <p>Check <a href="grsecurity.html">grsecurity</a> on how to setup - kernel, pax and gradm.</p> + <p>Information about <a href="grsecurity.html">grsecurity</a> kernel + configuration, <a href="grsecurity.html#pax">pax</a> and + <a href="grsecurity.html#gradm">gradm</a>.</p> - <p>Lynis tries to give system overall configuration, without - changing default profile run irrelevant tests. Create a lynis - profile by coping default one and run lynis;</p> + <p>Lynis gives a view of system overall configuration, without changing + default profile it runs irrelevant tests. Create a lynis profile by + coping default one and run lynis;</p> <pre> $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf diff --git a/core/index.html b/core/index.html index 8274630..485bf65 100644 --- a/core/index.html +++ b/core/index.html @@ -60,7 +60,7 @@ <li><a href="reboot.html">1.4. Prepare for reboot</a> <ul> - <li><a href="reboot.html#linux">1.4.1. Kernel Ports</a></li> + <li><a href="reboot.html#linux">1.4.1. Port kernel</a></li> <li><a href="reboot.html#grub">1.4.3. Configuring Grub</a></li> <li><a href="reboot.html#checkup">1.4.4. Checkup</a></li> </ul> @@ -81,9 +81,9 @@ </li> <li><a href="hardening.html">2.2. Hardening</a> <ul> - <li><a href="toolchain.html">2.2.1. Toolchain</a></li> - <li><a href="grsecurity.html">2.2.2. Grsecurity</a></li> - <li><a href="sysctl.html">2.2.3. Sysctl</a></li> + <li><a href="grsecurity.html">2.2.1. Grsecurity</a></li> + <li><a href="sysctl.html">2.2.2. Sysctl</a></li> + <li><a href="toolchain.html">2.2.3. Toolchain</a></li> <li><a href="samhain.html">2.2.4. Samhain</a></li> </ul> </li> @@ -116,7 +116,7 @@ </li> <li><a href="exim.html">2.6. Exim</a> <ul> - <li><a href="exim.html#conf">2.6.1. Exim Configuration</a></li> + <li><a href="exim.html#conf">2.6.1. Exim configuration</a></li> <li><a href="exim.html#cert">2.6.2. Certificates</a></li> <li><a href="exim.html#alias">2.6.3. Aliases</a></li> <li><a href="exim.html#smarthost">2.6.4. Smarthost</a></li> diff --git a/core/linux.html b/core/linux.html index 5138676..c52f9b8 100644 --- a/core/linux.html +++ b/core/linux.html @@ -17,9 +17,9 @@ <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2> - <p>Default crux configuration can be obtained from iso, this port depends - on dracut and grub but is not required to install them. To build and install - this port using prt-get;</p> + <p>Default crux configuration can be obtained from iso, + kernel port depends on dracut and grub but is not required + to install them. To build and install this port using prt-get;</p> <pre> $ prt-get depinst linux-libre @@ -31,26 +31,67 @@ <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>, or using the port system;</p> - <p>Crux iso comes with config that is more generic than used on linux-libre - port, crux default is a good starting point to personalize according to your - needs (build default, detect modules needed);</p> + <p>Crux iso comes with config that is more generic than used on + linux-libre port, crux default is a good starting point to + personalize according to your needs (build default, detect modules + needed);</p> <pre> $ mkdir ~/kernel $ cd ~/kernel - $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz . - $ tar xf linux-libre-4.9.11-gnu.tar.xz - $ cd linux-4.9.11/ + $ tar xf /usr/ports/distfiles/linux-libre-4.9.12-grsec.tar.xz + $ cd linux-4.9.12/ </pre> - <p><a href="grsecurity.net">Grsecurity</a> patch for - <a href="https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch">4.9.11</a>. + <p><a href="https://grsecurity.net">Grsecurity</a> patch for + <a href="https://grsecurity.net/test/grsecurity-3.1-4.9.12-201702231830.patch">4.9.12</a>. Gcc <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>) that adds more cpu options (FLAGS native). - Check <a href="ports/linux-libre/Pkgfile">Pkgfile</a> for instructions and - more patches used on linux-libre port. Read patching your kernel with + Check <a href="ports/linux-libre/Pkgfile">Pkgfile</a> + for instructions and more patches used on linux-libre port. + Read patching your kernel with <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">gresecurity</a>.</p> + <p>Apply grsecurity patch;</p> + + <pre> + $ patch -p1 < ../grsecurity-3.1-4.9.12-201702231830.patch + </pre> + + <p>Set correct version;</p> + + <pre> + $ rm localversion-grsec + </pre> + + <p>Edit Makefile and replace EXTRAVERSION;</p> + + <pre> + VERSION = 4 + PATCHLEVEL = 9 + SUBLEVEL = 12 + EXTRAVERSION = -grsec + NAME = Roaring Lionus + </pre> + + <p>Change cpu optimization patch;</p> + + <pre> + depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) + </pre> + + <p>to;</p> + + <pre> + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX) + </pre> + + <p>Apply additional cpu optimizations patch;</p> + + <pre> + $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch + </pre> + <p>Configure kernel according to your current kernel hardware support;</p> @@ -58,10 +99,7 @@ $ make localmodconfig </pre> - <p>This will disable all unloaded modules, - you can use localyesconfig mark all loaded - to be built in the kernel. To get information - about your hardware, for example information + <p>Get information about your hardware, for example information about which graphic module (driver) is in use as root run;</p> @@ -76,17 +114,165 @@ $ make nconfig </pre> + <p>Make targets;</p> + <pre> - $ make -j $(nproc) bzImage modules - $ sudo make modules_install - $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu - $ sudo cp System.map /boot/System.map-4.9.11-gnu + $ make help + Cleaning targets: + clean - Remove most generated files but keep the config and + enough build support to build external modules + mrproper - Remove all generated files + config + various backup files + distclean - mrproper + remove editor backup and patch files + + Configuration targets: + config - Update current config utilising a line-oriented program + nconfig - Update current config utilising a ncurses menu based + program + menuconfig - Update current config utilising a menu based program + xconfig - Update current config utilising a Qt based front-end + gconfig - Update current config utilising a GTK+ based front-end + oldconfig - Update current config utilising a provided .config as base + localmodconfig - Update current config disabling modules not loaded + localyesconfig - Update current config converting local mods to core + silentoldconfig - Same as oldconfig, but quietly, additionally update deps + defconfig - New config with default from ARCH supplied defconfig + savedefconfig - Save current config as ./defconfig (minimal config) + allnoconfig - New config where all options are answered with no + allyesconfig - New config where all options are accepted with yes + allmodconfig - New config selecting modules when possible + alldefconfig - New config with all symbols set to default + randconfig - New config with random answer to all options + listnewconfig - List new options + olddefconfig - Same as silentoldconfig but sets new symbols to their + default value + kvmconfig - Enable additional options for kvm guest kernel support + xenconfig - Enable additional options for xen dom0 and guest kernel support + tinyconfig - Configure the tiniest possible kernel + + Other generic targets: + all - Build all targets marked with [*] + * vmlinux - Build the bare kernel + * modules - Build all modules + modules_install - Install all modules to INSTALL_MOD_PATH (default: /) + firmware_install- Install all firmware to INSTALL_FW_PATH + (default: $(INSTALL_MOD_PATH)/lib/firmware) + dir/ - Build all files in dir and below + dir/file.[ois] - Build specified target only + dir/file.lst - Build specified mixed source/assembly target only + (requires a recent binutils and recent build (System.map)) + dir/file.ko - Build module including final link + modules_prepare - Set up for building external modules + tags/TAGS - Generate tags file for editors + cscope - Generate cscope index + gtags - Generate GNU GLOBAL index + kernelrelease - Output the release version string (use with make -s) + kernelversion - Output the version stored in Makefile (use with make -s) + image_name - Output the image name (use with make -s) + headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH + (default: ./usr) + + Static analysers + checkstack - Generate a list of stack hogs + namespacecheck - Name space analysis on compiled kernel + versioncheck - Sanity check on version.h usage + includecheck - Check for duplicate included header files + export_report - List the usages of all exported symbols + headers_check - Sanity check on exported headers + headerdep - Detect inclusion cycles in headers + coccicheck - Check with Coccinelle. + + Kernel selftest + kselftest - Build and run kernel selftest (run as root) + Build, install, and boot kernel before + running kselftest on it + kselftest-clean - Remove all generated kselftest files + kselftest-merge - Merge all the config dependencies of kselftest to existed + .config. + + Kernel packaging: + rpm-pkg - Build both source and binary RPM kernel packages + binrpm-pkg - Build only the binary kernel RPM package + deb-pkg - Build both source and binary deb kernel packages + bindeb-pkg - Build only the binary kernel deb package + tar-pkg - Build the kernel as an uncompressed tarball + targz-pkg - Build the kernel as a gzip compressed tarball + tarbz2-pkg - Build the kernel as a bzip2 compressed tarball + tarxz-pkg - Build the kernel as a xz compressed tarball + perf-tar-src-pkg - Build perf-4.9.9-gnu.tar source tarball + perf-targz-src-pkg - Build perf-4.9.9-gnu.tar.gz source tarball + perf-tarbz2-src-pkg - Build perf-4.9.9-gnu.tar.bz2 source tarball + perf-tarxz-src-pkg - Build perf-4.9.9-gnu.tar.xz source tarball + + Documentation targets: + Linux kernel internal documentation in different formats (Sphinx): + htmldocs - HTML + latexdocs - LaTeX + pdfdocs - PDF + epubdocs - EPUB + xmldocs - XML + cleandocs - clean all generated files + + make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2 + valid values for SPHINXDIRS are: development-process media gpu 80211 + + make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build + configuration. This is e.g. useful to build with nit-picking config. + + Linux kernel internal documentation in different formats (DocBook): + htmldocs - HTML + pdfdocs - PDF + psdocs - Postscript + xmldocs - XML DocBook + mandocs - man pages + installmandocs - install man pages generated by mandocs + cleandocs - clean all generated DocBook files + + make DOCBOOKS="s1.xml s2.xml" [target] Generate only docs s1.xml s2.xml + valid values for DOCBOOKS are: z8530book.xml kernel-hacking.xml kernel-locking.xml deviceiobook.xml writing_usb_driver.xml networking.xml kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml debugobjects.xml sh.xml regulator.xml alsa-driver-api.xml writing-an-alsa-driver.xml tracepoint.xml w1.xml writing_musb_glue_layer.xml crypto-API.xml iio.xml + + make DOCBOOKS="" [target] Don't generate docs from Docbook + This is useful to generate only the ReST docs (Sphinx) + + Architecture specific targets (x86): + * bzImage - Compressed kernel image (arch/x86/boot/bzImage) + install - Install kernel using + (your) ~/bin/installkernel or + (distribution) /sbin/installkernel or + install to $(INSTALL_PATH) and run lilo + fdimage - Create 1.4MB boot floppy image (arch/x86/boot/fdimage) + fdimage144 - Create 1.4MB boot floppy image (arch/x86/boot/fdimage) + fdimage288 - Create 2.8MB boot floppy image (arch/x86/boot/fdimage) + isoimage - Create a boot CD-ROM image (arch/x86/boot/image.iso) + bzdisk/fdimage*/isoimage also accept: + FDARGS="..." arguments for the booted kernel + FDINITRD=file initrd for the booted kernel + + i386_defconfig - Build for i386 + x86_64_defconfig - Build for x86_64 + + make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build + make V=2 [targets] 2 => give reason for rebuild of target + make O=dir [targets] Locate all output files in "dir", including .config + make C=1 [targets] Check all c source with $CHECK (sparse by default) + make C=2 [targets] Force check of all c source with $CHECK + make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections + make W=n [targets] Enable extra gcc checks, n=1,2,3 where + 1: warnings which may be relevant and do not occur too often + 2: warnings which occur quite often but may still be relevant + 3: more obscure warnings, can most likely be ignored + Multiple levels can be combined with W=12 or W=123 + + Execute "make" or "make all" to build all targets marked with [*] + For further info see the ./README file + $ </pre> - <p>Create dracut initramfs;</p> <pre> - $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu + $ make -j $(nproc) bzImage modules + $ sudo make modules_install + $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.12-grsec + $ sudo cp System.map /boot/System.map-4.9.12-grsec </pre> <p>Update grub;</p> @@ -98,9 +284,9 @@ <h2 id="kuninstall">2.1.3. Manual Remove</h2> <pre> - $ sudo rm -r /lib/modules/4.9.11-gnu - $ sudo rm /boot/vmlinuz-4.9.11-gnu - $ sudo rm /boot/System.map-4.9.11-gnu + $ sudo rm -r /lib/modules/4.9.12-grsec + $ sudo rm /boot/vmlinuz-4.9.12-grsec + $ sudo rm /boot/System.map-4.9.12-grsec </pre> <h2 id="dracut">2.1.4. Dracut</h2> diff --git a/core/ports/linux-blob/.footprint b/core/ports/linux-blob/.footprint index 02c767e..62181ac 100644 --- a/core/ports/linux-blob/.footprint +++ b/core/ports/linux-blob/.footprint @@ -1,56 +1,49 @@ drwxr-xr-x root/root boot/ --rw-r--r-- root/root boot/System.map-4.9.11-blob --rw-r--r-- root/root boot/config-4.9.11-blob --rw-r--r-- root/root boot/vmlinuz-4.9.11-blob +-rw-r--r-- root/root boot/System.map-4.9.12-blob +-rw-r--r-- root/root boot/config-4.9.12-blob +-rw-r--r-- root/root boot/vmlinuz-4.9.12-blob drwxr-xr-x root/root lib/ drwxr-xr-x root/root lib/modules/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/ -lrwxrwxrwx root/root lib/modules/4.9.11-blob/build -> /usr/src/linux-4.9.11 -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/gspca_main.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/fs/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/fs/ntfs/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/fs/ntfs/ntfs.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.alias --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.alias.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.builtin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.builtin.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.dep --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.dep.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.devname (EMPTY) --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.order --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.softdep --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.symbols --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.symbols.bin -lrwxrwxrwx root/root lib/modules/4.9.11-blob/source -> /usr/src/linux-4.9.11 +drwxr-xr-x root/root lib/modules/4.9.12-blob/ +lrwxrwxrwx root/root lib/modules/4.9.12-blob/build -> /usr/src/linux-4.9.12 +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/gspca/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/gspca/gspca_main.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/uvc/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/vhost/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/vhost/vhost_scsi.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/fs/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/fs/ntfs/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/fs/ntfs/ntfs.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.alias +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.alias.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.builtin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.builtin.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.dep (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.dep.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.devname (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.order +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.softdep +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.symbols +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.symbols.bin +lrwxrwxrwx root/root lib/modules/4.9.12-blob/source -> /usr/src/linux-4.9.12 drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/src/ --rw-r--r-- root/root usr/src/4.9.11-blob-config --rw-r--r-- root/root usr/src/4.9.11-cpu_optimizations.patch --rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.11-201702181444.patch +-rw-r--r-- root/root usr/src/4.9.12-blob-config +-rw-r--r-- root/root usr/src/4.9.12-cpu_optimizations.patch +-rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.12-201702231830.patch diff --git a/core/ports/linux-blob/.md5sum b/core/ports/linux-blob/.md5sum index 8516def..2b23da8 100644 --- a/core/ports/linux-blob/.md5sum +++ b/core/ports/linux-blob/.md5sum @@ -1,7 +1,7 @@ -dc71c8f55df123437c468dad7be88757 config-c9 +4cfe0909ea898be7ccc712ab162be13d config-c9 00bc0d70f200c2673fe7dd6f02053fa4 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch -e4eb7eab3a40968c3bd4a0a19339a6a1 grsecurity-3.1-4.9.11-201702181444.patch -98761ce71c603199fe6fcce600c60772 linux-4.9.11.tar.xz +83b031b26dc0aeb3ccf8c45785253225 grsecurity-3.1-4.9.12-201702231830.patch +073dfb3a13bf5836ef2d66e24ccf2ceb linux-4.9.12.tar.xz bcf38b0fbf7bd83323f3202ec082b15a port-blob-cpu.patch -48908f447c73e31c2428cb68b00d1e9c port-blob-grsecurity.patch -4a443bf320ede9f5cb183843e85b3b62 port-blob-make.patch +e22c8ae9bf05e1e85f5e6e6827cef368 port-blob-grsecurity.patch +33a67ae0d1cc89895a91ff95e3565b5e port-blob-make.patch diff --git a/core/ports/linux-blob/Pkgfile b/core/ports/linux-blob/Pkgfile index b312361..d9767b1 100644 --- a/core/ports/linux-blob/Pkgfile +++ b/core/ports/linux-blob/Pkgfile @@ -4,11 +4,11 @@ # Depends on: grub2 dracut name=linux-blob -version=4.9.11 -release=3 +version=4.9.12 +release=2 source=(https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$version.tar.xz \ https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \ - http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \ + http://grsecurity.net/test/grsecurity-3.1-4.9.12-201702231830.patch \ port-blob-grsecurity.patch \ port-blob-make.patch \ port-blob-cpu.patch \ @@ -22,26 +22,31 @@ build() { install -m 0644 $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch # /usr/src/grsecurity-version.patch - install -m 0644 $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/ + install -m 0644 $SRC/grsecurity-3.1-4.9.12-201702231830.patch $PKG/usr/src/ patch < port-blob-grsecurity.patch patch < port-blob-cpu.patch + # fix to build under tpe + chmod -R go-w linux-$version + cd linux-$version patch < ${SRC}/port-blob-make.patch make distclean - patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch + patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cp $SRC/config-c9 .config make silentoldconfig - make nconfig + # make nconfig # make localmodconfig + make prepare + install -m 0644 .config $PKG/usr/src/${version}-blob-config make LOCALVERSION= bzImage modules diff --git a/core/ports/linux-blob/config-c9 b/core/ports/linux-blob/config-c9 index 2b0bb4b..0bd5108 100644 --- a/core/ports/linux-blob/config-c9 +++ b/core/ports/linux-blob/config-c9 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.11-blob Kernel Configuration +# Linux/x86 4.9.12-blob Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -62,10 +62,10 @@ CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y -# CONFIG_KERNEL_GZIP is not set +CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set -CONFIG_KERNEL_XZ=y +# CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_LZO is not set # CONFIG_KERNEL_LZ4 is not set CONFIG_DEFAULT_HOSTNAME="(none)" @@ -76,11 +76,8 @@ CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_FHANDLE=y -CONFIG_AUDIT=y +# CONFIG_AUDIT is not set CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT_WATCH=y -CONFIG_AUDIT_TREE=y # # IRQ subsystem @@ -119,12 +116,13 @@ CONFIG_HIGH_RES_TIMERS=y # CONFIG_TICK_CPU_ACCOUNTING=y # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set -CONFIG_IRQ_TIME_ACCOUNTING=y +# CONFIG_IRQ_TIME_ACCOUNTING is not set CONFIG_BSD_PROCESS_ACCT=y CONFIG_BSD_PROCESS_ACCT_V3=y CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y -# CONFIG_TASK_XACCT is not set +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y # # RCU Subsystem @@ -138,7 +136,7 @@ CONFIG_RCU_STALL_COMMON=y CONFIG_BUILD_BIN2C=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=18 +CONFIG_LOG_BUF_SHIFT=19 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_NMI_LOG_BUF_SHIFT=13 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y @@ -149,14 +147,15 @@ CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y -# CONFIG_MEMCG_SWAP is not set +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_BLK_CGROUP=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y CONFIG_CGROUP_WRITEBACK=y CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y -# CONFIG_CFS_BANDWIDTH is not set -# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_PIDS=y # CONFIG_CGROUP_FREEZER is not set CONFIG_CPUSETS=y @@ -211,7 +210,7 @@ CONFIG_EPOLL=y CONFIG_SIGNALFD=y CONFIG_TIMERFD=y CONFIG_EVENTFD=y -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_SHMEM=y CONFIG_AIO=y CONFIG_ADVISE_SYSCALLS=y @@ -234,11 +233,13 @@ CONFIG_SLUB=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLUB_CPU_PARTIAL=y CONFIG_SYSTEM_DATA_VERIFICATION=y -# CONFIG_PROFILING is not set +CONFIG_PROFILING=y +# CONFIG_OPROFILE is not set CONFIG_HAVE_OPROFILE=y CONFIG_OPROFILE_NMI_TIMER=y CONFIG_KPROBES=y -# CONFIG_JUMP_LABEL is not set +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set CONFIG_OPTPROBES=y # CONFIG_UPROBES is not set # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set @@ -279,8 +280,8 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y CONFIG_HAVE_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_NONE is not set -CONFIG_CC_STACKPROTECTOR_REGULAR=y -# CONFIG_CC_STACKPROTECTOR_STRONG is not set +# CONFIG_CC_STACKPROTECTOR_REGULAR is not set +CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y @@ -299,7 +300,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set -# CONFIG_ISA_BUS_API is not set +CONFIG_ISA_BUS_API=y CONFIG_OLD_SIGSUSPEND3=y CONFIG_COMPAT_OLD_SIGACTION=y # CONFIG_CPU_NO_EFFICIENT_FFS is not set @@ -328,14 +329,16 @@ CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_SHA384 is not set # CONFIG_MODULE_SIG_SHA512 is not set CONFIG_MODULE_SIG_HASH="sha256" -# CONFIG_MODULE_COMPRESS is not set +CONFIG_MODULE_COMPRESS=y +CONFIG_MODULE_COMPRESS_GZIP=y +# CONFIG_MODULE_COMPRESS_XZ is not set CONFIG_TRIM_UNUSED_KSYMS=y CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y CONFIG_BLK_DEV_INTEGRITY=y -# CONFIG_BLK_DEV_THROTTLING is not set +CONFIG_BLK_DEV_THROTTLING=y # CONFIG_BLK_CMDLINE_PARSER is not set # @@ -399,6 +402,7 @@ CONFIG_ZONE_DMA=y CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set # CONFIG_X86_EXTENDED_PLATFORM is not set @@ -407,6 +411,14 @@ CONFIG_X86_INTEL_LPSS=y CONFIG_IOSF_MBI=y CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +# CONFIG_PARAVIRT_DEBUG is not set +CONFIG_PARAVIRT_SPINLOCKS=y +# CONFIG_XEN is not set +CONFIG_KVM_GUEST=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_PARAVIRT_CLOCK=y CONFIG_NO_BOOTMEM=y # CONFIG_MK8 is not set # CONFIG_MK8SSE3 is not set @@ -457,8 +469,8 @@ CONFIG_IOMMU_HELPER=y CONFIG_NR_CPUS=4 CONFIG_SCHED_SMT=y CONFIG_SCHED_MC=y -CONFIG_PREEMPT_NONE=y -# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT_NONE is not set +CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y @@ -494,6 +506,7 @@ CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y @@ -509,8 +522,11 @@ CONFIG_HAVE_MEMBLOCK_NODE_MAP=y CONFIG_ARCH_DISCARD_MEMBLOCK=y CONFIG_MEMORY_ISOLATION=y # CONFIG_MOVABLE_NODE is not set -# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set -# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +CONFIG_MEMORY_HOTREMOVE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_MEMORY_BALLOON=y @@ -518,18 +534,21 @@ CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y CONFIG_PHYS_ADDR_T_64BIT=y -# CONFIG_BOUNCE is not set +CONFIG_BOUNCE=y CONFIG_VIRT_TO_BUS=y CONFIG_MMU_NOTIFIER=y -# CONFIG_KSM is not set -CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_KSM=y +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y CONFIG_MEMORY_FAILURE=y -# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y +# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set +CONFIG_TRANSPARENT_HUGE_PAGECACHE=y CONFIG_CLEANCACHE=y CONFIG_FRONTSWAP=y # CONFIG_CMA is not set -# CONFIG_ZSWAP is not set +CONFIG_ZSWAP=y CONFIG_ZPOOL=y CONFIG_ZBUD=y CONFIG_Z3FOLD=y @@ -537,7 +556,9 @@ CONFIG_ZSMALLOC=y # CONFIG_PGTABLE_MAPPING is not set CONFIG_GENERIC_EARLY_IOREMAP=y CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set # CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ZONE_DEVICE=y CONFIG_FRAME_VECTOR=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y @@ -546,7 +567,9 @@ CONFIG_X86_CHECK_BIOS_CORRUPTION=y CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y CONFIG_X86_RESERVE_LOW=64 CONFIG_MTRR=y -# CONFIG_MTRR_SANITIZER is not set +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 CONFIG_X86_PAT=y CONFIG_ARCH_USES_PG_UNCACHED=y CONFIG_ARCH_RANDOM=y @@ -554,7 +577,8 @@ CONFIG_X86_SMAP=y CONFIG_X86_INTEL_MPX=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_EFI=y -# CONFIG_EFI_STUB is not set +CONFIG_EFI_STUB=y +CONFIG_EFI_MIXED=y CONFIG_SECCOMP=y # CONFIG_HZ_100 is not set # CONFIG_HZ_250 is not set @@ -567,7 +591,9 @@ CONFIG_CRASH_DUMP=y CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y CONFIG_PHYSICAL_ALIGN=0x1000000 -# CONFIG_HOTPLUG_CPU is not set +CONFIG_HOTPLUG_CPU=y +# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set +# CONFIG_DEBUG_HOTPLUG_CPU0 is not set CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_LEGACY_VSYSCALL_NONE is not set # CONFIG_CMDLINE_BOOL is not set @@ -575,6 +601,7 @@ CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y # @@ -583,6 +610,7 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND is not set CONFIG_PM=y # CONFIG_PM_DEBUG is not set +CONFIG_PM_OPP=y CONFIG_PM_CLK=y # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set CONFIG_ACPI=y @@ -591,8 +619,8 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y # CONFIG_ACPI_DEBUGGER is not set # CONFIG_ACPI_PROCFS_POWER is not set -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -# CONFIG_ACPI_EC_DEBUGFS is not set +# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set +CONFIG_ACPI_EC_DEBUGFS=y CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y CONFIG_ACPI_BUTTON=y @@ -603,7 +631,8 @@ CONFIG_ACPI_CPU_FREQ_PSS=y CONFIG_ACPI_PROCESSOR_CSTATE=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_PROCESSOR=y -# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y CONFIG_ACPI_THERMAL=y CONFIG_ACPI_NUMA=y # CONFIG_ACPI_CUSTOM_DSDT is not set @@ -613,6 +642,7 @@ CONFIG_ACPI_TABLE_UPGRADE=y CONFIG_ACPI_PCI_SLOT=y CONFIG_X86_PM_TIMER=y CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_ACPI_SBS=y CONFIG_ACPI_HED=y @@ -626,16 +656,48 @@ CONFIG_ACPI_APEI_GHES=y CONFIG_ACPI_APEI_PCIEAER=y # CONFIG_ACPI_APEI_MEMORY_FAILURE is not set # CONFIG_ACPI_APEI_ERST_DEBUG is not set -# CONFIG_DPTF_POWER is not set +CONFIG_DPTF_POWER=y # CONFIG_ACPI_EXTLOG is not set -# CONFIG_PMIC_OPREGION is not set +CONFIG_PMIC_OPREGION=y CONFIG_ACPI_CONFIGFS=y CONFIG_SFI=y # # CPU Frequency scaling # -# CONFIG_CPU_FREQ is not set +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +# CONFIG_CPU_FREQ_STAT is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y + +# +# CPU frequency scaling drivers +# +CONFIG_CPUFREQ_DT=y +CONFIG_CPUFREQ_DT_PLATDEV=y +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=y +# CONFIG_X86_POWERNOW_K8 is not set +# CONFIG_X86_SPEEDSTEP_CENTRINO is not set +# CONFIG_X86_P4_CLOCKMOD is not set + +# +# shared options +# +# CONFIG_X86_SPEEDSTEP_LIB is not set # # CPU Idle @@ -644,24 +706,25 @@ CONFIG_CPU_IDLE=y CONFIG_CPU_IDLE_GOV_LADDER=y CONFIG_CPU_IDLE_GOV_MENU=y # CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set -# CONFIG_INTEL_IDLE is not set +CONFIG_INTEL_IDLE=y # # Memory power savings # -# CONFIG_I7300_IDLE is not set +CONFIG_I7300_IDLE_IOAT_CHANNEL=y +CONFIG_I7300_IDLE=y # # Bus options (PCI etc.) # CONFIG_PCI=y CONFIG_PCI_DIRECT=y -# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_MMCONFIG=y CONFIG_PCI_DOMAINS=y # CONFIG_PCI_CNB20LE_QUIRK is not set CONFIG_PCIEPORTBUS=y CONFIG_PCIEAER=y -# CONFIG_PCIE_ECRC is not set +CONFIG_PCIE_ECRC=y # CONFIG_PCIEAER_INJECT is not set CONFIG_PCIEASPM=y # CONFIG_PCIEASPM_DEBUG is not set @@ -669,13 +732,13 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set CONFIG_PCIE_PME=y -# CONFIG_PCIE_DPC is not set -# CONFIG_PCIE_PTM is not set +CONFIG_PCIE_DPC=y +CONFIG_PCIE_PTM=y CONFIG_PCI_BUS_ADDR_T_64BIT=y CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y # CONFIG_PCI_DEBUG is not set -# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +CONFIG_PCI_REALLOC_ENABLE_AUTO=y # CONFIG_PCI_STUB is not set CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y @@ -691,11 +754,11 @@ CONFIG_PCI_LABEL=y CONFIG_PCIE_DW_PLAT=y CONFIG_PCIE_DW=y # CONFIG_VMD is not set -# CONFIG_ISA_BUS is not set +CONFIG_ISA_BUS=y CONFIG_ISA_DMA_API=y # CONFIG_PCCARD is not set # CONFIG_RAPIDIO is not set -CONFIG_X86_SYSFB=y +# CONFIG_X86_SYSFB is not set # # Executable file formats / Emulations @@ -706,7 +769,7 @@ CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set -# CONFIG_BINFMT_MISC is not set +CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y CONFIG_IA32_EMULATION=y CONFIG_IA32_AOUT=y @@ -862,7 +925,6 @@ CONFIG_NETFILTER_XT_SET=y # # Xtables targets # -CONFIG_NETFILTER_XT_TARGET_AUDIT=y CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y CONFIG_NETFILTER_XT_TARGET_CONNMARK=y @@ -1242,10 +1304,11 @@ CONFIG_HAVE_EBPF_JIT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y CONFIG_STANDALONE=y -CONFIG_PREVENT_FIRMWARE_BUILD=y +# CONFIG_PREVENT_FIRMWARE_BUILD is not set CONFIG_FW_LOADER=y CONFIG_FIRMWARE_IN_KERNEL=y -CONFIG_EXTRA_FIRMWARE="" +CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode" +CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" CONFIG_FW_LOADER_USER_HELPER=y CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y CONFIG_WANT_DEV_COREDUMP=y @@ -1318,9 +1381,7 @@ CONFIG_VIRTIO_BLK=y # CONFIG_BLK_DEV_HD is not set # CONFIG_BLK_DEV_RBD is not set # CONFIG_BLK_DEV_RSXX is not set -CONFIG_NVME_CORE=y -CONFIG_BLK_DEV_NVME=y -# CONFIG_BLK_DEV_NVME_SCSI is not set +# CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_TARGET is not set # @@ -1379,7 +1440,7 @@ CONFIG_INTEL_MEI_TXE=y # # Intel MIC Bus Driver # -CONFIG_INTEL_MIC_BUS=y +# CONFIG_INTEL_MIC_BUS is not set # # SCIF Bus Driver @@ -1537,7 +1598,7 @@ CONFIG_SATA_AHCI_PLATFORM=y CONFIG_MD=y CONFIG_BLK_DEV_MD=y CONFIG_MD_AUTODETECT=y -# CONFIG_MD_LINEAR is not set +CONFIG_MD_LINEAR=y CONFIG_MD_RAID0=y CONFIG_MD_RAID1=y CONFIG_MD_RAID10=y @@ -1571,7 +1632,13 @@ CONFIG_DM_UEVENT=y # CONFIG_DM_VERITY is not set # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set -# CONFIG_TARGET_CORE is not set +CONFIG_TARGET_CORE=y +# CONFIG_TCM_IBLOCK is not set +# CONFIG_TCM_FILEIO is not set +# CONFIG_TCM_PSCSI is not set +# CONFIG_TCM_USER2 is not set +# CONFIG_LOOPBACK_TARGET is not set +# CONFIG_ISCSI_TARGET is not set CONFIG_FUSION=y CONFIG_FUSION_SPI=y CONFIG_FUSION_FC=y @@ -1747,11 +1814,10 @@ CONFIG_WLAN_VENDOR_INTEL=y # CONFIG_IPW2200 is not set # CONFIG_IWL4965 is not set # CONFIG_IWL3945 is not set -CONFIG_IWLWIFI=m +CONFIG_IWLWIFI=y CONFIG_IWLWIFI_LEDS=y -CONFIG_IWLDVM=m -CONFIG_IWLMVM=m -CONFIG_IWLWIFI_OPMODE_MODULAR=y +CONFIG_IWLDVM=y +CONFIG_IWLMVM=y # CONFIG_IWLWIFI_BCAST_FILTERING is not set CONFIG_IWLWIFI_PCIE_RTPM=y @@ -1843,6 +1909,7 @@ CONFIG_MOUSE_PS2_ELANTECH=y # CONFIG_MOUSE_PS2_SENTELIC is not set # CONFIG_MOUSE_PS2_TOUCHKIT is not set CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_PS2_VMMOUSE is not set CONFIG_MOUSE_SERIAL=y # CONFIG_MOUSE_APPLETOUCH is not set # CONFIG_MOUSE_BCM5974 is not set @@ -1962,7 +2029,7 @@ CONFIG_I2C_MUX=y # Multiplexer I2C Chip support # # CONFIG_I2C_ARB_GPIO_CHALLENGE is not set -CONFIG_I2C_MUX_GPIO=y +# CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PCA954x is not set # CONFIG_I2C_MUX_PINCTRL is not set @@ -1986,7 +2053,7 @@ CONFIG_I2C_ALGOBIT=y # CONFIG_I2C_AMD8111 is not set CONFIG_I2C_I801=y # CONFIG_I2C_ISCH is not set -# CONFIG_I2C_ISMT is not set +CONFIG_I2C_ISMT=y # CONFIG_I2C_PIIX4 is not set # CONFIG_I2C_NFORCE2 is not set # CONFIG_I2C_SIS5595 is not set @@ -2007,7 +2074,7 @@ CONFIG_I2C_SCMI=y CONFIG_I2C_DESIGNWARE_CORE=y CONFIG_I2C_DESIGNWARE_PLATFORM=y CONFIG_I2C_DESIGNWARE_PCI=y -# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set +CONFIG_I2C_DESIGNWARE_BAYTRAIL=y # CONFIG_I2C_EMEV2 is not set # CONFIG_I2C_GPIO is not set # CONFIG_I2C_OCORES is not set @@ -2048,9 +2115,9 @@ CONFIG_SPI_BITBANG=y # CONFIG_SPI_CADENCE is not set CONFIG_SPI_DESIGNWARE=y CONFIG_SPI_DW_PCI=y -# CONFIG_SPI_DW_MID_DMA is not set +CONFIG_SPI_DW_MID_DMA=y CONFIG_SPI_DW_MMIO=y -CONFIG_SPI_GPIO=y +# CONFIG_SPI_GPIO is not set # CONFIG_SPI_FSL_SPI is not set # CONFIG_SPI_OC_TINY is not set # CONFIG_SPI_PXA2XX is not set @@ -2067,7 +2134,7 @@ CONFIG_SPI_GPIO=y # CONFIG_SPI_SPIDEV is not set # CONFIG_SPI_LOOPBACK_TEST is not set # CONFIG_SPI_TLE62X0 is not set -# CONFIG_SPMI is not set +CONFIG_SPMI=y # CONFIG_HSI is not set # @@ -2108,7 +2175,7 @@ CONFIG_GPIOLIB=y CONFIG_OF_GPIO=y CONFIG_GPIO_ACPI=y # CONFIG_DEBUG_GPIO is not set -CONFIG_GPIO_SYSFS=y +# CONFIG_GPIO_SYSFS is not set # # Memory mapped GPIO drivers @@ -2119,7 +2186,7 @@ CONFIG_GPIO_SYSFS=y # CONFIG_GPIO_DWAPB is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_GRGPIO is not set -CONFIG_GPIO_ICH=y +# CONFIG_GPIO_ICH is not set # CONFIG_GPIO_LYNXPOINT is not set # CONFIG_GPIO_MOCKUP is not set # CONFIG_GPIO_VX855 is not set @@ -2129,10 +2196,15 @@ CONFIG_GPIO_ICH=y # # Port-mapped I/O GPIO drivers # +# CONFIG_GPIO_104_DIO_48E is not set +# CONFIG_GPIO_104_IDIO_16 is not set +# CONFIG_GPIO_104_IDI_48 is not set # CONFIG_GPIO_F7188X is not set +# CONFIG_GPIO_GPIO_MM is not set # CONFIG_GPIO_IT87 is not set # CONFIG_GPIO_SCH is not set # CONFIG_GPIO_SCH311X is not set +# CONFIG_GPIO_WS16C48 is not set # # I2C GPIO expanders @@ -2176,7 +2248,34 @@ CONFIG_GPIO_ICH=y # # USB GPIO expanders # -# CONFIG_W1 is not set +CONFIG_W1=y +CONFIG_W1_CON=y + +# +# 1-wire Bus Masters +# +# CONFIG_W1_MASTER_MATROX is not set +# CONFIG_W1_MASTER_DS2490 is not set +# CONFIG_W1_MASTER_DS2482 is not set +# CONFIG_W1_MASTER_DS1WM is not set +# CONFIG_W1_MASTER_GPIO is not set + +# +# 1-wire Slaves +# +CONFIG_W1_SLAVE_THERM=y +# CONFIG_W1_SLAVE_SMEM is not set +# CONFIG_W1_SLAVE_DS2408 is not set +# CONFIG_W1_SLAVE_DS2413 is not set +# CONFIG_W1_SLAVE_DS2406 is not set +# CONFIG_W1_SLAVE_DS2423 is not set +# CONFIG_W1_SLAVE_DS2431 is not set +# CONFIG_W1_SLAVE_DS2433 is not set +# CONFIG_W1_SLAVE_DS2760 is not set +# CONFIG_W1_SLAVE_DS2780 is not set +# CONFIG_W1_SLAVE_DS2781 is not set +# CONFIG_W1_SLAVE_DS28E04 is not set +# CONFIG_W1_SLAVE_BQ27000 is not set # CONFIG_POWER_AVS is not set # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y @@ -2190,7 +2289,6 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_BQ27XXX is not set # CONFIG_BATTERY_MAX17040 is not set # CONFIG_BATTERY_MAX17042 is not set -# CONFIG_CHARGER_ISP1704 is not set # CONFIG_CHARGER_MAX8903 is not set # CONFIG_CHARGER_LP8727 is not set # CONFIG_CHARGER_GPIO is not set @@ -2361,12 +2459,14 @@ CONFIG_THERMAL_GOV_STEP_WISE=y # CONFIG_THERMAL_GOV_BANG_BANG is not set CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +# CONFIG_CPU_THERMAL is not set +# CONFIG_CLOCK_THERMAL is not set +# CONFIG_DEVFREQ_THERMAL is not set # CONFIG_THERMAL_EMULATION is not set # CONFIG_QORIQ_THERMAL is not set # CONFIG_INTEL_POWERCLAMP is not set CONFIG_X86_PKG_TEMP_THERMAL=y -CONFIG_INTEL_SOC_DTS_IOSF_CORE=y -CONFIG_INTEL_SOC_DTS_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set # # ACPI INT340X thermal drivers @@ -2375,7 +2475,7 @@ CONFIG_INTEL_SOC_DTS_THERMAL=y CONFIG_INTEL_PCH_THERMAL=y CONFIG_WATCHDOG=y CONFIG_WATCHDOG_CORE=y -CONFIG_WATCHDOG_NOWAYOUT=y +# CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_WATCHDOG_SYSFS=y # @@ -2393,6 +2493,7 @@ CONFIG_WATCHDOG_SYSFS=y # CONFIG_ADVANTECH_WDT is not set # CONFIG_ALIM1535_WDT is not set # CONFIG_ALIM7101_WDT is not set +# CONFIG_EBC_C384_WDT is not set # CONFIG_F71808E_WDT is not set # CONFIG_SP5100_TCO is not set # CONFIG_SBC_FITPC2_WATCHDOG is not set @@ -2444,18 +2545,7 @@ CONFIG_SSB_POSSIBLE=y # # Sonics Silicon Backplane # -CONFIG_SSB=y -CONFIG_SSB_SPROM=y -CONFIG_SSB_PCIHOST_POSSIBLE=y -CONFIG_SSB_PCIHOST=y -# CONFIG_SSB_B43_PCI_BRIDGE is not set -CONFIG_SSB_SDIOHOST_POSSIBLE=y -# CONFIG_SSB_SDIOHOST is not set -# CONFIG_SSB_SILENT is not set -# CONFIG_SSB_DEBUG is not set -CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y -CONFIG_SSB_DRIVER_PCICORE=y -# CONFIG_SSB_DRIVER_GPIO is not set +# CONFIG_SSB is not set CONFIG_BCMA_POSSIBLE=y # @@ -2751,7 +2841,7 @@ CONFIG_AGP_INTEL=y # CONFIG_AGP_VIA is not set CONFIG_INTEL_GTT=y CONFIG_VGA_ARB=y -CONFIG_VGA_ARB_MAX_GPUS=1 +CONFIG_VGA_ARB_MAX_GPUS=2 # CONFIG_VGA_SWITCHEROO is not set CONFIG_DRM=y CONFIG_DRM_MIPI_DSI=y @@ -3047,13 +3137,13 @@ CONFIG_SND_HDA_RECONFIG=y CONFIG_SND_HDA_INPUT_BEEP=y CONFIG_SND_HDA_INPUT_BEEP_MODE=1 # CONFIG_SND_HDA_PATCH_LOADER is not set -CONFIG_SND_HDA_CODEC_REALTEK=y -# CONFIG_SND_HDA_CODEC_ANALOG is not set +# CONFIG_SND_HDA_CODEC_REALTEK is not set +CONFIG_SND_HDA_CODEC_ANALOG=y # CONFIG_SND_HDA_CODEC_SIGMATEL is not set # CONFIG_SND_HDA_CODEC_VIA is not set CONFIG_SND_HDA_CODEC_HDMI=y # CONFIG_SND_HDA_CODEC_CIRRUS is not set -# CONFIG_SND_HDA_CODEC_CONEXANT is not set +CONFIG_SND_HDA_CODEC_CONEXANT=y # CONFIG_SND_HDA_CODEC_CA0110 is not set # CONFIG_SND_HDA_CODEC_CA0132 is not set # CONFIG_SND_HDA_CODEC_CMEDIA is not set @@ -3177,10 +3267,9 @@ CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set -CONFIG_USB_OTG=y +# CONFIG_USB_OTG is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -CONFIG_USB_OTG_FSM=y # CONFIG_USB_LEDS_TRIGGER_USBPORT is not set CONFIG_USB_MON=y # CONFIG_USB_WUSB_CBAF is not set @@ -3204,12 +3293,10 @@ CONFIG_USB_EHCI_HCD_PLATFORM=y # CONFIG_USB_MAX3421_HCD is not set CONFIG_USB_OHCI_HCD=y CONFIG_USB_OHCI_HCD_PCI=y -# CONFIG_USB_OHCI_HCD_SSB is not set -# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_OHCI_HCD_PLATFORM=y CONFIG_USB_UHCI_HCD=y # CONFIG_USB_SL811_HCD is not set # CONFIG_USB_R8A66597_HCD is not set -# CONFIG_USB_HCD_SSB is not set # CONFIG_USB_HCD_TEST_MODE is not set # @@ -3251,23 +3338,8 @@ CONFIG_USB_UAS=y # CONFIG_USB_MICROTEK is not set # CONFIG_USBIP_CORE is not set # CONFIG_USB_MUSB_HDRC is not set -CONFIG_USB_DWC3=y -CONFIG_USB_DWC3_HOST=y - -# -# Platform Glue Driver Support -# -CONFIG_USB_DWC3_PCI=y -CONFIG_USB_DWC3_OF_SIMPLE=y -CONFIG_USB_DWC2=y -CONFIG_USB_DWC2_HOST=y - -# -# Gadget/Dual-role mode requires USB Gadget support to be enabled -# -# CONFIG_USB_DWC2_PCI is not set -# CONFIG_USB_DWC2_DEBUG is not set -# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_DWC3 is not set +# CONFIG_USB_DWC2 is not set # CONFIG_USB_CHIPIDEA is not set # CONFIG_USB_ISP1760 is not set @@ -3359,13 +3431,13 @@ CONFIG_USB_SERIAL_FTDI_SIO=y # # USB Physical Layer drivers # -CONFIG_USB_PHY=y +# CONFIG_USB_PHY is not set # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_GPIO_VBUS is not set # CONFIG_USB_ISP1301 is not set # CONFIG_USB_GADGET is not set -# CONFIG_USB_LED_TRIG is not set -# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=y # CONFIG_UWB is not set CONFIG_MMC=y # CONFIG_MMC_DEBUG is not set @@ -3398,7 +3470,7 @@ CONFIG_MMC_SPI=y # CONFIG_MMC_CB710 is not set # CONFIG_MMC_VIA_SDMMC is not set # CONFIG_MMC_VUB300 is not set -# CONFIG_MMC_USHC is not set +CONFIG_MMC_USHC=y # CONFIG_MMC_USDHI6ROL0 is not set # CONFIG_MMC_TOSHIBA_PCI is not set # CONFIG_MMC_MTK is not set @@ -3465,7 +3537,24 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_INFINIBAND is not set CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y -# CONFIG_EDAC is not set +CONFIG_EDAC=y +# CONFIG_EDAC_LEGACY_SYSFS is not set +# CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_MM_EDAC=y +CONFIG_EDAC_GHES=y +# CONFIG_EDAC_E752X is not set +# CONFIG_EDAC_I82975X is not set +# CONFIG_EDAC_I3000 is not set +# CONFIG_EDAC_I3200 is not set +# CONFIG_EDAC_IE31200 is not set +# CONFIG_EDAC_X38 is not set +# CONFIG_EDAC_I5400 is not set +# CONFIG_EDAC_I7CORE is not set +# CONFIG_EDAC_I5000 is not set +# CONFIG_EDAC_I5100 is not set +# CONFIG_EDAC_I7300 is not set +CONFIG_EDAC_SBRIDGE=y +# CONFIG_EDAC_SKX is not set CONFIG_RTC_LIB=y CONFIG_RTC_MC146818_LIB=y CONFIG_RTC_CLASS=y @@ -3581,11 +3670,10 @@ CONFIG_DMA_OF=y # CONFIG_FSL_EDMA is not set CONFIG_INTEL_IDMA64=y CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_MIC_X100_DMA=y # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y -# CONFIG_DW_DMAC is not set +CONFIG_DW_DMAC=y CONFIG_DW_DMAC_PCI=y CONFIG_HSU_DMA=y @@ -3601,7 +3689,8 @@ CONFIG_DMA_ENGINE_RAID=y # # CONFIG_SYNC_FILE is not set CONFIG_DCA=y -# CONFIG_AUXDISPLAY is not set +CONFIG_AUXDISPLAY=y +# CONFIG_IMG_ASCII_LCD is not set CONFIG_UIO=y # CONFIG_UIO_CIF is not set # CONFIG_UIO_PDRV_GENIRQ is not set @@ -3621,7 +3710,7 @@ CONFIG_VIRTIO=y # Virtio drivers # CONFIG_VIRTIO_PCI=y -CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_PCI_LEGACY is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_MMIO=y @@ -3630,6 +3719,7 @@ CONFIG_VIRTIO_MMIO=y # # Microsoft Hyper-V guest support # +# CONFIG_HYPERV is not set # CONFIG_STAGING is not set CONFIG_X86_PLATFORM_DEVICES=y # CONFIG_ACER_WMI is not set @@ -3726,7 +3816,7 @@ CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_FLOPPY_WA=y -# CONFIG_IRQ_REMAP is not set +CONFIG_IRQ_REMAP=y # # Remoteproc drivers @@ -3746,7 +3836,21 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y # # CONFIG_SUNXI_SRAM is not set # CONFIG_SOC_TI is not set -# CONFIG_PM_DEVFREQ is not set +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +# CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND is not set +# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set +# CONFIG_DEVFREQ_GOV_POWERSAVE is not set +# CONFIG_DEVFREQ_GOV_USERSPACE is not set +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +# CONFIG_PM_DEVFREQ_EVENT is not set # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set # CONFIG_IIO is not set @@ -3766,8 +3870,9 @@ CONFIG_GENERIC_PHY=y # CONFIG_PHY_PXA_28NM_HSIC is not set # CONFIG_PHY_PXA_28NM_USB2 is not set # CONFIG_BCM_KONA_USB2_PHY is not set -# CONFIG_PHY_SAMSUNG_USB2 is not set -# CONFIG_POWERCAP is not set +# CONFIG_PHY_TUSB1210 is not set +CONFIG_POWERCAP=y +CONFIG_INTEL_RAPL=y # CONFIG_MCB is not set # @@ -3781,6 +3886,7 @@ CONFIG_RAS=y # # CONFIG_ANDROID is not set # CONFIG_LIBNVDIMM is not set +# CONFIG_DEV_DAX is not set # CONFIG_NVMEM is not set # CONFIG_STM is not set # CONFIG_INTEL_TH is not set @@ -3846,7 +3952,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set # CONFIG_BTRFS_DEBUG is not set # CONFIG_BTRFS_ASSERT is not set -CONFIG_NILFS2_FS=y +# CONFIG_NILFS2_FS is not set CONFIG_F2FS_FS=y CONFIG_F2FS_FS_XATTR=y CONFIG_F2FS_FS_POSIX_ACL=y @@ -3866,8 +3972,14 @@ CONFIG_DNOTIFY=y CONFIG_INOTIFY_USER=y CONFIG_FANOTIFY=y # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set -# CONFIG_QUOTA is not set -# CONFIG_QUOTACTL is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_QUOTACTL_COMPAT=y # CONFIG_AUTOFS4_FS is not set CONFIG_FUSE_FS=y # CONFIG_CUSE is not set @@ -4122,6 +4234,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21 # CONFIG_RCU_EQS_DEBUG is not set # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set # CONFIG_FAULT_INJECTION is not set CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_FUNCTION_TRACER=y @@ -4195,7 +4308,7 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0 # CONFIG_OPTIMIZE_INLINING is not set # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set -CONFIG_X86_DEBUG_FPU=y +# CONFIG_X86_DEBUG_FPU is not set # # Security options @@ -4207,29 +4320,11 @@ CONFIG_X86_DEBUG_FPU=y CONFIG_PAX_PER_CPU_PGD=y CONFIG_TASK_SIZE_MAX_SHIFT=42 CONFIG_GRKERNSEC=y -CONFIG_GRKERNSEC_CONFIG_AUTO=y -# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set -# CONFIG_GRKERNSEC_CONFIG_SERVER is not set -CONFIG_GRKERNSEC_CONFIG_DESKTOP=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y -CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set -# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set -CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y - -# -# Default Special Groups -# -CONFIG_GRKERNSEC_PROC_GID=1001 -CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005 -CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006 +# CONFIG_GRKERNSEC_CONFIG_AUTO is not set +CONFIG_GRKERNSEC_CONFIG_CUSTOM=y +CONFIG_GRKERNSEC_PROC_GID=4 +CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100 +CONFIG_GRKERNSEC_SYMLINKOWN_GID=15 # # Customize Configuration @@ -4244,7 +4339,7 @@ CONFIG_PAX=y # PaX Control # # CONFIG_PAX_SOFTMODE is not set -CONFIG_PAX_EI_PAX=y +# CONFIG_PAX_EI_PAX is not set CONFIG_PAX_PT_PAX_FLAGS=y CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set @@ -4264,7 +4359,6 @@ CONFIG_PAX_KERNEXEC=y CONFIG_PAX_KERNEXEC_PLUGIN=y # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y -# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set # # Address Space Layout Randomization @@ -4306,14 +4400,14 @@ CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_MODHARDEN=y CONFIG_GRKERNSEC_HIDESYM=y CONFIG_GRKERNSEC_RANDSTRUCT=y -# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set +CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y CONFIG_GRKERNSEC_KERN_LOCKOUT=y # # Role Based Access Control Options # # CONFIG_GRKERNSEC_NO_RBAC is not set -# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set +CONFIG_GRKERNSEC_ACL_HIDEKERN=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 @@ -4327,7 +4421,7 @@ CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_SYMLINKOWN=y CONFIG_GRKERNSEC_FIFO=y -CONFIG_GRKERNSEC_SYSFS_RESTRICT=y +# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set CONFIG_GRKERNSEC_ROFS=y CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y CONFIG_GRKERNSEC_CHROOT=y @@ -4351,7 +4445,7 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y # Kernel Auditing # CONFIG_GRKERNSEC_AUDIT_GROUP=y -CONFIG_GRKERNSEC_AUDIT_GID=1007 +CONFIG_GRKERNSEC_AUDIT_GID=99 CONFIG_GRKERNSEC_EXECLOG=y CONFIG_GRKERNSEC_RESLOG=y CONFIG_GRKERNSEC_CHROOT_EXECLOG=y @@ -4376,7 +4470,7 @@ CONFIG_GRKERNSEC_HARDEN_TTY=y CONFIG_GRKERNSEC_TPE=y CONFIG_GRKERNSEC_TPE_ALL=y CONFIG_GRKERNSEC_TPE_INVERT=y -CONFIG_GRKERNSEC_TPE_GID=1005 +CONFIG_GRKERNSEC_TPE_GID=100 # # Network Protections @@ -4385,24 +4479,24 @@ CONFIG_GRKERNSEC_BLACKHOLE=y CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y CONFIG_GRKERNSEC_SOCKET=y CONFIG_GRKERNSEC_SOCKET_ALL=y -CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004 +CONFIG_GRKERNSEC_SOCKET_ALL_GID=200 CONFIG_GRKERNSEC_SOCKET_CLIENT=y -CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003 +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15 CONFIG_GRKERNSEC_SOCKET_SERVER=y -CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002 +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99 # # Physical Protections # CONFIG_GRKERNSEC_DENYUSB=y -CONFIG_GRKERNSEC_DENYUSB_FORCE=y +# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set # # Sysctl Support # CONFIG_GRKERNSEC_SYSCTL=y CONFIG_GRKERNSEC_SYSCTL_DISTRO=y -CONFIG_GRKERNSEC_SYSCTL_ON=y +# CONFIG_GRKERNSEC_SYSCTL_ON is not set # # Logging Options @@ -4423,14 +4517,12 @@ CONFIG_SECURITY_PATH=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY=y -# CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set -CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y @@ -4510,7 +4602,7 @@ CONFIG_CRYPTO_HMAC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32C_INTEL is not set +CONFIG_CRYPTO_CRC32C_INTEL=y CONFIG_CRYPTO_CRC32=y # CONFIG_CRYPTO_CRC32_PCLMUL is not set CONFIG_CRYPTO_CRCT10DIF=y @@ -4580,7 +4672,7 @@ CONFIG_CRYPTO_DES=y # Compression # CONFIG_CRYPTO_DEFLATE=y -# CONFIG_CRYPTO_LZO is not set +CONFIG_CRYPTO_LZO=y # CONFIG_CRYPTO_842 is not set # CONFIG_CRYPTO_LZ4 is not set # CONFIG_CRYPTO_LZ4HC is not set @@ -4635,6 +4727,7 @@ CONFIG_KVM_INTEL=y # CONFIG_KVM_AMD is not set # CONFIG_KVM_DEVICE_ASSIGNMENT is not set CONFIG_VHOST_NET=y +CONFIG_VHOST_SCSI=m CONFIG_VHOST_VSOCK=y CONFIG_VHOST=y CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y @@ -4678,11 +4771,11 @@ CONFIG_LZO_DECOMPRESS=y CONFIG_LZ4_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y -CONFIG_XZ_DEC_POWERPC=y -CONFIG_XZ_DEC_IA64=y -CONFIG_XZ_DEC_ARM=y -CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_XZ_DEC_SPARC=y +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set CONFIG_XZ_DEC_BCJ=y # CONFIG_XZ_DEC_TEST is not set CONFIG_DECOMPRESS_GZIP=y @@ -4697,6 +4790,7 @@ CONFIG_TEXTSEARCH_KMP=y CONFIG_TEXTSEARCH_BM=y CONFIG_TEXTSEARCH_FSM=y CONFIG_INTERVAL_TREE=y +CONFIG_RADIX_TREE_MULTIORDER=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y diff --git a/core/ports/linux-blob/port-blob-grsecurity.patch b/core/ports/linux-blob/port-blob-grsecurity.patch index 22d4580..ba2fb6d 100644 --- a/core/ports/linux-blob/port-blob-grsecurity.patch +++ b/core/ports/linux-blob/port-blob-grsecurity.patch @@ -1,5 +1,5 @@ ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:14:08.682388834 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:15:45.579051680 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:14:08.682388834 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:15:45.579051680 +0000 -diff --git a/localversion-grsec b/localversion-grsec -new file mode 100644 -index 0000000..7cd6065 @@ -10,8 +10,8 @@ diff --git a/mm/Kconfig b/mm/Kconfig index 86e3e0e..ab679cf 100644 --- a/mm/Kconfig ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 09:07:57.220274062 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 09:08:16.380274647 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 09:07:57.220274062 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 09:08:16.380274647 +0000 @@ -156547,13 +156547,6 @@ break; } diff --git a/core/ports/linux-blob/port-blob-make.patch b/core/ports/linux-blob/port-blob-make.patch index 368d592..67ee22e 100644 --- a/core/ports/linux-blob/port-blob-make.patch +++ b/core/ports/linux-blob/port-blob-make.patch @@ -3,7 +3,7 @@ @@ -1,7 +1,7 @@ VERSION = 4 PATCHLEVEL = 9 - SUBLEVEL = 11 + SUBLEVEL = 12 -EXTRAVERSION = +EXTRAVERSION = -blob NAME = Roaring Lionus diff --git a/core/ports/linux-libre/.footprint b/core/ports/linux-libre/.footprint index 1279a5d..7532882 100644 --- a/core/ports/linux-libre/.footprint +++ b/core/ports/linux-libre/.footprint @@ -1,59 +1,52 @@ drwxr-xr-x root/root boot/ --rw-r--r-- root/root boot/System.map-4.9.11-grsec --rw-r--r-- root/root boot/config-4.9.11-grsec --rw-r--r-- root/root boot/vmlinuz-4.9.11-grsec +-rw-r--r-- root/root boot/System.map-4.9.12-grsec +-rw-r--r-- root/root boot/config-4.9.12-grsec +-rw-r--r-- root/root boot/vmlinuz-4.9.12-grsec drwxr-xr-x root/root lib/ drwxr-xr-x root/root lib/modules/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/ -lrwxrwxrwx root/root lib/modules/4.9.11-grsec/build -> /usr/src/linux-4.9.11 -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/fs/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/fs/ntfs/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/fs/ntfs/ntfs.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.alias --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.alias.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.builtin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.builtin.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.dep --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.dep.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.devname (EMPTY) --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.order --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.softdep --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.symbols --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.symbols.bin -lrwxrwxrwx root/root lib/modules/4.9.11-grsec/source -> /usr/src/linux-4.9.11 +drwxr-xr-x root/root lib/modules/4.9.12-grsec/ +lrwxrwxrwx root/root lib/modules/4.9.12-grsec/build -> /usr/src/linux-4.9.12 +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/gspca/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/uvc/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/vhost/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/vhost/vhost_scsi.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/fs/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/fs/ntfs/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/fs/ntfs/ntfs.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.alias +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.alias.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.builtin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.builtin.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.dep (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.dep.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.devname (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.order +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.softdep +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.symbols +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.symbols.bin +lrwxrwxrwx root/root lib/modules/4.9.12-grsec/source -> /usr/src/linux-4.9.12 drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/src/ --rw-r--r-- root/root usr/src/4.9.11-cpu_optimizations.patch --rw-r--r-- root/root usr/src/4.9.11-libre-config --rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.11-201702181444.patch +-rw-r--r-- root/root usr/src/4.9.12-cpu_optimizations.patch +-rw-r--r-- root/root usr/src/4.9.12-libre-config +-rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.12-201702231830.patch -rw-r--r-- root/root usr/src/port-libre-cpu.patch -rw-r--r-- root/root usr/src/port-libre-grsecurity.patch -rw-r--r-- root/root usr/src/port-libre-make.patch diff --git a/core/ports/linux-libre/.md5sum b/core/ports/linux-libre/.md5sum index ddd1878..cef0720 100644 --- a/core/ports/linux-libre/.md5sum +++ b/core/ports/linux-libre/.md5sum @@ -1,7 +1,7 @@ -bf30b0af56c2621e317cab5e44d4235e config-c9 +4cfe0909ea898be7ccc712ab162be13d config-c9 00bc0d70f200c2673fe7dd6f02053fa4 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch -e4eb7eab3a40968c3bd4a0a19339a6a1 grsecurity-3.1-4.9.11-201702181444.patch -2af743d6b73201d5db83c1ccb175ed30 linux-libre-4.9.11-gnu.tar.xz +83b031b26dc0aeb3ccf8c45785253225 grsecurity-3.1-4.9.12-201702231830.patch +5b1128ad1a2b482b03dd20866c095fda linux-libre-4.9.12-gnu.tar.xz bcf38b0fbf7bd83323f3202ec082b15a port-libre-cpu.patch -f9b2f7572adec2c46c1f1be2b784490e port-libre-grsecurity.patch -ce88c28573de7b41ef686f4201d0abfa port-libre-make.patch +3a498293739a8a81f0741aaef9226812 port-libre-grsecurity.patch +74ee54e8604788162c147b7e509b8c34 port-libre-make.patch diff --git a/core/ports/linux-libre/Pkgfile b/core/ports/linux-libre/Pkgfile index 154435f..e7f824d 100644 --- a/core/ports/linux-libre/Pkgfile +++ b/core/ports/linux-libre/Pkgfile @@ -4,11 +4,11 @@ # Depends on: grub2 dracut name=linux-libre -version=4.9.11 -release=2 +version=4.9.12 +release=1 source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/$name-$version-gnu.tar.xz \ https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \ - http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \ + http://grsecurity.net/test/grsecurity-3.1-4.9.12-201702231830.patch \ port-libre-grsecurity.patch \ port-libre-cpu.patch \ port-libre-make.patch \ @@ -24,7 +24,7 @@ build() { install -m 0644 $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch # /usr/src/grsecurity-version.patch - install -m 0644 $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/ + install -m 0644 $SRC/grsecurity-3.1-4.9.12-201702231830.patch $PKG/usr/src/ install -m 0644 $SRC/port-libre-grsecurity.patch $PKG/usr/src/ install -m 0644 $SRC/port-libre-cpu.patch $PKG/usr/src/ install -m 0644 $SRC/port-libre-make.patch $PKG/usr/src/ @@ -32,19 +32,22 @@ build() { patch < port-libre-grsecurity.patch patch < port-libre-cpu.patch + # fix to build under tpe + chmod -R go-w linux-$version + cd linux-$version patch < ${SRC}/port-libre-make.patch make distclean - patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch + patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cp $SRC/config-c9 .config make silentoldconfig - make nconfig + # make nconfig # make localmodconfig install -m 0644 .config $PKG/usr/src/${version}-libre-config diff --git a/core/ports/linux-libre/config-c9 b/core/ports/linux-libre/config-c9 index 236d79e..0bd5108 100644 --- a/core/ports/linux-libre/config-c9 +++ b/core/ports/linux-libre/config-c9 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.11-grsec Kernel Configuration +# Linux/x86 4.9.12-blob Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -62,10 +62,10 @@ CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y -# CONFIG_KERNEL_GZIP is not set +CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set -CONFIG_KERNEL_XZ=y +# CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_LZO is not set # CONFIG_KERNEL_LZ4 is not set CONFIG_DEFAULT_HOSTNAME="(none)" @@ -76,11 +76,8 @@ CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_FHANDLE=y -CONFIG_AUDIT=y +# CONFIG_AUDIT is not set CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT_WATCH=y -CONFIG_AUDIT_TREE=y # # IRQ subsystem @@ -119,12 +116,13 @@ CONFIG_HIGH_RES_TIMERS=y # CONFIG_TICK_CPU_ACCOUNTING=y # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set -CONFIG_IRQ_TIME_ACCOUNTING=y +# CONFIG_IRQ_TIME_ACCOUNTING is not set CONFIG_BSD_PROCESS_ACCT=y CONFIG_BSD_PROCESS_ACCT_V3=y CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y -# CONFIG_TASK_XACCT is not set +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y # # RCU Subsystem @@ -138,7 +136,7 @@ CONFIG_RCU_STALL_COMMON=y CONFIG_BUILD_BIN2C=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=18 +CONFIG_LOG_BUF_SHIFT=19 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_NMI_LOG_BUF_SHIFT=13 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y @@ -149,14 +147,15 @@ CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y -# CONFIG_MEMCG_SWAP is not set +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_BLK_CGROUP=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y CONFIG_CGROUP_WRITEBACK=y CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y -# CONFIG_CFS_BANDWIDTH is not set -# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_PIDS=y # CONFIG_CGROUP_FREEZER is not set CONFIG_CPUSETS=y @@ -211,7 +210,7 @@ CONFIG_EPOLL=y CONFIG_SIGNALFD=y CONFIG_TIMERFD=y CONFIG_EVENTFD=y -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_SHMEM=y CONFIG_AIO=y CONFIG_ADVISE_SYSCALLS=y @@ -234,11 +233,13 @@ CONFIG_SLUB=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLUB_CPU_PARTIAL=y CONFIG_SYSTEM_DATA_VERIFICATION=y -# CONFIG_PROFILING is not set +CONFIG_PROFILING=y +# CONFIG_OPROFILE is not set CONFIG_HAVE_OPROFILE=y CONFIG_OPROFILE_NMI_TIMER=y CONFIG_KPROBES=y -# CONFIG_JUMP_LABEL is not set +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set CONFIG_OPTPROBES=y # CONFIG_UPROBES is not set # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set @@ -279,8 +280,8 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y CONFIG_HAVE_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_NONE is not set -CONFIG_CC_STACKPROTECTOR_REGULAR=y -# CONFIG_CC_STACKPROTECTOR_STRONG is not set +# CONFIG_CC_STACKPROTECTOR_REGULAR is not set +CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y @@ -299,7 +300,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set -# CONFIG_ISA_BUS_API is not set +CONFIG_ISA_BUS_API=y CONFIG_OLD_SIGSUSPEND3=y CONFIG_COMPAT_OLD_SIGACTION=y # CONFIG_CPU_NO_EFFICIENT_FFS is not set @@ -328,14 +329,16 @@ CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_SHA384 is not set # CONFIG_MODULE_SIG_SHA512 is not set CONFIG_MODULE_SIG_HASH="sha256" -# CONFIG_MODULE_COMPRESS is not set +CONFIG_MODULE_COMPRESS=y +CONFIG_MODULE_COMPRESS_GZIP=y +# CONFIG_MODULE_COMPRESS_XZ is not set CONFIG_TRIM_UNUSED_KSYMS=y CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y CONFIG_BLK_DEV_INTEGRITY=y -# CONFIG_BLK_DEV_THROTTLING is not set +CONFIG_BLK_DEV_THROTTLING=y # CONFIG_BLK_CMDLINE_PARSER is not set # @@ -399,6 +402,7 @@ CONFIG_ZONE_DMA=y CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set # CONFIG_X86_EXTENDED_PLATFORM is not set @@ -407,6 +411,14 @@ CONFIG_X86_INTEL_LPSS=y CONFIG_IOSF_MBI=y CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +# CONFIG_PARAVIRT_DEBUG is not set +CONFIG_PARAVIRT_SPINLOCKS=y +# CONFIG_XEN is not set +CONFIG_KVM_GUEST=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_PARAVIRT_CLOCK=y CONFIG_NO_BOOTMEM=y # CONFIG_MK8 is not set # CONFIG_MK8SSE3 is not set @@ -457,8 +469,8 @@ CONFIG_IOMMU_HELPER=y CONFIG_NR_CPUS=4 CONFIG_SCHED_SMT=y CONFIG_SCHED_MC=y -CONFIG_PREEMPT_NONE=y -# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT_NONE is not set +CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y @@ -494,6 +506,7 @@ CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y @@ -509,8 +522,11 @@ CONFIG_HAVE_MEMBLOCK_NODE_MAP=y CONFIG_ARCH_DISCARD_MEMBLOCK=y CONFIG_MEMORY_ISOLATION=y # CONFIG_MOVABLE_NODE is not set -# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set -# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +CONFIG_MEMORY_HOTREMOVE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_MEMORY_BALLOON=y @@ -518,18 +534,21 @@ CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y CONFIG_PHYS_ADDR_T_64BIT=y -# CONFIG_BOUNCE is not set +CONFIG_BOUNCE=y CONFIG_VIRT_TO_BUS=y CONFIG_MMU_NOTIFIER=y -# CONFIG_KSM is not set -CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_KSM=y +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y CONFIG_MEMORY_FAILURE=y -# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y +# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set +CONFIG_TRANSPARENT_HUGE_PAGECACHE=y CONFIG_CLEANCACHE=y CONFIG_FRONTSWAP=y # CONFIG_CMA is not set -# CONFIG_ZSWAP is not set +CONFIG_ZSWAP=y CONFIG_ZPOOL=y CONFIG_ZBUD=y CONFIG_Z3FOLD=y @@ -537,7 +556,9 @@ CONFIG_ZSMALLOC=y # CONFIG_PGTABLE_MAPPING is not set CONFIG_GENERIC_EARLY_IOREMAP=y CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set # CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ZONE_DEVICE=y CONFIG_FRAME_VECTOR=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y @@ -546,7 +567,9 @@ CONFIG_X86_CHECK_BIOS_CORRUPTION=y CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y CONFIG_X86_RESERVE_LOW=64 CONFIG_MTRR=y -# CONFIG_MTRR_SANITIZER is not set +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 CONFIG_X86_PAT=y CONFIG_ARCH_USES_PG_UNCACHED=y CONFIG_ARCH_RANDOM=y @@ -554,7 +577,8 @@ CONFIG_X86_SMAP=y CONFIG_X86_INTEL_MPX=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_EFI=y -# CONFIG_EFI_STUB is not set +CONFIG_EFI_STUB=y +CONFIG_EFI_MIXED=y CONFIG_SECCOMP=y # CONFIG_HZ_100 is not set # CONFIG_HZ_250 is not set @@ -567,7 +591,9 @@ CONFIG_CRASH_DUMP=y CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y CONFIG_PHYSICAL_ALIGN=0x1000000 -# CONFIG_HOTPLUG_CPU is not set +CONFIG_HOTPLUG_CPU=y +# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set +# CONFIG_DEBUG_HOTPLUG_CPU0 is not set CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_LEGACY_VSYSCALL_NONE is not set # CONFIG_CMDLINE_BOOL is not set @@ -575,6 +601,7 @@ CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y # @@ -583,6 +610,7 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND is not set CONFIG_PM=y # CONFIG_PM_DEBUG is not set +CONFIG_PM_OPP=y CONFIG_PM_CLK=y # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set CONFIG_ACPI=y @@ -591,8 +619,8 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y # CONFIG_ACPI_DEBUGGER is not set # CONFIG_ACPI_PROCFS_POWER is not set -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -# CONFIG_ACPI_EC_DEBUGFS is not set +# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set +CONFIG_ACPI_EC_DEBUGFS=y CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y CONFIG_ACPI_BUTTON=y @@ -603,7 +631,8 @@ CONFIG_ACPI_CPU_FREQ_PSS=y CONFIG_ACPI_PROCESSOR_CSTATE=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_PROCESSOR=y -# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y CONFIG_ACPI_THERMAL=y CONFIG_ACPI_NUMA=y # CONFIG_ACPI_CUSTOM_DSDT is not set @@ -613,6 +642,7 @@ CONFIG_ACPI_TABLE_UPGRADE=y CONFIG_ACPI_PCI_SLOT=y CONFIG_X86_PM_TIMER=y CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_ACPI_SBS=y CONFIG_ACPI_HED=y @@ -626,16 +656,48 @@ CONFIG_ACPI_APEI_GHES=y CONFIG_ACPI_APEI_PCIEAER=y # CONFIG_ACPI_APEI_MEMORY_FAILURE is not set # CONFIG_ACPI_APEI_ERST_DEBUG is not set -# CONFIG_DPTF_POWER is not set +CONFIG_DPTF_POWER=y # CONFIG_ACPI_EXTLOG is not set -# CONFIG_PMIC_OPREGION is not set +CONFIG_PMIC_OPREGION=y CONFIG_ACPI_CONFIGFS=y CONFIG_SFI=y # # CPU Frequency scaling # -# CONFIG_CPU_FREQ is not set +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +# CONFIG_CPU_FREQ_STAT is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y + +# +# CPU frequency scaling drivers +# +CONFIG_CPUFREQ_DT=y +CONFIG_CPUFREQ_DT_PLATDEV=y +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=y +# CONFIG_X86_POWERNOW_K8 is not set +# CONFIG_X86_SPEEDSTEP_CENTRINO is not set +# CONFIG_X86_P4_CLOCKMOD is not set + +# +# shared options +# +# CONFIG_X86_SPEEDSTEP_LIB is not set # # CPU Idle @@ -644,24 +706,25 @@ CONFIG_CPU_IDLE=y CONFIG_CPU_IDLE_GOV_LADDER=y CONFIG_CPU_IDLE_GOV_MENU=y # CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set -# CONFIG_INTEL_IDLE is not set +CONFIG_INTEL_IDLE=y # # Memory power savings # -# CONFIG_I7300_IDLE is not set +CONFIG_I7300_IDLE_IOAT_CHANNEL=y +CONFIG_I7300_IDLE=y # # Bus options (PCI etc.) # CONFIG_PCI=y CONFIG_PCI_DIRECT=y -# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_MMCONFIG=y CONFIG_PCI_DOMAINS=y # CONFIG_PCI_CNB20LE_QUIRK is not set CONFIG_PCIEPORTBUS=y CONFIG_PCIEAER=y -# CONFIG_PCIE_ECRC is not set +CONFIG_PCIE_ECRC=y # CONFIG_PCIEAER_INJECT is not set CONFIG_PCIEASPM=y # CONFIG_PCIEASPM_DEBUG is not set @@ -669,13 +732,13 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set CONFIG_PCIE_PME=y -# CONFIG_PCIE_DPC is not set -# CONFIG_PCIE_PTM is not set +CONFIG_PCIE_DPC=y +CONFIG_PCIE_PTM=y CONFIG_PCI_BUS_ADDR_T_64BIT=y CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y # CONFIG_PCI_DEBUG is not set -# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +CONFIG_PCI_REALLOC_ENABLE_AUTO=y # CONFIG_PCI_STUB is not set CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y @@ -691,11 +754,11 @@ CONFIG_PCI_LABEL=y CONFIG_PCIE_DW_PLAT=y CONFIG_PCIE_DW=y # CONFIG_VMD is not set -# CONFIG_ISA_BUS is not set +CONFIG_ISA_BUS=y CONFIG_ISA_DMA_API=y # CONFIG_PCCARD is not set # CONFIG_RAPIDIO is not set -CONFIG_X86_SYSFB=y +# CONFIG_X86_SYSFB is not set # # Executable file formats / Emulations @@ -706,7 +769,7 @@ CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set -# CONFIG_BINFMT_MISC is not set +CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y CONFIG_IA32_EMULATION=y CONFIG_IA32_AOUT=y @@ -862,7 +925,6 @@ CONFIG_NETFILTER_XT_SET=y # # Xtables targets # -CONFIG_NETFILTER_XT_TARGET_AUDIT=y CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y CONFIG_NETFILTER_XT_TARGET_CONNMARK=y @@ -1242,10 +1304,11 @@ CONFIG_HAVE_EBPF_JIT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y CONFIG_STANDALONE=y -CONFIG_PREVENT_FIRMWARE_BUILD=y +# CONFIG_PREVENT_FIRMWARE_BUILD is not set CONFIG_FW_LOADER=y CONFIG_FIRMWARE_IN_KERNEL=y -CONFIG_EXTRA_FIRMWARE="" +CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode" +CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" CONFIG_FW_LOADER_USER_HELPER=y CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y CONFIG_WANT_DEV_COREDUMP=y @@ -1318,9 +1381,7 @@ CONFIG_VIRTIO_BLK=y # CONFIG_BLK_DEV_HD is not set # CONFIG_BLK_DEV_RBD is not set # CONFIG_BLK_DEV_RSXX is not set -CONFIG_NVME_CORE=y -CONFIG_BLK_DEV_NVME=y -# CONFIG_BLK_DEV_NVME_SCSI is not set +# CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_TARGET is not set # @@ -1379,7 +1440,7 @@ CONFIG_INTEL_MEI_TXE=y # # Intel MIC Bus Driver # -CONFIG_INTEL_MIC_BUS=y +# CONFIG_INTEL_MIC_BUS is not set # # SCIF Bus Driver @@ -1537,7 +1598,7 @@ CONFIG_SATA_AHCI_PLATFORM=y CONFIG_MD=y CONFIG_BLK_DEV_MD=y CONFIG_MD_AUTODETECT=y -# CONFIG_MD_LINEAR is not set +CONFIG_MD_LINEAR=y CONFIG_MD_RAID0=y CONFIG_MD_RAID1=y CONFIG_MD_RAID10=y @@ -1571,7 +1632,13 @@ CONFIG_DM_UEVENT=y # CONFIG_DM_VERITY is not set # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set -# CONFIG_TARGET_CORE is not set +CONFIG_TARGET_CORE=y +# CONFIG_TCM_IBLOCK is not set +# CONFIG_TCM_FILEIO is not set +# CONFIG_TCM_PSCSI is not set +# CONFIG_TCM_USER2 is not set +# CONFIG_LOOPBACK_TARGET is not set +# CONFIG_ISCSI_TARGET is not set CONFIG_FUSION=y CONFIG_FUSION_SPI=y CONFIG_FUSION_FC=y @@ -1747,11 +1814,10 @@ CONFIG_WLAN_VENDOR_INTEL=y # CONFIG_IPW2200 is not set # CONFIG_IWL4965 is not set # CONFIG_IWL3945 is not set -CONFIG_IWLWIFI=m +CONFIG_IWLWIFI=y CONFIG_IWLWIFI_LEDS=y -CONFIG_IWLDVM=m -CONFIG_IWLMVM=m -CONFIG_IWLWIFI_OPMODE_MODULAR=y +CONFIG_IWLDVM=y +CONFIG_IWLMVM=y # CONFIG_IWLWIFI_BCAST_FILTERING is not set CONFIG_IWLWIFI_PCIE_RTPM=y @@ -1843,6 +1909,7 @@ CONFIG_MOUSE_PS2_ELANTECH=y # CONFIG_MOUSE_PS2_SENTELIC is not set # CONFIG_MOUSE_PS2_TOUCHKIT is not set CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_PS2_VMMOUSE is not set CONFIG_MOUSE_SERIAL=y # CONFIG_MOUSE_APPLETOUCH is not set # CONFIG_MOUSE_BCM5974 is not set @@ -1962,7 +2029,7 @@ CONFIG_I2C_MUX=y # Multiplexer I2C Chip support # # CONFIG_I2C_ARB_GPIO_CHALLENGE is not set -CONFIG_I2C_MUX_GPIO=y +# CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PCA954x is not set # CONFIG_I2C_MUX_PINCTRL is not set @@ -1986,7 +2053,7 @@ CONFIG_I2C_ALGOBIT=y # CONFIG_I2C_AMD8111 is not set CONFIG_I2C_I801=y # CONFIG_I2C_ISCH is not set -# CONFIG_I2C_ISMT is not set +CONFIG_I2C_ISMT=y # CONFIG_I2C_PIIX4 is not set # CONFIG_I2C_NFORCE2 is not set # CONFIG_I2C_SIS5595 is not set @@ -2007,7 +2074,7 @@ CONFIG_I2C_SCMI=y CONFIG_I2C_DESIGNWARE_CORE=y CONFIG_I2C_DESIGNWARE_PLATFORM=y CONFIG_I2C_DESIGNWARE_PCI=y -# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set +CONFIG_I2C_DESIGNWARE_BAYTRAIL=y # CONFIG_I2C_EMEV2 is not set # CONFIG_I2C_GPIO is not set # CONFIG_I2C_OCORES is not set @@ -2048,9 +2115,9 @@ CONFIG_SPI_BITBANG=y # CONFIG_SPI_CADENCE is not set CONFIG_SPI_DESIGNWARE=y CONFIG_SPI_DW_PCI=y -# CONFIG_SPI_DW_MID_DMA is not set +CONFIG_SPI_DW_MID_DMA=y CONFIG_SPI_DW_MMIO=y -CONFIG_SPI_GPIO=y +# CONFIG_SPI_GPIO is not set # CONFIG_SPI_FSL_SPI is not set # CONFIG_SPI_OC_TINY is not set # CONFIG_SPI_PXA2XX is not set @@ -2067,7 +2134,7 @@ CONFIG_SPI_GPIO=y # CONFIG_SPI_SPIDEV is not set # CONFIG_SPI_LOOPBACK_TEST is not set # CONFIG_SPI_TLE62X0 is not set -# CONFIG_SPMI is not set +CONFIG_SPMI=y # CONFIG_HSI is not set # @@ -2108,7 +2175,7 @@ CONFIG_GPIOLIB=y CONFIG_OF_GPIO=y CONFIG_GPIO_ACPI=y # CONFIG_DEBUG_GPIO is not set -CONFIG_GPIO_SYSFS=y +# CONFIG_GPIO_SYSFS is not set # # Memory mapped GPIO drivers @@ -2119,7 +2186,7 @@ CONFIG_GPIO_SYSFS=y # CONFIG_GPIO_DWAPB is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_GRGPIO is not set -CONFIG_GPIO_ICH=y +# CONFIG_GPIO_ICH is not set # CONFIG_GPIO_LYNXPOINT is not set # CONFIG_GPIO_MOCKUP is not set # CONFIG_GPIO_VX855 is not set @@ -2129,10 +2196,15 @@ CONFIG_GPIO_ICH=y # # Port-mapped I/O GPIO drivers # +# CONFIG_GPIO_104_DIO_48E is not set +# CONFIG_GPIO_104_IDIO_16 is not set +# CONFIG_GPIO_104_IDI_48 is not set # CONFIG_GPIO_F7188X is not set +# CONFIG_GPIO_GPIO_MM is not set # CONFIG_GPIO_IT87 is not set # CONFIG_GPIO_SCH is not set # CONFIG_GPIO_SCH311X is not set +# CONFIG_GPIO_WS16C48 is not set # # I2C GPIO expanders @@ -2176,7 +2248,34 @@ CONFIG_GPIO_ICH=y # # USB GPIO expanders # -# CONFIG_W1 is not set +CONFIG_W1=y +CONFIG_W1_CON=y + +# +# 1-wire Bus Masters +# +# CONFIG_W1_MASTER_MATROX is not set +# CONFIG_W1_MASTER_DS2490 is not set +# CONFIG_W1_MASTER_DS2482 is not set +# CONFIG_W1_MASTER_DS1WM is not set +# CONFIG_W1_MASTER_GPIO is not set + +# +# 1-wire Slaves +# +CONFIG_W1_SLAVE_THERM=y +# CONFIG_W1_SLAVE_SMEM is not set +# CONFIG_W1_SLAVE_DS2408 is not set +# CONFIG_W1_SLAVE_DS2413 is not set +# CONFIG_W1_SLAVE_DS2406 is not set +# CONFIG_W1_SLAVE_DS2423 is not set +# CONFIG_W1_SLAVE_DS2431 is not set +# CONFIG_W1_SLAVE_DS2433 is not set +# CONFIG_W1_SLAVE_DS2760 is not set +# CONFIG_W1_SLAVE_DS2780 is not set +# CONFIG_W1_SLAVE_DS2781 is not set +# CONFIG_W1_SLAVE_DS28E04 is not set +# CONFIG_W1_SLAVE_BQ27000 is not set # CONFIG_POWER_AVS is not set # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y @@ -2190,7 +2289,6 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_BQ27XXX is not set # CONFIG_BATTERY_MAX17040 is not set # CONFIG_BATTERY_MAX17042 is not set -# CONFIG_CHARGER_ISP1704 is not set # CONFIG_CHARGER_MAX8903 is not set # CONFIG_CHARGER_LP8727 is not set # CONFIG_CHARGER_GPIO is not set @@ -2361,12 +2459,14 @@ CONFIG_THERMAL_GOV_STEP_WISE=y # CONFIG_THERMAL_GOV_BANG_BANG is not set CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +# CONFIG_CPU_THERMAL is not set +# CONFIG_CLOCK_THERMAL is not set +# CONFIG_DEVFREQ_THERMAL is not set # CONFIG_THERMAL_EMULATION is not set # CONFIG_QORIQ_THERMAL is not set # CONFIG_INTEL_POWERCLAMP is not set CONFIG_X86_PKG_TEMP_THERMAL=y -CONFIG_INTEL_SOC_DTS_IOSF_CORE=y -CONFIG_INTEL_SOC_DTS_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set # # ACPI INT340X thermal drivers @@ -2375,7 +2475,7 @@ CONFIG_INTEL_SOC_DTS_THERMAL=y CONFIG_INTEL_PCH_THERMAL=y CONFIG_WATCHDOG=y CONFIG_WATCHDOG_CORE=y -CONFIG_WATCHDOG_NOWAYOUT=y +# CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_WATCHDOG_SYSFS=y # @@ -2393,6 +2493,7 @@ CONFIG_WATCHDOG_SYSFS=y # CONFIG_ADVANTECH_WDT is not set # CONFIG_ALIM1535_WDT is not set # CONFIG_ALIM7101_WDT is not set +# CONFIG_EBC_C384_WDT is not set # CONFIG_F71808E_WDT is not set # CONFIG_SP5100_TCO is not set # CONFIG_SBC_FITPC2_WATCHDOG is not set @@ -2444,18 +2545,7 @@ CONFIG_SSB_POSSIBLE=y # # Sonics Silicon Backplane # -CONFIG_SSB=y -CONFIG_SSB_SPROM=y -CONFIG_SSB_PCIHOST_POSSIBLE=y -CONFIG_SSB_PCIHOST=y -# CONFIG_SSB_B43_PCI_BRIDGE is not set -CONFIG_SSB_SDIOHOST_POSSIBLE=y -# CONFIG_SSB_SDIOHOST is not set -# CONFIG_SSB_SILENT is not set -# CONFIG_SSB_DEBUG is not set -CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y -CONFIG_SSB_DRIVER_PCICORE=y -# CONFIG_SSB_DRIVER_GPIO is not set +# CONFIG_SSB is not set CONFIG_BCMA_POSSIBLE=y # @@ -2751,7 +2841,7 @@ CONFIG_AGP_INTEL=y # CONFIG_AGP_VIA is not set CONFIG_INTEL_GTT=y CONFIG_VGA_ARB=y -CONFIG_VGA_ARB_MAX_GPUS=1 +CONFIG_VGA_ARB_MAX_GPUS=2 # CONFIG_VGA_SWITCHEROO is not set CONFIG_DRM=y CONFIG_DRM_MIPI_DSI=y @@ -3047,13 +3137,13 @@ CONFIG_SND_HDA_RECONFIG=y CONFIG_SND_HDA_INPUT_BEEP=y CONFIG_SND_HDA_INPUT_BEEP_MODE=1 # CONFIG_SND_HDA_PATCH_LOADER is not set -CONFIG_SND_HDA_CODEC_REALTEK=y -# CONFIG_SND_HDA_CODEC_ANALOG is not set +# CONFIG_SND_HDA_CODEC_REALTEK is not set +CONFIG_SND_HDA_CODEC_ANALOG=y # CONFIG_SND_HDA_CODEC_SIGMATEL is not set # CONFIG_SND_HDA_CODEC_VIA is not set CONFIG_SND_HDA_CODEC_HDMI=y # CONFIG_SND_HDA_CODEC_CIRRUS is not set -# CONFIG_SND_HDA_CODEC_CONEXANT is not set +CONFIG_SND_HDA_CODEC_CONEXANT=y # CONFIG_SND_HDA_CODEC_CA0110 is not set # CONFIG_SND_HDA_CODEC_CA0132 is not set # CONFIG_SND_HDA_CODEC_CMEDIA is not set @@ -3177,10 +3267,9 @@ CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set -CONFIG_USB_OTG=y +# CONFIG_USB_OTG is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -CONFIG_USB_OTG_FSM=y # CONFIG_USB_LEDS_TRIGGER_USBPORT is not set CONFIG_USB_MON=y # CONFIG_USB_WUSB_CBAF is not set @@ -3204,12 +3293,10 @@ CONFIG_USB_EHCI_HCD_PLATFORM=y # CONFIG_USB_MAX3421_HCD is not set CONFIG_USB_OHCI_HCD=y CONFIG_USB_OHCI_HCD_PCI=y -# CONFIG_USB_OHCI_HCD_SSB is not set -# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_OHCI_HCD_PLATFORM=y CONFIG_USB_UHCI_HCD=y # CONFIG_USB_SL811_HCD is not set # CONFIG_USB_R8A66597_HCD is not set -# CONFIG_USB_HCD_SSB is not set # CONFIG_USB_HCD_TEST_MODE is not set # @@ -3251,23 +3338,8 @@ CONFIG_USB_UAS=y # CONFIG_USB_MICROTEK is not set # CONFIG_USBIP_CORE is not set # CONFIG_USB_MUSB_HDRC is not set -CONFIG_USB_DWC3=y -CONFIG_USB_DWC3_HOST=y - -# -# Platform Glue Driver Support -# -CONFIG_USB_DWC3_PCI=y -CONFIG_USB_DWC3_OF_SIMPLE=y -CONFIG_USB_DWC2=y -CONFIG_USB_DWC2_HOST=y - -# -# Gadget/Dual-role mode requires USB Gadget support to be enabled -# -# CONFIG_USB_DWC2_PCI is not set -# CONFIG_USB_DWC2_DEBUG is not set -# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_DWC3 is not set +# CONFIG_USB_DWC2 is not set # CONFIG_USB_CHIPIDEA is not set # CONFIG_USB_ISP1760 is not set @@ -3359,13 +3431,13 @@ CONFIG_USB_SERIAL_FTDI_SIO=y # # USB Physical Layer drivers # -CONFIG_USB_PHY=y +# CONFIG_USB_PHY is not set # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_GPIO_VBUS is not set # CONFIG_USB_ISP1301 is not set # CONFIG_USB_GADGET is not set -# CONFIG_USB_LED_TRIG is not set -# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=y # CONFIG_UWB is not set CONFIG_MMC=y # CONFIG_MMC_DEBUG is not set @@ -3398,7 +3470,7 @@ CONFIG_MMC_SPI=y # CONFIG_MMC_CB710 is not set # CONFIG_MMC_VIA_SDMMC is not set # CONFIG_MMC_VUB300 is not set -# CONFIG_MMC_USHC is not set +CONFIG_MMC_USHC=y # CONFIG_MMC_USDHI6ROL0 is not set # CONFIG_MMC_TOSHIBA_PCI is not set # CONFIG_MMC_MTK is not set @@ -3465,7 +3537,24 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_INFINIBAND is not set CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y -# CONFIG_EDAC is not set +CONFIG_EDAC=y +# CONFIG_EDAC_LEGACY_SYSFS is not set +# CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_MM_EDAC=y +CONFIG_EDAC_GHES=y +# CONFIG_EDAC_E752X is not set +# CONFIG_EDAC_I82975X is not set +# CONFIG_EDAC_I3000 is not set +# CONFIG_EDAC_I3200 is not set +# CONFIG_EDAC_IE31200 is not set +# CONFIG_EDAC_X38 is not set +# CONFIG_EDAC_I5400 is not set +# CONFIG_EDAC_I7CORE is not set +# CONFIG_EDAC_I5000 is not set +# CONFIG_EDAC_I5100 is not set +# CONFIG_EDAC_I7300 is not set +CONFIG_EDAC_SBRIDGE=y +# CONFIG_EDAC_SKX is not set CONFIG_RTC_LIB=y CONFIG_RTC_MC146818_LIB=y CONFIG_RTC_CLASS=y @@ -3581,11 +3670,10 @@ CONFIG_DMA_OF=y # CONFIG_FSL_EDMA is not set CONFIG_INTEL_IDMA64=y CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_MIC_X100_DMA=y # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y -# CONFIG_DW_DMAC is not set +CONFIG_DW_DMAC=y CONFIG_DW_DMAC_PCI=y CONFIG_HSU_DMA=y @@ -3601,7 +3689,8 @@ CONFIG_DMA_ENGINE_RAID=y # # CONFIG_SYNC_FILE is not set CONFIG_DCA=y -# CONFIG_AUXDISPLAY is not set +CONFIG_AUXDISPLAY=y +# CONFIG_IMG_ASCII_LCD is not set CONFIG_UIO=y # CONFIG_UIO_CIF is not set # CONFIG_UIO_PDRV_GENIRQ is not set @@ -3621,7 +3710,7 @@ CONFIG_VIRTIO=y # Virtio drivers # CONFIG_VIRTIO_PCI=y -CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_PCI_LEGACY is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_MMIO=y @@ -3630,6 +3719,7 @@ CONFIG_VIRTIO_MMIO=y # # Microsoft Hyper-V guest support # +# CONFIG_HYPERV is not set # CONFIG_STAGING is not set CONFIG_X86_PLATFORM_DEVICES=y # CONFIG_ACER_WMI is not set @@ -3726,7 +3816,7 @@ CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_FLOPPY_WA=y -# CONFIG_IRQ_REMAP is not set +CONFIG_IRQ_REMAP=y # # Remoteproc drivers @@ -3746,7 +3836,21 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y # # CONFIG_SUNXI_SRAM is not set # CONFIG_SOC_TI is not set -# CONFIG_PM_DEVFREQ is not set +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +# CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND is not set +# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set +# CONFIG_DEVFREQ_GOV_POWERSAVE is not set +# CONFIG_DEVFREQ_GOV_USERSPACE is not set +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +# CONFIG_PM_DEVFREQ_EVENT is not set # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set # CONFIG_IIO is not set @@ -3766,8 +3870,9 @@ CONFIG_GENERIC_PHY=y # CONFIG_PHY_PXA_28NM_HSIC is not set # CONFIG_PHY_PXA_28NM_USB2 is not set # CONFIG_BCM_KONA_USB2_PHY is not set -# CONFIG_PHY_SAMSUNG_USB2 is not set -# CONFIG_POWERCAP is not set +# CONFIG_PHY_TUSB1210 is not set +CONFIG_POWERCAP=y +CONFIG_INTEL_RAPL=y # CONFIG_MCB is not set # @@ -3781,6 +3886,7 @@ CONFIG_RAS=y # # CONFIG_ANDROID is not set # CONFIG_LIBNVDIMM is not set +# CONFIG_DEV_DAX is not set # CONFIG_NVMEM is not set # CONFIG_STM is not set # CONFIG_INTEL_TH is not set @@ -3846,7 +3952,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set # CONFIG_BTRFS_DEBUG is not set # CONFIG_BTRFS_ASSERT is not set -CONFIG_NILFS2_FS=y +# CONFIG_NILFS2_FS is not set CONFIG_F2FS_FS=y CONFIG_F2FS_FS_XATTR=y CONFIG_F2FS_FS_POSIX_ACL=y @@ -3866,8 +3972,14 @@ CONFIG_DNOTIFY=y CONFIG_INOTIFY_USER=y CONFIG_FANOTIFY=y # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set -# CONFIG_QUOTA is not set -# CONFIG_QUOTACTL is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_QUOTACTL_COMPAT=y # CONFIG_AUTOFS4_FS is not set CONFIG_FUSE_FS=y # CONFIG_CUSE is not set @@ -4122,6 +4234,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21 # CONFIG_RCU_EQS_DEBUG is not set # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set # CONFIG_FAULT_INJECTION is not set CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_FUNCTION_TRACER=y @@ -4195,7 +4308,7 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0 # CONFIG_OPTIMIZE_INLINING is not set # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set -CONFIG_X86_DEBUG_FPU=y +# CONFIG_X86_DEBUG_FPU is not set # # Security options @@ -4207,29 +4320,11 @@ CONFIG_X86_DEBUG_FPU=y CONFIG_PAX_PER_CPU_PGD=y CONFIG_TASK_SIZE_MAX_SHIFT=42 CONFIG_GRKERNSEC=y -CONFIG_GRKERNSEC_CONFIG_AUTO=y -# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set -# CONFIG_GRKERNSEC_CONFIG_SERVER is not set -CONFIG_GRKERNSEC_CONFIG_DESKTOP=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y -CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set -# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set -CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y - -# -# Default Special Groups -# -CONFIG_GRKERNSEC_PROC_GID=1001 -CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005 -CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006 +# CONFIG_GRKERNSEC_CONFIG_AUTO is not set +CONFIG_GRKERNSEC_CONFIG_CUSTOM=y +CONFIG_GRKERNSEC_PROC_GID=4 +CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100 +CONFIG_GRKERNSEC_SYMLINKOWN_GID=15 # # Customize Configuration @@ -4244,7 +4339,7 @@ CONFIG_PAX=y # PaX Control # # CONFIG_PAX_SOFTMODE is not set -CONFIG_PAX_EI_PAX=y +# CONFIG_PAX_EI_PAX is not set CONFIG_PAX_PT_PAX_FLAGS=y CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set @@ -4264,7 +4359,6 @@ CONFIG_PAX_KERNEXEC=y CONFIG_PAX_KERNEXEC_PLUGIN=y # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y -# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set # # Address Space Layout Randomization @@ -4306,14 +4400,14 @@ CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_MODHARDEN=y CONFIG_GRKERNSEC_HIDESYM=y CONFIG_GRKERNSEC_RANDSTRUCT=y -# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set +CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y CONFIG_GRKERNSEC_KERN_LOCKOUT=y # # Role Based Access Control Options # # CONFIG_GRKERNSEC_NO_RBAC is not set -# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set +CONFIG_GRKERNSEC_ACL_HIDEKERN=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 @@ -4327,7 +4421,7 @@ CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_SYMLINKOWN=y CONFIG_GRKERNSEC_FIFO=y -CONFIG_GRKERNSEC_SYSFS_RESTRICT=y +# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set CONFIG_GRKERNSEC_ROFS=y CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y CONFIG_GRKERNSEC_CHROOT=y @@ -4351,7 +4445,7 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y # Kernel Auditing # CONFIG_GRKERNSEC_AUDIT_GROUP=y -CONFIG_GRKERNSEC_AUDIT_GID=1007 +CONFIG_GRKERNSEC_AUDIT_GID=99 CONFIG_GRKERNSEC_EXECLOG=y CONFIG_GRKERNSEC_RESLOG=y CONFIG_GRKERNSEC_CHROOT_EXECLOG=y @@ -4376,7 +4470,7 @@ CONFIG_GRKERNSEC_HARDEN_TTY=y CONFIG_GRKERNSEC_TPE=y CONFIG_GRKERNSEC_TPE_ALL=y CONFIG_GRKERNSEC_TPE_INVERT=y -CONFIG_GRKERNSEC_TPE_GID=1005 +CONFIG_GRKERNSEC_TPE_GID=100 # # Network Protections @@ -4385,24 +4479,24 @@ CONFIG_GRKERNSEC_BLACKHOLE=y CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y CONFIG_GRKERNSEC_SOCKET=y CONFIG_GRKERNSEC_SOCKET_ALL=y -CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004 +CONFIG_GRKERNSEC_SOCKET_ALL_GID=200 CONFIG_GRKERNSEC_SOCKET_CLIENT=y -CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003 +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15 CONFIG_GRKERNSEC_SOCKET_SERVER=y -CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002 +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99 # # Physical Protections # CONFIG_GRKERNSEC_DENYUSB=y -CONFIG_GRKERNSEC_DENYUSB_FORCE=y +# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set # # Sysctl Support # CONFIG_GRKERNSEC_SYSCTL=y CONFIG_GRKERNSEC_SYSCTL_DISTRO=y -CONFIG_GRKERNSEC_SYSCTL_ON=y +# CONFIG_GRKERNSEC_SYSCTL_ON is not set # # Logging Options @@ -4423,14 +4517,12 @@ CONFIG_SECURITY_PATH=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY=y -# CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set -CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y @@ -4510,7 +4602,7 @@ CONFIG_CRYPTO_HMAC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32C_INTEL is not set +CONFIG_CRYPTO_CRC32C_INTEL=y CONFIG_CRYPTO_CRC32=y # CONFIG_CRYPTO_CRC32_PCLMUL is not set CONFIG_CRYPTO_CRCT10DIF=y @@ -4580,7 +4672,7 @@ CONFIG_CRYPTO_DES=y # Compression # CONFIG_CRYPTO_DEFLATE=y -# CONFIG_CRYPTO_LZO is not set +CONFIG_CRYPTO_LZO=y # CONFIG_CRYPTO_842 is not set # CONFIG_CRYPTO_LZ4 is not set # CONFIG_CRYPTO_LZ4HC is not set @@ -4635,6 +4727,7 @@ CONFIG_KVM_INTEL=y # CONFIG_KVM_AMD is not set # CONFIG_KVM_DEVICE_ASSIGNMENT is not set CONFIG_VHOST_NET=y +CONFIG_VHOST_SCSI=m CONFIG_VHOST_VSOCK=y CONFIG_VHOST=y CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y @@ -4678,11 +4771,11 @@ CONFIG_LZO_DECOMPRESS=y CONFIG_LZ4_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y -CONFIG_XZ_DEC_POWERPC=y -CONFIG_XZ_DEC_IA64=y -CONFIG_XZ_DEC_ARM=y -CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_XZ_DEC_SPARC=y +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set CONFIG_XZ_DEC_BCJ=y # CONFIG_XZ_DEC_TEST is not set CONFIG_DECOMPRESS_GZIP=y @@ -4697,6 +4790,7 @@ CONFIG_TEXTSEARCH_KMP=y CONFIG_TEXTSEARCH_BM=y CONFIG_TEXTSEARCH_FSM=y CONFIG_INTERVAL_TREE=y +CONFIG_RADIX_TREE_MULTIORDER=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y diff --git a/core/ports/linux-libre/port-libre-grsecurity.patch b/core/ports/linux-libre/port-libre-grsecurity.patch index cecd956..981257a 100644 --- a/core/ports/linux-libre/port-libre-grsecurity.patch +++ b/core/ports/linux-libre/port-libre-grsecurity.patch @@ -1,5 +1,5 @@ ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:14:08.682388834 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:15:45.579051680 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:14:08.682388834 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:15:45.579051680 +0000 @@ -90805,59 +90805,6 @@ if (!file->private_data) return -ENOMEM; diff --git a/core/ports/linux-libre/port-libre-make.patch b/core/ports/linux-libre/port-libre-make.patch index dfbd8af..51bf8b6 100644 --- a/core/ports/linux-libre/port-libre-make.patch +++ b/core/ports/linux-libre/port-libre-make.patch @@ -3,7 +3,7 @@ @@ -1,7 +1,7 @@ VERSION = 4 PATCHLEVEL = 9 - SUBLEVEL = 11 + SUBLEVEL = 12 -EXTRAVERSION = -gnu +EXTRAVERSION = -grsec NAME = Roaring Lionus diff --git a/core/reboot.html b/core/reboot.html index 23e2996..fd1adfc 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -31,7 +31,7 @@ /bin/bash --login </pre> - <h2 id="linux">1.4.1. Linux Kernel</h2> + <h2 id="linux">1.4.1. Port kernel</h2> <p>Core ports have two <a href="linux.html">linux kernels</a>, @@ -43,11 +43,10 @@ correct graphic driver and disk. Port linux-blob is dangerous, contain blobs (from bad corporations).</p> - <p>Addition to upstream kernel is applied a patch with - more cpu families gcc optimizations and grsecurity patch. - Check tpe protection configuration on - <a href="linux.html#sysctl">sysctl</a> if breaks functionality - during initial configuration.</p> + <p>Both ports apply grsecurity patch and are configured in + a way that break building some packages and have performance + impact in building process. Solution is to have several kernels, + production, testing, debug with one of them without grsecurity.</p> <pre> # cd /usr/ports/c9-ports/linux-libre diff --git a/core/samhain.html b/core/samhain.html new file mode 100644 index 0000000..74f88fd --- /dev/null +++ b/core/samhain.html @@ -0,0 +1,265 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>2.2.4. Samhain</title> + </head> + <body> + + <a href="index.html">Core OS Index</a> + + <h1 id="samhain">2.2.4. Samhain</h1> + + <p>Read + <a href="http://www.la-samhna.de/samhain/manual/">Samhain Manual</a>, + samhain is a file and host integrity and intrusion alert system + suitable for single hosts as well as for large, UNIX-based networks. + samhain offers advanced features to support and facilitate + centralized monitoring.</p> + + <p>The client (or standalone) part is called samhain, while the + server is referred to as yule. Both can run as daemon processes.</p> + + <p>Most of the options require being defined at compile time, is + easy to start with basic and then compile as more features are + required.</p> + + <pre> + $ sudo prt-get depinst samhain + </pre> + + <dl> + <dt>/var/lib/samhain/samhain_file</dt> + <dd>signature database</dd> + <dt>/etc/samhainrc</dt> + <dd>configuration file</dd> + <dt>/var/log/samhain.log</dt> + <dd>log file</dd> + </dl> + + <h2 id="conf">2.2.4.1. Configure</h2> + + <p>For more information on configuration check + <a href="http://www.la-samhna.de/samhain/manual/filedef.htm">Monitoring Policies</a>. + Description of section headings;</p> + + <dl> + <dt>ReadOnly</dt> + + <dd>All modifications except access times will be + reported for these files.</dd> + <dd>Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, checksum, size, mtime, ctime.</dd> + + <dt>LogFiles</dt> + + <dd>Modifications of timestamps, file size, and signature will be + ignored.</dd> + <dd>Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode.<dd> + + <dt>GrowingLogFiles</dt> + + <dd>Modifications of timestamps, and signature will be ignored. + Modification of the file size will only be ignored if the file size + has increased.</dd> + <dd>Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, size >= previous_size, checksum(file start + up to previous size) equals previous checksum.</dd> + + <dt>Attributes</dt> + + <dd>Only modifications of ownership, access permissions, and device + number will be checked.</dd> + <dd>Checked: owner, group, permissions, file type, device number.</dd> + + <dt>IgnoreAll</dt> + + <dd>No modifications will be reported. However, the existence of the + specified file or directory will still be checked.</dd> + + <dt>IgnoreNone</dt> + + <dd>All modifications, including access time, but excluding ctime, will + be reported - checking atime and ctime would require to play with + the system clock.</dd> + <dd>Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, checksum, size, mtime, atime.</dd> + + </dl> + + <pre> + $ vim /etc/samhainrc + </pre> + + <p>This is just a resume, there is a complete template + on crux ports?.</p> + + <pre> + [Misc] + + [ReadOnly] + dir = 0/ + + [Attributes] + file = /tmp + file = /dev + file = /media + file = /proc + file = /sys + + [ReadOnly] + dir = 99/etc + + [Attributes] + file = /etc/mtab + file = /etc/adjtime + file = /etc/motd + file = /etc/fstab + + file = /etc + + [ReadOnly] + dir = 99/boot + + [ReadOnly] + dir = 99/bin + dir = 99/sbin + + [ReadOnly] + dir = 99/lib + + [Attributes] + dir = 99/dev + + [IgnoreAll] + dir = -1/dev/pts + + [ReadOnly] + dir = 99/usr + + [IgnoreAll] + dir = -1/usr/ports/core + dir = -1/usr/ports/opt + dir = -1/usr/ports/contrib + dir = -1/usr/ports/work + dir = -1/usr/ports/distfiles + + [ReadOnly] + dir = 99/var + + [IgnoreAll] + dir = -1/var/cache + dir = -1/var/lock + dir = -1/var/mail + dir = -1/var/run + dir = -1/var/spool + dir = -1/var/tmp + + [Attributes] + + file = /var/lib/mlocate + file = /var/lib/mlocate/mlocate.db + file = /var/lib/urandom + file = /var/lib/urandom/seed + + [GrowingLogFiles] + dir = 99/var/log + + file = /var/log/samhain.log.lock + + [Attributes] + file = /var/log/old/*.[0-9].gz + + [Misc] + IgnoreAdded = /var/log/.*\.[0-9]+$ + IgnoreAdded = /var/log/.*\.[0-9]+\.gz$ + IgnoreAdded = /var/log/.*\.[0-9]+\.log$ + IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$ + IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$ + IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$ + IgnoreAdded = /var/lib/slocate/slocate.db.tmp + IgnoreMissing = /var/lib/slocate/slocate.db.tmp + + [IgnoreNone] + + [Prelink] + + [User0] + + [User1] + + [EventSeverity] + + [Log] + MailSeverity=notice + PrintSeverity=none + + [Misc] + Daemon = yes + ChecksumTest=check + SetNiceLevel = 19 + SetIOLimit = 500 + SetLoopTime = 600 + SetFileCheckTime = 7200 + ReportOnlyOnce = True + SetMailTime = 86400 + SetMailNum = 10 + SetMailAddress=root@localhost + SyslogFacility=LOG_LOCAL2 + + </pre> + + <p>Initialize database;</p> + + <pre> + # samhain -t init -p notice + </pre> + + <p>If you want to "restart" remove samhain_file and run again + the command above. If daemon is set on config file you just + need to run;</p> + + <pre> + # samhain -t check -p notice + </pre> + + <p>To control daemon;</p> + + <pre> + # samhain stop + # samhain start + # samhain restart + # samhain reload or force-reload + # samhain status + </pre> + + <h2 id="updatedb">2.2.4.2. Update database</h2> + + <p><a href="http://www.la-samhna.de/samhain/manual/updating-the-file-signature-database.html">Manual</a>, + You can update the database while the daemon is running, as long + as you don't interfere with its logging. Using flag -l like this + samhain -t update -l none make sure the log file is not accessed.</p> + + <pre> + # samhain -t update -l none --interactive + </pre> + + <p>Interactive update are supported with the command line flag + --interactive. A file with a list of good files, absolute path, + one per line, can be passed with flag --listfile. Example;</p> + + <pre> + # samhain -t update -l none --listfile=/root/list_of_files + </pre> + + <a href="index.html">Core OS Index</a> + <p> + This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> diff --git a/core/sysctl.html b/core/sysctl.html index 4e13209..d85aca4 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2.3. Sysctl</title> + <title>2.2.2. Sysctl</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1 id="sysctl">2.2.3. Sysctl</h1> + <h1 id="sysctl">2.2.2. Sysctl</h1> <p>Sysctl references <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>, @@ -51,7 +51,7 @@ # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. - kernel.grsecurity.disable_priv_io = 0 + kernel.grsecurity.disable_priv_io = 1 # If you say Y here, attempts to bruteforce exploits against forking # daemons such as apache or sshd, as well as against suid/sgid binaries @@ -85,7 +85,7 @@ # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 0 + kernel.grsecurity.linking_restrictions = 1 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -99,15 +99,15 @@ # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. - kernel.grsecurity.enforce_symlinksifowner = 0 - #kernel.grsecurity.symlinkown_gid = 33 + kernel.grsecurity.enforce_symlinksifowner = 1 + kernel.grsecurity.symlinkown_gid = 15 # if you say Y here, users will not be able to write to FIFOs they don't # own in world-writable +t directories (e.g. /tmp), unless the owner of # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. - kernel.grsecurity.fifo_restrictions = 0 + kernel.grsecurity.fifo_restrictions = 1 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -123,7 +123,7 @@ # and GRKERNSEC_IO should be enabled and module loading disabled via # config or at runtime. # This feature is mainly intended for secure embedded systems. - #kernel.grsecurity.romount_protect = 0 + #kernel.grsecurity.romount_protect = 1 # if you say Y here, the capabilities on all processes within a # chroot jail will be lowered to stop module insertion, raw i/o, @@ -239,14 +239,14 @@ # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. - kernel.grsecurity.audit_group = 0 + kernel.grsecurity.audit_group = 1 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. - #kernel.grsecurity.audit_gid = 201 + kernel.grsecurity.audit_gid = 99 # If you say Y here, all execve() calls will be logged (since the # other exec*() calls are frontends to execve(), all execution @@ -274,7 +274,7 @@ # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. - kernel.grsecurity.audit_ptrace = 1 + #kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -297,7 +297,6 @@ # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. - #kernel.grsecurity.forkfail_logging = 1 kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. @@ -329,7 +328,7 @@ kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms - #kernel.kptr_restrict = 2 + kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you @@ -365,7 +364,7 @@ # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. - kernel.grsecurity.consistent_setxid = 0 + kernel.grsecurity.consistent_setxid = 1 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -383,7 +382,7 @@ # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 0 + kernel.grsecurity.harden_ipc = 1 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -391,7 +390,7 @@ # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 4 + kernel.grsecurity.tpe_gid = 100 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -555,13 +554,13 @@ # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. - kernel.grsecurity.socket_all = 0 + kernel.grsecurity.socket_all = 1 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID # specified here. If the sysctl option is enabled, a sysctl option # with name "socket_all_gid" is created. - #kernel.grsecurity.socket_all_gid = 202 + kernel.grsecurity.socket_all_gid = 200 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be diff --git a/core/toolchain.html b/core/toolchain.html index e4a8f84..b5d4bb1 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2.1. Toolchain</title> + <title>2.2.3. Toolchain</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1 id="toolchain">2.2.1. Toolchain</h1> + <h1 id="toolchain">2.2.3. Toolchain</h1> <p>Add flags to pkgmk configuration and change specific ports that don't build with hardening flags. More information about |