From d26a4e12deafade205d37a9fda748a6b78dfdb6a Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 25 Feb 2017 18:40:03 +0000
Subject: overall revesion
---
core/grsecurity.html | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 85 insertions(+)
create mode 100644 core/grsecurity.html
(limited to 'core/grsecurity.html')
diff --git a/core/grsecurity.html b/core/grsecurity.html
new file mode 100644
index 0000000..cda9bfb
--- /dev/null
+++ b/core/grsecurity.html
@@ -0,0 +1,85 @@
+ + + + + Grsecurity + + + + Tools Index +

Grsecurity

+ +

Grsecurity utilities are installed and configured in + hardening, kernel witch grsecurity + patch is installed using + linux port.

+ + +

Special Groups

+
+        getent group tpe >/dev/null || groupadd -g 200 tpe
+        getent group audit >/dev/null || groupadd -g 201 audit
+        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
+        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
+        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+        
+ +

Pax

+ +

Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.

+ + /usr/bin/grub-script-check + /usr/sbin/grub-probe + /usr/sbin/grub-mkdevicemap + +

Gradm

+ +

Gradm is grsecurity access control lists administration utility. Gradm + have a + learning mode + per-subject, per-role or system-wide. Learning mode gather information that + RBAC system supports, it reduces policy size, increase readability and enforces + that is configurable. Protected resources can be added to /etc/grsec/learn_cong + to learning system.

+ +

Entering in learning mode;

+ +
+        # gradm -F -L /etc/grsec/learning.log
+        
+ +

To perform administrative tasks while system learning is running, + authenticate to admin role;

+ +
+        # gradm -a admin
+        
+ +

When learning system have gather sufficient data disable RBAC system;

+ +
+        # gradm -D
+        
+ +

Now that RBAC is disable data collected can be used to generate ACLs;

+ +
+        # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy
+        
+ +

Start RBAC with policy;

+ +
+        # gradm -E
+        
+ + Tools Index +

This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

+ + +
-- cgit 1.4.1-2-gfad0
From 4cc6765e1332b7bbef89091a3a3d4f055a60cebf Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sat, 25 Feb 2017 20:17:55 +0000
Subject: core index correction
---
core/grsecurity.html | 6 +-
core/hardening.html | 157 +----------
core/index.html | 8 +-
core/linux.html | 608 ----------------------------------------
core/scripts/backup-system.sh | 79 ++++--
core/sysctl.html | 627 ++++++++++++++++++++++++++++++++++++++++++
core/toolchain.html | 165 +++++++++++
7 files changed, 868 insertions(+), 782 deletions(-)
create mode 100644 core/sysctl.html
create mode 100644 core/toolchain.html
(limited to 'core/grsecurity.html')
diff --git a/core/grsecurity.html b/core/grsecurity.html
index cda9bfb..adfd292 100644
--- a/core/grsecurity.html
+++ b/core/grsecurity.html
@@ -6,7 +6,7 @@
- Tools Index + Core OS Index
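Review bot: The policy-generation command in the Gradm section, `# gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy`, does not match the learning command given a few steps earlier in the same file, which writes `/etc/grsec/learning.log`, and `/etc/grset/` reads as a typo for `/etc/grsec/`, the directory every other gradm path on the page uses; a reader following the steps verbatim would generate a policy from a log that was never written. I would change the line to `# gradm -F -L /etc/grsec/learning.log -O /etc/grsec/policy`. The Special Groups block creates `tpe` (200) and `audit` (201) with fixed GIDs but never says which `kernel.grsecurity.tpe_gid` / `kernel.grsecurity.audit_gid` values must be set to match them, nor that `groupadd -g` fails when the GID is already taken; a one-sentence note after the block would close that gap. `/etc/grsec/learn_cong` in the Gradm paragraph also looks like a truncated filename and should be checked against the gradm documentation.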

Grsecurity

@@ -74,8 +74,8 @@ # gradm -E - Tools Index -

This is part of the c9-doc Manual. + Core OS Index +

This is part of the c9 Manual. Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License
diff --git a/core/hardening.html b/core/hardening.html
index 478c911..024c4c9 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -2,20 +2,20 @@
- Hardening + 2.2. Hardening - Tools Index + Core OS Index -

Hardening

+

2.2. Hardening

Kernel in ports have upstream linux kernel and grsecurity patch, it should break some functionality for the user and pkgmk user if tpe protection is active.

-        $ sudo prt-get depinst gradm paxtest paxd checksec lynis
+        $ sudo prt-get depinst gradm paxtest paxctld checksec lynis
         

Check grsecurity on how to setup
@@ -40,154 +40,9 @@

Add unnecessary tests to profile to have less noise.

-

Rebuild Toolchain

-

Add flags to pkgmk configuration and change specific ports that - don't build with hardening flags. More information about - arch security, - gentoo security, - gcc instrumentation-options - and glibc - configuring and compiling. Edit /etc/pkgmk.conf;

- -
-        export CPPFLAGS="-D_FORTIFY_SOURCE=2"
-        export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
-        export CXXFLAGS="${CFLAGS}"
-        export LDFLAGS="-z relro"
-        
- -

Core

- -

Ports in core collection that need to be changed in order - to build with pkgmk harden configuration.

- -

Glibc

- - - -
-        export CPPFLAGS=""
-        export CFLAGS="-O2 -march=native -mtune=native"
-        export CXXFLAGS="${CFLAGS}"
-        export LDFLAGS=""
-        
- -
-        ../$name-${version:0:4}/configure --prefix=/usr \
-                --libexecdir=/usr/lib \
-                --with-headers=$PKG/usr/include \
-                --enable-kernel=3.12 \
-                --enable-add-ons \
-                --enable-static-nss \
-                --disable-profile \
-                --disable-werror \
-                --without-gd \
-                --enable-obsolete-rpc \
-                --enable-multi-arch \
-                --enable-stackguard-randomization \
-                --enable-stack-protector=strong
-        
- -

Gcc

- - - -
-        export CPPFLAGS=""
-        export CFLAGS="-O2 -march=native -mtune=native"
-        export CXXFLAGS="${CFLAGS}"
-        export LDFLAGS=""
-        
- -

libcap

- - - -

bzip2

- - - -

hdparm

- - - -

Opt

- -

lsof

- - - -

python

- - - -

zip

- - - -

glew

- - - -

dmenu

- - - -

Boost

- - - -
-        export CPPFLAGS=""
-        export CFLAGS="-O2 -march=native -mtune=native"
-        export CXXFLAGS="${CFLAGS}"
-        export LDFLAGS=""
-        
- -

Contrib

- -

gsl

- - - - - Tools Index -

This is part of the c9-doc Manual. + Core OS Index +

This is part of the c9 Manual. Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License
diff --git a/core/index.html b/core/index.html
index 97376f4..8274630 100644
--- a/core/index.html
+++ b/core/index.html
@@ -5,6 +5,7 @@
c9 Core OS + Documentation Index

c9 Core OS

@@ -76,13 +77,14 @@
  • 2.1.2. Manual install
  • 2.1.3. Manual remove
  • 2.1.4. Dracut
  • -
  • 2.1.5. Sysctl
  • 2.2. Hardening
  • 2.3. Network
diff --git a/core/linux.html b/core/linux.html
index 888b916..5138676 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -144,614 +144,6 @@
# dracut -v /boot/initramfs-4.9.11-blob.img 4.9.11-blob -

    2.1.4. Sysctl

    - -

    Sysctl references - Arch TCP/IP stack hardening, - Cyberciti Nginx Hardning, - Cyberciti Security Hardening, - Grsecurity and PaX Configuration.

    - -

    Since kernels on c9-ports have PaX - and grsecurity, - /etc/sysctl.conf can have follow - values;

    - -
    -        #
    -        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
    -        #
    -
    -        kernel.printk = 7 1 1 4
    -        kernel.randomize_va_space = 2
    -        # Shared Memory
    -        #kernel.shmmax = 500000000
    -        # Total allocated file handlers that can be allocated
    -        # fs.file-nr=
    -        vm.mmap_min_addr=65536
    -        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
    -        kernel.pid_max = 65536
    -
    -        #
    -        # Memory Protections
    -        #
    -
    -        #  If you say Y here, all ioperm and iopl calls will return an error.
    -        #  Ioperm and iopl can be used to modify the running kernel.
    -        #  Unfortunately, some programs need this access to operate properly,
    -        #  the most notable of which are XFree86 and hwclock.  hwclock can be
    -        #  remedied by having RTC support in the kernel, so real-time
    -        #  clock support is enabled if this option is enabled, to ensure
    -        #  that hwclock operates correctly.
    -        #
    -        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
    -        #  you may not be able to boot into a graphical environment with this
    -        #  option enabled.  In this case, you should use the RBAC system instead.
    -        kernel.grsecurity.disable_priv_io = 0
    -
    -        #  If you say Y here, attempts to bruteforce exploits against forking
    -        #  daemons such as apache or sshd, as well as against suid/sgid binaries
    -        #  will be deterred.  When a child of a forking daemon is killed by PaX
    -        #  or crashes due to an illegal instruction or other suspicious signal,
    -        #  the parent process will be delayed 30 seconds upon every subsequent
    -        #  fork until the administrator is able to assess the situation and
    -        #  restart the daemon.
    -        #  In the suid/sgid case, the attempt is logged, the user has all their
    -        #  existing instances of the suid/sgid binary terminated and will
    -        #  be unable to execute any suid/sgid binaries for 15 minutes.
    -        #
    -        #  It is recommended that you also enable signal logging in the auditing
    -        #  section so that logs are generated when a process triggers a suspicious
    -        #  signal.
    -        #  If the sysctl option is enabled, a sysctl option with name
    -        #  "deter_bruteforce" is created.
    -        kernel.grsecurity.deter_bruteforce = 1
    -
    -        #
    -        # Filesystem Protections
    -        #
    -
    -        # Optimization for port usefor LBs
    -        # Increase system file descriptor limit
    -        fs.file-max = 65535
    -
    -        #  If you say Y here, /tmp race exploits will be prevented, since users
    -        #  will no longer be able to follow symlinks owned by other users in
    -        #  world-writable +t directories (e.g. /tmp), unless the owner of the
    -        #  symlink is the owner of the directory. users will also not be
    -        #  able to hardlink to files they do not own.  If the sysctl option is
    -        #  enabled, a sysctl option with name "linking_restrictions" is created.
    -        kernel.grsecurity.linking_restrictions = 0
    -
    -
    -        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
    -        #  that prevents it from being used as a security feature.  As Apache
    -        #  verifies the symlink by performing a stat() against the target of
    -        #  the symlink before it is followed, an attacker can setup a symlink
    -        #  to point to a same-owned file, then replace the symlink with one
    -        #  that targets another user's file just after Apache "validates" the
    -        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
    -        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
    -        #  will be in place for the group you specify. If the sysctl option
    -        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
    -        #  created.
    -        kernel.grsecurity.enforce_symlinksifowner = 0
    -        #kernel.grsecurity.symlinkown_gid = 33
    -
    -        #  if you say Y here, users will not be able to write to FIFOs they don't
    -        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
    -        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
    -        #  option is enabled, a sysctl option with name "fifo_restrictions" is
    -        #  created.
    -        kernel.grsecurity.fifo_restrictions = 0
    -
    -        #  If you say Y here, a sysctl option with name "romount_protect" will
    -        #  be created.  By setting this option to 1 at runtime, filesystems
    -        #  will be protected in the following ways:
    -        #  * No new writable mounts will be allowed
    -        #  * Existing read-only mounts won't be able to be remounted read/write
    -        #  * Write operations will be denied on all block devices
    -        #  This option acts independently of grsec_lock: once it is set to 1,
    -        #  it cannot be turned off.  Therefore, please be mindful of the resulting
    -        #  behavior if this option is enabled in an init script on a read-only
    -        #  filesystem.
    -        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
    -        #  and GRKERNSEC_IO should be enabled and module loading disabled via
    -        #  config or at runtime.
    -        #  This feature is mainly intended for secure embedded systems.
    -        #kernel.grsecurity.romount_protect = 0
    -
    -        #  if you say Y here, the capabilities on all processes within a
    -        #  chroot jail will be lowered to stop module insertion, raw i/o,
    -        #  system and net admin tasks, rebooting the system, modifying immutable
    -        #  files, modifying IPC owned by another, and changing the system time.
    -        #  This is left an option because it can break some apps.  Disable this
    -        #  if your chrooted apps are having problems performing those kinds of
    -        #  tasks.  If the sysctl option is enabled, a sysctl option with
    -        #  name "chroot_caps" is created.
    -        kernel.grsecurity.chroot_caps = 1
    -
    -        #kernel.grsecurity.chroot_deny_bad_rename = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to chmod
    -        #  or fchmod files to make them have suid or sgid bits.  This protects
    -        #  against another published method of breaking a chroot.  If the sysctl
    -        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
    -        #  created.
    -        kernel.grsecurity.chroot_deny_chmod = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to chroot
    -        #  again outside the chroot.  This is a widely used method of breaking
    -        #  out of a chroot jail and should not be allowed.  If the sysctl
    -        #  option is enabled, a sysctl option with name
    -        #  "chroot_deny_chroot" is created.
    -        kernel.grsecurity.chroot_deny_chroot = 1
    -
    -        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
    -        #  to a file descriptor of the chrooting process that points to a directory
    -        #  outside the filesystem will be stopped.  If the sysctl option
    -        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
    -        kernel.grsecurity.chroot_deny_fchdir = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be allowed to
    -        #  mknod.  The problem with using mknod inside a chroot is that it
    -        #  would allow an attacker to create a device entry that is the same
    -        #  as one on the physical root of your system, which could range from
    -        #  anything from the console device to a device for your harddrive (which
    -        #  they could then use to wipe the drive or steal data).  It is recommended
    -        #  that you say Y here, unless you run into software incompatibilities.
    -        #  If the sysctl option is enabled, a sysctl option with name
    -        #  "chroot_deny_mknod" is created.
    -        kernel.grsecurity.chroot_deny_mknod = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to
    -        #  mount or remount filesystems.  If the sysctl option is enabled, a
    -        #  sysctl option with name "chroot_deny_mount" is created.
    -        kernel.grsecurity.chroot_deny_mount = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to use
    -        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
    -        #  works similar to chroot in that it changes the root filesystem.  This
    -        #  function could be misused in a chrooted process to attempt to break out
    -        #  of the chroot, and therefore should not be allowed.  If the sysctl
    -        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
    -        #  created.
    -        kernel.grsecurity.chroot_deny_pivot     = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to attach
    -        #  to shared memory segments that were created outside of the chroot jail.
    -        #  It is recommended that you say Y here.  If the sysctl option is enabled,
    -        #  a sysctl option with name "chroot_deny_shmat" is created.
    -        kernel.grsecurity.chroot_deny_shmat = 1
    -
    -        #  If you say Y here, an attacker in a chroot will not be able to
    -        #  write to sysctl entries, either by sysctl(2) or through a /proc
    -        #  interface.  It is strongly recommended that you say Y here. If the
    -        #  sysctl option is enabled, a sysctl option with name
    -        #  "chroot_deny_sysctl" is created.
    -        kernel.grsecurity.chroot_deny_sysctl = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to
    -        #  connect to abstract (meaning not belonging to a filesystem) Unix
    -        #  domain sockets that were bound outside of a chroot.  It is recommended
    -        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
    -        #  with name "chroot_deny_unix" is created.
    -        kernel.grsecurity.chroot_deny_unix = 1
    -
    -        #  If you say Y here, the current working directory of all newly-chrooted
    -        #  applications will be set to the the root directory of the chroot.
    -        #  The man page on chroot(2) states:
    -        #  Note that usually chhroot does not change  the  current  working
    -        #  directory,  so  that `.' can be outside the tree rooted at
    -        #  `/'.  In particular, the  super-user  can  escape  from  a
    -        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
    -        #
    -        #  It is recommended that you say Y here, since it's not known to break
    -        #  any software.  If the sysctl option is enabled, a sysctl option with
    -        #  name "chroot_enforce_chdir" is created.
    -        kernel.grsecurity.chroot_enforce_chdir  = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to
    -        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
    -        #  getsid, or view any process outside of the chroot.  If the sysctl
    -        #  option is enabled, a sysctl option with name "chroot_findtask" is
    -        #  created.
    -        kernel.grsecurity.chroot_findtask = 1
    -
    -        #  If you say Y here, processes inside a chroot will not be able to raise
    -        #  the priority of processes in the chroot, or alter the priority of
    -        #  processes outside the chroot.  This provides more security than simply
    -        #  removing CAP_SYS_NICE from the process' capability set.  If the
    -        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
    -        #  is created.
    -        kernel.grsecurity.chroot_restrict_nice = 1
    -
    -        #
    -        # Kernel Auditing
    -        #
    -
    -        #  If you say Y here, the exec and chdir logging features will only operate
    -        #  on a group you specify.  This option is recommended if you only want to
    -        #  watch certain users instead of having a large amount of logs from the
    -        #  entire system.  If the sysctl option is enabled, a sysctl option with
    -        #  name "audit_group" is created.
    -        kernel.grsecurity.audit_group = 0
    -
    -        #  If you say Y here, the exec and chdir logging features will only operate
    -        #  on a group you specify.  This option is recommended if you only want to
    -        #  watch certain users instead of having a large amount of logs from the
    -        #  entire system.  If the sysctl option is enabled, a sysctl option with
    -        #  name "audit_group" is created.
    -        #kernel.grsecurity.audit_gid = 201
    -
    -        #  If you say Y here, all execve() calls will be logged (since the
    -        #  other exec*() calls are frontends to execve(), all execution
    -        #  will be logged).  Useful for shell-servers that like to keep track
    -        #  of their users.  If the sysctl option is enabled, a sysctl option with
    -        #  name "exec_logging" is created.
    -        #  WARNING: This option when enabled will produce a LOT of logs, especially
    -        #  on an active system.
    -        kernel.grsecurity.exec_logging = 0
    -
    -        #  If you say Y here, all attempts to overstep resource limits will
    -        #  be logged with the resource name, the requested size, and the current
    -        #  limit.  It is highly recommended that you say Y here.  If the sysctl
    -        #  option is enabled, a sysctl option with name "resource_logging" is
    -        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
    -        kernel.grsecurity.resource_logging = 1
    -
    -        #  If you say Y here, all executions inside a chroot jail will be logged
    -        #  to syslog.  This can cause a large amount of logs if certain
    -        #  applications (eg. djb's daemontools) are installed on the system, and
    -        #  is therefore left as an option.  If the sysctl option is enabled, a
    -        #  sysctl option with name "chroot_execlog" is created.
    -        kernel.grsecurity.chroot_execlog = 0
    -
    -        #  If you say Y here, all attempts to attach to a process via ptrace
    -        #  will be logged.  If the sysctl option is enabled, a sysctl option
    -        #  with name "audit_ptrace" is created.
    -        kernel.grsecurity.audit_ptrace = 1
    -
    -        #  If you say Y here, all attempts to attach to a process via ptrace
    -        #  will be logged.  If the sysctl option is enabled, a sysctl option
    -        #  with name "audit_ptrace" is created.
    -        kernel.grsecurity.audit_chdir = 0
    -
    -        #  If you say Y here, all mounts and unmounts will be logged.  If the
    -        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
    -        #  created.
    -        kernel.grsecurity.audit_mount = 1
    -
    -        #  If you say Y here, certain important signals will be logged, such as
    -        #  SIGSEGV, which will as a result inform you of when a error in a program
    -        #  occurred, which in some cases could mean a possible exploit attempt.
    -        #  If the sysctl option is enabled, a sysctl option with name
    -        #  "signal_logging" is created.
    -        kernel.grsecurity.signal_logging = 1
    -
    -        #  If you say Y here, all failed fork() attempts will be logged.
    -        #  This could suggest a fork bomb, or someone attempting to overstep
    -        #  their process limit.  If the sysctl option is enabled, a sysctl option
    -        #  with name "forkfail_logging" is created.
    -        #kernel.grsecurity.forkfail_logging = 1
    -        kernel.grsecurity.forkfail_logging = 1
    -
    -        #  If you say Y here, any changes of the system clock will be logged.
    -        #  If the sysctl option is enabled, a sysctl option with name
    -        #  "timechange_logging" is created.
    -        kernel.grsecurity.timechange_logging = 1
    -
    -        #  if you say Y here, calls to mmap() and mprotect() with explicit
    -        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
    -        #  denied by the PAX_MPROTECT feature.  This feature will also
    -        #  log other problematic scenarios that can occur when PAX_MPROTECT
    -        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
    -        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
    -        #  is created.
    -        kernel.grsecurity.rwxmap_logging = 1
    -
    -        #
    -        # Executable Protections
    -        #
    -
    -
    -        #  if you say Y here, non-root users will not be able to use dmesg(8)
    -        #  to view the contents of the kernel's circular log buffer.
    -        #  The kernel's log buffer often contains kernel addresses and other
    -        #  identifying information useful to an attacker in fingerprinting a
    -        #  system for a targeted exploit.
    -        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
    -        #  created.
    -        kernel.grsecurity.dmesg = 1
    -
    -        # Hide symbol addresses in /proc/kallsyms
    -        #kernel.kptr_restrict = 2
    -
    -        #  If you say Y here, TTY sniffers and other malicious monitoring
    -        #  programs implemented through ptrace will be defeated.  If you
    -        #  have been using the RBAC system, this option has already been
    -        #  enabled for several years for all users, with the ability to make
    -        #  fine-grained exceptions.
    -        #
    -        #  This option only affects the ability of non-root users to ptrace
    -        #  processes that are not a descendent of the ptracing process.
    -        #  This means that strace ./binary and gdb ./binary will still work,
    -        #  but attaching to arbitrary processes will not.  If the sysctl
    -        #  option is enabled, a sysctl option with name "harden_ptrace" is
    -        #  created.
    -        kernel.grsecurity.harden_ptrace = 1
    -
    -        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
    -        #  binaries.  This option is useful in environments that
    -        #  remove the read bits (e.g. file mode 4711) from suid binaries to
    -        #  prevent infoleaking of their contents.  This option adds
    -        #  consistency to the use of that file mode, as the binary could normally
    -        #  be read out when run without privileges while ptracing.
    -        #
    -        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
    -        #  is created.
    -        kernel.grsecurity.ptrace_readexec = 1
    -
    -        #  If you say Y here, a change from a root uid to a non-root uid
    -        #  in a multithreaded application will cause the resulting uids,
    -        #  gids, supplementary groups, and capabilities in that thread
    -        #  to be propagated to the other threads of the process.  In most
    -        #  cases this is unnecessary, as glibc will emulate this behavior
    -        #  on behalf of the application.  Other libcs do not act in the
    -        #  same way, allowing the other threads of the process to continue
    -        #  running with root privileges.  If the sysctl option is enabled,
    -        #  a sysctl option with name "consistent_setxid" is created.
    -        kernel.grsecurity.consistent_setxid = 0
    -
    -        #  If you say Y here, access to overly-permissive IPC objects (shared
    -        #  memory, message queues, and semaphores) will be denied for processes
    -        #  given the following criteria beyond normal permission checks:
    -        #  1) If the IPC object is world-accessible and the euid doesn't match
    -        #     that of the creator or current uid for the IPC object
    -        #  2) If the IPC object is group-accessible and the egid doesn't
    -        #     match that of the creator or current gid for the IPC object
    -        #  It's a common error to grant too much permission to these objects,
    -        #  with impact ranging from denial of service and information leaking to
    -        #  privilege escalation.  This feature was developed in response to
    -        #  research by Tim Brown:
    -        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
    -        #  who found hundreds of such insecure usages.  Processes with
    -        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
    -        #  If the sysctl option is enabled, a sysctl option with name
    -        #  "harden_ipc" is created.
    -        kernel.grsecurity.harden_ipc = 0
    -
    -        #  If you say Y here, you will be able to choose a gid to add to the
    -        #  supplementary groups of users you want to mark as "untrusted."
    -        #  These users will not be able to execute any files that are not in
    -        #  root-owned directories writable only by root.  If the sysctl option
    -        #  is enabled, a sysctl option with name "tpe" is created.
    -        kernel.grsecurity.tpe = 1
    -        kernel.grsecurity.tpe_gid = 4
    -
    -        #  If you say Y here, the group you specify in the TPE configuration will
    -        #  decide what group TPE restrictions will be *disabled* for.  This
    -        #  option is useful if you want TPE restrictions to be applied to most
    -        #  users on the system.  If the sysctl option is enabled, a sysctl option
    -        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
    -        #  entry will default to on for backward-compatibility.
    -        kernel.grsecurity.tpe_invert = 1
    -
    -        #  If you say Y here, all non-root users will be covered under
    -        #  a weaker TPE restriction.  This is separate from, and in addition to,
    -        #  the main TPE options that you have selected elsewhere.  Thus, if a
    -        #  "trusted" GID is chosen, this restriction applies to even that GID.
    -        #  Under this restriction, all non-root users will only be allowed to
    -        #  execute files in directories they own that are not group or
    -        #  world-writable, or in directories owned by root and writable only by
    -        #  root.  If the sysctl option is enabled, a sysctl option with name
    -        #  "tpe_restrict_all" is created.
    -        kernel.grsecurity.tpe_restrict_all = 1
    -
    -
    -        kernel.grsecurity.harden_tty = 1
    -
    -        #
    -        # Network Protections
    -        #
    -
    -        # Increase Linux auto tuning TCP buffer limits
    -        # min, default, and max number of bytes to use
    -        # set max to at least 4MB, or higher if you use very high BDP paths
    -        # Tcp Windows etc
    -        net.core.rmem_max = 8388608
    -        net.core.wmem_max = 8388608
    -        net.core.netdev_max_backlog = 5000
    -        net.ipv4.tcp_window_scaling = 1
    -
    -        # Both ports linux-blob and linux-libre don't build with ipv6
    -        # Disable ipv6
    -        net.ipv6.conf.all.disable_ipv6 = 1
    -        net.ipv6.conf.default.disable_ipv6 = 1
    -        net.ipv6.conf.lo.disable_ipv6 = 1
    -
    -        # Tuen IPv6
    -        #net.ipv6.conf.default.router_solicitations = 0
    -        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
    -        #net.ipv6.conf.default.accept_ra_pinfo = 0
    -        #net.ipv6.conf.default.accept_ra_defrtr = 0
    -        #net.ipv6.conf.default.autoconf = 0
    -        #net.ipv6.conf.default.dad_transmits = 0
    -        #net.ipv6.conf.default.max_addresses = 0
    -
    -        # Avoid a smurf attack, ping scanning
    -        net.ipv4.icmp_echo_ignore_broadcasts = 1
    -
    -        # Turn on protection for bad icmp error messages
    -        net.ipv4.icmp_ignore_bogus_error_responses = 1
    -
    -        # Turn on syncookies for SYN flood attack protection
    -        net.ipv4.tcp_syncookies = 1
    -
    -        ## protect against tcp time-wait assassination hazards
    -        ## drop RST packets for sockets in the time-wait state
    -        ## (not widely supported outside of linux, but conforms to RFC)
    -        net.ipv4.tcp_rfc1337 = 1
    -
    -        ## tcp timestamps
    -        ## + protect against wrapping sequence numbers (at gigabit speeds)
    -        ## + round trip time calculation implemented in TCP
    -        ## - causes extra overhead and allows uptime detection by scanners like nmap
    -        ## enable @ gigabit speeds
    -        net.ipv4.tcp_timestamps = 0
    -        #net.ipv4.tcp_timestamps = 1
    -
    -        # Turn on and log spoofed, source routed, and redirect packets
    -        net.ipv4.conf.all.log_martians = 1
    -        net.ipv4.conf.default.log_martians = 1
    -
    -        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
    -        net.ipv4.icmp_echo_ignore_broadcasts = 1
    -
    -        ## sets the kernels reverse path filtering mechanism to value 1(on)
    -        ## will do source validation of the packet's recieved from all the interfaces on the machine
    -        ## protects from attackers that are using ip spoofing methods to do harm
    -        net.ipv4.conf.all.rp_filter = 1
    -        net.ipv4.conf.default.rp_filter = 1
    -        #net.ipv6.conf.default.rp_filter = 1
    -        #net.ipv6.conf.all.rp_filter = 1
    -
    -
    -        # Make sure no one can alter the routing tables
    -        # Act as a router, necessary for Access Point
    -        net.ipv4.conf.all.accept_redirects = 0
    -        net.ipv4.conf.default.accept_redirects = 0
    -        net.ipv4.conf.all.secure_redirects = 0
    -        net.ipv4.conf.default.secure_redirects = 0
    -        # No source routed packets here
    -        # Discard packets with source routes, ip spoofing
    -        net.ipv4.conf.all.accept_source_route = 0
    -        net.ipv4.conf.default.accept_source_route = 0
    -
    -
    -        net.ipv4.conf.all.send_redirects = 0
    -        net.ipv4.conf.default.send_redirects = 0
    -
    -        net.ipv4.ip_forward = 0
    -
    -        # Increase system IP port limits
    -        net.ipv4.ip_local_port_range = 2000 65000
    -
    -        # Increase TCP max buffer size setable using setsockopt()
    -        net.ipv4.tcp_rmem = 4096 87380 8388608
    -        net.ipv4.tcp_wmem = 4096 87380 8388608
    -
    -        # Disable proxy_arp
    -        net.ipv4.conf.default.proxy_arp = 0
    -        net.ipv4.conf.all.proxy_arp = 0
    -
    -        # Disable bootp_relay
    -        net.ipv4.conf.default.bootp_relay = 0
    -        net.ipv4.conf.all.bootp_relay = 0
    -
    -        # Decrease TCP fin timeout
    -        net.ipv4.tcp_fin_timeout = 30
    -        # Decrease TCP keep alive time
    -        net.ipv4.tcp_keepalive_time = 1800
    -        # Sen SynAck retries to 3
    -        net.ipv4.tcp_synack_retries = 3
    -
    -        #  If you say Y here, neither TCP resets nor ICMP
    -        #  destination-unreachable packets will be sent in response to packets
    -        #  sent to ports for which no associated listening process exists.
    -        #  This feature supports both IPV4 and IPV6 and exempts the
    -        #  loopback interface from blackholing.  Enabling this feature
    -        #  makes a host more resilient to DoS attacks and reduces network
    -        #  visibility against scanners.
    -        #
    -        #  The blackhole feature as-implemented is equivalent to the FreeBSD
    -        #  blackhole feature, as it prevents RST responses to all packets, not
    -        #  just SYNs.  Under most application behavior this causes no
    -        #  problems, but applications (like haproxy) may not close certain
    -        #  connections in a way that cleanly terminates them on the remote
    -        #  end, leaving the remote host in LAST_ACK state.  Because of this
    -        #  side-effect and to prevent intentional LAST_ACK DoSes, this
    -        #  feature also adds automatic mitigation against such attacks.
    -        #  The mitigation drastically reduces the amount of time a socket
    -        #  can spend in LAST_ACK state.  If you're using haproxy and not
    -        #  all servers it connects to have this option enabled, consider
    -        #  disabling this feature on the haproxy host.
    -        #
    -        #  If the sysctl option is enabled, two sysctl options with names
    -        #  "ip_blackhole" and "lastack_retries" will be created.
    -        #  While "ip_blackhole" takes the standard zero/non-zero on/off
    -        #  toggle, "lastack_retries" uses the same kinds of values as
    -        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
    -        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
    -        #  state.
    -        kernel.grsecurity.ip_blackhole = 1
    -        kernel.grsecurity.lastack_retries = 4
    -
    -        #  If you say Y here, you will be able to choose a GID of whose users will
    -        #  be unable to connect to other hosts from your machine or run server
    -        #  applications from your machine.  If the sysctl option is enabled, a
    -        #  sysctl option with name "socket_all" is created.
    -        kernel.grsecurity.socket_all = 0
    -
    -        #  Here you can choose the GID to disable socket access for. Remember to
    -        #  add the users you want socket access disabled for to the GID
    -        #  specified here.  If the sysctl option is enabled, a sysctl option
    -        #  with name "socket_all_gid" is created.
    -        #kernel.grsecurity.socket_all_gid = 202
    -
    -        #  If you say Y here, you will be able to choose a GID of whose users will
    -        #  be unable to connect to other hosts from your machine, but will be
    -        #  able to run servers.  If this option is enabled, all users in the group
    -        #  you specify will have to use passive mode when initiating ftp transfers
    -        #  from the shell on your machine.  If the sysctl option is enabled, a
    -        #  sysctl option with name "socket_client" is created.
    -        kernel.grsecurity.socket_client = 1
    -
    -        #  Here you can choose the GID to disable client socket access for.
    -        #  Remember to add the users you want client socket access disabled for to
    -        #  the GID specified here.  If the sysctl option is enabled, a sysctl
    -        #  option with name "socket_client_gid" is created.
    -        kernel.grsecurity.socket_client_gid = 15
    -
    -        #  If you say Y here, you will be able to choose a GID of whose users will
    -        #  be unable to connect to other hosts from your machine, but will be
    -        #  able to run servers.  If this option is enabled, all users in the group
    -        #  you specify will have to use passive mode when initiating ftp transfers
    -        #  from the shell on your machine.  If the sysctl option is enabled, a
    -        #  sysctl option with name "socket_client" is created.
    -        kernel.grsecurity.socket_server = 1
    -
    -        #  Here you can choose the GID to disable server socket access for.
    -        #  Remember to add the users you want server socket access disabled for to
    -        #  the GID specified here.  If the sysctl option is enabled, a sysctl
    -        #  option with name "socket_server_gid" is created.
    -        kernel.grsecurity.socket_server_gid = 99
    -
    -        #
    -        # Physical Protections
    -        #
    -
    -        #  If you say Y here, a new sysctl option with name "deny_new_usb"
    -        #  will be created.  Setting its value to 1 will prevent any new
    -        #  USB devices from being recognized by the OS.  Any attempted USB
    -        #  device insertion will be logged.  This option is intended to be
    -        #  used against custom USB devices designed to exploit vulnerabilities
    -        #  in various USB device drivers.
    -        #
    -        #  For greatest effectiveness, this sysctl should be set after any
    -        #  relevant init scripts.  This option is safe to enable in distros
    -        #  as each user can choose whether or not to toggle the sysctl.
    -        kernel.grsecurity.deny_new_usb = 0
    -
    -        #
    -        # Restrict grsec sysctl changes after this was set
    -        #
    -        kernel.grsecurity.grsec_lock = 0
    -
    -        # End of file
    -        
    - - Core OS Index

    This is part of the c9-doc Manual. Copyright (C) 2017
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh
index 854a221..379e449 100644
--- a/core/scripts/backup-system.sh
+++ b/core/scripts/backup-system.sh
@@ -6,20 +6,65 @@ read ROOT_DIR
 echo -n "where you want to save (/home/user): "
 read DEST_DIR
-echo $DES_DIR
-echo $ROOT_DIR
-
-tar --xattrs -zcpf $DEST_DIR/system-backup-`date '+%Y-%j-%H-%M-%S'`.tar.gz \
- --directory=$ROOT_DIR \
- --exclude=usr/ports \
- --exclude=usr/src \
- --exclude=var/run \
- --exclude=var/lock \
- --exclude=srv \
- --exclude=mnt \
- --exclude=home \
- --exclude=dev \
- --exclude=run \
- --exclude=tmp \
- --exclude=proc \
- --exclude=sys .
+bk_coll() {
+ col=$1
+ # make copy of packages
+ mkdir ${BKDIR}/${col}
+ while read line; do
+ if [ ! -f /usr/ports/packages/${line} ]; then
+ echo "Building package: ${line};\n"
+ name=$(echo ${line} | cut -d "#" -f 1)
+ sudo prt-get update -fr ${name}
+ fi
+
+ if [ -f /usr/ports/packages/${line} ]; then
+ echo "Backing up package: ${line}"
+ echo ${line} >> ${BKDIR}/backup.pkg
+ cp /usr/ports/packages/${line} ${BKDIR}/${col}/
+ else
+ echo "Package not found: ${line}"
+ echo ${line} >> ${BKDIR}/${col}-notfound.pkg
+ fi
+ done < $BKDIR/${col}.pkg
+}
+
+# Temporary directory
+BKDIR=$(pwd)/bkdir
+mkdir -p ${BKDIR}
+
+# must be using gwak instead of sed, xargs and echo
+prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${BKDIR}/installed.pkg
+
+# make list and copy installed core packages
+prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/core" | cut -d " " -f 3 > ${BKDIR}/core.pkg
+bk_coll "core"
+
+
+prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/opt" | cut -d " " -f 3 > $BKDIR/opt.pkg
+bk_coll "opt"
+
+prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/contrib" | cut -d " " -f 3 > $BKDIR/contrib.pkg
+bk_coll "contrib"
+
+prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/xorg" | cut -d " " -f 3 > $BKDIR/xorg.pkg
+bk_coll "xorg"
+
+prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep -v "yes /usr/ports/core" | grep -v "yes /usr/ports/opt" | grep -v "yes /usr/ports/contrib" | grep -v "yes /usr/ports/xorg" | grep "yes " | cut -d " " -f 3 > $BKDIR/other.pkg
+
+#echo $DES_DIR
+#echo $ROOT_DIR
+#
+#tar --xattrs -zcpf $DEST_DIR/system-backup-`date '+%Y-%j-%H-%M-%S'`.tar.gz \
+# --directory=$ROOT_DIR \
+# --exclude=usr/ports \
+# --exclude=usr/src \
+# --exclude=var/run \
+# --exclude=var/lock \
+# --exclude=srv \
+# --exclude=mnt \
+# --exclude=home \
+# --exclude=dev \
+# --exclude=run \
+# --exclude=tmp \
+# --exclude=proc \
+# --exclude=sys .
diff --git a/core/sysctl.html b/core/sysctl.html
new file mode 100644
index 0000000..4e13209
--- /dev/null
+++ b/core/sysctl.html
@@ -0,0 +1,627 @@
+ + + + + 2.2.3. Sysctl + + + + Core OS Index + +
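Review bot: The `other.pkg` list produced by the last `prt-get printf` pipeline is written but never handed to `bk_coll`, so installed packages outside core/opt/contrib/xorg are listed and then silently never copied; add `bk_coll "other"` after that line unless the omission is deliberate. Inside `bk_coll`, `sudo prt-get update -fr ${name}` runs a privileged package update from within a backup run with its exit status unchecked and `${name}`/`${line}` unquoted, so a failed build only shows up later as a "Package not found" entry; at minimum quote every expansion and read the list with `while IFS= read -r line; do`. `mkdir ${BKDIR}/${col}` has no `-p`, so a second run from the same directory errors on every collection and, with no `set -e` in sight, keeps going anyway. The `\n` in `echo "Building package: ${line};\n"` is printed literally by a plain `echo`; `printf '%s\n'` is the portable form. The `bk_coll` function is complete within this hunk.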

    2.2.3. Sysctl

    + +

    Sysctl references + Arch TCP/IP stack hardening, + Cyberciti Nginx Hardning, + Cyberciti Security Hardening, + Grsecurity and PaX Configuration.

    + +

    Since kernels on c9-ports have PaX + and grsecurity, + /etc/sysctl.conf can have follow + values;

    + +
    +        #
    +        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
    +        #
    +
    +        kernel.printk = 7 1 1 4
    +        kernel.randomize_va_space = 2
    +        # Shared Memory
    +        #kernel.shmmax = 500000000
    +        # Total allocated file handlers that can be allocated
    +        # fs.file-nr=
    +        vm.mmap_min_addr=65536
    +        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
    +        kernel.pid_max = 65536
    +
    +        #
    +        # Memory Protections
    +        #
    +
    +        #  If you say Y here, all ioperm and iopl calls will return an error.
    +        #  Ioperm and iopl can be used to modify the running kernel.
    +        #  Unfortunately, some programs need this access to operate properly,
    +        #  the most notable of which are XFree86 and hwclock.  hwclock can be
    +        #  remedied by having RTC support in the kernel, so real-time
    +        #  clock support is enabled if this option is enabled, to ensure
    +        #  that hwclock operates correctly.
    +        #
    +        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
    +        #  you may not be able to boot into a graphical environment with this
    +        #  option enabled.  In this case, you should use the RBAC system instead.
    +        kernel.grsecurity.disable_priv_io = 0
    +
    +        #  If you say Y here, attempts to bruteforce exploits against forking
    +        #  daemons such as apache or sshd, as well as against suid/sgid binaries
    +        #  will be deterred.  When a child of a forking daemon is killed by PaX
    +        #  or crashes due to an illegal instruction or other suspicious signal,
    +        #  the parent process will be delayed 30 seconds upon every subsequent
    +        #  fork until the administrator is able to assess the situation and
    +        #  restart the daemon.
    +        #  In the suid/sgid case, the attempt is logged, the user has all their
    +        #  existing instances of the suid/sgid binary terminated and will
    +        #  be unable to execute any suid/sgid binaries for 15 minutes.
    +        #
    +        #  It is recommended that you also enable signal logging in the auditing
    +        #  section so that logs are generated when a process triggers a suspicious
    +        #  signal.
    +        #  If the sysctl option is enabled, a sysctl option with name
    +        #  "deter_bruteforce" is created.
    +        kernel.grsecurity.deter_bruteforce = 1
    +
    +        #
    +        # Filesystem Protections
    +        #
    +
    +        # Optimization for port usefor LBs
    +        # Increase system file descriptor limit
    +        fs.file-max = 65535
    +
    +        #  If you say Y here, /tmp race exploits will be prevented, since users
    +        #  will no longer be able to follow symlinks owned by other users in
    +        #  world-writable +t directories (e.g. /tmp), unless the owner of the
    +        #  symlink is the owner of the directory. users will also not be
    +        #  able to hardlink to files they do not own.  If the sysctl option is
    +        #  enabled, a sysctl option with name "linking_restrictions" is created.
    +        kernel.grsecurity.linking_restrictions = 0
    +
    +
    +        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
    +        #  that prevents it from being used as a security feature.  As Apache
    +        #  verifies the symlink by performing a stat() against the target of
    +        #  the symlink before it is followed, an attacker can setup a symlink
    +        #  to point to a same-owned file, then replace the symlink with one
    +        #  that targets another user's file just after Apache "validates" the
    +        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
    +        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
    +        #  will be in place for the group you specify. If the sysctl option
    +        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
    +        #  created.
    +        kernel.grsecurity.enforce_symlinksifowner = 0
    +        #kernel.grsecurity.symlinkown_gid = 33
    +
    +        #  if you say Y here, users will not be able to write to FIFOs they don't
    +        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
    +        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
    +        #  option is enabled, a sysctl option with name "fifo_restrictions" is
    +        #  created.
    +        kernel.grsecurity.fifo_restrictions = 0
    +
    +        #  If you say Y here, a sysctl option with name "romount_protect" will
    +        #  be created.  By setting this option to 1 at runtime, filesystems
    +        #  will be protected in the following ways:
    +        #  * No new writable mounts will be allowed
    +        #  * Existing read-only mounts won't be able to be remounted read/write
    +        #  * Write operations will be denied on all block devices
    +        #  This option acts independently of grsec_lock: once it is set to 1,
    +        #  it cannot be turned off.  Therefore, please be mindful of the resulting
    +        #  behavior if this option is enabled in an init script on a read-only
    +        #  filesystem.
    +        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
    +        #  and GRKERNSEC_IO should be enabled and module loading disabled via
    +        #  config or at runtime.
    +        #  This feature is mainly intended for secure embedded systems.
    +        #kernel.grsecurity.romount_protect = 0
    +
    +        #  if you say Y here, the capabilities on all processes within a
    +        #  chroot jail will be lowered to stop module insertion, raw i/o,
    +        #  system and net admin tasks, rebooting the system, modifying immutable
    +        #  files, modifying IPC owned by another, and changing the system time.
    +        #  This is left an option because it can break some apps.  Disable this
    +        #  if your chrooted apps are having problems performing those kinds of
    +        #  tasks.  If the sysctl option is enabled, a sysctl option with
    +        #  name "chroot_caps" is created.
    +        kernel.grsecurity.chroot_caps = 1
    +
    +        #kernel.grsecurity.chroot_deny_bad_rename = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to chmod
    +        #  or fchmod files to make them have suid or sgid bits.  This protects
    +        #  against another published method of breaking a chroot.  If the sysctl
    +        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
    +        #  created.
    +        kernel.grsecurity.chroot_deny_chmod = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to chroot
    +        #  again outside the chroot.  This is a widely used method of breaking
    +        #  out of a chroot jail and should not be allowed.  If the sysctl
    +        #  option is enabled, a sysctl option with name
    +        #  "chroot_deny_chroot" is created.
    +        kernel.grsecurity.chroot_deny_chroot = 1
    +
    +        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
    +        #  to a file descriptor of the chrooting process that points to a directory
    +        #  outside the filesystem will be stopped.  If the sysctl option
    +        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
    +        kernel.grsecurity.chroot_deny_fchdir = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be allowed to
    +        #  mknod.  The problem with using mknod inside a chroot is that it
    +        #  would allow an attacker to create a device entry that is the same
    +        #  as one on the physical root of your system, which could range from
    +        #  anything from the console device to a device for your harddrive (which
    +        #  they could then use to wipe the drive or steal data).  It is recommended
    +        #  that you say Y here, unless you run into software incompatibilities.
    +        #  If the sysctl option is enabled, a sysctl option with name
    +        #  "chroot_deny_mknod" is created.
    +        kernel.grsecurity.chroot_deny_mknod = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to
    +        #  mount or remount filesystems.  If the sysctl option is enabled, a
    +        #  sysctl option with name "chroot_deny_mount" is created.
    +        kernel.grsecurity.chroot_deny_mount = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to use
    +        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
    +        #  works similar to chroot in that it changes the root filesystem.  This
    +        #  function could be misused in a chrooted process to attempt to break out
    +        #  of the chroot, and therefore should not be allowed.  If the sysctl
    +        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
    +        #  created.
    +        kernel.grsecurity.chroot_deny_pivot     = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to attach
    +        #  to shared memory segments that were created outside of the chroot jail.
    +        #  It is recommended that you say Y here.  If the sysctl option is enabled,
    +        #  a sysctl option with name "chroot_deny_shmat" is created.
    +        kernel.grsecurity.chroot_deny_shmat = 1
    +
    +        #  If you say Y here, an attacker in a chroot will not be able to
    +        #  write to sysctl entries, either by sysctl(2) or through a /proc
    +        #  interface.  It is strongly recommended that you say Y here. If the
    +        #  sysctl option is enabled, a sysctl option with name
    +        #  "chroot_deny_sysctl" is created.
    +        kernel.grsecurity.chroot_deny_sysctl = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to
    +        #  connect to abstract (meaning not belonging to a filesystem) Unix
    +        #  domain sockets that were bound outside of a chroot.  It is recommended
    +        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
    +        #  with name "chroot_deny_unix" is created.
    +        kernel.grsecurity.chroot_deny_unix = 1
    +
    +        #  If you say Y here, the current working directory of all newly-chrooted
    +        #  applications will be set to the the root directory of the chroot.
    +        #  The man page on chroot(2) states:
    +        #  Note that usually chhroot does not change  the  current  working
    +        #  directory,  so  that `.' can be outside the tree rooted at
    +        #  `/'.  In particular, the  super-user  can  escape  from  a
    +        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
    +        #
    +        #  It is recommended that you say Y here, since it's not known to break
    +        #  any software.  If the sysctl option is enabled, a sysctl option with
    +        #  name "chroot_enforce_chdir" is created.
    +        kernel.grsecurity.chroot_enforce_chdir  = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to
    +        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
    +        #  getsid, or view any process outside of the chroot.  If the sysctl
    +        #  option is enabled, a sysctl option with name "chroot_findtask" is
    +        #  created.
    +        kernel.grsecurity.chroot_findtask = 1
    +
    +        #  If you say Y here, processes inside a chroot will not be able to raise
    +        #  the priority of processes in the chroot, or alter the priority of
    +        #  processes outside the chroot.  This provides more security than simply
    +        #  removing CAP_SYS_NICE from the process' capability set.  If the
    +        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
    +        #  is created.
    +        kernel.grsecurity.chroot_restrict_nice = 1
    +
    +        #
    +        # Kernel Auditing
    +        #
    +
    +        #  If you say Y here, the exec and chdir logging features will only operate
    +        #  on a group you specify.  This option is recommended if you only want to
    +        #  watch certain users instead of having a large amount of logs from the
    +        #  entire system.  If the sysctl option is enabled, a sysctl option with
    +        #  name "audit_group" is created.
    +        kernel.grsecurity.audit_group = 0
    +
    +        #  If you say Y here, the exec and chdir logging features will only operate
    +        #  on a group you specify.  This option is recommended if you only want to
    +        #  watch certain users instead of having a large amount of logs from the
    +        #  entire system.  If the sysctl option is enabled, a sysctl option with
    +        #  name "audit_group" is created.
    +        #kernel.grsecurity.audit_gid = 201
    +
    +        #  If you say Y here, all execve() calls will be logged (since the
    +        #  other exec*() calls are frontends to execve(), all execution
    +        #  will be logged).  Useful for shell-servers that like to keep track
    +        #  of their users.  If the sysctl option is enabled, a sysctl option with
    +        #  name "exec_logging" is created.
    +        #  WARNING: This option when enabled will produce a LOT of logs, especially
    +        #  on an active system.
    +        kernel.grsecurity.exec_logging = 0
    +
    +        #  If you say Y here, all attempts to overstep resource limits will
    +        #  be logged with the resource name, the requested size, and the current
    +        #  limit.  It is highly recommended that you say Y here.  If the sysctl
    +        #  option is enabled, a sysctl option with name "resource_logging" is
    +        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
    +        kernel.grsecurity.resource_logging = 1
    +
    +        #  If you say Y here, all executions inside a chroot jail will be logged
    +        #  to syslog.  This can cause a large amount of logs if certain
    +        #  applications (eg. djb's daemontools) are installed on the system, and
    +        #  is therefore left as an option.  If the sysctl option is enabled, a
    +        #  sysctl option with name "chroot_execlog" is created.
    +        kernel.grsecurity.chroot_execlog = 0
    +
    +        #  If you say Y here, all attempts to attach to a process via ptrace
    +        #  will be logged.  If the sysctl option is enabled, a sysctl option
    +        #  with name "audit_ptrace" is created.
    +        kernel.grsecurity.audit_ptrace = 1
    +
    +        #  If you say Y here, all attempts to attach to a process via ptrace
    +        #  will be logged.  If the sysctl option is enabled, a sysctl option
    +        #  with name "audit_ptrace" is created.
    +        kernel.grsecurity.audit_chdir = 0
    +
    +        #  If you say Y here, all mounts and unmounts will be logged.  If the
    +        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
    +        #  created.
    +        kernel.grsecurity.audit_mount = 1
    +
    +        #  If you say Y here, certain important signals will be logged, such as
    +        #  SIGSEGV, which will as a result inform you of when a error in a program
    +        #  occurred, which in some cases could mean a possible exploit attempt.
    +        #  If the sysctl option is enabled, a sysctl option with name
    +        #  "signal_logging" is created.
    +        kernel.grsecurity.signal_logging = 1
    +
    +        #  If you say Y here, all failed fork() attempts will be logged.
    +        #  This could suggest a fork bomb, or someone attempting to overstep
    +        #  their process limit.  If the sysctl option is enabled, a sysctl option
    +        #  with name "forkfail_logging" is created.
    +        #kernel.grsecurity.forkfail_logging = 1
    +        kernel.grsecurity.forkfail_logging = 1
    +
    +        #  If you say Y here, any changes of the system clock will be logged.
    +        #  If the sysctl option is enabled, a sysctl option with name
    +        #  "timechange_logging" is created.
    +        kernel.grsecurity.timechange_logging = 1
    +
    +        #  if you say Y here, calls to mmap() and mprotect() with explicit
    +        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
    +        #  denied by the PAX_MPROTECT feature.  This feature will also
    +        #  log other problematic scenarios that can occur when PAX_MPROTECT
    +        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
    +        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
    +        #  is created.
    +        kernel.grsecurity.rwxmap_logging = 1
    +
    +        #
    +        # Executable Protections
    +        #
    +
    +
    +        #  if you say Y here, non-root users will not be able to use dmesg(8)
    +        #  to view the contents of the kernel's circular log buffer.
    +        #  The kernel's log buffer often contains kernel addresses and other
    +        #  identifying information useful to an attacker in fingerprinting a
    +        #  system for a targeted exploit.
    +        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
    +        #  created.
    +        kernel.grsecurity.dmesg = 1
    +
    +        # Hide symbol addresses in /proc/kallsyms
    +        #kernel.kptr_restrict = 2
    +
    +        #  If you say Y here, TTY sniffers and other malicious monitoring
    +        #  programs implemented through ptrace will be defeated.  If you
    +        #  have been using the RBAC system, this option has already been
    +        #  enabled for several years for all users, with the ability to make
    +        #  fine-grained exceptions.
    +        #
    +        #  This option only affects the ability of non-root users to ptrace
    +        #  processes that are not a descendent of the ptracing process.
    +        #  This means that strace ./binary and gdb ./binary will still work,
    +        #  but attaching to arbitrary processes will not.  If the sysctl
    +        #  option is enabled, a sysctl option with name "harden_ptrace" is
    +        #  created.
    +        kernel.grsecurity.harden_ptrace = 1
    +
    +        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
    +        #  binaries.  This option is useful in environments that
    +        #  remove the read bits (e.g. file mode 4711) from suid binaries to
    +        #  prevent infoleaking of their contents.  This option adds
    +        #  consistency to the use of that file mode, as the binary could normally
    +        #  be read out when run without privileges while ptracing.
    +        #
    +        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
    +        #  is created.
    +        kernel.grsecurity.ptrace_readexec = 1
    +
    +        #  If you say Y here, a change from a root uid to a non-root uid
    +        #  in a multithreaded application will cause the resulting uids,
    +        #  gids, supplementary groups, and capabilities in that thread
    +        #  to be propagated to the other threads of the process.  In most
    +        #  cases this is unnecessary, as glibc will emulate this behavior
    +        #  on behalf of the application.  Other libcs do not act in the
    +        #  same way, allowing the other threads of the process to continue
    +        #  running with root privileges.  If the sysctl option is enabled,
    +        #  a sysctl option with name "consistent_setxid" is created.
    +        kernel.grsecurity.consistent_setxid = 0
    +
    +        #  If you say Y here, access to overly-permissive IPC objects (shared
    +        #  memory, message queues, and semaphores) will be denied for processes
    +        #  given the following criteria beyond normal permission checks:
    +        #  1) If the IPC object is world-accessible and the euid doesn't match
    +        #     that of the creator or current uid for the IPC object
    +        #  2) If the IPC object is group-accessible and the egid doesn't
    +        #     match that of the creator or current gid for the IPC object
    +        #  It's a common error to grant too much permission to these objects,
    +        #  with impact ranging from denial of service and information leaking to
    +        #  privilege escalation.  This feature was developed in response to
    +        #  research by Tim Brown:
    +        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
    +        #  who found hundreds of such insecure usages.  Processes with
    +        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
    +        #  If the sysctl option is enabled, a sysctl option with name
    +        #  "harden_ipc" is created.
    +        kernel.grsecurity.harden_ipc = 0
    +
    +        #  If you say Y here, you will be able to choose a gid to add to the
    +        #  supplementary groups of users you want to mark as "untrusted."
    +        #  These users will not be able to execute any files that are not in
    +        #  root-owned directories writable only by root.  If the sysctl option
    +        #  is enabled, a sysctl option with name "tpe" is created.
    +        kernel.grsecurity.tpe = 1
    +        kernel.grsecurity.tpe_gid = 4
    +
    +        #  If you say Y here, the group you specify in the TPE configuration will
    +        #  decide what group TPE restrictions will be *disabled* for.  This
    +        #  option is useful if you want TPE restrictions to be applied to most
    +        #  users on the system.  If the sysctl option is enabled, a sysctl option
    +        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
    +        #  entry will default to on for backward-compatibility.
    +        kernel.grsecurity.tpe_invert = 1
    +
    +        #  If you say Y here, all non-root users will be covered under
    +        #  a weaker TPE restriction.  This is separate from, and in addition to,
    +        #  the main TPE options that you have selected elsewhere.  Thus, if a
    +        #  "trusted" GID is chosen, this restriction applies to even that GID.
    +        #  Under this restriction, all non-root users will only be allowed to
    +        #  execute files in directories they own that are not group or
    +        #  world-writable, or in directories owned by root and writable only by
    +        #  root.  If the sysctl option is enabled, a sysctl option with name
    +        #  "tpe_restrict_all" is created.
    +        kernel.grsecurity.tpe_restrict_all = 1
    +
    +
    +        kernel.grsecurity.harden_tty = 1
    +
    +        #
    +        # Network Protections
    +        #
    +
    +        # Increase Linux auto tuning TCP buffer limits
    +        # min, default, and max number of bytes to use
    +        # set max to at least 4MB, or higher if you use very high BDP paths
    +        # Tcp Windows etc
    +        net.core.rmem_max = 8388608
    +        net.core.wmem_max = 8388608
    +        net.core.netdev_max_backlog = 5000
    +        net.ipv4.tcp_window_scaling = 1
    +
    +        # Both ports linux-blob and linux-libre don't build with ipv6
    +        # Disable ipv6
    +        net.ipv6.conf.all.disable_ipv6 = 1
    +        net.ipv6.conf.default.disable_ipv6 = 1
    +        net.ipv6.conf.lo.disable_ipv6 = 1
    +
    +        # Tuen IPv6
    +        #net.ipv6.conf.default.router_solicitations = 0
    +        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
    +        #net.ipv6.conf.default.accept_ra_pinfo = 0
    +        #net.ipv6.conf.default.accept_ra_defrtr = 0
    +        #net.ipv6.conf.default.autoconf = 0
    +        #net.ipv6.conf.default.dad_transmits = 0
    +        #net.ipv6.conf.default.max_addresses = 0
    +
    +        # Avoid a smurf attack, ping scanning
    +        net.ipv4.icmp_echo_ignore_broadcasts = 1
    +
    +        # Turn on protection for bad icmp error messages
    +        net.ipv4.icmp_ignore_bogus_error_responses = 1
    +
    +        # Turn on syncookies for SYN flood attack protection
    +        net.ipv4.tcp_syncookies = 1
    +
    +        ## protect against tcp time-wait assassination hazards
    +        ## drop RST packets for sockets in the time-wait state
    +        ## (not widely supported outside of linux, but conforms to RFC)
    +        net.ipv4.tcp_rfc1337 = 1
    +
    +        ## tcp timestamps
    +        ## + protect against wrapping sequence numbers (at gigabit speeds)
    +        ## + round trip time calculation implemented in TCP
    +        ## - causes extra overhead and allows uptime detection by scanners like nmap
    +        ## enable @ gigabit speeds
    +        net.ipv4.tcp_timestamps = 0
    +        #net.ipv4.tcp_timestamps = 1
    +
    +        # Turn on and log spoofed, source routed, and redirect packets
    +        net.ipv4.conf.all.log_martians = 1
    +        net.ipv4.conf.default.log_martians = 1
    +
    +        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
    +        net.ipv4.icmp_echo_ignore_broadcasts = 1
    +
    +        ## sets the kernels reverse path filtering mechanism to value 1(on)
    +        ## will do source validation of the packet's recieved from all the interfaces on the machine
    +        ## protects from attackers that are using ip spoofing methods to do harm
    +        net.ipv4.conf.all.rp_filter = 1
    +        net.ipv4.conf.default.rp_filter = 1
    +        #net.ipv6.conf.default.rp_filter = 1
    +        #net.ipv6.conf.all.rp_filter = 1
    +
    +
    +        # Make sure no one can alter the routing tables
    +        # Act as a router, necessary for Access Point
    +        net.ipv4.conf.all.accept_redirects = 0
    +        net.ipv4.conf.default.accept_redirects = 0
    +        net.ipv4.conf.all.secure_redirects = 0
    +        net.ipv4.conf.default.secure_redirects = 0
    +        # No source routed packets here
    +        # Discard packets with source routes, ip spoofing
    +        net.ipv4.conf.all.accept_source_route = 0
    +        net.ipv4.conf.default.accept_source_route = 0
    +
    +
    +        net.ipv4.conf.all.send_redirects = 0
    +        net.ipv4.conf.default.send_redirects = 0
    +
    +        net.ipv4.ip_forward = 0
    +
    +        # Increase system IP port limits
    +        net.ipv4.ip_local_port_range = 2000 65000
    +
    +        # Increase TCP max buffer size setable using setsockopt()
    +        net.ipv4.tcp_rmem = 4096 87380 8388608
    +        net.ipv4.tcp_wmem = 4096 87380 8388608
    +
    +        # Disable proxy_arp
    +        net.ipv4.conf.default.proxy_arp = 0
    +        net.ipv4.conf.all.proxy_arp = 0
    +
    +        # Disable bootp_relay
    +        net.ipv4.conf.default.bootp_relay = 0
    +        net.ipv4.conf.all.bootp_relay = 0
    +
    +        # Decrease TCP fin timeout
    +        net.ipv4.tcp_fin_timeout = 30
    +        # Decrease TCP keep alive time
    +        net.ipv4.tcp_keepalive_time = 1800
    +        # Sen SynAck retries to 3
    +        net.ipv4.tcp_synack_retries = 3
    +
    +        #  If you say Y here, neither TCP resets nor ICMP
    +        #  destination-unreachable packets will be sent in response to packets
    +        #  sent to ports for which no associated listening process exists.
    +        #  This feature supports both IPV4 and IPV6 and exempts the
    +        #  loopback interface from blackholing.  Enabling this feature
    +        #  makes a host more resilient to DoS attacks and reduces network
    +        #  visibility against scanners.
    +        #
    +        #  The blackhole feature as-implemented is equivalent to the FreeBSD
    +        #  blackhole feature, as it prevents RST responses to all packets, not
    +        #  just SYNs.  Under most application behavior this causes no
    +        #  problems, but applications (like haproxy) may not close certain
    +        #  connections in a way that cleanly terminates them on the remote
    +        #  end, leaving the remote host in LAST_ACK state.  Because of this
    +        #  side-effect and to prevent intentional LAST_ACK DoSes, this
    +        #  feature also adds automatic mitigation against such attacks.
    +        #  The mitigation drastically reduces the amount of time a socket
    +        #  can spend in LAST_ACK state.  If you're using haproxy and not
    +        #  all servers it connects to have this option enabled, consider
    +        #  disabling this feature on the haproxy host.
    +        #
    +        #  If the sysctl option is enabled, two sysctl options with names
    +        #  "ip_blackhole" and "lastack_retries" will be created.
    +        #  While "ip_blackhole" takes the standard zero/non-zero on/off
    +        #  toggle, "lastack_retries" uses the same kinds of values as
    +        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
    +        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
    +        #  state.
    +        kernel.grsecurity.ip_blackhole = 1
    +        kernel.grsecurity.lastack_retries = 4
    +
    +        #  If you say Y here, you will be able to choose a GID of whose users will
    +        #  be unable to connect to other hosts from your machine or run server
    +        #  applications from your machine.  If the sysctl option is enabled, a
    +        #  sysctl option with name "socket_all" is created.
    +        kernel.grsecurity.socket_all = 0
    +
    +        #  Here you can choose the GID to disable socket access for. Remember to
    +        #  add the users you want socket access disabled for to the GID
    +        #  specified here.  If the sysctl option is enabled, a sysctl option
    +        #  with name "socket_all_gid" is created.
    +        #kernel.grsecurity.socket_all_gid = 202
    +
    +        #  If you say Y here, you will be able to choose a GID of whose users will
    +        #  be unable to connect to other hosts from your machine, but will be
    +        #  able to run servers.  If this option is enabled, all users in the group
    +        #  you specify will have to use passive mode when initiating ftp transfers
    +        #  from the shell on your machine.  If the sysctl option is enabled, a
    +        #  sysctl option with name "socket_client" is created.
    +        kernel.grsecurity.socket_client = 1
    +
    +        #  Here you can choose the GID to disable client socket access for.
    +        #  Remember to add the users you want client socket access disabled for to
    +        #  the GID specified here.  If the sysctl option is enabled, a sysctl
    +        #  option with name "socket_client_gid" is created.
    +        kernel.grsecurity.socket_client_gid = 15
    +
    +        #  If you say Y here, you will be able to choose a GID of whose users will
    +        #  be unable to connect to other hosts from your machine, but will be
    +        #  able to run servers.  If this option is enabled, all users in the group
    +        #  you specify will have to use passive mode when initiating ftp transfers
    +        #  from the shell on your machine.  If the sysctl option is enabled, a
    +        #  sysctl option with name "socket_client" is created.
    +        kernel.grsecurity.socket_server = 1
    +
    +        #  Here you can choose the GID to disable server socket access for.
    +        #  Remember to add the users you want server socket access disabled for to
    +        #  the GID specified here.  If the sysctl option is enabled, a sysctl
    +        #  option with name "socket_server_gid" is created.
    +        kernel.grsecurity.socket_server_gid = 99
    +
    +        #
    +        # Physical Protections
    +        #
    +
    +        #  If you say Y here, a new sysctl option with name "deny_new_usb"
    +        #  will be created.  Setting its value to 1 will prevent any new
    +        #  USB devices from being recognized by the OS.  Any attempted USB
    +        #  device insertion will be logged.  This option is intended to be
    +        #  used against custom USB devices designed to exploit vulnerabilities
    +        #  in various USB device drivers.
    +        #
    +        #  For greatest effectiveness, this sysctl should be set after any
    +        #  relevant init scripts.  This option is safe to enable in distros
    +        #  as each user can choose whether or not to toggle the sysctl.
    +        kernel.grsecurity.deny_new_usb = 0
    +
    +        #
    +        # Restrict grsec sysctl changes after this was set
    +        #
    +        kernel.grsecurity.grsec_lock = 0
    +
    +        # End of file
    +        
    + + + Core OS Index +

    This is part of the c9 Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

    + + + diff --git a/core/toolchain.html b/core/toolchain.html new file mode 100644 index 0000000..e4a8f84 --- /dev/null +++ b/core/toolchain.html @@ -0,0 +1,165 @@ + + + + + 2.2.1. Toolchain + + + + Core OS Index + +

    2.2.1. Toolchain

    + +

    Add flags to pkgmk configuration and change specific ports that + don't build with hardening flags. More information about + arch security, + gentoo security, + gcc instrumentation-options + and glibc + configuring and compiling. Edit /etc/pkgmk.conf;

    + +
    +        export CPPFLAGS="-D_FORTIFY_SOURCE=2"
    +        export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
    +        export CXXFLAGS="${CFLAGS}"
    +        export LDFLAGS="-z relro"
    +        
    + +

    Core

    + +

    Ports in core collection that need to be changed in order + to build with pkgmk harden configuration.

    + +

    Glibc

    + + + +
    +        export CPPFLAGS=""
    +        export CFLAGS="-O2 -march=native -mtune=native"
    +        export CXXFLAGS="${CFLAGS}"
    +        export LDFLAGS=""
    +        
    + +
    +        ../$name-${version:0:4}/configure --prefix=/usr \
    +                --libexecdir=/usr/lib \
    +                --with-headers=$PKG/usr/include \
    +                --enable-kernel=3.12 \
    +                --enable-add-ons \
    +                --enable-static-nss \
    +                --disable-profile \
    +                --disable-werror \
    +                --without-gd \
    +                --enable-obsolete-rpc \
    +                --enable-multi-arch \
    +                --enable-stackguard-randomization \
    +                --enable-stack-protector=strong
    +        
    + +

    Gcc

    + + + +
    +        export CPPFLAGS=""
    +        export CFLAGS="-O2 -march=native -mtune=native"
    +        export CXXFLAGS="${CFLAGS}"
    +        export LDFLAGS=""
    +        
    + +

    libcap

    + + + +

    bzip2

    + + + +

    hdparm

    + + + +

    Opt

    + +

    lsof

    + + + +

    python

    + + + +

    zip

    + + + +

    glew

    + + + +

    dmenu

    + + + +

    Boost

    + + + +
    +        export CPPFLAGS=""
    +        export CFLAGS="-O2 -march=native -mtune=native"
    +        export CXXFLAGS="${CFLAGS}"
    +        export LDFLAGS=""
    +        
    + +

    Contrib

    + +

    gsl

    + + + + + Core OS Index +

    This is part of the c9 Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

    + + + -- cgit 1.4.1-2-gfad0 From 9069537d8cfe308836864ef0be7c2a1e359d5a4b Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 27 Feb 2017 21:56:53 +0000 Subject: core and tools revision --- core/conf/sysctl.conf | 67 ++-- core/configure.html | 7 +- core/grsecurity.html | 247 +++++++++++- core/hardening.html | 15 +- core/index.html | 10 +- core/linux.html | 238 +++++++++-- core/ports/linux-blob/.footprint | 95 ++--- core/ports/linux-blob/.md5sum | 10 +- core/ports/linux-blob/Pkgfile | 17 +- core/ports/linux-blob/config-c9 | 444 +++++++++++++-------- core/ports/linux-blob/port-blob-grsecurity.patch | 8 +- core/ports/linux-blob/port-blob-make.patch | 2 +- core/ports/linux-libre/.footprint | 95 ++--- core/ports/linux-libre/.md5sum | 10 +- core/ports/linux-libre/Pkgfile | 15 +- core/ports/linux-libre/config-c9 | 444 +++++++++++++-------- core/ports/linux-libre/port-libre-grsecurity.patch | 4 +- core/ports/linux-libre/port-libre-make.patch | 2 +- core/reboot.html | 11 +- core/samhain.html | 265 ++++++++++++ core/sysctl.html | 35 +- core/toolchain.html | 4 +- tools/conf/etc/asound.conf | 1 + tools/x.html | 6 + 24 files changed, 1452 insertions(+), 600 deletions(-) create mode 100644 core/samhain.html create mode 100644 tools/conf/etc/asound.conf (limited to 'core/grsecurity.html') diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index d17c0c6..b0972e2 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf 
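Review bot: The pkgmk.conf flags at the top of the new page give only partial RELRO and no PIE: `export LDFLAGS="-z relro"` leaves the GOT writable after startup because lazy binding is still on, and nothing in CFLAGS or LDFLAGS asks for position-independent executables, so ports built this way still load at a fixed address and PaX's mmap randomization cannot move their text. I would change that line to `export LDFLAGS="-z relro -z now"` and, rather than adding `-fPIE -pie` to the global flags (where `-pie` collides with `-shared` links), configure the gcc port with `--enable-default-pie --enable-default-ssp` (GCC 6 and later) so even ports that ignore the pkgmk flags are covered. `--param=ssp-buffer-size=4` has no effect next to `-fstack-protector-strong` and can be dropped. Since the glibc block clears CPPFLAGS/CFLAGS/LDFLAGS, adding `--enable-bind-now` to its configure line would give the C library itself full RELRO, and `--enable-obsolete-rpc` keeps the legacy Sun RPC code in libc, which the page should either state as deliberate or remove.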
@@ -20,14 +20,14 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -kernel.grsecurity.disable_priv_io = 0 +kernel.grsecurity.disable_priv_io = 1 # If you say Y here, attempts to bruteforce exploits against forking # daemons such as apache or sshd, as well as against suid/sgid binaries @@ -39,7 +39,7 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. @@ -61,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 0 +kernel.grsecurity.linking_restrictions = 1 # Apache's SymlinksIfOwnerMatch option has an inherent race condition 
@@ -75,15 +75,15 @@ kernel.grsecurity.linking_restrictions = 0 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -kernel.grsecurity.enforce_symlinksifowner = 0 -#kernel.grsecurity.symlinkown_gid = 33 +kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.symlinkown_gid = 15 # if you say Y here, users will not be able to write to FIFOs they don't # own in world-writable +t directories (e.g. /tmp), unless the owner of # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -kernel.grsecurity.fifo_restrictions = 0 +kernel.grsecurity.fifo_restrictions = 1 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -99,7 +99,7 @@ kernel.grsecurity.fifo_restrictions = 0 # and GRKERNSEC_IO should be enabled and module loading disabled via # config or at runtime. # This feature is mainly intended for secure embedded systems. -#kernel.grsecurity.romount_protect = 0 +#kernel.grsecurity.romount_protect = 1 # if you say Y here, the capabilities on all processes within a # chroot jail will be lowered to stop module insertion, raw i/o, @@ -122,8 +122,8 @@ kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. kernel.grsecurity.chroot_deny_chroot = 1 
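Review bot: `kernel.grsecurity.symlinkown_gid = 15` only protects something if 15 is the gid the web server runs as, since enforce_symlinksifowner (switched on in the same hunk) applies to the group named here, and nothing on the page says which group that is. If the copy of this configuration listed earlier on the page is still current, gid 15 is also socket_client_gid, so the httpd group would additionally lose the ability to open outbound connections (reverse proxying, TCP database connections). Add a comment naming the group, e.g. `kernel.grsecurity.symlinkown_gid = 15  # gid of the httpd group`, and give socket_client a dedicated group of its own.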
@@ -185,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1 # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# +# # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. @@ -215,14 +215,14 @@ kernel.grsecurity.chroot_restrict_nice = 1 # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -kernel.grsecurity.audit_group = 0 +kernel.grsecurity.audit_group = 1 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -#kernel.grsecurity.audit_gid = 201 +kernel.grsecurity.audit_gid = 99 # If you say Y here, all execve() calls will be logged (since the # other exec*() calls are frontends to execve(), all execution 
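Review bot: `kernel.grsecurity.audit_gid = 99` reuses a gid that this same file assigns to socket_server_gid (it is the context shown in a later hunk header), so one group now means two unrelated policies: members are both exec/chdir-audited and barred from listening sockets, and adding someone to get one effect silently gives them the other. Use a dedicated gid for audit_group (the commented placeholder was 201) and name it on the line, e.g. `kernel.grsecurity.audit_gid = 201  # audit group`. The comment block directly above the new line still says the sysctl created is named "audit_group"; it is a copy of the previous paragraph and should say `audit_gid`.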
@@ -231,7 +231,7 @@ kernel.grsecurity.audit_group = 0 # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. -kernel.grsecurity.exec_logging = 0 +kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current @@ -245,12 +245,12 @@ kernel.grsecurity.resource_logging = 1 # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 +kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -kernel.grsecurity.audit_ptrace = 1 +#kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -273,7 +273,6 @@ kernel.grsecurity.signal_logging = 1 # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. -#kernel.grsecurity.forkfail_logging = 1 kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. 
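Review bot: Commenting out `kernel.grsecurity.audit_ptrace = 1` removes the only record of ptrace attach attempts, which is exactly the event harden_ptrace (still 1, per the context of a later hunk header) is meant to confine, so a blocked attach from a compromised account now leaves nothing in the log. The commit message gives no reason; if the setting is too noisy, say so in a comment above the line, otherwise restore `kernel.grsecurity.audit_ptrace = 1`. The trailing context of this hunk appears to repeat the same "attach to a process via ptrace" paragraph before the next option, so that copy presumably needs to describe the option it precedes.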
@@ -285,7 +284,7 @@ kernel.grsecurity.timechange_logging = 1 # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. kernel.grsecurity.rwxmap_logging = 1 @@ -305,14 +304,14 @@ kernel.grsecurity.rwxmap_logging = 1 kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms -#kernel.kptr_restrict = 2 +kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. -# +# # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, @@ -327,7 +326,7 @@ kernel.grsecurity.harden_ptrace = 1 # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. -# +# # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 
@@ -341,7 +340,7 @@ kernel.grsecurity.ptrace_readexec = 1 # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. -kernel.grsecurity.consistent_setxid = 0 +kernel.grsecurity.consistent_setxid = 1 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -359,7 +358,7 @@ kernel.grsecurity.consistent_setxid = 0 # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 0 +kernel.grsecurity.harden_ipc = 1 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -367,7 +366,7 @@ kernel.grsecurity.harden_ipc = 0 # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 4 +kernel.grsecurity.tpe_gid = 100 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This 
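Review bot: `kernel.grsecurity.tpe_gid = 100` sits under a comment that calls the group "untrusted", but tpe_invert (shown as 1 in the earlier listing of this file and not changed by this commit; its description is the trailing context of this hunk) makes the gid the group TPE is *disabled* for, so anyone added to gid 100 is exempt from the main TPE check. Whoever maintains the groups will read the comment and add the wrong users, so the new line deserves its own note, e.g. `# tpe_invert = 1: gid 100 is the TRUSTED group, exempt from TPE`. Also confirm that 100 is a dedicated group rather than the default login group that new accounts land in, since that would exempt nearly everyone.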
@@ -499,11 +498,11 @@ net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. -# +# # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no @@ -516,7 +515,7 @@ net.ipv4.tcp_synack_retries = 3 # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. -# +# # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off @@ -531,13 +530,13 @@ kernel.grsecurity.lastack_retries = 4 # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. -kernel.grsecurity.socket_all = 0 +kernel.grsecurity.socket_all = 1 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID # specified here. If the sysctl option is enabled, a sysctl option # with name "socket_all_gid" is created. -#kernel.grsecurity.socket_all_gid = 202 +kernel.grsecurity.socket_all_gid = 200 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be 
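Review bot: `kernel.grsecurity.socket_all = 1` now enforces against gid 200 (the placeholder was 202), but nothing in the hunk says which group 200 is, and the same diff ties gid 99 to socket_server while the earlier listing ties 15 to socket_client — three bare numbers with no named group behind them. Because socket_all removes all networking from every member, a wrong number or a gid later taken by some package becomes a hard outage, so pair the line with the group it denotes, e.g. `kernel.grsecurity.socket_all_gid = 200  # socket-deny-all (verify: getent group 200)`, and keep each socket policy on its own dedicated group.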
@@ -577,7 +576,7 @@ kernel.grsecurity.socket_server_gid = 99
 # device insertion will be logged. This option is intended to be
 # used against custom USB devices designed to exploit vulnerabilities
 # in various USB device drivers.
-#
+#
 # For greatest effectiveness, this sysctl should be set after any
 # relevant init scripts. This option is safe to enable in distros
 # as each user can choose whether or not to toggle the sysctl.
diff --git a/core/configure.html b/core/configure.html
index 1ca655f..b6b3fb5 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -185,7 +185,8 @@
    -        # useradd -m -k /etc/skel -s /bin/bash -U -G adm,wheel,audio,video,users c9admin
    +        # useradd -k /etc/skel -s /bin/bash c9admin
    +        # usermod -G adm,wheel,audio,video
             # passwd c9admin
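Review bot: The added `# usermod -G adm,wheel,audio,video` has no account argument, so as written it fails with a usage error; it should read `# usermod -G adm,wheel,audio,video c9admin`. The `useradd` line above it dropped `-m`, and without it `-k /etc/skel` does nothing because no home directory is created, so restore it as `# useradd -m -k /etc/skel -s /bin/bash c9admin` unless the home is created elsewhere. Note also that `users` (GID 100, the inverted-TPE trusted group in core/grsecurity.html) is no longer among c9admin's supplementary groups, so unless it is the account's primary group the admin will itself be subject to TPE; if that is intended, one sentence saying so would spare readers the surprise.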
             
    @@ -196,10 +197,6 @@

    1.2.4.3 Add Administrator to Wheel group

    -
    -        # usermod -a -G wheel c9admin
    -        
    -
             bash-4.3# sudoedit /etc/sudoers
             
    diff --git a/core/grsecurity.html b/core/grsecurity.html
    index adfd292..30ee28c 100644
    --- a/core/grsecurity.html
    +++ b/core/grsecurity.html
    @@ -2,31 +2,248 @@ - Grsecurity + 2.2.1. Grsecurity Core OS Index -

    Grsecurity

    +

    2.2.1. Grsecurity

    -

    Grsecurity utilities are installed and configured in - hardening, kernel witch grsecurity - patch is installed using - linux port.

    +

    Install grsecurity utilities, kernel + configuration is based on + port kernel, for manual + configuration check linux kernel. Configuration + is not enable by default, groups with special permissions and other + protections are set with sysctl.html;

    +
    + +
    proc
    +
    GID 4 - adm group
    +
    If you say Y here, you will be able to select a group that will be + able to view all processes and network-related information. + GRKERNSEC_HIDESYM is enabled, kernel and symbol information may still + remain hidden.
    + +
    symlinks owner match
    +
    GID 15 - www group
    +
    Kernel-enforced SymlinksIfOwnerMatch group.
    + +
    group for auditing
    +
    GID 99 - nobody group
    +
    This option is recommended if you only want to watch certain + users exec and chdir logging features instead of having a large + amount of logs from the entire system
    + +
    tpe
    +
    GID 100 - users
    +
    Supplementary groups of users you want to mark as "untrusted". + Invert gid option causes to not apply tpe protection to this group, + allowing to build software with partially restrict all non-root users + enable.
    + +
    socket all
    +
    GID 200 - non existent
    +
    Deny sockets to this group.
    + +
    socket client
    +
    GID 15 - www group
    +
    Deny client sockets to this group.
    + +
    socket server
    +
    GID 99 - nobody group
    +
    Deny server sockets to this group.
    + +
    + +

    Kernel configuration related to grsecurity;

    -

    Special Groups

    -        getent group tpe >/dev/null || groupadd -g 200 tpe
    -        getent group audit >/dev/null || groupadd -g 201 audit
    -        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
    -        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
    -        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
    +        #
    +        # Grsecurity
    +        #
    +        CONFIG_PAX_PER_CPU_PGD=y
    +        CONFIG_TASK_SIZE_MAX_SHIFT=42
    +        CONFIG_GRKERNSEC=y
    +        # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
    +        CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
    +        CONFIG_GRKERNSEC_PROC_GID=4
    +        CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100
    +        CONFIG_GRKERNSEC_SYMLINKOWN_GID=15
    +
    +        #
    +        # PaX
    +        #
    +        CONFIG_PAX=y
    +
    +        #
    +        # PaX Control
    +        #
    +        # CONFIG_PAX_SOFTMODE is not set
    +        # CONFIG_PAX_EI_PAX is not set
    +        CONFIG_PAX_PT_PAX_FLAGS=y
    +        CONFIG_PAX_XATTR_PAX_FLAGS=y
    +        # CONFIG_PAX_NO_ACL_FLAGS is not set
    +        CONFIG_PAX_HAVE_ACL_FLAGS=y
    +        # CONFIG_PAX_HOOK_ACL_FLAGS is not set
    +
    +        #
    +        # Non-executable pages
    +        #
    +        CONFIG_PAX_NOEXEC=y
    +        CONFIG_PAX_PAGEEXEC=y
    +        CONFIG_PAX_EMUTRAMP=y
    +        CONFIG_PAX_MPROTECT=y
    +        # CONFIG_PAX_MPROTECT_COMPAT is not set
    +        # CONFIG_PAX_ELFRELOCS is not set
    +        CONFIG_PAX_KERNEXEC=y
    +        CONFIG_PAX_KERNEXEC_PLUGIN=y
    +        # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
    +        CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
    +
    +        #
    +        # Address Space Layout Randomization
    +        #
    +        CONFIG_PAX_ASLR=y
    +        CONFIG_PAX_RANDKSTACK=y
    +        CONFIG_PAX_RANDUSTACK=y
    +        CONFIG_PAX_RANDMMAP=y
    +
    +        #
    +        # Miscellaneous hardening features
    +        #
    +        CONFIG_PAX_MEMORY_SANITIZE=y
    +        CONFIG_PAX_MEMORY_STACKLEAK=y
    +        CONFIG_PAX_MEMORY_STRUCTLEAK=y
    +        CONFIG_PAX_MEMORY_UDEREF=y
    +        CONFIG_PAX_REFCOUNT=y
    +        CONFIG_PAX_USERCOPY=y
    +        CONFIG_PAX_CONSTIFY_PLUGIN=y
    +        # CONFIG_PAX_USERCOPY_DEBUG is not set
    +        CONFIG_PAX_SIZE_OVERFLOW=y
    +        CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
    +        # CONFIG_PAX_INITIFY is not set
    +        CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
    +        CONFIG_PAX_LATENT_ENTROPY=y
    +        CONFIG_PAX_RAP=y
    +
    +        #
    +        # Memory Protections
    +        #
    +        CONFIG_GRKERNSEC_KMEM=y
    +        CONFIG_GRKERNSEC_IO=y
    +        CONFIG_GRKERNSEC_BPF_HARDEN=y
    +        CONFIG_GRKERNSEC_PERF_HARDEN=y
    +        CONFIG_GRKERNSEC_RAND_THREADSTACK=y
    +        CONFIG_GRKERNSEC_PROC_MEMMAP=y
    +        CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
    +        CONFIG_GRKERNSEC_BRUTE=y
    +        CONFIG_GRKERNSEC_MODHARDEN=y
    +        CONFIG_GRKERNSEC_HIDESYM=y
    +        CONFIG_GRKERNSEC_RANDSTRUCT=y
    +        CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
    +        CONFIG_GRKERNSEC_KERN_LOCKOUT=y
    +
    +        #
    +        # Role Based Access Control Options
    +        #
    +        # CONFIG_GRKERNSEC_NO_RBAC is not set
    +        CONFIG_GRKERNSEC_ACL_HIDEKERN=y
    +        CONFIG_GRKERNSEC_ACL_MAXTRIES=3
    +        CONFIG_GRKERNSEC_ACL_TIMEOUT=30
    +
    +        #
    +        # Filesystem Protections
    +        #
    +        CONFIG_GRKERNSEC_PROC=y
    +        # CONFIG_GRKERNSEC_PROC_USER is not set
    +        CONFIG_GRKERNSEC_PROC_USERGROUP=y
    +        CONFIG_GRKERNSEC_PROC_ADD=y
    +        CONFIG_GRKERNSEC_LINK=y
    +        CONFIG_GRKERNSEC_SYMLINKOWN=y
    +        CONFIG_GRKERNSEC_FIFO=y
    +        # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
    +        CONFIG_GRKERNSEC_ROFS=y
    +        CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
    +        CONFIG_GRKERNSEC_CHROOT=y
    +        CONFIG_GRKERNSEC_CHROOT_MOUNT=y
    +        CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
    +        CONFIG_GRKERNSEC_CHROOT_PIVOT=y
    +        CONFIG_GRKERNSEC_CHROOT_CHDIR=y
    +        CONFIG_GRKERNSEC_CHROOT_CHMOD=y
    +        CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
    +        CONFIG_GRKERNSEC_CHROOT_MKNOD=y
    +        CONFIG_GRKERNSEC_CHROOT_SHMAT=y
    +        CONFIG_GRKERNSEC_CHROOT_UNIX=y
    +        CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
    +        CONFIG_GRKERNSEC_CHROOT_NICE=y
    +        CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
    +        CONFIG_GRKERNSEC_CHROOT_RENAME=y
    +        CONFIG_GRKERNSEC_CHROOT_CAPS=y
    +        CONFIG_GRKERNSEC_CHROOT_INITRD=y
    +
    +        #
    +        # Kernel Auditing
    +        #
    +        CONFIG_GRKERNSEC_AUDIT_GROUP=y
    +        CONFIG_GRKERNSEC_AUDIT_GID=99
    +        CONFIG_GRKERNSEC_EXECLOG=y
    +        CONFIG_GRKERNSEC_RESLOG=y
    +        CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
    +        CONFIG_GRKERNSEC_AUDIT_PTRACE=y
    +        CONFIG_GRKERNSEC_AUDIT_CHDIR=y
    +        CONFIG_GRKERNSEC_AUDIT_MOUNT=y
    +        CONFIG_GRKERNSEC_SIGNAL=y
    +        CONFIG_GRKERNSEC_FORKFAIL=y
    +        CONFIG_GRKERNSEC_TIME=y
    +        CONFIG_GRKERNSEC_PROC_IPADDR=y
    +        CONFIG_GRKERNSEC_RWXMAP_LOG=y
    +
    +        #
    +        # Executable Protections
    +        #
    +        CONFIG_GRKERNSEC_DMESG=y
    +        CONFIG_GRKERNSEC_HARDEN_PTRACE=y
    +        CONFIG_GRKERNSEC_PTRACE_READEXEC=y
    +        CONFIG_GRKERNSEC_SETXID=y
    +        CONFIG_GRKERNSEC_HARDEN_IPC=y
    +        CONFIG_GRKERNSEC_HARDEN_TTY=y
    +        CONFIG_GRKERNSEC_TPE=y
    +        CONFIG_GRKERNSEC_TPE_ALL=y
    +        CONFIG_GRKERNSEC_TPE_INVERT=y
    +        CONFIG_GRKERNSEC_TPE_GID=100
    +
    +        #
    +        # Network Protections
    +        #
    +        CONFIG_GRKERNSEC_BLACKHOLE=y
    +        CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
    +        CONFIG_GRKERNSEC_SOCKET=y
    +        CONFIG_GRKERNSEC_SOCKET_ALL=y
    +        CONFIG_GRKERNSEC_SOCKET_ALL_GID=200
    +        CONFIG_GRKERNSEC_SOCKET_CLIENT=y
    +        CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15
    +        CONFIG_GRKERNSEC_SOCKET_SERVER=y
    +        CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99
    +
    +        #
    +        # Physical Protections
    +        #
    +        CONFIG_GRKERNSEC_DENYUSB=y
    +        # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
    +
    +        #
    +        # Sysctl Support
    +        #
    +        CONFIG_GRKERNSEC_SYSCTL=y
    +        CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
    +        # CONFIG_GRKERNSEC_SYSCTL_ON is not set
    +
             
    -

    Pax

    - +

    Pax

    +

    Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.

    /usr/bin/grub-script-check @@ -36,7 +253,7 @@
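Review bot: The kernel configuration block binds unrelated policies to the same GIDs: `CONFIG_GRKERNSEC_SYMLINKOWN_GID=15` and `CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15` both use `www`, and `CONFIG_GRKERNSEC_AUDIT_GID=99` and `CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99` both use `nobody`, so adding an account to `www` for symlink protection also strips its client sockets, and adding one to `nobody` for exec/chdir auditing also stops it from listening. The `groupadd` lines this hunk deletes were the right idea — one dedicated group per policy keeps them independent — and if the shared GIDs are deliberate, the definition list at the top should at least state the coupling. Separately, `# CONFIG_GRKERNSEC_SYSCTL_ON is not set` means every feature listed here starts disabled until the sysctl file is applied, which the text does say; it should add that `kernel.grsecurity.grsec_lock = 1` must be set last, since otherwise root can switch the protections back off at runtime.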

    Gradm

    Gradm is grsecurity access control lists administration utility. Gradm - have a + have a learning mode per-subject, per-role or system-wide. Learning mode gather information that RBAC system supports, it reduces policy size, increase readability and enforces
    diff --git a/core/hardening.html b/core/hardening.html
    index 024c4c9..91cd8e9 100644
    --- a/core/hardening.html
    +++ b/core/hardening.html
    @@ -11,19 +11,20 @@

    2.2. Hardening

    Kernel in ports have upstream linux kernel and - grsecurity patch, it should break some functionality - for the user and pkgmk user if tpe protection is active.

    + grsecurity patch, it should break building some packages, + install follow tools;

             $ sudo prt-get depinst gradm paxtest paxctld checksec lynis
             
    -

    Check grsecurity on how to setup - kernel, pax and gradm.

    +

    Information about grsecurity kernel + configuration, pax and + gradm.

    -

    Lynis tries to give system overall configuration, without - changing default profile run irrelevant tests. Create a lynis - profile by coping default one and run lynis;

    +

    Lynis gives a view of system overall configuration, without changing + default profile it runs irrelevant tests. Create a lynis profile by + coping default one and run lynis;

             $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
    diff --git a/core/index.html b/core/index.html
    index 8274630..485bf65 100644
    --- a/core/index.html
    +++ b/core/index.html
    @@ -60,7 +60,7 @@
     
                 
  • 1.4. Prepare for reboot @@ -81,9 +81,9 @@
  • 2.2. Hardening
  • @@ -116,7 +116,7 @@
  • 2.6. Exim
      -
    • 2.6.1. Exim Configuration
    • +
    • 2.6.1. Exim configuration
    • 2.6.2. Certificates
    • 2.6.3. Aliases
    • 2.6.4. Smarthost
    • diff --git a/core/linux.html b/core/linux.html index 5138676..c52f9b8 100644 --- a/core/linux.html +++ b/core/linux.html @@ -17,9 +17,9 @@

      2.1.1. Port Linux Libre

      -

      Default crux configuration can be obtained from iso, this port depends - on dracut and grub but is not required to install them. To build and install - this port using prt-get;

      +

      Default crux configuration can be obtained from iso, + kernel port depends on dracut and grub but is not required + to install them. To build and install this port using prt-get;

               $ prt-get depinst linux-libre
      @@ -31,26 +31,67 @@
               linux libre,
               or using the port system;

      -

      Crux iso comes with config that is more generic than used on linux-libre - port, crux default is a good starting point to personalize according to your - needs (build default, detect modules needed);

      +

      Crux iso comes with config that is more generic than used on + linux-libre port, crux default is a good starting point to + personalize according to your needs (build default, detect modules + needed);

               $ mkdir ~/kernel
               $ cd ~/kernel
      -        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
      -        $ tar xf linux-libre-4.9.11-gnu.tar.xz
      -        $ cd linux-4.9.11/
      +        $ tar xf /usr/ports/distfiles/linux-libre-4.9.12-grsec.tar.xz
      +        $ cd linux-4.9.12/
               
      -

      Grsecurity patch for - 4.9.11. +

      Grsecurity patch for + 4.9.12. Gcc graysky2 kernel_gcc_patch (master.zip) that adds more cpu options (FLAGS native). - Check Pkgfile for instructions and - more patches used on linux-libre port. Read patching your kernel with + Check Pkgfile + for instructions and more patches used on linux-libre port. + Read patching your kernel with gresecurity.

      +

      Apply grsecurity patch;

      + +
      +        $ patch -p1 < ../grsecurity-3.1-4.9.12-201702231830.patch
      +        
      + +

      Set correct version;

      + +
      +        $ rm localversion-grsec
      +        
      + +

      Edit Makefile and replace EXTRAVERSION;

      + +
      +        VERSION = 4
      +        PATCHLEVEL = 9
      +        SUBLEVEL = 12
      +        EXTRAVERSION = -grsec
      +        NAME = Roaring Lionus
      +        
      + +

      Change cpu optimization patch;

      + +
      +        depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
      +        
      + +

      to;

      + +
      +        depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
      +        
      + +

      Apply additional cpu optimizations patch;

      + +
      +        $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
      +        
      +

      Configure kernel according to your current kernel hardware support;

      @@ -58,10 +99,7 @@ $ make localmodconfig
      -

      This will disable all unloaded modules, - you can use localyesconfig mark all loaded - to be built in the kernel. To get information - about your hardware, for example information +

      Get information about your hardware, for example information about which graphic module (driver) is in use as root run;

      @@ -76,17 +114,165 @@ $ make nconfig +

      Make targets;

      +
      -        $ make -j $(nproc) bzImage modules
      -        $ sudo make modules_install
      -        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
      -        $ sudo cp System.map /boot/System.map-4.9.11-gnu
      +        $ make help
      +        Cleaning targets:
      +          clean           - Remove most generated files but keep the config and
      +                            enough build support to build external modules
      +          mrproper        - Remove all generated files + config + various backup files
      +          distclean       - mrproper + remove editor backup and patch files
      +
      +        Configuration targets:
      +          config          - Update current config utilising a line-oriented program
      +          nconfig         - Update current config utilising a ncurses menu based
      +                            program
      +          menuconfig      - Update current config utilising a menu based program
      +          xconfig         - Update current config utilising a Qt based front-end
      +          gconfig         - Update current config utilising a GTK+ based front-end
      +          oldconfig       - Update current config utilising a provided .config as base
      +          localmodconfig  - Update current config disabling modules not loaded
      +          localyesconfig  - Update current config converting local mods to core
      +          silentoldconfig - Same as oldconfig, but quietly, additionally update deps
      +          defconfig       - New config with default from ARCH supplied defconfig
      +          savedefconfig   - Save current config as ./defconfig (minimal config)
      +          allnoconfig     - New config where all options are answered with no
      +          allyesconfig    - New config where all options are accepted with yes
      +          allmodconfig    - New config selecting modules when possible
      +          alldefconfig    - New config with all symbols set to default
      +          randconfig      - New config with random answer to all options
      +          listnewconfig   - List new options
      +          olddefconfig    - Same as silentoldconfig but sets new symbols to their
      +                            default value
      +          kvmconfig       - Enable additional options for kvm guest kernel support
      +          xenconfig       - Enable additional options for xen dom0 and guest kernel support
      +          tinyconfig      - Configure the tiniest possible kernel
      +
      +        Other generic targets:
      +          all             - Build all targets marked with [*]
      +        * vmlinux         - Build the bare kernel
      +        * modules         - Build all modules
      +          modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
      +          firmware_install- Install all firmware to INSTALL_FW_PATH
      +                            (default: $(INSTALL_MOD_PATH)/lib/firmware)
      +          dir/            - Build all files in dir and below
      +          dir/file.[ois]  - Build specified target only
      +          dir/file.lst    - Build specified mixed source/assembly target only
      +                            (requires a recent binutils and recent build (System.map))
      +          dir/file.ko     - Build module including final link
      +          modules_prepare - Set up for building external modules
      +          tags/TAGS       - Generate tags file for editors
      +          cscope          - Generate cscope index
      +          gtags           - Generate GNU GLOBAL index
      +          kernelrelease   - Output the release version string (use with make -s)
      +          kernelversion   - Output the version stored in Makefile (use with make -s)
      +          image_name      - Output the image name (use with make -s)
      +          headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
      +                            (default: ./usr)
      +
      +        Static analysers
      +          checkstack      - Generate a list of stack hogs
      +          namespacecheck  - Name space analysis on compiled kernel
      +          versioncheck    - Sanity check on version.h usage
      +          includecheck    - Check for duplicate included header files
      +          export_report   - List the usages of all exported symbols
      +          headers_check   - Sanity check on exported headers
      +          headerdep       - Detect inclusion cycles in headers
      +          coccicheck      - Check with Coccinelle.
      +
      +        Kernel selftest
      +          kselftest       - Build and run kernel selftest (run as root)
      +                            Build, install, and boot kernel before
      +                            running kselftest on it
      +          kselftest-clean - Remove all generated kselftest files
      +          kselftest-merge - Merge all the config dependencies of kselftest to existed
      +                            .config.
      +
      +        Kernel packaging:
      +          rpm-pkg             - Build both source and binary RPM kernel packages
      +          binrpm-pkg          - Build only the binary kernel RPM package
      +          deb-pkg             - Build both source and binary deb kernel packages
      +          bindeb-pkg          - Build only the binary kernel deb package
      +          tar-pkg             - Build the kernel as an uncompressed tarball
      +          targz-pkg           - Build the kernel as a gzip compressed tarball
      +          tarbz2-pkg          - Build the kernel as a bzip2 compressed tarball
      +          tarxz-pkg           - Build the kernel as a xz compressed tarball
      +          perf-tar-src-pkg    - Build perf-4.9.9-gnu.tar source tarball
      +          perf-targz-src-pkg  - Build perf-4.9.9-gnu.tar.gz source tarball
      +          perf-tarbz2-src-pkg - Build perf-4.9.9-gnu.tar.bz2 source tarball
      +          perf-tarxz-src-pkg  - Build perf-4.9.9-gnu.tar.xz source tarball
      +
      +        Documentation targets:
      +         Linux kernel internal documentation in different formats (Sphinx):
      +          htmldocs        - HTML
      +          latexdocs       - LaTeX
      +          pdfdocs         - PDF
      +          epubdocs        - EPUB
      +          xmldocs         - XML
      +          cleandocs       - clean all generated files
      +
      +          make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
      +          valid values for SPHINXDIRS are: development-process media gpu 80211
      +
      +          make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
      +          configuration. This is e.g. useful to build with nit-picking config.
      +
      +         Linux kernel internal documentation in different formats (DocBook):
      +          htmldocs        - HTML
      +          pdfdocs         - PDF
      +          psdocs          - Postscript
      +          xmldocs         - XML DocBook
      +          mandocs         - man pages
      +          installmandocs  - install man pages generated by mandocs
      +          cleandocs       - clean all generated DocBook files
      +
      +          make DOCBOOKS="s1.xml s2.xml" [target] Generate only docs s1.xml s2.xml
      +          valid values for DOCBOOKS are: z8530book.xml kernel-hacking.xml kernel-locking.xml deviceiobook.xml writing_usb_driver.xml networking.xml kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml debugobjects.xml sh.xml regulator.xml alsa-driver-api.xml writing-an-alsa-driver.xml tracepoint.xml w1.xml writing_musb_glue_layer.xml crypto-API.xml iio.xml
      +
      +          make DOCBOOKS="" [target] Don't generate docs from Docbook
      +             This is useful to generate only the ReST docs (Sphinx)
      +
      +        Architecture specific targets (x86):
      +        * bzImage      - Compressed kernel image (arch/x86/boot/bzImage)
      +          install      - Install kernel using
      +                          (your) ~/bin/installkernel or
      +                          (distribution) /sbin/installkernel or
      +                          install to $(INSTALL_PATH) and run lilo
      +          fdimage      - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
      +          fdimage144   - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
      +          fdimage288   - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
      +          isoimage     - Create a boot CD-ROM image (arch/x86/boot/image.iso)
      +                          bzdisk/fdimage*/isoimage also accept:
      +                          FDARGS="..."  arguments for the booted kernel
      +                          FDINITRD=file initrd for the booted kernel
      +
      +          i386_defconfig           - Build for i386
      +          x86_64_defconfig         - Build for x86_64
      +
      +          make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
      +          make V=2   [targets] 2 => give reason for rebuild of target
      +          make O=dir [targets] Locate all output files in "dir", including .config
      +          make C=1   [targets] Check all c source with $CHECK (sparse by default)
      +          make C=2   [targets] Force check of all c source with $CHECK
      +          make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
      +          make W=n   [targets] Enable extra gcc checks, n=1,2,3 where
      +                        1: warnings which may be relevant and do not occur too often
      +                        2: warnings which occur quite often but may still be relevant
      +                        3: more obscure warnings, can most likely be ignored
      +                        Multiple levels can be combined with W=12 or W=123
      +
      +        Execute "make" or "make all" to build all targets marked with [*]
      +        For further info see the ./README file
      +        $
               
      -

      Create dracut initramfs;

      -        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
      +        $ make -j $(nproc) bzImage modules
      +        $ sudo make modules_install
      +        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.12-grsec
      +        $ sudo cp System.map /boot/System.map-4.9.12-grsec
               

      Update grub;
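Review bot: The pasted `make help` output was captured from a different tree than the one this page builds — `perf-tar-src-pkg - Build perf-4.9.9-gnu.tar` names 4.9.9-gnu while every surrounding step uses 4.9.12-grsec — and roughly 150 lines of generic target listing bury the four commands that matter, `$ make -j $(nproc) bzImage modules` onward. Trim the listing to the targets the page actually uses, or keep only the `$ make help` invocation and refer the reader to it.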

      @@ -98,9 +284,9 @@

      2.1.3. Manual Remove

      -        $ sudo rm -r /lib/modules/4.9.11-gnu
      -        $ sudo rm /boot/vmlinuz-4.9.11-gnu
      -        $ sudo rm /boot/System.map-4.9.11-gnu
      +        $ sudo rm -r /lib/modules/4.9.12-grsec
      +        $ sudo rm /boot/vmlinuz-4.9.12-grsec
      +        $ sudo rm /boot/System.map-4.9.12-grsec
               

      2.1.4. Dracut

      diff --git a/core/ports/linux-blob/.footprint b/core/ports/linux-blob/.footprint
      index 02c767e..62181ac 100644
      --- a/core/ports/linux-blob/.footprint
      +++ b/core/ports/linux-blob/.footprint
@@ -1,56 +1,49 @@ drwxr-xr-x root/root boot/ --rw-r--r-- root/root boot/System.map-4.9.11-blob --rw-r--r-- root/root boot/config-4.9.11-blob --rw-r--r-- root/root boot/vmlinuz-4.9.11-blob +-rw-r--r-- root/root boot/System.map-4.9.12-blob +-rw-r--r-- root/root boot/config-4.9.12-blob +-rw-r--r-- root/root boot/vmlinuz-4.9.12-blob drwxr-xr-x root/root lib/ drwxr-xr-x root/root lib/modules/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/ -lrwxrwxrwx root/root lib/modules/4.9.11-blob/build -> /usr/src/linux-4.9.11 -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/gspca_main.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko --rw-r--r-- root/root 
lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/fs/ -drwxr-xr-x root/root lib/modules/4.9.11-blob/kernel/fs/ntfs/ --rw-r--r-- root/root lib/modules/4.9.11-blob/kernel/fs/ntfs/ntfs.ko --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.alias --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.alias.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.builtin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.builtin.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.dep --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.dep.bin --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.devname (EMPTY) --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.order --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.softdep --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.symbols --rw-r--r-- root/root lib/modules/4.9.11-blob/modules.symbols.bin -lrwxrwxrwx root/root lib/modules/4.9.11-blob/source -> /usr/src/linux-4.9.11 +drwxr-xr-x root/root lib/modules/4.9.12-blob/ +lrwxrwxrwx root/root 
lib/modules/4.9.12-blob/build -> /usr/src/linux-4.9.12 +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/gspca/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/gspca/gspca_main.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/uvc/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/drivers/vhost/ +-rw-r--r-- root/root lib/modules/4.9.12-blob/kernel/drivers/vhost/vhost_scsi.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/fs/ +drwxr-xr-x root/root lib/modules/4.9.12-blob/kernel/fs/ntfs/ +-rw-r--r-- 
root/root lib/modules/4.9.12-blob/kernel/fs/ntfs/ntfs.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.alias +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.alias.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.builtin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.builtin.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.dep (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.dep.bin +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.devname (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.order +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.softdep +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.symbols +-rw-r--r-- root/root lib/modules/4.9.12-blob/modules.symbols.bin +lrwxrwxrwx root/root lib/modules/4.9.12-blob/source -> /usr/src/linux-4.9.12 drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/src/ --rw-r--r-- root/root usr/src/4.9.11-blob-config --rw-r--r-- root/root usr/src/4.9.11-cpu_optimizations.patch --rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.11-201702181444.patch +-rw-r--r-- root/root usr/src/4.9.12-blob-config +-rw-r--r-- root/root usr/src/4.9.12-cpu_optimizations.patch +-rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.12-201702231830.patch diff --git a/core/ports/linux-blob/.md5sum b/core/ports/linux-blob/.md5sum index 8516def..2b23da8 100644 --- a/core/ports/linux-blob/.md5sum +++ b/core/ports/linux-blob/.md5sum 
@@ -1,7 +1,7 @@
-dc71c8f55df123437c468dad7be88757 config-c9
+4cfe0909ea898be7ccc712ab162be13d config-c9
 00bc0d70f200c2673fe7dd6f02053fa4 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-e4eb7eab3a40968c3bd4a0a19339a6a1 grsecurity-3.1-4.9.11-201702181444.patch
-98761ce71c603199fe6fcce600c60772 linux-4.9.11.tar.xz
+83b031b26dc0aeb3ccf8c45785253225 grsecurity-3.1-4.9.12-201702231830.patch
+073dfb3a13bf5836ef2d66e24ccf2ceb linux-4.9.12.tar.xz
 bcf38b0fbf7bd83323f3202ec082b15a port-blob-cpu.patch
-48908f447c73e31c2428cb68b00d1e9c port-blob-grsecurity.patch
-4a443bf320ede9f5cb183843e85b3b62 port-blob-make.patch
+e22c8ae9bf05e1e85f5e6e6827cef368 port-blob-grsecurity.patch
+33a67ae0d1cc89895a91ff95e3565b5e port-blob-make.patch
diff --git a/core/ports/linux-blob/Pkgfile b/core/ports/linux-blob/Pkgfile
index b312361..d9767b1 100644
--- a/core/ports/linux-blob/Pkgfile
+++ b/core/ports/linux-blob/Pkgfile
@@ -4,11 +4,11 @@ # Depends on: grub2 dracut name=linux-blob -version=4.9.11 -release=3 +version=4.9.12 +release=2 source=(https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$version.tar.xz \ https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \ - http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \ + http://grsecurity.net/test/grsecurity-3.1-4.9.12-201702231830.patch \ port-blob-grsecurity.patch \ port-blob-make.patch \ port-blob-cpu.patch \
@@ -22,26 +22,31 @@ build() { install -m 0644 $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch # /usr/src/grsecurity-version.patch - install -m 0644 $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/ + install -m 0644 $SRC/grsecurity-3.1-4.9.12-201702231830.patch $PKG/usr/src/ patch < port-blob-grsecurity.patch patch < port-blob-cpu.patch + # fix to build under tpe + chmod -R go-w linux-$version + cd linux-$version patch < ${SRC}/port-blob-make.patch make distclean - patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch + patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cp $SRC/config-c9 .config make silentoldconfig - make nconfig + # make nconfig # make localmodconfig + make prepare + install -m 0644 .config $PKG/usr/src/${version}-blob-config make LOCALVERSION= bzImage modules
diff --git a/core/ports/linux-blob/config-c9 b/core/ports/linux-blob/config-c9
index 2b0bb4b..0bd5108 100644
--- a/core/ports/linux-blob/config-c9
+++ b/core/ports/linux-blob/config-c9
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.11-blob Kernel Configuration +# Linux/x86 4.9.12-blob Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y
@@ -62,10 +62,10 @@ CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y -# CONFIG_KERNEL_GZIP is not set +CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set -CONFIG_KERNEL_XZ=y +# CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_LZO is not set # CONFIG_KERNEL_LZ4 is not set CONFIG_DEFAULT_HOSTNAME="(none)"
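Review bot: The `install -m 0644 $SRC/grsecurity-3.1-4.9.12-201702231830.patch $PKG/usr/src/` line copies the grsecurity patch into the package before the following `patch < port-blob-grsecurity.patch` rewrites that same file in `$SRC` (the port-blob-grsecurity.patch diff further down in this commit targets exactly that filename), so the reference copy shipped under /usr/src is not the patch that `patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch` later applies to the tree; the `enable_additional_cpu_optimizations` copy on the line above appears to have the same relation to `port-blob-cpu.patch`. Moving both `install` lines to just after `patch < port-blob-cpu.patch` makes what lands in /usr/src match what actually went into the kernel, which is what anyone auditing this build will diff against. The new `# fix to build under tpe` comment should say what is being fixed, e.g. `# TPE denies execution from group/world-writable directories; clear those bits so the tree's build scripts can run`, and it is worth noting that `chmod -R go-w` only clears write bits, so whether it suffices also depends on the ownership rules of the TPE policy on the build host. build() starts before and ends after this hunk.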
@@ -76,11 +76,8 @@ CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_FHANDLE=y -CONFIG_AUDIT=y +# CONFIG_AUDIT is not set CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT_WATCH=y -CONFIG_AUDIT_TREE=y # # IRQ subsystem @@ -119,12 +116,13 @@ CONFIG_HIGH_RES_TIMERS=y # CONFIG_TICK_CPU_ACCOUNTING=y # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set -CONFIG_IRQ_TIME_ACCOUNTING=y +# CONFIG_IRQ_TIME_ACCOUNTING is not set CONFIG_BSD_PROCESS_ACCT=y CONFIG_BSD_PROCESS_ACCT_V3=y CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y -# CONFIG_TASK_XACCT is not set +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y # # RCU Subsystem @@ -138,7 +136,7 @@ CONFIG_RCU_STALL_COMMON=y CONFIG_BUILD_BIN2C=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=18 +CONFIG_LOG_BUF_SHIFT=19 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_NMI_LOG_BUF_SHIFT=13 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y @@ -149,14 +147,15 @@ CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y -# CONFIG_MEMCG_SWAP is not set +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_BLK_CGROUP=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y CONFIG_CGROUP_WRITEBACK=y CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y -# CONFIG_CFS_BANDWIDTH is not set -# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_PIDS=y # CONFIG_CGROUP_FREEZER is not set CONFIG_CPUSETS=y @@ -211,7 +210,7 @@ CONFIG_EPOLL=y CONFIG_SIGNALFD=y CONFIG_TIMERFD=y CONFIG_EVENTFD=y -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_SHMEM=y CONFIG_AIO=y CONFIG_ADVISE_SYSCALLS=y 
@@ -234,11 +233,13 @@ CONFIG_SLUB=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLUB_CPU_PARTIAL=y CONFIG_SYSTEM_DATA_VERIFICATION=y -# CONFIG_PROFILING is not set +CONFIG_PROFILING=y +# CONFIG_OPROFILE is not set CONFIG_HAVE_OPROFILE=y CONFIG_OPROFILE_NMI_TIMER=y CONFIG_KPROBES=y -# CONFIG_JUMP_LABEL is not set +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set CONFIG_OPTPROBES=y # CONFIG_UPROBES is not set # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set @@ -279,8 +280,8 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y CONFIG_HAVE_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_NONE is not set -CONFIG_CC_STACKPROTECTOR_REGULAR=y -# CONFIG_CC_STACKPROTECTOR_STRONG is not set +# CONFIG_CC_STACKPROTECTOR_REGULAR is not set +CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y @@ -299,7 +300,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set -# CONFIG_ISA_BUS_API is not set +CONFIG_ISA_BUS_API=y CONFIG_OLD_SIGSUSPEND3=y CONFIG_COMPAT_OLD_SIGACTION=y # CONFIG_CPU_NO_EFFICIENT_FFS is not set @@ -328,14 +329,16 @@ CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_SHA384 is not set # CONFIG_MODULE_SIG_SHA512 is not set CONFIG_MODULE_SIG_HASH="sha256" -# CONFIG_MODULE_COMPRESS is not set +CONFIG_MODULE_COMPRESS=y +CONFIG_MODULE_COMPRESS_GZIP=y +# CONFIG_MODULE_COMPRESS_XZ is not set CONFIG_TRIM_UNUSED_KSYMS=y CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y CONFIG_BLK_DEV_INTEGRITY=y -# CONFIG_BLK_DEV_THROTTLING is not set +CONFIG_BLK_DEV_THROTTLING=y # CONFIG_BLK_CMDLINE_PARSER is not set # @@ -399,6 +402,7 @@ CONFIG_ZONE_DMA=y CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set # CONFIG_X86_EXTENDED_PLATFORM is not set 
@@ -407,6 +411,14 @@ CONFIG_X86_INTEL_LPSS=y CONFIG_IOSF_MBI=y CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +# CONFIG_PARAVIRT_DEBUG is not set +CONFIG_PARAVIRT_SPINLOCKS=y +# CONFIG_XEN is not set +CONFIG_KVM_GUEST=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_PARAVIRT_CLOCK=y CONFIG_NO_BOOTMEM=y # CONFIG_MK8 is not set # CONFIG_MK8SSE3 is not set @@ -457,8 +469,8 @@ CONFIG_IOMMU_HELPER=y CONFIG_NR_CPUS=4 CONFIG_SCHED_SMT=y CONFIG_SCHED_MC=y -CONFIG_PREEMPT_NONE=y -# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT_NONE is not set +CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y @@ -494,6 +506,7 @@ CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y @@ -509,8 +522,11 @@ CONFIG_HAVE_MEMBLOCK_NODE_MAP=y CONFIG_ARCH_DISCARD_MEMBLOCK=y CONFIG_MEMORY_ISOLATION=y # CONFIG_MOVABLE_NODE is not set -# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set -# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +CONFIG_MEMORY_HOTREMOVE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_MEMORY_BALLOON=y 
@@ -518,18 +534,21 @@ CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y CONFIG_PHYS_ADDR_T_64BIT=y -# CONFIG_BOUNCE is not set +CONFIG_BOUNCE=y CONFIG_VIRT_TO_BUS=y CONFIG_MMU_NOTIFIER=y -# CONFIG_KSM is not set -CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_KSM=y +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y CONFIG_MEMORY_FAILURE=y -# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y +# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set +CONFIG_TRANSPARENT_HUGE_PAGECACHE=y CONFIG_CLEANCACHE=y CONFIG_FRONTSWAP=y # CONFIG_CMA is not set -# CONFIG_ZSWAP is not set +CONFIG_ZSWAP=y CONFIG_ZPOOL=y CONFIG_ZBUD=y CONFIG_Z3FOLD=y @@ -537,7 +556,9 @@ CONFIG_ZSMALLOC=y # CONFIG_PGTABLE_MAPPING is not set CONFIG_GENERIC_EARLY_IOREMAP=y CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set # CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ZONE_DEVICE=y CONFIG_FRAME_VECTOR=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y @@ -546,7 +567,9 @@ CONFIG_X86_CHECK_BIOS_CORRUPTION=y CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y CONFIG_X86_RESERVE_LOW=64 CONFIG_MTRR=y -# CONFIG_MTRR_SANITIZER is not set +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 CONFIG_X86_PAT=y CONFIG_ARCH_USES_PG_UNCACHED=y CONFIG_ARCH_RANDOM=y @@ -554,7 +577,8 @@ CONFIG_X86_SMAP=y CONFIG_X86_INTEL_MPX=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_EFI=y -# CONFIG_EFI_STUB is not set +CONFIG_EFI_STUB=y +CONFIG_EFI_MIXED=y CONFIG_SECCOMP=y # CONFIG_HZ_100 is not set # CONFIG_HZ_250 is not set 
@@ -567,7 +591,9 @@ CONFIG_CRASH_DUMP=y CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y CONFIG_PHYSICAL_ALIGN=0x1000000 -# CONFIG_HOTPLUG_CPU is not set +CONFIG_HOTPLUG_CPU=y +# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set +# CONFIG_DEBUG_HOTPLUG_CPU0 is not set CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_LEGACY_VSYSCALL_NONE is not set # CONFIG_CMDLINE_BOOL is not set @@ -575,6 +601,7 @@ CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y # @@ -583,6 +610,7 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND is not set CONFIG_PM=y # CONFIG_PM_DEBUG is not set +CONFIG_PM_OPP=y CONFIG_PM_CLK=y # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set CONFIG_ACPI=y @@ -591,8 +619,8 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y # CONFIG_ACPI_DEBUGGER is not set # CONFIG_ACPI_PROCFS_POWER is not set -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -# CONFIG_ACPI_EC_DEBUGFS is not set +# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set +CONFIG_ACPI_EC_DEBUGFS=y CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y CONFIG_ACPI_BUTTON=y @@ -603,7 +631,8 @@ CONFIG_ACPI_CPU_FREQ_PSS=y CONFIG_ACPI_PROCESSOR_CSTATE=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_PROCESSOR=y -# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y CONFIG_ACPI_THERMAL=y CONFIG_ACPI_NUMA=y # CONFIG_ACPI_CUSTOM_DSDT is not set @@ -613,6 +642,7 @@ CONFIG_ACPI_TABLE_UPGRADE=y CONFIG_ACPI_PCI_SLOT=y CONFIG_X86_PM_TIMER=y CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_ACPI_SBS=y CONFIG_ACPI_HED=y 
@@ -626,16 +656,48 @@ CONFIG_ACPI_APEI_GHES=y CONFIG_ACPI_APEI_PCIEAER=y # CONFIG_ACPI_APEI_MEMORY_FAILURE is not set # CONFIG_ACPI_APEI_ERST_DEBUG is not set -# CONFIG_DPTF_POWER is not set +CONFIG_DPTF_POWER=y # CONFIG_ACPI_EXTLOG is not set -# CONFIG_PMIC_OPREGION is not set +CONFIG_PMIC_OPREGION=y CONFIG_ACPI_CONFIGFS=y CONFIG_SFI=y # # CPU Frequency scaling # -# CONFIG_CPU_FREQ is not set +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +# CONFIG_CPU_FREQ_STAT is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y + +# +# CPU frequency scaling drivers +# +CONFIG_CPUFREQ_DT=y +CONFIG_CPUFREQ_DT_PLATDEV=y +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=y +# CONFIG_X86_POWERNOW_K8 is not set +# CONFIG_X86_SPEEDSTEP_CENTRINO is not set +# CONFIG_X86_P4_CLOCKMOD is not set + +# +# shared options +# +# CONFIG_X86_SPEEDSTEP_LIB is not set # # CPU Idle 
@@ -644,24 +706,25 @@ CONFIG_CPU_IDLE=y CONFIG_CPU_IDLE_GOV_LADDER=y CONFIG_CPU_IDLE_GOV_MENU=y # CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set -# CONFIG_INTEL_IDLE is not set +CONFIG_INTEL_IDLE=y # # Memory power savings # -# CONFIG_I7300_IDLE is not set +CONFIG_I7300_IDLE_IOAT_CHANNEL=y +CONFIG_I7300_IDLE=y # # Bus options (PCI etc.) # CONFIG_PCI=y CONFIG_PCI_DIRECT=y -# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_MMCONFIG=y CONFIG_PCI_DOMAINS=y # CONFIG_PCI_CNB20LE_QUIRK is not set CONFIG_PCIEPORTBUS=y CONFIG_PCIEAER=y -# CONFIG_PCIE_ECRC is not set +CONFIG_PCIE_ECRC=y # CONFIG_PCIEAER_INJECT is not set CONFIG_PCIEASPM=y # CONFIG_PCIEASPM_DEBUG is not set @@ -669,13 +732,13 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set CONFIG_PCIE_PME=y -# CONFIG_PCIE_DPC is not set -# CONFIG_PCIE_PTM is not set +CONFIG_PCIE_DPC=y +CONFIG_PCIE_PTM=y CONFIG_PCI_BUS_ADDR_T_64BIT=y CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y # CONFIG_PCI_DEBUG is not set -# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +CONFIG_PCI_REALLOC_ENABLE_AUTO=y # CONFIG_PCI_STUB is not set CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y @@ -691,11 +754,11 @@ CONFIG_PCI_LABEL=y CONFIG_PCIE_DW_PLAT=y CONFIG_PCIE_DW=y # CONFIG_VMD is not set -# CONFIG_ISA_BUS is not set +CONFIG_ISA_BUS=y CONFIG_ISA_DMA_API=y # CONFIG_PCCARD is not set # CONFIG_RAPIDIO is not set -CONFIG_X86_SYSFB=y +# CONFIG_X86_SYSFB is not set # # Executable file formats / Emulations @@ -706,7 +769,7 @@ CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set -# CONFIG_BINFMT_MISC is not set +CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y CONFIG_IA32_EMULATION=y CONFIG_IA32_AOUT=y @@ -862,7 +925,6 @@ CONFIG_NETFILTER_XT_SET=y # # Xtables targets # -CONFIG_NETFILTER_XT_TARGET_AUDIT=y CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y CONFIG_NETFILTER_XT_TARGET_CONNMARK=y 
@@ -1242,10 +1304,11 @@ CONFIG_HAVE_EBPF_JIT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y CONFIG_STANDALONE=y -CONFIG_PREVENT_FIRMWARE_BUILD=y +# CONFIG_PREVENT_FIRMWARE_BUILD is not set CONFIG_FW_LOADER=y CONFIG_FIRMWARE_IN_KERNEL=y -CONFIG_EXTRA_FIRMWARE="" +CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode" +CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" CONFIG_FW_LOADER_USER_HELPER=y CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y CONFIG_WANT_DEV_COREDUMP=y @@ -1318,9 +1381,7 @@ CONFIG_VIRTIO_BLK=y # CONFIG_BLK_DEV_HD is not set # CONFIG_BLK_DEV_RBD is not set # CONFIG_BLK_DEV_RSXX is not set -CONFIG_NVME_CORE=y -CONFIG_BLK_DEV_NVME=y -# CONFIG_BLK_DEV_NVME_SCSI is not set +# CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_TARGET is not set # @@ -1379,7 +1440,7 @@ CONFIG_INTEL_MEI_TXE=y # # Intel MIC Bus Driver # -CONFIG_INTEL_MIC_BUS=y +# CONFIG_INTEL_MIC_BUS is not set # # SCIF Bus Driver @@ -1537,7 +1598,7 @@ CONFIG_SATA_AHCI_PLATFORM=y CONFIG_MD=y CONFIG_BLK_DEV_MD=y CONFIG_MD_AUTODETECT=y -# CONFIG_MD_LINEAR is not set +CONFIG_MD_LINEAR=y CONFIG_MD_RAID0=y CONFIG_MD_RAID1=y CONFIG_MD_RAID10=y @@ -1571,7 +1632,13 @@ CONFIG_DM_UEVENT=y # CONFIG_DM_VERITY is not set # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set -# CONFIG_TARGET_CORE is not set +CONFIG_TARGET_CORE=y +# CONFIG_TCM_IBLOCK is not set +# CONFIG_TCM_FILEIO is not set +# CONFIG_TCM_PSCSI is not set +# CONFIG_TCM_USER2 is not set +# CONFIG_LOOPBACK_TARGET is not set +# CONFIG_ISCSI_TARGET is not set CONFIG_FUSION=y CONFIG_FUSION_SPI=y CONFIG_FUSION_FC=y @@ -1747,11 +1814,10 @@ CONFIG_WLAN_VENDOR_INTEL=y # CONFIG_IPW2200 is not set # CONFIG_IWL4965 is not set # CONFIG_IWL3945 is not set -CONFIG_IWLWIFI=m +CONFIG_IWLWIFI=y CONFIG_IWLWIFI_LEDS=y -CONFIG_IWLDVM=m -CONFIG_IWLMVM=m -CONFIG_IWLWIFI_OPMODE_MODULAR=y +CONFIG_IWLDVM=y +CONFIG_IWLMVM=y # CONFIG_IWLWIFI_BCAST_FILTERING is not set CONFIG_IWLWIFI_PCIE_RTPM=y 
@@ -1843,6 +1909,7 @@ CONFIG_MOUSE_PS2_ELANTECH=y # CONFIG_MOUSE_PS2_SENTELIC is not set # CONFIG_MOUSE_PS2_TOUCHKIT is not set CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_PS2_VMMOUSE is not set CONFIG_MOUSE_SERIAL=y # CONFIG_MOUSE_APPLETOUCH is not set # CONFIG_MOUSE_BCM5974 is not set @@ -1962,7 +2029,7 @@ CONFIG_I2C_MUX=y # Multiplexer I2C Chip support # # CONFIG_I2C_ARB_GPIO_CHALLENGE is not set -CONFIG_I2C_MUX_GPIO=y +# CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PCA954x is not set # CONFIG_I2C_MUX_PINCTRL is not set @@ -1986,7 +2053,7 @@ CONFIG_I2C_ALGOBIT=y # CONFIG_I2C_AMD8111 is not set CONFIG_I2C_I801=y # CONFIG_I2C_ISCH is not set -# CONFIG_I2C_ISMT is not set +CONFIG_I2C_ISMT=y # CONFIG_I2C_PIIX4 is not set # CONFIG_I2C_NFORCE2 is not set # CONFIG_I2C_SIS5595 is not set @@ -2007,7 +2074,7 @@ CONFIG_I2C_SCMI=y CONFIG_I2C_DESIGNWARE_CORE=y CONFIG_I2C_DESIGNWARE_PLATFORM=y CONFIG_I2C_DESIGNWARE_PCI=y -# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set +CONFIG_I2C_DESIGNWARE_BAYTRAIL=y # CONFIG_I2C_EMEV2 is not set # CONFIG_I2C_GPIO is not set # CONFIG_I2C_OCORES is not set @@ -2048,9 +2115,9 @@ CONFIG_SPI_BITBANG=y # CONFIG_SPI_CADENCE is not set CONFIG_SPI_DESIGNWARE=y CONFIG_SPI_DW_PCI=y -# CONFIG_SPI_DW_MID_DMA is not set +CONFIG_SPI_DW_MID_DMA=y CONFIG_SPI_DW_MMIO=y -CONFIG_SPI_GPIO=y +# CONFIG_SPI_GPIO is not set # CONFIG_SPI_FSL_SPI is not set # CONFIG_SPI_OC_TINY is not set # CONFIG_SPI_PXA2XX is not set @@ -2067,7 +2134,7 @@ CONFIG_SPI_GPIO=y # CONFIG_SPI_SPIDEV is not set # CONFIG_SPI_LOOPBACK_TEST is not set # CONFIG_SPI_TLE62X0 is not set -# CONFIG_SPMI is not set +CONFIG_SPMI=y # CONFIG_HSI is not set # @@ -2108,7 +2175,7 @@ CONFIG_GPIOLIB=y CONFIG_OF_GPIO=y CONFIG_GPIO_ACPI=y # CONFIG_DEBUG_GPIO is not set -CONFIG_GPIO_SYSFS=y +# CONFIG_GPIO_SYSFS is not set # # Memory mapped GPIO drivers 
@@ -2119,7 +2186,7 @@ CONFIG_GPIO_SYSFS=y # CONFIG_GPIO_DWAPB is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_GRGPIO is not set -CONFIG_GPIO_ICH=y +# CONFIG_GPIO_ICH is not set # CONFIG_GPIO_LYNXPOINT is not set # CONFIG_GPIO_MOCKUP is not set # CONFIG_GPIO_VX855 is not set @@ -2129,10 +2196,15 @@ CONFIG_GPIO_ICH=y # # Port-mapped I/O GPIO drivers # +# CONFIG_GPIO_104_DIO_48E is not set +# CONFIG_GPIO_104_IDIO_16 is not set +# CONFIG_GPIO_104_IDI_48 is not set # CONFIG_GPIO_F7188X is not set +# CONFIG_GPIO_GPIO_MM is not set # CONFIG_GPIO_IT87 is not set # CONFIG_GPIO_SCH is not set # CONFIG_GPIO_SCH311X is not set +# CONFIG_GPIO_WS16C48 is not set # # I2C GPIO expanders @@ -2176,7 +2248,34 @@ CONFIG_GPIO_ICH=y # # USB GPIO expanders # -# CONFIG_W1 is not set +CONFIG_W1=y +CONFIG_W1_CON=y + +# +# 1-wire Bus Masters +# +# CONFIG_W1_MASTER_MATROX is not set +# CONFIG_W1_MASTER_DS2490 is not set +# CONFIG_W1_MASTER_DS2482 is not set +# CONFIG_W1_MASTER_DS1WM is not set +# CONFIG_W1_MASTER_GPIO is not set + +# +# 1-wire Slaves +# +CONFIG_W1_SLAVE_THERM=y +# CONFIG_W1_SLAVE_SMEM is not set +# CONFIG_W1_SLAVE_DS2408 is not set +# CONFIG_W1_SLAVE_DS2413 is not set +# CONFIG_W1_SLAVE_DS2406 is not set +# CONFIG_W1_SLAVE_DS2423 is not set +# CONFIG_W1_SLAVE_DS2431 is not set +# CONFIG_W1_SLAVE_DS2433 is not set +# CONFIG_W1_SLAVE_DS2760 is not set +# CONFIG_W1_SLAVE_DS2780 is not set +# CONFIG_W1_SLAVE_DS2781 is not set +# CONFIG_W1_SLAVE_DS28E04 is not set +# CONFIG_W1_SLAVE_BQ27000 is not set # CONFIG_POWER_AVS is not set # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y @@ -2190,7 +2289,6 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_BQ27XXX is not set # CONFIG_BATTERY_MAX17040 is not set # CONFIG_BATTERY_MAX17042 is not set -# CONFIG_CHARGER_ISP1704 is not set # CONFIG_CHARGER_MAX8903 is not set # CONFIG_CHARGER_LP8727 is not set # CONFIG_CHARGER_GPIO is not set 
@@ -2361,12 +2459,14 @@ CONFIG_THERMAL_GOV_STEP_WISE=y # CONFIG_THERMAL_GOV_BANG_BANG is not set CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +# CONFIG_CPU_THERMAL is not set +# CONFIG_CLOCK_THERMAL is not set +# CONFIG_DEVFREQ_THERMAL is not set # CONFIG_THERMAL_EMULATION is not set # CONFIG_QORIQ_THERMAL is not set # CONFIG_INTEL_POWERCLAMP is not set CONFIG_X86_PKG_TEMP_THERMAL=y -CONFIG_INTEL_SOC_DTS_IOSF_CORE=y -CONFIG_INTEL_SOC_DTS_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set # # ACPI INT340X thermal drivers @@ -2375,7 +2475,7 @@ CONFIG_INTEL_SOC_DTS_THERMAL=y CONFIG_INTEL_PCH_THERMAL=y CONFIG_WATCHDOG=y CONFIG_WATCHDOG_CORE=y -CONFIG_WATCHDOG_NOWAYOUT=y +# CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_WATCHDOG_SYSFS=y # @@ -2393,6 +2493,7 @@ CONFIG_WATCHDOG_SYSFS=y # CONFIG_ADVANTECH_WDT is not set # CONFIG_ALIM1535_WDT is not set # CONFIG_ALIM7101_WDT is not set +# CONFIG_EBC_C384_WDT is not set # CONFIG_F71808E_WDT is not set # CONFIG_SP5100_TCO is not set # CONFIG_SBC_FITPC2_WATCHDOG is not set @@ -2444,18 +2545,7 @@ CONFIG_SSB_POSSIBLE=y # # Sonics Silicon Backplane # -CONFIG_SSB=y -CONFIG_SSB_SPROM=y -CONFIG_SSB_PCIHOST_POSSIBLE=y -CONFIG_SSB_PCIHOST=y -# CONFIG_SSB_B43_PCI_BRIDGE is not set -CONFIG_SSB_SDIOHOST_POSSIBLE=y -# CONFIG_SSB_SDIOHOST is not set -# CONFIG_SSB_SILENT is not set -# CONFIG_SSB_DEBUG is not set -CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y -CONFIG_SSB_DRIVER_PCICORE=y -# CONFIG_SSB_DRIVER_GPIO is not set +# CONFIG_SSB is not set CONFIG_BCMA_POSSIBLE=y # @@ -2751,7 +2841,7 @@ CONFIG_AGP_INTEL=y # CONFIG_AGP_VIA is not set CONFIG_INTEL_GTT=y CONFIG_VGA_ARB=y -CONFIG_VGA_ARB_MAX_GPUS=1 +CONFIG_VGA_ARB_MAX_GPUS=2 # CONFIG_VGA_SWITCHEROO is not set CONFIG_DRM=y CONFIG_DRM_MIPI_DSI=y 
@@ -3047,13 +3137,13 @@ CONFIG_SND_HDA_RECONFIG=y CONFIG_SND_HDA_INPUT_BEEP=y CONFIG_SND_HDA_INPUT_BEEP_MODE=1 # CONFIG_SND_HDA_PATCH_LOADER is not set -CONFIG_SND_HDA_CODEC_REALTEK=y -# CONFIG_SND_HDA_CODEC_ANALOG is not set +# CONFIG_SND_HDA_CODEC_REALTEK is not set +CONFIG_SND_HDA_CODEC_ANALOG=y # CONFIG_SND_HDA_CODEC_SIGMATEL is not set # CONFIG_SND_HDA_CODEC_VIA is not set CONFIG_SND_HDA_CODEC_HDMI=y # CONFIG_SND_HDA_CODEC_CIRRUS is not set -# CONFIG_SND_HDA_CODEC_CONEXANT is not set +CONFIG_SND_HDA_CODEC_CONEXANT=y # CONFIG_SND_HDA_CODEC_CA0110 is not set # CONFIG_SND_HDA_CODEC_CA0132 is not set # CONFIG_SND_HDA_CODEC_CMEDIA is not set @@ -3177,10 +3267,9 @@ CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set -CONFIG_USB_OTG=y +# CONFIG_USB_OTG is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -CONFIG_USB_OTG_FSM=y # CONFIG_USB_LEDS_TRIGGER_USBPORT is not set CONFIG_USB_MON=y # CONFIG_USB_WUSB_CBAF is not set @@ -3204,12 +3293,10 @@ CONFIG_USB_EHCI_HCD_PLATFORM=y # CONFIG_USB_MAX3421_HCD is not set CONFIG_USB_OHCI_HCD=y CONFIG_USB_OHCI_HCD_PCI=y -# CONFIG_USB_OHCI_HCD_SSB is not set -# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_OHCI_HCD_PLATFORM=y CONFIG_USB_UHCI_HCD=y # CONFIG_USB_SL811_HCD is not set # CONFIG_USB_R8A66597_HCD is not set -# CONFIG_USB_HCD_SSB is not set # CONFIG_USB_HCD_TEST_MODE is not set # 
@@ -3251,23 +3338,8 @@ CONFIG_USB_UAS=y # CONFIG_USB_MICROTEK is not set # CONFIG_USBIP_CORE is not set # CONFIG_USB_MUSB_HDRC is not set -CONFIG_USB_DWC3=y -CONFIG_USB_DWC3_HOST=y - -# -# Platform Glue Driver Support -# -CONFIG_USB_DWC3_PCI=y -CONFIG_USB_DWC3_OF_SIMPLE=y -CONFIG_USB_DWC2=y -CONFIG_USB_DWC2_HOST=y - -# -# Gadget/Dual-role mode requires USB Gadget support to be enabled -# -# CONFIG_USB_DWC2_PCI is not set -# CONFIG_USB_DWC2_DEBUG is not set -# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_DWC3 is not set +# CONFIG_USB_DWC2 is not set # CONFIG_USB_CHIPIDEA is not set # CONFIG_USB_ISP1760 is not set @@ -3359,13 +3431,13 @@ CONFIG_USB_SERIAL_FTDI_SIO=y # # USB Physical Layer drivers # -CONFIG_USB_PHY=y +# CONFIG_USB_PHY is not set # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_GPIO_VBUS is not set # CONFIG_USB_ISP1301 is not set # CONFIG_USB_GADGET is not set -# CONFIG_USB_LED_TRIG is not set -# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=y # CONFIG_UWB is not set CONFIG_MMC=y # CONFIG_MMC_DEBUG is not set @@ -3398,7 +3470,7 @@ CONFIG_MMC_SPI=y # CONFIG_MMC_CB710 is not set # CONFIG_MMC_VIA_SDMMC is not set # CONFIG_MMC_VUB300 is not set -# CONFIG_MMC_USHC is not set +CONFIG_MMC_USHC=y # CONFIG_MMC_USDHI6ROL0 is not set # CONFIG_MMC_TOSHIBA_PCI is not set # CONFIG_MMC_MTK is not set 
@@ -3465,7 +3537,24 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_INFINIBAND is not set CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y -# CONFIG_EDAC is not set +CONFIG_EDAC=y +# CONFIG_EDAC_LEGACY_SYSFS is not set +# CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_MM_EDAC=y +CONFIG_EDAC_GHES=y +# CONFIG_EDAC_E752X is not set +# CONFIG_EDAC_I82975X is not set +# CONFIG_EDAC_I3000 is not set +# CONFIG_EDAC_I3200 is not set +# CONFIG_EDAC_IE31200 is not set +# CONFIG_EDAC_X38 is not set +# CONFIG_EDAC_I5400 is not set +# CONFIG_EDAC_I7CORE is not set +# CONFIG_EDAC_I5000 is not set +# CONFIG_EDAC_I5100 is not set +# CONFIG_EDAC_I7300 is not set +CONFIG_EDAC_SBRIDGE=y +# CONFIG_EDAC_SKX is not set CONFIG_RTC_LIB=y CONFIG_RTC_MC146818_LIB=y CONFIG_RTC_CLASS=y @@ -3581,11 +3670,10 @@ CONFIG_DMA_OF=y # CONFIG_FSL_EDMA is not set CONFIG_INTEL_IDMA64=y CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_MIC_X100_DMA=y # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y -# CONFIG_DW_DMAC is not set +CONFIG_DW_DMAC=y CONFIG_DW_DMAC_PCI=y CONFIG_HSU_DMA=y @@ -3601,7 +3689,8 @@ CONFIG_DMA_ENGINE_RAID=y # # CONFIG_SYNC_FILE is not set CONFIG_DCA=y -# CONFIG_AUXDISPLAY is not set +CONFIG_AUXDISPLAY=y +# CONFIG_IMG_ASCII_LCD is not set CONFIG_UIO=y # CONFIG_UIO_CIF is not set # CONFIG_UIO_PDRV_GENIRQ is not set @@ -3621,7 +3710,7 @@ CONFIG_VIRTIO=y # Virtio drivers # CONFIG_VIRTIO_PCI=y -CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_PCI_LEGACY is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_MMIO=y @@ -3630,6 +3719,7 @@ CONFIG_VIRTIO_MMIO=y # # Microsoft Hyper-V guest support # +# CONFIG_HYPERV is not set # CONFIG_STAGING is not set CONFIG_X86_PLATFORM_DEVICES=y # CONFIG_ACER_WMI is not set @@ -3726,7 +3816,7 @@ CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_FLOPPY_WA=y -# CONFIG_IRQ_REMAP is not set +CONFIG_IRQ_REMAP=y # # Remoteproc drivers 
@@ -3746,7 +3836,21 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y # # CONFIG_SUNXI_SRAM is not set # CONFIG_SOC_TI is not set -# CONFIG_PM_DEVFREQ is not set +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +# CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND is not set +# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set +# CONFIG_DEVFREQ_GOV_POWERSAVE is not set +# CONFIG_DEVFREQ_GOV_USERSPACE is not set +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +# CONFIG_PM_DEVFREQ_EVENT is not set # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set # CONFIG_IIO is not set @@ -3766,8 +3870,9 @@ CONFIG_GENERIC_PHY=y # CONFIG_PHY_PXA_28NM_HSIC is not set # CONFIG_PHY_PXA_28NM_USB2 is not set # CONFIG_BCM_KONA_USB2_PHY is not set -# CONFIG_PHY_SAMSUNG_USB2 is not set -# CONFIG_POWERCAP is not set +# CONFIG_PHY_TUSB1210 is not set +CONFIG_POWERCAP=y +CONFIG_INTEL_RAPL=y # CONFIG_MCB is not set # @@ -3781,6 +3886,7 @@ CONFIG_RAS=y # # CONFIG_ANDROID is not set # CONFIG_LIBNVDIMM is not set +# CONFIG_DEV_DAX is not set # CONFIG_NVMEM is not set # CONFIG_STM is not set # CONFIG_INTEL_TH is not set @@ -3846,7 +3952,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set # CONFIG_BTRFS_DEBUG is not set # CONFIG_BTRFS_ASSERT is not set -CONFIG_NILFS2_FS=y +# CONFIG_NILFS2_FS is not set CONFIG_F2FS_FS=y CONFIG_F2FS_FS_XATTR=y CONFIG_F2FS_FS_POSIX_ACL=y @@ -3866,8 +3972,14 @@ CONFIG_DNOTIFY=y CONFIG_INOTIFY_USER=y CONFIG_FANOTIFY=y # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set -# CONFIG_QUOTA is not set -# CONFIG_QUOTACTL is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_QUOTACTL_COMPAT=y # CONFIG_AUTOFS4_FS is not set CONFIG_FUSE_FS=y # CONFIG_CUSE is not set 
@@ -4122,6 +4234,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21 # CONFIG_RCU_EQS_DEBUG is not set # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set # CONFIG_FAULT_INJECTION is not set CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_FUNCTION_TRACER=y @@ -4195,7 +4308,7 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0 # CONFIG_OPTIMIZE_INLINING is not set # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set -CONFIG_X86_DEBUG_FPU=y +# CONFIG_X86_DEBUG_FPU is not set # # Security options @@ -4207,29 +4320,11 @@ CONFIG_X86_DEBUG_FPU=y CONFIG_PAX_PER_CPU_PGD=y CONFIG_TASK_SIZE_MAX_SHIFT=42 CONFIG_GRKERNSEC=y -CONFIG_GRKERNSEC_CONFIG_AUTO=y -# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set -# CONFIG_GRKERNSEC_CONFIG_SERVER is not set -CONFIG_GRKERNSEC_CONFIG_DESKTOP=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y -CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set -# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set -CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y - -# -# Default Special Groups -# -CONFIG_GRKERNSEC_PROC_GID=1001 -CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005 -CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006 +# CONFIG_GRKERNSEC_CONFIG_AUTO is not set +CONFIG_GRKERNSEC_CONFIG_CUSTOM=y +CONFIG_GRKERNSEC_PROC_GID=4 +CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100 +CONFIG_GRKERNSEC_SYMLINKOWN_GID=15 # # Customize Configuration @@ -4244,7 +4339,7 @@ CONFIG_PAX=y # PaX Control # # CONFIG_PAX_SOFTMODE is not set -CONFIG_PAX_EI_PAX=y +# CONFIG_PAX_EI_PAX is not set CONFIG_PAX_PT_PAX_FLAGS=y CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set 
@@ -4264,7 +4359,6 @@ CONFIG_PAX_KERNEXEC=y CONFIG_PAX_KERNEXEC_PLUGIN=y # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y -# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set # # Address Space Layout Randomization @@ -4306,14 +4400,14 @@ CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_MODHARDEN=y CONFIG_GRKERNSEC_HIDESYM=y CONFIG_GRKERNSEC_RANDSTRUCT=y -# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set +CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y CONFIG_GRKERNSEC_KERN_LOCKOUT=y # # Role Based Access Control Options # # CONFIG_GRKERNSEC_NO_RBAC is not set -# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set +CONFIG_GRKERNSEC_ACL_HIDEKERN=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 @@ -4327,7 +4421,7 @@ CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_SYMLINKOWN=y CONFIG_GRKERNSEC_FIFO=y -CONFIG_GRKERNSEC_SYSFS_RESTRICT=y +# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set CONFIG_GRKERNSEC_ROFS=y CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y CONFIG_GRKERNSEC_CHROOT=y @@ -4351,7 +4445,7 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y # Kernel Auditing # CONFIG_GRKERNSEC_AUDIT_GROUP=y -CONFIG_GRKERNSEC_AUDIT_GID=1007 +CONFIG_GRKERNSEC_AUDIT_GID=99 CONFIG_GRKERNSEC_EXECLOG=y CONFIG_GRKERNSEC_RESLOG=y CONFIG_GRKERNSEC_CHROOT_EXECLOG=y @@ -4376,7 +4470,7 @@ CONFIG_GRKERNSEC_HARDEN_TTY=y CONFIG_GRKERNSEC_TPE=y CONFIG_GRKERNSEC_TPE_ALL=y CONFIG_GRKERNSEC_TPE_INVERT=y -CONFIG_GRKERNSEC_TPE_GID=1005 +CONFIG_GRKERNSEC_TPE_GID=100 # # Network Protections 
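Review bot: In the last hunk on this line, `CONFIG_GRKERNSEC_TPE_GID=100` is set while the context line `CONFIG_GRKERNSEC_TPE_INVERT=y` is kept, and with INVERT the GID names the group that is exempt from Trusted Path Execution rather than the group it is enforced on, so if 100 is the general `users` group on this system (it is on several distributions) TPE stops restricting ordinary accounts; the previous value 1005 was a dedicated group. `CONFIG_GRKERNSEC_TPE_TRUSTED_GID` in the preceding `Customize Configuration` hunk is changed to 100 as well. Please confirm which group 100 is on the target and point both values at a deliberately small trusted group; since a .config cannot carry comments, record the GID-to-group mapping in the port's notes so the choice stays reviewable.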
@@ -4385,24 +4479,24 @@ CONFIG_GRKERNSEC_BLACKHOLE=y CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y CONFIG_GRKERNSEC_SOCKET=y CONFIG_GRKERNSEC_SOCKET_ALL=y -CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004 +CONFIG_GRKERNSEC_SOCKET_ALL_GID=200 CONFIG_GRKERNSEC_SOCKET_CLIENT=y -CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003 +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15 CONFIG_GRKERNSEC_SOCKET_SERVER=y -CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002 +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99 # # Physical Protections # CONFIG_GRKERNSEC_DENYUSB=y -CONFIG_GRKERNSEC_DENYUSB_FORCE=y +# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set # # Sysctl Support # CONFIG_GRKERNSEC_SYSCTL=y CONFIG_GRKERNSEC_SYSCTL_DISTRO=y -CONFIG_GRKERNSEC_SYSCTL_ON=y +# CONFIG_GRKERNSEC_SYSCTL_ON is not set # # Logging Options @@ -4423,14 +4517,12 @@ CONFIG_SECURITY_PATH=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY=y -# CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set -CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y @@ -4510,7 +4602,7 @@ CONFIG_CRYPTO_HMAC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32C_INTEL is not set +CONFIG_CRYPTO_CRC32C_INTEL=y CONFIG_CRYPTO_CRC32=y # CONFIG_CRYPTO_CRC32_PCLMUL is not set CONFIG_CRYPTO_CRCT10DIF=y @@ -4580,7 +4672,7 @@ CONFIG_CRYPTO_DES=y # Compression # CONFIG_CRYPTO_DEFLATE=y -# CONFIG_CRYPTO_LZO is not set +CONFIG_CRYPTO_LZO=y # CONFIG_CRYPTO_842 is not set # CONFIG_CRYPTO_LZ4 is not set # CONFIG_CRYPTO_LZ4HC is not set @@ -4635,6 +4727,7 @@ CONFIG_KVM_INTEL=y # CONFIG_KVM_AMD is not set # CONFIG_KVM_DEVICE_ASSIGNMENT is not set CONFIG_VHOST_NET=y +CONFIG_VHOST_SCSI=m CONFIG_VHOST_VSOCK=y CONFIG_VHOST=y CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y 
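Review bot: `# CONFIG_GRKERNSEC_SYSCTL_ON is not set` in the `@@ -4385,24 +4479,24 @@` hunk, combined with CONFIG_GRKERNSEC_SYSCTL=y just above it, means every sysctl-controllable grsecurity protection starts disabled at boot and stays off until userspace enables the kernel.grsecurity.* entries and sets grsec_lock; with CONFIG_GRKERNSEC_DENYUSB_FORCE also dropped in the same hunk, deny_new_usb now depends on that same runtime step. Unless a sysctl fragment in the distro's hardening setup turns these on early in boot, this hunk quietly switches off most of what the preceding hunks configure. Worth naming that fragment in the port's notes (or re-enabling SYSCTL_ON) so the dependency is explicit.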
@@ -4678,11 +4771,11 @@ CONFIG_LZO_DECOMPRESS=y CONFIG_LZ4_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y -CONFIG_XZ_DEC_POWERPC=y -CONFIG_XZ_DEC_IA64=y -CONFIG_XZ_DEC_ARM=y -CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_XZ_DEC_SPARC=y +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set CONFIG_XZ_DEC_BCJ=y # CONFIG_XZ_DEC_TEST is not set CONFIG_DECOMPRESS_GZIP=y @@ -4697,6 +4790,7 @@ CONFIG_TEXTSEARCH_KMP=y CONFIG_TEXTSEARCH_BM=y CONFIG_TEXTSEARCH_FSM=y CONFIG_INTERVAL_TREE=y +CONFIG_RADIX_TREE_MULTIORDER=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y diff --git a/core/ports/linux-blob/port-blob-grsecurity.patch b/core/ports/linux-blob/port-blob-grsecurity.patch index 22d4580..ba2fb6d 100644 --- a/core/ports/linux-blob/port-blob-grsecurity.patch +++ b/core/ports/linux-blob/port-blob-grsecurity.patch @@ -1,5 +1,5 @@ ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:14:08.682388834 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:15:45.579051680 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:14:08.682388834 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:15:45.579051680 +0000 -diff --git a/localversion-grsec b/localversion-grsec -new file mode 100644 -index 0000000..7cd6065 @@ -10,8 +10,8 @@ diff --git a/mm/Kconfig b/mm/Kconfig index 86e3e0e..ab679cf 100644 --- a/mm/Kconfig ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 09:07:57.220274062 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 09:08:16.380274647 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 09:07:57.220274062 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 09:08:16.380274647 +0000 @@ -156547,13 +156547,6 @@ break; } diff --git a/core/ports/linux-blob/port-blob-make.patch b/core/ports/linux-blob/port-blob-make.patch index 368d592..67ee22e 100644 
--- a/core/ports/linux-blob/port-blob-make.patch +++ b/core/ports/linux-blob/port-blob-make.patch @@ -3,7 +3,7 @@ @@ -1,7 +1,7 @@ VERSION = 4 PATCHLEVEL = 9 - SUBLEVEL = 11 + SUBLEVEL = 12 -EXTRAVERSION = +EXTRAVERSION = -blob NAME = Roaring Lionus diff --git a/core/ports/linux-libre/.footprint b/core/ports/linux-libre/.footprint index 1279a5d..7532882 100644 --- a/core/ports/linux-libre/.footprint +++ b/core/ports/linux-libre/.footprint 
@@ -1,59 +1,52 @@ drwxr-xr-x root/root boot/ --rw-r--r-- root/root boot/System.map-4.9.11-grsec --rw-r--r-- root/root boot/config-4.9.11-grsec --rw-r--r-- root/root boot/vmlinuz-4.9.11-grsec +-rw-r--r-- root/root boot/System.map-4.9.12-grsec +-rw-r--r-- root/root boot/config-4.9.12-grsec +-rw-r--r-- root/root boot/vmlinuz-4.9.12-grsec drwxr-xr-x root/root lib/ drwxr-xr-x root/root lib/modules/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/ -lrwxrwxrwx root/root lib/modules/4.9.11-grsec/build -> /usr/src/linux-4.9.11 -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko --rw-r--r-- root/root 
lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/fs/ -drwxr-xr-x root/root lib/modules/4.9.11-grsec/kernel/fs/ntfs/ --rw-r--r-- root/root lib/modules/4.9.11-grsec/kernel/fs/ntfs/ntfs.ko --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.alias --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.alias.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.builtin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.builtin.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.dep --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.dep.bin --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.devname (EMPTY) --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.order --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.softdep --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.symbols --rw-r--r-- root/root lib/modules/4.9.11-grsec/modules.symbols.bin -lrwxrwxrwx root/root lib/modules/4.9.11-grsec/source -> /usr/src/linux-4.9.11 +drwxr-xr-x root/root 
lib/modules/4.9.12-grsec/ +lrwxrwxrwx root/root lib/modules/4.9.12-grsec/build -> /usr/src/linux-4.9.12 +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/ +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/gspca/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/uvc/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/drivers/vhost/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/drivers/vhost/vhost_scsi.ko.gz +drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/fs/ 
+drwxr-xr-x root/root lib/modules/4.9.12-grsec/kernel/fs/ntfs/ +-rw-r--r-- root/root lib/modules/4.9.12-grsec/kernel/fs/ntfs/ntfs.ko.gz +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.alias +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.alias.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.builtin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.builtin.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.dep (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.dep.bin +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.devname (EMPTY) +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.order +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.softdep +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.symbols +-rw-r--r-- root/root lib/modules/4.9.12-grsec/modules.symbols.bin +lrwxrwxrwx root/root lib/modules/4.9.12-grsec/source -> /usr/src/linux-4.9.12 drwxr-xr-x root/root usr/ drwxr-xr-x root/root usr/src/ --rw-r--r-- root/root usr/src/4.9.11-cpu_optimizations.patch --rw-r--r-- root/root usr/src/4.9.11-libre-config --rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.11-201702181444.patch +-rw-r--r-- root/root usr/src/4.9.12-cpu_optimizations.patch +-rw-r--r-- root/root usr/src/4.9.12-libre-config +-rw-r--r-- root/root usr/src/grsecurity-3.1-4.9.12-201702231830.patch -rw-r--r-- root/root usr/src/port-libre-cpu.patch -rw-r--r-- root/root usr/src/port-libre-grsecurity.patch -rw-r--r-- root/root usr/src/port-libre-make.patch diff --git a/core/ports/linux-libre/.md5sum b/core/ports/linux-libre/.md5sum index ddd1878..cef0720 100644 --- a/core/ports/linux-libre/.md5sum +++ b/core/ports/linux-libre/.md5sum 
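Review bot: The new side lists `lib/modules/4.9.12-grsec/modules.dep (EMPTY)` while the old footprint had a populated modules.dep, yet the same listing still ships loadable modules (vhost_scsi.ko.gz, ntfs.ko.gz, the soc_camera, gspca, uvc and v4l2-core modules). An empty modules.dep means modprobe cannot resolve any of them, so this looks like depmod not running, or not handling the newly gzip-compressed .ko.gz files, after the switch to CONFIG_MODULE_COMPRESS_GZIP in config-c9. Worth checking the build log for depmod output before accepting this footprint.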
@@ -1,7 +1,7 @@ -bf30b0af56c2621e317cab5e44d4235e config-c9 +4cfe0909ea898be7ccc712ab162be13d config-c9 00bc0d70f200c2673fe7dd6f02053fa4 enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch -e4eb7eab3a40968c3bd4a0a19339a6a1 grsecurity-3.1-4.9.11-201702181444.patch -2af743d6b73201d5db83c1ccb175ed30 linux-libre-4.9.11-gnu.tar.xz +83b031b26dc0aeb3ccf8c45785253225 grsecurity-3.1-4.9.12-201702231830.patch +5b1128ad1a2b482b03dd20866c095fda linux-libre-4.9.12-gnu.tar.xz bcf38b0fbf7bd83323f3202ec082b15a port-libre-cpu.patch -f9b2f7572adec2c46c1f1be2b784490e port-libre-grsecurity.patch -ce88c28573de7b41ef686f4201d0abfa port-libre-make.patch +3a498293739a8a81f0741aaef9226812 port-libre-grsecurity.patch +74ee54e8604788162c147b7e509b8c34 port-libre-make.patch diff --git a/core/ports/linux-libre/Pkgfile b/core/ports/linux-libre/Pkgfile index 154435f..e7f824d 100644 --- a/core/ports/linux-libre/Pkgfile +++ b/core/ports/linux-libre/Pkgfile @@ -4,11 +4,11 @@ # Depends on: grub2 dracut name=linux-libre -version=4.9.11 -release=2 +version=4.9.12 +release=1 source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/$name-$version-gnu.tar.xz \ https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \ - http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \ + http://grsecurity.net/test/grsecurity-3.1-4.9.12-201702231830.patch \ port-libre-grsecurity.patch \ port-libre-cpu.patch \ port-libre-make.patch \ 
@@ -24,7 +24,7 @@ build() { install -m 0644 $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch # /usr/src/grsecurity-version.patch - install -m 0644 $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/ + install -m 0644 $SRC/grsecurity-3.1-4.9.12-201702231830.patch $PKG/usr/src/ install -m 0644 $SRC/port-libre-grsecurity.patch $PKG/usr/src/ install -m 0644 $SRC/port-libre-cpu.patch $PKG/usr/src/ install -m 0644 $SRC/port-libre-make.patch $PKG/usr/src/ @@ -32,19 +32,22 @@ build() { patch < port-libre-grsecurity.patch patch < port-libre-cpu.patch + # fix to build under tpe + chmod -R go-w linux-$version + cd linux-$version patch < ${SRC}/port-libre-make.patch make distclean - patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch + patch -p1 < $SRC/grsecurity-3.1-4.9.12-201702231830.patch patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cp $SRC/config-c9 .config make silentoldconfig - make nconfig + # make nconfig # make localmodconfig install -m 0644 .config $PKG/usr/src/${version}-libre-config diff --git a/core/ports/linux-libre/config-c9 b/core/ports/linux-libre/config-c9 index 236d79e..0bd5108 100644 --- a/core/ports/linux-libre/config-c9 +++ b/core/ports/linux-libre/config-c9 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.11-grsec Kernel Configuration +# Linux/x86 4.9.12-blob Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -62,10 +62,10 @@ CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y -# CONFIG_KERNEL_GZIP is not set +CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set -CONFIG_KERNEL_XZ=y +# CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_LZO is not set # CONFIG_KERNEL_LZ4 is not set CONFIG_DEFAULT_HOSTNAME="(none)" 
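Review bot: `chmod -R go-w linux-$version` under the new `# fix to build under tpe` line in the `@@ -32,19 +32,22 @@` hunk leaves `$version` unquoted and the comment does not say what it works around; suggest `chmod -R go-w -- "linux-$version"` with a comment such as `# TPE refuses to execute files from directories that are group/world-writable or not root-owned, so strip those bits from the unpacked tree before the build runs its scripts`. The `cd linux-$version` that follows has no failure check, and if pkgmk does not run build() under set -e a failed cd would apply the patches in the wrong directory, so `cd "linux-$version" || return 1` is safer. The grsecurity patch applied by `patch -p1` in this hunk comes from a plain-http URL in this file's source= array, and the pinned .md5sum only proves later downloads match whatever was first fetched over http; fetching over https and checking the upstream signature would anchor that first fetch. build() starts and ends outside the hunk.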
@@ -76,11 +76,8 @@ CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_FHANDLE=y -CONFIG_AUDIT=y +# CONFIG_AUDIT is not set CONFIG_HAVE_ARCH_AUDITSYSCALL=y -CONFIG_AUDITSYSCALL=y -CONFIG_AUDIT_WATCH=y -CONFIG_AUDIT_TREE=y # # IRQ subsystem @@ -119,12 +116,13 @@ CONFIG_HIGH_RES_TIMERS=y # CONFIG_TICK_CPU_ACCOUNTING=y # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set -CONFIG_IRQ_TIME_ACCOUNTING=y +# CONFIG_IRQ_TIME_ACCOUNTING is not set CONFIG_BSD_PROCESS_ACCT=y CONFIG_BSD_PROCESS_ACCT_V3=y CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y -# CONFIG_TASK_XACCT is not set +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y # # RCU Subsystem @@ -138,7 +136,7 @@ CONFIG_RCU_STALL_COMMON=y CONFIG_BUILD_BIN2C=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=18 +CONFIG_LOG_BUF_SHIFT=19 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_NMI_LOG_BUF_SHIFT=13 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y @@ -149,14 +147,15 @@ CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y -# CONFIG_MEMCG_SWAP is not set +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_BLK_CGROUP=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y CONFIG_CGROUP_WRITEBACK=y CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y -# CONFIG_CFS_BANDWIDTH is not set -# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y CONFIG_CGROUP_PIDS=y # CONFIG_CGROUP_FREEZER is not set CONFIG_CPUSETS=y @@ -211,7 +210,7 @@ CONFIG_EPOLL=y CONFIG_SIGNALFD=y CONFIG_TIMERFD=y CONFIG_EVENTFD=y -# CONFIG_BPF_SYSCALL is not set +CONFIG_BPF_SYSCALL=y CONFIG_SHMEM=y CONFIG_AIO=y CONFIG_ADVISE_SYSCALLS=y 
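Review bot: `# CONFIG_AUDIT is not set` in the `@@ -76,11 +76,8 @@` hunk removes the kernel audit framework entirely (AUDITSYSCALL, AUDIT_WATCH and AUDIT_TREE go with it, and the xt_AUDIT netfilter target disappears in a later hunk of this file), so auditd-style syscall auditing is no longer possible on this kernel; grsecurity's AUDIT_GROUP/EXECLOG logging is a separate mechanism and does not replace it. CONFIG_BPF_SYSCALL=y in the `@@ -211,7 +210,7 @@` hunk on the same line adds the bpf() syscall to the unprivileged attack surface; if it is needed, pair it with `kernel.unprivileged_bpf_disabled = 1` in the distro's sysctl configuration. Both are defensible choices, but they should be recorded in the port notes since the generated .config cannot carry the rationale.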
@@ -234,11 +233,13 @@ CONFIG_SLUB=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLUB_CPU_PARTIAL=y CONFIG_SYSTEM_DATA_VERIFICATION=y -# CONFIG_PROFILING is not set +CONFIG_PROFILING=y +# CONFIG_OPROFILE is not set CONFIG_HAVE_OPROFILE=y CONFIG_OPROFILE_NMI_TIMER=y CONFIG_KPROBES=y -# CONFIG_JUMP_LABEL is not set +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set CONFIG_OPTPROBES=y # CONFIG_UPROBES is not set # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set @@ -279,8 +280,8 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y CONFIG_HAVE_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_NONE is not set -CONFIG_CC_STACKPROTECTOR_REGULAR=y -# CONFIG_CC_STACKPROTECTOR_STRONG is not set +# CONFIG_CC_STACKPROTECTOR_REGULAR is not set +CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y @@ -299,7 +300,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set -# CONFIG_ISA_BUS_API is not set +CONFIG_ISA_BUS_API=y CONFIG_OLD_SIGSUSPEND3=y CONFIG_COMPAT_OLD_SIGACTION=y # CONFIG_CPU_NO_EFFICIENT_FFS is not set @@ -328,14 +329,16 @@ CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_SHA384 is not set # CONFIG_MODULE_SIG_SHA512 is not set CONFIG_MODULE_SIG_HASH="sha256" -# CONFIG_MODULE_COMPRESS is not set +CONFIG_MODULE_COMPRESS=y +CONFIG_MODULE_COMPRESS_GZIP=y +# CONFIG_MODULE_COMPRESS_XZ is not set CONFIG_TRIM_UNUSED_KSYMS=y CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y CONFIG_BLK_DEV_INTEGRITY=y -# CONFIG_BLK_DEV_THROTTLING is not set +CONFIG_BLK_DEV_THROTTLING=y # CONFIG_BLK_CMDLINE_PARSER is not set # @@ -399,6 +402,7 @@ CONFIG_ZONE_DMA=y CONFIG_SMP=y CONFIG_X86_FEATURE_NAMES=y CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set # CONFIG_X86_EXTENDED_PLATFORM is not set 
@@ -407,6 +411,14 @@ CONFIG_X86_INTEL_LPSS=y CONFIG_IOSF_MBI=y CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +# CONFIG_PARAVIRT_DEBUG is not set +CONFIG_PARAVIRT_SPINLOCKS=y +# CONFIG_XEN is not set +CONFIG_KVM_GUEST=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_PARAVIRT_CLOCK=y CONFIG_NO_BOOTMEM=y # CONFIG_MK8 is not set # CONFIG_MK8SSE3 is not set @@ -457,8 +469,8 @@ CONFIG_IOMMU_HELPER=y CONFIG_NR_CPUS=4 CONFIG_SCHED_SMT=y CONFIG_SCHED_MC=y -CONFIG_PREEMPT_NONE=y -# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT_NONE is not set +CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set CONFIG_X86_LOCAL_APIC=y CONFIG_X86_IO_APIC=y @@ -494,6 +506,7 @@ CONFIG_NODES_SHIFT=6 CONFIG_ARCH_SPARSEMEM_ENABLE=y CONFIG_ARCH_SPARSEMEM_DEFAULT=y CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 CONFIG_SELECT_MEMORY_MODEL=y CONFIG_SPARSEMEM_MANUAL=y @@ -509,8 +522,11 @@ CONFIG_HAVE_MEMBLOCK_NODE_MAP=y CONFIG_ARCH_DISCARD_MEMBLOCK=y CONFIG_MEMORY_ISOLATION=y # CONFIG_MOVABLE_NODE is not set -# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set -# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y +CONFIG_MEMORY_HOTREMOVE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_MEMORY_BALLOON=y 
@@ -518,18 +534,21 @@ CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y CONFIG_PHYS_ADDR_T_64BIT=y -# CONFIG_BOUNCE is not set +CONFIG_BOUNCE=y CONFIG_VIRT_TO_BUS=y CONFIG_MMU_NOTIFIER=y -# CONFIG_KSM is not set -CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_KSM=y +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y CONFIG_MEMORY_FAILURE=y -# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y +# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set +CONFIG_TRANSPARENT_HUGE_PAGECACHE=y CONFIG_CLEANCACHE=y CONFIG_FRONTSWAP=y # CONFIG_CMA is not set -# CONFIG_ZSWAP is not set +CONFIG_ZSWAP=y CONFIG_ZPOOL=y CONFIG_ZBUD=y CONFIG_Z3FOLD=y @@ -537,7 +556,9 @@ CONFIG_ZSMALLOC=y # CONFIG_PGTABLE_MAPPING is not set CONFIG_GENERIC_EARLY_IOREMAP=y CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set # CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ZONE_DEVICE=y CONFIG_FRAME_VECTOR=y CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y @@ -546,7 +567,9 @@ CONFIG_X86_CHECK_BIOS_CORRUPTION=y CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y CONFIG_X86_RESERVE_LOW=64 CONFIG_MTRR=y -# CONFIG_MTRR_SANITIZER is not set +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 CONFIG_X86_PAT=y CONFIG_ARCH_USES_PG_UNCACHED=y CONFIG_ARCH_RANDOM=y @@ -554,7 +577,8 @@ CONFIG_X86_SMAP=y CONFIG_X86_INTEL_MPX=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_EFI=y -# CONFIG_EFI_STUB is not set +CONFIG_EFI_STUB=y +CONFIG_EFI_MIXED=y CONFIG_SECCOMP=y # CONFIG_HZ_100 is not set # CONFIG_HZ_250 is not set 
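Review bot: CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 in the `@@ -518,18 +534,21 @@` hunk is a solid hardening step, but CONFIG_KSM=y in the same hunk makes page deduplication available, and KSM is a documented timing side channel between processes or guests that share deduplicated pages. It stays inactive until /sys/kernel/mm/ksm/run is set to 1, so the exposure is limited to whoever enables it; if memory deduplication is not actually needed on these hosts, leaving KSM unset removes the option altogether. The higher mmap_min_addr can also break legacy software that maps very low addresses, so a line in the port's README about both would save the next maintainer a surprise.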
@@ -567,7 +591,9 @@ CONFIG_CRASH_DUMP=y CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y CONFIG_PHYSICAL_ALIGN=0x1000000 -# CONFIG_HOTPLUG_CPU is not set +CONFIG_HOTPLUG_CPU=y +# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set +# CONFIG_DEBUG_HOTPLUG_CPU0 is not set CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_LEGACY_VSYSCALL_NONE is not set # CONFIG_CMDLINE_BOOL is not set @@ -575,6 +601,7 @@ CONFIG_LEGACY_VSYSCALL_EMULATE=y # CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y # @@ -583,6 +610,7 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND is not set CONFIG_PM=y # CONFIG_PM_DEBUG is not set +CONFIG_PM_OPP=y CONFIG_PM_CLK=y # CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set CONFIG_ACPI=y @@ -591,8 +619,8 @@ CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y # CONFIG_ACPI_DEBUGGER is not set # CONFIG_ACPI_PROCFS_POWER is not set -CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y -# CONFIG_ACPI_EC_DEBUGFS is not set +# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set +CONFIG_ACPI_EC_DEBUGFS=y CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y CONFIG_ACPI_BUTTON=y @@ -603,7 +631,8 @@ CONFIG_ACPI_CPU_FREQ_PSS=y CONFIG_ACPI_PROCESSOR_CSTATE=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_PROCESSOR=y -# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y CONFIG_ACPI_THERMAL=y CONFIG_ACPI_NUMA=y # CONFIG_ACPI_CUSTOM_DSDT is not set @@ -613,6 +642,7 @@ CONFIG_ACPI_TABLE_UPGRADE=y CONFIG_ACPI_PCI_SLOT=y CONFIG_X86_PM_TIMER=y CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_ACPI_SBS=y CONFIG_ACPI_HED=y 
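Review bot: CONFIG_ACPI_EC_DEBUGFS=y in the `@@ -591,8 +619,8 @@` hunk, flipped from unset, exposes the embedded controller's I/O register space for reading and writing through debugfs; that is a debugging interface, and on a hardened kernel it adds root-reachable firmware-level surface with no production benefit. Suggest leaving it unset unless EC debugging is actually required, and recording the reason in the port notes if it is.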
@@ -626,16 +656,48 @@ CONFIG_ACPI_APEI_GHES=y CONFIG_ACPI_APEI_PCIEAER=y # CONFIG_ACPI_APEI_MEMORY_FAILURE is not set # CONFIG_ACPI_APEI_ERST_DEBUG is not set -# CONFIG_DPTF_POWER is not set +CONFIG_DPTF_POWER=y # CONFIG_ACPI_EXTLOG is not set -# CONFIG_PMIC_OPREGION is not set +CONFIG_PMIC_OPREGION=y CONFIG_ACPI_CONFIGFS=y CONFIG_SFI=y # # CPU Frequency scaling # -# CONFIG_CPU_FREQ is not set +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +# CONFIG_CPU_FREQ_STAT is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y + +# +# CPU frequency scaling drivers +# +CONFIG_CPUFREQ_DT=y +CONFIG_CPUFREQ_DT_PLATDEV=y +CONFIG_X86_INTEL_PSTATE=y +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=y +# CONFIG_X86_POWERNOW_K8 is not set +# CONFIG_X86_SPEEDSTEP_CENTRINO is not set +# CONFIG_X86_P4_CLOCKMOD is not set + +# +# shared options +# +# CONFIG_X86_SPEEDSTEP_LIB is not set # # CPU Idle 
@@ -644,24 +706,25 @@ CONFIG_CPU_IDLE=y CONFIG_CPU_IDLE_GOV_LADDER=y CONFIG_CPU_IDLE_GOV_MENU=y # CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set -# CONFIG_INTEL_IDLE is not set +CONFIG_INTEL_IDLE=y # # Memory power savings # -# CONFIG_I7300_IDLE is not set +CONFIG_I7300_IDLE_IOAT_CHANNEL=y +CONFIG_I7300_IDLE=y # # Bus options (PCI etc.) # CONFIG_PCI=y CONFIG_PCI_DIRECT=y -# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_MMCONFIG=y CONFIG_PCI_DOMAINS=y # CONFIG_PCI_CNB20LE_QUIRK is not set CONFIG_PCIEPORTBUS=y CONFIG_PCIEAER=y -# CONFIG_PCIE_ECRC is not set +CONFIG_PCIE_ECRC=y # CONFIG_PCIEAER_INJECT is not set CONFIG_PCIEASPM=y # CONFIG_PCIEASPM_DEBUG is not set @@ -669,13 +732,13 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set CONFIG_PCIE_PME=y -# CONFIG_PCIE_DPC is not set -# CONFIG_PCIE_PTM is not set +CONFIG_PCIE_DPC=y +CONFIG_PCIE_PTM=y CONFIG_PCI_BUS_ADDR_T_64BIT=y CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y # CONFIG_PCI_DEBUG is not set -# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +CONFIG_PCI_REALLOC_ENABLE_AUTO=y # CONFIG_PCI_STUB is not set CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y @@ -691,11 +754,11 @@ CONFIG_PCI_LABEL=y CONFIG_PCIE_DW_PLAT=y CONFIG_PCIE_DW=y # CONFIG_VMD is not set -# CONFIG_ISA_BUS is not set +CONFIG_ISA_BUS=y CONFIG_ISA_DMA_API=y # CONFIG_PCCARD is not set # CONFIG_RAPIDIO is not set -CONFIG_X86_SYSFB=y +# CONFIG_X86_SYSFB is not set # # Executable file formats / Emulations @@ -706,7 +769,7 @@ CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set -# CONFIG_BINFMT_MISC is not set +CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y CONFIG_IA32_EMULATION=y CONFIG_IA32_AOUT=y @@ -862,7 +925,6 @@ CONFIG_NETFILTER_XT_SET=y # # Xtables targets # -CONFIG_NETFILTER_XT_TARGET_AUDIT=y CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y CONFIG_NETFILTER_XT_TARGET_CONNMARK=y 
@@ -1242,10 +1304,11 @@ CONFIG_HAVE_EBPF_JIT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y CONFIG_STANDALONE=y -CONFIG_PREVENT_FIRMWARE_BUILD=y +# CONFIG_PREVENT_FIRMWARE_BUILD is not set CONFIG_FW_LOADER=y CONFIG_FIRMWARE_IN_KERNEL=y -CONFIG_EXTRA_FIRMWARE="" +CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode" +CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" CONFIG_FW_LOADER_USER_HELPER=y CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y CONFIG_WANT_DEV_COREDUMP=y @@ -1318,9 +1381,7 @@ CONFIG_VIRTIO_BLK=y # CONFIG_BLK_DEV_HD is not set # CONFIG_BLK_DEV_RBD is not set # CONFIG_BLK_DEV_RSXX is not set -CONFIG_NVME_CORE=y -CONFIG_BLK_DEV_NVME=y -# CONFIG_BLK_DEV_NVME_SCSI is not set +# CONFIG_BLK_DEV_NVME is not set # CONFIG_NVME_TARGET is not set # @@ -1379,7 +1440,7 @@ CONFIG_INTEL_MEI_TXE=y # # Intel MIC Bus Driver # -CONFIG_INTEL_MIC_BUS=y +# CONFIG_INTEL_MIC_BUS is not set # # SCIF Bus Driver @@ -1537,7 +1598,7 @@ CONFIG_SATA_AHCI_PLATFORM=y CONFIG_MD=y CONFIG_BLK_DEV_MD=y CONFIG_MD_AUTODETECT=y -# CONFIG_MD_LINEAR is not set +CONFIG_MD_LINEAR=y CONFIG_MD_RAID0=y CONFIG_MD_RAID1=y CONFIG_MD_RAID10=y @@ -1571,7 +1632,13 @@ CONFIG_DM_UEVENT=y # CONFIG_DM_VERITY is not set # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set -# CONFIG_TARGET_CORE is not set +CONFIG_TARGET_CORE=y +# CONFIG_TCM_IBLOCK is not set +# CONFIG_TCM_FILEIO is not set +# CONFIG_TCM_PSCSI is not set +# CONFIG_TCM_USER2 is not set +# CONFIG_LOOPBACK_TARGET is not set +# CONFIG_ISCSI_TARGET is not set CONFIG_FUSION=y CONFIG_FUSION_SPI=y CONFIG_FUSION_FC=y @@ -1747,11 +1814,10 @@ CONFIG_WLAN_VENDOR_INTEL=y # CONFIG_IPW2200 is not set # CONFIG_IWL4965 is not set # CONFIG_IWL3945 is not set -CONFIG_IWLWIFI=m +CONFIG_IWLWIFI=y CONFIG_IWLWIFI_LEDS=y -CONFIG_IWLDVM=m -CONFIG_IWLMVM=m -CONFIG_IWLWIFI_OPMODE_MODULAR=y +CONFIG_IWLDVM=y +CONFIG_IWLMVM=y # CONFIG_IWLWIFI_BCAST_FILTERING is not set CONFIG_IWLWIFI_PCIE_RTPM=y 
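Review bot: CONFIG_EXTRA_FIRMWARE="iwlwifi-3160-17.ucode" with CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" in the `@@ -1242,10 +1304,11 @@` hunk embeds a proprietary wireless firmware into the kernel image of the linux-libre port, and together with the `4.9.12-blob` header introduced in this file's first hunk the config looks copied from the blob build; confirm that is intended for the libre port. Build-wise, the firmware is read from the build host's /lib/firmware at compile time, is not in the port's source= list and is not covered by .md5sum, so the resulting image depends on unverified host state. If the firmware is wanted, add it to source= with a checksum, otherwise leave CONFIG_EXTRA_FIRMWARE empty and let the runtime loader (CONFIG_FW_LOADER=y is still set) fetch it.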
@@ -1843,6 +1909,7 @@ CONFIG_MOUSE_PS2_ELANTECH=y # CONFIG_MOUSE_PS2_SENTELIC is not set # CONFIG_MOUSE_PS2_TOUCHKIT is not set CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_PS2_VMMOUSE is not set CONFIG_MOUSE_SERIAL=y # CONFIG_MOUSE_APPLETOUCH is not set # CONFIG_MOUSE_BCM5974 is not set @@ -1962,7 +2029,7 @@ CONFIG_I2C_MUX=y # Multiplexer I2C Chip support # # CONFIG_I2C_ARB_GPIO_CHALLENGE is not set -CONFIG_I2C_MUX_GPIO=y +# CONFIG_I2C_MUX_GPIO is not set # CONFIG_I2C_MUX_PCA9541 is not set # CONFIG_I2C_MUX_PCA954x is not set # CONFIG_I2C_MUX_PINCTRL is not set @@ -1986,7 +2053,7 @@ CONFIG_I2C_ALGOBIT=y # CONFIG_I2C_AMD8111 is not set CONFIG_I2C_I801=y # CONFIG_I2C_ISCH is not set -# CONFIG_I2C_ISMT is not set +CONFIG_I2C_ISMT=y # CONFIG_I2C_PIIX4 is not set # CONFIG_I2C_NFORCE2 is not set # CONFIG_I2C_SIS5595 is not set @@ -2007,7 +2074,7 @@ CONFIG_I2C_SCMI=y CONFIG_I2C_DESIGNWARE_CORE=y CONFIG_I2C_DESIGNWARE_PLATFORM=y CONFIG_I2C_DESIGNWARE_PCI=y -# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set +CONFIG_I2C_DESIGNWARE_BAYTRAIL=y # CONFIG_I2C_EMEV2 is not set # CONFIG_I2C_GPIO is not set # CONFIG_I2C_OCORES is not set @@ -2048,9 +2115,9 @@ CONFIG_SPI_BITBANG=y # CONFIG_SPI_CADENCE is not set CONFIG_SPI_DESIGNWARE=y CONFIG_SPI_DW_PCI=y -# CONFIG_SPI_DW_MID_DMA is not set +CONFIG_SPI_DW_MID_DMA=y CONFIG_SPI_DW_MMIO=y -CONFIG_SPI_GPIO=y +# CONFIG_SPI_GPIO is not set # CONFIG_SPI_FSL_SPI is not set # CONFIG_SPI_OC_TINY is not set # CONFIG_SPI_PXA2XX is not set @@ -2067,7 +2134,7 @@ CONFIG_SPI_GPIO=y # CONFIG_SPI_SPIDEV is not set # CONFIG_SPI_LOOPBACK_TEST is not set # CONFIG_SPI_TLE62X0 is not set -# CONFIG_SPMI is not set +CONFIG_SPMI=y # CONFIG_HSI is not set # @@ -2108,7 +2175,7 @@ CONFIG_GPIOLIB=y CONFIG_OF_GPIO=y CONFIG_GPIO_ACPI=y # CONFIG_DEBUG_GPIO is not set -CONFIG_GPIO_SYSFS=y +# CONFIG_GPIO_SYSFS is not set # # Memory mapped GPIO drivers 
@@ -2119,7 +2186,7 @@ CONFIG_GPIO_SYSFS=y # CONFIG_GPIO_DWAPB is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_GRGPIO is not set -CONFIG_GPIO_ICH=y +# CONFIG_GPIO_ICH is not set # CONFIG_GPIO_LYNXPOINT is not set # CONFIG_GPIO_MOCKUP is not set # CONFIG_GPIO_VX855 is not set @@ -2129,10 +2196,15 @@ CONFIG_GPIO_ICH=y # # Port-mapped I/O GPIO drivers # +# CONFIG_GPIO_104_DIO_48E is not set +# CONFIG_GPIO_104_IDIO_16 is not set +# CONFIG_GPIO_104_IDI_48 is not set # CONFIG_GPIO_F7188X is not set +# CONFIG_GPIO_GPIO_MM is not set # CONFIG_GPIO_IT87 is not set # CONFIG_GPIO_SCH is not set # CONFIG_GPIO_SCH311X is not set +# CONFIG_GPIO_WS16C48 is not set # # I2C GPIO expanders @@ -2176,7 +2248,34 @@ CONFIG_GPIO_ICH=y # # USB GPIO expanders # -# CONFIG_W1 is not set +CONFIG_W1=y +CONFIG_W1_CON=y + +# +# 1-wire Bus Masters +# +# CONFIG_W1_MASTER_MATROX is not set +# CONFIG_W1_MASTER_DS2490 is not set +# CONFIG_W1_MASTER_DS2482 is not set +# CONFIG_W1_MASTER_DS1WM is not set +# CONFIG_W1_MASTER_GPIO is not set + +# +# 1-wire Slaves +# +CONFIG_W1_SLAVE_THERM=y +# CONFIG_W1_SLAVE_SMEM is not set +# CONFIG_W1_SLAVE_DS2408 is not set +# CONFIG_W1_SLAVE_DS2413 is not set +# CONFIG_W1_SLAVE_DS2406 is not set +# CONFIG_W1_SLAVE_DS2423 is not set +# CONFIG_W1_SLAVE_DS2431 is not set +# CONFIG_W1_SLAVE_DS2433 is not set +# CONFIG_W1_SLAVE_DS2760 is not set +# CONFIG_W1_SLAVE_DS2780 is not set +# CONFIG_W1_SLAVE_DS2781 is not set +# CONFIG_W1_SLAVE_DS28E04 is not set +# CONFIG_W1_SLAVE_BQ27000 is not set # CONFIG_POWER_AVS is not set # CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y @@ -2190,7 +2289,6 @@ CONFIG_POWER_SUPPLY=y # CONFIG_BATTERY_BQ27XXX is not set # CONFIG_BATTERY_MAX17040 is not set # CONFIG_BATTERY_MAX17042 is not set -# CONFIG_CHARGER_ISP1704 is not set # CONFIG_CHARGER_MAX8903 is not set # CONFIG_CHARGER_LP8727 is not set # CONFIG_CHARGER_GPIO is not set 
@@ -2361,12 +2459,14 @@ CONFIG_THERMAL_GOV_STEP_WISE=y # CONFIG_THERMAL_GOV_BANG_BANG is not set CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y +# CONFIG_CPU_THERMAL is not set +# CONFIG_CLOCK_THERMAL is not set +# CONFIG_DEVFREQ_THERMAL is not set # CONFIG_THERMAL_EMULATION is not set # CONFIG_QORIQ_THERMAL is not set # CONFIG_INTEL_POWERCLAMP is not set CONFIG_X86_PKG_TEMP_THERMAL=y -CONFIG_INTEL_SOC_DTS_IOSF_CORE=y -CONFIG_INTEL_SOC_DTS_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set # # ACPI INT340X thermal drivers @@ -2375,7 +2475,7 @@ CONFIG_INTEL_SOC_DTS_THERMAL=y CONFIG_INTEL_PCH_THERMAL=y CONFIG_WATCHDOG=y CONFIG_WATCHDOG_CORE=y -CONFIG_WATCHDOG_NOWAYOUT=y +# CONFIG_WATCHDOG_NOWAYOUT is not set CONFIG_WATCHDOG_SYSFS=y # @@ -2393,6 +2493,7 @@ CONFIG_WATCHDOG_SYSFS=y # CONFIG_ADVANTECH_WDT is not set # CONFIG_ALIM1535_WDT is not set # CONFIG_ALIM7101_WDT is not set +# CONFIG_EBC_C384_WDT is not set # CONFIG_F71808E_WDT is not set # CONFIG_SP5100_TCO is not set # CONFIG_SBC_FITPC2_WATCHDOG is not set @@ -2444,18 +2545,7 @@ CONFIG_SSB_POSSIBLE=y # # Sonics Silicon Backplane # -CONFIG_SSB=y -CONFIG_SSB_SPROM=y -CONFIG_SSB_PCIHOST_POSSIBLE=y -CONFIG_SSB_PCIHOST=y -# CONFIG_SSB_B43_PCI_BRIDGE is not set -CONFIG_SSB_SDIOHOST_POSSIBLE=y -# CONFIG_SSB_SDIOHOST is not set -# CONFIG_SSB_SILENT is not set -# CONFIG_SSB_DEBUG is not set -CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y -CONFIG_SSB_DRIVER_PCICORE=y -# CONFIG_SSB_DRIVER_GPIO is not set +# CONFIG_SSB is not set CONFIG_BCMA_POSSIBLE=y # @@ -2751,7 +2841,7 @@ CONFIG_AGP_INTEL=y # CONFIG_AGP_VIA is not set CONFIG_INTEL_GTT=y CONFIG_VGA_ARB=y -CONFIG_VGA_ARB_MAX_GPUS=1 +CONFIG_VGA_ARB_MAX_GPUS=2 # CONFIG_VGA_SWITCHEROO is not set CONFIG_DRM=y CONFIG_DRM_MIPI_DSI=y 
@@ -3047,13 +3137,13 @@ CONFIG_SND_HDA_RECONFIG=y CONFIG_SND_HDA_INPUT_BEEP=y CONFIG_SND_HDA_INPUT_BEEP_MODE=1 # CONFIG_SND_HDA_PATCH_LOADER is not set -CONFIG_SND_HDA_CODEC_REALTEK=y -# CONFIG_SND_HDA_CODEC_ANALOG is not set +# CONFIG_SND_HDA_CODEC_REALTEK is not set +CONFIG_SND_HDA_CODEC_ANALOG=y # CONFIG_SND_HDA_CODEC_SIGMATEL is not set # CONFIG_SND_HDA_CODEC_VIA is not set CONFIG_SND_HDA_CODEC_HDMI=y # CONFIG_SND_HDA_CODEC_CIRRUS is not set -# CONFIG_SND_HDA_CODEC_CONEXANT is not set +CONFIG_SND_HDA_CODEC_CONEXANT=y # CONFIG_SND_HDA_CODEC_CA0110 is not set # CONFIG_SND_HDA_CODEC_CA0132 is not set # CONFIG_SND_HDA_CODEC_CMEDIA is not set @@ -3177,10 +3267,9 @@ CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set -CONFIG_USB_OTG=y +# CONFIG_USB_OTG is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -CONFIG_USB_OTG_FSM=y # CONFIG_USB_LEDS_TRIGGER_USBPORT is not set CONFIG_USB_MON=y # CONFIG_USB_WUSB_CBAF is not set @@ -3204,12 +3293,10 @@ CONFIG_USB_EHCI_HCD_PLATFORM=y # CONFIG_USB_MAX3421_HCD is not set CONFIG_USB_OHCI_HCD=y CONFIG_USB_OHCI_HCD_PCI=y -# CONFIG_USB_OHCI_HCD_SSB is not set -# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_OHCI_HCD_PLATFORM=y CONFIG_USB_UHCI_HCD=y # CONFIG_USB_SL811_HCD is not set # CONFIG_USB_R8A66597_HCD is not set -# CONFIG_USB_HCD_SSB is not set # CONFIG_USB_HCD_TEST_MODE is not set # 
@@ -3251,23 +3338,8 @@ CONFIG_USB_UAS=y # CONFIG_USB_MICROTEK is not set # CONFIG_USBIP_CORE is not set # CONFIG_USB_MUSB_HDRC is not set -CONFIG_USB_DWC3=y -CONFIG_USB_DWC3_HOST=y - -# -# Platform Glue Driver Support -# -CONFIG_USB_DWC3_PCI=y -CONFIG_USB_DWC3_OF_SIMPLE=y -CONFIG_USB_DWC2=y -CONFIG_USB_DWC2_HOST=y - -# -# Gadget/Dual-role mode requires USB Gadget support to be enabled -# -# CONFIG_USB_DWC2_PCI is not set -# CONFIG_USB_DWC2_DEBUG is not set -# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set +# CONFIG_USB_DWC3 is not set +# CONFIG_USB_DWC2 is not set # CONFIG_USB_CHIPIDEA is not set # CONFIG_USB_ISP1760 is not set @@ -3359,13 +3431,13 @@ CONFIG_USB_SERIAL_FTDI_SIO=y # # USB Physical Layer drivers # -CONFIG_USB_PHY=y +# CONFIG_USB_PHY is not set # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_GPIO_VBUS is not set # CONFIG_USB_ISP1301 is not set # CONFIG_USB_GADGET is not set -# CONFIG_USB_LED_TRIG is not set -# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=y # CONFIG_UWB is not set CONFIG_MMC=y # CONFIG_MMC_DEBUG is not set @@ -3398,7 +3470,7 @@ CONFIG_MMC_SPI=y # CONFIG_MMC_CB710 is not set # CONFIG_MMC_VIA_SDMMC is not set # CONFIG_MMC_VUB300 is not set -# CONFIG_MMC_USHC is not set +CONFIG_MMC_USHC=y # CONFIG_MMC_USDHI6ROL0 is not set # CONFIG_MMC_TOSHIBA_PCI is not set # CONFIG_MMC_MTK is not set 
@@ -3465,7 +3537,24 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_INFINIBAND is not set CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y -# CONFIG_EDAC is not set +CONFIG_EDAC=y +# CONFIG_EDAC_LEGACY_SYSFS is not set +# CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_MM_EDAC=y +CONFIG_EDAC_GHES=y +# CONFIG_EDAC_E752X is not set +# CONFIG_EDAC_I82975X is not set +# CONFIG_EDAC_I3000 is not set +# CONFIG_EDAC_I3200 is not set +# CONFIG_EDAC_IE31200 is not set +# CONFIG_EDAC_X38 is not set +# CONFIG_EDAC_I5400 is not set +# CONFIG_EDAC_I7CORE is not set +# CONFIG_EDAC_I5000 is not set +# CONFIG_EDAC_I5100 is not set +# CONFIG_EDAC_I7300 is not set +CONFIG_EDAC_SBRIDGE=y +# CONFIG_EDAC_SKX is not set CONFIG_RTC_LIB=y CONFIG_RTC_MC146818_LIB=y CONFIG_RTC_CLASS=y @@ -3581,11 +3670,10 @@ CONFIG_DMA_OF=y # CONFIG_FSL_EDMA is not set CONFIG_INTEL_IDMA64=y CONFIG_INTEL_IOATDMA=y -CONFIG_INTEL_MIC_X100_DMA=y # CONFIG_QCOM_HIDMA_MGMT is not set # CONFIG_QCOM_HIDMA is not set CONFIG_DW_DMAC_CORE=y -# CONFIG_DW_DMAC is not set +CONFIG_DW_DMAC=y CONFIG_DW_DMAC_PCI=y CONFIG_HSU_DMA=y @@ -3601,7 +3689,8 @@ CONFIG_DMA_ENGINE_RAID=y # # CONFIG_SYNC_FILE is not set CONFIG_DCA=y -# CONFIG_AUXDISPLAY is not set +CONFIG_AUXDISPLAY=y +# CONFIG_IMG_ASCII_LCD is not set CONFIG_UIO=y # CONFIG_UIO_CIF is not set # CONFIG_UIO_PDRV_GENIRQ is not set @@ -3621,7 +3710,7 @@ CONFIG_VIRTIO=y # Virtio drivers # CONFIG_VIRTIO_PCI=y -CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_PCI_LEGACY is not set CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_MMIO=y @@ -3630,6 +3719,7 @@ CONFIG_VIRTIO_MMIO=y # # Microsoft Hyper-V guest support # +# CONFIG_HYPERV is not set # CONFIG_STAGING is not set CONFIG_X86_PLATFORM_DEVICES=y # CONFIG_ACER_WMI is not set @@ -3726,7 +3816,7 @@ CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU_SVM=y CONFIG_INTEL_IOMMU_DEFAULT_ON=y CONFIG_INTEL_IOMMU_FLOPPY_WA=y -# CONFIG_IRQ_REMAP is not set +CONFIG_IRQ_REMAP=y # # Remoteproc drivers 
@@ -3746,7 +3836,21 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y # # CONFIG_SUNXI_SRAM is not set # CONFIG_SOC_TI is not set -# CONFIG_PM_DEVFREQ is not set +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +# CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND is not set +# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set +# CONFIG_DEVFREQ_GOV_POWERSAVE is not set +# CONFIG_DEVFREQ_GOV_USERSPACE is not set +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +# CONFIG_PM_DEVFREQ_EVENT is not set # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set # CONFIG_IIO is not set @@ -3766,8 +3870,9 @@ CONFIG_GENERIC_PHY=y # CONFIG_PHY_PXA_28NM_HSIC is not set # CONFIG_PHY_PXA_28NM_USB2 is not set # CONFIG_BCM_KONA_USB2_PHY is not set -# CONFIG_PHY_SAMSUNG_USB2 is not set -# CONFIG_POWERCAP is not set +# CONFIG_PHY_TUSB1210 is not set +CONFIG_POWERCAP=y +CONFIG_INTEL_RAPL=y # CONFIG_MCB is not set # @@ -3781,6 +3886,7 @@ CONFIG_RAS=y # # CONFIG_ANDROID is not set # CONFIG_LIBNVDIMM is not set +# CONFIG_DEV_DAX is not set # CONFIG_NVMEM is not set # CONFIG_STM is not set # CONFIG_INTEL_TH is not set @@ -3846,7 +3952,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set # CONFIG_BTRFS_DEBUG is not set # CONFIG_BTRFS_ASSERT is not set -CONFIG_NILFS2_FS=y +# CONFIG_NILFS2_FS is not set CONFIG_F2FS_FS=y CONFIG_F2FS_FS_XATTR=y CONFIG_F2FS_FS_POSIX_ACL=y @@ -3866,8 +3972,14 @@ CONFIG_DNOTIFY=y CONFIG_INOTIFY_USER=y CONFIG_FANOTIFY=y # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set -# CONFIG_QUOTA is not set -# CONFIG_QUOTACTL is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_QUOTACTL_COMPAT=y # CONFIG_AUTOFS4_FS is not set CONFIG_FUSE_FS=y # CONFIG_CUSE is not set 
@@ -4122,6 +4234,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21 # CONFIG_RCU_EQS_DEBUG is not set # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set # CONFIG_FAULT_INJECTION is not set CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_FUNCTION_TRACER=y @@ -4195,7 +4308,7 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0 # CONFIG_OPTIMIZE_INLINING is not set # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set -CONFIG_X86_DEBUG_FPU=y +# CONFIG_X86_DEBUG_FPU is not set # # Security options @@ -4207,29 +4320,11 @@ CONFIG_X86_DEBUG_FPU=y CONFIG_PAX_PER_CPU_PGD=y CONFIG_TASK_SIZE_MAX_SHIFT=42 CONFIG_GRKERNSEC=y -CONFIG_GRKERNSEC_CONFIG_AUTO=y -# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set -# CONFIG_GRKERNSEC_CONFIG_SERVER is not set -CONFIG_GRKERNSEC_CONFIG_DESKTOP=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y -CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set -CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y -# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set -# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set -# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set -CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y - -# -# Default Special Groups -# -CONFIG_GRKERNSEC_PROC_GID=1001 -CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005 -CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006 +# CONFIG_GRKERNSEC_CONFIG_AUTO is not set +CONFIG_GRKERNSEC_CONFIG_CUSTOM=y +CONFIG_GRKERNSEC_PROC_GID=4 +CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100 +CONFIG_GRKERNSEC_SYMLINKOWN_GID=15 # # Customize Configuration @@ -4244,7 +4339,7 @@ CONFIG_PAX=y # PaX Control # # CONFIG_PAX_SOFTMODE is not set -CONFIG_PAX_EI_PAX=y +# CONFIG_PAX_EI_PAX is not set CONFIG_PAX_PT_PAX_FLAGS=y CONFIG_PAX_XATTR_PAX_FLAGS=y # CONFIG_PAX_NO_ACL_FLAGS is not set 
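Review bot: Switching to `CONFIG_GRKERNSEC_CONFIG_CUSTOM=y` drops the whole auto-profile block (desktop, KVM host, security-over-performance) and replaces the 1001–1007 special-group GIDs with 4, 100 and 15, but nothing records which named groups those numbers are; a mismatch between these compile-time GIDs and the groups actually created on the system silently applies each feature to the wrong users. Inline comments are not safe in a `.config` value line, so the mapping should be documented on the kernel or hardening page next to the `groupadd` calls, and the page should note that under a custom configuration `CONFIG_GRKERNSEC_TPE_TRUSTED_GID` appears to be superseded by `CONFIG_GRKERNSEC_TPE_GID` from the TPE section further down — confirm against the Kconfig help. Dropping `CONFIG_PAX_EI_PAX` is fine since `CONFIG_PAX_PT_PAX_FLAGS` and `CONFIG_PAX_XATTR_PAX_FLAGS` both stay enabled.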
@@ -4264,7 +4359,6 @@ CONFIG_PAX_KERNEXEC=y CONFIG_PAX_KERNEXEC_PLUGIN=y # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y -# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set # # Address Space Layout Randomization @@ -4306,14 +4400,14 @@ CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_MODHARDEN=y CONFIG_GRKERNSEC_HIDESYM=y CONFIG_GRKERNSEC_RANDSTRUCT=y -# CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE is not set +CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y CONFIG_GRKERNSEC_KERN_LOCKOUT=y # # Role Based Access Control Options # # CONFIG_GRKERNSEC_NO_RBAC is not set -# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set +CONFIG_GRKERNSEC_ACL_HIDEKERN=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 @@ -4327,7 +4421,7 @@ CONFIG_GRKERNSEC_PROC_ADD=y CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_SYMLINKOWN=y CONFIG_GRKERNSEC_FIFO=y -CONFIG_GRKERNSEC_SYSFS_RESTRICT=y +# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set CONFIG_GRKERNSEC_ROFS=y CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y CONFIG_GRKERNSEC_CHROOT=y @@ -4351,7 +4445,7 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y # Kernel Auditing # CONFIG_GRKERNSEC_AUDIT_GROUP=y -CONFIG_GRKERNSEC_AUDIT_GID=1007 +CONFIG_GRKERNSEC_AUDIT_GID=99 CONFIG_GRKERNSEC_EXECLOG=y CONFIG_GRKERNSEC_RESLOG=y CONFIG_GRKERNSEC_CHROOT_EXECLOG=y @@ -4376,7 +4470,7 @@ CONFIG_GRKERNSEC_HARDEN_TTY=y CONFIG_GRKERNSEC_TPE=y CONFIG_GRKERNSEC_TPE_ALL=y CONFIG_GRKERNSEC_TPE_INVERT=y -CONFIG_GRKERNSEC_TPE_GID=1005 +CONFIG_GRKERNSEC_TPE_GID=100 # # Network Protections 
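Review bot: `CONFIG_GRKERNSEC_SYSFS_RESTRICT` goes from y to unset and `CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE` from unset to y, and both weaken the kernel (sysfs/debugfs become readable by unprivileged users again; structure randomization is confined to cache-line-sized groups, which reduces the entropy of the layout) without a reason recorded anywhere in the commit. If the motivation is the build/performance trade-off this kernel is being tuned for, that belongs on the kernel page beside these two options so a later reviewer does not flip them back blind. In the same line, `CONFIG_GRKERNSEC_TPE_INVERT=y` together with `CONFIG_GRKERNSEC_TPE_GID=100` makes GID 100 the group that is *exempt* from TPE; if 100 is the primary group of ordinary users, TPE constrains almost nobody who logs in, so a dedicated trusted group is the safer choice.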
@@ -4385,24 +4479,24 @@ CONFIG_GRKERNSEC_BLACKHOLE=y CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y CONFIG_GRKERNSEC_SOCKET=y CONFIG_GRKERNSEC_SOCKET_ALL=y -CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004 +CONFIG_GRKERNSEC_SOCKET_ALL_GID=200 CONFIG_GRKERNSEC_SOCKET_CLIENT=y -CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003 +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15 CONFIG_GRKERNSEC_SOCKET_SERVER=y -CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002 +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99 # # Physical Protections # CONFIG_GRKERNSEC_DENYUSB=y -CONFIG_GRKERNSEC_DENYUSB_FORCE=y +# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set # # Sysctl Support # CONFIG_GRKERNSEC_SYSCTL=y CONFIG_GRKERNSEC_SYSCTL_DISTRO=y -CONFIG_GRKERNSEC_SYSCTL_ON=y +# CONFIG_GRKERNSEC_SYSCTL_ON is not set # # Logging Options @@ -4423,14 +4517,12 @@ CONFIG_SECURITY_PATH=y # CONFIG_INTEL_TXT is not set CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY=y -# CONFIG_SECURITY_SELINUX is not set # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set -CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y @@ -4510,7 +4602,7 @@ CONFIG_CRYPTO_HMAC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32C_INTEL is not set +CONFIG_CRYPTO_CRC32C_INTEL=y CONFIG_CRYPTO_CRC32=y # CONFIG_CRYPTO_CRC32_PCLMUL is not set CONFIG_CRYPTO_CRCT10DIF=y @@ -4580,7 +4672,7 @@ CONFIG_CRYPTO_DES=y # Compression # CONFIG_CRYPTO_DEFLATE=y -# CONFIG_CRYPTO_LZO is not set +CONFIG_CRYPTO_LZO=y # CONFIG_CRYPTO_842 is not set # CONFIG_CRYPTO_LZ4 is not set # CONFIG_CRYPTO_LZ4HC is not set @@ -4635,6 +4727,7 @@ CONFIG_KVM_INTEL=y # CONFIG_KVM_AMD is not set # CONFIG_KVM_DEVICE_ASSIGNMENT is not set CONFIG_VHOST_NET=y +CONFIG_VHOST_SCSI=m CONFIG_VHOST_VSOCK=y CONFIG_VHOST=y CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y 
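Review bot: `CONFIG_GRKERNSEC_SYSCTL_ON` is unset while `CONFIG_GRKERNSEC_SYSCTL=y` stays, so every sysctl-controllable grsecurity feature now boots disabled and is only turned on when the sysctl file is applied; until that happens, and until `kernel.grsecurity.grsec_lock = 1` is written afterwards, a root process can leave the protections off. None of the sysctl hunks in this commit show a `grsec_lock` line, so confirm it is the final entry of that file. The GID choices also overlap across unrelated features — `CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99` equals `CONFIG_GRKERNSEC_AUDIT_GID=99` in the preceding hunks and `CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15` equals `CONFIG_GRKERNSEC_SYMLINKOWN_GID=15` — which means adding an account to the audited group also removes its ability to listen on sockets, and the web-server group used for symlink-owner enforcement is also forbidden outbound connections; if that coupling is deliberate it should be documented, otherwise use distinct GIDs.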
@@ -4678,11 +4771,11 @@ CONFIG_LZO_DECOMPRESS=y CONFIG_LZ4_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y -CONFIG_XZ_DEC_POWERPC=y -CONFIG_XZ_DEC_IA64=y -CONFIG_XZ_DEC_ARM=y -CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_XZ_DEC_SPARC=y +# CONFIG_XZ_DEC_POWERPC is not set +# CONFIG_XZ_DEC_IA64 is not set +# CONFIG_XZ_DEC_ARM is not set +# CONFIG_XZ_DEC_ARMTHUMB is not set +# CONFIG_XZ_DEC_SPARC is not set CONFIG_XZ_DEC_BCJ=y # CONFIG_XZ_DEC_TEST is not set CONFIG_DECOMPRESS_GZIP=y @@ -4697,6 +4790,7 @@ CONFIG_TEXTSEARCH_KMP=y CONFIG_TEXTSEARCH_BM=y CONFIG_TEXTSEARCH_FSM=y CONFIG_INTERVAL_TREE=y +CONFIG_RADIX_TREE_MULTIORDER=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y diff --git a/core/ports/linux-libre/port-libre-grsecurity.patch b/core/ports/linux-libre/port-libre-grsecurity.patch index cecd956..981257a 100644 --- a/core/ports/linux-libre/port-libre-grsecurity.patch +++ b/core/ports/linux-libre/port-libre-grsecurity.patch @@ -1,5 +1,5 @@ ---- grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:14:08.682388834 +0000 -+++ grsecurity-3.1-4.9.11-201702181444.patch 2017-02-18 05:15:45.579051680 +0000 +--- grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:14:08.682388834 +0000 ++++ grsecurity-3.1-4.9.12-201702231830.patch 2017-02-18 05:15:45.579051680 +0000 @@ -90805,59 +90805,6 @@ if (!file->private_data) return -ENOMEM; diff --git a/core/ports/linux-libre/port-libre-make.patch b/core/ports/linux-libre/port-libre-make.patch index dfbd8af..51bf8b6 100644 --- a/core/ports/linux-libre/port-libre-make.patch +++ b/core/ports/linux-libre/port-libre-make.patch @@ -3,7 +3,7 @@ @@ -1,7 +1,7 @@ VERSION = 4 PATCHLEVEL = 9 - SUBLEVEL = 11 + SUBLEVEL = 12 -EXTRAVERSION = -gnu +EXTRAVERSION = -grsec NAME = Roaring Lionus diff --git a/core/reboot.html b/core/reboot.html index 23e2996..fd1adfc 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -31,7 +31,7 @@ /bin/bash --login -

      1.4.1. Linux Kernel

      +

      1.4.1. Port kernel

      Core ports have two linux kernels, @@ -43,11 +43,10 @@ correct graphic driver and disk. Port linux-blob is dangerous, contain blobs (from bad corporations).

      -

      Addition to upstream kernel is applied a patch with - more cpu families gcc optimizations and grsecurity patch. - Check tpe protection configuration on - sysctl if breaks functionality - during initial configuration.

      +

      Both ports apply grsecurity patch and are configured in + a way that break building some packages and have performance + impact in building process. Solution is to have several kernels, + production, testing, debug with one of them without grsecurity.

               # cd /usr/ports/c9-ports/linux-libre
      diff --git a/core/samhain.html b/core/samhain.html
      new file mode 100644
      index 0000000..74f88fd
      --- /dev/null
      +++ b/core/samhain.html
      @@ -0,0 +1,265 @@
      +
      +
      +    
      +        
      +        2.2.4. Samhain
      +    
      +    
      +
      +        Core OS Index
      +
      +        

      2.2.4. Samhain

      + +

      Read + Samhain Manual, + samhain is a file and host integrity and intrusion alert system + suitable for single hosts as well as for large, UNIX-based networks. + samhain offers advanced features to support and facilitate + centralized monitoring.

      + +

      The client (or standalone) part is called samhain, while the + server is referred to as yule. Both can run as daemon processes.

      + +

      Most of the options require being defined at compile time, is + easy to start with basic and then compile as more features are + required.

      + +
      +        $ sudo prt-get depinst samhain
      +        
      + +
      +
      /var/lib/samhain/samhain_file
      +
      signature database
      +
      /etc/samhainrc
      +
      configuration file
      +
      /var/log/samhain.log
      +
      log file
      +
      + +

      2.2.4.1. Configure

      + +

      For more information on configuration check + Monitoring Policies. + Description of section headings;

      + +
      +
      ReadOnly
      + +
      All modifications except access times will be + reported for these files.
      +
      Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, checksum, size, mtime, ctime.
      + +
      LogFiles
      + +
      Modifications of timestamps, file size, and signature will be + ignored.
      +
      Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode.
      + +
      GrowingLogFiles
      + +
      Modifications of timestamps, and signature will be ignored. + Modification of the file size will only be ignored if the file size + has increased.
      +
      Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, size >= previous_size, checksum(file start + up to previous size) equals previous checksum.
      + +
      Attributes
      + +
      Only modifications of ownership, access permissions, and device + number will be checked.
      +
      Checked: owner, group, permissions, file type, device number.
      + +
      IgnoreAll
      + +
      No modifications will be reported. However, the existence of the + specified file or directory will still be checked.
      + +
      IgnoreNone
      + +
      All modifications, including access time, but excluding ctime, will + be reported - checking atime and ctime would require to play with + the system clock.
      +
      Checked: owner, group, permissions, file type, device number, + hardlinks, links, inode, checksum, size, mtime, atime.
      + +
      + +
      +        $ vim /etc/samhainrc
      +        
      + +

      This is just a resume, there is a complete template + on crux ports?.

      + +
      +        [Misc]
      +
      +        [ReadOnly]
      +        dir = 0/
      +
      +        [Attributes]
      +        file = /tmp
      +        file = /dev
      +        file = /media
      +        file = /proc
      +        file = /sys
      +
      +        [ReadOnly]
      +        dir = 99/etc
      +
      +        [Attributes]
      +        file = /etc/mtab
      +        file = /etc/adjtime
      +        file = /etc/motd
      +        file = /etc/fstab
      +
      +        file = /etc
      +
      +        [ReadOnly]
      +        dir = 99/boot
      +
      +        [ReadOnly]
      +        dir = 99/bin
      +        dir = 99/sbin
      +
      +        [ReadOnly]
      +        dir = 99/lib
      +
      +        [Attributes]
      +        dir = 99/dev
      +
      +        [IgnoreAll]
      +        dir = -1/dev/pts
      +
      +        [ReadOnly]
      +        dir = 99/usr
      +
      +        [IgnoreAll]
      +        dir = -1/usr/ports/core
      +        dir = -1/usr/ports/opt
      +        dir = -1/usr/ports/contrib
      +        dir = -1/usr/ports/work
      +        dir = -1/usr/ports/distfiles
      +
      +        [ReadOnly]
      +        dir = 99/var
      +
      +        [IgnoreAll]
      +        dir = -1/var/cache
      +        dir = -1/var/lock
      +        dir = -1/var/mail
      +        dir = -1/var/run
      +        dir = -1/var/spool
      +        dir = -1/var/tmp
      +
      +        [Attributes]
      +
      +        file = /var/lib/mlocate
      +        file = /var/lib/mlocate/mlocate.db
      +        file = /var/lib/urandom
      +        file = /var/lib/urandom/seed
      +
      +        [GrowingLogFiles]
      +        dir = 99/var/log
      +
      +        file = /var/log/samhain.log.lock
      +
      +        [Attributes]
      +        file = /var/log/old/*.[0-9].gz
      +
      +        [Misc]
      +        IgnoreAdded = /var/log/.*\.[0-9]+$
      +        IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
      +        IgnoreAdded = /var/log/.*\.[0-9]+\.log$
      +        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
      +        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
      +        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
      +        IgnoreAdded = /var/lib/slocate/slocate.db.tmp
      +        IgnoreMissing = /var/lib/slocate/slocate.db.tmp
      +
      +        [IgnoreNone]
      +
      +        [Prelink]
      +
      +        [User0]
      +
      +        [User1]
      +
      +        [EventSeverity]
      +
      +        [Log]
      +        MailSeverity=notice
      +        PrintSeverity=none
      +
      +        [Misc]
      +        Daemon = yes
      +        ChecksumTest=check
      +        SetNiceLevel = 19
      +        SetIOLimit = 500
      +        SetLoopTime = 600
      +        SetFileCheckTime = 7200
      +        ReportOnlyOnce = True
      +        SetMailTime = 86400
      +        SetMailNum = 10
      +        SetMailAddress=root@localhost
      +        SyslogFacility=LOG_LOCAL2
      +
      +        
      + +

      Initialize database;

      + +
      +        # samhain -t init -p notice
      +        
      + +

      If you want to "restart" remove samhain_file and run again + the command above. If daemon is set on config file you just + need to run;

      + +
      +        # samhain -t check -p notice
      +        
      + +

      To control daemon;

      + +
      +        # samhain stop
      +        # samhain start
      +        # samhain restart
      +        # samhain reload or force-reload
      +        # samhain status
      +        
      + +

      2.2.4.2. Update database

      + +

      Manual, + You can update the database while the daemon is running, as long + as you don't interfere with its logging. Using flag -l like this + samhain -t update -l none make sure the log file is not accessed.

      + +
      +        # samhain -t update -l none --interactive
      +        
      + +

      Interactive update are supported with the command line flag + --interactive. A file with a list of good files, absolute path, + one per line, can be passed with flag --listfile. Example;

      + +
      +        # samhain -t update -l none --listfile=/root/list_of_files
      +        
      + + Core OS Index +

      + This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

      + + + diff --git a/core/sysctl.html b/core/sysctl.html index 4e13209..d85aca4 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -2,13 +2,13 @@ - 2.2.3. Sysctl + 2.2.2. Sysctl Core OS Index -
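Review bot: The samhain configuration keeps the baseline (`/var/lib/samhain/samhain_file`), the policy (`/etc/samhainrc`) and the log on the monitored host with no mention of signing them, and `SetMailAddress=root@localhost` delivers alerts to that same host; an attacker who reaches root can edit the policy, rebuild the baseline the same way the page describes (`samhain -t init`), and discard the mail, after which the daemon reports a clean system. Samhain can GnuPG-sign both the configuration and the database (a compile-time option, which fits the page's own remark that most options are fixed at build time) and can report to a yule server or a remote mailbox, so the page should at least state that a copy of `samhain_file` and the checksum of the samhain binary itself must be kept off-host or on read-only media. `ChecksumTest=check` with `Daemon = yes` is otherwise consistent with the `samhain -t check -p notice` invocation given below it.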

      2.2.3. Sysctl

      +

      2.2.2. Sysctl

      Sysctl references Arch TCP/IP stack hardening, @@ -51,7 +51,7 @@ # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. - kernel.grsecurity.disable_priv_io = 0 + kernel.grsecurity.disable_priv_io = 1 # If you say Y here, attempts to bruteforce exploits against forking # daemons such as apache or sshd, as well as against suid/sgid binaries @@ -85,7 +85,7 @@ # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 0 + kernel.grsecurity.linking_restrictions = 1 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -99,15 +99,15 @@ # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. - kernel.grsecurity.enforce_symlinksifowner = 0 - #kernel.grsecurity.symlinkown_gid = 33 + kernel.grsecurity.enforce_symlinksifowner = 1 + kernel.grsecurity.symlinkown_gid = 15 # if you say Y here, users will not be able to write to FIFOs they don't # own in world-writable +t directories (e.g. /tmp), unless the owner of # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. - kernel.grsecurity.fifo_restrictions = 0 + kernel.grsecurity.fifo_restrictions = 1 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems 
@@ -123,7 +123,7 @@ # and GRKERNSEC_IO should be enabled and module loading disabled via # config or at runtime. # This feature is mainly intended for secure embedded systems. - #kernel.grsecurity.romount_protect = 0 + #kernel.grsecurity.romount_protect = 1 # if you say Y here, the capabilities on all processes within a # chroot jail will be lowered to stop module insertion, raw i/o, @@ -239,14 +239,14 @@ # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. - kernel.grsecurity.audit_group = 0 + kernel.grsecurity.audit_group = 1 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. - #kernel.grsecurity.audit_gid = 201 + kernel.grsecurity.audit_gid = 99 # If you say Y here, all execve() calls will be logged (since the # other exec*() calls are frontends to execve(), all execution @@ -274,7 +274,7 @@ # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. - kernel.grsecurity.audit_ptrace = 1 + #kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -297,7 +297,6 @@ # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. - #kernel.grsecurity.forkfail_logging = 1 kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. 
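Review bot: `kernel.grsecurity.audit_ptrace = 1` is commented out in the `@@ -274` hunk, so ptrace attach attempts are no longer logged, while every other change in this region (audit_group, audit_gid, forkfail_logging) tightens logging; ptrace attaches are one of the few kernel-visible signals for process injection and credential scraping, and the file's own comment on `audit_group` scopes that option to exec and chdir logging, so narrowing the audited group does not cover ptrace. If the line was disabled because of debugger noise, say so in a comment above it; otherwise restore `kernel.grsecurity.audit_ptrace = 1`. Removing the duplicate `forkfail_logging` line in the `@@ -297` hunk is fine.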
@@ -329,7 +328,7 @@ kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms - #kernel.kptr_restrict = 2 + kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you @@ -365,7 +364,7 @@ # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. - kernel.grsecurity.consistent_setxid = 0 + kernel.grsecurity.consistent_setxid = 1 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -383,7 +382,7 @@ # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 0 + kernel.grsecurity.harden_ipc = 1 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -391,7 +390,7 @@ # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 4 + kernel.grsecurity.tpe_gid = 100 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This 
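Review bot: `kernel.grsecurity.tpe_gid = 100` in the `@@ -391` hunk, read together with the comment that immediately follows it ("the group you specify in the TPE configuration will decide what group TPE restrictions will be *disabled* for") and the `CONFIG_GRKERNSEC_TPE_INVERT=y` in this commit's kernel config, makes GID 100 the trusted group; if 100 is the primary group of ordinary users, as `users` conventionally is, `tpe = 1` is effectively a no-op for every interactive account and only constrains service users. A dedicated trusted group keeps the default-deny meaning of `tpe = 1`. Both this line and the `audit_gid = 99` uncommented earlier are bare numbers — a comment naming the group above each (`# tpe_gid: members of the trusted group "<name>"`) would make the file self-explaining. The `@@ -329` hunk enabling `kernel.kptr_restrict = 2` is a clear improvement.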
@@ -555,13 +554,13 @@ # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. - kernel.grsecurity.socket_all = 0 + kernel.grsecurity.socket_all = 1 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID # specified here. If the sysctl option is enabled, a sysctl option # with name "socket_all_gid" is created. - #kernel.grsecurity.socket_all_gid = 202 + kernel.grsecurity.socket_all_gid = 200 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be diff --git a/core/toolchain.html b/core/toolchain.html index e4a8f84..b5d4bb1 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -2,13 +2,13 @@ - 2.2.1. Toolchain + 2.2.3. Toolchain Core OS Index -
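Review bot: `kernel.grsecurity.socket_all = 1` with `socket_all_gid = 200` now denies every socket operation to members of GID 200, and the number is given without the group's name or purpose; any daemon or build account accidentally placed in that group loses DNS and package fetching, so a comment naming the group belongs above the line. More importantly, the kernel config in this commit unsets `CONFIG_GRKERNSEC_SYSCTL_ON`, so everything enabled in this file is off at boot until sysctl applies it and can be switched back off by root until `kernel.grsecurity.grsec_lock = 1` is written; that line is not visible in any of these hunks, so make sure it is the last entry of the file and that no later sysctl pass needs to change a grsecurity key.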

      2.2.1. Toolchain

      +

      2.2.3. Toolchain

      Add flags to pkgmk configuration and change specific ports that don't build with hardening flags. More information about diff --git a/tools/conf/etc/asound.conf b/tools/conf/etc/asound.conf new file mode 100644 index 0000000..adbae67 --- /dev/null +++ b/tools/conf/etc/asound.conf @@ -0,0 +1 @@ +defaults.ctl.card 1;defaults.pcm.card 1; diff --git a/tools/x.html b/tools/x.html index ad5ea6d..027d58a 100644 --- a/tools/x.html +++ b/tools/x.html @@ -28,6 +28,8 @@ xkeyboard-config

      +

      Fonts

      +
               $ sudo prt-get depinst xorg-font-util \
                    xorg-font-alias \
      @@ -43,6 +45,7 @@
               

      From 6c37 collection;

      +        $ prt-get search otf- | xargs sudo prt-get depinst
               $ prt-get depinst otf-sourcecode
               
      @@ -187,6 +190,9 @@ gstreamer-vaapi \ gst-plugins-base \ gst-plugins-good \ + gst-plugins-bad \ + gst-plugins-ugly \ + cmus \ adwaita-icon-theme \ dmenu \ st \ -- cgit 1.4.1-2-gfad0 From 079066bc153f3a6fe84b5da0b8fa8e584641b46d Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 1 Mar 2017 21:27:03 +0000 Subject: overall revision --- core/conf/iptables/iptables-lan.sh | 578 +++++++++++++++++++------------------ core/configure.html | 1 + core/grsecurity.html | 7 +- core/reboot.html | 2 +- core/toolchain.html | 19 ++ dev/php/index.html | 23 +- legal/index.html | 2 +- tools/conf/etc/nginx/nginx.conf | 13 +- tools/conf/etc/rc.d/git-daemon | 42 +++ tools/gitolite.html | 23 +- tools/network.html | 7 +- tools/nginx.html | 19 ++ tools/nmap.html | 2 +- tools/scripts/pkgmk-test.conf | 2 +- tools/scripts/setup-nginx.sh | 22 +- tools/x.html | 3 +- 16 files changed, 443 insertions(+), 322 deletions(-) create mode 100755 tools/conf/etc/rc.d/git-daemon (limited to 'core/grsecurity.html') diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index 58d92c3..491bc3b 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh 
@@ -1,322 +1,336 @@ #!/bin/sh -#------------------------------------------------------------------------------ # -# File: iptables_mint17.sh +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX # -# http://www.hardenedlinux.org +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# Reference: Ruslan Abuzant , http://www.hackersgarage.com/ -# Changed by: Silvino Silva +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# License: GNU GPL (version 2, or any later version). +# iptables [-t table] -I chain [rulenum] rule-specification # -# Configuration. -#------------------------------------------------------------------------------ - -# For debugging use iptables -v. -IPTABLES="/usr/sbin/iptables" -IP6TABLES="/usr/sbin/ip6tables" -MODPROBE="/sbin/modprobe" -RMMOD="/sbin/rmmod" -ARP="/usr/sbin/arp" - -# NIC interfaces -NIC_NAME="enp8s0 wlp7s0" - -# Logging options. 
-#------------------------------------------------------------------------------ -LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" - - -# Defaults for rate limiting -#------------------------------------------------------------------------------ -RLIMIT="-m limit --limit 3/s --limit-burst 8" - - -# Unprivileged ports. -#------------------------------------------------------------------------------ -PHIGH="1024:65535" -PSSH="1000:1023" - - -# Load required kernel modules -#------------------------------------------------------------------------------ -$MODPROBE ip_conntrack_ftp -$MODPROBE ip_conntrack_irc - - -# Mitigate ARP spoofing/poisoning and similar attacks. -#------------------------------------------------------------------------------ -# Hardcode static ARP cache entries here -# $ARP -s IP-ADDRESS MAC-ADDRESS - - -# Default policies. -#------------------------------------------------------------------------------ - -# Drop everything by default. -$IPTABLES -P INPUT DROP -$IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT DROP - -# Set the nat/mangle/raw tables' chains to DROP - -$IPTABLES -t mangle -P PREROUTING ACCEPT -$IPTABLES -t mangle -P INPUT ACCEPT -$IPTABLES -t mangle -P FORWARD ACCEPT -$IPTABLES -t mangle -P OUTPUT ACCEPT -$IPTABLES -t mangle -P POSTROUTING ACCEPT - -# Cleanup. -#------------------------------------------------------------------------------ - -# Delete all -$IPTABLES -F -$IPTABLES -t mangle -F - -# Delete all -$IPTABLES -X -$IPTABLES -t mangle -X - -# Zero all packets and counters. -$IPTABLES -Z -$IPTABLES -t mangle -Z - -# Completely disable IPv6. -#------------------------------------------------------------------------------ - -# Block all IPv6 traffic -# If the ip6tables command is available, try to block all IPv6 traffic. 
-#if test -x $IP6TABLES; then -# Set the default policies -# drop everything -#$IP6TABLES -P INPUT DROP -#$IP6TABLES -P FORWARD DROP -#$IP6TABLES -P OUTPUT DROP +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum # -## The mangle table can pass everything -#$IP6TABLES -t mangle -P PREROUTING ACCEPT -#$IP6TABLES -t mangle -P INPUT ACCEPT -#$IP6TABLES -t mangle -P FORWARD ACCEPT -#$IP6TABLES -t mangle -P OUTPUT ACCEPT -#$IP6TABLES -t mangle -P POSTROUTING ACCEPT - -# Delete all rules. -#$IP6TABLES -F 2>/dev/null -#$IP6TABLES -t mangle -F 2>/dev/null +# iptables [-t table] -S [chain [rulenum]] # -## Delete all chains. -#$IP6TABLES -X 2>/dev/null -#$IP6TABLES -t mangle -X 2>/dev/null +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] # -## Zero all packets and counters. -#$IP6TABLES -Z 2>/dev/null -#$IP6TABLES -t mangle -Z 2>/dev/null -#fi - -# Custom user-defined chains. -#------------------------------------------------------------------------------ - -# LOG packets, then ACCEPT. -$IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " -$IPTABLES -A ACCEPTLOG -j ACCEPT - -# LOG packets, then DROP. -$IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " -$IPTABLES -A DROPLOG -j DROP - -# LOG packets, then REJECT. -# TCP packets are rejected with a TCP reset. -$IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " -$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset -$IPTABLES -A REJECTLOG -j REJECT - -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - - -# Only allows RELATED ICMP types -# (destination-unreachable, time-exceeded, and parameter-problem). -# TODO: Rate-limit this traffic? -# TODO: Allow fragmentation-needed? -# TODO: Test. 
-$IPTABLES -N RELATED_ICMP -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT -$IPTABLES -A RELATED_ICMP -j DROPLOG - -# Make It Even Harder To Multi-PING -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP: -$IPTABLES -A INPUT -p icmp -j DROP -$IPTABLES -A OUTPUT -p icmp -j ACCEPT +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. +# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. 
+# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. +# -c, --set-counters packets bytes + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" +PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" +PUB_IP="192.168.1.33" +PRIV_IF="br0" + +modprobe ip_conntrack +modprobe ip_conntrack_ftp + +echo "Stopping ipv4 firewall and deny everyone..." + +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -t raw -F +iptables -t raw -X +iptables -t security -F +iptables -t security -X + + +echo "Starting ipv4 firewall filter table..." + +# Set Default Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# Unlimited on local +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT + +# Block sync +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " +$IPT -A INPUT -p tcp ! 
--syn -m state --state NEW -j DROP + +# Block Fragments +$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " +$IPT -A INPUT -f -j DROP + +# Block bad stuff +$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + +$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + +##### Add your AP rules below ###### + +echo 1 > /proc/sys/net/ipv4/ip_forward + +$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT +$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT + +$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} +$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT +$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT +# +##### Server rules below ###### -# Only allow the minimally required/recommended parts of ICMP. Block the rest. 
-#------------------------------------------------------------------------------ +#echo "Allow ICMP" +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT -# TODO: This section needs a lot of testing! +#echo "Allow DNS Server" +#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT -# First, drop all fragmented ICMP packets (almost always malicious). -$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG +echo "Allow HTTP and HTTPS server" +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow all ESTABLISHED ICMP traffic. 
-$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT +#echo "Allow ssh server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT -# Allow some parts of the RELATED ICMP traffic, block the rest. -$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT +##### Add your rules below ###### -# Allow incoming ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +echo "Allow DNS Client" -# Allow outgoing ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Drop any other ICMP traffic. -$IPTABLES -A INPUT -p icmp -j DROPLOG -$IPTABLES -A OUTPUT -p icmp -j DROPLOG -$IPTABLES -A FORWARD -p icmp -j DROPLOG +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Selectively allow certain special types of traffic. -#------------------------------------------------------------------------------ +echo "Allow Whois Client" -# Allow incoming connections related to existing allowed connections. 
-$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow outgoing connections EXCEPT invalid -$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +echo "Allow HTTP Client" -# Miscellaneous. -#------------------------------------------------------------------------------ +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ greedyevilsoft -$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP -$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +echo "Allow Rsync Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT -# Explicitly drop invalid incoming traffic -$IPTABLES -A INPUT -m state --state INVALID -j DROP +echo "Allow POP3S Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT -# Drop invalid outgoing traffic, too. 
-$IPTABLES -A OUTPUT -m state --state INVALID -j DROP +echo "Allow SMTPS Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT -# If we would use NAT, INVALID packets would pass - BLOCK them anyways -$IPTABLES -A FORWARD -m state --state INVALID -j DROP +echo "Allow NTP Client" +$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT -# PORT Scanners (stealth also) -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -# TODO: Some more anti-spoofing rules? For example: -$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +echo "Allow IRC Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT -$IPTABLES -N SYN_FLOOD -$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD -$IPTABLES -A 
SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN +echo "Allow Active FTP Client" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A SYN_FLOOD -j DROP +echo "Allow Git" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +echo "Allow ssh client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -#$IPTABLES -A INPUT -f -j DROP -$IPTABLES -A INPUT -f -j DROPLOG +#echo "Allow Passive Connections" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT -# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... -# Selectively allow certain inbound connections, block the rest. 
-#------------------------------------------------------------------------------ +# echo "Allow FairCoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow Dashcoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow warzone2100" +# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT +# +# echo "Allow wesnoth" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT -# Allow incoming SSH requests. -#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT +##### END your rules ############ +# Less log of known traffic -# Allow incoming https server -#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT +# RIP protocol +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP +# DHCP +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT -# Selectively allow certain outbound connections, block the rest. 
-#------------------------------------------------------------------------------ -# +# log everything else and drop +$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " +$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -# Allow ping -$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients -$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow irc -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to xmmp -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to rsync server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport 
      $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-# Selectively allow certain outbound server connections, block the rest.
-#------------------------------------------------------------------------------
-
-# Allow from https server
-#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
-
-# Allow from dns server
-#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
-
-# Explicitly log and reject everything else.
-#------------------------------------------------------------------------------
-# Use REJECT instead of REJECTLOG if you don't need/want logging.
-$IPTABLES -A INPUT -j DROPLOG
-$IPTABLES -A OUTPUT -j DROPLOG
-$IPTABLES -A FORWARD -j REJECTLOG
-
-# Counter hits
-
-#for i in $NIC_NAME
-#do
-# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
-# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
-#done
-
-#------------------------------------------------------------------------------
-# Testing the firewall.
-#------------------------------------------------------------------------------
-
-# You should check/test that the firewall really works, using
-# iptables -vnL, nmap, ping, telnet, ...
-
-# Exit gracefully.
-#------------------------------------------------------------------------------
 exit 0
diff --git a/core/configure.html b/core/configure.html
index 6349b65..b3ca259 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -253,6 +253,7 @@ pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0 UUID=36e9e1d5-8356-451e-a301-81098b9a15ea /srv ext4 defaults,nodev,errors=remount-ro 0 0 UUID=cd15196a-69f1-4fb4-9730-a384c62add91 /home ext4 defaults,nodev,nosuid,errors=remount-ro 0 0
+ #UUID=04f07488ce7b36205acc6d404dcf924643660ac5
 # End of file
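Review bot: The forwarding rule `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT` under "Add your AP rules" accepts every packet arriving on the public interface toward the bridge, including new inbound connections, so the SNAT rewrite is the only thing keeping upstream hosts away from the private segment; restricting it to reply traffic, `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT`, keeps the stateful model the rest of the file uses. The three catch-all `LOG` rules at the end carry no `-m limit`, unlike the earlier drop rules, so unsolicited traffic can fill the kernel log; `-m limit --limit 5/m --limit-burst 7` on each would match the rest of the script. The flush and default-policy section calls a bare `iptables` while every other rule goes through `$IPT`, and `SPAMLIST`/`SPAMDROPMSG` are assigned but never used. `PUB_IP` is hard-coded as the `SNAT --to` target even though the DHCP rules show the address on `${PUB_IF}` is leased; if the lease changes, forwarded traffic is rewritten to a stale source address, which `-j MASQUERADE` would avoid.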
      diff --git a/core/grsecurity.html b/core/grsecurity.html index 30ee28c..48ac2b2 100644 --- a/core/grsecurity.html +++ b/core/grsecurity.html @@ -15,7 +15,7 @@ port kernel, for manual configuration check linux kernel. Configuration is not enable by default, groups with special permissions and other - protections are set with sysctl.html;

      + protections are set with sysctl;

      @@ -56,6 +56,11 @@
      Deny server sockets to this group.
      +

      At run time you can change some configurations;

      + +
      +        # cat /proc/sys/kernel/grsecurity/what_ever_setting
      +        

      Kernel configuration related to grsecurity;

      diff --git a/core/reboot.html b/core/reboot.html index c60265a..aa45a0f 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -99,7 +99,7 @@ # grub-probe --target=hints_string / -

      Rescue iso

      +

      1.4.3.1. Rescue iso

      Simple way to have "resque" system is to mount boot as read only, this assures that even as root nothing can be changed without remount. diff --git a/core/toolchain.html b/core/toolchain.html index b5d4bb1..04b58e3 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -74,6 +74,25 @@ export LDFLAGS="" +

      Openssl

      + +

      Replace openssl by libressl, view if + libressl port from 6c37-dropin is updated with + latest libressl upstream. First install libressl + to ensure it gets all the sources; + +

      +        $ sudo prt-get depinst libressl
      +        
      + +

      After complaining about openssl files remove openssl; + +

      +        $ sudo prt-get remove openssl
      +        $ sudo prt-get depinst libressl
      +        
      + +

      libcap

        diff --git a/dev/php/index.html b/dev/php/index.html index 2a44270..a4549f1 100644 --- a/dev/php/index.html +++ b/dev/php/index.html @@ -9,10 +9,31 @@

        c9 PHP

        + +

        Hello World

        + +

        PHP comes with a built in server that helps to speed up + developing by not having to configure a system web server, + first create file index.php;

        + +
        +        <?php
        +           echo "Hello World";
        +        
        + +

        Now run the server;

        + +
        +        $ php -S localhost:8000
        +        
        + +

        Open your browser and browse http://localhost:8000, + you should see "Hello World".

        + Development Index

        This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

        diff --git a/legal/index.html b/legal/index.html index 0912ad8..677a540 100644 --- a/legal/index.html +++ b/legal/index.html @@ -19,7 +19,7 @@
        • Brasil
        • -
        • Portugal
        • +
        • Portugal (lost case, completed owned by corporations interests)
        Documentation Index
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
index ddbdee6..8fca293 100644
--- a/tools/conf/etc/nginx/nginx.conf
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -3,7 +3,7 @@ #
-user nginx;
+user www;
 worker_processes auto; error_log /var/log/nginx/error.log;
@@ -20,16 +20,6 @@ http { include mime.types; default_type application/octet-stream;
- ##
- # SSL Settings
- ##
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
-
- # ssl on;
- ssl_certificate /etc/ssl/certs/nginx.crt;
- ssl_certificate_key /etc/ssl/keys/nginx.key;
-
 #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"';
@@ -40,6 +30,7 @@ http { sendfile on; #tcp_nopush on;
+ client_max_body_size 8M;
 keepalive_timeout 65; client_body_timeout 12; client_header_timeout 12;
diff --git a/tools/conf/etc/rc.d/git-daemon b/tools/conf/etc/rc.d/git-daemon
new file mode 100755
index 0000000..8aa9d81
--- /dev/null
+++ b/tools/conf/etc/rc.d/git-daemon 
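Review bot: The removed http-level block was the only place in this file that pinned `ssl_protocols`, `ssl_prefer_server_ciphers` and the certificate paths, and the hunk adds no replacement, so any `listen ... ssl` server block now relies on nginx's built-in defaults or on directives outside this diff; worth confirming the per-site configuration sets them explicitly. `client_max_body_size 8M;` is placed at http level and so caps every server, which is reasonable but unexplained in place; a comment such as `# global upload cap; override per server/location where needed` would make the intent clear to the next editor.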
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+SSD=/sbin/start-stop-daemon
+NAME=git-daemon
+PROG=$(git --exec-path)/${NAME}
+USER=www
+GROUP=www
+PIDFILE=/var/run/git-daemon.pid
+OPTS="--verbose --reuseaddr --base-path=/srv/gitolite/repositories"
+
+case $1 in
+ start)
+ echo "Starting ${NAME}..."
+ $SSD --start \
+ --pidfile ${PIDFILE} \
+ --exec ${PROG} -- ${OPTS} \
+ --detach --pid-file=${PIDFILE} \
+ --user=${USER} --group=${GROUP}
+
+ ;;
+ stop)
+ echo "Stopping ${NAME}..."
+ $SSD --stop --quiet --name git-daemon \
+ --pidfile ${PIDFILE}
+ ;;
+ restart)
+ echo "Restarting ${NAME}..."
+ $0 stop
+ $0 start
+ ;;
+ status)
+ $SSD --status --pidfile $PIDFILE
+ case $? in
+ 0) echo "$PROG is running with pid $(cat $PIDFILE )" ;;
+ 3) echo "$PROG is not running" ;;
+ 4) echo "Unable to determine the program status" ;;
+ esac
+ ;;
+ *)
+ echo "usage: $0 [start|stop|restart|status]"
+ ;;
+esac
diff --git a/tools/gitolite.html b/tools/gitolite.html
index ab1ad3a..a275c23 100644
--- a/tools/gitolite.html
+++ b/tools/gitolite.html
@@ -552,24 +552,35 @@
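Review bot: `${PIDFILE}`, `${PROG}` and the `$(cat $PIDFILE )` in the status branch are expanded unquoted; the paths contain no spaces today so it works, but `--pidfile "$PIDFILE"` and `$(cat "$PIDFILE")` cost nothing and stop shellcheck from flagging the script (`${OPTS}` is unquoted on purpose so it word-splits into separate options and should stay that way). The `*)` branch prints usage to stdout and the script exits 0 on a bad argument, so `echo "usage: $0 [start|stop|restart|status]" >&2` followed by `exit 1` would let rc callers notice. USER=www/GROUP=www run the daemon under the same account that `user www;` in this commit's nginx.conf gives the web server, so the two services share file access; a dedicated account for the daemon would keep a fault in one from reaching the other's files. A header comment stating that git:// is unauthenticated access, read-only by default, and that only repositories under the base path marked with git-daemon-export-ok are served (git daemon's behaviour without --export-all) would help whoever deploys this.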

        5.2. Configure nginx

        -

        Edit /etc/rc.d/fcgiwrap to run as nginx user member of gitolite - and www group;

        +

        Edit /etc/rc.d/fcgiwrap to run as www user member of www group;

        -        USER=nginx
        -        GROUP=nginx
        +        USER=www
        +        GROUP=www
                 
        +

        Permissions for /srv/gitolite/repositories directories should be + 0750/drwxr-x---.

        +
        -        # usermod -G www,gitolite nginx
        +        $ chown gitolite:www /srv/gitolite
        +        $ chown -R gitolite:www /srv/gitolite/projects.list
        +        $ chown -R gitolite:www /srv/gitolite/repositories
                 
        -

        Create link from gitweb to web server folder;

        +

        A link from gitweb don't work under grsecurity since user www can't + follow simlink to root. Make a copy, later deploy via gitolite hook.

        +

        Link;

                 # ln -s /usr/share/gitweb /srv/www
                 
        +

        Copy;

        +
        +        # cp -r /usr/share/gitweb /srv/www
        +        
        +

        Add this to default or main nginx virtual host;

        diff --git a/tools/network.html b/tools/network.html index 9cf5395..c4e99f6 100644 --- a/tools/network.html +++ b/tools/network.html @@ -22,15 +22,12 @@ generate cron job to update ip every 5 minutes, check about dynamic interface. To run as system cron job add as root and remove path line from example;

        -
        -        PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
        -        
        -
                 # crontab -e
                 
        -

        Example from afraid uses curl and will log output to /tmp/freedns*

        +

        Example from afraid uses curl and will log output to /tmp/freedns*, + change to /var/log/freedns

        Bridges

        diff --git a/tools/nginx.html b/tools/nginx.html index 6d4f355..a85cf0e 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -43,6 +43,25 @@

        2. Certificates

        +

        2.1. Lets encrypt

        + +

        Example of nginx location block on public pmwiki setup;

        + +
        +        #ACME challenge
        +        location ^~ /.well-known {
        +              allow all;
        +              alias /srv/www/c9-pmwiki/pub/cert/.well-known/;
        +              default_type "text/plain";
        +              try_files $uri =404;
        +        }
        +        
        + +
        +        # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
        +        
        + +

        2.2. Self certificate

        Certificates allow a more secure connection. Lets create self-signed certificate;

        diff --git a/tools/nmap.html b/tools/nmap.html index c07ec0f..c3d5316 100644 --- a/tools/nmap.html +++ b/tools/nmap.html @@ -24,7 +24,7 @@

        Or by hostname;

        -        # nmap -v c9.root.cx
        +        # nmap -v c9.root.sx
                 

        Check OS and version detection;

        diff --git a/tools/scripts/pkgmk-test.conf b/tools/scripts/pkgmk-test.conf index 623c52c..db9978d 100644 --- a/tools/scripts/pkgmk-test.conf +++ b/tools/scripts/pkgmk-test.conf @@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(https://c9.root.cx/ports/distfiles/) +PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) # PKGMK_SOURCE_DIR="$PWD" # PKGMK_PACKAGE_DIR="$PWD" # PKGMK_WORK_DIR="$PWD/work" diff --git a/tools/scripts/setup-nginx.sh b/tools/scripts/setup-nginx.sh index decacc1..11065d2 100644 --- a/tools/scripts/setup-nginx.sh +++ b/tools/scripts/setup-nginx.sh @@ -1,16 +1,16 @@ #!/bin/sh -. `dirname $0`/config-install.sh - -prt-get depinst nginx - -cp -R $CONF_DIR/etc/nginx/* /etc/nginx/ - -mkdir /srv/www -chown nginx:www /srv/www - -usermod -a -G www nginx -usermod -m -d /srv/www nginx +#. `dirname $0`/config-install.sh +# +#prt-get depinst nginx +# +#cp -R $CONF_DIR/etc/nginx/* /etc/nginx/ +# +#mkdir /srv/www +#chown www:www /srv/www +# +#usermod -a -g www nginx +#usermod -m -d /srv/www nginx openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048 openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr diff --git a/tools/x.html b/tools/x.html index 027d58a..8a68c5b 100644 --- a/tools/x.html +++ b/tools/x.html @@ -36,13 +36,14 @@ xorg-font-dejavu-ttf \ xorg-font-cursor-misc \ xorg-font-misc-misc \ + console-font-terminus \ + xorg-font-terminus \ xorg-font-mutt-misc $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst $ prt-get search xorg-font-bh | xargs sudo prt-get depinst -

        From 6c37 collection;

                 $ prt-get search otf- | xargs sudo prt-get depinst