diff --git a/projects/README.md b/projects/README.md
index 4f054e546..dad33ac05 100644
--- a/projects/README.md
+++ b/projects/README.md
@@ -17,6 +17,7 @@ If you want to create a project, please submit a pull request to create a new di
 - [eBPF](ebpf/) iovisor eBPF tools
 - [AWS](aws/) AWS build support
 - [Swarmd](swarmd) Standalone swarmkit based orchestrator
+- [Landlock LSM](landlock/) programmatic access control
 
 ## Current projects not yet documented
 - Clear Linux integration (Intel)
diff --git a/projects/landlock/kernel-landlock/kernel_config b/projects/landlock/kernel-landlock/kernel_config
new file mode 100644
index 000000000..f74776998
--- /dev/null
+++ b/projects/landlock/kernel-landlock/kernel_config
@@ -0,0 +1,3658 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.9.20 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_X86_64_SMP=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_DEBUG_RODATA=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="-moby" +# CONFIG_LOCALVERSION_AUTO is not set +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# 
CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="moby" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_FHANDLE=y +# CONFIG_USELIB is not set +CONFIG_AUDIT=y +CONFIG_HAVE_ARCH_AUDITSYSCALL=y +CONFIG_AUDITSYSCALL=y +CONFIG_AUDIT_WATCH=y +CONFIG_AUDIT_TREE=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_GENERIC_PENDING_IRQ=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +# CONFIG_IRQ_DOMAIN_DEBUG is not set +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +# CONFIG_NO_HZ_FULL is not set +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +CONFIG_BSD_PROCESS_ACCT_V3=y +CONFIG_TASKSTATS=y +CONFIG_TASK_DELAY_ACCT=y +# CONFIG_TASK_XACCT is not set + +# +# RCU Subsystem +# +CONFIG_TREE_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +# CONFIG_TASKS_RCU is not set +CONFIG_RCU_STALL_COMMON=y +# CONFIG_TREE_RCU_TRACE is not set +# CONFIG_RCU_EXPEDITE_BOOT is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=17 +CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 +CONFIG_NMI_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y 
+CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y +CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_HUGETLB=y +CONFIG_CPUSETS=y +CONFIG_PROC_PID_CPUSET=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_CHECKPOINT_RESTORE=y +CONFIG_NAMESPACES=y +CONFIG_UTS_NS=y +CONFIG_IPC_NS=y +CONFIG_USER_NS=y +CONFIG_PID_NS=y +CONFIG_NET_NS=y +CONFIG_SCHED_AUTOGROUP=y +# CONFIG_SYSFS_DEPRECATED is not set +CONFIG_RELAY=y +CONFIG_BLK_DEV_INITRD=y +CONFIG_INITRAMFS_SOURCE="" +CONFIG_RD_GZIP=y +# CONFIG_RD_BZIP2 is not set +# CONFIG_RD_LZMA is not set +# CONFIG_RD_XZ is not set +# CONFIG_RD_LZO is not set +# CONFIG_RD_LZ4 is not set +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_HAVE_UID16=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +CONFIG_EXPERT=y +CONFIG_UID16=y +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_BPF_SYSCALL=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +# CONFIG_USERFAULTFD is not set +CONFIG_PCI_QUIRKS=y +CONFIG_MEMBARRIER=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +# CONFIG_COMPAT_BRK is not set 
+CONFIG_SLAB=y +# CONFIG_SLUB is not set +# CONFIG_SLOB is not set +CONFIG_SLAB_FREELIST_RANDOM=y +# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_PROFILING=y +CONFIG_TRACEPOINTS=y +CONFIG_OPROFILE=y +# CONFIG_OPROFILE_EVENT_MULTIPLEX is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +CONFIG_KPROBES=y +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set +CONFIG_OPTPROBES=y +CONFIG_KPROBES_ON_FTRACE=y +CONFIG_UPROBES=y +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_KRETPROBES=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y +CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_GCC_PLUGINS=y +# CONFIG_GCC_PLUGINS is not set +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +# CONFIG_CC_STACKPROTECTOR_REGULAR is not set +CONFIG_CC_STACKPROTECTOR_STRONG=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y 
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y +CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +# CONFIG_HAVE_ARCH_HASH is not set +# CONFIG_ISA_BUS_API is not set +CONFIG_OLD_SIGSUSPEND3=y +CONFIG_COMPAT_OLD_SIGACTION=y +# CONFIG_CPU_NO_EFFICIENT_FFS is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y + +# +# GCOV-based kernel profiling +# +# CONFIG_GCOV_KERNEL is not set +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +CONFIG_MODULES=y +# CONFIG_MODULE_FORCE_LOAD is not set +CONFIG_MODULE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set +# CONFIG_MODVERSIONS is not set +# CONFIG_MODULE_SRCVERSION_ALL is not set +# CONFIG_MODULE_SIG is not set +# CONFIG_MODULE_COMPRESS is not set +# CONFIG_TRIM_UNUSED_KSYMS is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +CONFIG_BLK_DEV_BSG=y +# CONFIG_BLK_DEV_BSGLIB is not set +CONFIG_BLK_DEV_INTEGRITY=y +CONFIG_BLK_DEV_THROTTLING=y +# CONFIG_BLK_CMDLINE_PARSER is not set + +# +# Partition Types +# +CONFIG_PARTITION_ADVANCED=y +# CONFIG_ACORN_PARTITION is not set +# CONFIG_AIX_PARTITION is not set +# CONFIG_OSF_PARTITION is not set +# CONFIG_AMIGA_PARTITION is not set +# CONFIG_ATARI_PARTITION is not set +# CONFIG_MAC_PARTITION is not set +CONFIG_MSDOS_PARTITION=y +# CONFIG_BSD_DISKLABEL is not set +# CONFIG_MINIX_SUBPARTITION is not set +# CONFIG_SOLARIS_X86_PARTITION is not set +# CONFIG_UNIXWARE_DISKLABEL is not set +# CONFIG_LDM_PARTITION is not set +# CONFIG_SGI_PARTITION is not set +# CONFIG_ULTRIX_PARTITION is not set +# CONFIG_SUN_PARTITION is not set +# CONFIG_KARMA_PARTITION is not set +CONFIG_EFI_PARTITION=y +# CONFIG_SYSV68_PARTITION is not set +# CONFIG_CMDLINE_PARTITION is not set +CONFIG_BLOCK_COMPAT=y +CONFIG_BLK_MQ_PCI=y + +# +# IO 
Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +CONFIG_CFQ_GROUP_IOSCHED=y +CONFIG_DEFAULT_DEADLINE=y +# CONFIG_DEFAULT_CFQ is not set +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="deadline" +CONFIG_ASN1=y +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_MUTEX_SPIN_ON_OWNER=y +CONFIG_RWSEM_SPIN_ON_OWNER=y +CONFIG_LOCK_SPIN_ON_OWNER=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_QUEUED_RWLOCKS=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +CONFIG_SMP=y +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_FAST_FEATURE_TESTS=y +# CONFIG_X86_X2APIC is not set +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_X86_EXTENDED_PLATFORM is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +# CONFIG_IOSF_MBI is not set +CONFIG_SCHED_OMIT_FRAME_POINTER=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_PARAVIRT=y +# CONFIG_PARAVIRT_DEBUG is not set +CONFIG_PARAVIRT_SPINLOCKS=y +# CONFIG_QUEUED_LOCK_STAT is not set +CONFIG_XEN=y +CONFIG_XEN_DOM0=y +CONFIG_XEN_PVHVM=y +CONFIG_XEN_512GB=y +CONFIG_XEN_SAVE_RESTORE=y +# CONFIG_XEN_DEBUG_FS is not set +CONFIG_XEN_PVH=y +CONFIG_KVM_GUEST=y +# CONFIG_KVM_DEBUG_FS is not set +# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set +CONFIG_PARAVIRT_CLOCK=y +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +# CONFIG_MCORE2 is not set +# CONFIG_MATOM is not set +CONFIG_GENERIC_CPU=y +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +# CONFIG_PROCESSOR_SELECT is not set +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y 
+CONFIG_HPET_EMULATE_RTC=y +CONFIG_DMI=y +# CONFIG_GART_IOMMU is not set +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +# CONFIG_MAXSMP is not set +CONFIG_NR_CPUS=128 +# CONFIG_SCHED_SMT is not set +CONFIG_SCHED_MC=y +# CONFIG_PREEMPT_NONE is not set +CONFIG_PREEMPT_VOLUNTARY=y +# CONFIG_PREEMPT is not set +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +# CONFIG_VM86 is not set +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +CONFIG_MICROCODE_AMD=y +CONFIG_MICROCODE_OLD_INTERFACE=y +CONFIG_X86_MSR=y +CONFIG_X86_CPUID=y +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_X86_DIRECT_GBPAGES=y +# CONFIG_NUMA is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +# CONFIG_ARCH_MEMORY_PROBE is not set +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +CONFIG_BALLOON_COMPACTION=y +CONFIG_COMPACTION=y +CONFIG_MIGRATION=y +CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y 
+CONFIG_MMU_NOTIFIER=y +CONFIG_KSM=y +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y +# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set +CONFIG_TRANSPARENT_HUGE_PAGECACHE=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_MEM_SOFT_DIRTY is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set +# CONFIG_IDLE_PAGE_TRACKING is not set +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_EFI=y +CONFIG_EFI_STUB=y +# CONFIG_EFI_MIXED is not set +CONFIG_SECCOMP=y +CONFIG_HZ_100=y +# CONFIG_HZ_250 is not set +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=100 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +CONFIG_RANDOMIZE_BASE=y +CONFIG_X86_NEED_RELOCS=y +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_RANDOMIZE_MEMORY=y +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa +CONFIG_HOTPLUG_CPU=y +# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set +# CONFIG_DEBUG_HOTPLUG_CPU0 is not set +# CONFIG_COMPAT_VDSO is not set +# CONFIG_LEGACY_VSYSCALL_NATIVE is not set +# CONFIG_LEGACY_VSYSCALL_EMULATE is not set +CONFIG_LEGACY_VSYSCALL_NONE=y +# CONFIG_CMDLINE_BOOL is not set +# CONFIG_MODIFY_LDT_SYSCALL is not set +CONFIG_HAVE_LIVEPATCH=y 
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +# CONFIG_SUSPEND is not set +CONFIG_HIBERNATE_CALLBACKS=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +CONFIG_PM_SLEEP_SMP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +# CONFIG_ACPI_PROCFS_POWER is not set +# CONFIG_ACPI_REV_OVERRIDE_POSSIBLE is not set +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +CONFIG_ACPI_DOCK=y +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +CONFIG_ACPI_HOTPLUG_CPU=y +CONFIG_ACPI_PROCESSOR_AGGREGATOR=y +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +CONFIG_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +CONFIG_ACPI_CONTAINER=y +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +CONFIG_ACPI_SBS=y +CONFIG_ACPI_HED=y +# CONFIG_ACPI_CUSTOM_METHOD is not set +# CONFIG_ACPI_BGRT is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +CONFIG_ACPI_APEI=y +CONFIG_ACPI_APEI_GHES=y +# CONFIG_ACPI_APEI_EINJ is not set +# CONFIG_ACPI_APEI_ERST_DEBUG is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +CONFIG_CPU_FREQ_STAT=y +# CONFIG_CPU_FREQ_STAT_DETAILS is not set +# 
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +# CONFIG_CPU_FREQ_GOV_SCHEDUTIL is not set + +# +# CPU frequency scaling drivers +# +# CONFIG_X86_INTEL_PSTATE is not set +CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ_CPB=y +CONFIG_X86_POWERNOW_K8=y +# CONFIG_X86_AMD_FREQ_SENSITIVITY is not set +# CONFIG_X86_SPEEDSTEP_CENTRINO is not set +CONFIG_X86_P4_CLOCKMOD=y + +# +# shared options +# +CONFIG_X86_SPEEDSTEP_LIB=y + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +CONFIG_INTEL_IDLE=y + +# +# Memory power savings +# +# CONFIG_I7300_IDLE is not set + +# +# Bus options (PCI etc.) 
+# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +CONFIG_PCI_MMCONFIG=y +CONFIG_PCI_XEN=y +CONFIG_PCI_DOMAINS=y +# CONFIG_PCI_CNB20LE_QUIRK is not set +CONFIG_PCIEPORTBUS=y +CONFIG_HOTPLUG_PCI_PCIE=y +# CONFIG_PCIEAER is not set +CONFIG_PCIEASPM=y +# CONFIG_PCIEASPM_DEBUG is not set +CONFIG_PCIEASPM_DEFAULT=y +# CONFIG_PCIEASPM_POWERSAVE is not set +# CONFIG_PCIEASPM_PERFORMANCE is not set +CONFIG_PCIE_PME=y +# CONFIG_PCIE_DPC is not set +# CONFIG_PCIE_PTM is not set +CONFIG_PCI_BUS_ADDR_T_64BIT=y +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +CONFIG_PCI_STUB=y +CONFIG_XEN_PCIDEV_FRONTEND=y +CONFIG_HT_IRQ=y +CONFIG_PCI_ATS=y +CONFIG_PCI_IOV=y +CONFIG_PCI_PRI=y +CONFIG_PCI_PASID=y +CONFIG_PCI_LABEL=y +# CONFIG_PCI_HYPERV is not set +CONFIG_HOTPLUG_PCI=y +# CONFIG_HOTPLUG_PCI_ACPI is not set +# CONFIG_HOTPLUG_PCI_CPCI is not set +CONFIG_HOTPLUG_PCI_SHPC=y + +# +# PCI host controller drivers +# +# CONFIG_PCIE_DW_PLAT is not set +# CONFIG_VMD is not set +# CONFIG_ISA_BUS is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_COMPAT_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +CONFIG_BINFMT_MISC=y +CONFIG_COREDUMP=y +CONFIG_IA32_EMULATION=y +# CONFIG_IA32_AOUT is not set +# CONFIG_X86_X32 is not set +CONFIG_COMPAT=y +CONFIG_COMPAT_FOR_U64_ALIGNMENT=y +CONFIG_SYSVIPC_COMPAT=y +CONFIG_KEYS_COMPAT=y +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_PMC_ATOM=y +CONFIG_NET=y +CONFIG_NET_INGRESS=y +CONFIG_NET_EGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +CONFIG_PACKET_DIAG=y +CONFIG_UNIX=y +CONFIG_UNIX_DIAG=y +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y 
+CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +CONFIG_IP_MULTICAST=y +CONFIG_IP_ADVANCED_ROUTER=y +CONFIG_IP_FIB_TRIE_STATS=y +CONFIG_IP_MULTIPLE_TABLES=y +CONFIG_IP_ROUTE_MULTIPATH=y +CONFIG_IP_ROUTE_VERBOSE=y +CONFIG_IP_ROUTE_CLASSID=y +CONFIG_IP_PNP=y +CONFIG_IP_PNP_DHCP=y +# CONFIG_IP_PNP_BOOTP is not set +# CONFIG_IP_PNP_RARP is not set +CONFIG_NET_IPIP=y +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +CONFIG_NET_IPGRE_BROADCAST=y +CONFIG_IP_MROUTE=y +CONFIG_IP_MROUTE_MULTIPLE_TABLES=y +CONFIG_IP_PIMSM_V1=y +CONFIG_IP_PIMSM_V2=y +CONFIG_SYN_COOKIES=y +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +CONFIG_NET_FOU=y +CONFIG_NET_FOU_IP_TUNNELS=y +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +CONFIG_INET_UDP_DIAG=y +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +CONFIG_TCP_MD5SIG=y +CONFIG_IPV6=y +CONFIG_IPV6_ROUTER_PREF=y +# CONFIG_IPV6_ROUTE_INFO is not set +# CONFIG_IPV6_OPTIMISTIC_DAD is not set +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +CONFIG_IPV6_ILA=y +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=y +CONFIG_IPV6_VTI=y +CONFIG_IPV6_SIT=y +CONFIG_IPV6_SIT_6RD=y +CONFIG_IPV6_NDISC_NODETYPE=y +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_FOU=y +CONFIG_IPV6_FOU_TUNNEL=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +CONFIG_NETLABEL=y +CONFIG_NETWORK_SECMARK=y +CONFIG_NET_PTP_CLASSIFY=y +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +# CONFIG_NETFILTER_DEBUG is not set 
+CONFIG_NETFILTER_ADVANCED=y +CONFIG_BRIDGE_NETFILTER=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_NETLINK_ACCT=y +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_SECMARK is not set +CONFIG_NF_CONNTRACK_ZONES=y +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +CONFIG_NF_CONNTRACK_TIMEOUT=y +CONFIG_NF_CONNTRACK_TIMESTAMP=y +CONFIG_NF_CONNTRACK_LABELS=y +CONFIG_NF_CT_PROTO_DCCP=y +CONFIG_NF_CT_PROTO_GRE=y +CONFIG_NF_CT_PROTO_SCTP=y +CONFIG_NF_CT_PROTO_UDPLITE=y +CONFIG_NF_CONNTRACK_AMANDA=y +CONFIG_NF_CONNTRACK_FTP=y +CONFIG_NF_CONNTRACK_H323=y +CONFIG_NF_CONNTRACK_IRC=y +CONFIG_NF_CONNTRACK_BROADCAST=y +CONFIG_NF_CONNTRACK_NETBIOS_NS=y +CONFIG_NF_CONNTRACK_SNMP=y +CONFIG_NF_CONNTRACK_PPTP=y +CONFIG_NF_CONNTRACK_SANE=y +CONFIG_NF_CONNTRACK_SIP=y +CONFIG_NF_CONNTRACK_TFTP=y +CONFIG_NF_CT_NETLINK=y +CONFIG_NF_CT_NETLINK_TIMEOUT=y +CONFIG_NF_CT_NETLINK_HELPER=y +CONFIG_NETFILTER_NETLINK_GLUE_CT=y +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_DCCP=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +CONFIG_NF_NAT_PROTO_SCTP=y +CONFIG_NF_NAT_AMANDA=y +CONFIG_NF_NAT_FTP=y +CONFIG_NF_NAT_IRC=y +CONFIG_NF_NAT_SIP=y +CONFIG_NF_NAT_TFTP=y +CONFIG_NF_NAT_REDIRECT=y +CONFIG_NETFILTER_SYNPROXY=y +CONFIG_NF_TABLES=y +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y +CONFIG_NFT_EXTHDR=y +CONFIG_NFT_META=y +# CONFIG_NFT_NUMGEN is not set +CONFIG_NFT_CT=y +# CONFIG_NFT_SET_RBTREE is not set +# CONFIG_NFT_SET_HASH is not set +CONFIG_NFT_COUNTER=y +CONFIG_NFT_LOG=y +CONFIG_NFT_LIMIT=y +CONFIG_NFT_MASQ=y +CONFIG_NFT_REDIR=y +CONFIG_NFT_NAT=y +CONFIG_NFT_QUEUE=y +# CONFIG_NFT_QUOTA is not set +CONFIG_NFT_REJECT=y +CONFIG_NFT_REJECT_INET=y +CONFIG_NFT_COMPAT=y +CONFIG_NFT_HASH=y +CONFIG_NF_DUP_NETDEV=y +CONFIG_NFT_DUP_NETDEV=y +CONFIG_NFT_FWD_NETDEV=y +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables 
combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set +CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +CONFIG_NETFILTER_XT_TARGET_HMARK=y +CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +CONFIG_NETFILTER_XT_TARGET_RATEEST=y +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +CONFIG_NETFILTER_XT_TARGET_TEE=y +CONFIG_NETFILTER_XT_TARGET_TPROXY=y +CONFIG_NETFILTER_XT_TARGET_TRACE=y +# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_BPF=y +CONFIG_NETFILTER_XT_MATCH_CGROUP=y +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_CPU=y +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +CONFIG_NETFILTER_XT_MATCH_IPCOMP=y +CONFIG_NETFILTER_XT_MATCH_IPRANGE=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y 
+CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +CONFIG_NETFILTER_XT_MATCH_NFACCT=y +CONFIG_NETFILTER_XT_MATCH_OSF=y +CONFIG_NETFILTER_XT_MATCH_OWNER=y +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +CONFIG_NETFILTER_XT_MATCH_RATEEST=y +CONFIG_NETFILTER_XT_MATCH_REALM=y +CONFIG_NETFILTER_XT_MATCH_RECENT=y +CONFIG_NETFILTER_XT_MATCH_SCTP=y +CONFIG_NETFILTER_XT_MATCH_SOCKET=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +CONFIG_NETFILTER_XT_MATCH_TIME=y +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +CONFIG_IP_SET_HASH_NETIFACE=y +CONFIG_IP_SET_LIST_SET=y +CONFIG_IP_VS=y +CONFIG_IP_VS_IPV6=y +CONFIG_IP_VS_DEBUG=y +CONFIG_IP_VS_TAB_BITS=12 + +# +# IPVS transport protocol load balancing support +# +CONFIG_IP_VS_PROTO_TCP=y +CONFIG_IP_VS_PROTO_UDP=y +CONFIG_IP_VS_PROTO_AH_ESP=y +CONFIG_IP_VS_PROTO_ESP=y +CONFIG_IP_VS_PROTO_AH=y +CONFIG_IP_VS_PROTO_SCTP=y + +# +# IPVS scheduler +# +CONFIG_IP_VS_RR=y +CONFIG_IP_VS_WRR=y +CONFIG_IP_VS_LC=y +CONFIG_IP_VS_WLC=y +CONFIG_IP_VS_FO=y +CONFIG_IP_VS_OVF=y +CONFIG_IP_VS_LBLC=y +CONFIG_IP_VS_LBLCR=y +CONFIG_IP_VS_DH=y +CONFIG_IP_VS_SH=y +CONFIG_IP_VS_SED=y +CONFIG_IP_VS_NQ=y + +# +# IPVS SH scheduler +# +CONFIG_IP_VS_SH_TAB_BITS=8 + +# +# IPVS application helper +# +CONFIG_IP_VS_FTP=y +CONFIG_IP_VS_NFCT=y +# CONFIG_IP_VS_PE_SIP is not set + +# +# IP: Netfilter Configuration 
+# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_CHAIN_ROUTE_IPV4=y +CONFIG_NFT_REJECT_IPV4=y +CONFIG_NFT_DUP_IPV4=y +CONFIG_NF_TABLES_ARP=y +CONFIG_NF_DUP_IPV4=y +CONFIG_NF_LOG_ARP=y +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NFT_CHAIN_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +CONFIG_NFT_MASQ_IPV4=y +CONFIG_NFT_REDIR_IPV4=y +CONFIG_NF_NAT_SNMP_BASIC=y +CONFIG_NF_NAT_PROTO_GRE=y +CONFIG_NF_NAT_PPTP=y +CONFIG_NF_NAT_H323=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +CONFIG_IP_NF_MATCH_RPFILTER=y +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +CONFIG_IP_NF_TARGET_SYNPROXY=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_SECURITY=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_CHAIN_ROUTE_IPV6=y +CONFIG_NFT_REJECT_IPV6=y +CONFIG_NFT_DUP_IPV6=y +CONFIG_NF_DUP_IPV6=y +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NFT_CHAIN_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_NFT_MASQ_IPV6=y +CONFIG_NFT_REDIR_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +CONFIG_IP6_NF_MATCH_RPFILTER=y +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +CONFIG_IP6_NF_TARGET_SYNPROXY=y +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_SECURITY=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y 
+CONFIG_IP6_NF_TARGET_NPT=y +CONFIG_NF_TABLES_BRIDGE=y +CONFIG_NFT_BRIDGE_META=y +CONFIG_NFT_BRIDGE_REJECT=y +CONFIG_NF_LOG_BRIDGE=y +CONFIG_BRIDGE_NF_EBTABLES=y +CONFIG_BRIDGE_EBT_BROUTE=y +CONFIG_BRIDGE_EBT_T_FILTER=y +CONFIG_BRIDGE_EBT_T_NAT=y +CONFIG_BRIDGE_EBT_802_3=y +CONFIG_BRIDGE_EBT_AMONG=y +CONFIG_BRIDGE_EBT_ARP=y +CONFIG_BRIDGE_EBT_IP=y +CONFIG_BRIDGE_EBT_IP6=y +CONFIG_BRIDGE_EBT_LIMIT=y +CONFIG_BRIDGE_EBT_MARK=y +CONFIG_BRIDGE_EBT_PKTTYPE=y +CONFIG_BRIDGE_EBT_STP=y +CONFIG_BRIDGE_EBT_VLAN=y +CONFIG_BRIDGE_EBT_ARPREPLY=y +CONFIG_BRIDGE_EBT_DNAT=y +CONFIG_BRIDGE_EBT_MARK_T=y +CONFIG_BRIDGE_EBT_REDIRECT=y +CONFIG_BRIDGE_EBT_SNAT=y +CONFIG_BRIDGE_EBT_LOG=y +CONFIG_BRIDGE_EBT_NFLOG=y +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_DEBUGFS is not set +# CONFIG_L2TP_V3 is not set +CONFIG_STP=y +CONFIG_BRIDGE=y +CONFIG_BRIDGE_IGMP_SNOOPING=y +CONFIG_BRIDGE_VLAN_FILTERING=y +CONFIG_HAVE_NET_DSA=y +# CONFIG_NET_DSA is not set +CONFIG_VLAN_8021Q=y +# CONFIG_VLAN_8021Q_GVRP is not set +# CONFIG_VLAN_8021Q_MVRP is not set +# CONFIG_DECNET is not set +CONFIG_LLC=y +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +CONFIG_NET_SCHED=y + +# +# Queueing/Scheduling +# +CONFIG_NET_SCH_CBQ=y +CONFIG_NET_SCH_HTB=y +CONFIG_NET_SCH_HFSC=y +CONFIG_NET_SCH_PRIO=y +CONFIG_NET_SCH_MULTIQ=y +CONFIG_NET_SCH_RED=y +CONFIG_NET_SCH_SFB=y +CONFIG_NET_SCH_SFQ=y +CONFIG_NET_SCH_TEQL=y +CONFIG_NET_SCH_TBF=y +CONFIG_NET_SCH_GRED=y +CONFIG_NET_SCH_DSMARK=y +CONFIG_NET_SCH_NETEM=y +CONFIG_NET_SCH_DRR=y +CONFIG_NET_SCH_MQPRIO=y +CONFIG_NET_SCH_CHOKE=y +CONFIG_NET_SCH_QFQ=y +# CONFIG_NET_SCH_CODEL is not set +# CONFIG_NET_SCH_FQ_CODEL is not set +# CONFIG_NET_SCH_FQ is not set +# CONFIG_NET_SCH_HHF is not set +# 
CONFIG_NET_SCH_PIE is not set +CONFIG_NET_SCH_INGRESS=y +# CONFIG_NET_SCH_PLUG is not set + +# +# Classification +# +CONFIG_NET_CLS=y +CONFIG_NET_CLS_BASIC=y +CONFIG_NET_CLS_TCINDEX=y +CONFIG_NET_CLS_ROUTE4=y +CONFIG_NET_CLS_FW=y +CONFIG_NET_CLS_U32=y +CONFIG_CLS_U32_PERF=y +CONFIG_CLS_U32_MARK=y +CONFIG_NET_CLS_RSVP=y +CONFIG_NET_CLS_RSVP6=y +CONFIG_NET_CLS_FLOW=y +CONFIG_NET_CLS_CGROUP=y +CONFIG_NET_CLS_BPF=y +# CONFIG_NET_CLS_FLOWER is not set +CONFIG_NET_CLS_MATCHALL=y +CONFIG_NET_EMATCH=y +CONFIG_NET_EMATCH_STACK=32 +CONFIG_NET_EMATCH_CMP=y +CONFIG_NET_EMATCH_NBYTE=y +CONFIG_NET_EMATCH_U32=y +CONFIG_NET_EMATCH_META=y +CONFIG_NET_EMATCH_TEXT=y +CONFIG_NET_EMATCH_IPSET=y +CONFIG_NET_CLS_ACT=y +CONFIG_NET_ACT_POLICE=y +CONFIG_NET_ACT_GACT=y +CONFIG_GACT_PROB=y +CONFIG_NET_ACT_MIRRED=y +CONFIG_NET_ACT_IPT=y +CONFIG_NET_ACT_NAT=y +CONFIG_NET_ACT_PEDIT=y +CONFIG_NET_ACT_SIMP=y +CONFIG_NET_ACT_SKBEDIT=y +CONFIG_NET_ACT_CSUM=y +# CONFIG_NET_ACT_VLAN is not set +CONFIG_NET_ACT_BPF=y +# CONFIG_NET_ACT_CONNMARK is not set +# CONFIG_NET_ACT_SKBMOD is not set +# CONFIG_NET_ACT_IFE is not set +# CONFIG_NET_ACT_TUNNEL_KEY is not set +CONFIG_NET_CLS_IND=y +CONFIG_NET_SCH_FIFO=y +# CONFIG_DCB is not set +CONFIG_DNS_RESOLVER=y +# CONFIG_BATMAN_ADV is not set +CONFIG_OPENVSWITCH=y +CONFIG_OPENVSWITCH_GRE=y +CONFIG_OPENVSWITCH_VXLAN=y +CONFIG_OPENVSWITCH_GENEVE=y +CONFIG_VSOCKETS=y +CONFIG_VIRTIO_VSOCKETS=y +CONFIG_VIRTIO_VSOCKETS_COMMON=y +CONFIG_NETLINK_DIAG=y +CONFIG_MPLS=y +CONFIG_NET_MPLS_GSO=y +# CONFIG_MPLS_ROUTING is not set +# CONFIG_HSR is not set +CONFIG_NET_SWITCHDEV=y +CONFIG_NET_L3_MASTER_DEV=y +# CONFIG_NET_NCSI is not set +CONFIG_RPS=y +CONFIG_RFS_ACCEL=y +CONFIG_XPS=y +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y +CONFIG_BPF_JIT=y +CONFIG_NET_FLOW_LIMIT=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_NET_TCPPROBE is not set +# CONFIG_NET_DROP_MONITOR is not set +# 
CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_IRDA is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +# CONFIG_STREAM_PARSER is not set +CONFIG_FIB_RULES=y +# CONFIG_WIRELESS is not set +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +CONFIG_LWTUNNEL=y +CONFIG_DST_CACHE=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y +CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="" +CONFIG_DEVTMPFS=y +# CONFIG_DEVTMPFS_MOUNT is not set +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +CONFIG_SYS_HYPERVISOR=y +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_REGMAP=y +CONFIG_REGMAP_I2C=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +CONFIG_CONNECTOR=y +CONFIG_PROC_EVENTS=y +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +# CONFIG_PNP_DEBUG_MESSAGES is not set + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_CPQ_CISS_DA is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +CONFIG_BLK_DEV_CRYPTOLOOP=y +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is 
not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +CONFIG_ATA_OVER_ETH=y +CONFIG_XEN_BLKDEV_FRONTEND=y +CONFIG_VIRTIO_BLK=y +# CONFIG_BLK_DEV_HD is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set +# CONFIG_BLK_DEV_NVME is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_AD525X_DPOT is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ICS932S401 is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_APDS9802ALS is not set +# CONFIG_ISL29003 is not set +# CONFIG_ISL29020 is not set +# CONFIG_SENSORS_TSL2550 is not set +# CONFIG_SENSORS_BH1770 is not set +# CONFIG_SENSORS_APDS990X is not set +# CONFIG_HMC6352 is not set +# CONFIG_DS1682 is not set +# CONFIG_USB_SWITCH_FSA9480 is not set +# CONFIG_SRAM is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_AT24 is not set +# CONFIG_EEPROM_LEGACY is not set +# CONFIG_EEPROM_MAX6875 is not set +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# +# CONFIG_SENSORS_LIS3_I2C is not set + +# +# Altera FPGA firmware download module +# +# CONFIG_ALTERA_STAPL is not set +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +# CONFIG_CXL_AFU_DRIVER_OPS is not set +CONFIG_HAVE_IDE=y +# 
CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +CONFIG_SCSI=y +CONFIG_SCSI_DMA=y +# CONFIG_SCSI_NETLINK is not set +# CONFIG_SCSI_MQ_DEFAULT is not set +CONFIG_SCSI_PROC_FS=y + +# +# SCSI support type (disk, tape, CD-ROM) +# +CONFIG_BLK_DEV_SD=y +# CONFIG_CHR_DEV_ST is not set +# CONFIG_CHR_DEV_OSST is not set +CONFIG_BLK_DEV_SR=y +# CONFIG_BLK_DEV_SR_VENDOR is not set +CONFIG_CHR_DEV_SG=y +# CONFIG_CHR_DEV_SCH is not set +# CONFIG_SCSI_CONSTANTS is not set +# CONFIG_SCSI_LOGGING is not set +# CONFIG_SCSI_SCAN_ASYNC is not set + +# +# SCSI Transports +# +CONFIG_SCSI_SPI_ATTRS=y +# CONFIG_SCSI_FC_ATTRS is not set +# CONFIG_SCSI_ISCSI_ATTRS is not set +# CONFIG_SCSI_SAS_ATTRS is not set +# CONFIG_SCSI_SAS_LIBSAS is not set +# CONFIG_SCSI_SRP_ATTRS is not set +CONFIG_SCSI_LOWLEVEL=y +# CONFIG_ISCSI_TCP is not set +# CONFIG_ISCSI_BOOT_SYSFS is not set +# CONFIG_SCSI_CXGB3_ISCSI is not set +# CONFIG_SCSI_CXGB4_ISCSI is not set +# CONFIG_SCSI_BNX2_ISCSI is not set +# CONFIG_BE2ISCSI is not set +# CONFIG_BLK_DEV_3W_XXXX_RAID is not set +# CONFIG_SCSI_HPSA is not set +# CONFIG_SCSI_3W_9XXX is not set +# CONFIG_SCSI_3W_SAS is not set +# CONFIG_SCSI_ACARD is not set +# CONFIG_SCSI_AACRAID is not set +# CONFIG_SCSI_AIC7XXX is not set +# CONFIG_SCSI_AIC79XX is not set +# CONFIG_SCSI_AIC94XX is not set +# CONFIG_SCSI_MVSAS is not set +# CONFIG_SCSI_MVUMI is not set +# CONFIG_SCSI_DPT_I2O is not set +# CONFIG_SCSI_ADVANSYS is not set +# CONFIG_SCSI_ARCMSR is not set +# CONFIG_SCSI_ESAS2R is not set +# CONFIG_MEGARAID_NEWGEN is not set +# CONFIG_MEGARAID_LEGACY is not set +# CONFIG_MEGARAID_SAS is not set +# CONFIG_SCSI_MPT3SAS is not set +# CONFIG_SCSI_MPT2SAS is not set +# CONFIG_SCSI_SMARTPQI is not set +# CONFIG_SCSI_UFSHCD is not set +# CONFIG_SCSI_HPTIOP is not set +# CONFIG_SCSI_BUSLOGIC is not set +CONFIG_VMWARE_PVSCSI=y +CONFIG_XEN_SCSI_FRONTEND=y +CONFIG_HYPERV_STORAGE=y +# CONFIG_SCSI_SNIC is not set +# 
CONFIG_SCSI_DMX3191D is not set +# CONFIG_SCSI_EATA is not set +# CONFIG_SCSI_FUTURE_DOMAIN is not set +# CONFIG_SCSI_GDTH is not set +# CONFIG_SCSI_ISCI is not set +# CONFIG_SCSI_IPS is not set +# CONFIG_SCSI_INITIO is not set +# CONFIG_SCSI_INIA100 is not set +# CONFIG_SCSI_STEX is not set +# CONFIG_SCSI_SYM53C8XX_2 is not set +# CONFIG_SCSI_IPR is not set +# CONFIG_SCSI_QLOGIC_1280 is not set +# CONFIG_SCSI_QLA_ISCSI is not set +# CONFIG_SCSI_DC395x is not set +# CONFIG_SCSI_AM53C974 is not set +# CONFIG_SCSI_WD719X is not set +# CONFIG_SCSI_DEBUG is not set +# CONFIG_SCSI_PMCRAID is not set +# CONFIG_SCSI_PM8001 is not set +CONFIG_SCSI_VIRTIO=y +# CONFIG_SCSI_DH is not set +# CONFIG_SCSI_OSD_INITIATOR is not set +CONFIG_ATA=y +# CONFIG_ATA_NONSTANDARD is not set +# CONFIG_ATA_VERBOSE_ERROR is not set +CONFIG_ATA_ACPI=y +# CONFIG_SATA_ZPODD is not set +# CONFIG_SATA_PMP is not set + +# +# Controllers with non-SFF native interface +# +CONFIG_SATA_AHCI=y +# CONFIG_SATA_AHCI_PLATFORM is not set +# CONFIG_SATA_INIC162X is not set +# CONFIG_SATA_ACARD_AHCI is not set +# CONFIG_SATA_SIL24 is not set +CONFIG_ATA_SFF=y + +# +# SFF controllers with custom DMA interface +# +# CONFIG_PDC_ADMA is not set +# CONFIG_SATA_QSTOR is not set +# CONFIG_SATA_SX4 is not set +CONFIG_ATA_BMDMA=y + +# +# SATA SFF controllers with BMDMA +# +CONFIG_ATA_PIIX=y +CONFIG_SATA_MV=y +CONFIG_SATA_NV=y +CONFIG_SATA_PROMISE=y +CONFIG_SATA_SIL=y +CONFIG_SATA_SIS=y +CONFIG_SATA_SVW=y +CONFIG_SATA_ULI=y +CONFIG_SATA_VIA=y +CONFIG_SATA_VITESSE=y + +# +# PATA SFF controllers with BMDMA +# +# CONFIG_PATA_ALI is not set +# CONFIG_PATA_AMD is not set +# CONFIG_PATA_ARTOP is not set +# CONFIG_PATA_ATIIXP is not set +# CONFIG_PATA_ATP867X is not set +# CONFIG_PATA_CMD64X is not set +# CONFIG_PATA_CYPRESS is not set +# CONFIG_PATA_EFAR is not set +# CONFIG_PATA_HPT366 is not set +# CONFIG_PATA_HPT37X is not set +# CONFIG_PATA_HPT3X2N is not set +# CONFIG_PATA_HPT3X3 is not set +# CONFIG_PATA_IT8213 is not 
set +# CONFIG_PATA_IT821X is not set +# CONFIG_PATA_JMICRON is not set +# CONFIG_PATA_MARVELL is not set +# CONFIG_PATA_NETCELL is not set +# CONFIG_PATA_NINJA32 is not set +# CONFIG_PATA_NS87415 is not set +# CONFIG_PATA_OLDPIIX is not set +# CONFIG_PATA_OPTIDMA is not set +# CONFIG_PATA_PDC2027X is not set +# CONFIG_PATA_PDC_OLD is not set +# CONFIG_PATA_RADISYS is not set +# CONFIG_PATA_RDC is not set +# CONFIG_PATA_SCH is not set +# CONFIG_PATA_SERVERWORKS is not set +# CONFIG_PATA_SIL680 is not set +CONFIG_PATA_SIS=y +# CONFIG_PATA_TOSHIBA is not set +# CONFIG_PATA_TRIFLEX is not set +# CONFIG_PATA_VIA is not set +# CONFIG_PATA_WINBOND is not set + +# +# PIO-only SFF controllers +# +# CONFIG_PATA_CMD640_PCI is not set +# CONFIG_PATA_MPIIX is not set +# CONFIG_PATA_NS87410 is not set +# CONFIG_PATA_OPTI is not set +# CONFIG_PATA_PLATFORM is not set +# CONFIG_PATA_RZ1000 is not set + +# +# Generic fallback / legacy drivers +# +# CONFIG_PATA_ACPI is not set +CONFIG_ATA_GENERIC=y +# CONFIG_PATA_LEGACY is not set +# CONFIG_MD is not set +# CONFIG_TARGET_CORE is not set +CONFIG_FUSION=y +CONFIG_FUSION_SPI=y +# CONFIG_FUSION_SAS is not set +CONFIG_FUSION_MAX_SGE=128 +# CONFIG_FUSION_CTL is not set +# CONFIG_FUSION_LOGGING is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_MII=y +CONFIG_NET_CORE=y +CONFIG_BONDING=y +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_FC is not set +# CONFIG_IFB is not set +# CONFIG_NET_TEAM is not set +CONFIG_MACVLAN=y +CONFIG_MACVTAP=y +CONFIG_IPVLAN=y +CONFIG_VXLAN=y +CONFIG_GENEVE=y +# CONFIG_GTP is not set +# CONFIG_MACSEC is not set +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +CONFIG_VETH=y +CONFIG_VIRTIO_NET=y +CONFIG_NLMON=y +# CONFIG_NET_VRF is not set +# CONFIG_ARCNET is not set 
+ +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# +CONFIG_ETHERNET=y +CONFIG_MDIO=y +# CONFIG_NET_VENDOR_3COM is not set +# CONFIG_NET_VENDOR_ADAPTEC is not set +# CONFIG_NET_VENDOR_AGERE is not set +# CONFIG_NET_VENDOR_ALTEON is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +CONFIG_ENA_ETHERNET=y +# CONFIG_NET_VENDOR_AMD is not set +# CONFIG_NET_VENDOR_ARC is not set +# CONFIG_NET_VENDOR_ATHEROS is not set +# CONFIG_NET_VENDOR_AURORA is not set +# CONFIG_NET_CADENCE is not set +# CONFIG_NET_VENDOR_BROADCOM is not set +# CONFIG_NET_VENDOR_BROCADE is not set +# CONFIG_NET_VENDOR_CAVIUM is not set +# CONFIG_NET_VENDOR_CHELSIO is not set +# CONFIG_NET_VENDOR_CISCO is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +# CONFIG_NET_VENDOR_DEC is not set +# CONFIG_NET_VENDOR_DLINK is not set +# CONFIG_NET_VENDOR_EMULEX is not set +# CONFIG_NET_VENDOR_EZCHIP is not set +# CONFIG_NET_VENDOR_EXAR is not set +# CONFIG_NET_VENDOR_HP is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +CONFIG_E1000=y +CONFIG_E1000E=y +CONFIG_E1000E_HWTS=y +CONFIG_IGB=y +CONFIG_IGB_HWMON=y +CONFIG_IGBVF=y +CONFIG_IXGB=y +CONFIG_IXGBE=y +CONFIG_IXGBE_HWMON=y +CONFIG_IXGBEVF=y +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +# CONFIG_NET_VENDOR_I825XX is not set +# CONFIG_JME is not set +# CONFIG_NET_VENDOR_MARVELL is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_NET_VENDOR_MICREL is not set +# CONFIG_NET_VENDOR_MYRI is not set +# CONFIG_FEALNX is not set +# CONFIG_NET_VENDOR_NATSEMI is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP_NETVF is not set +# CONFIG_NET_VENDOR_NVIDIA is not set +# CONFIG_NET_VENDOR_OKI is not set +# CONFIG_ETHOC is not set +# CONFIG_NET_PACKET_ENGINE is not set +# CONFIG_NET_VENDOR_QLOGIC is not set +# CONFIG_NET_VENDOR_QUALCOMM 
is not set +CONFIG_NET_VENDOR_REALTEK=y +CONFIG_8139CP=y +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +# CONFIG_NET_VENDOR_RENESAS is not set +# CONFIG_NET_VENDOR_RDC is not set +# CONFIG_NET_VENDOR_ROCKER is not set +# CONFIG_NET_VENDOR_SAMSUNG is not set +# CONFIG_NET_VENDOR_SEEQ is not set +# CONFIG_NET_VENDOR_SILAN is not set +# CONFIG_NET_VENDOR_SIS is not set +# CONFIG_SFC is not set +# CONFIG_NET_VENDOR_SMSC is not set +# CONFIG_NET_VENDOR_STMICRO is not set +# CONFIG_NET_VENDOR_SUN is not set +# CONFIG_NET_VENDOR_SYNOPSYS is not set +# CONFIG_NET_VENDOR_TEHUTI is not set +# CONFIG_NET_VENDOR_TI is not set +# CONFIG_NET_VENDOR_VIA is not set +# CONFIG_NET_VENDOR_WIZNET is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_PHYLIB is not set +CONFIG_PPP=y +CONFIG_PPP_BSDCOMP=y +CONFIG_PPP_DEFLATE=y +CONFIG_PPP_FILTER=y +CONFIG_PPP_MPPE=y +CONFIG_PPP_MULTILINK=y +CONFIG_PPPOE=y +CONFIG_PPTP=y +CONFIG_PPPOL2TP=y +CONFIG_PPP_ASYNC=y +CONFIG_PPP_SYNC_TTY=y +# CONFIG_SLIP is not set +CONFIG_SLHC=y + +# +# Host-side USB support is needed for USB Network Adapter support +# +# CONFIG_WLAN is not set + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +CONFIG_XEN_NETDEV_FRONTEND=y +CONFIG_VMXNET3=y +# CONFIG_FUJITSU_ES is not set +CONFIG_HYPERV_NET=y +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +CONFIG_INPUT_FF_MEMLESS=y +CONFIG_INPUT_POLLDEV=y +CONFIG_INPUT_SPARSEKMAP=y +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +CONFIG_INPUT_JOYDEV=y +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +# CONFIG_KEYBOARD_ADP5588 is not set +# CONFIG_KEYBOARD_ADP5589 is not set +CONFIG_KEYBOARD_ATKBD=y +# 
CONFIG_KEYBOARD_QT1070 is not set +# CONFIG_KEYBOARD_QT2160 is not set +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_TCA6416 is not set +# CONFIG_KEYBOARD_TCA8418 is not set +# CONFIG_KEYBOARD_LM8333 is not set +# CONFIG_KEYBOARD_MAX7359 is not set +# CONFIG_KEYBOARD_MCS is not set +# CONFIG_KEYBOARD_MPR121 is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +# CONFIG_INPUT_MOUSE is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +CONFIG_INPUT_MISC=y +# CONFIG_INPUT_AD714X is not set +# CONFIG_INPUT_BMA150 is not set +# CONFIG_INPUT_E3X0_BUTTON is not set +CONFIG_INPUT_PCSPKR=y +# CONFIG_INPUT_MMA8450 is not set +# CONFIG_INPUT_MPU3050 is not set +CONFIG_INPUT_ATLAS_BTNS=y +# CONFIG_INPUT_KXTJ9 is not set +CONFIG_INPUT_UINPUT=y +# CONFIG_INPUT_PCF8574 is not set +# CONFIG_INPUT_ADXL34X is not set +# CONFIG_INPUT_CMA3000 is not set +CONFIG_INPUT_XEN_KBDDEV_FRONTEND=y +# CONFIG_INPUT_IDEAPAD_SLIDEBAR is not set +# CONFIG_INPUT_DRV2665_HAPTICS is not set +# CONFIG_INPUT_DRV2667_HAPTICS is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +CONFIG_SERIO_PCIPS2=y +CONFIG_SERIO_LIBPS2=y +CONFIG_SERIO_RAW=y +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +CONFIG_HYPERV_KEYBOARD=y +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +CONFIG_VT_HW_CONSOLE_BINDING=y +CONFIG_UNIX98_PTYS=y +# CONFIG_LEGACY_PTYS is not set +# CONFIG_SERIAL_NONSTANDARD is not set +CONFIG_NOZOMI=y +# 
CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +# CONFIG_DEVKMEM is not set + +# +# Serial drivers +# +CONFIG_SERIAL_EARLYCON=y +CONFIG_SERIAL_8250=y +CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y +CONFIG_SERIAL_8250_PNP=y +# CONFIG_SERIAL_8250_FINTEK is not set +CONFIG_SERIAL_8250_CONSOLE=y +CONFIG_SERIAL_8250_PCI=y +CONFIG_SERIAL_8250_NR_UARTS=32 +CONFIG_SERIAL_8250_RUNTIME_UARTS=4 +# CONFIG_SERIAL_8250_EXTENDED is not set +# CONFIG_SERIAL_8250_FSL is not set +# CONFIG_SERIAL_8250_DW is not set +# CONFIG_SERIAL_8250_RT288X is not set +CONFIG_SERIAL_8250_LPSS=y +# CONFIG_SERIAL_8250_MID is not set +# CONFIG_SERIAL_8250_MOXA is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +CONFIG_SERIAL_CORE=y +CONFIG_SERIAL_CORE_CONSOLE=y +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_SC16IS7XX is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_TTY_PRINTK is not set +CONFIG_HVC_DRIVER=y +CONFIG_HVC_IRQ=y +CONFIG_HVC_XEN=y +CONFIG_HVC_XEN_FRONTEND=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +CONFIG_HW_RANDOM=y +CONFIG_HW_RANDOM_TIMERIOMEM=y +CONFIG_HW_RANDOM_INTEL=y +CONFIG_HW_RANDOM_AMD=y +CONFIG_HW_RANDOM_VIA=y +CONFIG_HW_RANDOM_VIRTIO=y +CONFIG_NVRAM=y +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +CONFIG_HPET=y +CONFIG_HPET_MMAP=y +CONFIG_HPET_MMAP_DEFAULT=y +CONFIG_HANGCHECK_TIMER=y +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +CONFIG_I2C=y +CONFIG_ACPI_I2C_OPREGION=y +CONFIG_I2C_BOARDINFO=y +CONFIG_I2C_COMPAT=y +CONFIG_I2C_CHARDEV=y +CONFIG_I2C_MUX=y + +# +# Multiplexer I2C Chip support +# +# CONFIG_I2C_MUX_PCA9541 is not set +# CONFIG_I2C_MUX_REG is not set 
+CONFIG_I2C_HELPER_AUTO=y +CONFIG_I2C_ALGOBIT=y + +# +# I2C Hardware Bus support +# + +# +# PC SMBus host controller drivers +# +# CONFIG_I2C_ALI1535 is not set +# CONFIG_I2C_ALI1563 is not set +# CONFIG_I2C_ALI15X3 is not set +# CONFIG_I2C_AMD756 is not set +# CONFIG_I2C_AMD8111 is not set +# CONFIG_I2C_I801 is not set +# CONFIG_I2C_ISCH is not set +# CONFIG_I2C_ISMT is not set +# CONFIG_I2C_PIIX4 is not set +# CONFIG_I2C_NFORCE2 is not set +# CONFIG_I2C_SIS5595 is not set +# CONFIG_I2C_SIS630 is not set +# CONFIG_I2C_SIS96X is not set +# CONFIG_I2C_VIA is not set +# CONFIG_I2C_VIAPRO is not set + +# +# ACPI drivers +# +# CONFIG_I2C_SCMI is not set + +# +# I2C system bus drivers (mostly embedded / system-on-chip) +# +# CONFIG_I2C_DESIGNWARE_PCI is not set +# CONFIG_I2C_OCORES is not set +# CONFIG_I2C_PCA_PLATFORM is not set +# CONFIG_I2C_PXA_PCI is not set +# CONFIG_I2C_SIMTEC is not set +# CONFIG_I2C_XILINX is not set + +# +# External I2C/SMBus adapter drivers +# +# CONFIG_I2C_PARPORT_LIGHT is not set +# CONFIG_I2C_TAOS_EVM is not set + +# +# Other I2C/SMBus bus drivers +# +# CONFIG_I2C_STUB is not set +# CONFIG_I2C_SLAVE is not set +# CONFIG_I2C_DEBUG_CORE is not set +# CONFIG_I2C_DEBUG_ALGO is not set +# CONFIG_I2C_DEBUG_BUS is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set + +# +# PPS support +# +CONFIG_PPS=y +# CONFIG_PPS_DEBUG is not set + +# +# PPS clients support +# +# CONFIG_PPS_CLIENT_KTIMER is not set +# CONFIG_PPS_CLIENT_LDISC is not set +# CONFIG_PPS_CLIENT_GPIO is not set + +# +# PPS generators support +# + +# +# PTP clock support +# +CONFIG_PTP_1588_CLOCK=y + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. 
+# +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_DS2782 is not set +# CONFIG_BATTERY_SBS is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_BATTERY_MAX17040 is not set +# CONFIG_BATTERY_MAX17042 is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_CHARGER_LP8727 is not set +# CONFIG_CHARGER_BQ2415X is not set +# CONFIG_CHARGER_SMB347 is not set +# CONFIG_BATTERY_GAUGE_LTC2941 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_AD7414 is not set +# CONFIG_SENSORS_AD7418 is not set +# CONFIG_SENSORS_ADM1021 is not set +# CONFIG_SENSORS_ADM1025 is not set +# CONFIG_SENSORS_ADM1026 is not set +# CONFIG_SENSORS_ADM1029 is not set +# CONFIG_SENSORS_ADM1031 is not set +# CONFIG_SENSORS_ADM9240 is not set +# CONFIG_SENSORS_ADT7410 is not set +# CONFIG_SENSORS_ADT7411 is not set +# CONFIG_SENSORS_ADT7462 is not set +# CONFIG_SENSORS_ADT7470 is not set +# CONFIG_SENSORS_ADT7475 is not set +# CONFIG_SENSORS_ASC7621 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASB100 is not set +# CONFIG_SENSORS_ATXP1 is not set +# CONFIG_SENSORS_DS620 is not set +# CONFIG_SENSORS_DS1621 is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_F75375S is not set +# CONFIG_SENSORS_FSCHMD is not set +# CONFIG_SENSORS_GL518SM is not set +# CONFIG_SENSORS_GL520SM is not set +# 
CONFIG_SENSORS_G760A is not set +# CONFIG_SENSORS_G762 is not set +# CONFIG_SENSORS_HIH6130 is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_JC42 is not set +# CONFIG_SENSORS_POWR1220 is not set +# CONFIG_SENSORS_LINEAGE is not set +# CONFIG_SENSORS_LTC2945 is not set +# CONFIG_SENSORS_LTC2990 is not set +# CONFIG_SENSORS_LTC4151 is not set +# CONFIG_SENSORS_LTC4215 is not set +# CONFIG_SENSORS_LTC4222 is not set +# CONFIG_SENSORS_LTC4245 is not set +# CONFIG_SENSORS_LTC4260 is not set +# CONFIG_SENSORS_LTC4261 is not set +# CONFIG_SENSORS_MAX16065 is not set +# CONFIG_SENSORS_MAX1619 is not set +# CONFIG_SENSORS_MAX1668 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_MAX6639 is not set +# CONFIG_SENSORS_MAX6642 is not set +# CONFIG_SENSORS_MAX6650 is not set +# CONFIG_SENSORS_MAX6697 is not set +# CONFIG_SENSORS_MAX31790 is not set +# CONFIG_SENSORS_MCP3021 is not set +# CONFIG_SENSORS_LM63 is not set +# CONFIG_SENSORS_LM73 is not set +# CONFIG_SENSORS_LM75 is not set +# CONFIG_SENSORS_LM77 is not set +# CONFIG_SENSORS_LM78 is not set +# CONFIG_SENSORS_LM80 is not set +# CONFIG_SENSORS_LM83 is not set +# CONFIG_SENSORS_LM85 is not set +# CONFIG_SENSORS_LM87 is not set +# CONFIG_SENSORS_LM90 is not set +# CONFIG_SENSORS_LM92 is not set +# CONFIG_SENSORS_LM93 is not set +# CONFIG_SENSORS_LM95234 is not set +# CONFIG_SENSORS_LM95241 is not set +# CONFIG_SENSORS_LM95245 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NCT7802 is not set +# CONFIG_SENSORS_NCT7904 is not set +# CONFIG_SENSORS_PCF8591 is not set +# CONFIG_PMBUS is not set +# CONFIG_SENSORS_SHT21 is not set +# CONFIG_SENSORS_SHT3x is not set +# CONFIG_SENSORS_SHTC1 is not set +# CONFIG_SENSORS_SIS5595 is not set +# 
CONFIG_SENSORS_DME1737 is not set +# CONFIG_SENSORS_EMC1403 is not set +# CONFIG_SENSORS_EMC2103 is not set +# CONFIG_SENSORS_EMC6W201 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47M192 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_SMM665 is not set +# CONFIG_SENSORS_ADC128D818 is not set +# CONFIG_SENSORS_ADS1015 is not set +# CONFIG_SENSORS_ADS7828 is not set +# CONFIG_SENSORS_AMC6821 is not set +# CONFIG_SENSORS_INA209 is not set +# CONFIG_SENSORS_INA2XX is not set +# CONFIG_SENSORS_INA3221 is not set +# CONFIG_SENSORS_TC74 is not set +# CONFIG_SENSORS_THMC50 is not set +# CONFIG_SENSORS_TMP102 is not set +# CONFIG_SENSORS_TMP103 is not set +# CONFIG_SENSORS_TMP401 is not set +# CONFIG_SENSORS_TMP421 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83781D is not set +# CONFIG_SENSORS_W83791D is not set +# CONFIG_SENSORS_W83792D is not set +# CONFIG_SENSORS_W83793 is not set +# CONFIG_SENSORS_W83795 is not set +# CONFIG_SENSORS_W83L785TS is not set +# CONFIG_SENSORS_W83L786NG is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +# CONFIG_THERMAL_HWMON is not set +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# 
CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y + +# +# Broadcom specific AMBA +# +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +CONFIG_MFD_CORE=y +# CONFIG_MFD_AS3711 is not set +# CONFIG_PMIC_ADP5520 is not set +# CONFIG_MFD_BCM590XX is not set +# CONFIG_MFD_AXP20X_I2C is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_PMIC_DA903X is not set +# CONFIG_MFD_DA9052_I2C is not set +# CONFIG_MFD_DA9055 is not set +# CONFIG_MFD_DA9062 is not set +# CONFIG_MFD_DA9063 is not set +# CONFIG_MFD_DA9150 is not set +# CONFIG_MFD_EXYNOS_LPASS is not set +# CONFIG_MFD_MC13XXX_I2C is not set +# CONFIG_HTC_PASIC3 is not set +CONFIG_LPC_ICH=y +CONFIG_LPC_SCH=y +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_88PM800 is not set +# CONFIG_MFD_88PM805 is not set +# CONFIG_MFD_88PM860X is not set +# CONFIG_MFD_MAX14577 is not set +# CONFIG_MFD_MAX77693 is not set +# CONFIG_MFD_MAX77843 is not set +# CONFIG_MFD_MAX8907 is not set +# CONFIG_MFD_MAX8925 is not set +# CONFIG_MFD_MAX8997 is not set +# CONFIG_MFD_MAX8998 is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_MENF21BMC is not set +# CONFIG_MFD_RETU is not set +# CONFIG_MFD_PCF50633 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_RT5033 is not set +# CONFIG_MFD_RC5T583 is not set +# CONFIG_MFD_SEC_CORE is not set +# CONFIG_MFD_SI476X_CORE is not set +CONFIG_MFD_SM501=y +# CONFIG_MFD_SKY81452 is not set +# CONFIG_MFD_SMSC is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_LP3943 is not set +# CONFIG_MFD_LP8788 is not set +# 
CONFIG_MFD_PALMAS is not set +# CONFIG_TPS6105X is not set +# CONFIG_TPS6507X is not set +# CONFIG_MFD_TPS65086 is not set +# CONFIG_MFD_TPS65090 is not set +# CONFIG_MFD_TPS65217 is not set +# CONFIG_MFD_TI_LP873X is not set +# CONFIG_MFD_TPS65218 is not set +# CONFIG_MFD_TPS6586X is not set +# CONFIG_MFD_TPS65912_I2C is not set +# CONFIG_MFD_TPS80031 is not set +# CONFIG_TWL4030_CORE is not set +# CONFIG_TWL6040_CORE is not set +CONFIG_MFD_WL1273_CORE=y +# CONFIG_MFD_LM3533 is not set +# CONFIG_MFD_TMIO is not set +CONFIG_MFD_VX855=y +# CONFIG_MFD_ARIZONA_I2C is not set +# CONFIG_MFD_WM8400 is not set +# CONFIG_MFD_WM831X_I2C is not set +# CONFIG_MFD_WM8350_I2C is not set +# CONFIG_MFD_WM8994 is not set +# CONFIG_REGULATOR is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +# CONFIG_VGA_ARB is not set +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ACP (Audio CoProcessor) Configuration +# + +# +# Frame buffer Devices +# +CONFIG_FB=y +# CONFIG_FIRMWARE_EDID is not set +CONFIG_FB_CMDLINE=y +CONFIG_FB_NOTIFY=y +# CONFIG_FB_DDC is not set +CONFIG_FB_BOOT_VESA_SUPPORT=y +CONFIG_FB_CFB_FILLRECT=y +CONFIG_FB_CFB_COPYAREA=y +CONFIG_FB_CFB_IMAGEBLIT=y +# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set +CONFIG_FB_SYS_FILLRECT=y +CONFIG_FB_SYS_COPYAREA=y +CONFIG_FB_SYS_IMAGEBLIT=y +# CONFIG_FB_FOREIGN_ENDIAN is not set +CONFIG_FB_SYS_FOPS=y +CONFIG_FB_DEFERRED_IO=y +# CONFIG_FB_SVGALIB is not set +# CONFIG_FB_MACMODES is not set +# CONFIG_FB_BACKLIGHT is not set +# CONFIG_FB_MODE_HELPERS is not set +# CONFIG_FB_TILEBLITTING is not set + +# +# Frame buffer hardware drivers +# +# CONFIG_FB_CIRRUS is not set +# CONFIG_FB_PM2 is not set +# CONFIG_FB_CYBER2000 is not set +# CONFIG_FB_ARC is not set +# CONFIG_FB_ASILIANT is not set +# CONFIG_FB_IMSTT is not set +# CONFIG_FB_VGA16 is not set +# CONFIG_FB_UVESA is not set +CONFIG_FB_VESA=y +# CONFIG_FB_EFI is not set +# CONFIG_FB_N411 is not set +# CONFIG_FB_HGA is 
not set +# CONFIG_FB_OPENCORES is not set +# CONFIG_FB_S1D13XXX is not set +# CONFIG_FB_NVIDIA is not set +# CONFIG_FB_RIVA is not set +# CONFIG_FB_I740 is not set +# CONFIG_FB_LE80578 is not set +# CONFIG_FB_MATROX is not set +# CONFIG_FB_RADEON is not set +# CONFIG_FB_ATY128 is not set +# CONFIG_FB_ATY is not set +# CONFIG_FB_S3 is not set +# CONFIG_FB_SAVAGE is not set +# CONFIG_FB_SIS is not set +# CONFIG_FB_NEOMAGIC is not set +# CONFIG_FB_KYRO is not set +# CONFIG_FB_3DFX is not set +# CONFIG_FB_VOODOO1 is not set +# CONFIG_FB_VT8623 is not set +# CONFIG_FB_TRIDENT is not set +# CONFIG_FB_ARK is not set +# CONFIG_FB_PM3 is not set +# CONFIG_FB_CARMINE is not set +# CONFIG_FB_SM501 is not set +# CONFIG_FB_IBM_GXT4500 is not set +# CONFIG_FB_VIRTUAL is not set +CONFIG_XEN_FBDEV_FRONTEND=y +# CONFIG_FB_METRONOME is not set +# CONFIG_FB_MB862XX is not set +# CONFIG_FB_BROADSHEET is not set +# CONFIG_FB_AUO_K190X is not set +CONFIG_FB_HYPERV=y +# CONFIG_FB_SIMPLE is not set +# CONFIG_FB_SM712 is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y +# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set +# CONFIG_LOGO is not set +# CONFIG_SOUND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +# CONFIG_HID_A4TECH is not set +# CONFIG_HID_ACRUX is not set +# CONFIG_HID_APPLE is not set +# CONFIG_HID_AUREAL is not set +# CONFIG_HID_BELKIN is not set +# CONFIG_HID_CHERRY is not set +# CONFIG_HID_CHICONY is not set +# CONFIG_HID_CMEDIA is not set +# CONFIG_HID_CYPRESS is not set +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is 
not set +# CONFIG_HID_ELECOM is not set +# CONFIG_HID_EZKEY is not set +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +# CONFIG_HID_TWINHAN is not set +# CONFIG_HID_KENSINGTON is not set +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +# CONFIG_HID_LOGITECH is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MICROSOFT is not set +# CONFIG_HID_MONTEREY is not set +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +# CONFIG_HID_PLANTRONICS is not set +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_HYPERV_MOUSE is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_WACOM is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# I2C HID support +# +# CONFIG_I2C_HID is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +# CONFIG_USB_SUPPORT is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +# CONFIG_EDAC is not set +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +CONFIG_RTC_CLASS=y +CONFIG_RTC_HCTOSYS=y +CONFIG_RTC_HCTOSYS_DEVICE="rtc0" 
+CONFIG_RTC_SYSTOHC=y +CONFIG_RTC_SYSTOHC_DEVICE="rtc0" +# CONFIG_RTC_DEBUG is not set + +# +# RTC interfaces +# +CONFIG_RTC_INTF_SYSFS=y +CONFIG_RTC_INTF_PROC=y +CONFIG_RTC_INTF_DEV=y +# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set +# CONFIG_RTC_DRV_TEST is not set + +# +# I2C RTC drivers +# +# CONFIG_RTC_DRV_ABB5ZES3 is not set +# CONFIG_RTC_DRV_ABX80X is not set +# CONFIG_RTC_DRV_DS1307 is not set +# CONFIG_RTC_DRV_DS1374 is not set +# CONFIG_RTC_DRV_DS1672 is not set +# CONFIG_RTC_DRV_MAX6900 is not set +# CONFIG_RTC_DRV_RS5C372 is not set +# CONFIG_RTC_DRV_ISL1208 is not set +# CONFIG_RTC_DRV_ISL12022 is not set +# CONFIG_RTC_DRV_X1205 is not set +# CONFIG_RTC_DRV_PCF8523 is not set +# CONFIG_RTC_DRV_PCF85063 is not set +# CONFIG_RTC_DRV_PCF8563 is not set +# CONFIG_RTC_DRV_PCF8583 is not set +# CONFIG_RTC_DRV_M41T80 is not set +# CONFIG_RTC_DRV_BQ32K is not set +# CONFIG_RTC_DRV_S35390A is not set +# CONFIG_RTC_DRV_FM3130 is not set +# CONFIG_RTC_DRV_RX8010 is not set +# CONFIG_RTC_DRV_RX8581 is not set +# CONFIG_RTC_DRV_RX8025 is not set +# CONFIG_RTC_DRV_EM3027 is not set +# CONFIG_RTC_DRV_RV8803 is not set + +# +# SPI RTC drivers +# +CONFIG_RTC_I2C_AND_SPI=y + +# +# SPI and I2C RTC drivers +# +# CONFIG_RTC_DRV_DS3232 is not set +# CONFIG_RTC_DRV_PCF2127 is not set +# CONFIG_RTC_DRV_RV3029C2 is not set + +# +# Platform RTC drivers +# +CONFIG_RTC_DRV_CMOS=y +# CONFIG_RTC_DRV_DS1286 is not set +# CONFIG_RTC_DRV_DS1511 is not set +# CONFIG_RTC_DRV_DS1553 is not set +# CONFIG_RTC_DRV_DS1685_FAMILY is not set +# CONFIG_RTC_DRV_DS1742 is not set +# CONFIG_RTC_DRV_DS2404 is not set +# CONFIG_RTC_DRV_STK17TA8 is not set +# CONFIG_RTC_DRV_M48T86 is not set +# CONFIG_RTC_DRV_M48T35 is not set +# CONFIG_RTC_DRV_M48T59 is not set +# CONFIG_RTC_DRV_MSM6242 is not set +# CONFIG_RTC_DRV_BQ4802 is not set +# CONFIG_RTC_DRV_RP5C01 is not set +# CONFIG_RTC_DRV_V3020 is not set + +# +# on-CPU RTC drivers +# + +# +# HID Sensor RTC drivers +# +# CONFIG_DMADEVICES is not set + +# +# 
DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +CONFIG_VIRTIO_INPUT=y +CONFIG_VIRTIO_MMIO=y +CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y + +# +# Microsoft Hyper-V guest support +# +CONFIG_HYPERV=y +CONFIG_HYPERV_UTILS=y +CONFIG_HYPERV_BALLOON=y + +# +# Xen driver support +# +CONFIG_XEN_BALLOON=y +CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y +CONFIG_XEN_BALLOON_MEMORY_HOTPLUG_LIMIT=512 +CONFIG_XEN_SCRUB_PAGES=y +CONFIG_XEN_DEV_EVTCHN=y +# CONFIG_XEN_BACKEND is not set +CONFIG_XENFS=y +CONFIG_XEN_COMPAT_XENFS=y +CONFIG_XEN_SYS_HYPERVISOR=y +CONFIG_XEN_XENBUS_FRONTEND=y +CONFIG_XEN_GNTDEV=y +CONFIG_XEN_GRANT_DEV_ALLOC=y +CONFIG_SWIOTLB_XEN=y +CONFIG_XEN_PRIVCMD=y +CONFIG_XEN_ACPI_PROCESSOR=y +CONFIG_XEN_HAVE_PVMMU=y +CONFIG_XEN_EFI=y +CONFIG_XEN_AUTO_XLATE=y +CONFIG_XEN_ACPI=y +# CONFIG_XEN_SYMS is not set +CONFIG_XEN_HAVE_VPMU=y +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_DELL_WMI_AIO is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_HP_WMI is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ASUS_WIRELESS is not set +CONFIG_ACPI_WMI=y +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_TOSHIBA_WMI is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_VBTN is not set +CONFIG_INTEL_IPS=y +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +CONFIG_MXM_WMI=y +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_INTEL_PMC_IPC is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# 
CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_CHROME_PLATFORMS is not set + +# +# Hardware Spinlock drivers +# + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +# CONFIG_IOMMU_SUPPORT is not set + +# +# Remoteproc drivers +# +# CONFIG_STE_MODEM_RPROC is not set + +# +# Rpmsg drivers +# + +# +# SOC (System On Chip) specific Drivers +# + +# +# Broadcom SoC drivers +# +# CONFIG_SUNXI_SRAM is not set +# CONFIG_SOC_TI is not set +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=y +# CONFIG_DEVFREQ_GOV_PERFORMANCE is not set +# CONFIG_DEVFREQ_GOV_POWERSAVE is not set +# CONFIG_DEVFREQ_GOV_USERSPACE is not set +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +# CONFIG_PM_DEVFREQ_EVENT is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_IPACK_BUS is not set +CONFIG_RESET_CONTROLLER=y +# CONFIG_RESET_ATH79 is not set +# CONFIG_RESET_BERLIN is not set +# CONFIG_RESET_LPC18XX is not set +# CONFIG_RESET_MESON is not set +# CONFIG_RESET_PISTACHIO is not set +# CONFIG_RESET_SOCFPGA is not set +# CONFIG_RESET_STM32 is not set +# CONFIG_RESET_SUNXI is not set +# CONFIG_TI_SYSCON_RESET is not set +# CONFIG_RESET_ZYNQ is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +CONFIG_GENERIC_PHY=y +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_RAS is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not 
set +# CONFIG_DEV_DAX is not set +# CONFIG_NVMEM is not set +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set + +# +# FPGA Configuration Support +# +# CONFIG_FPGA is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +CONFIG_DMI_SYSFS=y +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# EFI (Extensible Firmware Interface) Support +# +CONFIG_EFI_VARS=y +CONFIG_EFI_ESRT=y +CONFIG_EFI_VARS_PSTORE=y +# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set +# CONFIG_EFI_FAKE_MEMMAP is not set +CONFIG_EFI_RUNTIME_WRAPPERS=y +# CONFIG_EFI_BOOTLOADER_CONTROL is not set +# CONFIG_EFI_CAPSULE_LOADER is not set +# CONFIG_EFI_TEST is not set +CONFIG_UEFI_CPER=y + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +# CONFIG_EXT2_FS is not set +# CONFIG_EXT3_FS is not set +CONFIG_EXT4_FS=y +CONFIG_EXT4_USE_FOR_EXT2=y +CONFIG_EXT4_FS_POSIX_ACL=y +CONFIG_EXT4_FS_SECURITY=y +# CONFIG_EXT4_ENCRYPTION is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +# CONFIG_REISERFS_FS is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +CONFIG_FANOTIFY=y +# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set +# CONFIG_QUOTA is not set +# CONFIG_QUOTACTL is not set +# CONFIG_AUTOFS4_FS is not set +CONFIG_FUSE_FS=y +CONFIG_CUSE=y +CONFIG_OVERLAY_FS=y + +# +# Caches +# +CONFIG_FSCACHE=y +CONFIG_FSCACHE_STATS=y +# CONFIG_FSCACHE_HISTOGRAM is 
not set +# CONFIG_FSCACHE_DEBUG is not set +# CONFIG_FSCACHE_OBJECT_LIST is not set +CONFIG_CACHEFILES=y +# CONFIG_CACHEFILES_DEBUG is not set +# CONFIG_CACHEFILES_HISTOGRAM is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +CONFIG_ZISOFS=y +CONFIG_UDF_FS=y +CONFIG_UDF_NLS=y + +# +# DOS/FAT/NT Filesystems +# +CONFIG_FAT_FS=y +CONFIG_MSDOS_FS=y +CONFIG_VFAT_FS=y +CONFIG_FAT_DEFAULT_CODEPAGE=437 +CONFIG_FAT_DEFAULT_IOCHARSET="utf8" +# CONFIG_FAT_DEFAULT_UTF8 is not set +CONFIG_NTFS_FS=y +# CONFIG_NTFS_DEBUG is not set +# CONFIG_NTFS_RW is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +CONFIG_PROC_CHILDREN=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +CONFIG_TMPFS_XATTR=y +CONFIG_HUGETLBFS=y +CONFIG_HUGETLB_PAGE=y +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y +# CONFIG_CONFIGFS_FS is not set +# CONFIG_EFIVAR_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_LOGFS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +CONFIG_PSTORE=y +CONFIG_PSTORE_ZLIB_COMPRESS=y +# CONFIG_PSTORE_LZO_COMPRESS is not set +# CONFIG_PSTORE_LZ4_COMPRESS is not set +# CONFIG_PSTORE_CONSOLE is not set +# CONFIG_PSTORE_PMSG is not set +# CONFIG_PSTORE_FTRACE is not set +# CONFIG_PSTORE_RAM is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +CONFIG_NFS_FS=y +# CONFIG_NFS_V2 is not set +CONFIG_NFS_V3=y +# CONFIG_NFS_V3_ACL 
is not set +CONFIG_NFS_V4=y +# CONFIG_NFS_SWAP is not set +CONFIG_NFS_V4_1=y +CONFIG_NFS_V4_2=y +CONFIG_PNFS_FILE_LAYOUT=y +CONFIG_PNFS_FLEXFILE_LAYOUT=m +CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" +# CONFIG_NFS_V4_1_MIGRATION is not set +CONFIG_NFS_V4_SECURITY_LABEL=y +# CONFIG_ROOT_NFS is not set +CONFIG_NFS_FSCACHE=y +# CONFIG_NFS_USE_LEGACY_DNS is not set +CONFIG_NFS_USE_KERNEL_DNS=y +CONFIG_NFSD=y +CONFIG_NFSD_V3=y +# CONFIG_NFSD_V3_ACL is not set +CONFIG_NFSD_V4=y +# CONFIG_NFSD_BLOCKLAYOUT is not set +# CONFIG_NFSD_SCSILAYOUT is not set +# CONFIG_NFSD_FLEXFILELAYOUT is not set +# CONFIG_NFSD_V4_SECURITY_LABEL is not set +# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_GRACE_PERIOD=y +CONFIG_LOCKD=y +CONFIG_LOCKD_V4=y +CONFIG_NFS_COMMON=y +CONFIG_SUNRPC=y +CONFIG_SUNRPC_GSS=y +CONFIG_SUNRPC_BACKCHANNEL=y +CONFIG_RPCSEC_GSS_KRB5=y +# CONFIG_SUNRPC_DEBUG is not set +# CONFIG_CEPH_FS is not set +CONFIG_CIFS=y +# CONFIG_CIFS_STATS is not set +# CONFIG_CIFS_WEAK_PW_HASH is not set +# CONFIG_CIFS_UPCALL is not set +CONFIG_CIFS_XATTR=y +CONFIG_CIFS_POSIX=y +# CONFIG_CIFS_ACL is not set +CONFIG_CIFS_DEBUG=y +# CONFIG_CIFS_DEBUG2 is not set +CONFIG_CIFS_DFS_UPCALL=y +CONFIG_CIFS_SMB2=y +# CONFIG_CIFS_SMB311 is not set +CONFIG_CIFS_FSCACHE=y +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FSCACHE=y +CONFIG_9P_FS_POSIX_ACL=y +CONFIG_9P_FS_SECURITY=y +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +CONFIG_NLS_CODEPAGE_437=y +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 
is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +CONFIG_NLS_ASCII=y +CONFIG_NLS_ISO8859_1=y +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +CONFIG_NLS_UTF8=y + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +CONFIG_PRINTK_TIME=y +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set +# CONFIG_DYNAMIC_DEBUG is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +CONFIG_DEBUG_INFO_SPLIT=y +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +# CONFIG_ENABLE_WARN_DEPRECATED is not set +# CONFIG_ENABLE_MUST_CHECK is not set +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +CONFIG_DEBUG_FS=y +# CONFIG_HEADERS_CHECK is not set +# 
CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_ARCH_WANT_FRAME_POINTERS=y +# CONFIG_FRAME_POINTER is not set +# CONFIG_STACK_VALIDATION is not set +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_MAGIC_SYSRQ=y +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1 +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +CONFIG_PAGE_EXTENSION=y +# CONFIG_DEBUG_PAGEALLOC is not set +CONFIG_PAGE_POISONING=y +CONFIG_PAGE_POISONING_NO_SANITY=y +CONFIG_PAGE_POISONING_ZERO=y +# CONFIG_DEBUG_PAGE_REF is not set +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +# CONFIG_KCOV is not set +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +CONFIG_LOCKUP_DETECTOR=y +CONFIG_HARDLOCKUP_DETECTOR=y +# CONFIG_BOOTPARAM_HARDLOCKUP_PANIC is not set +CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=0 +# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set +CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0 +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +CONFIG_WQ_WATCHDOG=y +CONFIG_PANIC_ON_OOPS=y +CONFIG_PANIC_ON_OOPS_VALUE=1 +CONFIG_PANIC_TIMEOUT=0 +CONFIG_SCHED_DEBUG=y +CONFIG_SCHED_INFO=y +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set +# CONFIG_TIMER_STATS is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) 
+# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +CONFIG_STACKTRACE=y +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +CONFIG_DEBUG_NOTIFIERS=y +CONFIG_DEBUG_CREDENTIALS=y + +# +# RCU Debugging +# +# CONFIG_PROVE_RCU is not set +# CONFIG_SPARSE_RCU_POINTER is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +CONFIG_RCU_CPU_STALL_TIMEOUT=60 +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_NOP_TRACER=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACE_CLOCK=y +CONFIG_RING_BUFFER=y +CONFIG_EVENT_TRACING=y +CONFIG_CONTEXT_SWITCH_TRACER=y +CONFIG_RING_BUFFER_ALLOW_SWAP=y +CONFIG_TRACING=y +CONFIG_GENERIC_TRACER=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +CONFIG_FUNCTION_TRACER=y +CONFIG_FUNCTION_GRAPH_TRACER=y +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +CONFIG_FTRACE_SYSCALLS=y +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set 
+# CONFIG_PROFILE_ALL_BRANCHES is not set +CONFIG_STACK_TRACER=y +CONFIG_BLK_DEV_IO_TRACE=y +CONFIG_KPROBE_EVENT=y +CONFIG_UPROBE_EVENT=y +CONFIG_BPF_EVENTS=y +CONFIG_PROBE_EVENTS=y +CONFIG_DYNAMIC_FTRACE=y +CONFIG_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_FUNCTION_PROFILER=y +CONFIG_FTRACE_MCOUNT_RECORD=y +# CONFIG_FTRACE_STARTUP_TEST is not set +CONFIG_MMIOTRACE=y +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_MMIOTRACE_TEST is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_RING_BUFFER_BENCHMARK is not set +# CONFIG_RING_BUFFER_STARTUP_TEST is not set +# CONFIG_TRACE_ENUM_MAP_FILE is not set + +# +# Runtime Testing +# +# CONFIG_LKDTM is not set +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_KPROBES_SANITY_TEST is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_PERCPU_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set +# CONFIG_TEST_LKM is not set +# CONFIG_TEST_USER_COPY is not set +# CONFIG_TEST_BPF is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_TEST_STATIC_KEYS is not set +CONFIG_SAMPLES=y +# CONFIG_SAMPLE_TRACE_EVENTS is not set +# CONFIG_SAMPLE_TRACE_PRINTK is not set +# CONFIG_SAMPLE_KOBJECT is not set +# CONFIG_SAMPLE_KPROBES is not set +# CONFIG_SAMPLE_HW_BREAKPOINT is not set +# CONFIG_SAMPLE_KFIFO is not set +# CONFIG_SAMPLE_CONNECTOR is not set +# CONFIG_SAMPLE_SECCOMP is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set +CONFIG_UBSAN=y +# 
CONFIG_UBSAN_SANITIZE_ALL is not set +# CONFIG_UBSAN_ALIGNMENT is not set +# CONFIG_UBSAN_NULL is not set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +CONFIG_STRICT_DEVMEM=y +CONFIG_IO_STRICT_DEVMEM=y +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_EFI is not set +# CONFIG_X86_PTDUMP_CORE is not set +# CONFIG_X86_PTDUMP is not set +# CONFIG_EFI_PGT_DUMP is not set +# CONFIG_DEBUG_RODATA_TEST is not set +# CONFIG_DEBUG_WX is not set +CONFIG_DEBUG_SET_MODULE_RONX=y +# CONFIG_DEBUG_NX_TEST is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_DEBUG_BOOT_PARAMS is not set +# CONFIG_CPA_DEBUG is not set +CONFIG_OPTIMIZE_INLINING=y +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set + +# +# Security options +# +CONFIG_KEYS=y +CONFIG_PERSISTENT_KEYRINGS=y +CONFIG_BIG_KEYS=y +CONFIG_ENCRYPTED_KEYS=y +CONFIG_KEY_DH_OPERATIONS=y +CONFIG_SECURITY_DMESG_RESTRICT=y +CONFIG_SECURITY=y +CONFIG_SECURITYFS=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_NETWORK_XFRM=y +CONFIG_SECURITY_PATH=y +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y +CONFIG_HARDENED_USERCOPY=y +# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set +# CONFIG_SECURITY_SELINUX is not set +# CONFIG_SECURITY_SMACK is not set +# CONFIG_SECURITY_TOMOYO is not set +# CONFIG_SECURITY_APPARMOR is not set +# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_YAMA=y +CONFIG_SECURITY_LANDLOCK=y +CONFIG_INTEGRITY=y +# CONFIG_INTEGRITY_SIGNATURE is not 
set +CONFIG_INTEGRITY_AUDIT=y +# CONFIG_IMA is not set +# CONFIG_EVM is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_RSA=y +# CONFIG_CRYPTO_DH is not set +# CONFIG_CRYPTO_ECDH is not set +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +# CONFIG_CRYPTO_PCRYPT is not set +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +# CONFIG_CRYPTO_MCRYPTD is not set +CONFIG_CRYPTO_AUTHENC=y +# CONFIG_CRYPTO_TEST is not set +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +CONFIG_CRYPTO_CTS=y +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_KEYWRAP=y + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +CONFIG_CRYPTO_VMAC=y + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +CONFIG_CRYPTO_CRC32C_INTEL=y +CONFIG_CRYPTO_CRC32=y +CONFIG_CRYPTO_CRC32_PCLMUL=y +CONFIG_CRYPTO_CRCT10DIF=y +# CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y 
+CONFIG_CRYPTO_SHA1_SSSE3=y +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +# CONFIG_CRYPTO_SHA256_MB is not set +# CONFIG_CRYPTO_SHA512_MB is not set +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +# CONFIG_CRYPTO_SHA3 is not set +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=y + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +CONFIG_CRYPTO_DES3_EDE_X86_64=y +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +CONFIG_CRYPTO_ANSI_CPRNG=y +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +# CONFIG_CRYPTO_DRBG_HASH is not set +# CONFIG_CRYPTO_DRBG_CTR is not set +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +CONFIG_CRYPTO_USER_API_RNG=y +CONFIG_CRYPTO_USER_API_AEAD=y 
+CONFIG_CRYPTO_HASH_INFO=y +CONFIG_CRYPTO_HW=y +CONFIG_CRYPTO_DEV_PADLOCK=y +CONFIG_CRYPTO_DEV_PADLOCK_AES=y +CONFIG_CRYPTO_DEV_PADLOCK_SHA=y +# CONFIG_CRYPTO_DEV_CCP is not set +# CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set +# CONFIG_CRYPTO_DEV_QAT_C3XXX is not set +# CONFIG_CRYPTO_DEV_QAT_C62X is not set +# CONFIG_CRYPTO_DEV_QAT_DH895xCCVF is not set +# CONFIG_CRYPTO_DEV_QAT_C3XXXVF is not set +# CONFIG_CRYPTO_DEV_QAT_C62XVF is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y + +# +# Certificates for signature checking +# +# CONFIG_SYSTEM_TRUSTED_KEYRING is not set +CONFIG_HAVE_KVM=y +# CONFIG_VIRTUALIZATION is not set +CONFIG_BINARY_PRINTF=y + +# +# Library routines +# +CONFIG_BITREVERSE=y +# CONFIG_HAVE_ARCH_BITREVERSE is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +CONFIG_CRC_T10DIF=y +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC7 is not set +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +CONFIG_XZ_DEC=y +CONFIG_XZ_DEC_X86=y +CONFIG_XZ_DEC_POWERPC=y +CONFIG_XZ_DEC_IA64=y +CONFIG_XZ_DEC_ARM=y +CONFIG_XZ_DEC_ARMTHUMB=y +CONFIG_XZ_DEC_SPARC=y +CONFIG_XZ_DEC_BCJ=y +# CONFIG_XZ_DEC_TEST is not set +CONFIG_DECOMPRESS_GZIP=y 
+CONFIG_GENERIC_ALLOCATOR=y +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_RADIX_TREE_MULTIORDER=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_CPU_RMAP=y +CONFIG_DQL=y +CONFIG_GLOB=y +# CONFIG_GLOB_SELFTEST is not set +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y +CONFIG_UCS2_STRING=y +CONFIG_FONT_SUPPORT=y +# CONFIG_FONTS is not set +CONFIG_FONT_8x8=y +CONFIG_FONT_8x16=y +# CONFIG_SG_SPLIT is not set +CONFIG_SG_POOL=y +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_MMIO_FLUSH=y +CONFIG_SBITMAP=y diff --git a/projects/landlock/kernel-landlock/kernel_config.debug b/projects/landlock/kernel-landlock/kernel_config.debug new file mode 100644 index 000000000..17b14daca --- /dev/null +++ b/projects/landlock/kernel-landlock/kernel_config.debug @@ -0,0 +1,26 @@ + + +## MOBY DEBUG OPTIONS ## + +CONFIG_LOCKDEP=y +CONFIG_FRAME_POINTER=y +CONFIG_LOCKUP_DETECTOR=y +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEBUG_TIMEKEEPING=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_PROVE_LOCKING=y +CONFIG_LOCK_STAT=y +CONFIG_DEBUG_ATOMIC_SLEEP=y +CONFIG_DEBUG_LIST=y +CONFIG_DEBUG_NOTIFIERS=y +CONFIG_PROVE_RCU=y +CONFIG_RCU_TRACE=y +CONFIG_KGDB=y +CONFIG_KGDB_SERIAL_CONSOLE=y +CONFIG_KGDBOC=y +CONFIG_DEBUG_RODATA_TEST=y +CONFIG_DEBUG_WX=y diff --git a/projects/landlock/kernel-landlock/patches-4.9/0001-tools-lib-bpf-Add-missing-header-to-the-library.patch b/projects/landlock/kernel-landlock/patches-4.9/0001-tools-lib-bpf-Add-missing-header-to-the-library.patch new file mode 100644 index 000000000..7d201c866 --- /dev/null +++ b/projects/landlock/kernel-landlock/patches-4.9/0001-tools-lib-bpf-Add-missing-header-to-the-library.patch 
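Review bot: Nothing in kernel_config.debug marks it as a debug-only fragment that must not reach the shipped kernel_config, even though its `CONFIG_KGDB=y`, `CONFIG_KGDB_SERIAL_CONSOLE=y` and `CONFIG_KGDBOC=y` lines attach a kernel debugger to the serial console and give whoever can reach that console read/write access to all kernel memory. I would add one line under the `## MOBY DEBUG OPTIONS ##` header: `# Debug builds only: KGDB over the serial console exposes all kernel memory; never merge into kernel_config.` How this fragment is merged into the base config is not visible in this diff, so I cannot tell whether the build would catch an accidental carry-over. Separately, `CONFIG_DEBUG_WX=y` only emits a one-time boot warning about writable+executable kernel mappings and costs nothing afterwards, so it is a candidate for the base kernel_config (currently `# CONFIG_DEBUG_WX is not set`) rather than only this overlay.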
@@ -0,0 +1,38 @@
+From 9a94a681dffa7b2115806405ab573ba41052ad04 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
+Date: Tue, 7 Feb 2017 21:56:05 +0100
+Subject: [PATCH 01/12] tools lib bpf: Add missing header to the library
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Include stddef.h to define size_t.
+
+Signed-off-by: Mickaël Salaün
+Acked-by: Wang Nan
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: David S. Miller
+Cc: Joe Stringer
+Link: http://lkml.kernel.org/r/20170207205609.8035-2-mic@digikod.net
+Signed-off-by: Arnaldo Carvalho de Melo
+(cherry picked from commit 7a5980f9c0066d085319415ec15ee51f165111f5)
+---
+ tools/lib/bpf/bpf.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
+index e8ba54087497..eb584e639500 100644
+--- a/tools/lib/bpf/bpf.h
++++ b/tools/lib/bpf/bpf.h
+@@ -22,6 +22,7 @@
+ #define __BPF_BPF_H
+ 
+ #include
++#include
+ 
+ int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
+ int max_entries);
+--
+2.11.0
+
diff --git a/projects/landlock/kernel-landlock/patches-4.9/0002-samples-bpf-Add-missing-header.patch b/projects/landlock/kernel-landlock/patches-4.9/0002-samples-bpf-Add-missing-header.patch
new file mode 100644
index 000000000..5ecceef76
--- /dev/null
+++ b/projects/landlock/kernel-landlock/patches-4.9/0002-samples-bpf-Add-missing-header.patch
@@ -0,0 +1,39 @@
+From 7dbf58fc4e42a55cc2d37130362080f7ecf8ca1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
+Date: Wed, 8 Feb 2017 21:27:44 +0100
+Subject: [PATCH 02/12] samples/bpf: Add missing header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Include unistd.h to define __NR_getuid and __NR_getsid.
+
+Signed-off-by: Mickaël Salaün
+Acked-by: Joe Stringer
+Acked-by: Wang Nan
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: David S. Miller
+Cc: netdev@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170208202744.16274-4-mic@digikod.net
+Signed-off-by: Arnaldo Carvalho de Melo
+(cherry picked from commit af392a8f5399e831cb502ff210dacef8b38ca513)
+---
+ samples/bpf/tracex5_kern.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/samples/bpf/tracex5_kern.c b/samples/bpf/tracex5_kern.c
+index fd12d7154d42..7e4cf74553ff 100644
+--- a/samples/bpf/tracex5_kern.c
++++ b/samples/bpf/tracex5_kern.c
+@@ -8,6 +8,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "bpf_helpers.h"
+
+ #define PROG(F) SEC("kprobe/"__stringify(F)) int bpf_func_##F
+--
+2.11.0
+
diff --git a/projects/landlock/kernel-landlock/patches-4.9/0003-samples-bpf-Ignore-already-processed-ELF-sections.patch b/projects/landlock/kernel-landlock/patches-4.9/0003-samples-bpf-Ignore-already-processed-ELF-sections.patch
new file mode 100644
index 000000000..8251c7202
--- /dev/null
+++ b/projects/landlock/kernel-landlock/patches-4.9/0003-samples-bpf-Ignore-already-processed-ELF-sections.patch
@@ -0,0 +1,40 @@
+From 7e0ee6e01fbafac371e50052eddd59af9b053825 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
+Date: Wed, 8 Feb 2017 21:27:42 +0100
+Subject: [PATCH 03/12] samples/bpf: Ignore already processed ELF sections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a missing check for the map fixup loop.
+
+Signed-off-by: Mickaël Salaün
+Acked-by: Joe Stringer
+Acked-by: Wang Nan
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: David S. Miller
+Cc: netdev@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170208202744.16274-2-mic@digikod.net
+Signed-off-by: Arnaldo Carvalho de Melo
+(cherry picked from commit 16ad1329002f905c643a438ddcfb0a180787850a)
+---
+ samples/bpf/bpf_load.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index 97913e109b14..4b86bd3c7c6b 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -307,6 +307,8 @@ int load_bpf_file(char *path)
+
+ /* load programs that need map fixup (relocations) */
+ for (i = 1; i < ehdr.e_shnum; i++) {
++ if (processed_sec[i])
++ continue;
+
+ if (get_sec(elf, i, &ehdr, &shname, &shdr, &data))
+ continue;
+--
+2.11.0
+
diff --git a/projects/landlock/kernel-landlock/patches-4.9/0004-samples-bpf-Reset-global-variables.patch b/projects/landlock/kernel-landlock/patches-4.9/0004-samples-bpf-Reset-global-variables.patch
new file mode 100644
index 000000000..1cbdb01ec
--- /dev/null
+++ b/projects/landlock/kernel-landlock/patches-4.9/0004-samples-bpf-Reset-global-variables.patch
@@ -0,0 +1,44 @@
+From 3dd0d725f5e83a53ea2d4cbb3fe0856ce2b836cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
+Date: Wed, 8 Feb 2017 21:27:43 +0100
+Subject: [PATCH 04/12] samples/bpf: Reset global variables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before loading a new ELF, clean previous kernel version, license and
+processed sections.
+
+Signed-off-by: Mickaël Salaün
+Acked-by: Joe Stringer
+Acked-by: Wang Nan
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: David S. Miller
+Cc: netdev@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170208202744.16274-3-mic@digikod.net
+Signed-off-by: Arnaldo Carvalho de Melo
+(cherry picked from commit a734fb5d60067a73dd7099a58756847c07f9cd68)
+---
+ samples/bpf/bpf_load.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index 4b86bd3c7c6b..765a6e45b92d 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -256,6 +256,11 @@ int load_bpf_file(char *path)
+ Elf_Data *data, *data_prog, *symbols = NULL;
+ char *shname, *shname_prog;
+
++ /* reset global variables */
++ kern_version = 0;
++ memset(license, 0, sizeof(license));
++ memset(processed_sec, 0, sizeof(processed_sec));
++
+ if (elf_version(EV_CURRENT) == EV_NONE)
+ return 1;
+
+--
+2.11.0
+
diff --git a/projects/landlock/kernel-landlock/patches-4.9/0005-bpf-Add-eBPF-program-subtype-and-is_valid_subtype-ve.patch b/projects/landlock/kernel-landlock/patches-4.9/0005-bpf-Add-eBPF-program-subtype-and-is_valid_subtype-ve.patch
new file mode 100644
index 000000000..9c821d3e5
--- /dev/null
+++ b/projects/landlock/kernel-landlock/patches-4.9/0005-bpf-Add-eBPF-program-subtype-and-is_valid_subtype-ve.patch
@@ -0,0 +1,640 @@ +From 0ecb458868b0902aa40d583a24819b97998c5555 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 29 Mar 2017 01:30:33 +0200 +Subject: [PATCH 05/12] bpf: Add eBPF program subtype and is_valid_subtype() + verifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The goal of the program subtype is to be able to have different static +fine-grained verifications for a unique program type. + +The struct bpf_verifier_ops gets a new optional function: +is_valid_subtype(). This new verifier is called at the beginning of the +eBPF program verification to check if the (optional) program subtype is +valid. + +For now, only Landlock eBPF programs are using a program subtype (see +next commit) but this could be used by other program types in the future. + +Changes since v5: +* use a prog_subtype pointer and make it future-proof +* add subtype test +* constify bpf_load_program()'s subtype argument +* cleanup subtype initialization +* rebase + +Changes since v4: +* replace the "status" field with "version" (more generic) +* replace the "access" field with "ability" (less confusing) + +Changes since v3: +* remove the "origin" field +* add an "option" field +* cleanup comments + +Signed-off-by: Mickaël Salaün +Cc: Alexei Starovoitov +Cc: Arnaldo Carvalho de Melo +Cc: Daniel Borkmann +Cc: David S. 
Miller +Link: https://lkml.kernel.org/r/20160827205559.GA43880@ast-mbp.thefacebook.com +(cherry picked from commit 173f32497bc24bc1e3379a0050e0ca603fb2922d) +--- + include/linux/bpf.h | 7 +++- + include/linux/filter.h | 2 + + include/uapi/linux/bpf.h | 11 +++++ + kernel/bpf/syscall.c | 92 ++++++++++++++++++++++++++++-------------- + kernel/bpf/verifier.c | 14 ++++++- + kernel/trace/bpf_trace.c | 15 ++++--- + net/core/filter.c | 22 ++++++---- + samples/bpf/bpf_load.c | 3 +- + samples/bpf/fds_example.c | 2 +- + samples/bpf/libbpf.c | 7 +++- + samples/bpf/libbpf.h | 3 +- + samples/bpf/sock_example.c | 2 +- + samples/bpf/test_verifier.c | 2 +- + tools/include/uapi/linux/bpf.h | 11 +++++ + tools/lib/bpf/bpf.c | 5 ++- + tools/lib/bpf/bpf.h | 2 +- + tools/lib/bpf/libbpf.c | 4 +- + tools/perf/tests/bpf.c | 2 +- + 18 files changed, 147 insertions(+), 59 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index c201017b5730..d4b9ca479f79 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -152,18 +152,21 @@ struct bpf_prog; + + struct bpf_verifier_ops { + /* return eBPF function prototype for verification */ +- const struct bpf_func_proto *(*get_func_proto)(enum bpf_func_id func_id); ++ const struct bpf_func_proto *(*get_func_proto)(enum bpf_func_id func_id, ++ union bpf_prog_subtype *prog_subtype); + + /* return true if 'size' wide access at offset 'off' within bpf_context + * with 'type' (read or write) is allowed + */ + bool (*is_valid_access)(int off, int size, enum bpf_access_type type, +- enum bpf_reg_type *reg_type); ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype); + int (*gen_prologue)(struct bpf_insn *insn, bool direct_write, + const struct bpf_prog *prog); + u32 (*convert_ctx_access)(enum bpf_access_type type, int dst_reg, + int src_reg, int ctx_off, + struct bpf_insn *insn, struct bpf_prog *prog); ++ bool (*is_valid_subtype)(union bpf_prog_subtype *prog_subtype); + }; + + struct bpf_prog_type_list { +diff 
--git a/include/linux/filter.h b/include/linux/filter.h +index 1f09c521adfe..782a271bf54e 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -406,6 +406,8 @@ struct bpf_prog { + kmemcheck_bitfield_end(meta); + u32 len; /* Number of filter blocks */ + enum bpf_prog_type type; /* Type of BPF program */ ++ u8 has_subtype; ++ union bpf_prog_subtype subtype; /* Fine-grained verifications */ + struct bpf_prog_aux *aux; /* Auxiliary fields */ + struct sock_fprog_kern *orig_prog; /* Original BPF program */ + unsigned int (*bpf_func)(const struct sk_buff *skb, +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index f09c70b97eca..a203fbcb0b2d 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -107,6 +107,15 @@ enum bpf_prog_type { + + #define BPF_F_NO_PREALLOC (1U << 0) + ++union bpf_prog_subtype { ++ struct { ++ __u32 version; /* cf. documentation */ ++ __u32 event; /* enum landlock_subtype_event */ ++ __aligned_u64 ability; /* LANDLOCK_SUBTYPE_ABILITY_* */ ++ __aligned_u64 option; /* LANDLOCK_SUBTYPE_OPTION_* */ ++ } landlock_rule; ++} __attribute__((aligned(8))); ++ + union bpf_attr { + struct { /* anonymous struct used by BPF_MAP_CREATE command */ + __u32 map_type; /* one of enum bpf_map_type */ +@@ -135,6 +144,8 @@ union bpf_attr { + __u32 log_size; /* size of user buffer */ + __aligned_u64 log_buf; /* user supplied buffer */ + __u32 kern_version; /* checked when prog_type=kprobe */ ++ __aligned_u64 prog_subtype; /* bpf_prog_subtype address */ ++ __u32 prog_subtype_size; + }; + + struct { /* anonymous struct used by BPF_OBJ_* commands */ +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 237f3d6a7ddc..17bbd1af517f 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -580,7 +580,8 @@ static void fixup_bpf_calls(struct bpf_prog *prog) + continue; + } + +- fn = prog->aux->ops->get_func_proto(insn->imm); ++ fn = prog->aux->ops->get_func_proto(insn->imm, ++ &prog->subtype); + /* all 
functions that have prototype and verifier allowed + * programs to call them, must be real in-kernel functions + */ +@@ -717,8 +718,44 @@ struct bpf_prog *bpf_prog_get_type(u32 ufd, enum bpf_prog_type type) + } + EXPORT_SYMBOL_GPL(bpf_prog_get_type); + ++static int check_user_buf(void __user *uptr, unsigned int size_req, ++ unsigned int size_max) ++{ ++ if (!access_ok(VERIFY_READ, uptr, 1)) ++ return -EFAULT; ++ ++ if (size_req > PAGE_SIZE) /* silly large */ ++ return -E2BIG; ++ ++ /* If we're handed a bigger struct than we know of, ++ * ensure all the unknown bits are 0 - i.e. new ++ * user-space does not rely on any kernel feature ++ * extensions we dont know about yet. ++ */ ++ if (size_req > size_max) { ++ unsigned char __user *addr; ++ unsigned char __user *end; ++ unsigned char val; ++ int err; ++ ++ addr = uptr + size_max; ++ end = uptr + size_req; ++ ++ for (; addr < end; addr++) { ++ err = get_user(val, addr); ++ if (err) ++ return err; ++ if (val) ++ return -E2BIG; ++ } ++ return size_max; ++ } ++ ++ return size_req; ++} ++ + /* last field in 'union bpf_attr' used by this command */ +-#define BPF_PROG_LOAD_LAST_FIELD kern_version ++#define BPF_PROG_LOAD_LAST_FIELD prog_subtype_size + + static int bpf_prog_load(union bpf_attr *attr) + { +@@ -777,6 +814,26 @@ static int bpf_prog_load(union bpf_attr *attr) + if (err < 0) + goto free_prog; + ++ /* copy eBPF program subtype from user space */ ++ if (attr->prog_subtype) { ++ __u32 size; ++ ++ size = check_user_buf((void __user *)attr->prog_subtype, ++ attr->prog_subtype_size, ++ sizeof(prog->subtype)); ++ if (size < 0) { ++ err = size; ++ goto free_prog; ++ } ++ /* prog->subtype is __GFP_ZERO */ ++ if (copy_from_user(&prog->subtype, ++ u64_to_user_ptr(attr->prog_subtype), size) ++ != 0) ++ return -EFAULT; ++ prog->has_subtype = 1; ++ } else if (attr->prog_subtype_size != 0) ++ return -EINVAL; ++ + /* run eBPF verifier */ + err = bpf_check(&prog, attr); + if (err < 0) +@@ -832,34 +889,9 @@ SYSCALL_DEFINE3(bpf, 
int, cmd, union bpf_attr __user *, uattr, unsigned int, siz + if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled) + return -EPERM; + +- if (!access_ok(VERIFY_READ, uattr, 1)) +- return -EFAULT; +- +- if (size > PAGE_SIZE) /* silly large */ +- return -E2BIG; +- +- /* If we're handed a bigger struct than we know of, +- * ensure all the unknown bits are 0 - i.e. new +- * user-space does not rely on any kernel feature +- * extensions we dont know about yet. +- */ +- if (size > sizeof(attr)) { +- unsigned char __user *addr; +- unsigned char __user *end; +- unsigned char val; +- +- addr = (void __user *)uattr + sizeof(attr); +- end = (void __user *)uattr + size; +- +- for (; addr < end; addr++) { +- err = get_user(val, addr); +- if (err) +- return err; +- if (val) +- return -E2BIG; +- } +- size = sizeof(attr); +- } ++ size = check_user_buf((void __user *)uattr, size, sizeof(attr)); ++ if (size < 0) ++ return size; + + /* copy attributes from user space, may be less than sizeof(bpf_attr) */ + if (copy_from_user(&attr, uattr, size) != 0) +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 85d1c9423ccb..f5f082de2f7f 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -660,7 +660,8 @@ static int check_ctx_access(struct bpf_verifier_env *env, int off, int size, + return 0; + + if (env->prog->aux->ops->is_valid_access && +- env->prog->aux->ops->is_valid_access(off, size, t, reg_type)) { ++ env->prog->aux->ops->is_valid_access(off, size, t, reg_type, ++ &env->prog->subtype)) { + /* remember the offset of last byte accessed in ctx */ + if (env->prog->aux->max_ctx_offset < off + size) + env->prog->aux->max_ctx_offset = off + size; +@@ -1182,7 +1183,8 @@ static int check_call(struct bpf_verifier_env *env, int func_id) + } + + if (env->prog->aux->ops->get_func_proto) +- fn = env->prog->aux->ops->get_func_proto(func_id); ++ fn = env->prog->aux->ops->get_func_proto(func_id, ++ &env->prog->subtype); + + if (!fn) { + verbose("unknown func 
%d\n", func_id); +@@ -3116,6 +3118,14 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) + if ((*prog)->len <= 0 || (*prog)->len > BPF_MAXINSNS) + return -E2BIG; + ++ if ((*prog)->aux->ops->is_valid_subtype) { ++ if (!(*prog)->aux->ops->is_valid_subtype(&(*prog)->subtype)) ++ return -EINVAL; ++ } else if ((*prog)->has_subtype) { ++ /* do not accept a subtype if the program does not handle it */ ++ return -EINVAL; ++ } ++ + /* 'struct bpf_verifier_env' can be global, but since it's not small, + * allocate/free it every time bpf_check() is called + */ +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 5dcb99281259..653695fbc520 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -435,7 +435,8 @@ static const struct bpf_func_proto *tracing_func_proto(enum bpf_func_id func_id) + } + } + +-static const struct bpf_func_proto *kprobe_prog_func_proto(enum bpf_func_id func_id) ++static const struct bpf_func_proto *kprobe_prog_func_proto(enum bpf_func_id func_id, ++ union bpf_prog_subtype *prog_subtype) + { + switch (func_id) { + case BPF_FUNC_perf_event_output: +@@ -449,7 +450,8 @@ static const struct bpf_func_proto *kprobe_prog_func_proto(enum bpf_func_id func + + /* bpf+kprobe programs can access fields of 'struct pt_regs' */ + static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type type, +- enum bpf_reg_type *reg_type) ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype) + { + if (off < 0 || off >= sizeof(struct pt_regs)) + return false; +@@ -517,7 +519,8 @@ static const struct bpf_func_proto bpf_get_stackid_proto_tp = { + .arg3_type = ARG_ANYTHING, + }; + +-static const struct bpf_func_proto *tp_prog_func_proto(enum bpf_func_id func_id) ++static const struct bpf_func_proto *tp_prog_func_proto(enum bpf_func_id func_id, ++ union bpf_prog_subtype *prog_subtype) + { + switch (func_id) { + case BPF_FUNC_perf_event_output: +@@ -530,7 +533,8 @@ static const struct 
bpf_func_proto *tp_prog_func_proto(enum bpf_func_id func_id) + } + + static bool tp_prog_is_valid_access(int off, int size, enum bpf_access_type type, +- enum bpf_reg_type *reg_type) ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype) + { + if (off < sizeof(void *) || off >= PERF_MAX_TRACE_SIZE) + return false; +@@ -552,7 +556,8 @@ static struct bpf_prog_type_list tracepoint_tl = { + }; + + static bool pe_prog_is_valid_access(int off, int size, enum bpf_access_type type, +- enum bpf_reg_type *reg_type) ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype) + { + if (off < 0 || off >= sizeof(struct bpf_perf_event_data)) + return false; +diff --git a/net/core/filter.c b/net/core/filter.c +index b391209838ef..36a773c846b9 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2531,7 +2531,8 @@ static const struct bpf_func_proto bpf_xdp_event_output_proto = { + }; + + static const struct bpf_func_proto * +-sk_filter_func_proto(enum bpf_func_id func_id) ++sk_filter_func_proto(enum bpf_func_id func_id, ++ union bpf_prog_subtype *prog_subtype) + { + switch (func_id) { + case BPF_FUNC_map_lookup_elem: +@@ -2557,7 +2558,8 @@ sk_filter_func_proto(enum bpf_func_id func_id) + } + + static const struct bpf_func_proto * +-tc_cls_act_func_proto(enum bpf_func_id func_id) ++tc_cls_act_func_proto(enum bpf_func_id func_id, ++ union bpf_prog_subtype *prog_subtype) + { + switch (func_id) { + case BPF_FUNC_skb_store_bytes: +@@ -2611,12 +2613,13 @@ tc_cls_act_func_proto(enum bpf_func_id func_id) + case BPF_FUNC_skb_under_cgroup: + return &bpf_skb_under_cgroup_proto; + default: +- return sk_filter_func_proto(func_id); ++ return sk_filter_func_proto(func_id, prog_subtype); + } + } + + static const struct bpf_func_proto * +-xdp_func_proto(enum bpf_func_id func_id) ++xdp_func_proto(enum bpf_func_id func_id, ++ union bpf_prog_subtype *prog_subtype) + { + switch (func_id) { + case BPF_FUNC_perf_event_output: +@@ -2624,7 +2627,7 @@ 
xdp_func_proto(enum bpf_func_id func_id) + case BPF_FUNC_get_smp_processor_id: + return &bpf_get_smp_processor_id_proto; + default: +- return sk_filter_func_proto(func_id); ++ return sk_filter_func_proto(func_id, prog_subtype); + } + } + +@@ -2643,7 +2646,8 @@ static bool __is_valid_access(int off, int size, enum bpf_access_type type) + + static bool sk_filter_is_valid_access(int off, int size, + enum bpf_access_type type, +- enum bpf_reg_type *reg_type) ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype) + { + switch (off) { + case offsetof(struct __sk_buff, tc_classid): +@@ -2706,7 +2710,8 @@ static int tc_cls_act_prologue(struct bpf_insn *insn_buf, bool direct_write, + + static bool tc_cls_act_is_valid_access(int off, int size, + enum bpf_access_type type, +- enum bpf_reg_type *reg_type) ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype) + { + if (type == BPF_WRITE) { + switch (off) { +@@ -2749,7 +2754,8 @@ static bool __is_valid_xdp_access(int off, int size, + + static bool xdp_is_valid_access(int off, int size, + enum bpf_access_type type, +- enum bpf_reg_type *reg_type) ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype) + { + if (type == BPF_WRITE) + return false; +diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c +index 765a6e45b92d..40cf828a37c7 100644 +--- a/samples/bpf/bpf_load.c ++++ b/samples/bpf/bpf_load.c +@@ -56,6 +56,7 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size) + char buf[256]; + int fd, efd, err, id; + struct perf_event_attr attr = {}; ++ union bpf_prog_subtype *st = NULL; + + attr.type = PERF_TYPE_TRACEPOINT; + attr.sample_type = PERF_SAMPLE_RAW; +@@ -77,7 +78,7 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size) + return -1; + } + +- fd = bpf_prog_load(prog_type, prog, size, license, kern_version); ++ fd = bpf_prog_load(prog_type, prog, size, license, kern_version, st); + if (fd < 0) { + 
printf("bpf_prog_load() err=%d\n%s", errno, bpf_log_buf); + return -1; +diff --git a/samples/bpf/fds_example.c b/samples/bpf/fds_example.c +index 625e797be6ef..df38b68f3586 100644 +--- a/samples/bpf/fds_example.c ++++ b/samples/bpf/fds_example.c +@@ -59,7 +59,7 @@ static int bpf_prog_create(const char *object) + return prog_fd[0]; + } else { + return bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, +- insns, sizeof(insns), "GPL", 0); ++ insns, sizeof(insns), "GPL", 0, NULL); + } + } + +diff --git a/samples/bpf/libbpf.c b/samples/bpf/libbpf.c +index 9969e35550c3..b5a4275d13a2 100644 +--- a/samples/bpf/libbpf.c ++++ b/samples/bpf/libbpf.c +@@ -13,7 +13,7 @@ + #include + #include "libbpf.h" + +-static __u64 ptr_to_u64(void *ptr) ++static __u64 ptr_to_u64(const void *ptr) + { + return (__u64) (unsigned long) ptr; + } +@@ -82,7 +82,8 @@ char bpf_log_buf[LOG_BUF_SIZE]; + + int bpf_prog_load(enum bpf_prog_type prog_type, + const struct bpf_insn *insns, int prog_len, +- const char *license, int kern_version) ++ const char *license, int kern_version, ++ const union bpf_prog_subtype *subtype) + { + union bpf_attr attr = { + .prog_type = prog_type, +@@ -92,6 +93,8 @@ int bpf_prog_load(enum bpf_prog_type prog_type, + .log_buf = ptr_to_u64(bpf_log_buf), + .log_size = LOG_BUF_SIZE, + .log_level = 1, ++ .prog_subtype = ptr_to_u64(subtype), ++ .prog_subtype_size = subtype ? 
sizeof(*subtype) : 0, + }; + + /* assign one field outside of struct init to make sure any +diff --git a/samples/bpf/libbpf.h b/samples/bpf/libbpf.h +index ac6edb61b64a..56a86b847544 100644 +--- a/samples/bpf/libbpf.h ++++ b/samples/bpf/libbpf.h +@@ -13,7 +13,8 @@ int bpf_get_next_key(int fd, void *key, void *next_key); + + int bpf_prog_load(enum bpf_prog_type prog_type, + const struct bpf_insn *insns, int insn_len, +- const char *license, int kern_version); ++ const char *license, int kern_version, ++ const union bpf_prog_subtype *subtype); + + int bpf_obj_pin(int fd, const char *pathname); + int bpf_obj_get(const char *pathname); +diff --git a/samples/bpf/sock_example.c b/samples/bpf/sock_example.c +index 28b60baa9fa8..521f918ab34d 100644 +--- a/samples/bpf/sock_example.c ++++ b/samples/bpf/sock_example.c +@@ -56,7 +56,7 @@ static int test_sock(void) + }; + + prog_fd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, prog, sizeof(prog), +- "GPL", 0); ++ "GPL", 0, NULL); + if (prog_fd < 0) { + printf("failed to load prog '%s'\n", strerror(errno)); + goto cleanup; +diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c +index 369ffaad3799..7a965da8ed2d 100644 +--- a/samples/bpf/test_verifier.c ++++ b/samples/bpf/test_verifier.c +@@ -2468,7 +2468,7 @@ static int test(void) + + prog_fd = bpf_prog_load(prog_type ?: BPF_PROG_TYPE_SOCKET_FILTER, + prog, prog_len * sizeof(struct bpf_insn), +- "GPL", 0); ++ "GPL", 0, NULL); + + if (unpriv && tests[i].result_unpriv != UNDEF) + expected_result = tests[i].result_unpriv; +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index 9e5fc168c8a3..aae3b82a673c 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -106,6 +106,15 @@ enum bpf_prog_type { + + #define BPF_F_NO_PREALLOC (1U << 0) + ++union bpf_prog_subtype { ++ struct { ++ __u32 version; /* cf. 
documentation */ ++ __u32 event; /* enum landlock_subtype_event */ ++ __aligned_u64 ability; /* LANDLOCK_SUBTYPE_ABILITY_* */ ++ __aligned_u64 option; /* LANDLOCK_SUBTYPE_OPTION_* */ ++ } landlock_rule; ++} __attribute__((aligned(8))); ++ + union bpf_attr { + struct { /* anonymous struct used by BPF_MAP_CREATE command */ + __u32 map_type; /* one of enum bpf_map_type */ +@@ -134,6 +143,8 @@ union bpf_attr { + __u32 log_size; /* size of user buffer */ + __aligned_u64 log_buf; /* user supplied buffer */ + __u32 kern_version; /* checked when prog_type=kprobe */ ++ __aligned_u64 prog_subtype; /* bpf_prog_subtype address */ ++ __u32 prog_subtype_size; + }; + + struct { /* anonymous struct used by BPF_OBJ_* commands */ +diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c +index 4212ed62235b..57258decb4bd 100644 +--- a/tools/lib/bpf/bpf.c ++++ b/tools/lib/bpf/bpf.c +@@ -70,7 +70,8 @@ int bpf_create_map(enum bpf_map_type map_type, int key_size, + + int bpf_load_program(enum bpf_prog_type type, struct bpf_insn *insns, + size_t insns_cnt, char *license, +- u32 kern_version, char *log_buf, size_t log_buf_sz) ++ u32 kern_version, char *log_buf, size_t log_buf_sz, ++ const union bpf_prog_subtype *subtype) + { + int fd; + union bpf_attr attr; +@@ -84,6 +85,8 @@ int bpf_load_program(enum bpf_prog_type type, struct bpf_insn *insns, + attr.log_size = 0; + attr.log_level = 0; + attr.kern_version = kern_version; ++ attr.prog_subtype = ptr_to_u64(subtype); ++ attr.prog_subtype_size = subtype ? 
sizeof(*subtype) : 0; + + fd = sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr)); + if (fd >= 0 || !log_buf || !log_buf_sz) +diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h +index eb584e639500..8a772c817b87 100644 +--- a/tools/lib/bpf/bpf.h ++++ b/tools/lib/bpf/bpf.h +@@ -32,7 +32,7 @@ int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size, + int bpf_load_program(enum bpf_prog_type type, struct bpf_insn *insns, + size_t insns_cnt, char *license, + u32 kern_version, char *log_buf, +- size_t log_buf_sz); ++ size_t log_buf_sz, const union bpf_prog_subtype *subtype); + + int bpf_map_update_elem(int fd, void *key, void *value, + u64 flags); +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index b699aea9a025..ea8c03a12c16 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -916,7 +916,7 @@ load_program(enum bpf_prog_type type, struct bpf_insn *insns, + pr_warning("Alloc log buffer for bpf loader error, continue without log\n"); + + ret = bpf_load_program(type, insns, insns_cnt, license, +- kern_version, log_buf, BPF_LOG_BUF_SIZE); ++ kern_version, log_buf, BPF_LOG_BUF_SIZE, NULL); + + if (ret >= 0) { + *pfd = ret; +@@ -943,7 +943,7 @@ load_program(enum bpf_prog_type type, struct bpf_insn *insns, + + fd = bpf_load_program(BPF_PROG_TYPE_KPROBE, insns, + insns_cnt, license, kern_version, +- NULL, 0); ++ NULL, 0, NULL); + if (fd >= 0) { + close(fd); + ret = -LIBBPF_ERRNO__PROGTYPE; +diff --git a/tools/perf/tests/bpf.c b/tools/perf/tests/bpf.c +index 2673e86ed50f..285b872b46a2 100644 +--- a/tools/perf/tests/bpf.c ++++ b/tools/perf/tests/bpf.c +@@ -266,7 +266,7 @@ static int check_env(void) + + err = bpf_load_program(BPF_PROG_TYPE_KPROBE, insns, + sizeof(insns) / sizeof(insns[0]), +- license, kver_int, NULL, 0); ++ license, kver_int, NULL, 0, NULL); + if (err < 0) { + pr_err("Missing basic BPF support, skip this test: %s\n", + strerror(errno)); +-- +2.11.0 + 
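Review bot: The subtype-copy block added to bpf_prog_load() in kernel/bpf/syscall.c stores check_user_buf()'s int result in a `__u32 size`, so `if (size < 0)` can never be true and a -EFAULT/-E2BIG result is passed on as a ~4 GiB length to copy_from_user() into prog->subtype; the same sign loss appears in the SYSCALL_DEFINE3(bpf) hunk, where `size` is the `unsigned int` syscall parameter and `if (size < 0) return size;` is dead code. Both call sites need a signed temporary; for the syscall: `int ret = check_user_buf((void __user *)uattr, size, sizeof(attr)); if (ret < 0) return ret; size = ret;`. The same bpf_prog_load() block also bails out with bare `return -EFAULT;` and `return -EINVAL;` where the code around it uses `goto free_prog`, skipping the release of the program allocated earlier in the function (bpf_prog_load's body begins and ends outside the visible hunk lines). It would also be consistent to build the user pointer with u64_to_user_ptr() in both calls instead of casting the __u64 for check_user_buf() only.
```c
	/* copy eBPF program subtype from user space */
	if (attr->prog_subtype) {
		int size;	/* signed: check_user_buf() returns -errno on failure */

		size = check_user_buf(u64_to_user_ptr(attr->prog_subtype),
				      attr->prog_subtype_size,
				      sizeof(prog->subtype));
		if (size < 0) {
			err = size;
			goto free_prog;
		}
		/* prog->subtype is __GFP_ZERO */
		if (copy_from_user(&prog->subtype,
				   u64_to_user_ptr(attr->prog_subtype), size) != 0) {
			err = -EFAULT;
			goto free_prog;
		}
		prog->has_subtype = 1;
	} else if (attr->prog_subtype_size != 0) {
		err = -EINVAL;
		goto free_prog;
	}
	/* … unchanged: bpf_check() and the rest of bpf_prog_load() … */
```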
diff --git a/projects/landlock/kernel-landlock/patches-4.9/0006-bpf-landlock-Define-an-eBPF-program-type-for-Landloc.patch b/projects/landlock/kernel-landlock/patches-4.9/0006-bpf-landlock-Define-an-eBPF-program-type-for-Landloc.patch
new file mode 100644
index 000000000..3b4a265a6
--- /dev/null
+++ b/projects/landlock/kernel-landlock/patches-4.9/0006-bpf-landlock-Define-an-eBPF-program-type-for-Landloc.patch
@@ -0,0 +1,566 @@ +From 7136b7f6c5f451e4c1fd0db5beb69994a2b9a9f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 29 Mar 2017 01:30:33 +0200 +Subject: [PATCH 06/12] bpf,landlock: Define an eBPF program type for Landlock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add a new type of eBPF program used by Landlock rules. + +This new BPF program type will be registered with the Landlock LSM +initialization. + +Add an initial Landlock Kconfig. + +Changes since v5: +* rename file hooks.c to init.c +* fix spelling + +Changes since v4: +* merge a minimal (not enabled) LSM code and Kconfig in this commit + +Changes since v3: +* split commit +* revamp the landlock_context: + * add arch, syscall_nr and syscall_cmd (ioctl, fcntl…) to be able to + cross-check action with the event type + * replace args array with dedicated fields to ease the addition of new + fields + +Signed-off-by: Mickaël Salaün +Cc: Alexei Starovoitov +Cc: Andy Lutomirski +Cc: Daniel Borkmann +Cc: David S. Miller +Cc: James Morris +Cc: Kees Cook +Cc: Serge E. 
Hallyn +(cherry picked from commit f2265894fff03038ec0a81dbcf68ee8d1bf7c33d) +--- + include/linux/landlock.h | 23 ++++++++ + include/uapi/linux/bpf.h | 110 ++++++++++++++++++++++++++++++++++++ + security/Kconfig | 1 + + security/Makefile | 2 + + security/landlock/Kconfig | 18 ++++++ + security/landlock/Makefile | 3 + + security/landlock/common.h | 25 +++++++++ + security/landlock/init.c | 123 +++++++++++++++++++++++++++++++++++++++++ + tools/include/uapi/linux/bpf.h | 111 +++++++++++++++++++++++++++++++++++++ + 9 files changed, 416 insertions(+) + create mode 100644 include/linux/landlock.h + create mode 100644 security/landlock/Kconfig + create mode 100644 security/landlock/Makefile + create mode 100644 security/landlock/common.h + create mode 100644 security/landlock/init.c + +diff --git a/include/linux/landlock.h b/include/linux/landlock.h +new file mode 100644 +index 000000000000..53013dc374fe +--- /dev/null ++++ b/include/linux/landlock.h +@@ -0,0 +1,23 @@ ++/* ++ * Landlock LSM - public kernel headers ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. ++ */ ++ ++#ifndef _LINUX_LANDLOCK_H ++#define _LINUX_LANDLOCK_H ++#ifdef CONFIG_SECURITY_LANDLOCK ++ ++/* ++ * This is not intended for the UAPI headers. Each userland software should use ++ * a static minimal version for the required features as explained in the ++ * documentation. 
++ */ ++#define LANDLOCK_VERSION 1 ++ ++#endif /* CONFIG_SECURITY_LANDLOCK */ ++#endif /* _LINUX_LANDLOCK_H */ +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index a203fbcb0b2d..f190be4f609f 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -96,6 +96,12 @@ enum bpf_prog_type { + BPF_PROG_TYPE_TRACEPOINT, + BPF_PROG_TYPE_XDP, + BPF_PROG_TYPE_PERF_EVENT, ++ BPF_PROG_TYPE_CGROUP_SKB, ++ BPF_PROG_TYPE_CGROUP_SOCK, ++ BPF_PROG_TYPE_LWT_IN, ++ BPF_PROG_TYPE_LWT_OUT, ++ BPF_PROG_TYPE_LWT_XMIT, ++ BPF_PROG_TYPE_LANDLOCK, + }; + + #define BPF_PSEUDO_MAP_FD 1 +@@ -532,4 +538,108 @@ struct xdp_md { + __u32 data_end; + }; + ++/** ++ * enum landlock_subtype_event - event occurring when an action is performed on ++ * a particular kernel object ++ * ++ * An event is a policy decision point which exposes the same context type ++ * (especially the same arg[0-9] field types) for each rule execution. ++ * ++ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value ++ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event ++ */ ++enum landlock_subtype_event { ++ LANDLOCK_SUBTYPE_EVENT_UNSPEC, ++ LANDLOCK_SUBTYPE_EVENT_FS, ++}; ++#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS ++ ++/** ++ * DOC: landlock_subtype_access ++ * ++ * eBPF context and functions allowed for a rule ++ * ++ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to ++ * userland (e.g. through a map), which may leaks sensitive information ++ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing ++ * logs), which may be dangerous and should only be used for rule testing ++ */ ++#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0) ++#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1) ++#define _LANDLOCK_SUBTYPE_ABILITY_NB 2 ++#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1) ++ ++/* ++ * Future options for a Landlock rule (e.g. run even if a previous rule denied ++ * an action). 
++ */ ++#define _LANDLOCK_SUBTYPE_OPTION_NB 0 ++#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1) ++ ++/* ++ * Status visible in the @status field of a context (e.g. already called in ++ * this syscall session, with same args...). ++ * ++ * The @status field exposed to a rule shall depend on the rule version. ++ */ ++#define _LANDLOCK_SUBTYPE_STATUS_NB 0 ++#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1) ++ ++/** ++ * DOC: landlock_action_fs ++ * ++ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory ++ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which ++ * include mount actions) ++ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory ++ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory ++ * - %LANDLOCK_ACTION_FS_GET: open or receive a file ++ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory ++ * ++ * Each of the following actions are specific to syscall multiplexers. They ++ * fill the syscall_cmd field from &struct landlock_context with their custom ++ * command. 
++ * ++ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command ++ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command ++ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command ++ */ ++#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0) ++#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1) ++#define LANDLOCK_ACTION_FS_READ (1ULL << 2) ++#define LANDLOCK_ACTION_FS_NEW (1ULL << 3) ++#define LANDLOCK_ACTION_FS_GET (1ULL << 4) ++#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5) ++#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6) ++#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7) ++#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8) ++#define _LANDLOCK_ACTION_FS_NB 9 ++#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1) ++ ++ ++/** ++ * struct landlock_context - context accessible to a Landlock rule ++ * ++ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*) ++ * @arch: indicates system call convention as an AUDIT_ARCH_* value ++ * as defined in ++ * @syscall_nr: the system call number called by the current process (may be ++ * useful to debug: find out from which syscall this request came ++ * from) ++ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g. 
++ * ioctl, fcntl, flock) ++ * @event: event type (&enum landlock_subtype_event) ++ * @arg1: event's first optional argument ++ * @arg2: event's second optional argument ++ */ ++struct landlock_context { ++ __u64 status; ++ __u32 arch; ++ __u32 syscall_nr; ++ __u32 syscall_cmd; ++ __u32 event; ++ __u64 arg1; ++ __u64 arg2; ++}; ++ + #endif /* _UAPI__LINUX_BPF_H__ */ +diff --git a/security/Kconfig b/security/Kconfig +index 118f4549404e..c63194c561c5 100644 +--- a/security/Kconfig ++++ b/security/Kconfig +@@ -164,6 +164,7 @@ source security/tomoyo/Kconfig + source security/apparmor/Kconfig + source security/loadpin/Kconfig + source security/yama/Kconfig ++source security/landlock/Kconfig + + source security/integrity/Kconfig + +diff --git a/security/Makefile b/security/Makefile +index f2d71cdb8e19..3fdc2f19dc48 100644 +--- a/security/Makefile ++++ b/security/Makefile +@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo + subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor + subdir-$(CONFIG_SECURITY_YAMA) += yama + subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin ++subdir-$(CONFIG_SECURITY_LANDLOCK) += landlock + + # always enable default capabilities + obj-y += commoncap.o +@@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ + obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ + obj-$(CONFIG_SECURITY_YAMA) += yama/ + obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ ++obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ + obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o + + # Object integrity file lists +diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig +new file mode 100644 +index 000000000000..aa5808e116f1 +--- /dev/null ++++ b/security/landlock/Kconfig +@@ -0,0 +1,18 @@ ++config SECURITY_LANDLOCK ++ bool "Landlock sandbox support" ++ depends on SECURITY ++ depends on BPF_SYSCALL ++ depends on SECCOMP_FILTER ++ default y ++ help ++ Landlock is a stackable LSM which allows to load a security policy to ++ restrict processes (i.e. create a sandbox). 
The policy is a list of ++ stacked eBPF programs, called rules, dedicated to restrict access to ++ a type of kernel object (e.g. file). ++ ++ You need to enable seccomp filter to apply a security policy to a ++ process hierarchy (e.g. application with built-in sandboxing). ++ ++ See Documentation/security/landlock/ for further information. ++ ++ If you are unsure how to answer this question, answer Y. +diff --git a/security/landlock/Makefile b/security/landlock/Makefile +new file mode 100644 +index 000000000000..7205f9a7a2ee +--- /dev/null ++++ b/security/landlock/Makefile +@@ -0,0 +1,3 @@ ++obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o ++ ++landlock-y := init.o +diff --git a/security/landlock/common.h b/security/landlock/common.h +new file mode 100644 +index 000000000000..a2483405349f +--- /dev/null ++++ b/security/landlock/common.h +@@ -0,0 +1,25 @@ ++/* ++ * Landlock LSM - private headers ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. ++ */ ++ ++#ifndef _SECURITY_LANDLOCK_COMMON_H ++#define _SECURITY_LANDLOCK_COMMON_H ++ ++/** ++ * get_index - get an index for the rules of struct landlock_events ++ * ++ * @event: a Landlock event type ++ */ ++static inline int get_index(enum landlock_subtype_event event) ++{ ++ /* event ID > 0 for loaded programs */ ++ return event - 1; ++} ++ ++#endif /* _SECURITY_LANDLOCK_COMMON_H */ +diff --git a/security/landlock/init.c b/security/landlock/init.c +new file mode 100644 +index 000000000000..0a97026f1c07 +--- /dev/null ++++ b/security/landlock/init.c +@@ -0,0 +1,123 @@ ++/* ++ * Landlock LSM - init ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ */ ++ ++#include /* enum bpf_access_type */ ++#include /* capable */ ++#include /* LANDLOCK_VERSION */ ++ ++ ++static inline bool bpf_landlock_is_valid_access(int off, int size, ++ enum bpf_access_type type, enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype) ++{ ++ if (WARN_ON(!prog_subtype)) ++ return false; ++ ++ switch (prog_subtype->landlock_rule.event) { ++ case LANDLOCK_SUBTYPE_EVENT_FS: ++ case LANDLOCK_SUBTYPE_EVENT_UNSPEC: ++ default: ++ return false; ++ } ++} ++ ++static inline bool bpf_landlock_is_valid_subtype( ++ union bpf_prog_subtype *prog_subtype) ++{ ++ if (WARN_ON(!prog_subtype)) ++ return false; ++ ++ switch (prog_subtype->landlock_rule.event) { ++ case LANDLOCK_SUBTYPE_EVENT_FS: ++ break; ++ case LANDLOCK_SUBTYPE_EVENT_UNSPEC: ++ default: ++ return false; ++ } ++ ++ if (!prog_subtype->landlock_rule.version || ++ prog_subtype->landlock_rule.version > LANDLOCK_VERSION) ++ return false; ++ if (!prog_subtype->landlock_rule.event || ++ prog_subtype->landlock_rule.event > _LANDLOCK_SUBTYPE_EVENT_LAST) ++ return false; ++ if (prog_subtype->landlock_rule.ability & ~_LANDLOCK_SUBTYPE_ABILITY_MASK) ++ return false; ++ if (prog_subtype->landlock_rule.option & ~_LANDLOCK_SUBTYPE_OPTION_MASK) ++ return false; ++ ++ /* check ability flags */ ++ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_WRITE && ++ !capable(CAP_SYS_ADMIN)) ++ return false; ++ if (prog_subtype->landlock_rule.ability & LANDLOCK_SUBTYPE_ABILITY_DEBUG && ++ !capable(CAP_SYS_ADMIN)) ++ return false; ++ ++ return true; ++} ++ ++static inline const struct bpf_func_proto *bpf_landlock_func_proto( ++ enum bpf_func_id func_id, union bpf_prog_subtype *prog_subtype) ++{ ++ bool event_fs = (prog_subtype->landlock_rule.event == ++ LANDLOCK_SUBTYPE_EVENT_FS); ++ bool ability_write = !!(prog_subtype->landlock_rule.ability & ++ LANDLOCK_SUBTYPE_ABILITY_WRITE); ++ bool ability_debug = !!(prog_subtype->landlock_rule.ability & ++ LANDLOCK_SUBTYPE_ABILITY_DEBUG); ++ 
++ switch (func_id) { ++ case BPF_FUNC_map_lookup_elem: ++ return &bpf_map_lookup_elem_proto; ++ ++ /* ability_write */ ++ case BPF_FUNC_map_delete_elem: ++ if (ability_write) ++ return &bpf_map_delete_elem_proto; ++ return NULL; ++ case BPF_FUNC_map_update_elem: ++ if (ability_write) ++ return &bpf_map_update_elem_proto; ++ return NULL; ++ ++ /* ability_debug */ ++ case BPF_FUNC_get_current_comm: ++ if (ability_debug) ++ return &bpf_get_current_comm_proto; ++ return NULL; ++ case BPF_FUNC_get_current_pid_tgid: ++ if (ability_debug) ++ return &bpf_get_current_pid_tgid_proto; ++ return NULL; ++ case BPF_FUNC_get_current_uid_gid: ++ if (ability_debug) ++ return &bpf_get_current_uid_gid_proto; ++ return NULL; ++ case BPF_FUNC_trace_printk: ++ if (ability_debug) ++ return bpf_get_trace_printk_proto(); ++ return NULL; ++ ++ default: ++ return NULL; ++ } ++} ++ ++static const struct bpf_verifier_ops bpf_landlock_ops = { ++ .get_func_proto = bpf_landlock_func_proto, ++ .is_valid_access = bpf_landlock_is_valid_access, ++ .is_valid_subtype = bpf_landlock_is_valid_subtype, ++}; ++ ++static struct bpf_prog_type_list bpf_landlock_type __ro_after_init = { ++ .ops = &bpf_landlock_ops, ++ .type = BPF_PROG_TYPE_LANDLOCK, ++}; +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index aae3b82a673c..0167f61cb3ba 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -95,6 +95,13 @@ enum bpf_prog_type { + BPF_PROG_TYPE_SCHED_ACT, + BPF_PROG_TYPE_TRACEPOINT, + BPF_PROG_TYPE_XDP, ++ BPF_PROG_TYPE_PERF_EVENT, ++ BPF_PROG_TYPE_CGROUP_SKB, ++ BPF_PROG_TYPE_CGROUP_SOCK, ++ BPF_PROG_TYPE_LWT_IN, ++ BPF_PROG_TYPE_LWT_OUT, ++ BPF_PROG_TYPE_LWT_XMIT, ++ BPF_PROG_TYPE_LANDLOCK, + }; + + #define BPF_PSEUDO_MAP_FD 1 +@@ -481,4 +488,108 @@ struct xdp_md { + __u32 data_end; + }; + ++/** ++ * enum landlock_subtype_event - event occurring when an action is performed on ++ * a particular kernel object ++ * ++ * An event is a policy decision 
point which exposes the same context type ++ * (especially the same arg[0-9] field types) for each rule execution. ++ * ++ * @LANDLOCK_SUBTYPE_EVENT_UNSPEC: invalid value ++ * @LANDLOCK_SUBTYPE_EVENT_FS: generic filesystem event ++ */ ++enum landlock_subtype_event { ++ LANDLOCK_SUBTYPE_EVENT_UNSPEC, ++ LANDLOCK_SUBTYPE_EVENT_FS, ++}; ++#define _LANDLOCK_SUBTYPE_EVENT_LAST LANDLOCK_SUBTYPE_EVENT_FS ++ ++/** ++ * DOC: landlock_subtype_access ++ * ++ * eBPF context and functions allowed for a rule ++ * ++ * - LANDLOCK_SUBTYPE_ABILITY_WRITE: allows to directly send notification to ++ * userland (e.g. through a map), which may leaks sensitive information ++ * - LANDLOCK_SUBTYPE_ABILITY_DEBUG: allows to do debug actions (e.g. writing ++ * logs), which may be dangerous and should only be used for rule testing ++ */ ++#define LANDLOCK_SUBTYPE_ABILITY_WRITE (1ULL << 0) ++#define LANDLOCK_SUBTYPE_ABILITY_DEBUG (1ULL << 1) ++#define _LANDLOCK_SUBTYPE_ABILITY_NB 2 ++#define _LANDLOCK_SUBTYPE_ABILITY_MASK ((1ULL << _LANDLOCK_SUBTYPE_ABILITY_NB) - 1) ++ ++/* ++ * Future options for a Landlock rule (e.g. run even if a previous rule denied ++ * an action). ++ */ ++#define _LANDLOCK_SUBTYPE_OPTION_NB 0 ++#define _LANDLOCK_SUBTYPE_OPTION_MASK ((1ULL << _LANDLOCK_SUBTYPE_OPTION_NB) - 1) ++ ++/* ++ * Status visible in the @status field of a context (e.g. already called in ++ * this syscall session, with same args...). ++ * ++ * The @status field exposed to a rule shall depend on the rule version. 
++ */ ++#define _LANDLOCK_SUBTYPE_STATUS_NB 0 ++#define _LANDLOCK_SUBTYPE_STATUS_MASK ((1ULL << _LANDLOCK_SUBTYPE_STATUS_NB) - 1) ++ ++/** ++ * DOC: landlock_action_fs ++ * ++ * - %LANDLOCK_ACTION_FS_EXEC: execute a file or walk through a directory ++ * - %LANDLOCK_ACTION_FS_WRITE: modify a file or a directory view (which ++ * include mount actions) ++ * - %LANDLOCK_ACTION_FS_READ: read a file or a directory ++ * - %LANDLOCK_ACTION_FS_NEW: create a file or a directory ++ * - %LANDLOCK_ACTION_FS_GET: open or receive a file ++ * - %LANDLOCK_ACTION_FS_REMOVE: unlink a file or remove a directory ++ * ++ * Each of the following actions are specific to syscall multiplexers. They ++ * fill the syscall_cmd field from &struct landlock_context with their custom ++ * command. ++ * ++ * - %LANDLOCK_ACTION_FS_IOCTL: ioctl command ++ * - %LANDLOCK_ACTION_FS_LOCK: flock or fcntl lock command ++ * - %LANDLOCK_ACTION_FS_FCNTL: fcntl command ++ */ ++#define LANDLOCK_ACTION_FS_EXEC (1ULL << 0) ++#define LANDLOCK_ACTION_FS_WRITE (1ULL << 1) ++#define LANDLOCK_ACTION_FS_READ (1ULL << 2) ++#define LANDLOCK_ACTION_FS_NEW (1ULL << 3) ++#define LANDLOCK_ACTION_FS_GET (1ULL << 4) ++#define LANDLOCK_ACTION_FS_REMOVE (1ULL << 5) ++#define LANDLOCK_ACTION_FS_IOCTL (1ULL << 6) ++#define LANDLOCK_ACTION_FS_LOCK (1ULL << 7) ++#define LANDLOCK_ACTION_FS_FCNTL (1ULL << 8) ++#define _LANDLOCK_ACTION_FS_NB 9 ++#define _LANDLOCK_ACTION_FS_MASK ((1ULL << _LANDLOCK_ACTION_FS_NB) - 1) ++ ++ ++/** ++ * struct landlock_context - context accessible to a Landlock rule ++ * ++ * @status: bitfield for future use (LANDLOCK_SUBTYPE_STATUS_*) ++ * @arch: indicates system call convention as an AUDIT_ARCH_* value ++ * as defined in ++ * @syscall_nr: the system call number called by the current process (may be ++ * useful to debug: find out from which syscall this request came ++ * from) ++ * @syscall_cmd: contains the command used by a multiplexer syscall (e.g. 
++ * ioctl, fcntl, flock)
++ * @event: event type (&enum landlock_subtype_event)
++ * @arg1: event's first optional argument
++ * @arg2: event's second optional argument
++ */
++struct landlock_context {
++ __u64 status;
++ __u32 arch;
++ __u32 syscall_nr;
++ __u32 syscall_cmd;
++ __u32 event;
++ __u64 arg1;
++ __u64 arg2;
++};
++
+ #endif /* _UAPI__LINUX_BPF_H__ */
+-- 
+2.11.0
+
diff --git a/projects/landlock/kernel-landlock/patches-4.9/0007-bpf-Define-handle_fs-and-add-a-new-helper-bpf_handle.patch b/projects/landlock/kernel-landlock/patches-4.9/0007-bpf-Define-handle_fs-and-add-a-new-helper-bpf_handle.patch
new file mode 100644
index 000000000..4a46c8f21
--- /dev/null
+++ b/projects/landlock/kernel-landlock/patches-4.9/0007-bpf-Define-handle_fs-and-add-a-new-helper-bpf_handle.patch
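Review bot: In security/landlock/init.c, bpf_landlock_func_proto() dereferences prog_subtype in its first statement, while its two siblings bpf_landlock_is_valid_access() and bpf_landlock_is_valid_subtype() both guard the same pointer with `if (WARN_ON(!prog_subtype))`; the callback should open the same way, `if (WARN_ON(!prog_subtype)) return NULL;`, so a missing subtype is reported at verification time rather than becoming a NULL dereference. In bpf_landlock_is_valid_subtype(), the later range check `event > _LANDLOCK_SUBTYPE_EVENT_LAST` can only ever see LANDLOCK_SUBTYPE_EVENT_FS because the preceding switch has already returned false for every other value, so one of the two mechanisms is dead and future events risk being validated in only one of them. bpf_landlock_is_valid_access() rejects every offset for every event, which appears to match the commit message's "minimal (not enabled)" intent, but a one-line comment such as `/* no context access until the FS event is wired up */` would stop a reader from taking it for a bug.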
@@ -0,0 +1,377 @@ +From ca8ae2066f8852a118e0885ab22d22e603001481 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 29 Mar 2017 01:30:33 +0200 +Subject: [PATCH 07/12] bpf: Define handle_fs and add a new helper + bpf_handle_fs_get_mode() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add an eBPF function bpf_handle_fs_get_mode(handle_fs) to get the mode +of a an abstract object wrapping either a file, a dentry, a path, or an +inode. + +Changes since v5: +* cosmetic fixes and rebase + +Changes since v4: +* use a file abstraction (handle) to wrap inode, dentry, path and file + structs +* remove bpf_landlock_cmp_fs_beneath() +* rename the BPF helper and move it to kernel/bpf/ +* tighten helpers accessible by a Landlock rule + +Changes since v3: +* remove bpf_landlock_cmp_fs_prop() (suggested by Alexie Starovoitov) +* add hooks dealing with struct inode and struct path pointers: + inode_permission and inode_getattr +* add abstraction over eBPF helper arguments thanks to wrapping structs +* add bpf_landlock_get_fs_mode() helper to check file type and mode +* merge WARN_ON() (suggested by Kees Cook) +* fix and update bpf_helpers.h +* use BPF_CALL_* for eBPF helpers (suggested by Alexie Starovoitov) +* make handle arraymap safe (RCU) and remove buggy synchronize_rcu() +* factor out the arraymay walk +* use size_t to index array (suggested by Jann Horn) + +Changes since v2: +* add MNT_INTERNAL check to only add file handle from user-visible FS + (e.g. no anonymous inode) +* replace struct file* with struct path* in map_landlock_handle +* add BPF protos +* fix bpf_landlock_cmp_fs_prop_with_struct_file() + +Signed-off-by: Mickaël Salaün +Cc: Alexei Starovoitov +Cc: Andy Lutomirski +Cc: Daniel Borkmann +Cc: David S. Miller +Cc: James Morris +Cc: Kees Cook +Cc: Serge E. 
Hallyn +Cc: Jann Horn +(cherry picked from commit 7cb1d72a1cca9442bc0b9c3eeff621b9d1709296) +--- + include/linux/bpf.h | 33 +++++++++++++++++++++ + include/uapi/linux/bpf.h | 17 +++++++++++ + kernel/bpf/Makefile | 2 +- + kernel/bpf/helpers_fs.c | 52 ++++++++++++++++++++++++++++++++ + kernel/bpf/verifier.c | 6 ++++ + samples/bpf/bpf_helpers.h | 2 ++ + security/landlock/init.c | 6 ++++ + tools/include/uapi/linux/bpf.h | 67 ++++++++++++++++++++++++++++++++++++++++++ + 8 files changed, 184 insertions(+), 1 deletion(-) + create mode 100644 kernel/bpf/helpers_fs.c + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index d4b9ca479f79..d66843a2aafb 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -13,6 +13,11 @@ + #include + #include + ++/* FS helpers */ ++#include /* struct dentry */ ++#include /* struct file, struct inode */ ++#include /* struct path */ ++ + struct perf_event; + struct bpf_map; + +@@ -80,6 +85,8 @@ enum bpf_arg_type { + + ARG_PTR_TO_CTX, /* pointer to context */ + ARG_ANYTHING, /* any (initialized) argument is ok */ ++ ++ ARG_CONST_PTR_TO_HANDLE_FS, /* pointer to an abstract FS struct */ + }; + + /* type of values returned from helper functions */ +@@ -146,6 +153,9 @@ enum bpf_reg_type { + * map element. 
+ */ + PTR_TO_MAP_VALUE_ADJ, ++ ++ /* FS helpers */ ++ CONST_PTR_TO_HANDLE_FS, + }; + + struct bpf_prog; +@@ -215,6 +225,26 @@ struct bpf_event_entry { + struct rcu_head rcu; + }; + ++/* FS helpers */ ++enum bpf_handle_fs_type { ++ BPF_HANDLE_FS_TYPE_NONE, ++ BPF_HANDLE_FS_TYPE_FILE, ++ BPF_HANDLE_FS_TYPE_INODE, ++ BPF_HANDLE_FS_TYPE_PATH, ++ BPF_HANDLE_FS_TYPE_DENTRY, ++}; ++ ++struct bpf_handle_fs { ++ enum bpf_handle_fs_type type; ++ union { ++ struct file *file; ++ struct inode *inode; ++ const struct path *path; ++ struct dentry *dentry; ++ }; ++}; ++ ++ + u64 bpf_tail_call(u64 ctx, u64 r2, u64 index, u64 r4, u64 r5); + u64 bpf_get_stackid(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5); + +@@ -331,6 +361,9 @@ extern const struct bpf_func_proto bpf_skb_vlan_push_proto; + extern const struct bpf_func_proto bpf_skb_vlan_pop_proto; + extern const struct bpf_func_proto bpf_get_stackid_proto; + ++/* FS helpers */ ++extern const struct bpf_func_proto bpf_handle_fs_get_mode_proto; ++ + /* Shared helpers among cBPF and eBPF. 
*/ + void bpf_user_rnd_init_once(void); + u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5); +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index f190be4f609f..6aebf7144e93 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -443,6 +443,23 @@ enum bpf_func_id { + */ + BPF_FUNC_set_hash_invalid, + ++ BPF_FUNC_get_numa_node_id, ++ BPF_FUNC_skb_change_head, ++ BPF_FUNC_xdp_adjust_head, ++ BPF_FUNC_probe_read_str, ++ BPF_FUNC_get_socket_cookie, ++ BPF_FUNC_get_socket_uid, ++ ++ /** ++ * s64 bpf_handle_fs_get_mode(handle_fs) ++ * Get the mode of a struct bpf_handle_fs ++ * fs: struct bpf_handle_fs address ++ * Return: ++ * >= 0 file mode ++ * < 0 error ++ */ ++ BPF_FUNC_handle_fs_get_mode, ++ + __BPF_FUNC_MAX_ID, + }; + +diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile +index eed911d091da..8fffb30ac7a1 100644 +--- a/kernel/bpf/Makefile ++++ b/kernel/bpf/Makefile +@@ -1,6 +1,6 @@ + obj-y := core.o + +-obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o ++obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o helpers_fs.o + obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o + ifeq ($(CONFIG_PERF_EVENTS),y) + obj-$(CONFIG_BPF_SYSCALL) += stackmap.o +diff --git a/kernel/bpf/helpers_fs.c b/kernel/bpf/helpers_fs.c +new file mode 100644 +index 000000000000..d524d382adeb +--- /dev/null ++++ b/kernel/bpf/helpers_fs.c +@@ -0,0 +1,52 @@ ++/* ++ * BPF filesystem helpers ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ */ ++ ++#include /* struct bpf_handle_fs */ ++#include ++#include /* BPF_CALL*() */ ++ ++BPF_CALL_1(bpf_handle_fs_get_mode, struct bpf_handle_fs *, handle_fs) ++{ ++ if (WARN_ON(!handle_fs)) ++ return -EFAULT; ++ if (!handle_fs->file) { ++ /* file can be null for anonymous mmap */ ++ WARN_ON(handle_fs->type != BPF_HANDLE_FS_TYPE_FILE); ++ return -ENOENT; ++ } ++ switch (handle_fs->type) { ++ case BPF_HANDLE_FS_TYPE_FILE: ++ if (WARN_ON(!handle_fs->file->f_inode)) ++ return -ENOENT; ++ return handle_fs->file->f_inode->i_mode; ++ case BPF_HANDLE_FS_TYPE_INODE: ++ return handle_fs->inode->i_mode; ++ case BPF_HANDLE_FS_TYPE_PATH: ++ if (WARN_ON(!handle_fs->path->dentry || ++ !handle_fs->path->dentry->d_inode)) ++ return -ENOENT; ++ return handle_fs->path->dentry->d_inode->i_mode; ++ case BPF_HANDLE_FS_TYPE_DENTRY: ++ if (WARN_ON(!handle_fs->dentry->d_inode)) ++ return -ENOENT; ++ return handle_fs->dentry->d_inode->i_mode; ++ case BPF_HANDLE_FS_TYPE_NONE: ++ default: ++ WARN_ON(1); ++ return -EFAULT; ++ } ++} ++ ++const struct bpf_func_proto bpf_handle_fs_get_mode_proto = { ++ .func = bpf_handle_fs_get_mode, ++ .gpl_only = true, ++ .ret_type = RET_INTEGER, ++ .arg1_type = ARG_CONST_PTR_TO_HANDLE_FS, ++}; +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index f5f082de2f7f..7cecf5099207 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -188,6 +188,7 @@ static const char * const reg_type_str[] = { + [CONST_IMM] = "imm", + [PTR_TO_PACKET] = "pkt", + [PTR_TO_PACKET_END] = "pkt_end", ++ [CONST_PTR_TO_HANDLE_FS] = "handle_fs", + }; + + static void print_verifier_state(struct bpf_verifier_state *state) +@@ -520,6 +521,7 @@ static bool is_spillable_regtype(enum bpf_reg_type type) + case PTR_TO_PACKET_END: + case FRAME_PTR: + case CONST_PTR_TO_MAP: ++ case CONST_PTR_TO_HANDLE_FS: + return true; + default: + return false; +@@ -981,6 +983,10 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, + expected_type = PTR_TO_CTX; + if 
(type != expected_type) + goto err_type; ++ } else if (arg_type == ARG_CONST_PTR_TO_HANDLE_FS) { ++ expected_type = CONST_PTR_TO_HANDLE_FS; ++ if (type != expected_type) ++ goto err_type; + } else if (arg_type == ARG_PTR_TO_STACK || + arg_type == ARG_PTR_TO_RAW_STACK) { + expected_type = PTR_TO_STACK; +diff --git a/samples/bpf/bpf_helpers.h b/samples/bpf/bpf_helpers.h +index dadd5161bd91..d962a5d76725 100644 +--- a/samples/bpf/bpf_helpers.h ++++ b/samples/bpf/bpf_helpers.h +@@ -57,6 +57,8 @@ static int (*bpf_skb_set_tunnel_opt)(void *ctx, void *md, int size) = + (void *) BPF_FUNC_skb_set_tunnel_opt; + static unsigned long long (*bpf_get_prandom_u32)(void) = + (void *) BPF_FUNC_get_prandom_u32; ++static long long (*bpf_handle_fs_get_mode)(void *handle_fs) = ++ (void *) BPF_FUNC_handle_fs_get_mode; + + /* llvm builtin functions that eBPF C program may use to + * emit BPF_LD_ABS and BPF_LD_IND instructions +diff --git a/security/landlock/init.c b/security/landlock/init.c +index 0a97026f1c07..914895d08320 100644 +--- a/security/landlock/init.c ++++ b/security/landlock/init.c +@@ -78,6 +78,12 @@ static inline const struct bpf_func_proto *bpf_landlock_func_proto( + case BPF_FUNC_map_lookup_elem: + return &bpf_map_lookup_elem_proto; + ++ /* event_fs */ ++ case BPF_FUNC_handle_fs_get_mode: ++ if (event_fs) ++ return &bpf_handle_fs_get_mode_proto; ++ return NULL; ++ + /* ability_write */ + case BPF_FUNC_map_delete_elem: + if (ability_write) +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index 0167f61cb3ba..6aebf7144e93 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -393,6 +393,73 @@ enum bpf_func_id { + */ + BPF_FUNC_probe_write_user, + ++ /** ++ * bpf_current_task_under_cgroup(map, index) - Check cgroup2 membership of current task ++ * @map: pointer to bpf_map in BPF_MAP_TYPE_CGROUP_ARRAY type ++ * @index: index of the cgroup in the bpf_map ++ * Return: ++ * == 0 current failed the cgroup2 descendant 
test ++ * == 1 current succeeded the cgroup2 descendant test ++ * < 0 error ++ */ ++ BPF_FUNC_current_task_under_cgroup, ++ ++ /** ++ * bpf_skb_change_tail(skb, len, flags) ++ * The helper will resize the skb to the given new size, ++ * to be used f.e. with control messages. ++ * @skb: pointer to skb ++ * @len: new skb length ++ * @flags: reserved ++ * Return: 0 on success or negative error ++ */ ++ BPF_FUNC_skb_change_tail, ++ ++ /** ++ * bpf_skb_pull_data(skb, len) ++ * The helper will pull in non-linear data in case the ++ * skb is non-linear and not all of len are part of the ++ * linear section. Only needed for read/write with direct ++ * packet access. ++ * @skb: pointer to skb ++ * @len: len to make read/writeable ++ * Return: 0 on success or negative error ++ */ ++ BPF_FUNC_skb_pull_data, ++ ++ /** ++ * bpf_csum_update(skb, csum) ++ * Adds csum into skb->csum in case of CHECKSUM_COMPLETE. ++ * @skb: pointer to skb ++ * @csum: csum to add ++ * Return: csum on success or negative error ++ */ ++ BPF_FUNC_csum_update, ++ ++ /** ++ * bpf_set_hash_invalid(skb) ++ * Invalidate current skb>hash. ++ * @skb: pointer to skb ++ */ ++ BPF_FUNC_set_hash_invalid, ++ ++ BPF_FUNC_get_numa_node_id, ++ BPF_FUNC_skb_change_head, ++ BPF_FUNC_xdp_adjust_head, ++ BPF_FUNC_probe_read_str, ++ BPF_FUNC_get_socket_cookie, ++ BPF_FUNC_get_socket_uid, ++ ++ /** ++ * s64 bpf_handle_fs_get_mode(handle_fs) ++ * Get the mode of a struct bpf_handle_fs ++ * fs: struct bpf_handle_fs address ++ * Return: ++ * >= 0 file mode ++ * < 0 error ++ */ ++ BPF_FUNC_handle_fs_get_mode, ++ + __BPF_FUNC_MAX_ID, + }; + +-- +2.11.0 + diff --git a/projects/landlock/kernel-landlock/patches-4.9/0008-landlock-Add-LSM-hooks-related-to-filesystem.patch b/projects/landlock/kernel-landlock/patches-4.9/0008-landlock-Add-LSM-hooks-related-to-filesystem.patch new file mode 100644 index 000000000..01ce4bc32 --- /dev/null 
+++ b/projects/landlock/kernel-landlock/patches-4.9/0008-landlock-Add-LSM-hooks-related-to-filesystem.patch 
@@ -0,0 +1,1052 @@ +From 4cddce4529373b7e903b140220473183f8a813ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 29 Mar 2017 01:30:33 +0200 +Subject: [PATCH 08/12] landlock: Add LSM hooks related to filesystem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Handle 33 filesystem-related LSM hooks for the Landlock filesystem +event: LANDLOCK_SUBTYPE_EVENT_FS. + +A Landlock event wrap LSM hooks for similar kernel object types (e.g. +struct file, struct path...). Multiple LSM hooks can trigger the same +Landlock event. + +Landlock handle nine coarse-grained actions: read, write, execute, new, +get, remove, ioctl, lock and fcntl. Each of them abstract LSM hook +access control in a way that can be extended in the future. + +The Landlock LSM hook registration is done after other LSM to only run +actions from user-space, via eBPF programs, if the access was granted by +major (privileged) LSMs. + +Changes since v5: +* split hooks.[ch] into hooks.[ch] and hooks_fs.[ch] +* add more documentation +* cosmetic fixes + +Changes since v4: +* add LSM hook abstraction called Landlock event + * use the compiler type checking to verify hooks use by an event + * handle all filesystem related LSM hooks (e.g. file_permission, + mmap_file, sb_mount...) +* register BPF programs for Landlock just after LSM hooks registration +* move hooks registration after other LSMs +* add failsafes to check if a hook is not used by the kernel +* allow partial raw value access form the context (needed for programs + generated by LLVM) + +Changes since v3: +* split commit +* add hooks dealing with struct inode and struct path pointers: + inode_permission and inode_getattr +* add abstraction over eBPF helper arguments thanks to wrapping structs + +Signed-off-by: Mickaël Salaün +Cc: Alexei Starovoitov +Cc: Andy Lutomirski +Cc: Daniel Borkmann +Cc: David S. Miller +Cc: James Morris +Cc: Kees Cook +Cc: Serge E. 
Hallyn +(cherry picked from commit 3a41a0423f66fbb5e68f655bd80cb575a7de3321) +--- + include/linux/lsm_hooks.h | 5 + + security/landlock/Makefile | 4 +- + security/landlock/hooks.c | 115 +++++++++ + security/landlock/hooks.h | 177 ++++++++++++++ + security/landlock/hooks_fs.c | 563 +++++++++++++++++++++++++++++++++++++++++++ + security/landlock/hooks_fs.h | 19 ++ + security/landlock/init.c | 13 + + security/security.c | 7 +- + 8 files changed, 901 insertions(+), 2 deletions(-) + create mode 100644 security/landlock/hooks.c + create mode 100644 security/landlock/hooks.h + create mode 100644 security/landlock/hooks_fs.c + create mode 100644 security/landlock/hooks_fs.h + +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index 558adfa5c8a8..069af34301d4 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -1933,5 +1933,10 @@ void __init loadpin_add_hooks(void); + #else + static inline void loadpin_add_hooks(void) { }; + #endif ++#ifdef CONFIG_SECURITY_LANDLOCK ++extern void __init landlock_add_hooks(void); ++#else ++static inline void __init landlock_add_hooks(void) { } ++#endif /* CONFIG_SECURITY_LANDLOCK */ + + #endif /* ! 
__LINUX_LSM_HOOKS_H */ +diff --git a/security/landlock/Makefile b/security/landlock/Makefile +index 7205f9a7a2ee..c0db504a6335 100644 +--- a/security/landlock/Makefile ++++ b/security/landlock/Makefile +@@ -1,3 +1,5 @@ ++ccflags-$(CONFIG_SECURITY_LANDLOCK) += -Werror=unused-function ++ + obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o + +-landlock-y := init.o ++landlock-y := init.o hooks.o hooks_fs.o +diff --git a/security/landlock/hooks.c b/security/landlock/hooks.c +new file mode 100644 +index 000000000000..eaee8162ff70 +--- /dev/null ++++ b/security/landlock/hooks.c +@@ -0,0 +1,115 @@ ++/* ++ * Landlock LSM - hooks helpers ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. ++ */ ++ ++#include ++#include /* task_pt_regs() */ ++#include /* syscall_get_nr(), syscall_get_arch() */ ++#include /* enum bpf_access_type, struct landlock_context */ ++#include /* EPERM */ ++#include /* BPF_PROG_RUN() */ ++#include /* struct landlock_rule */ ++#include ++#include /* list_add_tail_rcu */ ++#include /* offsetof */ ++ ++#include "common.h" /* get_index() */ ++#include "hooks.h" /* CTX_ARG_NB */ ++ ++ ++__init void landlock_register_hooks(struct security_hook_list *hooks, int count) ++{ ++ int i; ++ ++ for (i = 0; i < count; i++) { ++ hooks[i].lsm = "landlock"; ++ list_add_tail_rcu(&hooks[i].list, hooks[i].head); ++ } ++} ++ ++bool landlock_is_valid_access(int off, int size, enum bpf_access_type type, ++ enum bpf_reg_type *reg_type, ++ enum bpf_reg_type ctx_types[CTX_ARG_NB], ++ union bpf_prog_subtype *prog_subtype) ++{ ++ int max_size; ++ ++ if (type != BPF_READ) ++ return false; ++ if (off < 0 || off >= sizeof(struct landlock_context)) ++ return false; ++ if (size <= 0 || size > sizeof(__u64)) ++ return false; ++ ++ /* set max size */ ++ switch (off) { ++ case offsetof(struct 
landlock_context, arch): ++ case offsetof(struct landlock_context, syscall_nr): ++ case offsetof(struct landlock_context, syscall_cmd): ++ case offsetof(struct landlock_context, event): ++ max_size = sizeof(__u32); ++ break; ++ case offsetof(struct landlock_context, status): ++ case offsetof(struct landlock_context, arg1): ++ case offsetof(struct landlock_context, arg2): ++ max_size = sizeof(__u64); ++ break; ++ default: ++ return false; ++ } ++ ++ /* set register type */ ++ switch (off) { ++ case offsetof(struct landlock_context, arg1): ++ *reg_type = ctx_types[0]; ++ break; ++ case offsetof(struct landlock_context, arg2): ++ *reg_type = ctx_types[1]; ++ break; ++ default: ++ *reg_type = UNKNOWN_VALUE; ++ } ++ ++ /* check memory range access */ ++ switch (*reg_type) { ++ case NOT_INIT: ++ return false; ++ case UNKNOWN_VALUE: ++ case CONST_IMM: ++ /* allow partial raw value */ ++ if (size > max_size) ++ return false; ++ break; ++ default: ++ /* deny partial pointer */ ++ if (size != max_size) ++ return false; ++ } ++ ++ return true; ++} ++ ++int landlock_decide(enum landlock_subtype_event event, ++ __u64 ctx_values[CTX_ARG_NB], u32 cmd, const char *hook) ++{ ++ bool deny = false; ++ u32 event_idx = get_index(event); ++ ++ struct landlock_context ctx = { ++ .status = 0, ++ .arch = syscall_get_arch(), ++ .syscall_nr = syscall_get_nr(current, task_pt_regs(current)), ++ .syscall_cmd = cmd, ++ .event = event, ++ .arg1 = ctx_values[0], ++ .arg2 = ctx_values[1], ++ }; ++ ++ return deny ? -EPERM : 0; ++} +diff --git a/security/landlock/hooks.h b/security/landlock/hooks.h +new file mode 100644 +index 000000000000..2e180f6ed86b +--- /dev/null ++++ b/security/landlock/hooks.h +@@ -0,0 +1,177 @@ ++/* ++ * Landlock LSM - hooks helpers ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ */ ++ ++#include ++#include /* enum bpf_access_type */ ++#include ++#include /* struct task_struct */ ++ ++/* separators */ ++#define SEP_COMMA() , ++#define SEP_SPACE() ++#define SEP_AND() && ++ ++#define MAP2x1(s, m, x1, x2, ...) m(x1, x2) ++#define MAP2x2(s, m, x1, x2, ...) m(x1, x2) s() MAP2x1(s, m, __VA_ARGS__) ++#define MAP2x3(s, m, x1, x2, ...) m(x1, x2) s() MAP2x2(s, m, __VA_ARGS__) ++#define MAP2x4(s, m, x1, x2, ...) m(x1, x2) s() MAP2x3(s, m, __VA_ARGS__) ++#define MAP2x5(s, m, x1, x2, ...) m(x1, x2) s() MAP2x4(s, m, __VA_ARGS__) ++#define MAP2x6(s, m, x1, x2, ...) m(x1, x2) s() MAP2x5(s, m, __VA_ARGS__) ++#define MAP2x(n, ...) MAP2x##n(__VA_ARGS__) ++ ++#define MAP1x1(s, m, x1, ...) m(x1) ++#define MAP1x2(s, m, x1, ...) m(x1) s() MAP1x1(s, m, __VA_ARGS__) ++#define MAP1x(n, ...) MAP1x##n(__VA_ARGS__) ++ ++#define SKIP2x1(x1, x2, ...) __VA_ARGS__ ++#define SKIP2x2(x1, x2, ...) SKIP2x1(__VA_ARGS__) ++#define SKIP2x3(x1, x2, ...) SKIP2x2(__VA_ARGS__) ++#define SKIP2x4(x1, x2, ...) SKIP2x3(__VA_ARGS__) ++#define SKIP2x5(x1, x2, ...) SKIP2x4(__VA_ARGS__) ++#define SKIP2x6(x1, x2, ...) SKIP2x5(__VA_ARGS__) ++#define SKIP2x(n, ...) SKIP2x##n(__VA_ARGS__) ++ ++/* LSM hook argument helpers */ ++#define MAP_HOOK_COMMA(n, ...) MAP2x(n, SEP_COMMA, __VA_ARGS__) ++ ++#define GET_HOOK_TA(t, a) t a ++ ++/* Landlock event argument helpers */ ++#define MAP_EVENT_COMMA(h, n, m, ...) MAP2x(n, SEP_COMMA, m, SKIP2x(h, __VA_ARGS__)) ++#define MAP_EVENT_SPACE(h, n, m, ...) MAP2x(n, SEP_SPACE, m, SKIP2x(h, __VA_ARGS__)) ++#define MAP_EVENT_AND(h, n, m, ...) MAP2x(n, SEP_AND, m, SKIP2x(h, __VA_ARGS__)) ++ ++#define GET_CMD(h, n, ...) 
SKIP2x(n, SKIP2x(h, __VA_ARGS__)) ++ ++#define EXPAND_TYPE(d) d##_TYPE ++#define EXPAND_BPF(d) d##_BPF ++#define EXPAND_C(d) d##_C ++ ++#define GET_TYPE_BPF(t) EXPAND_BPF(t) ++#define GET_TYPE_C(t) EXPAND_C(t) * ++ ++#define GET_EVENT_C(d, a) GET_TYPE_C(EXPAND_TYPE(d)) ++#define GET_EVENT_U64(d, a) ((u64)(d##_VAL(a))) ++#define GET_EVENT_DEC(d, a) d##_DEC(a) ++#define GET_EVENT_OK(d, a) d##_OK(a) ++ ++/** ++ * HOOK_ACCESS ++ * ++ * @EVENT: Landlock event name ++ * @NA: number of event arguments ++ * ++ * The __consistent_##EVENT() extern functions and __wrapcheck_* types are ++ * useful to catch inconsistencies in LSM hook definitions thanks to the ++ * compiler type checking. ++ */ ++#define HOOK_ACCESS(EVENT, NA, ...) \ ++ inline bool landlock_is_valid_access_event_##EVENT( \ ++ int off, int size, enum bpf_access_type type, \ ++ enum bpf_reg_type *reg_type, \ ++ union bpf_prog_subtype *prog_subtype) \ ++ { \ ++ enum bpf_reg_type _ctx_types[CTX_ARG_NB] = { \ ++ MAP1x(NA, SEP_COMMA, GET_TYPE_BPF, __VA_ARGS__) \ ++ }; \ ++ return landlock_is_valid_access(off, size, type, \ ++ reg_type, _ctx_types, prog_subtype); \ ++ } \ ++ extern void __consistent_##EVENT( \ ++ MAP1x(NA, SEP_COMMA, GET_TYPE_C, __VA_ARGS__)) ++ ++/** ++ * HOOK_NEW ++ * ++ * @INST: event instance for this hook ++ * @EVENT: Landlock event name ++ * @NE: number of event arguments ++ * @HOOK: LSM hook name ++ * @NH: number of hook arguments ++ */ ++#define HOOK_NEW(INST, EVENT, NE, HOOK, NH, ...) 
\ ++ static int landlock_hook_##EVENT##_##HOOK##_##INST( \ ++ MAP_HOOK_COMMA(NH, GET_HOOK_TA, __VA_ARGS__)) \ ++ { \ ++ if (!landlocked(current)) \ ++ return 0; \ ++ if (!(MAP_EVENT_AND(NH, NE, GET_EVENT_OK, \ ++ __VA_ARGS__))) \ ++ return 0; \ ++ { \ ++ MAP_EVENT_SPACE(NH, NE, GET_EVENT_DEC, __VA_ARGS__) \ ++ __u64 _ctx_values[CTX_ARG_NB] = { \ ++ MAP_EVENT_COMMA(NH, NE, GET_EVENT_U64, \ ++ __VA_ARGS__) \ ++ }; \ ++ u32 _cmd = GET_CMD(NH, NE, __VA_ARGS__); \ ++ return landlock_decide(LANDLOCK_SUBTYPE_EVENT_##EVENT, \ ++ _ctx_values, _cmd, #HOOK); \ ++ } \ ++ } \ ++ extern void __consistent_##EVENT(MAP_EVENT_COMMA( \ ++ NH, NE, GET_EVENT_C, __VA_ARGS__)) ++ ++/* ++ * The WRAP_TYPE_* definitions group the bpf_reg_type enum value and the C ++ * type. This C type may remains unused except to catch inconsistencies in LSM ++ * hook definitions thanks to the compiler type checking. ++ */ ++ ++/* WRAP_TYPE_NONE */ ++#define WRAP_TYPE_NONE_BPF NOT_INIT ++#define WRAP_TYPE_NONE_C struct __wrapcheck_none ++WRAP_TYPE_NONE_C; ++ ++/* WRAP_TYPE_RAW */ ++#define WRAP_TYPE_RAW_BPF UNKNOWN_VALUE ++#define WRAP_TYPE_RAW_C struct __wrapcheck_raw ++WRAP_TYPE_RAW_C; ++ ++/* ++ * The WRAP_ARG_* definitions group the LSM hook argument type (C and BPF), the ++ * wrapping struct declaration (if any) and the value to copy to the BPF ++ * context. This definitions may be used thanks to the EXPAND_* helpers. ++ * ++ * WRAP_ARG_*_TYPE: type for BPF and C (cf. 
WRAP_TYPE_*) ++ * WRAP_ARG_*_DEC: declare a wrapper ++ * WRAP_ARG_*_VAL: get this wrapper's address ++ * WRAP_ARG_*_OK: check if the argument is usable ++ */ ++ ++/* WRAP_ARG_NONE */ ++#define WRAP_ARG_NONE_TYPE WRAP_TYPE_NONE ++#define WRAP_ARG_NONE_DEC(arg) ++#define WRAP_ARG_NONE_VAL(arg) 0 ++#define WRAP_ARG_NONE_OK(arg) (!WARN_ON(true)) ++ ++/* WRAP_ARG_RAW */ ++#define WRAP_ARG_RAW_TYPE WRAP_TYPE_RAW ++#define WRAP_ARG_RAW_DEC(arg) ++#define WRAP_ARG_RAW_VAL(arg) arg ++#define WRAP_ARG_RAW_OK(arg) (true) ++ ++ ++#define CTX_ARG_NB 2 ++ ++static inline bool landlocked(const struct task_struct *task) ++{ ++ return false; ++} ++ ++__init void landlock_register_hooks(struct security_hook_list *hooks, int count); ++ ++bool landlock_is_valid_access(int off, int size, enum bpf_access_type type, ++ enum bpf_reg_type *reg_type, ++ enum bpf_reg_type ctx_types[CTX_ARG_NB], ++ union bpf_prog_subtype *prog_subtype); ++ ++int landlock_decide(enum landlock_subtype_event event, ++ __u64 ctx_values[CTX_ARG_NB], u32 cmd, const char *hook); +diff --git a/security/landlock/hooks_fs.c b/security/landlock/hooks_fs.c +new file mode 100644 +index 000000000000..6578f21783c7 +--- /dev/null ++++ b/security/landlock/hooks_fs.c +@@ -0,0 +1,563 @@ ++/* ++ * Landlock LSM - filesystem hooks ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ */ ++ ++#include /* ARRAY_SIZE */ ++#include ++#include /* uintptr_t */ ++ ++/* permissions translation */ ++#include /* MAY_* */ ++#include /* PROT_* */ ++ ++/* hook arguments */ ++#include ++#include /* struct dentry */ ++#include /* struct inode, struct iattr */ ++#include /* struct vm_area_struct */ ++#include /* struct vfsmount */ ++#include /* struct path */ ++#include /* struct task_struct */ ++#include /* struct timespec */ ++ ++#include "hooks.h" ++ ++#include "hooks_fs.h" ++ ++ ++#define HOOK_NEW_FS(...) HOOK_NEW(1, FS, 2, __VA_ARGS__, 0) ++#define HOOK_NEW_FS2(...) HOOK_NEW(2, FS, 2, __VA_ARGS__, 0) ++#define HOOK_NEW_FS3(...) HOOK_NEW(3, FS, 2, __VA_ARGS__, 0) ++#define HOOK_NEW_FS4(...) HOOK_NEW(4, FS, 2, __VA_ARGS__, 0) ++#define HOOK_NEW_FS_CMD(...) HOOK_NEW(1, FS, 2, __VA_ARGS__) ++#define HOOK_INIT_FS(HOOK) LSM_HOOK_INIT(HOOK, landlock_hook_FS_##HOOK##_1) ++#define HOOK_INIT_FS2(HOOK) LSM_HOOK_INIT(HOOK, landlock_hook_FS_##HOOK##_2) ++#define HOOK_INIT_FS3(HOOK) LSM_HOOK_INIT(HOOK, landlock_hook_FS_##HOOK##_3) ++#define HOOK_INIT_FS4(HOOK) LSM_HOOK_INIT(HOOK, landlock_hook_FS_##HOOK##_4) ++ ++/* WRAP_TYPE_FS */ ++#define WRAP_TYPE_FS_BPF CONST_PTR_TO_HANDLE_FS ++#define WRAP_TYPE_FS_C const struct bpf_handle_fs ++ ++/* WRAP_ARG_FILE */ ++#define WRAP_ARG_FILE_TYPE WRAP_TYPE_FS ++#define WRAP_ARG_FILE_DEC(arg) \ ++ EXPAND_C(WRAP_TYPE_FS) wrap_##arg = \ ++ { .type = BPF_HANDLE_FS_TYPE_FILE, .file = arg }; ++#define WRAP_ARG_FILE_VAL(arg) ((uintptr_t)&wrap_##arg) ++#define WRAP_ARG_FILE_OK(arg) (arg) ++ ++/* WRAP_ARG_VMAF */ ++#define WRAP_ARG_VMAF_TYPE WRAP_TYPE_FS ++#define WRAP_ARG_VMAF_DEC(arg) \ ++ EXPAND_C(WRAP_TYPE_FS) wrap_##arg = \ ++ { .type = BPF_HANDLE_FS_TYPE_FILE, .file = arg->vm_file }; ++#define WRAP_ARG_VMAF_VAL(arg) ((uintptr_t)&wrap_##arg) ++#define WRAP_ARG_VMAF_OK(arg) (arg && arg->vm_file) ++ ++/* WRAP_ARG_INODE */ ++#define WRAP_ARG_INODE_TYPE WRAP_TYPE_FS ++#define WRAP_ARG_INODE_DEC(arg) \ ++ EXPAND_C(WRAP_TYPE_FS) 
wrap_##arg = \ ++ { .type = BPF_HANDLE_FS_TYPE_INODE, .inode = arg }; ++#define WRAP_ARG_INODE_VAL(arg) ((uintptr_t)&wrap_##arg) ++#define WRAP_ARG_INODE_OK(arg) (arg) ++ ++/* WRAP_ARG_PATH */ ++#define WRAP_ARG_PATH_TYPE WRAP_TYPE_FS ++#define WRAP_ARG_PATH_DEC(arg) \ ++ EXPAND_C(WRAP_TYPE_FS) wrap_##arg = \ ++ { .type = BPF_HANDLE_FS_TYPE_PATH, .path = arg }; ++#define WRAP_ARG_PATH_VAL(arg) ((uintptr_t)&wrap_##arg) ++#define WRAP_ARG_PATH_OK(arg) (arg) ++ ++/* WRAP_ARG_DENTRY */ ++#define WRAP_ARG_DENTRY_TYPE WRAP_TYPE_FS ++#define WRAP_ARG_DENTRY_DEC(arg) \ ++ EXPAND_C(WRAP_TYPE_FS) wrap_##arg = \ ++ { .type = BPF_HANDLE_FS_TYPE_DENTRY, .dentry = arg }; ++#define WRAP_ARG_DENTRY_VAL(arg) ((uintptr_t)&wrap_##arg) ++#define WRAP_ARG_DENTRY_OK(arg) (arg) ++ ++/* WRAP_ARG_SB */ ++#define WRAP_ARG_SB_TYPE WRAP_TYPE_FS ++#define WRAP_ARG_SB_DEC(arg) \ ++ EXPAND_C(WRAP_TYPE_FS) wrap_##arg = \ ++ { .type = BPF_HANDLE_FS_TYPE_DENTRY, .dentry = arg->s_root }; ++#define WRAP_ARG_SB_VAL(arg) ((uintptr_t)&wrap_##arg) ++#define WRAP_ARG_SB_OK(arg) (arg && arg->s_root) ++ ++/* WRAP_ARG_MNTROOT */ ++#define WRAP_ARG_MNTROOT_TYPE WRAP_TYPE_FS ++#define WRAP_ARG_MNTROOT_DEC(arg) \ ++ EXPAND_C(WRAP_TYPE_FS) wrap_##arg = \ ++ { .type = BPF_HANDLE_FS_TYPE_DENTRY, .dentry = arg->mnt_root }; ++#define WRAP_ARG_MNTROOT_VAL(arg) ((uintptr_t)&wrap_##arg) ++#define WRAP_ARG_MNTROOT_OK(arg) (arg && arg->mnt_root) ++ ++ ++static inline u64 fs_may_to_access(int fs_may) ++{ ++ u64 ret = 0; ++ ++ if (fs_may & MAY_EXEC) ++ ret |= LANDLOCK_ACTION_FS_EXEC; ++ if (fs_may & MAY_READ) ++ ret |= LANDLOCK_ACTION_FS_READ; ++ if (fs_may & MAY_WRITE) ++ ret |= LANDLOCK_ACTION_FS_WRITE; ++ if (fs_may & MAY_APPEND) ++ ret |= LANDLOCK_ACTION_FS_WRITE; ++ if (fs_may & MAY_OPEN) ++ ret |= LANDLOCK_ACTION_FS_GET; ++ /* ignore MAY_CHDIR and MAY_ACCESS */ ++ ++ return ret; ++} ++ ++static u64 mem_prot_to_access(unsigned long prot, bool private) ++{ ++ u64 ret = 0; ++ ++ /* private mapping do not write to files 
*/ ++ if (!private && (prot & PROT_WRITE)) ++ ret |= LANDLOCK_ACTION_FS_WRITE; ++ if (prot & PROT_READ) ++ ret |= LANDLOCK_ACTION_FS_READ; ++ if (prot & PROT_EXEC) ++ ret |= LANDLOCK_ACTION_FS_EXEC; ++ ++ return ret; ++} ++ ++/* hook definitions */ ++ ++HOOK_ACCESS(FS, 2, WRAP_TYPE_FS, WRAP_TYPE_RAW); ++ ++/* binder_* hooks */ ++ ++HOOK_NEW_FS(binder_transfer_file, 3, ++ struct task_struct *, from, ++ struct task_struct *, to, ++ struct file *, file, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++/* sb_* hooks */ ++ ++HOOK_NEW_FS(sb_statfs, 1, ++ struct dentry *, dentry, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++/* ++ * Being able to mount on a path means being able to override the underlying ++ * filesystem view of this path, hence the need for a write access right. ++ */ ++HOOK_NEW_FS(sb_mount, 5, ++ const char *, dev_name, ++ const struct path *, path, ++ const char *, type, ++ unsigned long, flags, ++ void *, data, ++ WRAP_ARG_PATH, path, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS(sb_remount, 2, ++ struct super_block *, sb, ++ void *, data, ++ WRAP_ARG_SB, sb, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS(sb_umount, 2, ++ struct vfsmount *, mnt, ++ int, flags, ++ WRAP_ARG_MNTROOT, mnt, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++/* ++ * The old_path is similar to a destination mount point. 
++ */ ++HOOK_NEW_FS(sb_pivotroot, 2, ++ const struct path *, old_path, ++ const struct path *, new_path, ++ WRAP_ARG_PATH, old_path, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++/* inode_* hooks */ ++ ++/* a directory inode contains only one dentry */ ++HOOK_NEW_FS(inode_create, 3, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ umode_t, mode, ++ WRAP_ARG_INODE, dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS2(inode_create, 3, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ umode_t, mode, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_NEW ++); ++ ++HOOK_NEW_FS(inode_link, 3, ++ struct dentry *, old_dentry, ++ struct inode *, dir, ++ struct dentry *, new_dentry, ++ WRAP_ARG_DENTRY, old_dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++HOOK_NEW_FS2(inode_link, 3, ++ struct dentry *, old_dentry, ++ struct inode *, dir, ++ struct dentry *, new_dentry, ++ WRAP_ARG_INODE, dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS3(inode_link, 3, ++ struct dentry *, old_dentry, ++ struct inode *, dir, ++ struct dentry *, new_dentry, ++ WRAP_ARG_DENTRY, new_dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_NEW ++); ++ ++HOOK_NEW_FS(inode_unlink, 2, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ WRAP_ARG_INODE, dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS2(inode_unlink, 2, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_REMOVE ++); ++ ++HOOK_NEW_FS(inode_symlink, 3, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ const char *, old_name, ++ WRAP_ARG_INODE, dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS2(inode_symlink, 3, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ const char *, old_name, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_NEW ++); ++ ++HOOK_NEW_FS(inode_mkdir, 3, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ umode_t, mode, ++ 
WRAP_ARG_INODE, dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS2(inode_mkdir, 3, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ umode_t, mode, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_NEW ++); ++ ++HOOK_NEW_FS(inode_rmdir, 2, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ WRAP_ARG_INODE, dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS2(inode_rmdir, 2, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_REMOVE ++); ++ ++HOOK_NEW_FS(inode_mknod, 4, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ umode_t, mode, ++ dev_t, dev, ++ WRAP_ARG_INODE, dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS2(inode_mknod, 4, ++ struct inode *, dir, ++ struct dentry *, dentry, ++ umode_t, mode, ++ dev_t, dev, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_NEW ++); ++ ++HOOK_NEW_FS(inode_rename, 4, ++ struct inode *, old_dir, ++ struct dentry *, old_dentry, ++ struct inode *, new_dir, ++ struct dentry *, new_dentry, ++ WRAP_ARG_INODE, old_dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS2(inode_rename, 4, ++ struct inode *, old_dir, ++ struct dentry *, old_dentry, ++ struct inode *, new_dir, ++ struct dentry *, new_dentry, ++ WRAP_ARG_DENTRY, old_dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_REMOVE ++); ++ ++HOOK_NEW_FS3(inode_rename, 4, ++ struct inode *, old_dir, ++ struct dentry *, old_dentry, ++ struct inode *, new_dir, ++ struct dentry *, new_dentry, ++ WRAP_ARG_INODE, new_dir, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS4(inode_rename, 4, ++ struct inode *, old_dir, ++ struct dentry *, old_dentry, ++ struct inode *, new_dir, ++ struct dentry *, new_dentry, ++ WRAP_ARG_DENTRY, new_dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_NEW ++); ++ ++HOOK_NEW_FS(inode_readlink, 1, ++ struct dentry *, dentry, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, 
LANDLOCK_ACTION_FS_READ ++); ++ ++// XXX: handle inode? ++HOOK_NEW_FS(inode_follow_link, 3, ++ struct dentry *, dentry, ++ struct inode *, inode, ++ bool, rcu, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++HOOK_NEW_FS(inode_permission, 2, ++ struct inode *, inode, ++ int, mask, ++ WRAP_ARG_INODE, inode, ++ WRAP_ARG_RAW, fs_may_to_access(mask) ++); ++ ++HOOK_NEW_FS(inode_setattr, 2, ++ struct dentry *, dentry, ++ struct iattr *, attr, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS(inode_getattr, 1, ++ const struct path *, path, ++ WRAP_ARG_PATH, path, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++HOOK_NEW_FS(inode_setxattr, 5, ++ struct dentry *, dentry, ++ const char *, name, ++ const void *, value, ++ size_t, size, ++ int, flags, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS(inode_getxattr, 2, ++ struct dentry *, dentry, ++ const char *, name, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++HOOK_NEW_FS(inode_listxattr, 1, ++ struct dentry *, dentry, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++HOOK_NEW_FS(inode_removexattr, 2, ++ struct dentry *, dentry, ++ const char *, name, ++ WRAP_ARG_DENTRY, dentry, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++HOOK_NEW_FS(inode_getsecurity, 4, ++ struct inode *, inode, ++ const char *, name, ++ void **, buffer, ++ bool, alloc, ++ WRAP_ARG_INODE, inode, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_READ ++); ++ ++HOOK_NEW_FS(inode_setsecurity, 5, ++ struct inode *, inode, ++ const char *, name, ++ const void *, value, ++ size_t, size, ++ int, flag, ++ WRAP_ARG_INODE, inode, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_WRITE ++); ++ ++/* file_* hooks */ ++ ++HOOK_NEW_FS(file_permission, 2, ++ struct file *, file, ++ int, mask, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, fs_may_to_access(mask) ++); ++ ++/* ++ * An ioctl command can be a read or a write. 
This can be checked with _IOC*() ++ * for some commands but a Landlock rule should check the ioctl command to ++ * whitelist them. ++ */ ++HOOK_NEW_FS_CMD(file_ioctl, 3, ++ struct file *, file, ++ unsigned int, cmd, ++ unsigned long, arg, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_IOCTL, ++ cmd ++); ++ ++HOOK_NEW_FS_CMD(file_lock, 2, ++ struct file *, file, ++ unsigned int, cmd, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_LOCK, ++ cmd ++); ++ ++HOOK_NEW_FS_CMD(file_fcntl, 3, ++ struct file *, file, ++ unsigned int, cmd, ++ unsigned long, arg, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_FCNTL, ++ cmd ++); ++ ++HOOK_NEW_FS(mmap_file, 4, ++ struct file *, file, ++ unsigned long, reqprot, ++ unsigned long, prot, ++ unsigned long, flags, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, mem_prot_to_access(prot, flags & MAP_PRIVATE) ++); ++ ++HOOK_NEW_FS(file_mprotect, 3, ++ struct vm_area_struct *, vma, ++ unsigned long, reqprot, ++ unsigned long, prot, ++ WRAP_ARG_VMAF, vma, ++ WRAP_ARG_RAW, mem_prot_to_access(prot, !(vma->vm_flags & VM_SHARED)) ++); ++ ++HOOK_NEW_FS(file_receive, 1, ++ struct file *, file, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_GET ++); ++ ++HOOK_NEW_FS(file_open, 2, ++ struct file *, file, ++ const struct cred *, cred, ++ WRAP_ARG_FILE, file, ++ WRAP_ARG_RAW, LANDLOCK_ACTION_FS_GET ++); ++ ++static struct security_hook_list landlock_hooks[] = { ++ HOOK_INIT_FS(binder_transfer_file), ++ ++ HOOK_INIT_FS(sb_statfs), ++ HOOK_INIT_FS(sb_mount), ++ HOOK_INIT_FS(sb_remount), ++ HOOK_INIT_FS(sb_umount), ++ HOOK_INIT_FS(sb_pivotroot), ++ ++ HOOK_INIT_FS(inode_create), ++ HOOK_INIT_FS2(inode_create), ++ HOOK_INIT_FS(inode_link), ++ HOOK_INIT_FS2(inode_link), ++ HOOK_INIT_FS3(inode_link), ++ HOOK_INIT_FS(inode_unlink), ++ HOOK_INIT_FS2(inode_unlink), ++ HOOK_INIT_FS(inode_symlink), ++ HOOK_INIT_FS2(inode_symlink), ++ HOOK_INIT_FS(inode_mkdir), ++ HOOK_INIT_FS2(inode_mkdir), ++ 
HOOK_INIT_FS(inode_rmdir), ++ HOOK_INIT_FS2(inode_rmdir), ++ HOOK_INIT_FS(inode_mknod), ++ HOOK_INIT_FS2(inode_mknod), ++ HOOK_INIT_FS(inode_rename), ++ HOOK_INIT_FS2(inode_rename), ++ HOOK_INIT_FS3(inode_rename), ++ HOOK_INIT_FS4(inode_rename), ++ HOOK_INIT_FS(inode_readlink), ++ HOOK_INIT_FS(inode_follow_link), ++ HOOK_INIT_FS(inode_permission), ++ HOOK_INIT_FS(inode_setattr), ++ HOOK_INIT_FS(inode_getattr), ++ HOOK_INIT_FS(inode_setxattr), ++ HOOK_INIT_FS(inode_getxattr), ++ HOOK_INIT_FS(inode_listxattr), ++ HOOK_INIT_FS(inode_removexattr), ++ HOOK_INIT_FS(inode_getsecurity), ++ HOOK_INIT_FS(inode_setsecurity), ++ ++ HOOK_INIT_FS(file_permission), ++ HOOK_INIT_FS(file_ioctl), ++ HOOK_INIT_FS(file_lock), ++ HOOK_INIT_FS(file_fcntl), ++ HOOK_INIT_FS(mmap_file), ++ HOOK_INIT_FS(file_mprotect), ++ HOOK_INIT_FS(file_receive), ++ HOOK_INIT_FS(file_open), ++}; ++ ++__init void landlock_add_hooks_fs(void) ++{ ++ landlock_register_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks)); ++} +diff --git a/security/landlock/hooks_fs.h b/security/landlock/hooks_fs.h +new file mode 100644 +index 000000000000..093c72bb91dc +--- /dev/null ++++ b/security/landlock/hooks_fs.h +@@ -0,0 +1,19 @@ ++/* ++ * Landlock LSM - filesystem hooks ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ */ ++ ++#include /* enum bpf_access_type */ ++ ++ ++bool landlock_is_valid_access_event_FS( ++ int off, int size, enum bpf_access_type type, ++ enum bpf_reg_type *reg_type, ++ union bpf_prog_subtype *prog_subtype); ++ ++__init void landlock_add_hooks_fs(void); +diff --git a/security/landlock/init.c b/security/landlock/init.c +index 914895d08320..1c2750e12dfa 100644 +--- a/security/landlock/init.c ++++ b/security/landlock/init.c +@@ -11,6 +11,9 @@ + #include /* enum bpf_access_type */ + #include /* capable */ + #include /* LANDLOCK_VERSION */ ++#include ++ ++#include "hooks_fs.h" + + + static inline bool bpf_landlock_is_valid_access(int off, int size, +@@ -22,6 +25,8 @@ static inline bool bpf_landlock_is_valid_access(int off, int size, + + switch (prog_subtype->landlock_rule.event) { + case LANDLOCK_SUBTYPE_EVENT_FS: ++ return landlock_is_valid_access_event_FS(off, size, type, ++ reg_type, prog_subtype); + case LANDLOCK_SUBTYPE_EVENT_UNSPEC: + default: + return false; +@@ -127,3 +132,11 @@ static struct bpf_prog_type_list bpf_landlock_type __ro_after_init = { + .ops = &bpf_landlock_ops, + .type = BPF_PROG_TYPE_LANDLOCK, + }; ++ ++void __init landlock_add_hooks(void) ++{ ++ pr_info("landlock: Version %u", LANDLOCK_VERSION); ++ landlock_add_hooks_fs(); ++ security_add_hooks(NULL, 0, "landlock"); ++ bpf_register_prog_type(&bpf_landlock_type); ++} +diff --git a/security/security.c b/security/security.c +index f825304f04a7..74d2bf057f30 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -63,10 +63,15 @@ int __init security_init(void) + loadpin_add_hooks(); + + /* +- * Load all the remaining security modules. ++ * Load all remaining privileged security modules. + */ + do_security_initcalls(); + ++ /* ++ * Load potentially-unprivileged security modules at the end. ++ */ ++ landlock_add_hooks(); ++ + return 0; + } + +-- +2.11.0 + 
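Review bot: In security/landlock/hooks.c, landlock_decide() never assigns `deny`, so all 33 hooks registered in hooks_fs.c unconditionally return 0, and `event_idx` and `ctx` are initialized but never read; if the kernel's usual -Wall is in effect these are likely to warn as unused variables, and the `-Werror=unused-function` added to the Makefile does not cover them. Since this is patch 08/12 and rule evaluation presumably lands later, the stub should say so where a reader of this file will see it, e.g. above the `return deny ? -EPERM : 0;` line: `/* No rule is evaluated yet: every event is allowed until BPF program execution is wired in. */`. The same applies to landlocked() in hooks.h, which hard-returns false and so makes every generated hook body unreachable past its first check; a one-line comment there, `/* placeholder: no task is landlocked until the seccomp integration */`, would make that explicit. Minor style point in init.c: the `pr_info("landlock: Version %u", LANDLOCK_VERSION);` format string lacks a trailing `\n`.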
diff --git a/projects/landlock/kernel-landlock/patches-4.9/0009-seccomp-Split-put_seccomp_filter-with-put_seccomp.patch b/projects/landlock/kernel-landlock/patches-4.9/0009-seccomp-Split-put_seccomp_filter-with-put_seccomp.patch new file mode 100644 index 000000000..139691280 --- /dev/null +++ b/projects/landlock/kernel-landlock/patches-4.9/0009-seccomp-Split-put_seccomp_filter-with-put_seccomp.patch 
@@ -0,0 +1,143 @@ +From 1512eca4f0a5b3d1a98ed9940cae462bf71cc956 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 29 Mar 2017 01:30:33 +0200 +Subject: [PATCH 09/12] seccomp: Split put_seccomp_filter() with put_seccomp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The semantic is unchanged. This will be useful for the Landlock +integration with seccomp (next commit). + +Signed-off-by: Mickaël Salaün +Cc: Kees Cook +Cc: Andy Lutomirski +Cc: Will Drewry +(cherry picked from commit 2f707c41fd744e5c2beb382dafe3b2dc658c26d4) +--- + include/linux/seccomp.h | 4 ++-- + kernel/fork.c | 2 +- + kernel/seccomp.c | 18 +++++++++++++----- + security/landlock/hooks.c | 4 +--- + security/landlock/init.c | 2 +- + 5 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h +index ecc296c137cd..e25aee2cdfc0 100644 +--- a/include/linux/seccomp.h ++++ b/include/linux/seccomp.h +@@ -77,10 +77,10 @@ static inline int seccomp_mode(struct seccomp *s) + #endif /* CONFIG_SECCOMP */ + + #ifdef CONFIG_SECCOMP_FILTER +-extern void put_seccomp_filter(struct task_struct *tsk); ++extern void put_seccomp(struct task_struct *tsk); + extern void get_seccomp_filter(struct task_struct *tsk); + #else /* CONFIG_SECCOMP_FILTER */ +-static inline void put_seccomp_filter(struct task_struct *tsk) ++static inline void put_seccomp(struct task_struct *tsk) + { + return; + } +diff --git a/kernel/fork.c b/kernel/fork.c +index ba8a01564985..48996df6eb5e 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -352,7 +352,7 @@ void free_task(struct task_struct *tsk) + #endif + rt_mutex_debug_task_free(tsk); + ftrace_graph_exit_task(tsk); +- put_seccomp_filter(tsk); ++ put_seccomp(tsk); + arch_release_task_struct(tsk); + free_task_struct(tsk); + } +diff --git a/kernel/seccomp.c b/kernel/seccomp.c +index 0db7c8a2afe2..e741a82eab4d 100644 +--- a/kernel/seccomp.c ++++ 
b/kernel/seccomp.c +@@ -63,6 +63,8 @@ struct seccomp_filter { + /* Limit any path through the tree to 256KB worth of instructions. */ + #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter)) + ++static void put_seccomp_filter(struct seccomp_filter *filter); ++ + /* + * Endianness is explicitly ignored and left for BPF program authors to manage + * as per the specific architecture. +@@ -313,7 +315,7 @@ static inline void seccomp_sync_threads(void) + * current's path will hold a reference. (This also + * allows a put before the assignment.) + */ +- put_seccomp_filter(thread); ++ put_seccomp_filter(thread->seccomp.filter); + smp_store_release(&thread->seccomp.filter, + caller->seccomp.filter); + +@@ -475,10 +477,11 @@ static inline void seccomp_filter_free(struct seccomp_filter *filter) + } + } + +-/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */ +-void put_seccomp_filter(struct task_struct *tsk) ++/* put_seccomp_filter - decrements the ref count of a filter */ ++static void put_seccomp_filter(struct seccomp_filter *filter) + { +- struct seccomp_filter *orig = tsk->seccomp.filter; ++ struct seccomp_filter *orig = filter; ++ + /* Clean up single-reference branches iteratively. 
*/ + while (orig && atomic_dec_and_test(&orig->usage)) { + struct seccomp_filter *freeme = orig; +@@ -487,6 +490,11 @@ void put_seccomp_filter(struct task_struct *tsk) + } + } + ++void put_seccomp(struct task_struct *tsk) ++{ ++ put_seccomp_filter(tsk->seccomp.filter); ++} ++ + /** + * seccomp_send_sigsys - signals the task to allow in-process syscall emulation + * @syscall: syscall number to send to userland +@@ -898,7 +906,7 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off, + if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog))) + ret = -EFAULT; + +- put_seccomp_filter(task); ++ put_seccomp_filter(task->seccomp.filter); + return ret; + + out: +diff --git a/security/landlock/hooks.c b/security/landlock/hooks.c +index eaee8162ff70..cbad4b66ca13 100644 +--- a/security/landlock/hooks.c ++++ b/security/landlock/hooks.c +@@ -27,10 +27,8 @@ __init void landlock_register_hooks(struct security_hook_list *hooks, int count) + { + int i; + +- for (i = 0; i < count; i++) { +- hooks[i].lsm = "landlock"; ++ for (i = 0; i < count; i++) + list_add_tail_rcu(&hooks[i].list, hooks[i].head); +- } + } + + bool landlock_is_valid_access(int off, int size, enum bpf_access_type type, +diff --git a/security/landlock/init.c b/security/landlock/init.c +index 1c2750e12dfa..909c51c3fa32 100644 +--- a/security/landlock/init.c ++++ b/security/landlock/init.c +@@ -137,6 +137,6 @@ void __init landlock_add_hooks(void) + { + pr_info("landlock: Version %u", LANDLOCK_VERSION); + landlock_add_hooks_fs(); +- security_add_hooks(NULL, 0, "landlock"); ++ security_add_hooks(NULL, 0); + bpf_register_prog_type(&bpf_landlock_type); + } +-- +2.11.0 + diff --git a/projects/landlock/kernel-landlock/patches-4.9/0010-seccomp-landlock-Handle-Landlock-events-per-process-.patch b/projects/landlock/kernel-landlock/patches-4.9/0010-seccomp-landlock-Handle-Landlock-events-per-process-.patch new file mode 100644 index 000000000..44f468429 --- /dev/null 
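Review bot: `put_seccomp()` is added to kernel/seccomp.c without a comment, while its name now suggests it releases all of a task's seccomp state rather than only `tsk->seccomp.filter`; a kernel-doc line such as `/* put_seccomp - releases the seccomp state attached to @tsk (currently only its filter) */` above it would keep callers like `free_task()` honest as more state is hung off `struct seccomp`. The forward declaration of the now-static `put_seccomp_filter()` could likewise carry a one-line note that callers now pass the filter pointer rather than the task, since the converted call sites in `seccomp_sync_threads()` and `seccomp_get_filter()` silently changed argument type. The removal of `hooks[i].lsm = "landlock"` and the `security_add_hooks(NULL, 0)` change under security/landlock look like adaptations to the 4.9 LSM API rather than part of the split named in the subject; a sentence in the commit message saying so would help anyone bisecting this series.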
+++ b/projects/landlock/kernel-landlock/patches-4.9/0010-seccomp-landlock-Handle-Landlock-events-per-process-.patch 
@@ -0,0 +1,599 @@ +From a53bef1072081d7ff33c58293a019cfab91111a7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 29 Mar 2017 01:30:33 +0200 +Subject: [PATCH 10/12] seccomp,landlock: Handle Landlock events per process + hierarchy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The seccomp(2) syscall can be used by a task to apply a Landlock rule to +itself. As a seccomp filter, a Landlock rule is enforced for the current +task and all its future children. A rule is immutable and a task can +only add new restricting rules to itself, forming a chain of rules. + +A Landlock rule is tied to a Landlock event. If the use of a kernel +object is allowed by the other Linux security mechanisms (e.g. DAC, +capabilities, other LSM), then a Landlock event related to this kind of +object is triggered. The chain of rules for this event is then +evaluated. Each rule return a 32-bit value which can deny the use of a +kernel object with a non-zero value. If every rules of the chain return +zero, then the use of the object is allowed. 
+ +Changes since v5: +* remove struct landlock_node and use a similar inheritance mechanisme + as seccomp-bpf (requested by Andy Lutomirski) +* rename SECCOMP_ADD_LANDLOCK_RULE to SECCOMP_APPEND_LANDLOCK_RULE +* rename file manager.c to providers.c +* add comments +* typo and cosmetic fixes + +Changes since v4: +* merge manager and seccomp patches +* return -EFAULT in seccomp(2) when user_bpf_fd is null to easely check + if Landlock is supported +* only allow a process with the global CAP_SYS_ADMIN to use Landlock + (will be lifted in the future) +* add an early check to exit as soon as possible if the current process + does not have Landlock rules + +Changes since v3: +* remove the hard link with seccomp (suggested by Andy Lutomirski and + Kees Cook): + * remove the cookie which could imply multiple evaluation of Landlock + rules + * remove the origin field in struct landlock_data +* remove documentation fix (merged upstream) +* rename the new seccomp command to SECCOMP_ADD_LANDLOCK_RULE +* internal renaming +* split commit +* new design to be able to inherit on the fly the parent rules + +Changes since v2: +* Landlock programs can now be run without seccomp filter but for any + syscall (from the process) or interruption +* move Landlock related functions and structs into security/landlock/* + (to manage cgroups as well) +* fix seccomp filter handling: run Landlock programs for each of their + legitimate seccomp filter +* properly clean up all seccomp results +* cosmetic changes to ease the understanding +* fix some ifdef + +Signed-off-by: Mickaël Salaün +Cc: Alexei Starovoitov +Cc: Andrew Morton +Cc: Andy Lutomirski +Cc: James Morris +Cc: Kees Cook +Cc: Serge E. 
Hallyn +Cc: Will Drewry +Link: https://lkml.kernel.org/r/c10a503d-5e35-7785-2f3d-25ed8dd63fab@digikod.net +(cherry picked from commit 47986b417d07970983d82579fd9def4844f8ed78) +--- + include/linux/landlock.h | 36 +++++++ + include/linux/seccomp.h | 8 ++ + include/uapi/linux/seccomp.h | 1 + + kernel/fork.c | 14 ++- + kernel/seccomp.c | 8 ++ + security/landlock/Makefile | 2 +- + security/landlock/hooks.c | 37 +++++++ + security/landlock/hooks.h | 5 + + security/landlock/init.c | 3 +- + security/landlock/providers.c | 232 ++++++++++++++++++++++++++++++++++++++++++ + 10 files changed, 342 insertions(+), 4 deletions(-) + create mode 100644 security/landlock/providers.c + +diff --git a/include/linux/landlock.h b/include/linux/landlock.h +index 53013dc374fe..c40ee78e86e0 100644 +--- a/include/linux/landlock.h ++++ b/include/linux/landlock.h +@@ -12,6 +12,9 @@ + #define _LINUX_LANDLOCK_H + #ifdef CONFIG_SECURITY_LANDLOCK + ++#include /* _LANDLOCK_SUBTYPE_EVENT_LAST */ ++#include /* atomic_t */ ++ + /* + * This is not intended for the UAPI headers. Each userland software should use + * a static minimal version for the required features as explained in the +@@ -19,5 +22,38 @@ + */ + #define LANDLOCK_VERSION 1 + ++struct landlock_rule { ++ atomic_t usage; ++ struct landlock_rule *prev; ++ struct bpf_prog *prog; ++}; ++ ++/** ++ * struct landlock_events - Landlock event rules enforced on a thread ++ * ++ * This is used for low performance impact when forking a process. Instead of ++ * copying the full array and incrementing the usage of each entries, only ++ * create a pointer to &struct landlock_events and increments its usage. When ++ * appending a new rule, if &struct landlock_events is shared with other tasks, ++ * then duplicate it and append the rule to this new &struct landlock_events. ++ * ++ * @usage: reference count to manage the object lifetime. 
When a thread need to ++ * add Landlock rules and if @usage is greater than 1, then the thread ++ * must duplicate &struct landlock_events to not change the children's ++ * rules as well. ++ * @rules: array of non-NULL &struct landlock_rule pointers ++ */ ++struct landlock_events { ++ atomic_t usage; ++ struct landlock_rule *rules[_LANDLOCK_SUBTYPE_EVENT_LAST]; ++}; ++ ++void put_landlock_events(struct landlock_events *events); ++ ++#ifdef CONFIG_SECCOMP_FILTER ++int landlock_seccomp_append_prog(unsigned int flags, ++ const char __user *user_bpf_fd); ++#endif /* CONFIG_SECCOMP_FILTER */ ++ + #endif /* CONFIG_SECURITY_LANDLOCK */ + #endif /* _LINUX_LANDLOCK_H */ +diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h +index e25aee2cdfc0..9a38de3c0e72 100644 +--- a/include/linux/seccomp.h ++++ b/include/linux/seccomp.h +@@ -10,6 +10,10 @@ + #include + #include + ++#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_SECURITY_LANDLOCK) ++struct landlock_events; ++#endif /* CONFIG_SECCOMP_FILTER && CONFIG_SECURITY_LANDLOCK */ ++ + struct seccomp_filter; + /** + * struct seccomp - the state of a seccomp'ed process +@@ -18,6 +22,7 @@ struct seccomp_filter; + * system calls available to a process. + * @filter: must always point to a valid seccomp-filter or NULL as it is + * accessed without locking during system call entry. ++ * @landlock_events: contains an array of Landlock rules. + * + * @filter must only be accessed from the context of current as there + * is no read locking. 
+@@ -25,6 +30,9 @@ struct seccomp_filter; + struct seccomp { + int mode; + struct seccomp_filter *filter; ++#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_SECURITY_LANDLOCK) ++ struct landlock_events *landlock_events; ++#endif /* CONFIG_SECCOMP_FILTER && CONFIG_SECURITY_LANDLOCK */ + }; + + #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER +diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h +index 0f238a43ff1e..74891cf60ca6 100644 +--- a/include/uapi/linux/seccomp.h ++++ b/include/uapi/linux/seccomp.h +@@ -13,6 +13,7 @@ + /* Valid operations for seccomp syscall. */ + #define SECCOMP_SET_MODE_STRICT 0 + #define SECCOMP_SET_MODE_FILTER 1 ++#define SECCOMP_APPEND_LANDLOCK_RULE 2 + + /* Valid flags for SECCOMP_SET_MODE_FILTER */ + #define SECCOMP_FILTER_FLAG_TSYNC 1 +diff --git a/kernel/fork.c b/kernel/fork.c +index 48996df6eb5e..8c7e289d0727 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -513,7 +514,10 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node) + * the usage counts on the error path calling free_task. + */ + tsk->seccomp.filter = NULL; +-#endif ++#ifdef CONFIG_SECURITY_LANDLOCK ++ tsk->seccomp.landlock_events = NULL; ++#endif /* CONFIG_SECURITY_LANDLOCK */ ++#endif /* CONFIG_SECCOMP */ + + setup_thread_stack(tsk, orig); + clear_user_return_notifier(tsk); +@@ -1384,7 +1388,13 @@ static void copy_seccomp(struct task_struct *p) + + /* Ref-count the new filter user, and assign it. 
*/ + get_seccomp_filter(current); +- p->seccomp = current->seccomp; ++ p->seccomp.mode = current->seccomp.mode; ++ p->seccomp.filter = current->seccomp.filter; ++#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_SECURITY_LANDLOCK) ++ p->seccomp.landlock_events = current->seccomp.landlock_events; ++ if (p->seccomp.landlock_events) ++ atomic_inc(&p->seccomp.landlock_events->usage); ++#endif /* CONFIG_SECCOMP_FILTER && CONFIG_SECURITY_LANDLOCK */ + + /* + * Explicitly enable no_new_privs here in case it got set +diff --git a/kernel/seccomp.c b/kernel/seccomp.c +index e741a82eab4d..72b1cc4ce63b 100644 +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + /** + * struct seccomp_filter - container for seccomp BPF programs +@@ -493,6 +494,9 @@ static void put_seccomp_filter(struct seccomp_filter *filter) + void put_seccomp(struct task_struct *tsk) + { + put_seccomp_filter(tsk->seccomp.filter); ++#ifdef CONFIG_SECURITY_LANDLOCK ++ put_landlock_events(tsk->seccomp.landlock_events); ++#endif /* CONFIG_SECURITY_LANDLOCK */ + } + + /** +@@ -797,6 +801,10 @@ static long do_seccomp(unsigned int op, unsigned int flags, + return seccomp_set_mode_strict(); + case SECCOMP_SET_MODE_FILTER: + return seccomp_set_mode_filter(flags, uargs); ++#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_SECURITY_LANDLOCK) ++ case SECCOMP_APPEND_LANDLOCK_RULE: ++ return landlock_seccomp_append_prog(flags, uargs); ++#endif /* CONFIG_SECCOMP_FILTER && CONFIG_SECURITY_LANDLOCK */ + default: + return -EINVAL; + } +diff --git a/security/landlock/Makefile b/security/landlock/Makefile +index c0db504a6335..da8ba8b5183e 100644 +--- a/security/landlock/Makefile ++++ b/security/landlock/Makefile +@@ -2,4 +2,4 @@ ccflags-$(CONFIG_SECURITY_LANDLOCK) += -Werror=unused-function + + obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o + +-landlock-y := init.o hooks.o hooks_fs.o ++landlock-y := init.o providers.o hooks.o hooks_fs.o +diff --git 
a/security/landlock/hooks.c b/security/landlock/hooks.c +index cbad4b66ca13..194cd4307b01 100644 +--- a/security/landlock/hooks.c ++++ b/security/landlock/hooks.c +@@ -93,6 +93,38 @@ bool landlock_is_valid_access(int off, int size, enum bpf_access_type type, + return true; + } + ++/** ++ * landlock_event_deny - run Landlock rules tied to an event ++ * ++ * @event_idx: event index in the rules array ++ * @ctx: non-NULL eBPF context ++ * @events: Landlock events pointer ++ * ++ * Return true if at least one rule deny the event. ++ */ ++static bool landlock_event_deny(u32 event_idx, const struct landlock_context *ctx, ++ struct landlock_events *events) ++{ ++ struct landlock_rule *rule; ++ ++ if (!events) ++ return false; ++ ++ for (rule = events->rules[event_idx]; rule; rule = rule->prev) { ++ u32 ret; ++ ++ if (WARN_ON(!rule->prog)) ++ continue; ++ rcu_read_lock(); ++ ret = BPF_PROG_RUN(rule->prog, (void *)ctx); ++ rcu_read_unlock(); ++ /* deny access if a program returns a value different than 0 */ ++ if (ret) ++ return true; ++ } ++ return false; ++} ++ + int landlock_decide(enum landlock_subtype_event event, + __u64 ctx_values[CTX_ARG_NB], u32 cmd, const char *hook) + { +@@ -109,5 +141,10 @@ int landlock_decide(enum landlock_subtype_event event, + .arg2 = ctx_values[1], + }; + ++#ifdef CONFIG_SECCOMP_FILTER ++ deny = landlock_event_deny(event_idx, &ctx, ++ current->seccomp.landlock_events); ++#endif /* CONFIG_SECCOMP_FILTER */ ++ + return deny ? 
-EPERM : 0; + } +diff --git a/security/landlock/hooks.h b/security/landlock/hooks.h +index 2e180f6ed86b..dd0486a4c284 100644 +--- a/security/landlock/hooks.h ++++ b/security/landlock/hooks.h +@@ -12,6 +12,7 @@ + #include /* enum bpf_access_type */ + #include + #include /* struct task_struct */ ++#include + + /* separators */ + #define SEP_COMMA() , +@@ -163,7 +164,11 @@ WRAP_TYPE_RAW_C; + + static inline bool landlocked(const struct task_struct *task) + { ++#ifdef CONFIG_SECCOMP_FILTER ++ return !!(task->seccomp.landlock_events); ++#else + return false; ++#endif /* CONFIG_SECCOMP_FILTER */ + } + + __init void landlock_register_hooks(struct security_hook_list *hooks, int count); +diff --git a/security/landlock/init.c b/security/landlock/init.c +index 909c51c3fa32..9ea7963dcf4c 100644 +--- a/security/landlock/init.c ++++ b/security/landlock/init.c +@@ -135,7 +135,8 @@ static struct bpf_prog_type_list bpf_landlock_type __ro_after_init = { + + void __init landlock_add_hooks(void) + { +- pr_info("landlock: Version %u", LANDLOCK_VERSION); ++ pr_info("landlock: Version %u, ready to sandbox with %s\n", ++ LANDLOCK_VERSION, "seccomp"); + landlock_add_hooks_fs(); + security_add_hooks(NULL, 0); + bpf_register_prog_type(&bpf_landlock_type); +diff --git a/security/landlock/providers.c b/security/landlock/providers.c +new file mode 100644 +index 000000000000..6d867a39c947 +--- /dev/null ++++ b/security/landlock/providers.c +@@ -0,0 +1,232 @@ ++/* ++ * Landlock LSM - seccomp provider ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ */ ++ ++#include /* PAGE_SIZE */ ++#include /* atomic_*(), smp_store_release() */ ++#include /* bpf_prog_put() */ ++#include /* struct bpf_prog */ ++#include /* round_up() */ ++#include ++#include /* current_cred(), task_no_new_privs() */ ++#include /* security_capable_noaudit() */ ++#include /* alloc(), kfree() */ ++#include /* atomic_t */ ++#include /* copy_from_user() */ ++ ++#include "common.h" ++ ++static void put_landlock_rule(struct landlock_rule *rule) ++{ ++ struct landlock_rule *orig = rule; ++ ++ /* clean up single-reference branches iteratively */ ++ while (orig && atomic_dec_and_test(&orig->usage)) { ++ struct landlock_rule *freeme = orig; ++ ++ bpf_prog_put(orig->prog); ++ orig = orig->prev; ++ kfree(freeme); ++ } ++} ++ ++void put_landlock_events(struct landlock_events *events) ++{ ++ if (events && atomic_dec_and_test(&events->usage)) { ++ size_t i; ++ ++ for (i = 0; i < ARRAY_SIZE(events->rules); i++) ++ /* XXX: Do we need to use lockless_dereference() here? */ ++ put_landlock_rule(events->rules[i]); ++ kfree(events); ++ } ++} ++ ++static struct landlock_events *new_landlock_events(void) ++{ ++ struct landlock_events *ret; ++ ++ /* array filled with NULL values */ ++ ret = kzalloc(sizeof(*ret), GFP_KERNEL); ++ if (!ret) ++ return ERR_PTR(-ENOMEM); ++ atomic_set(&ret->usage, 1); ++ return ret; ++} ++ ++static void add_landlock_rule(struct landlock_events *events, ++ struct landlock_rule *rule) ++{ ++ /* subtype.landlock_rule.event > 0 for loaded programs */ ++ u32 event_idx = get_index(rule->prog->subtype.landlock_rule.event); ++ ++ rule->prev = events->rules[event_idx]; ++ WARN_ON(atomic_read(&rule->usage)); ++ atomic_set(&rule->usage, 1); ++ /* do not increment the previous rule usage */ ++ smp_store_release(&events->rules[event_idx], rule); ++} ++ ++/* limit Landlock events to 256KB */ ++#define LANDLOCK_EVENTS_MAX_PAGES (1 << 6) ++ ++/** ++ * landlock_append_prog - attach a Landlock rule to @current_events ++ * ++ * @current_events: 
landlock_events pointer, must be locked (if needed) to ++ * prevent a concurrent put/free. This pointer must not be ++ * freed after the call. ++ * @prog: non-NULL Landlock rule to append to @current_events. @prog will be ++ * owned by landlock_append_prog() and freed if an error happened. ++ * ++ * Return @current_events or a new pointer when OK. Return a pointer error ++ * otherwise. ++ */ ++static struct landlock_events *landlock_append_prog( ++ struct landlock_events *current_events, struct bpf_prog *prog) ++{ ++ struct landlock_events *new_events = current_events; ++ unsigned long pages; ++ struct landlock_rule *rule; ++ u32 event_idx; ++ ++ if (prog->type != BPF_PROG_TYPE_LANDLOCK) { ++ new_events = ERR_PTR(-EINVAL); ++ goto put_prog; ++ } ++ ++ /* validate memory size allocation */ ++ pages = prog->pages; ++ if (current_events) { ++ size_t i; ++ ++ for (i = 0; i < ARRAY_SIZE(current_events->rules); i++) { ++ struct landlock_rule *walker_r; ++ ++ for (walker_r = current_events->rules[i]; walker_r; ++ walker_r = walker_r->prev) ++ pages += walker_r->prog->pages; ++ } ++ /* count a struct landlock_events if we need to allocate one */ ++ if (atomic_read(¤t_events->usage) != 1) ++ pages += round_up(sizeof(*current_events), PAGE_SIZE) / ++ PAGE_SIZE; ++ } ++ if (pages > LANDLOCK_EVENTS_MAX_PAGES) { ++ new_events = ERR_PTR(-E2BIG); ++ goto put_prog; ++ } ++ ++ rule = kzalloc(sizeof(*rule), GFP_KERNEL); ++ if (!rule) { ++ new_events = ERR_PTR(-ENOMEM); ++ goto put_prog; ++ } ++ rule->prog = prog; ++ ++ /* subtype.landlock_rule.event > 0 for loaded programs */ ++ event_idx = get_index(rule->prog->subtype.landlock_rule.event); ++ ++ if (!new_events) { ++ /* ++ * If there is no Landlock events used by the current task, ++ * then create a new one. 
++ */ ++ new_events = new_landlock_events(); ++ if (IS_ERR(new_events)) ++ goto put_rule; ++ } else if (atomic_read(¤t_events->usage) > 1) { ++ /* ++ * If the current task is not the sole user of its Landlock ++ * events, then duplicate them. ++ */ ++ size_t i; ++ ++ new_events = new_landlock_events(); ++ if (IS_ERR(new_events)) ++ goto put_rule; ++ for (i = 0; i < ARRAY_SIZE(new_events->rules); i++) { ++ new_events->rules[i] = ++ lockless_dereference(current_events->rules[i]); ++ if (new_events->rules[i]) ++ atomic_inc(&new_events->rules[i]->usage); ++ } ++ ++ /* ++ * Landlock events from the current task will not be freed here ++ * because the usage is strictly greater than 1. It is only ++ * prevented to be freed by another subject thanks to the ++ * caller of landlock_append_prog() which should be locked if ++ * needed. ++ */ ++ put_landlock_events(current_events); ++ } ++ add_landlock_rule(new_events, rule); ++ return new_events; ++ ++put_prog: ++ bpf_prog_put(prog); ++ return new_events; ++ ++put_rule: ++ put_landlock_rule(rule); ++ return new_events; ++} ++ ++/** ++ * landlock_seccomp_append_prog - attach a Landlock rule to the current process ++ * ++ * current->seccomp.landlock_events is lazily allocated. When a process fork, ++ * only a pointer is copied. When a new event is added by a process, if there ++ * is other references to this process' landlock_events, then a new allocation ++ * is made to contain an array pointing to Landlock rule lists. This design ++ * enable low-performance impact and is memory efficient while keeping the ++ * property of append-only rules. 
++ * ++ * @flags: not used for now, but could be used for TSYNC ++ * @user_bpf_fd: file descriptor pointing to a loaded Landlock rule ++ */ ++#ifdef CONFIG_SECCOMP_FILTER ++int landlock_seccomp_append_prog(unsigned int flags, ++ const char __user *user_bpf_fd) ++{ ++ struct landlock_events *new_events; ++ struct bpf_prog *prog; ++ int bpf_fd; ++ ++ /* force no_new_privs to limit privilege escalation */ ++ if (!task_no_new_privs(current)) ++ return -EPERM; ++ /* will be removed in the future to allow unprivileged tasks */ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ /* enable to check if Landlock is supported with early EFAULT */ ++ if (!user_bpf_fd) ++ return -EFAULT; ++ if (flags) ++ return -EINVAL; ++ if (copy_from_user(&bpf_fd, user_bpf_fd, sizeof(bpf_fd))) ++ return -EFAULT; ++ prog = bpf_prog_get(bpf_fd); ++ if (IS_ERR(prog)) ++ return PTR_ERR(prog); ++ ++ /* ++ * We don't need to lock anything for the current process hierarchy, ++ * everything is guarded by the atomic counters. ++ */ ++ new_events = landlock_append_prog(current->seccomp.landlock_events, ++ prog); ++ /* @prog is managed/freed by landlock_append_prog() */ ++ if (IS_ERR(new_events)) ++ return PTR_ERR(new_events); ++ current->seccomp.landlock_events = new_events; ++ return 0; ++} ++#endif /* CONFIG_SECCOMP_FILTER */ +-- +2.11.0 + diff --git a/projects/landlock/kernel-landlock/patches-4.9/0011-landlock-Add-ptrace-restrictions.patch b/projects/landlock/kernel-landlock/patches-4.9/0011-landlock-Add-ptrace-restrictions.patch new file mode 100644 index 000000000..ccb5440b7 --- /dev/null +++ b/projects/landlock/kernel-landlock/patches-4.9/0011-landlock-Add-ptrace-restrictions.patch 
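Review bot: The `put_rule:` path in `landlock_append_prog()` (security/landlock/providers.c) leaks both the rule and the program reference: `rule` comes from `kzalloc()` with `usage` still 0, so `put_landlock_rule(rule)` decrements it to -1, `atomic_dec_and_test()` returns false, and neither `kfree()` nor `bpf_prog_put()` runs when `new_landlock_events()` fails with -ENOMEM. Since `rule->prev` is not yet set at that point, the label can release the rule and reuse the existing `put_prog:` label: `put_rule:` / `kfree(rule);` / `goto put_prog;`. A second point in `landlock_event_deny()` (security/landlock/hooks.c): `if (WARN_ON(!rule->prog)) continue;` makes an inconsistent rule fail open inside an access-control decision; for an LSM hook, `return true;` (deny) would be the safer reaction to a state that should never occur, and the comment above the loop should say that a missing program is treated as a deny.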
@@ -0,0 +1,216 @@ +From 2a43bc167fa63c0d02bed4b5826bdfc1fd719714 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 29 Mar 2017 01:30:33 +0200 +Subject: [PATCH 11/12] landlock: Add ptrace restrictions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A landlocked process has less privileges than a non-landlocked process +and must then be subject to additional restrictions when manipulating +processes. To be allowed to use ptrace(2) and related syscalls on a +target process, a landlocked process must have a subset of the target +process' rules. + +New in v6 + +Signed-off-by: Mickaël Salaün +Cc: Alexei Starovoitov +Cc: Andy Lutomirski +Cc: Daniel Borkmann +Cc: David S. Miller +Cc: James Morris +Cc: Kees Cook +Cc: Serge E. Hallyn +(cherry picked from commit 9f9bb82c0f1a9694263a0a1d6833f3049f0abec2) +--- + security/landlock/Makefile | 2 +- + security/landlock/hooks_ptrace.c | 126 +++++++++++++++++++++++++++++++++++++++ + security/landlock/hooks_ptrace.h | 11 ++++ + security/landlock/init.c | 2 + + 4 files changed, 140 insertions(+), 1 deletion(-) + create mode 100644 security/landlock/hooks_ptrace.c + create mode 100644 security/landlock/hooks_ptrace.h + +diff --git a/security/landlock/Makefile b/security/landlock/Makefile +index da8ba8b5183e..099a56ca4842 100644 +--- a/security/landlock/Makefile ++++ b/security/landlock/Makefile +@@ -2,4 +2,4 @@ ccflags-$(CONFIG_SECURITY_LANDLOCK) += -Werror=unused-function + + obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o + +-landlock-y := init.o providers.o hooks.o hooks_fs.o ++landlock-y := init.o providers.o hooks.o hooks_fs.o hooks_ptrace.o +diff --git a/security/landlock/hooks_ptrace.c b/security/landlock/hooks_ptrace.c +new file mode 100644 +index 000000000000..8ab53baba9ad +--- /dev/null ++++ b/security/landlock/hooks_ptrace.c +@@ -0,0 +1,126 @@ ++/* ++ * Landlock LSM - ptrace hooks ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is 
free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. ++ */ ++ ++#include ++#include /* ARRAY_SIZE */ ++#include /* struct landlock_events */ ++#include ++#include /* struct task_struct */ ++#include ++ ++#include "hooks.h" /* landlocked() */ ++ ++#include "hooks_ptrace.h" ++ ++ ++static bool landlock_events_are_subset(const struct landlock_events *parent, ++ const struct landlock_events *child) ++{ ++ size_t i; ++ ++ if (!parent || !child) ++ return false; ++ if (parent == child) ++ return true; ++ ++ for (i = 0; i < ARRAY_SIZE(child->rules); i++) { ++ struct landlock_rule *walker; ++ bool found_parent = false; ++ ++ if (!parent->rules[i]) ++ continue; ++ for (walker = child->rules[i]; walker; walker = walker->prev) { ++ if (walker == parent->rules[i]) { ++ found_parent = true; ++ break; ++ } ++ } ++ if (!found_parent) ++ return false; ++ } ++ return true; ++} ++ ++static bool landlock_task_has_subset_events(const struct task_struct *parent, ++ const struct task_struct *child) ++{ ++#ifdef CONFIG_SECCOMP_FILTER ++ if (landlock_events_are_subset(parent->seccomp.landlock_events, ++ child->seccomp.landlock_events)) ++ /* must be ANDed with other providers (i.e. cgroup) */ ++ return true; ++#endif /* CONFIG_SECCOMP_FILTER */ ++ return false; ++} ++ ++/** ++ * landlock_ptrace_access_check - determine whether the current process may ++ * access another ++ * ++ * @child: the process to be accessed ++ * @mode: the mode of attachment ++ * ++ * If the current task has Landlock rules, then the child must have at least ++ * the same rules. Else denied. ++ * ++ * Determine whether a process may access another, returning 0 if permission ++ * granted, -errno if denied. 
++ */ ++static int landlock_ptrace_access_check(struct task_struct *child, ++ unsigned int mode) ++{ ++ if (!landlocked(current)) ++ return 0; ++ ++ if (!landlocked(child)) ++ return -EPERM; ++ ++ if (landlock_task_has_subset_events(current, child)) ++ return 0; ++ ++ return -EPERM; ++} ++ ++/** ++ * landlock_ptrace_traceme - determine whether another process may trace the ++ * current one ++ * ++ * @parent: the task proposed to be the tracer ++ * ++ * If the parent has Landlock rules, then the current task must have the same ++ * or more rules. ++ * Else denied. ++ * ++ * Determine whether the nominated task is permitted to trace the current ++ * process, returning 0 if permission is granted, -errno if denied. ++ */ ++static int landlock_ptrace_traceme(struct task_struct *parent) ++{ ++ if (!landlocked(parent)) ++ return 0; ++ ++ if (!landlocked(current)) ++ return -EPERM; ++ ++ if (landlock_task_has_subset_events(parent, current)) ++ return 0; ++ ++ return -EPERM; ++} ++ ++static struct security_hook_list landlock_hooks[] = { ++ LSM_HOOK_INIT(ptrace_access_check, landlock_ptrace_access_check), ++ LSM_HOOK_INIT(ptrace_traceme, landlock_ptrace_traceme), ++}; ++ ++__init void landlock_add_hooks_ptrace(void) ++{ ++ landlock_register_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks)); ++} +diff --git a/security/landlock/hooks_ptrace.h b/security/landlock/hooks_ptrace.h +new file mode 100644 +index 000000000000..15b1f3479e0e +--- /dev/null ++++ b/security/landlock/hooks_ptrace.h +@@ -0,0 +1,11 @@ ++/* ++ * Landlock LSM - ptrace hooks ++ * ++ * Copyright © 2017 Mickaël Salaün ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. 
++ */ ++ ++__init void landlock_add_hooks_ptrace(void); +diff --git a/security/landlock/init.c b/security/landlock/init.c +index 9ea7963dcf4c..74f0e17a92f6 100644 +--- a/security/landlock/init.c ++++ b/security/landlock/init.c +@@ -14,6 +14,7 @@ + #include + + #include "hooks_fs.h" ++#include "hooks_ptrace.h" + + + static inline bool bpf_landlock_is_valid_access(int off, int size, +@@ -137,6 +138,7 @@ void __init landlock_add_hooks(void) + { + pr_info("landlock: Version %u, ready to sandbox with %s\n", + LANDLOCK_VERSION, "seccomp"); ++ landlock_add_hooks_ptrace(); + landlock_add_hooks_fs(); + security_add_hooks(NULL, 0); + bpf_register_prog_type(&bpf_landlock_type); +-- +2.11.0 + diff --git a/projects/landlock/kernel-landlock/patches-4.9/0012-bpf-Add-a-Landlock-sandbox-example.patch b/projects/landlock/kernel-landlock/patches-4.9/0012-bpf-Add-a-Landlock-sandbox-example.patch new file mode 100644 index 000000000..1985ec135 --- /dev/null +++ b/projects/landlock/kernel-landlock/patches-4.9/0012-bpf-Add-a-Landlock-sandbox-example.patch 
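Review bot: `landlock_events_are_subset()` (security/landlock/hooks_ptrace.c) dereferences `child->seccomp.landlock_events` (and `parent->seccomp.landlock_events` via `landlock_ptrace_traceme()`) from another task's context without taking a reference or any lock, while `landlock_append_prog()` may `put_landlock_events()` the object the target task still points to when it duplicates a shared array; that struct is `kfree()`d once its usage reaches zero, so this appears to be a use-after-free window unless something outside this series serialises it (the `landlocked()` helper in hooks.h only reads the pointer, which is fine). A comment stating which lock or RCU protection covers the cross-task read, or taking a reference around the walk (`atomic_inc(&events->usage)` before, `put_landlock_events()` after), would close the question. Separately, `landlock_ptrace_access_check()` documents `@mode` but never reads it, so a landlocked task is refused read-only access checks against non-landlocked tasks exactly like an attach; if that is intended (it is the stricter choice), the kernel-doc should say so, e.g. `@mode: the mode of attachment; all modes, including read-only ones, are subject to the same subset rule`.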
@@ -0,0 +1,355 @@
+From 9fca752f05909f12edd32f619ec40d38a6c2b305 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?=
+Date: Wed, 29 Mar 2017 01:30:33 +0200
+Subject: [PATCH 12/12] bpf: Add a Landlock sandbox example
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a basic sandbox tool to create a process isolated from some part of
+the system. This sandbox create a read-only environment. It is only
+allowed to write to a character device such as a TTY:
+
+ # :> X
+ # echo $?
+ 0
+ # ./samples/bpf/landlock1 /bin/sh -i
+ Launching a new sandboxed process.
+ # :> Y
+ cannot create Y: Operation not permitted
+
+Changes since v5:
+* cosmetic fixes
+* rebase
+
+Changes since v4:
+* write Landlock rule in C and compiled it with LLVM
+* remove cgroup handling
+* remove path handling: only handle a read-only environment
+* remove errno return codes
+
+Changes since v3:
+* remove seccomp and origin field: completely free from seccomp programs
+* handle more FS-related hooks
+* handle inode hooks and directory traversal
+* add faked but consistent view thanks to ENOENT
+* add /lib64 in the example
+* fix spelling
+* rename some types and definitions (e.g. SECCOMP_ADD_LANDLOCK_RULE)
+
+Changes since v2:
+* use BPF_PROG_ATTACH for cgroup handling
+
+Signed-off-by: Mickaël Salaün
+Cc: Alexei Starovoitov
+Cc: Andy Lutomirski
+Cc: Daniel Borkmann
+Cc: David S. Miller
+Cc: James Morris
+Cc: Kees Cook
+Cc: Serge E. Hallyn
+(cherry picked from commit 9c5c745d4c0640a96f30f072cb835c21e7bd3ca6)
+---
+ samples/bpf/Makefile | 4 ++
+ samples/bpf/bpf_load.c | 30 +++++++++++--
+ samples/bpf/landlock1_kern.c | 46 +++++++++++++++++++
+ samples/bpf/landlock1_user.c | 102 +++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 178 insertions(+), 4 deletions(-)
+ create mode 100644 samples/bpf/landlock1_kern.c
+ create mode 100644 samples/bpf/landlock1_user.c
+
+diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
+index 72c58675973e..c9ce3b2e7a7e 100644
+--- a/samples/bpf/Makefile
++++ b/samples/bpf/Makefile
+@@ -28,6 +28,7 @@ hostprogs-y += test_current_task_under_cgroup
+ hostprogs-y += trace_event
+ hostprogs-y += sampleip
+ hostprogs-y += tc_l2_redirect
++hostprogs-y += landlock1
+
+ test_verifier-objs := test_verifier.o libbpf.o
+ test_maps-objs := test_maps.o libbpf.o
+@@ -58,6 +59,7 @@ test_current_task_under_cgroup-objs := bpf_load.o libbpf.o \
+ trace_event-objs := bpf_load.o libbpf.o trace_event_user.o
+ sampleip-objs := bpf_load.o libbpf.o sampleip_user.o
+ tc_l2_redirect-objs := bpf_load.o libbpf.o tc_l2_redirect_user.o
++landlock1-objs := bpf_load.o libbpf.o landlock1_user.o
+
+ # Tell kbuild to always build the programs
+ always := $(hostprogs-y)
+@@ -88,6 +90,7 @@ always += xdp2_kern.o
+ always += test_current_task_under_cgroup_kern.o
+ always += trace_event_kern.o
+ always += sampleip_kern.o
++always += landlock1_kern.o
+
+ HOSTCFLAGS += -I$(objtree)/usr/include
+
+@@ -115,6 +118,7 @@ HOSTLOADLIBES_test_current_task_under_cgroup += -lelf
+ HOSTLOADLIBES_trace_event += -lelf
+ HOSTLOADLIBES_sampleip += -lelf
+ HOSTLOADLIBES_tc_l2_redirect += -l elf
++HOSTLOADLIBES_landlock1 += -lelf
+
+ # Allows pointing LLC/CLANG to a LLVM backend with bpf support, redefine on cmdline:
+ # make samples/bpf/ LLC=~/git/llvm/build/bin/llc CLANG=~/git/llvm/build/bin/clang
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index 40cf828a37c7..1a461afb1d82 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -25,6 +25,8 @@
+
+ static char license[128];
+ static int kern_version;
++static union bpf_prog_subtype subtype = {};
++static bool has_subtype;
+ static bool processed_sec[128];
+ int map_fd[MAX_MAPS];
+ int prog_fd[MAX_PROGS];
+@@ -52,6 +54,7 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size)
+ bool is_tracepoint = strncmp(event, "tracepoint/", 11) == 0;
+ bool is_xdp = strncmp(event, "xdp", 3) == 0;
+ bool is_perf_event = strncmp(event, "perf_event", 10) == 0;
++ bool is_landlock = strncmp(event, "landlock", 8) == 0;
+ enum bpf_prog_type prog_type;
+ char buf[256];
+ int fd, efd, err, id;
+@@ -73,6 +76,13 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size)
+ prog_type = BPF_PROG_TYPE_XDP;
+ } else if (is_perf_event) {
+ prog_type = BPF_PROG_TYPE_PERF_EVENT;
++ } else if (is_landlock) {
++ prog_type = BPF_PROG_TYPE_LANDLOCK;
++ if (!has_subtype) {
++ printf("No subtype\n");
++ return -1;
++ }
++ st = &subtype;
+ } else {
+ printf("Unknown event '%s'\n", event);
+ return -1;
+@@ -86,7 +96,7 @@ static int load_and_attach(const char *event, struct bpf_insn *prog, int size)
+
+ prog_fd[prog_cnt++] = fd;
+
+- if (is_xdp || is_perf_event)
++ if (is_xdp || is_perf_event || is_landlock)
+ return 0;
+
+ if (is_socket) {
+@@ -261,6 +271,7 @@ int load_bpf_file(char *path)
+ kern_version = 0;
+ memset(license, 0, sizeof(license));
+ memset(processed_sec, 0, sizeof(processed_sec));
++ has_subtype = false;
+
+ if (elf_version(EV_CURRENT) == EV_NONE)
+ return 1;
+@@ -306,6 +317,16 @@ int load_bpf_file(char *path)
+ processed_sec[i] = true;
+ if (load_maps(data->d_buf, data->d_size))
+ return 1;
++ } else if (strcmp(shname, "subtype") == 0) {
++ processed_sec[i] = true;
++ if (data->d_size != sizeof(union bpf_prog_subtype)) {
++ printf("invalid size of subtype section %zd\n",
++ data->d_size);
++ return 1;
++ }
++ memcpy(&subtype, data->d_buf,
++ sizeof(union bpf_prog_subtype));
++ has_subtype = true;
+ } else if (shdr.sh_type == SHT_SYMTAB) {
+ symbols = data;
+ }
+@@ -338,14 +359,14 @@ int load_bpf_file(char *path)
+ memcmp(shname_prog, "tracepoint/", 11) == 0 ||
+ memcmp(shname_prog, "xdp", 3) == 0 ||
+ memcmp(shname_prog, "perf_event", 10) == 0 ||
+- memcmp(shname_prog, "socket", 6) == 0)
++ memcmp(shname_prog, "socket", 6) == 0 ||
++ memcmp(shname_prog, "landlock", 8) == 0)
+ load_and_attach(shname_prog, insns, data_prog->d_size);
+ }
+ }
+
+ /* load programs that don't use maps */
+ for (i = 1; i < ehdr.e_shnum; i++) {
+-
+ if (processed_sec[i])
+ continue;
+
+@@ -357,7 +378,8 @@ int load_bpf_file(char *path)
+ memcmp(shname, "tracepoint/", 11) == 0 ||
+ memcmp(shname, "xdp", 3) == 0 ||
+ memcmp(shname, "perf_event", 10) == 0 ||
+- memcmp(shname, "socket", 6) == 0)
++ memcmp(shname, "socket", 6) == 0 ||
++ memcmp(shname, "landlock", 8) == 0)
+ load_and_attach(shname, data->d_buf, data->d_size);
+ }
+
+diff --git a/samples/bpf/landlock1_kern.c b/samples/bpf/landlock1_kern.c
+new file mode 100644
+index 000000000000..b8a9b0ca84c9
+--- /dev/null
++++ b/samples/bpf/landlock1_kern.c
+@@ -0,0 +1,46 @@
++/*
++ * Landlock rule - partial read-only filesystem
++ *
++ * Copyright © 2017 Mickaël Salaün
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2, as
++ * published by the Free Software Foundation.
++ */
++
++#define KBUILD_MODNAME "foo"
++#include
++#include /* S_ISCHR() */
++#include "bpf_helpers.h"
++
++SEC("landlock1")
++static int landlock_fs_prog1(struct landlock_context *ctx)
++{
++ char fmt_error[] = "landlock1: error: get_mode:%lld\n";
++ char fmt_name[] = "landlock1: syscall:%d\n";
++ long long ret;
++
++ if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))
++ return 0;
++ ret = bpf_handle_fs_get_mode((void *)ctx->arg1);
++ if (ret < 0) {
++ bpf_trace_printk(fmt_error, sizeof(fmt_error), ret);
++ return 1;
++ }
++ if (S_ISCHR(ret))
++ return 0;
++ bpf_trace_printk(fmt_name, sizeof(fmt_name), ctx->syscall_nr);
++ return 1;
++}
++
++SEC("subtype")
++static union bpf_prog_subtype _subtype = {
++ .landlock_rule = {
++ .version = 1,
++ .event = LANDLOCK_SUBTYPE_EVENT_FS,
++ .ability = LANDLOCK_SUBTYPE_ABILITY_DEBUG,
++ }
++};
++
++SEC("license")
++static const char _license[] = "GPL";
+diff --git a/samples/bpf/landlock1_user.c b/samples/bpf/landlock1_user.c
+new file mode 100644
+index 000000000000..6f79eb0ee6db
+--- /dev/null
++++ b/samples/bpf/landlock1_user.c
+@@ -0,0 +1,102 @@
++/*
++ * Landlock sandbox - partial read-only filesystem
++ *
++ * Copyright © 2017 Mickaël Salaün
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2, as
++ * published by the Free Software Foundation.
++ */
++
++#include "bpf_load.h"
++#include "libbpf.h"
++
++#define _GNU_SOURCE
++#include
++#include /* open() */
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++#ifndef seccomp
++static int seccomp(unsigned int op, unsigned int flags, void *args)
++{
++ errno = 0;
++ return syscall(__NR_seccomp, op, flags, args);
++}
++#endif
++
++#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
++#define MAX_ERRNO 4095
++
++
++struct landlock_rule {
++ enum landlock_subtype_event event;
++ struct bpf_insn *bpf;
++ size_t size;
++};
++
++static int apply_sandbox(int prog_fd)
++{
++ int ret = 0;
++
++ /* set up the test sandbox */
++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
++ perror("prctl(no_new_priv)");
++ return 1;
++ }
++ if (seccomp(SECCOMP_APPEND_LANDLOCK_RULE, 0, &prog_fd)) {
++ perror("seccomp(set_hook)");
++ ret = 1;
++ }
++ close(prog_fd);
++
++ return ret;
++}
++
++int main(int argc, char * const argv[], char * const *envp)
++{
++ char filename[256];
++ char *cmd_path;
++ char * const *cmd_argv;
++
++ if (argc < 2) {
++ fprintf(stderr, "usage: %s [args]...\n\n", argv[0]);
++ fprintf(stderr, "Launch a command in a read-only environment "
++ "(except for character devices).\n");
++ fprintf(stderr, "Display debug with: "
++ "cat /sys/kernel/debug/tracing/trace_pipe &\n");
++ return 1;
++ }
++
++ snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
++ if (load_bpf_file(filename)) {
++ printf("%s", bpf_log_buf);
++ return 1;
++ }
++ if (!prog_fd[0]) {
++ if (errno) {
++ printf("load_bpf_file: %s\n", strerror(errno));
++ } else {
++ printf("load_bpf_file: Error\n");
++ }
++ return 1;
++ }
++
++ if (apply_sandbox(prog_fd[0]))
++ return 1;
++ cmd_path = argv[1];
++ cmd_argv = argv + 1;
++ fprintf(stderr, "Launching a new sandboxed process.\n");
++ execve(cmd_path, cmd_argv, envp);
++ perror("execve");
++ return 1;
++}
+--
+2.11.0
+
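Review bot: In landlock1_kern.c the only thing that separates an allowed FS write from a denied one is `S_ISCHR(ret)`, so the sample is not limited to a TTY as the commit message suggests: any character device the sandboxed process can already open under DAC (ttys and /dev/null, but equally /dev/kmsg, /dev/fuse or /dev/mem where permissions allow) stays writable, while every other write and every failed `bpf_handle_fs_get_mode()` lookup is denied. A one-line comment at that check would stop the rule from being copied as a generic read-only policy, e.g. `if (S_ISCHR(ret)) /* demo policy: ANY character device is writable, not just the TTY */`. Separately, in landlock1_user.c `#define _GNU_SOURCE` comes after `#include "bpf_load.h"` and `#include "libbpf.h"`; if either of those pulls in a system header first, the feature macro is set too late and silently ignored, so it should be the first line of the file. Since this is a cherry-picked upstream patch, both changes belong in a follow-up patch in this directory rather than an edit of this file.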