diff --git a/alpine/cloud/aws/syslinux.cfg b/alpine/cloud/aws/syslinux.cfg index fb284b205..944ecb431 100644 --- a/alpine/cloud/aws/syslinux.cfg +++ b/alpine/cloud/aws/syslinux.cfg @@ -4,4 +4,4 @@ PROMPT 0 LABEL linux KERNEL /vmlinuz64 INITRD /initrd.img - APPEND root=/dev/xvdb1 console=tty0 console=tty1 console=ttyS0 mobyplatform=aws vsyscall=emulate + APPEND root=/dev/xvdb1 console=tty0 console=tty1 console=ttyS0 mobyplatform=aws vsyscall=emulate page_poison=1 diff --git a/alpine/cloud/azure/syslinux.cfg b/alpine/cloud/azure/syslinux.cfg index 0dbb4297f..fd07dba79 100644 --- a/alpine/cloud/azure/syslinux.cfg +++ b/alpine/cloud/azure/syslinux.cfg @@ -2,4 +2,4 @@ DEFAULT linux LABEL linux KERNEL /vmlinuz64 INITRD /initrd.img - APPEND root=/dev/sda1 rootdelay=300 console=tty1 console=ttyS0 earlyprintk=ttyS0 mobyplatform=azure vsyscall=emulate + APPEND root=/dev/sda1 rootdelay=300 console=tty1 console=ttyS0 earlyprintk=ttyS0 mobyplatform=azure vsyscall=emulate page_poison=1 diff --git a/base/mkimage-iso-efi/make-efi b/base/mkimage-iso-efi/make-efi index 67e0e16c1..9284cdaa3 100755 --- a/base/mkimage-iso-efi/make-efi +++ b/base/mkimage-iso-efi/make-efi @@ -22,7 +22,7 @@ KERNEL="$(find . -name vmlinuz64 -or -name bzImage)" find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf # Docker for Windows specific options, should be moved -WINDOWS_OPTIONS="mobyplatform=windows vsyscall=emulate panic=1 rootdelay=300 noautodetect" +WINDOWS_OPTIONS="mobyplatform=windows vsyscall=emulate page_poison=1 panic=1 rootdelay=300 noautodetect" # Create a EFI boot file with kernel and initrd. From: # https://github.com/haraldh/mkrescue-uefi/blob/master/mkrescue-uefi.sh diff --git a/base/test/bin/test.sh b/base/test/bin/test.sh index 0d238eb38..f92e75bf5 100755 --- a/base/test/bin/test.sh +++ b/base/test/bin/test.sh 
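Review bot: `page_poison=1` is added one boot configuration at a time (the APPEND line in alpine/cloud/aws/syslinux.cfg, and likewise the azure, make-efi and make-gce hunks), but nothing visible in this commit verifies it on the running system. check-kernel-config.sh only asserts the build-time `CONFIG_PAGE_POISONING*` options. The kernel leaves page poisoning off unless the parameter is on the command line, so a platform whose boot config is missed would silently run without it. A runtime assertion in the test script, for example `grep -q 'page_poison=1' /proc/cmdline`, would catch that. Whether other platform boot configs exist outside this diff cannot be told from here.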
@@ -11,5 +11,5 @@ docker pull armhf/alpine docker run --rm armhf/alpine uname -a docker swarm init docker run mobylinux/check-config:dc29b05bb5cca871f83421e4c4aaa8f5d3c682f4@sha256:5dcdf0e3386ed506a28a59191eaa1ea48261e15199fcbbe8caf8dc1889405b2d -docker run mobylinux/check-kernel-config:766a83e4b1831bef7f748071d0cd7715935d8be2@sha256:6821a7bce30bd013a6cc190d171228f9b02359e9c792858005f401ab15357575 +docker run mobylinux/check-kernel-config:b7616e925bc58ce9f9cc2b60009a95084ef4ca4a@sha256:0799d81892e65743ea606b4151ae3d13b29b70c0ac6f1636e67d3e8b79541150 cat /etc/moby diff --git a/kernel/kernel_config b/kernel/kernel_config index 5dd9fab37..1e4de3aa2 100644 --- a/kernel/kernel_config +++ b/kernel/kernel_config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.5 Kernel Configuration +# Linux/x86 4.9.9 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -465,8 +465,6 @@ CONFIG_PERF_EVENTS_INTEL_RAPL=y CONFIG_PERF_EVENTS_INTEL_CSTATE=y # CONFIG_PERF_EVENTS_AMD_POWER is not set # CONFIG_VM86 is not set -CONFIG_X86_16BIT=y -CONFIG_X86_ESPFIX64=y CONFIG_X86_VSYSCALL_EMULATION=y # CONFIG_I8K is not set CONFIG_MICROCODE=y @@ -561,8 +559,11 @@ CONFIG_SCHED_HRTICK=y # CONFIG_CRASH_DUMP is not set CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y +CONFIG_X86_NEED_RELOCS=y CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_RANDOMIZE_MEMORY=y +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set @@ -571,7 +572,7 @@ CONFIG_HOTPLUG_CPU=y # CONFIG_LEGACY_VSYSCALL_EMULATE is not set CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_CMDLINE_BOOL is not set -CONFIG_MODIFY_LDT_SYSCALL=y +# CONFIG_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y 
@@ -3126,9 +3127,11 @@ CONFIG_DEBUG_KERNEL=y # # Memory Debugging # -# CONFIG_PAGE_EXTENSION is not set +CONFIG_PAGE_EXTENSION=y # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_PAGE_POISONING is not set +CONFIG_PAGE_POISONING=y +CONFIG_PAGE_POISONING_NO_SANITY=y +CONFIG_PAGE_POISONING_ZERO=y # CONFIG_DEBUG_PAGE_REF is not set # CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_SLAB is not set diff --git a/tools/check-kernel-config/check-kernel-config.sh b/tools/check-kernel-config/check-kernel-config.sh index f82f7075d..c4700eca5 100755 --- a/tools/check-kernel-config/check-kernel-config.sh +++ b/tools/check-kernel-config/check-kernel-config.sh @@ -20,6 +20,7 @@ cat unzipped_config | grep CONFIG_DEBUG_RODATA=y cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y +cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y cat unzipped_config | grep CONFIG_SYN_COOKIES=y cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y @@ -30,6 +31,15 @@ cat unzipped_config | grep CONFIG_SECURITY=y cat unzipped_config | grep CONFIG_SECURITY_YAMA=y cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y +cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y +cat unzipped_config | grep CONFIG_SYN_COOKIES=y +cat unzipped_config | grep CONFIG_PAGE_POISONING=y +cat unzipped_config | grep CONFIG_PAGE_POISONING_NO_SANITY=y +cat unzipped_config | grep CONFIG_PAGE_POISONING_ZERO=y +cat unzipped_config | grep CONFIG_LEGACY_VSYSCALL_NONE=y +cat unzipped_config | grep CONFIG_BUG_ON_DATA_CORRUPTION=y +cat unzipped_config | grep CONFIG_RANDOMIZE_BASE=y +cat unzipped_config | grep CONFIG_RANDOMIZE_MEMORY=y # Conditional on kernel version if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then 
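Review bot: In the first check-kernel-config.sh hunk, `CONFIG_IO_STRICT_DEVMEM=y` is checked unconditionally although the script has a "Conditional on kernel version" block (visible at the end of the next hunk), and this option only exists from Linux 4.5. The same applies to `CONFIG_HARDENED_USERCOPY` and `CONFIG_RANDOMIZE_MEMORY` in the next hunk, which as far as I know arrived in 4.8. If the script is meant to pass on older kernels too, these checks belong under a version guard. Otherwise a comment such as `# options below need >= 4.8; only 4.9+ images are checked` would record the decision. The body of the conditional block lies outside the hunk.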
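Review bot: In the second check-kernel-config.sh hunk, the added `CONFIG_SYN_COOKIES=y` line duplicates the check a few lines up (visible as context in the previous hunk) and can be dropped. The new `CONFIG_LEGACY_VSYSCALL_NONE=y` check covers only the compiled-in default: every boot configuration touched by this commit still passes `vsyscall=emulate`, which overrides that default at boot, so a passing check does not mean vsyscalls are disabled on the running system. If emulation is kept deliberately for compatibility, a comment like `# build default only; boot cmdline still sets vsyscall=emulate` would keep the check from being misread. The patterns are also unanchored; `grep -x 'CONFIG_RANDOMIZE_BASE=y' unzipped_config` matches the whole line and avoids the extra `cat`.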
@@ -51,3 +61,5 @@ cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set' cat unzipped_config | grep 'CONFIG_KEXEC is not set' cat unzipped_config | grep 'CONFIG_HIBERNATION is not set' cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set' +cat unzipped_config | grep 'CONFIG_X86_X32 is not set' +cat unzipped_config | grep 'CONFIG_MODIFY_LDT_SYSCALL is not set' diff --git a/tools/mkimage-gce/make-gce b/tools/mkimage-gce/make-gce index 67ddec72c..09795e501 100755 --- a/tools/mkimage-gce/make-gce +++ b/tools/mkimage-gce/make-gce @@ -26,7 +26,7 @@ KERNEL="$(find . -name vmlinuz64 -or -name bzImage)" find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf # should be externally provided as GCE specific -GCE_CONFIG="earlyprintk=ttyS0,115200 console=ttyS0,115200 mobyplatform=gcp vsyscall=emulate" +GCE_CONFIG="earlyprintk=ttyS0,115200 console=ttyS0,115200 mobyplatform=gcp vsyscall=emulate page_poison=1" CFG="DEFAULT linux LABEL linux
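Review bot: The two checks added at the end of check-kernel-config.sh match the literal comment `CONFIG_… is not set`, so they fail when the symbol is missing from the config altogether. That is what happens when a symbol's Kconfig dependencies are unmet, even though the feature is then equally disabled. Asserting the absence of the enabled form states the intent more directly, e.g. `if grep -q '^CONFIG_MODIFY_LDT_SYSCALL=y' unzipped_config; then exit 1; fi`. An `if` is used rather than `! grep` because a negated command does not trip `set -e`; whether the script sets `-e` is not visible in this hunk.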