From c77b192a399ee3af93c90dec1603571ae497e091 Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Fri, 10 Feb 2017 19:27:20 -0800 Subject: [PATCH 1/5] Bump kernel config to 4.9.8 Signed-off-by: Riyaz Faizullabhoy --- kernel/kernel_config | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/kernel/kernel_config b/kernel/kernel_config index 5dd9fab37..80038184d 100644 --- a/kernel/kernel_config +++ b/kernel/kernel_config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.5 Kernel Configuration +# Linux/x86 4.9.8 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -190,12 +190,10 @@ CONFIG_RD_GZIP=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_SYSCTL=y CONFIG_ANON_INODES=y -CONFIG_HAVE_UID16=y CONFIG_SYSCTL_EXCEPTION_TRACE=y CONFIG_HAVE_PCSPKR_PLATFORM=y CONFIG_BPF=y CONFIG_EXPERT=y -CONFIG_UID16=y CONFIG_MULTIUSER=y CONFIG_SGETMASK_SYSCALL=y CONFIG_SYSFS_SYSCALL=y @@ -275,8 +273,6 @@ CONFIG_HAVE_ARCH_JUMP_LABEL=y CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_HAVE_CMPXCHG_LOCAL=y CONFIG_HAVE_CMPXCHG_DOUBLE=y -CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y -CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y CONFIG_HAVE_GCC_PLUGINS=y @@ -299,14 +295,10 @@ CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y CONFIG_ARCH_MMAP_RND_BITS=28 -CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y -CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set # CONFIG_ISA_BUS_API is not set -CONFIG_OLD_SIGSUSPEND3=y -CONFIG_COMPAT_OLD_SIGACTION=y # CONFIG_CPU_NO_EFFICIENT_FFS is not set CONFIG_HAVE_ARCH_VMAP_STACK=y CONFIG_VMAP_STACK=y @@ -360,7 +352,6 @@ CONFIG_MSDOS_PARTITION=y CONFIG_EFI_PARTITION=y # CONFIG_SYSV68_PARTITION is not set # CONFIG_CMDLINE_PARTITION is not set -CONFIG_BLOCK_COMPAT=y CONFIG_BLK_MQ_PCI=y # 
@@ -465,8 +456,6 @@ CONFIG_PERF_EVENTS_INTEL_RAPL=y CONFIG_PERF_EVENTS_INTEL_CSTATE=y # CONFIG_PERF_EVENTS_AMD_POWER is not set # CONFIG_VM86 is not set -CONFIG_X86_16BIT=y -CONFIG_X86_ESPFIX64=y CONFIG_X86_VSYSCALL_EMULATION=y # CONFIG_I8K is not set CONFIG_MICROCODE=y From 8fdc58e86790f052d26ed4631e67ddb044df8dbf Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Fri, 10 Feb 2017 19:27:42 -0800 Subject: [PATCH 2/5] Harden kernel config with page poisoning, randomized mem, disabling ia32 and ldt syscall modification Signed-off-by: Riyaz Faizullabhoy --- kernel/kernel_config | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/kernel/kernel_config b/kernel/kernel_config index 80038184d..9b1f449cc 100644 --- a/kernel/kernel_config +++ b/kernel/kernel_config @@ -550,17 +550,19 @@ CONFIG_SCHED_HRTICK=y # CONFIG_CRASH_DUMP is not set CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y +CONFIG_X86_NEED_RELOCS=y CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_RANDOMIZE_MEMORY=y +CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set -# CONFIG_COMPAT_VDSO is not set # CONFIG_LEGACY_VSYSCALL_NATIVE is not set # CONFIG_LEGACY_VSYSCALL_EMULATE is not set CONFIG_LEGACY_VSYSCALL_NONE=y # CONFIG_CMDLINE_BOOL is not set -CONFIG_MODIFY_LDT_SYSCALL=y +# CONFIG_MODIFY_LDT_SYSCALL is not set CONFIG_HAVE_LIVEPATCH=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y 
@@ -731,20 +733,14 @@ CONFIG_AMD_NB=y # Executable file formats / Emulations # CONFIG_BINFMT_ELF=y -CONFIG_COMPAT_BINFMT_ELF=y CONFIG_ELFCORE=y # CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y -CONFIG_IA32_EMULATION=y -# CONFIG_IA32_AOUT is not set +# CONFIG_IA32_EMULATION is not set # CONFIG_X86_X32 is not set -CONFIG_COMPAT=y -CONFIG_COMPAT_FOR_U64_ALIGNMENT=y -CONFIG_SYSVIPC_COMPAT=y -CONFIG_KEYS_COMPAT=y CONFIG_X86_DEV_DMA_OPS=y CONFIG_PMC_ATOM=y CONFIG_NET=y @@ -3115,9 +3111,11 @@ CONFIG_DEBUG_KERNEL=y # # Memory Debugging # -# CONFIG_PAGE_EXTENSION is not set +CONFIG_PAGE_EXTENSION=y # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_PAGE_POISONING is not set +CONFIG_PAGE_POISONING=y +CONFIG_PAGE_POISONING_NO_SANITY=y +CONFIG_PAGE_POISONING_ZERO=y # CONFIG_DEBUG_PAGE_REF is not set # CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_SLAB is not set From 24c029ab8a6319295d73c8ea4a45f0a8cc1255c1 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Mon, 13 Feb 2017 14:27:41 +0000 Subject: [PATCH 3/5] Update kernel config check for suggested values This should be done with #1175 Config not updated as may still need changes Signed-off-by: Justin Cormack --- tools/check-kernel-config/check-kernel-config.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tools/check-kernel-config/check-kernel-config.sh b/tools/check-kernel-config/check-kernel-config.sh index f82f7075d..ca033fbd2 100755 --- a/tools/check-kernel-config/check-kernel-config.sh +++ b/tools/check-kernel-config/check-kernel-config.sh 
@@ -20,6 +20,7 @@ cat unzipped_config | grep CONFIG_DEBUG_RODATA=y cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR=y cat unzipped_config | grep CONFIG_CC_STACKPROTECTOR_STRONG=y cat unzipped_config | grep CONFIG_STRICT_DEVMEM=y +cat unzipped_config | grep CONFIG_IO_STRICT_DEVMEM=y cat unzipped_config | grep CONFIG_SYN_COOKIES=y cat unzipped_config | grep CONFIG_DEBUG_CREDENTIALS=y cat unzipped_config | grep CONFIG_DEBUG_NOTIFIERS=y @@ -30,6 +31,15 @@ cat unzipped_config | grep CONFIG_SECURITY=y cat unzipped_config | grep CONFIG_SECURITY_YAMA=y cat unzipped_config | grep CONFIG_PANIC_ON_OOPS=y cat unzipped_config | grep CONFIG_DEBUG_SET_MODULE_RONX=y +cat unzipped_config | grep CONFIG_HARDENED_USERCOPY=y +cat unzipped_config | grep CONFIG_SYN_COOKIES=y +cat unzipped_config | grep CONFIG_PAGE_POISONING=y +cat unzipped_config | grep CONFIG_PAGE_POISONING_NO_SANITY=y +cat unzipped_config | grep CONFIG_PAGE_POISONING_ZERO=y +cat unzipped_config | grep CONFIG_LEGACY_VSYSCALL_NONE=y +cat unzipped_config | grep CONFIG_BUG_ON_DATA_CORRUPTION=y +cat unzipped_config | grep CONFIG_RANDOMIZE_BASE=y +cat unzipped_config | grep CONFIG_RANDOMIZE_MEMORY=y # Conditional on kernel version if [ "$kernelMajor" -ge 4 -a "$kernelMinor" -ge 5 ]; then @@ -51,3 +61,7 @@ cat unzipped_config | grep 'CONFIG_COMPAT_VDSO is not set' cat unzipped_config | grep 'CONFIG_KEXEC is not set' cat unzipped_config | grep 'CONFIG_HIBERNATION is not set' cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set' +cat unzipped_config | grep 'CONFIG_X86_X32 is not set' +cat unzipped_config | grep 'CONFIG_MODIFY_LDT_SYSCALL is not set' +cat unzipped_config | grep 'CONFIG_KEXEC is not set' +cat unzipped_config | grep 'CONFIG_HIBERNATION is not set' From 7036d3d676b975ab4b8aeb127ccb1d84fde7ab7f Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Mon, 13 Feb 2017 10:16:46 -0800 Subject: [PATCH 4/5] Add page_poison=1 to boot args 
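Review bot: The `CONFIG_IO_STRICT_DEVMEM=y` check added in the `@@ -20,6 +20,7 @@` hunk, and `CONFIG_HARDENED_USERCOPY=y`, `CONFIG_PAGE_POISONING_ZERO=y`, `CONFIG_RANDOMIZE_MEMORY=y` and `CONFIG_BUG_ON_DATA_CORRUPTION=y` in the `@@ -30,6 +31,15 @@` hunk, run unconditionally although each option exists only from a particular kernel release onward; they sit above the `# Conditional on kernel version` block rather than inside it. As far as I know `CONFIG_BUG_ON_DATA_CORRUPTION` first appears in 4.10, so that check would presumably fail against the 4.9.x config this series ships, which fits the commit message's "Config not updated". I would move these lines under a guard such as `if [ "$kernelMajor" -gt 4 ] || { [ "$kernelMajor" -eq 4 ] && [ "$kernelMinor" -ge 10 ]; }; then`, because the existing `-ge 4 -a ... -ge 5` test would also reject a 5.0 kernel. The script body continues outside both hunks, so whether a failed grep aborts the run (for example through `set -e`) is not visible here.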
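Review bot: `cat unzipped_config | grep CONFIG_SYN_COOKIES=y` in the `@@ -30,6 +31,15 @@` hunk repeats a check that is already a context line of the previous hunk, and the `@@ -51,3 +61,7 @@` hunk re-adds `'CONFIG_KEXEC is not set'` and `'CONFIG_HIBERNATION is not set'` directly below the existing copies. The repeats do no harm at run time but make the list harder to audit against the recommended settings it tracks, so the three duplicated lines should be dropped. The new patterns are also unanchored substrings; an exact-line match such as `grep -x 'CONFIG_RANDOMIZE_BASE=y' unzipped_config` would stop a longer option name that merely contains the string from satisfying the check.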
Signed-off-by: Riyaz Faizullabhoy --- alpine/cloud/aws/syslinux.cfg | 2 +- alpine/cloud/azure/syslinux.cfg | 2 +- base/mkimage-iso-efi/make-efi | 2 +- tools/mkimage-gce/make-gce | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/alpine/cloud/aws/syslinux.cfg b/alpine/cloud/aws/syslinux.cfg index fb284b205..944ecb431 100644 --- a/alpine/cloud/aws/syslinux.cfg +++ b/alpine/cloud/aws/syslinux.cfg @@ -4,4 +4,4 @@ PROMPT 0 LABEL linux KERNEL /vmlinuz64 INITRD /initrd.img - APPEND root=/dev/xvdb1 console=tty0 console=tty1 console=ttyS0 mobyplatform=aws vsyscall=emulate + APPEND root=/dev/xvdb1 console=tty0 console=tty1 console=ttyS0 mobyplatform=aws vsyscall=emulate page_poison=1 diff --git a/alpine/cloud/azure/syslinux.cfg b/alpine/cloud/azure/syslinux.cfg index 0dbb4297f..fd07dba79 100644 --- a/alpine/cloud/azure/syslinux.cfg +++ b/alpine/cloud/azure/syslinux.cfg @@ -2,4 +2,4 @@ DEFAULT linux LABEL linux KERNEL /vmlinuz64 INITRD /initrd.img - APPEND root=/dev/sda1 rootdelay=300 console=tty1 console=ttyS0 earlyprintk=ttyS0 mobyplatform=azure vsyscall=emulate + APPEND root=/dev/sda1 rootdelay=300 console=tty1 console=ttyS0 earlyprintk=ttyS0 mobyplatform=azure vsyscall=emulate page_poison=1 diff --git a/base/mkimage-iso-efi/make-efi b/base/mkimage-iso-efi/make-efi index 67e0e16c1..9284cdaa3 100755 --- a/base/mkimage-iso-efi/make-efi +++ b/base/mkimage-iso-efi/make-efi @@ -22,7 +22,7 @@ KERNEL="$(find . -name vmlinuz64 -or -name bzImage)" find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf # Docker for Windows specific options, should be moved -WINDOWS_OPTIONS="mobyplatform=windows vsyscall=emulate panic=1 rootdelay=300 noautodetect" +WINDOWS_OPTIONS="mobyplatform=windows vsyscall=emulate page_poison=1 panic=1 rootdelay=300 noautodetect" # Create a EFI boot file with kernel and initrd. From: # https://github.com/haraldh/mkrescue-uefi/blob/master/mkrescue-uefi.sh 
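Review bot: `page_poison=1` is pasted into four separate boot-argument strings (the two `APPEND` lines here, `WINDOWS_OPTIONS` in make-efi and `GCE_CONFIG` in make-gce further down), and nothing in the series verifies that a booted image actually carries it. As far as I know, on a 4.9 kernel `CONFIG_PAGE_POISONING=y` only builds the feature, and freed pages stay unpoisoned unless the parameter is on the command line. An image path that was missed would therefore pass check-kernel-config.sh while running without poisoning. A runtime assertion in the check script, for example `grep -q 'page_poison=1' /proc/cmdline`, would close that gap. Separately, each of these strings still passes `vsyscall=emulate`, which selects vsyscall emulation at boot even though the config and the new check require `CONFIG_LEGACY_VSYSCALL_NONE=y`; it is worth confirming which of the two is intended.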
diff --git a/tools/mkimage-gce/make-gce b/tools/mkimage-gce/make-gce index 67ddec72c..09795e501 100755 --- a/tools/mkimage-gce/make-gce +++ b/tools/mkimage-gce/make-gce @@ -26,7 +26,7 @@ KERNEL="$(find . -name vmlinuz64 -or -name bzImage)" find . -mindepth 1 -maxdepth 1 -type d | xargs rm -rf # should be externally provided as GCE specific -GCE_CONFIG="earlyprintk=ttyS0,115200 console=ttyS0,115200 mobyplatform=gcp vsyscall=emulate" +GCE_CONFIG="earlyprintk=ttyS0,115200 console=ttyS0,115200 mobyplatform=gcp vsyscall=emulate page_poison=1" CFG="DEFAULT linux LABEL linux From 5a5c58c29f4e0dbf51772d7c423746519cc288a3 Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Mon, 13 Feb 2017 10:34:25 -0800 Subject: [PATCH 5/5] Bump kernel config test and revert IA32_EMULATION Signed-off-by: Riyaz Faizullabhoy --- base/test/bin/test.sh | 2 +- kernel/kernel_config | 20 +++++++++++++++++-- .../check-kernel-config.sh | 2 -- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/base/test/bin/test.sh b/base/test/bin/test.sh index 0d238eb38..f92e75bf5 100755 --- a/base/test/bin/test.sh +++ b/base/test/bin/test.sh @@ -11,5 +11,5 @@ docker pull armhf/alpine docker run --rm armhf/alpine uname -a docker swarm init docker run mobylinux/check-config:dc29b05bb5cca871f83421e4c4aaa8f5d3c682f4@sha256:5dcdf0e3386ed506a28a59191eaa1ea48261e15199fcbbe8caf8dc1889405b2d -docker run mobylinux/check-kernel-config:766a83e4b1831bef7f748071d0cd7715935d8be2@sha256:6821a7bce30bd013a6cc190d171228f9b02359e9c792858005f401ab15357575 +docker run mobylinux/check-kernel-config:b7616e925bc58ce9f9cc2b60009a95084ef4ca4a@sha256:0799d81892e65743ea606b4151ae3d13b29b70c0ac6f1636e67d3e8b79541150 cat /etc/moby diff --git a/kernel/kernel_config b/kernel/kernel_config index 9b1f449cc..1e4de3aa2 100644 --- a/kernel/kernel_config +++ b/kernel/kernel_config 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.9.8 Kernel Configuration +# Linux/x86 4.9.9 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -190,10 +190,12 @@ CONFIG_RD_GZIP=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_SYSCTL=y CONFIG_ANON_INODES=y +CONFIG_HAVE_UID16=y CONFIG_SYSCTL_EXCEPTION_TRACE=y CONFIG_HAVE_PCSPKR_PLATFORM=y CONFIG_BPF=y CONFIG_EXPERT=y +CONFIG_UID16=y CONFIG_MULTIUSER=y CONFIG_SGETMASK_SYSCALL=y CONFIG_SYSFS_SYSCALL=y @@ -273,6 +275,8 @@ CONFIG_HAVE_ARCH_JUMP_LABEL=y CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_HAVE_CMPXCHG_LOCAL=y CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y +CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y CONFIG_HAVE_GCC_PLUGINS=y @@ -295,10 +299,14 @@ CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y +CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set # CONFIG_ISA_BUS_API is not set +CONFIG_OLD_SIGSUSPEND3=y +CONFIG_COMPAT_OLD_SIGACTION=y # CONFIG_CPU_NO_EFFICIENT_FFS is not set CONFIG_HAVE_ARCH_VMAP_STACK=y CONFIG_VMAP_STACK=y @@ -352,6 +360,7 @@ CONFIG_MSDOS_PARTITION=y CONFIG_EFI_PARTITION=y # CONFIG_SYSV68_PARTITION is not set # CONFIG_CMDLINE_PARTITION is not set +CONFIG_BLOCK_COMPAT=y CONFIG_BLK_MQ_PCI=y # @@ -558,6 +567,7 @@ CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set +# CONFIG_COMPAT_VDSO is not set # CONFIG_LEGACY_VSYSCALL_NATIVE is not set # CONFIG_LEGACY_VSYSCALL_EMULATE is not set CONFIG_LEGACY_VSYSCALL_NONE=y 
@@ -733,14 +743,20 @@ CONFIG_AMD_NB=y # Executable file formats / Emulations # CONFIG_BINFMT_ELF=y +CONFIG_COMPAT_BINFMT_ELF=y CONFIG_ELFCORE=y # CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y -# CONFIG_IA32_EMULATION is not set +CONFIG_IA32_EMULATION=y +# CONFIG_IA32_AOUT is not set # CONFIG_X86_X32 is not set +CONFIG_COMPAT=y +CONFIG_COMPAT_FOR_U64_ALIGNMENT=y +CONFIG_SYSVIPC_COMPAT=y +CONFIG_KEYS_COMPAT=y CONFIG_X86_DEV_DMA_OPS=y CONFIG_PMC_ATOM=y CONFIG_NET=y diff --git a/tools/check-kernel-config/check-kernel-config.sh b/tools/check-kernel-config/check-kernel-config.sh index ca033fbd2..c4700eca5 100755 --- a/tools/check-kernel-config/check-kernel-config.sh +++ b/tools/check-kernel-config/check-kernel-config.sh @@ -63,5 +63,3 @@ cat unzipped_config | grep 'CONFIG_HIBERNATION is not set' cat unzipped_config | grep 'CONFIG_LEGACY_PTYS is not set' cat unzipped_config | grep 'CONFIG_X86_X32 is not set' cat unzipped_config | grep 'CONFIG_MODIFY_LDT_SYSCALL is not set' -cat unzipped_config | grep 'CONFIG_KEXEC is not set' -cat unzipped_config | grep 'CONFIG_HIBERNATION is not set'