This looks like there are a couple of minor fixes to the
recent KPTI changes but nothing major...
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This contains the fixes to the eBPF verifier which allowed
privilege escalation in 4.9 and 4.14 kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The update in 6ede240737 ("kernel: Update to
4.14.1/4.13.15/4.9.64/4.4.100") failed to build on aarch64.
This fixes it.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
REFCOUNT_FULL enables full reference count validation. There is a
potential slow down but ti protects against certain use-after-free
attacks.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
On 4.13 and 4.14 kernels GCC_PLUGIN_RANDSTRUCT can be use to randomise
some kernel data structures such as structs with function pointers.
We also select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE which
tries harder to restrict randomisation to cache-lines in order to reduce
performance impact.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.13 and 4.14 kernels support GCC_PLUGIN_STRUCTLEAK, a GCC plugin
to zero initialise any structures with the __user attribute to prevent
information exposure.
On 4.14 kernels also enable GCC_PLUGIN_STRUCTLEAK_BYREF_ALL which is
an extension of the above
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The previous commit used the 4.13.x config files as the
4.14.x config files. This commit stashes the result of
running the 4.14.x oldconfig over them.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The kernel config files are a copy of the 4.13 kernel configs,
which will be refined in subsequent commits.
This does not yet include any patches which may
be required for LCOW.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
