REFCOUNT_FULL enables full reference count validation. There is a
potential slow down but ti protects against certain use-after-free
attacks.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
On 4.13 and 4.14 kernels GCC_PLUGIN_RANDSTRUCT can be use to randomise
some kernel data structures such as structs with function pointers.
We also select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE which
tries harder to restrict randomisation to cache-lines in order to reduce
performance impact.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.13 and 4.14 kernels support GCC_PLUGIN_STRUCTLEAK, a GCC plugin
to zero initialise any structures with the __user attribute to prevent
information exposure.
On 4.14 kernels also enable GCC_PLUGIN_STRUCTLEAK_BYREF_ALL which is
an extension of the above
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Note: There were more conflicts in applying the
vmbus patches to 4.13. For now I've just skipped the
conflicting patches so the end-result may be that
Hyper-V sockets on 4.13 may break (if they were not
already broken by the update to 4.13.6).
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
It's kinda obvious that these are kernel configuration files
and, looking at various other distros it seems more common
to call the files 'config-<foo>'.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
