Break up hardenDefconfig for readability and debugging purposes
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
79132fddef
commit
441a66bbb0
@ -663,12 +663,109 @@ hardenDefconfig() {
|
||||
local defconfigPath=$(getDefconfig)
|
||||
|
||||
#Enable supported options
|
||||
#Linux <3.0
|
||||
declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "SLUB_DEBUG" "STRICT_DEVMEM" "SYN_COOKIES");
|
||||
#Disabled: DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
|
||||
declare -a optionsYes=("ARM64_PTR_AUTH" "ARM64_SW_TTBR0_PAN" "ARM64_UAO" "ASYMMETRIC_KEY_TYPE" "ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "BUG" "BUG_ON_DATA_CORRUPTION" "CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG" "CPU_SW_DOMAIN_PAN" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "DEBUG_WX" "FORTIFY_SOURCE" "HARDEN_BRANCH_PREDICTOR" "HARDENED_USERCOPY" "HARDEN_EL2_VECTORS" "INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "INIT_STACK_ALL" "INIT_STACK_ALL_ZERO" "IO_STRICT_DEVMEM" "IPV6_PRIVACY" "KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "LEGACY_VSYSCALL_NONE" "MMC_SECDISCARD" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY" "PAGE_POISONING_ZERO" "PAGE_TABLE_ISOLATION" "PANIC_ON_OOPS" "PKCS7_MESSAGE_PARSER" "RANDOMIZE_BASE" "RANDOMIZE_MEMORY" "REFCOUNT_FULL" "RETPOLINE" "RODATA_FULL_DEFAULT_ENABLED" "SCHED_STACK_END_CHECK" "SECCOMP" "SECCOMP_FILTER" "SECURITY" "SECURITY_DMESG_RESTRICT" "SECURITY_PERF_EVENTS_RESTRICT" "SECURITY_YAMA" "SECURITY_YAMA_STACKED" "SHUFFLE_PAGE_ALLOCATOR" "SLAB_FREELIST_HARDENED" "SLAB_FREELIST_RANDOM" "SLAB_HARDENED" "SLUB_DEBUG" "SLUB_HARDENED" "STACKPROTECTOR" "STACKPROTECTOR_PER_TASK" "STACKPROTECTOR_STRONG" "STRICT_DEVMEM" "STRICT_KERNEL_RWX" "STRICT_MEMORY_RWX" "STRICT_MODULE_RWX" "SYN_COOKIES" "SYSTEM_TRUSTED_KEYRING" "THREAD_INFO_IN_TASK" "UNMAP_KERNEL_AT_EL0" "VMAP_STACK" "X509_CERTIFICATE_PARSER");
|
||||
#optionsYes+="GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
|
||||
optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_CANARY" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
|
||||
|
||||
#Linux 3.4
|
||||
optionsYes+=("SECURITY_YAMA");
|
||||
|
||||
#Linux 3.5
|
||||
optionsYes+=("PANIC_ON_OOPS" "SECCOMP_FILTER");
|
||||
|
||||
#Linux 3.7
|
||||
optionsYes+=("ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER");
|
||||
|
||||
#Linux 3.13
|
||||
optionsYes+=("SYSTEM_TRUSTED_KEYRING");
|
||||
|
||||
#Linux 3.14
|
||||
optionsYes+=("CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG");
|
||||
|
||||
#Linux 3.17
|
||||
optionsYes+=("PKCS7_MESSAGE_PARSER");
|
||||
|
||||
#Linux 3.18
|
||||
optionsYes+=("HARDENED_USERCOPY" "SCHED_STACK_END_CHECK");
|
||||
|
||||
#Linux 4.3
|
||||
optionsYes+=("ARM64_PAN" "CPU_SW_DOMAIN_PAN");
|
||||
|
||||
#Linux 4.4
|
||||
optionsYes+=("LEGACY_VSYSCALL_NONE");
|
||||
|
||||
#Linux 4.5
|
||||
optionsYes+=("IO_STRICT_DEVMEM");
|
||||
|
||||
#Linux 4.6
|
||||
optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY");
|
||||
|
||||
#Linux 4.7
|
||||
optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
|
||||
|
||||
#Linux 4.8
|
||||
optionsYes+=("RANDOMIZE_MEMORY");
|
||||
|
||||
#Linux 4.9
|
||||
optionsYes+=("THREAD_INFO_IN_TASK" "VMAP_STACK");
|
||||
|
||||
#Linux 4.10
|
||||
optionsYes+=("ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION");
|
||||
|
||||
#Linux 4.11
|
||||
optionsYes+=("STRICT_KERNEL_RWX" "STRICT_MODULE_RWX");
|
||||
|
||||
#Linux 4.13
|
||||
optionsYes+=("FORTIFY_SOURCE" "REFCOUNT_FULL");
|
||||
|
||||
#Linux 4.14
|
||||
optionsYes+=("SLAB_FREELIST_HARDENED");
|
||||
|
||||
#Linux 4.15
|
||||
optionsYes+=("PAGE_TABLE_ISOLATION" "RETPOLINE");
|
||||
|
||||
#Linux 4.16
|
||||
optionsYes+=("UNMAP_KERNEL_AT_EL0");
|
||||
|
||||
#Linux 4.17
|
||||
optionsYes+=("HARDEN_EL2_VECTORS");
|
||||
|
||||
#Linux 4.18
|
||||
optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
|
||||
|
||||
#Linux 4.19
|
||||
optionsYes+=("PAGE_POISONING_ZERO");
|
||||
|
||||
#Linux 5.0
|
||||
optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
|
||||
|
||||
#Linux 5.2
|
||||
optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
|
||||
|
||||
#Linux 5.3
|
||||
optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
|
||||
|
||||
#Linux 5.8
|
||||
optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
|
||||
|
||||
#Linux 5.9
|
||||
optionsYes+=("INIT_STACK_ALL_ZERO");
|
||||
|
||||
#GCC Plugins - 4.19 - 5.2
|
||||
#optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
|
||||
|
||||
#GrapheneOS Patches
|
||||
optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_CANARY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
|
||||
|
||||
#out of tree or renamed or removed ?
|
||||
optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
|
||||
|
||||
#Time hardware
|
||||
#if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi;
|
||||
optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER"); #XXX: This needs a better home
|
||||
|
||||
#Hardware enablement #XXX: This needs a better home
|
||||
optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
|
||||
|
||||
for option in "${optionsYes[@]}"
|
||||
do
|
||||
sed -i 's/# '"CONFIG_$option"' is not set/'"CONFIG_$option"'=y/' $defconfigPath &>/dev/null || true;
|
||||
@ -682,12 +779,11 @@ hardenDefconfig() {
|
||||
#Disable supported options
|
||||
#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile)
|
||||
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_PAGE_MONITOR" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
|
||||
#if [[ "$1" != *"kernel/htc/msm8994"* ]] && [[ "$1" != *"kernel/samsung/smdk4412"* ]] && [[ "$1" != *"kernel/htc/flounder"* ]] && [[ "$1" != *"kernel/amazon/hdx-common"* ]] && [[ "$1" != *"msm899"* ]] && [[ "$1" != *"sdm8"* ]] && [[ "$1" != *"sdm6"* ]]; then
|
||||
#optionsNo+=("DIAG_CHAR" "DIAG_OVER_USB" "USB_QCOM_DIAG_BRIDGE" "DIAGFWD_BRIDGE_CODE" "DIAG_SDIO_PIPE" "DIAG_HSIC_PIPE");
|
||||
#fi;
|
||||
|
||||
if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
|
||||
optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
|
||||
#optionsNo+=("LTO_CLANG"); #Can easily require 64GB of RAM on host system to compile
|
||||
|
||||
for option in "${optionsNo[@]}"
|
||||
do
|
||||
sed -i 's/'"CONFIG_$option"'=y/# '"CONFIG_$option"' is not set/' $defconfigPath &>/dev/null || true;
|
||||
@ -699,6 +795,7 @@ hardenDefconfig() {
|
||||
fi;
|
||||
fi;
|
||||
done
|
||||
|
||||
#Extras
|
||||
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath &>/dev/null || true;
|
||||
sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath &>/dev/null || true;
|
||||
|
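Review bot: The rebuilt optionsYes list is not a pure regrouping of the old one — as far as the rendering lets me tell, `ARM64_PAN` (the Linux 4.3 line) and `ARM64_BTI_KERNEL` (the Linux 5.8 line) do not appear in the long single-line `declare -a optionsYes=(...)` that the first hunk replaces, so this commit also changes which options get enabled, which the "readability and debugging" title does not say. If that is intended, a comment on those two lines should say so, e.g. `#Linux 4.3 (ARM64_PAN is newly enabled by this change)`, otherwise they should be dropped from this commit. Note also that the per-version headings are comments only: every entry is fed to the same sed loop at the end of the hunk, which only rewrites lines already present as `# CONFIG_X is not set` and discards errors with `&>/dev/null || true`, so an option a given defconfig never mentions is skipped without any trace. For the stated debugging goal, a check after the sed such as `grep -q "^CONFIG_$option=y" "$defconfigPath" || printf 'hardenDefconfig: %s not applied\n' "$option" >&2` would make the silently skipped hardening options visible (and quotes the path, which the existing `$defconfigPath` does not). hardenDefconfig() begins and ends outside the hunks shown.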