Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity

Make hardenDefconfig more manageable

Browse Source 
No functional changes

Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2022-10-03 08:24:34 -04:00
parent da2e44c5f3
commit c9b14ae70d
No known key found for this signature in database
GPG Key ID: B286E9F57A07424B
2 changed files with 57 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
PrebuiltApps

@ -1 +1 @@
Subproject commit 8e7c49c355c78e23a479eabf1dc9f6ad2e5de97b
Subproject commit 06ac85aa9a84680b22721786f596d2721ef9048e

69
Scripts/Common/Functions.sh
View File

@ -783,7 +783,9 @@ hardenDefconfig() {
#Enable supported options
#Linux <3.0
declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES");
declare -a optionsYes=("BUG" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES");
optionsYes+=("DEBUG_KERNEL" "DEBUG_CREDENTIALS" "DEBUG_LIST" "DEBUG_VIRTUAL");
optionsYes+=("DEBUG_RODATA" "DEBUG_SET_MODULE_RONX");
#optionsYes+=("DEBUG_SG"); #bootloops - https://patchwork.kernel.org/patch/8989981
if [[ $kernelVersion == "3."* ]] || [[ $kernelVersion == "4.4"* ]] || [[ $kernelVersion == "4.9"* ]]; then
@ -859,7 +861,8 @@ hardenDefconfig() {
optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
#Linux 5.0
optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
optionsYes+=("ARM64_PTR_AUTH"); #can stall CPUs on boot if missing support
optionsYes+=("RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
#Linux 5.2
optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
@ -900,9 +903,6 @@ hardenDefconfig() {
#out of tree or renamed or removed ?
optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
#Time hardware
#if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi;
#Hardware enablement #XXX: This needs a better home
optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
@ -930,22 +930,65 @@ hardenDefconfig() {
fi;
done
#Disable supported options
#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile), PROC_PAGE_MONITOR (breaks memory stats), SCHED_DEBUG (breaks compile), INET_DIAG
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BLK_DEV_FD" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "FB_VIRTUAL" "HARDENED_USERCOPY_FALLBACK" "HARDENED_USERCOPY_PAGESPAN" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
#optionsNo+=("CFI_PERMISSIVE");
#debugging
declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE");
optionsNo+=("CHECKPOINT_RESTORE" "MEM_SOFT_DIRTY");
optionsNo+=("CP_ACCESS64" "WLAN_FEATURE_MEMDUMP");
optionsNo+=("DEBUG_ATOMIC_SLEEP" "DEBUG_BUS_VOTER" "DEBUG_MUTEXES" "DEBUG_KMEMLEAK" "DEBUG_PAGEALLOC" "DEBUG_STACK_USAGE" "DEBUG_SPINLOCK");
optionsNo+=("DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "PROC_KCORE" "PROC_VMCORE" "X86_PTDUMP");
optionsNo+=("HWPOISON_INJECT" "NOTIFIER_ERROR_INJECTION");
optionsNo+=("INPUT_EVBUG");
optionsNo+=("IOMMU_DEBUG" "IOMMU_DEBUG_TRACKING" "IOMMU_NON_SECURE" "IOMMU_TESTS");
optionsNo+=("L2TP_DEBUGFS" "LOCKUP_DETECTOR" "LOG_BUF_MAGIC" "PREEMPT_TRACER");
optionsNo+=("MMIOTRACE" "MMIOTRACE_TEST");
optionsNo+=("PAGE_OWNER");
optionsNo+=("SLUB_DEBUG" "SLUB_DEBUG_ON");
optionsNo+=("TIMER_STATS" "ZSMALLOC_STAT");
optionsNo+=("UPROBES");
#optionsNo+=("STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE"); #GCC only
if [[ $kernelVersion == "4."* ]] || [[ $kernelVersion == "5."* ]]; then
#optionsNo+=("DEBUG_FS");
optionsNo+=("FTRACE" "KPROBE_EVENTS" "UPROBE_EVENTS" "GENERIC_TRACER" "FUNCTION_TRACER" "STACK_TRACER" "HIST_TRIGGERS" "BLK_DEV_IO_TRACE" "FAIL_FUTEX" "DYNAMIC_DEBUG");
fi;
optionsNo+=("DEBUG_ATOMIC_SLEEP" "DEBUG_BUS_VOTER" "DEBUG_MUTEXES" "DEBUG_PAGEALLOC" "DEBUG_STACK_USAGE" "FB_MSM_MDSS_XLOG_DEBUG" "HAVE_DEBUG_BUGVERBOSE" "HAVE_DEBUG_KMEMLEAK" "IOMMU_DEBUG" "IOMMU_DEBUG_TRACKING" "IOMMU_TESTS" "L2TP_DEBUGFS" "LOCKUP_DETECTOR" "LOG_BUF_MAGIC" "MSMB_CAMERA_DEBUG" "MSM_CAMERA_DEBUG" "MSM_SMD_DEBUG" "PREEMPT_TRACER" "DEBUG_SPINLOCK");
if [[ "$1" != *"kernel/oneplus/sm8250"* ]]; then
optionsNo+=("CORESIGHT_CSR" "CORESIGHT_CTI_SAVE_DISABLE" "CORESIGHT_CTI" "CORESIGHT_DBGUI" "CORESIGHT_ETM" "CORESIGHT_ETMV4" "CORESIGHT_EVENT" "CORESIGHT_FUNNEL" "CORESIGHT_FUSE" "CORESIGHT_HWEVENT" "CORESIGHT_QPDI" "CORESIGHT_REMOTE_ETM" "CORESIGHT_REPLICATOR" "CORESIGHT_STM_DEFAULT_ENABLE" "CORESIGHT_STM" "CORESIGHT_TMC" "CORESIGHT_TPDA" "CORESIGHT_TPDM_DEFAULT_ENABLE" "CORESIGHT_TPDM" "CORESIGHT_TPIU" "CORESIGHT" "HAVE_CORESIGHT_SINK" "OF_CORESIGHT");
optionsNo+=("CORESIGHT_CSR" "CORESIGHT_CTI_SAVE_DISABLE" "CORESIGHT_CTI" "CORESIGHT_DBGUI" "CORESIGHT_ETM" "CORESIGHT_ETMV4" "CORESIGHT_EVENT" "CORESIGHT_FUNNEL" "CORESIGHT_FUSE" "CORESIGHT_HWEVENT" "CORESIGHT_QPDI" "CORESIGHT_REMOTE_ETM" "CORESIGHT_REPLICATOR" "CORESIGHT_STM_DEFAULT_ENABLE" "CORESIGHT_STM" "CORESIGHT_TMC" "CORESIGHT_TPDA" "CORESIGHT_TPDM_DEFAULT_ENABLE" "CORESIGHT_TPDM" "CORESIGHT_TPIU" "CORESIGHT" "OF_CORESIGHT");
fi;
if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
#legacy
optionsNo+=("BINFMT_AOUT" "BINFMT_MISC");
optionsNo+=("COMPAT_BRK" "COMPAT_VDSO");
optionsNo+=("LDISC_AUTOLOAD" "LEGACY_PTYS");
optionsNo+=("MODIFY_LDT_SYSCALL");
optionsNo+=("OABI_COMPAT");
optionsNo+=("USELIB");
optionsNo+=("X86_IOPL_IOPERM" "X86_VSYSCALL_EMULATION");
#unnecessary
optionsNo+=("BLK_DEV_FD" "BT_HS" "IO_URING" "IP_DCCP" "IP_SCTP" "VIDEO_VIVID" "FB_VIRTUAL" "RDS" "RDS_TCP");
optionsNo+=("HIBERNATION");
optionsNo+=("KEXEC" "KEXEC_FILE");
optionsNo+=("KSM" "UKSM");
optionsNo+=("LIVEPATCH");
optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
#unsafe
optionsNo+=("GCC_PLUGIN_RANDSTRUCT_PERFORMANCE");
optionsNo+=("HARDENED_USERCOPY_FALLBACK");
optionsNo+=("SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS");
optionsNo+=("SLAB_MERGE_DEFAULT");
optionsNo+=("USERFAULTFD");
#optionsNo+=("CFI_PERMISSIVE");
#???
optionsNo+=("FB_MSM_MDSS_XLOG_DEBUG" "MSM_BUSPM_DEV" "MSMB_CAMERA_DEBUG" "MSM_CAMERA_DEBUG" "MSM_SMD_DEBUG");
optionsNo+=("NEEDS_SYSCALL_FOR_CMPXCHG");
optionsNo+=("TSC" "TSPP2");
#breakage
optionsNo+=("HARDENED_USERCOPY_PAGESPAN");
#optionsNo+=("IKCONFIG"); #breaks recovery
#optionsNo+=("KALLSYMS"); #breaks boot on select devices
#optionsNo+=("MAGIC_SYSRQ"); #breaks compile
#optionsNo+=("MSM_DLOAD_MODE"); #breaks compile
#optionsNo+=("MSM_SMP2P_TEST" "INET_DIAG");
#optionsNo+=("PROC_PAGE_MONITOR"); #breaks memory stats
#optionsNo+=("SCHED_DEBUG"); #breaks compile
for option in "${optionsNo[@]}"
do