From c9b14ae70d4d42e50cb33eb1d07f7213e699d74d Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 3 Oct 2022 08:24:34 -0400
Subject: [PATCH] Make hardenDefconfig more manageable

No functional changes

Signed-off-by: Tad
---
 PrebuiltApps | 2 +-
 Scripts/Common/Functions.sh | 69 ++++++++++++++++++++++++++++++-------
 2 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/PrebuiltApps b/PrebuiltApps
index 8e7c49c3..06ac85aa 160000
--- a/PrebuiltApps
+++ b/PrebuiltApps
@@ -1 +1 @@
-Subproject commit 8e7c49c355c78e23a479eabf1dc9f6ad2e5de97b
+Subproject commit 06ac85aa9a84680b22721786f596d2721ef9048e
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index a7220fc3..92f9a2c7 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@@ -783,7 +783,9 @@ hardenDefconfig() {
 #Enable supported options
 #Linux <3.0
- declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES");
+ declare -a optionsYes=("BUG" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "STRICT_DEVMEM" "SYN_COOKIES");
+ optionsYes+=("DEBUG_KERNEL" "DEBUG_CREDENTIALS" "DEBUG_LIST" "DEBUG_VIRTUAL");
+ optionsYes+=("DEBUG_RODATA" "DEBUG_SET_MODULE_RONX");
 #optionsYes+=("DEBUG_SG"); #bootloops - https://patchwork.kernel.org/patch/8989981
 if [[ $kernelVersion == "3."* ]] || [[ $kernelVersion == "4.4"* ]] || [[ $kernelVersion == "4.9"* ]]; then
@@ -859,7 +861,8 @@ hardenDefconfig() {
 optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
 #Linux 5.0
- optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
+ optionsYes+=("ARM64_PTR_AUTH"); #can stall CPUs on boot if missing support
+ optionsYes+=("RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
 #Linux 5.2
 optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
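Review bot: The `#Linux <3.0` header now sits over three statements, but nothing says why `DEBUG_KERNEL`/`DEBUG_CREDENTIALS`/`DEBUG_LIST`/`DEBUG_VIRTUAL` and `DEBUG_RODATA`/`DEBUG_SET_MODULE_RONX` were pulled out onto lines of their own, so the grouping reads as arbitrary to the next maintainer. A trailing comment on each split line would carry the intent, for example `optionsYes+=("DEBUG_RODATA" "DEBUG_SET_MODULE_RONX"); #renamed STRICT_KERNEL_RWX / STRICT_MODULE_RWX in 4.11` if that rename is the reason these two are kept apart. hardenDefconfig starts before and ends after this hunk.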
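Review bot: The trailing comment added to the `ARM64_PTR_AUTH` line records a boot hazard but not how the script deals with it: the option is still appended for every kernel that reaches the Linux 5.0 branch and nothing in the hunk gates it. The comment should say what "missing support" refers to and where the hazard is handled (a per-device exclusion, a kernel-version floor, or simply "known open issue"), otherwise a reader cannot tell whether a device that stalls is expected or a regression; something like `#can stall CPUs on boot if missing support; TODO confirm where affected devices are excluded` would at least flag it. hardenDefconfig starts before and ends after this hunk.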
@@ -900,9 +903,6 @@ hardenDefconfig() {
 #out of tree or renamed or removed ?
 optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
- #Time hardware
- #if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi;
-
 #Hardware enablement
 #XXX: This needs a better home
 optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
@@ -930,22 +930,65 @@ hardenDefconfig() {
 fi;
 done
 #Disable supported options
- #Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile), PROC_PAGE_MONITOR (breaks memory stats), SCHED_DEBUG (breaks compile), INET_DIAG
- declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BLK_DEV_FD" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "FB_VIRTUAL" "HARDENED_USERCOPY_FALLBACK" "HARDENED_USERCOPY_PAGESPAN" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
- #optionsNo+=("CFI_PERMISSIVE");
+ #debugging
+ declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE");
+ optionsNo+=("CHECKPOINT_RESTORE" "MEM_SOFT_DIRTY");
+ optionsNo+=("CP_ACCESS64" "WLAN_FEATURE_MEMDUMP");
+ optionsNo+=("DEBUG_ATOMIC_SLEEP" "DEBUG_BUS_VOTER" "DEBUG_MUTEXES" "DEBUG_KMEMLEAK" "DEBUG_PAGEALLOC" "DEBUG_STACK_USAGE" "DEBUG_SPINLOCK");
+ optionsNo+=("DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "PROC_KCORE" "PROC_VMCORE" "X86_PTDUMP");
+ optionsNo+=("HWPOISON_INJECT" "NOTIFIER_ERROR_INJECTION");
+ optionsNo+=("INPUT_EVBUG");
+ optionsNo+=("IOMMU_DEBUG" 
"IOMMU_DEBUG_TRACKING" "IOMMU_NON_SECURE" "IOMMU_TESTS"); + optionsNo+=("L2TP_DEBUGFS" "LOCKUP_DETECTOR" "LOG_BUF_MAGIC" "PREEMPT_TRACER"); + optionsNo+=("MMIOTRACE" "MMIOTRACE_TEST"); + optionsNo+=("PAGE_OWNER"); optionsNo+=("SLUB_DEBUG" "SLUB_DEBUG_ON"); + optionsNo+=("TIMER_STATS" "ZSMALLOC_STAT"); + optionsNo+=("UPROBES"); + #optionsNo+=("STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE"); #GCC only if [[ $kernelVersion == "4."* ]] || [[ $kernelVersion == "5."* ]]; then #optionsNo+=("DEBUG_FS"); optionsNo+=("FTRACE" "KPROBE_EVENTS" "UPROBE_EVENTS" "GENERIC_TRACER" "FUNCTION_TRACER" "STACK_TRACER" "HIST_TRIGGERS" "BLK_DEV_IO_TRACE" "FAIL_FUTEX" "DYNAMIC_DEBUG"); fi; - optionsNo+=("DEBUG_ATOMIC_SLEEP" "DEBUG_BUS_VOTER" "DEBUG_MUTEXES" "DEBUG_PAGEALLOC" "DEBUG_STACK_USAGE" "FB_MSM_MDSS_XLOG_DEBUG" "HAVE_DEBUG_BUGVERBOSE" "HAVE_DEBUG_KMEMLEAK" "IOMMU_DEBUG" "IOMMU_DEBUG_TRACKING" "IOMMU_TESTS" "L2TP_DEBUGFS" "LOCKUP_DETECTOR" "LOG_BUF_MAGIC" "MSMB_CAMERA_DEBUG" "MSM_CAMERA_DEBUG" "MSM_SMD_DEBUG" "PREEMPT_TRACER" "DEBUG_SPINLOCK"); - if [[ "$1" != *"kernel/oneplus/sm8250"* ]]; then - optionsNo+=("CORESIGHT_CSR" "CORESIGHT_CTI_SAVE_DISABLE" "CORESIGHT_CTI" "CORESIGHT_DBGUI" "CORESIGHT_ETM" "CORESIGHT_ETMV4" "CORESIGHT_EVENT" "CORESIGHT_FUNNEL" "CORESIGHT_FUSE" "CORESIGHT_HWEVENT" "CORESIGHT_QPDI" "CORESIGHT_REMOTE_ETM" "CORESIGHT_REPLICATOR" "CORESIGHT_STM_DEFAULT_ENABLE" "CORESIGHT_STM" "CORESIGHT_TMC" "CORESIGHT_TPDA" "CORESIGHT_TPDM_DEFAULT_ENABLE" "CORESIGHT_TPDM" "CORESIGHT_TPIU" "CORESIGHT" "HAVE_CORESIGHT_SINK" "OF_CORESIGHT"); + optionsNo+=("CORESIGHT_CSR" "CORESIGHT_CTI_SAVE_DISABLE" "CORESIGHT_CTI" "CORESIGHT_DBGUI" "CORESIGHT_ETM" "CORESIGHT_ETMV4" "CORESIGHT_EVENT" "CORESIGHT_FUNNEL" "CORESIGHT_FUSE" "CORESIGHT_HWEVENT" "CORESIGHT_QPDI" "CORESIGHT_REMOTE_ETM" "CORESIGHT_REPLICATOR" "CORESIGHT_STM_DEFAULT_ENABLE" "CORESIGHT_STM" "CORESIGHT_TMC" "CORESIGHT_TPDA" "CORESIGHT_TPDM_DEFAULT_ENABLE" "CORESIGHT_TPDM" "CORESIGHT_TPIU" "CORESIGHT" "OF_CORESIGHT"); fi; 
- - if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi; + #legacy + optionsNo+=("BINFMT_AOUT" "BINFMT_MISC"); + optionsNo+=("COMPAT_BRK" "COMPAT_VDSO"); + optionsNo+=("LDISC_AUTOLOAD" "LEGACY_PTYS"); + optionsNo+=("MODIFY_LDT_SYSCALL"); + optionsNo+=("OABI_COMPAT"); + optionsNo+=("USELIB"); + optionsNo+=("X86_IOPL_IOPERM" "X86_VSYSCALL_EMULATION"); + #unnecessary + optionsNo+=("BLK_DEV_FD" "BT_HS" "IO_URING" "IP_DCCP" "IP_SCTP" "VIDEO_VIVID" "FB_VIRTUAL" "RDS" "RDS_TCP"); + optionsNo+=("HIBERNATION"); + optionsNo+=("KEXEC" "KEXEC_FILE"); + optionsNo+=("KSM" "UKSM"); + optionsNo+=("LIVEPATCH"); optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide + if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi; + #unsafe + optionsNo+=("GCC_PLUGIN_RANDSTRUCT_PERFORMANCE"); + optionsNo+=("HARDENED_USERCOPY_FALLBACK"); + optionsNo+=("SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS"); + optionsNo+=("SLAB_MERGE_DEFAULT"); + optionsNo+=("USERFAULTFD"); + #optionsNo+=("CFI_PERMISSIVE"); + #??? + optionsNo+=("FB_MSM_MDSS_XLOG_DEBUG" "MSM_BUSPM_DEV" "MSMB_CAMERA_DEBUG" "MSM_CAMERA_DEBUG" "MSM_SMD_DEBUG"); + optionsNo+=("NEEDS_SYSCALL_FOR_CMPXCHG"); + optionsNo+=("TSC" "TSPP2"); + #breakage + optionsNo+=("HARDENED_USERCOPY_PAGESPAN"); + #optionsNo+=("IKCONFIG"); #breaks recovery + #optionsNo+=("KALLSYMS"); #breaks boot on select devices + #optionsNo+=("MAGIC_SYSRQ"); #breaks compile + #optionsNo+=("MSM_DLOAD_MODE"); #breaks compile + #optionsNo+=("MSM_SMP2P_TEST" "INET_DIAG"); + #optionsNo+=("PROC_PAGE_MONITOR"); #breaks memory stats + #optionsNo+=("SCHED_DEBUG"); #breaks compile for option in "${optionsNo[@]}" do
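Review bot: The new side is not behaviour-preserving as the message claims: `IA32_EMULATION`, `HAVE_DEBUG_BUGVERBOSE`, `HAVE_DEBUG_KMEMLEAK` and `HAVE_CORESIGHT_SINK` no longer appear anywhere in optionsNo, `STACKLEAK_METRICS`/`STACKLEAK_RUNTIME_DISABLE` are now commented out, `SLUB_DEBUG`, `SLUB_DEBUG_ON` and `WIREGUARD` are new, and the `if [[ "$1" != *"kernel/oneplus/sm8250"* ]]; then` guard around the CORESIGHT list is dropped. Of these the STACKLEAK pair matters most for hardening: `STACKLEAK_RUNTIME_DISABLE` is the Kconfig knob that lets stack erasing be turned off at runtime, so on a GCC-built kernel whose defconfig already sets it the script now leaves it on — either keep that line active or state in the commit message that the relaxation is intended. The CORESIGHT edit also needs a structural check: the old `if [[ "$1" …` line is removed but its `fi;` stays as context directly after the `fi;` that closes the `kernelVersion` branch, so unless the first `fi;` was removed as well (the collapsed text may have lost its marker), the function no longer parses; `bash -n Scripts/Common/Functions.sh` would settle it. hardenDefconfig starts before this hunk and may continue past `do`.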