--- a/Kconfig 2021-06-04 19:03:33.646823432 -0400
+++ b/Kconfig 2021-06-04 19:03:40.508892817 -0400
@@ -30,3 +30,5 @@
 source "lib/Kconfig"
 source "lib/Kconfig.debug"
 source "Documentation/Kconfig"
+
+source "distro/Kconfig"
--- /dev/null 2021-06-06 14:01:09.950742356 -0400
+++ b/distro/Kconfig 2021-06-06 17:48:05.912077568 -0400
@@ -0,0 +1,267 @@
+menu "Gentoo Linux"
+
+config GENTOO_LINUX
+ bool "Gentoo Linux support"
+
+ default y
+
+ help
+ In order to boot Gentoo Linux a minimal set of config settings needs to
+ be enabled in the kernel; to avoid the users from having to enable them
+ manually as part of a Gentoo Linux installation or a new clean config,
+ we enable these config settings by default for convenience.
+
+ See the settings that become available for more details and fine-tuning.
+
+config GENTOO_LINUX_UDEV
+ bool "Linux dynamic and persistent device naming (userspace devfs) support"
+
+ depends on GENTOO_LINUX
+ default y if GENTOO_LINUX
+
+ select DEVTMPFS
+ select TMPFS
+ select UNIX
+
+ select MMU
+ select SHMEM
+
+ help
+ In order to boot Gentoo Linux a minimal set of config settings needs to
+ be enabled in the kernel; to avoid the users from having to enable them
+ manually as part of a Gentoo Linux installation or a new clean config,
+ we enable these config settings by default for convenience.
+
+ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
+ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
+ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
+
+ Some of these are critical files that need to be available early in the
+ boot process; if not available, it causes sysfs and udev to malfunction.
+
+ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
+ if you run a custom setup, you could consider whether to disable this.
+
+config GENTOO_LINUX_PORTAGE
+ bool "Select options required by Portage features"
+
+ depends on GENTOO_LINUX
+ default y if GENTOO_LINUX
+
+ select CGROUPS
+ select NAMESPACES
+ select IPC_NS
+ select NET_NS
+ select PID_NS
+ select SYSVIPC
+ select UTS_NS
+
+ help
+ This enables options required by various Portage FEATURES.
+ Currently this selects:
+
+ CGROUPS (required for FEATURES=cgroup)
+ IPC_NS (required for FEATURES=ipc-sandbox)
+ NET_NS (required for FEATURES=network-sandbox)
+ PID_NS (required for FEATURES=pid-sandbox)
+ SYSVIPC (required by IPC_NS)
+
+
+ It is highly recommended that you leave this enabled as these FEATURES
+ are, or will soon be, enabled by default.
+
+menu "Support for init systems, system and service managers"
+ visible if GENTOO_LINUX
+
+config GENTOO_LINUX_INIT_SCRIPT
+ bool "OpenRC, runit and other script based systems and managers"
+
+ default y if GENTOO_LINUX
+
+ depends on GENTOO_LINUX
+
+ select BINFMT_SCRIPT
+ select CGROUPS
+ select EPOLL
+ select FILE_LOCKING
+ select INOTIFY_USER
+ select SIGNALFD
+ select TIMERFD
+
+ help
+ The init system is the first thing that loads after the kernel booted.
+
+ These config settings allow you to select which init systems to support;
+ instead of having to select all the individual settings all over the
+ place, these settings allows you to select all the settings at once.
+
+ This particular setting enables all the known requirements for OpenRC,
+ runit and similar script based systems and managers.
+
+ If you are unsure about this, it is best to leave this setting enabled.
+
+config GENTOO_LINUX_INIT_SYSTEMD
+ bool "systemd"
+
+ default n
+
+ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
+
+ select AUTOFS4_FS
+ select BLK_DEV_BSG
+ select BPF_SYSCALL
+ select CGROUP_BPF
+ select CGROUPS
+ select CHECKPOINT_RESTORE
+ select CRYPTO_HMAC
+ select CRYPTO_SHA256
+ select CRYPTO_USER_API_HASH
+ select DEVPTS_MULTIPLE_INSTANCES
+ select DMIID if X86_32 || X86_64 || X86
+ select EPOLL
+ select FANOTIFY
+ select FHANDLE
+ select FILE_LOCKING
+ select INOTIFY_USER
+ select IPV6
+ select NET
+ select NET_NS
+ select PROC_FS
+ select SECCOMP
+ select SECCOMP_FILTER
+ select SIGNALFD
+ select SYSFS
+ select TIMERFD
+ select TMPFS_POSIX_ACL
+ select TMPFS_XATTR
+ select USER_NS
+
+ select ANON_INODES
+ select BLOCK
+ select EVENTFD
+ select FSNOTIFY
+ select INET
+ select NLATTR
+
+ help
+ The init system is the first thing that loads after the kernel booted.
+
+ These config settings allow you to select which init systems to support;
+ instead of having to select all the individual settings all over the
+ place, these settings allows you to select all the settings at once.
+
+ This particular setting enables all the known requirements for systemd;
+ it also enables suggested optional settings, as the package suggests to.
+
+endmenu
+
+menu "Enable Kernel Self Protection Project Recommendations"
+ visible if GENTOO_LINUX
+
+config GENTOO_KERNEL_SELF_PROTECTION
+ bool "Architecture Independant Kernel Self Protection Project Recommendations"
+
+ help
+ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
+ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
+ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
+ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for
+ dependency information on your specific architecture.
+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+ for X86_64
+
+ depends on GENTOO_LINUX && !HARDENED_USERCOPY_FALLBACK && !HARDENED_USERCOPY_PAGESPAN && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !SECURITY_SELINUX_DISABLE && !IA32_EMULATION && !X86_X32 && !MODIFY_LDT_SYSCALL
+
+
+ select BUG
+ select STRICT_KERNEL_RWX
+ select DEBUG_WX
+ select STACKPROTECTOR
+ select STACKPROTECTOR_STRONG
+ select STRICT_DEVMEM
+ select IO_STRICT_DEVMEM
+
+ select SYN_COOKIES
+ select DEBUG_CREDENTIALS
+ select DEBUG_NOTIFIERS
+ select DEBUG_LIST
+ select DEBUG_SG
+ select BUG_ON_DATA_CORRUPTION
+ select SCHED_STACK_END_CHECK
+ select SECCOMP
+ select SECCOMP_FILTER
+ select SECURITY
+ select SECURITY_YAMA
+ select HARDENED_USERCOPY
+ select SLAB_FREELIST_RANDOM
+ select SLAB_FREELIST_HARDENED
+ select SHUFFLE_PAGE_ALLOCATOR
+ select SLUB_DEBUG
+ select PAGE_POISONING
+ select PAGE_POISONING_NO_SANITY
+ select PAGE_POISONING_ZERO
+ select INIT_ON_ALLOC_DEFAULT_ON
+ select INIT_ON_FREE_DEFAULT_ON
+ select VMAP_STACK
+ select REFCOUNT_FULL
+ select FORTIFY_SOURCE
+ select SECURITY_DMESG_RESTRICT
+ select PANIC_ON_OOPS
+ select CONFIG_GCC_PLUGINS=y
+ select GCC_PLUGIN_LATENT_ENTROPY
+ select GCC_PLUGIN_STRUCTLEAK
+ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
+ select GCC_PLUGIN_STACKLEAK
+ select GCC_PLUGIN_RANDSTRUCT
+ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
+
+menu "Architecture Specific Self Protection Project Recommendations"
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_64
+ bool "X86_64 KSPP Settings"
+
+ depends on !X86_MSR && X86_64
+ default n
+
+ select RANDOMIZE_BASE
+ select RANDOMIZE_MEMORY
+ select LEGACY_VSYSCALL_NONE
+ select PAGE_TABLE_ISOLATION
+
+
+config GENTOO_KERNEL_SELF_PROTECTION_ARM64
+ bool "ARM64 KSPP Settings"
+
+ depends on ARM64
+ default n
+
+ select RANDOMIZE_BASE
+ select ARM64_SW_TTBR0_PAN
+ select CONFIG_UNMAP_KERNEL_AT_EL0
+
+config GENTOO_KERNEL_SELF_PROTECTION_X86_32
+ bool "X86_32 KSPP Settings"
+
+ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
+ default n
+
+ select HIGHMEM64G
+ select X86_PAE
+ select RANDOMIZE_BASE
+ select PAGE_TABLE_ISOLATION
+
+config GENTOO_KERNEL_SELF_PROTECTION_ARM
+ bool "ARM KSPP Settings"
+
+ depends on !OABI_COMPAT && ARM
+ default n
+
+ select VMSPLIT_3G
+ select STRICT_MEMORY_RWX
+ select CPU_SW_DOMAIN_PAN
+
+endmenu
+
+endmenu
+
+endmenu
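Review bot: `select CONFIG_GCC_PLUGINS=y` under GENTOO_KERNEL_SELF_PROTECTION is not valid Kconfig — `select` takes a bare symbol name with no CONFIG_ prefix and no `=y` — so the line should read `select GCC_PLUGINS`, and as written it will most likely make the parser reject distro/Kconfig and with it every option in this file. The same CONFIG_ prefix appears in `select CONFIG_UNMAP_KERNEL_AT_EL0` under GENTOO_KERNEL_SELF_PROTECTION_ARM64; that one may parse, but it then selects a symbol that does not exist, so the arm64 option silently never turns on kernel page-table isolation and should be `select UNMAP_KERNEL_AT_EL0`. Because `select` bypasses the target's own dependencies, it would also be worth running menuconfig once per architecture with the KSPP options enabled to confirm none of the selected hardening symbols are reported with unmet direct dependencies, which would leave a user believing a mitigation is on when it is not. Minor: the prompt string `"Architecture Independant ..."` should be "Independent".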