mitigation-v4 for enabling io_uring

google · Dec 5, 2024 · ab79a48 · ab79a48
1 parent fc80975
commit ab79a48
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 1 deletion.
diff --git a/kernelctf/build_release.sh b/kernelctf/build_release.sh
@@ -29,6 +29,10 @@ case $TARGET in
   mitigation)
     REPO="https://github.com/thejh/linux"
     case $VERSION in
+        v4*)
+            DEFAULT_BRANCH="slub-virtual-v6.6"
+            CONFIG_FN="mitigation-v4.config"
+            ;;
         v3-* | v3b-*)
             DEFAULT_BRANCH="mitigations-next"
             case $VERSION in

diff --git a/kernelctf/kernel_configs/lts-6.6.config b/kernelctf/kernel_configs/lts-6.6.config
@@ -1,3 +1,2 @@
-# CONFIG_IO_URING is not set
 # CONFIG_NF_TABLES is not set
 CONFIG_SYSTEM_TRUSTED_KEYS=""
diff --git a/kernelctf/kernel_configs/mitigation-v4.config b/kernelctf/kernel_configs/mitigation-v4.config
@@ -0,0 +1,26 @@
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+
+## required by CONFIG_KMALLOC_SPLIT_VARSIZE
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+
+## turns on our mitigations
+CONFIG_KMALLOC_SPLIT_VARSIZE=y
+CONFIG_SLAB_VIRTUAL=y
+
+## turns on CONFIG_RANDOM_KMALLOC_CACHES
+CONFIG_RANDOM_KMALLOC_CACHES=y
+
+## turns on additional hardenings
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_DEBUG_WX=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+# CONFIG_FUSE_FS is not set
+
+### Make the kernel less annoying to debug
+## Compile the kernel with debug info
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
+# Have all symbols in kallsyms
+CONFIG_KALLSYMS_ALL=y
+
+# CONFIG_NF_TABLES is not set