increase security

2024-07-13 08:32:41 +08:00 · 2024-07-13 08:32:41 +08:00 · e8fa5b3f62
commit e8fa5b3f62
parent 2a8fea8844
3 changed files with 46 additions and 5 deletions
--- a/7
+++ b/7
@ -32,12 +32,15 @@ _srctag=v${pkgver%.*}-${pkgver##*.}
 source=(
  https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.xz
  config  # the main kernel config file
+  defaultmaxASLR.patch
 )
 # https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc
 sha256sums=('2be05b487eb239a3bf687d628a8f104177d09c310f00bcc2a5e50f1733421eb9'
-            '254c531c49080ffb399a6246537a9c7b65718acdf1515b72f3570d23aa0a4fe6')
+            '254c531c49080ffb399a6246537a9c7b65718acdf1515b72f3570d23aa0a4fe6'
+            '9f29efd7acf37d8e3015029216865fb590362d9589feb91dc84e68fee6dabff0')
 b2sums=('a228397902894f566d49adef24e4d44271893173cf0c58e8eb6006137dfb870b5f3aea17cadc775988a0682ba4a5261ebd3f10689b6c096f762cc8af666c56ff'
-        'ea46d444dcbec8d6edc761b84ee047b72d9d9d65802902c8fc01f0cef55adf4f16c35834c2c8c01ccb20b249efa8054f20ce851c7eb6cfd2eb2ee90ee8bf6ad5')
+        'ea46d444dcbec8d6edc761b84ee047b72d9d9d65802902c8fc01f0cef55adf4f16c35834c2c8c01ccb20b249efa8054f20ce851c7eb6cfd2eb2ee90ee8bf6ad5'
+        '30f9ecc8011b67e89166a01cf15c6994ba72cb7277cf8cce3461db66c3f0dfa77f396976dc82b6b78c723845282ea721a07a8fb1f3baff43dbf46bee10940b1a')

 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase
--- a/README.md
+++ b/README.md
@ -1,11 +1,16 @@
-patches folder contains all the patches. files shipped are already prepatched 
+My personal custom kernel

-patch order:
+defaultmaxASLR.patch - increase security
+
+
+patches folder contains all the config patches. config shipped are already prepatched 
+
+config patch order:

 1. waydroid.patch
 2. security.patch

-sources: 
+config sources: 

 - waydroid.patch: https://wiki.archlinux.org/title/Waydroid
 - security.patch: selected from https://www.kicksecure.com/wiki/Hardened-kernel
--- a/defaultmaxASLR.patch
+++ b/defaultmaxASLR.patch
@ -0,0 +1,33 @@
+From db70c38e74c8850174dcc09b302c41543583c980 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
+Date: Sat, 13 Jan 2024 15:29:25 +0100
+Subject: [PATCH] arch/Kconfig: Default to maximum amount of ASLR bits
+
+To mitigate https://zolutal.github.io/aslrnt/; do this with a patch to
+avoid having to enable `CONFIG_EXPERT`.
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 30f7930275d838..318a4e75058b3b 100644
+--- a/arch/Kconfig
+++ b/arch/Kconfig
+@@ -1033,7 +1033,7 @@ config ARCH_MMAP_RND_BITS
+ 	int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ 	range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ 	default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+-	default ARCH_MMAP_RND_BITS_MIN
+	default ARCH_MMAP_RND_BITS_MAX
+ 	depends on HAVE_ARCH_MMAP_RND_BITS
+ 	help
+ 	  This value can be used to select the number of bits to use to
+@@ -1067,7 +1067,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ 	int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ 	range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ 	default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+-	default ARCH_MMAP_RND_COMPAT_BITS_MIN
+	default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ 	depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ 	help
+ 	  This value can be used to select the number of bits to use to