http://git.sabayon.org/linux/kernel/sabayon.git/log/?h=3.3-hardened-test
(kernel configs in sabayon/config -- patches in sabayon/patches)

Rationale behind some config choices
~~~~~~~~~~~~~~~~~~~~~~~~~~~

(Un)mount logging disabled:
it considerably slows down boot (looks like userspace is put to sleep
when throttling [triggered by bursty mount calls happening at
initramfs time])

Virtualization profile selected, then Custom:
We want reasonable performance in virtualization environments as well.
Otoh, we also want to selectively "cherry-pick" each feature

Some GrSecurity options turned off:
See: http://blog.flameeyes.eu/2012/04/hard-containers (we want LXC to
reasonably work out of the box)
Deny mounts (CONFIG_GRKERNSEC_CHROOT_MOUNT)
Deny pivot_root in chroot (CONFIG_GRKERNSEC_CHROOT_PIVOT)
Capability restrictions (CONFIG_GRKERNSEC_CHROOT_CAPS)

Other GrSecurity options turned off:
Restrict priority changes (GRKERNSEC_CHROOT_NICE):
PulseAudio and KDE stuff does renice {REQUIRES further investigation though}

CONFIG_PAX_MPROTECT disabled:
KDE segfaults with this turned on here, I got:
"denied RWX mmap /usr/bin/kdeinit4[plasma-desktop]"
Is it possible to PaX mark this stuff? (sorry, I don't remember if
this is PaX related, will check)

GrSecurity TPE disabled:
It will make it impossible to boot into KDE or any other DE due to
startup scripts execution failure.
Moreover, it makes it impossible for users to run any script {correct?}

Aufs compatibility:
I think I could have done better here (wrt fixing Aufs code), but I
wanted to move on with the actual testing ;-))
diff --git a/fs/aufs/f_op_sp.c b/fs/aufs/f_op_sp.c
index 48b8aa1..888768a 100644
--- a/fs/aufs/f_op_sp.c
+++ b/fs/aufs/f_op_sp.c
@@ -107,7 +107,7 @@ enum {
 static int aufs_open_sp(struct inode *inode, struct file *file);
 static struct au_sp_fop {
        int                     done;
-       struct file_operations  fop;    /* not 'const' */
+       file_operations_no_const        fop;    /* not 'const' */
        spinlock_t              spin;
 } au_sp_fop[AuSp_Last] = {
        [AuSp_FIFO] = {
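Review bot: the new type of `fop` in `struct au_sp_fop`, `file_operations_no_const`, is not defined anywhere in this patch, so fs/aufs/f_op_sp.c will only build on a tree that already provides that typedef (presumably the grsecurity/PaX patch set this kernel carries). It would help to say so in the commit text and to expand the `/* not 'const' */` comment to state why this table has to stay writable, since each `au_sp_fop[]` entry then remains a writable function-pointer table at run time. Scoping the exemption to this one member, as done here, is the right granularity.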
diff --git a/include/linux/fs.h b/include/linux/fs.h
index d6ba573..9d71a07 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -621,7 +621,7 @@ struct address_space_operations {
        int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
                                        unsigned long);
        int (*error_remove_page)(struct address_space *, struct page *);
-};
+} __no_const;

 extern const struct address_space_operations empty_aops;

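Review bot: `__no_const` on the closing brace of `struct address_space_operations` in include/linux/fs.h exempts every instance of that struct in the tree from constification, not only the ones Aufs needs to modify. That is a much wider loss of hardening than the Aufs hunk, which changes a single member. Prefer leaving the definition as `};` and adding a separate `address_space_operations_no_const` typedef that only the Aufs code uses, mirroring `file_operations_no_const`. The patch also gives no indication of which Aufs code writes to an `address_space_operations` object, so the need for the change cannot be checked from these lines.
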
Maybe I could have also declared address_space_operations_no_const and
let Aufs use that. But I haven't spent much time on this tbh.

-- 
Fabio Erculiani
