From 01b1f8af0442d0938bf1e7337f62ba6571b2fb1e Mon Sep 17 00:00:00 2001
From: Nils Freydank
Date: Mon, 26 Aug 2024 21:27:31 +0200
Subject: [PATCH] pygoscelis: Enable bpf for systemd, add new build dep
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- enable CONFIG_BPF_LSM=Y
- CONFIG_DEBUG_INFO_BTF=Y, which needs dev-util/pahole. Let's add it to try that fancy new shit of 2019 / systemd 243 ;)

Seriously, let's try eBPF support in systemd units as Gentoo/Linux gained access by USE flags recently. Unfortunately it leads to some disabled hardending features (randstruct). Let’s live with it for now.
---
 pygoscelis-config | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/pygoscelis-config b/pygoscelis-config
index 66ee30c..695e8f3 100644
--- a/pygoscelis-config
+++ b/pygoscelis-config
@@ -18,7 +18,7 @@ CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
 CONFIG_TOOLS_SUPPORT_RELR=y
 CONFIG_CC_HAS_ASM_INLINE=y
 CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
-CONFIG_PAHOLE_VERSION=0
+CONFIG_PAHOLE_VERSION=127
 CONFIG_IRQ_WORK=y
 CONFIG_BUILDTIME_TABLE_SORT=y
 CONFIG_THREAD_INFO_IN_TASK=y
@@ -121,7 +121,7 @@ CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_BPF_JIT_DEFAULT_ON=y
 CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
 # CONFIG_BPF_PRELOAD is not set
-# CONFIG_BPF_LSM is not set
+CONFIG_BPF_LSM=y
 # end of BPF subsystem
 
 CONFIG_PREEMPT_BUILD=y
@@ -5157,7 +5157,6 @@ CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
 #
 # Kernel hardening options
 #
-CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 
 #
 # Memory initialization
@@ -5168,7 +5167,6 @@ CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y
 # CONFIG_INIT_STACK_NONE is not set
 # CONFIG_INIT_STACK_ALL_PATTERN is not set
 CONFIG_INIT_STACK_ALL_ZERO=y
-# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
 CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE is not set
 CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
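Review bot: The disappearance of `CONFIG_GCC_PLUGIN_STRUCTLEAK=y` in this hunk (and of `# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set` in the next one) is not covered by the commit message, which names randstruct as the only hardening feature given up. As far as I can tell no protection is actually lost, because `CONFIG_INIT_STACK_ALL_ZERO=y` stays set in the -5168 hunk and compiler-driven zero-initialisation is a superset of what the STRUCTLEAK plugin did, but that reasoning should be written down so the next `make olddefconfig` against a newer tree is not mistaken for a regression. I would extend the description with a line such as `- GCC_PLUGIN_STRUCTLEAK drops out of the config; stack-variable init is still covered by INIT_STACK_ALL_ZERO`. Whether the symbol went away because of the BTF change or because the plugin is gone from the kernel this config was regenerated against cannot be told from the hunk, so say which it was.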
@@ -5187,11 +5185,9 @@ CONFIG_LIST_HARDENED=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 # end of Hardening of kernel data structures
 
-# CONFIG_RANDSTRUCT_NONE is not set
+CONFIG_RANDSTRUCT_NONE=y
 # CONFIG_RANDSTRUCT_FULL is not set
-CONFIG_RANDSTRUCT_PERFORMANCE=y
-CONFIG_RANDSTRUCT=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+# CONFIG_RANDSTRUCT_PERFORMANCE is not set
 # end of Kernel hardening options
 
 # end of Security options
@@ -5624,11 +5620,23 @@ CONFIG_DEBUG_MISC=y
 #
 # Compile-time checks and compiler options
 #
+CONFIG_DEBUG_INFO=y
 CONFIG_AS_HAS_NON_CONST_ULEB128=y
-CONFIG_DEBUG_INFO_NONE=y
-# CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT is not set
+# CONFIG_DEBUG_INFO_NONE is not set
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 # CONFIG_DEBUG_INFO_DWARF4 is not set
 # CONFIG_DEBUG_INFO_DWARF5 is not set
+# CONFIG_DEBUG_INFO_REDUCED is not set
+CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
+# CONFIG_DEBUG_INFO_COMPRESSED_ZLIB is not set
+# CONFIG_DEBUG_INFO_COMPRESSED_ZSTD is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+CONFIG_DEBUG_INFO_BTF=y
+CONFIG_PAHOLE_HAS_SPLIT_BTF=y
+CONFIG_PAHOLE_HAS_LANG_EXCLUDE=y
+CONFIG_DEBUG_INFO_BTF_MODULES=y
+# CONFIG_MODULE_ALLOW_BTF_MISMATCH is not set
+# CONFIG_GDB_SCRIPTS is not set
 CONFIG_FRAME_WARN=2048
 CONFIG_STRIP_ASM_SYMS=y
 # CONFIG_READABLE_ASM is not set
@@ -5936,6 +5944,5 @@ CONFIG_GENTOO_LINUX_INIT_SYSTEMD=y
 # end of Support for init systems, system and service managers
 
 CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y
-CONFIG_GENTOO_KERNEL_SELF_PROTECTION_COMMON=y
 CONFIG_GENTOO_PRINT_FIRMWARE_INFO=y
 # end of Gentoo Linux
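Review bot: `CONFIG_DEBUG_INFO_BTF=y` publishes the complete type information of this custom build through `/sys/kernel/btf/vmlinux`, which is readable by unprivileged local users by default, and together with `CONFIG_RANDSTRUCT_NONE=y` in the preceding hunk it means the exact struct layouts that randstruct used to hide are now handed out in machine-readable form to anyone on the box. That is a reasonable price for BPF LSM on a desktop, but the commit message should say this explicitly instead of "some disabled hardening features". The pairing of `CONFIG_DEBUG_INFO_BTF_MODULES=y` with `# CONFIG_MODULE_ALLOW_BTF_MISMATCH is not set` is the right one, since it refuses modules whose BTF does not match the running kernel; keep it that way. Note also that `CONFIG_DEBUG_INFO=y` with `# CONFIG_DEBUG_INFO_REDUCED is not set` now emits full DWARF for vmlinux and every module, so the install step needs to strip modules (`INSTALL_MOD_STRIP=1`) or /lib/modules will grow considerably.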
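Review bot: Dropping `CONFIG_GENTOO_KERNEL_SELF_PROTECTION_COMMON=y` while keeping `CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y` is the largest security change in this patch and the commit message does not mention it at all. In Gentoo's distro Kconfig the `_COMMON` symbol is the one that actually selects the hardening set; presumably it became unselectable because one of its dependencies conflicts with the new BTF/debug-info settings, but with it gone the top-level symbol enforces nothing, and every option it used to select now survives only because its value is already written into this file, with nothing to re-select it if a later `make olddefconfig` drops it. I would diff this config against the previous build, confirm that options such as `CONFIG_STACKPROTECTOR_STRONG`, `CONFIG_HARDENED_USERCOPY` and `CONFIG_STRICT_DEVMEM` are still set, and record in the description both why `_COMMON` went away and that the remaining hardening options are now held manually.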