pygoscelis: Enable bpf for systemd, add new build dep

- enable CONFIG_BPF_LSM=Y
- CONFIG_DEBUG_INFO_BTF=Y, which needs dev-util/pahole.

Let's add it to try that fancy new shit of 2019 / systemd 243 ;)

Seriously, let's try eBPF support in systemd units as Gentoo/Linux
gained access by USE flags recently. Unfortunately it leads to some
disabled hardening features (randstruct). Let’s live with it for now.
This commit is contained in:
Nils Freydank 2024-08-26 21:27:31 +02:00
parent 7d721273f0
commit 01b1f8af04
Signed by: nfr
GPG Key ID: 0F1DEAB2D36AD112


@ -18,7 +18,7 @@ CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
CONFIG_TOOLS_SUPPORT_RELR=y CONFIG_TOOLS_SUPPORT_RELR=y
CONFIG_CC_HAS_ASM_INLINE=y CONFIG_CC_HAS_ASM_INLINE=y
CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
CONFIG_PAHOLE_VERSION=0 CONFIG_PAHOLE_VERSION=127
CONFIG_IRQ_WORK=y CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_TABLE_SORT=y CONFIG_BUILDTIME_TABLE_SORT=y
CONFIG_THREAD_INFO_IN_TASK=y CONFIG_THREAD_INFO_IN_TASK=y
@ -121,7 +121,7 @@ CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set # CONFIG_BPF_PRELOAD is not set
# CONFIG_BPF_LSM is not set CONFIG_BPF_LSM=y
# end of BPF subsystem # end of BPF subsystem
CONFIG_PREEMPT_BUILD=y CONFIG_PREEMPT_BUILD=y
@ -5157,7 +5157,6 @@ CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
# #
# Kernel hardening options # Kernel hardening options
# #
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
# #
# Memory initialization # Memory initialization
@ -5168,7 +5167,6 @@ CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y
# CONFIG_INIT_STACK_NONE is not set # CONFIG_INIT_STACK_NONE is not set
# CONFIG_INIT_STACK_ALL_PATTERN is not set # CONFIG_INIT_STACK_ALL_PATTERN is not set
CONFIG_INIT_STACK_ALL_ZERO=y CONFIG_INIT_STACK_ALL_ZERO=y
# CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
CONFIG_GCC_PLUGIN_STACKLEAK=y CONFIG_GCC_PLUGIN_STACKLEAK=y
# CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE is not set # CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE is not set
CONFIG_STACKLEAK_TRACK_MIN_SIZE=100 CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
@ -5187,11 +5185,9 @@ CONFIG_LIST_HARDENED=y
CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_BUG_ON_DATA_CORRUPTION=y
# end of Hardening of kernel data structures # end of Hardening of kernel data structures
# CONFIG_RANDSTRUCT_NONE is not set CONFIG_RANDSTRUCT_NONE=y
# CONFIG_RANDSTRUCT_FULL is not set # CONFIG_RANDSTRUCT_FULL is not set
CONFIG_RANDSTRUCT_PERFORMANCE=y # CONFIG_RANDSTRUCT_PERFORMANCE is not set
CONFIG_RANDSTRUCT=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# end of Kernel hardening options # end of Kernel hardening options
# end of Security options # end of Security options
@ -5624,11 +5620,23 @@ CONFIG_DEBUG_MISC=y
# #
# Compile-time checks and compiler options # Compile-time checks and compiler options
# #
CONFIG_DEBUG_INFO=y
CONFIG_AS_HAS_NON_CONST_ULEB128=y CONFIG_AS_HAS_NON_CONST_ULEB128=y
CONFIG_DEBUG_INFO_NONE=y # CONFIG_DEBUG_INFO_NONE is not set
# CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT is not set CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
# CONFIG_DEBUG_INFO_DWARF4 is not set # CONFIG_DEBUG_INFO_DWARF4 is not set
# CONFIG_DEBUG_INFO_DWARF5 is not set # CONFIG_DEBUG_INFO_DWARF5 is not set
# CONFIG_DEBUG_INFO_REDUCED is not set
CONFIG_DEBUG_INFO_COMPRESSED_NONE=y
# CONFIG_DEBUG_INFO_COMPRESSED_ZLIB is not set
# CONFIG_DEBUG_INFO_COMPRESSED_ZSTD is not set
# CONFIG_DEBUG_INFO_SPLIT is not set
CONFIG_DEBUG_INFO_BTF=y
CONFIG_PAHOLE_HAS_SPLIT_BTF=y
CONFIG_PAHOLE_HAS_LANG_EXCLUDE=y
CONFIG_DEBUG_INFO_BTF_MODULES=y
# CONFIG_MODULE_ALLOW_BTF_MISMATCH is not set
# CONFIG_GDB_SCRIPTS is not set
CONFIG_FRAME_WARN=2048 CONFIG_FRAME_WARN=2048
CONFIG_STRIP_ASM_SYMS=y CONFIG_STRIP_ASM_SYMS=y
# CONFIG_READABLE_ASM is not set # CONFIG_READABLE_ASM is not set
@ -5936,6 +5944,5 @@ CONFIG_GENTOO_LINUX_INIT_SYSTEMD=y
# end of Support for init systems, system and service managers # end of Support for init systems, system and service managers
CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y
CONFIG_GENTOO_KERNEL_SELF_PROTECTION_COMMON=y
CONFIG_GENTOO_PRINT_FIRMWARE_INFO=y CONFIG_GENTOO_PRINT_FIRMWARE_INFO=y
# end of Gentoo Linux # end of Gentoo Linux
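Review bot: The last hunk drops `CONFIG_GENTOO_KERNEL_SELF_PROTECTION_COMMON=y` and the `-5157` hunk drops `CONFIG_GCC_PLUGIN_STRUCTLEAK=y`, neither of which the commit message mentions; it names only randstruct as the lost hardening. Both look like knock-on effects of `CONFIG_DEBUG_INFO_BTF=y` in the `-5624` hunk, but that is inferred from the dependency chain rather than visible here, so confirm it in the config tool and state it in the message so the trade-off stays reviewable. Note that with BTF enabled the kernel typically exports its type layout at runtime, which is the same information randstruct was meant to hide, so the loss is broader than a single option being toggled. `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` is retained in the BPF hunk, which keeps the newly enabled LSM hooks reachable only by privileged callers and is worth calling out as the compensating control. A one-line addition to the description such as `BTF (incl. modules) enabled; randstruct, STRUCTLEAK and GENTOO_KERNEL_SELF_PROTECTION_COMMON are dropped as a consequence` would document this.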