From 6390333332628437c142fb5e93b1b2f3aaa54b6c Mon Sep 17 00:00:00 2001 
From: Wynn Wolf Arbor
Date: Mon, 23 Dec 2019 12:37:32 +0100
Subject: Initial import
---
 fragments/base/common | 54 +++++++++++++++++++++++++++++++++
 fragments/base/crypto | 4 +++
 fragments/base/modules | 2 ++
 fragments/base/net | 40 ++++++++++++++++++++++++
 fragments/base/security | 14 +++++++++
 fragments/boot/efi | 5 +++
 fragments/boot/initrd | 1 +
 fragments/cpu/amd | 13 ++++++++
 fragments/cpu/intel | 7 +++++
 fragments/devices/input/xpad | 3 ++
 fragments/devices/net/r8169 | 1 +
 fragments/devices/net/tigon3 | 1 +
 fragments/devices/usb/bluetooth | 1 +
 fragments/devices/usb/sound | 1 +
 fragments/drivers/i2c | 2 ++
 fragments/drivers/pci | 2 ++
 fragments/drivers/raid | 7 +++++
 fragments/drivers/sata | 7 +++++
 fragments/drivers/sound | 7 +++++
 fragments/drivers/usb | 11 +++++++
 fragments/fs/cifs | 4 +++
 fragments/fs/devtmpfs | 2 ++
 fragments/fs/ext4 | 4 +++
 fragments/fs/foreign | 9 ++++++
 fragments/fs/fuse | 1 +
 fragments/fs/tmpfs | 2 ++
 fragments/hosts/coleridge | 1 +
 fragments/hosts/nabokov | 3 ++
 fragments/net/bluetooth | 3 ++
 fragments/net/nftables | 67 +++++++++++++++++++++++++++++++++++++++++
 fragments/profile/desktop | 7 +++++
 fragments/profile/server | 5 +++
 fragments/profile/vm | 9 ++++++
 fragments/security/audit | 4 +++
 fragments/security/cgroups | 7 +++++
 fragments/security/namespaces | 5 +++
 36 files changed, 316 insertions(+)
 create mode 100644 fragments/base/common
 create mode 100644 fragments/base/crypto
 create mode 100644 fragments/base/modules
 create mode 100644 fragments/base/net
 create mode 100644 fragments/base/security
 create mode 100644 fragments/boot/efi
 create mode 100644 fragments/boot/initrd
 create mode 100644 fragments/cpu/amd
 create mode 100644 fragments/cpu/intel
 create mode 100644 fragments/devices/input/xpad
 create mode 100644 fragments/devices/net/r8169
 create mode 100644 fragments/devices/net/tigon3
 create mode 100644 fragments/devices/usb/bluetooth
 create mode 100644 fragments/devices/usb/sound
 create mode 100644 fragments/drivers/i2c
 create mode 100644 fragments/drivers/pci
 create mode 100644 fragments/drivers/raid
 create mode 100644 fragments/drivers/sata
 create mode 100644 fragments/drivers/sound
 create mode 100644 fragments/drivers/usb
 create mode 100644 fragments/fs/cifs
 create mode 100644 fragments/fs/devtmpfs
 create mode 100644 fragments/fs/ext4
 create mode 100644 fragments/fs/foreign
 create mode 100644 fragments/fs/fuse
 create mode 100644 fragments/fs/tmpfs
 create mode 100644 fragments/hosts/coleridge
 create mode 100644 fragments/hosts/nabokov
 create mode 100644 fragments/net/bluetooth
 create mode 100644 fragments/net/nftables
 create mode 100644 fragments/profile/desktop
 create mode 100644 fragments/profile/server
 create mode 100644 fragments/profile/vm
 create mode 100644 fragments/security/audit
 create mode 100644 fragments/security/cgroups
 create mode 100644 fragments/security/namespaces
(limited to 'fragments')
diff --git a/fragments/base/common b/fragments/base/common
new file mode 100644
index 0000000..1a26566
--- /dev/null
+++ b/fragments/base/common
@@ -0,0 +1,54 @@
+CONFIG_SMP=y
+
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+
+CONFIG_NO_HZ_IDLE=y
+CONFIG_HIGH_RES_TIMERS=y
+
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+
+CONFIG_SCHED_AUTOGROUP=y
+
+# We only really care about standard PC systems
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+
+CONFIG_NUMA=y
+
+# The following can be disabled since it is a legacy option,
+# the kernel will use X86_64_ACPI_NUMA instead
+# CONFIG_AMD_NUMA is not set
+
+CONFIG_PARTITION_ADVANCED=y
+
+# The kernel cites 65536 as a "reasonable" value here.
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+
+# We want to support transparent hugepages, though want applications
+# to ask for them specifically with madvise
+CONFIG_TRANSPARENT_HUGEPAGE=y
+CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
+
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_BLK_DEV_LOOP=y
+
+# CONFIG_LEGACY_PTYS is not set
+
+CONFIG_HPET=y
+
+CONFIG_HIDRAW=y
+
+CONFIG_EDAC=y
+CONFIG_EDAC_SBRIDGE=y
+# CONFIG_EDAC_LEGACY_SYSFS is not set
+
+CONFIG_RTC_CLASS=y
+
+# CONFIG_UNUSED_SYMBOLS is not set
+
+# https://lwn.net/Articles/681763/
+CONFIG_BLK_WBT=y
+CONFIG_BLK_WBT_SQ=y
+CONFIG_BLK_WBT_MQ=y
diff --git a/fragments/base/crypto b/fragments/base/crypto
new file mode 100644
index 0000000..0f63cdd
--- /dev/null
+++ b/fragments/base/crypto
@@ -0,0 +1,4 @@
+CONFIG_DM_CRYPT=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
diff --git a/fragments/base/modules b/fragments/base/modules
new file mode 100644
index 0000000..a3f5b21
--- /dev/null
+++ b/fragments/base/modules
@@ -0,0 +1,2 @@
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
diff --git a/fragments/base/net b/fragments/base/net
new file mode 100644
index 0000000..b0aefe2
--- /dev/null
+++ b/fragments/base/net
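Review bot: `CONFIG_BLK_WBT_SQ=y` at the end of fragments/base/common names a symbol that, as far as I recall, only exists in trees that still carry the legacy single-queue block layer (dropped around 5.0); on a newer kernel `make olddefconfig` discards an unknown symbol without any error, so the fragment quietly stops saying what it means. The same hazard appears to apply to `CONFIG_EXT4_ENCRYPTION=y` in fragments/fs/ext4 (folded into `CONFIG_FS_ENCRYPTION` in later trees) and to the per-family NAT symbols such as `CONFIG_NF_NAT_IPV4` / `CONFIG_NFT_CHAIN_NAT_IPV4` and their IPv6 counterparts in fragments/net/nftables; the target kernel version is not stated anywhere in the import, so this is inferred. `scripts/kconfig/merge_config.sh` does report requested values missing from the final .config, so whatever assembles these fragments should treat that report as a failure rather than a warning, and a `# Target kernel: <version placeholder>` header in each fragment would make the assumption explicit. Separately, `CONFIG_IKCONFIG_PROC=y` publishes the full build configuration to every local user via /proc/config.gz, which also advertises exactly which hardening options are absent; if that is intentional a one-line rationale comment would be worth adding.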
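Review bot: fragments/base/modules turns on `CONFIG_MODULES=y` and `CONFIG_MODULE_UNLOAD=y` but nothing in the fragment set enables module signature enforcement, so a process with CAP_SYS_MODULE can load arbitrary code into a kernel that otherwise invests in hardening (fragments/base/security). If the build pipeline can sign modules, `CONFIG_MODULE_SIG=y`, `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_ALL=y` close that gap; if it cannot, a comment stating that unsigned modules are accepted on purpose keeps the trade-off visible. `CONFIG_MODULE_UNLOAD` could also be left unset on the server and vm profiles unless operators actually unload modules there.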
@@ -0,0 +1,40 @@
+CONFIG_NET=y
+
+# "Foo over UDP" is needed for any application that wants to tunnel
+# traffic over UDP, like wireguard et al
+CONFIG_NET_FOU=y
+
+CONFIG_RFKILL=y
+
+CONFIG_NETDEVICES=y
+CONFIG_TUN=m
+CONFIG_VETH=m
+
+CONFIG_VLAN_8021Q=y
+CONFIG_BRIDGE=y
+
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=y
+CONFIG_NETLINK_DIAG=y
+CONFIG_UNIX=y
+CONFIG_UNIX_DIAG=y
+CONFIG_INET=y
+CONFIG_XFRM_USER=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_SYN_COOKIES=y
+CONFIG_INET_UDP_DIAG=y
+CONFIG_INET_RAW_DIAG=y
+
+# The following options enable support for IPsec and are enabled by default.
+# We think wireguard is the superior solution, and hence disable them.
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET6_XFRM_MODE_BEET is not set
+
+# We do not need IPv6-in-IPv4
+# CONFIG_IPV6_SIT is not set
diff --git a/fragments/base/security b/fragments/base/security
new file mode 100644
index 0000000..5d8b95c
--- /dev/null
+++ b/fragments/base/security
@@ -0,0 +1,14 @@
+CONFIG_REFCOUNT_FULL=y
+CONFIG_GCC_PLUGINS=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
+
+# CONFIG_COMPAT_BRK is not set
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_FORTIFY_SOURCE=y
+
+CONFIG_IO_STRICT_DEVMEM=y
diff --git a/fragments/boot/efi b/fragments/boot/efi
new file mode 100644
index 0000000..c3dd195
--- /dev/null
+++ b/fragments/boot/efi
@@ -0,0 +1,5 @@
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+CONFIG_EFI_VARS=y
+CONFIG_RESET_ATTACK_MITIGATION=y
+CONFIG_EFIVAR_FS=y
diff --git a/fragments/boot/initrd b/fragments/boot/initrd
new file mode 100644
index 0000000..f97f7a0
--- /dev/null
+++ b/fragments/boot/initrd
@@ -0,0 +1 @@
+CONFIG_BLK_DEV_INITRD=y
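Review bot: The comment above `CONFIG_NET_FOU=y` in fragments/base/net gives WireGuard as the reason for Foo-over-UDP, but as far as I can tell WireGuard selects `NET_UDP_TUNNEL`, not `NET_FOU` (FOU/GUE is a separate IP-in-UDP encapsulation), so the rationale looks wrong and the option may be dead weight on these hosts. Either drop it or reword the comment to `# Foo over UDP (FOU/GUE) encapsulation; not required by wireguard`. The IPsec block below keeps `CONFIG_XFRM_USER=y` while only unsetting the `INET_XFRM_MODE_*` / `INET6_XFRM_MODE_*` symbols; if the target tree has already removed those mode symbols, the six "is not set" lines are inert and the fragment does not actually enforce "no IPsec", which is worth confirming against the kernel version being built.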
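Review bot: `CONFIG_IO_STRICT_DEVMEM=y` in fragments/base/security depends on `CONFIG_STRICT_DEVMEM`, which the fragment does not set; x86 defaults it on, but a fragment whose purpose is to pin hardening should state `CONFIG_STRICT_DEVMEM=y` rather than lean on a default. Several options that usually travel with this set are also absent from the security fragments: `CONFIG_STACKPROTECTOR_STRONG`, `CONFIG_RANDOMIZE_BASE` / `CONFIG_RANDOMIZE_MEMORY`, `CONFIG_PAGE_TABLE_ISOLATION`, `CONFIG_RETPOLINE`, `CONFIG_STRICT_MODULE_RWX`, `CONFIG_SECURITY_DMESG_RESTRICT`, `CONFIG_SECCOMP_FILTER`, `CONFIG_SECURITY_YAMA` and `CONFIG_BUG_ON_DATA_CORRUPTION`; some default on for x86_64 and which exist depends on the target kernel version (not stated in the import), but none is guaranteed by these fragments as written. Unlike fragments/base/common, no line here carries a rationale comment; a one-liner per group, e.g. `# zero structs passed by reference so uninitialised kernel memory cannot leak to userspace` above the STRUCTLEAK lines, would let the next maintainer judge which options can be traded for performance.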
diff --git a/fragments/cpu/amd b/fragments/cpu/amd
new file mode 100644
index 0000000..f0dfd33
--- /dev/null
+++ b/fragments/cpu/amd
@@ -0,0 +1,13 @@
+CONFIG_GENERIC_CPU=y
+CONFIG_X86_ACPI_CPUFREQ=y
+CONFIG_X86_AMD_PLATFORM_DEVICE=y
+CONFIG_PERF_EVENTS_AMD_POWER=y
+CONFIG_MICROCODE_AMD=y
+
+CONFIG_SENSORS_K10TEMP=y
+CONFIG_SENSORS_FAM15H_POWER=y
+
+CONFIG_EDAC_AMD64=y
+
+CONFIG_AMD_IOMMU=y
+CONFIG_AMD_IOMMU_V2=y
diff --git a/fragments/cpu/intel b/fragments/cpu/intel
new file mode 100644
index 0000000..c64743e
--- /dev/null
+++ b/fragments/cpu/intel
@@ -0,0 +1,7 @@
+CONFIG_INTEL_IDLE=y
+CONFIG_INTEL_IOMMU=y
+CONFIG_MCORE2=y
+
+CONFIG_X86_INTEL_TSX_MODE_ON=y
+
+CONFIG_SENSORS_CORETEMP=y
diff --git a/fragments/devices/input/xpad b/fragments/devices/input/xpad
new file mode 100644
index 0000000..38ed99f
--- /dev/null
+++ b/fragments/devices/input/xpad
@@ -0,0 +1,3 @@
+CONFIG_INPUT_JOYSTICK=y
+CONFIG_JOYSTICK_XPAD=m
+CONFIG_JOYSTICK_XPAD_FF=y
diff --git a/fragments/devices/net/r8169 b/fragments/devices/net/r8169
new file mode 100644
index 0000000..811d42a
--- /dev/null
+++ b/fragments/devices/net/r8169
@@ -0,0 +1 @@
+CONFIG_R8169=y
diff --git a/fragments/devices/net/tigon3 b/fragments/devices/net/tigon3
new file mode 100644
index 0000000..7659e32
--- /dev/null
+++ b/fragments/devices/net/tigon3
@@ -0,0 +1 @@
+CONFIG_TIGON3=y
diff --git a/fragments/devices/usb/bluetooth b/fragments/devices/usb/bluetooth
new file mode 100644
index 0000000..87df533
--- /dev/null
+++ b/fragments/devices/usb/bluetooth
@@ -0,0 +1 @@
+CONFIG_BT_HCIBTUSB=m
diff --git a/fragments/devices/usb/sound b/fragments/devices/usb/sound
new file mode 100644
index 0000000..fdd348d
--- /dev/null
+++ b/fragments/devices/usb/sound
@@ -0,0 +1 @@
+CONFIG_SND_USB_AUDIO=y
diff --git a/fragments/drivers/i2c b/fragments/drivers/i2c
new file mode 100644
index 0000000..5fd23e6
--- /dev/null
+++ b/fragments/drivers/i2c
@@ -0,0 +1,2 @@
+CONFIG_I2C=y
+CONFIG_I2C_CHARDEV=y
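Review bot: `CONFIG_X86_INTEL_TSX_MODE_ON=y` in fragments/cpu/intel overrides the kernel's default of `X86_INTEL_TSX_MODE_OFF`, a choice that exists precisely to mitigate TSX Asynchronous Abort (TAA) on affected CPUs; forcing TSX on re-exposes those hosts unless they run on parts that are not vulnerable. If no workload needs RTM/HLE, `CONFIG_X86_INTEL_TSX_MODE_AUTO=y` (TSX enabled only where the CPU is not affected) or the default OFF is the safer setting; otherwise a comment naming the workload that depends on TSX would justify the deviation. The build-time choice can still be overridden per boot with the `tsx=` command-line parameter, so a host fragment could carry the exception instead of the shared cpu fragment.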
diff --git a/fragments/drivers/pci b/fragments/drivers/pci
new file mode 100644
index 0000000..56b5a87
--- /dev/null
+++ b/fragments/drivers/pci
@@ -0,0 +1,2 @@
+CONFIG_PCIEPORTBUS=y
+CONFIG_PCI_MSI=y
diff --git a/fragments/drivers/raid b/fragments/drivers/raid
new file mode 100644
index 0000000..2ebb46d
--- /dev/null
+++ b/fragments/drivers/raid
@@ -0,0 +1,7 @@
+CONFIG_BLK_DEV_MD=y
+CONFIG_MD_AUTODETECT=y
+CONFIG_MD_LINEAR=y
+CONFIG_MD_RAID0=y
+CONFIG_MD_RAID1=y
+CONFIG_MD_RAID10=y
+CONFIG_MD_RAID456=y
diff --git a/fragments/drivers/sata b/fragments/drivers/sata
new file mode 100644
index 0000000..bd4fc1d
--- /dev/null
+++ b/fragments/drivers/sata
@@ -0,0 +1,7 @@
+CONFIG_ATA=y
+# CONFIG_ATA_SFF is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_CHR_DEV_SG=y
+CONFIG_SATA_AHCI=y
+CONFIG_SCSI_CONSTANTS=y
diff --git a/fragments/drivers/sound b/fragments/drivers/sound
new file mode 100644
index 0000000..9ea12a5
--- /dev/null
+++ b/fragments/drivers/sound
@@ -0,0 +1,7 @@
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_HRTIMER=y
+# CONFIG_SND_SUPPORT_OLD_API is not set
+
+# pulseaudio recommends the following
+CONFIG_SND_HDA_PREALLOC_SIZE=2048
diff --git a/fragments/drivers/usb b/fragments/drivers/usb
new file mode 100644
index 0000000..764451d
--- /dev/null
+++ b/fragments/drivers/usb
@@ -0,0 +1,11 @@
+CONFIG_USB=y
+CONFIG_USB_HID=y
+CONFIG_USB_HIDDEV=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_MON=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_EHCI_ROOT_HUB_TT=y
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_UHCI_HCD=y
+CONFIG_USB_STORAGE=y
diff --git a/fragments/fs/cifs b/fragments/fs/cifs
new file mode 100644
index 0000000..2512c7c
--- /dev/null
+++ b/fragments/fs/cifs
@@ -0,0 +1,4 @@
+CONFIG_CIFS=y
+CONFIG_CIFS_XATTR=y
+CONFIG_CIFS_POSIX=y
+CONFIG_CIFS_ACL=y
diff --git a/fragments/fs/devtmpfs b/fragments/fs/devtmpfs
new file mode 100644
index 0000000..5e9cf98
--- /dev/null
+++ b/fragments/fs/devtmpfs
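Review bot: `CONFIG_CIFS=y` in fragments/fs/cifs leaves `CONFIG_CIFS_ALLOW_INSECURE_LEGACY` at its default of y (present since 4.18; the target kernel version is not stated), which keeps the SMB1 dialect and the weaker legacy authentication paths built in. If the shares these hosts mount are SMB2/3 only, adding `# CONFIG_CIFS_ALLOW_INSECURE_LEGACY is not set` removes that surface at build time instead of relying on per-mount options. As I recall `CONFIG_CIFS_POSIX=y` (the SMB1-only POSIX extensions) depends on that legacy option and would be dropped with it, so the fragment should make that choice explicit either way.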
@@ -0,0 +1,2 @@
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
diff --git a/fragments/fs/ext4 b/fragments/fs/ext4
new file mode 100644
index 0000000..c229a59
--- /dev/null
+++ b/fragments/fs/ext4
@@ -0,0 +1,4 @@
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_EXT4_ENCRYPTION=y
diff --git a/fragments/fs/foreign b/fragments/fs/foreign
new file mode 100644
index 0000000..6efa183
--- /dev/null
+++ b/fragments/fs/foreign
@@ -0,0 +1,9 @@
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+CONFIG_ZISOFS=y
+CONFIG_UDF_FS=y
+CONFIG_VFAT_FS=y
+
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
diff --git a/fragments/fs/fuse b/fragments/fs/fuse
new file mode 100644
index 0000000..43e95f2
--- /dev/null
+++ b/fragments/fs/fuse
@@ -0,0 +1 @@
+CONFIG_FUSE_FS=y
diff --git a/fragments/fs/tmpfs b/fragments/fs/tmpfs
new file mode 100644
index 0000000..9b5a40b
--- /dev/null
+++ b/fragments/fs/tmpfs
@@ -0,0 +1,2 @@
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
diff --git a/fragments/hosts/coleridge b/fragments/hosts/coleridge
new file mode 100644
index 0000000..8ad4c9b
--- /dev/null
+++ b/fragments/hosts/coleridge
@@ -0,0 +1 @@
+CONFIG_EXTRA_FIRMWARE="amd-ucode/microcode_amd_fam15h.bin"
diff --git a/fragments/hosts/nabokov b/fragments/hosts/nabokov
new file mode 100644
index 0000000..f24a95e
--- /dev/null
+++ b/fragments/hosts/nabokov
@@ -0,0 +1,3 @@
+CONFIG_CMDLINE_BOOL=y
+CONFIG_CMDLINE="root=PARTUUID=580f465c-a0ed-324d-8a10-04bb7027b492"
+CONFIG_EXTRA_FIRMWARE="intel-ucode/06-3c-03"
diff --git a/fragments/net/bluetooth b/fragments/net/bluetooth
new file mode 100644
index 0000000..da900ed
--- /dev/null
+++ b/fragments/net/bluetooth
@@ -0,0 +1,3 @@
+CONFIG_BT=m
+CONFIG_BT_RFCOMM=m
+CONFIG_BT_HIDP=y
diff --git a/fragments/net/nftables b/fragments/net/nftables
new file mode 100644
index 0000000..148d48f
--- /dev/null
+++ b/fragments/net/nftables
@@ -0,0 +1,67 @@
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_NETLINK_ACCT=y
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NETFILTER_NETLINK_OSF=y
+CONFIG_NF_CONNTRACK=y
+# CONFIG_NF_CONNTRACK_PROCFS is not set
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_LABELS=y
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+# CONFIG_NF_CT_PROTO_UDPLITE is not set
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_SET=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_NUMGEN=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_COUNTER=y
+CONFIG_NFT_CONNLIMIT=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_TUNNEL=y
+CONFIG_NFT_OBJREF=y
+CONFIG_NFT_QUEUE=y
+CONFIG_NFT_QUOTA=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_HASH=y
+CONFIG_NFT_SOCKET=y
+CONFIG_NFT_OSF=y
+CONFIG_NFT_TPROXY=y
+CONFIG_NF_DUP_NETDEV=y
+CONFIG_NFT_DUP_NETDEV=y
+CONFIG_NFT_FWD_NETDEV=y
+CONFIG_NF_FLOW_TABLE_INET=y
+CONFIG_NF_FLOW_TABLE=y
+CONFIG_NFT_CHAIN_ROUTE_IPV4=y
+CONFIG_NFT_DUP_IPV4=y
+CONFIG_NFT_FIB_INET=y
+CONFIG_NFT_FIB_IPV4=y
+CONFIG_NFT_FLOW_OFFLOAD=y
+CONFIG_NF_TABLES_ARP=y
+CONFIG_NF_FLOW_TABLE_IPV4=y
+CONFIG_NF_LOG_ARP=y
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NFT_CHAIN_NAT_IPV4=y
+CONFIG_NFT_MASQ_IPV4=y
+CONFIG_NFT_REDIR_IPV4=y
+CONFIG_NFT_CHAIN_ROUTE_IPV6=y
+CONFIG_NFT_DUP_IPV6=y
+CONFIG_NFT_FIB_IPV6=y
+CONFIG_NFT_FIB_NETDEV=y
+CONFIG_NF_FLOW_TABLE_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NFT_CHAIN_NAT_IPV6=y
+CONFIG_NFT_MASQ_IPV6=y
+CONFIG_NFT_REDIR_IPV6=y
+CONFIG_BRIDGE_NETFILTER=y
+CONFIG_BRIDGE_VLAN_FILTERING=y
+CONFIG_NF_TABLES_BRIDGE=y
+CONFIG_NFT_BRIDGE_REJECT=y
+CONFIG_NF_LOG_BRIDGE=y
diff --git a/fragments/profile/desktop b/fragments/profile/desktop
new file mode 100644
index 0000000..8d035c2
--- /dev/null
+++ b/fragments/profile/desktop
@@ -0,0 +1,7 @@
+CONFIG_PREEMPT_VOLUNTARY=y
+
+CONFIG_HZ_1000=y
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_EVDEV=y
+
+CONFIG_DRM=y
diff --git a/fragments/profile/server b/fragments/profile/server
new file mode 100644
index 0000000..36580b4
--- /dev/null
+++ b/fragments/profile/server
@@ -0,0 +1,5 @@
+CONFIG_PREEMPT_NONE=y
+
+CONFIG_HZ_300=y
+
+# CONFIG_SUSPEND is not set
diff --git a/fragments/profile/vm b/fragments/profile/vm
new file mode 100644
index 0000000..bf6bc2d
--- /dev/null
+++ b/fragments/profile/vm
@@ -0,0 +1,9 @@
+CONFIG_KVM=y
+CONFIG_KVM_INTEL=y
+CONFIG_KVM_AMD=y
+CONFIG_VHOST_NET=m
+
+CONFIG_MACVLAN=m
+CONFIG_MACVTAP=m
+CONFIG_IPVLAN=m
+CONFIG_IPVTAP=m
diff --git a/fragments/security/audit b/fragments/security/audit
new file mode 100644
index 0000000..f594b65
--- /dev/null
+++ b/fragments/security/audit
@@ -0,0 +1,4 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
diff --git a/fragments/security/cgroups b/fragments/security/cgroups
new file mode 100644
index 0000000..e3ed289
--- /dev/null
+++ b/fragments/security/cgroups
@@ -0,0 +1,7 @@
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
diff --git a/fragments/security/namespaces b/fragments/security/namespaces
new file mode 100644
index 0000000..14935f8
--- /dev/null
+++ b/fragments/security/namespaces
@@ -0,0 +1,5 @@
+CONFIG_IPC_NS=y
+CONFIG_NET_NS=y
+CONFIG_PID_NS=y
+CONFIG_USER_NS=y
+CONFIG_UTS_NS=y
-- 
cgit v1.2.3-2-gb3c3
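Review bot: `CONFIG_USER_NS=y` in fragments/security/namespaces is the one line in this fragment that materially changes the unprivileged attack surface: it lets ordinary users create user namespaces, which rootless containers and browser sandboxes need, but which has also been the precondition for a long series of privilege-escalation bugs in subsystems otherwise reachable only by root. Like the other security fragments it carries no rationale, so a comment such as `# USER_NS: required for rootless containers/sandboxes; widens the unprivileged attack surface` would let the server profile drop it deliberately where nothing depends on it. Mainline offers no separate runtime knob for unprivileged user-namespace creation, so this build-time choice is the control point.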