From ab79a4804c8114ece3f772f4f13ffb5e42b71e54 Mon Sep 17 00:00:00 2001
From: Chani Jindal
Date: Tue, 26 Nov 2024 08:33:53 +0000
Subject: [PATCH] mitigation-v4 for enabling io_uring
---
 kernelctf/build_release.sh | 4 +++
 kernelctf/kernel_configs/lts-6.6.config | 1 -
 kernelctf/kernel_configs/mitigation-v4.config | 26 +++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 kernelctf/kernel_configs/mitigation-v4.config
diff --git a/kernelctf/build_release.sh b/kernelctf/build_release.sh
index 00728913e..81211084a 100755
--- a/kernelctf/build_release.sh
+++ b/kernelctf/build_release.sh
@@ -29,6 +29,10 @@ case $TARGET in
 mitigation)
 REPO="https://github.com/thejh/linux"
 case $VERSION in
+ v4*)
+ DEFAULT_BRANCH="slub-virtual-v6.6"
+ CONFIG_FN="mitigation-v4.config"
+ ;;
 v3-* | v3b-*)
 DEFAULT_BRANCH="mitigations-next"
 case $VERSION in
diff --git a/kernelctf/kernel_configs/lts-6.6.config b/kernelctf/kernel_configs/lts-6.6.config
index 846fd455e..60284b84c 100644
--- a/kernelctf/kernel_configs/lts-6.6.config
+++ b/kernelctf/kernel_configs/lts-6.6.config
@@ -1,3 +1,2 @@
-# CONFIG_IO_URING is not set
 # CONFIG_NF_TABLES is not set
 CONFIG_SYSTEM_TRUSTED_KEYS=""
diff --git a/kernelctf/kernel_configs/mitigation-v4.config b/kernelctf/kernel_configs/mitigation-v4.config
new file mode 100644
index 000000000..4011b4e41
--- /dev/null
+++ b/kernelctf/kernel_configs/mitigation-v4.config
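Review bot: The new `v4*)` arm matches any version string that merely begins with `v4`, whereas the neighbouring arm anchors on a delimiter (`v3-* | v3b-*`); unless the broader match is intended, `v4-*)` keeps the two arms consistent and avoids silently routing some future `v4b-*`-style variant to this branch and config. `DEFAULT_BRANCH="slub-virtual-v6.6"` names a moving branch on a third-party repository rather than a fixed revision, so the same release version can build from different kernel sources over time; this mirrors the existing `mitigations-next` arm, but a pinned commit, or at least a comment stating that the branch is expected to move, would make the release reproducible and the source provenance auditable. The enclosing `case $VERSION in` block starts and ends outside the hunk.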
@@ -0,0 +1,26 @@
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+
+## required by CONFIG_KMALLOC_SPLIT_VARSIZE
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+
+## turns on our mitigations
+CONFIG_KMALLOC_SPLIT_VARSIZE=y
+CONFIG_SLAB_VIRTUAL=y
+
+## turns on CONFIG_RANDOM_KMALLOC_CACHES
+CONFIG_RANDOM_KMALLOC_CACHES=y
+
+## turns on additional hardenings
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_DEBUG_WX=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+# CONFIG_FUSE_FS is not set
+
+### Make the kernel less annoying to debug
+## Compile the kernel with debug info
+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
+# Have all symbols in kallsyms
+CONFIG_KALLSYMS_ALL=y
+
+# CONFIG_NF_TABLES is not set
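Review bot: The new fragment never mentions `CONFIG_IO_URING`, even though the commit subject says this target exists to enable io_uring, so whether it is actually built in depends on the defaults of the `slub-virtual-v6.6` branch rather than on anything visible in this file. Stating it explicitly, e.g. `## io_uring is intentionally enabled for this target` followed by `CONFIG_IO_URING=y`, records the deliberately widened attack surface where a reviewer will see it instead of only in the generated .config. The trailing `# CONFIG_NF_TABLES is not set` is the only entry without a section heading; a line such as `## subsystems deliberately left disabled` in the style of the other headings would explain why it is off while `# CONFIG_FUSE_FS is not set` is grouped under the hardening section.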