Starting with commit 1cf2d7357c lxc is
failing on aarch64 only. For whatever reason, the version check done
on docbook2man here is no longer registering as >=0.8.8
3efa1c3037/meson.build (L323)
This falls through to this line, which changes the behavior of the
configured sgml header.
3efa1c3037/meson.build (L327)
Instead of figuring out /why/ this is the case, I'm just going to skip
the check for lxc since we won't ever ship docbook2x < 0.8.
The 1.75 patch can't be fetched because it doesn't apply. But git
can apply it cleanly, so it must just need to do a three-way merge or
something. Regardless, we need to include a version that patch(1) can
apply in Nixpkgs.
Borrowing from here to match the hardened profile with more recent kernels:
* https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters
* https://github.com/a13xp0p0v/kernel-hardening-checker/
Removed "slub_debug" as that option disables kernel memory address
hashing. You also see a big warning about this in the dmesg:
"This system shows unhashed kernel memory addresses via the console, logs, and other interfaces."
"init_on_alloc=1" and "init_on_free=1" zero all SLAB and SLUB allocations.
Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default
for the Android Google kernel btw. It is on by default through the Kconfig.
"slab_nomerge" prevents the merging of slab/slub caches. These are
effectively slab/slub pools.
"LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on
a static address. It got superseded by vDSOs a decade ago. Read some
LWN.net to learn more ;)
"debugfs=off": I'm sure there are some few userspace programs that rely on
debugfs, but they shouldn't.
Most other things mentioned on the blog were already the default on a
running machine or may not be applicable.
Most other Kconfig changes come from the kernel hardening checker and
were added when they were not applied to the kernel already.
Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing.
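An added example, not part of these commits or of nixpkgs itself: a small POSIX shell checker that verifies a kernel command line and a kernel `.config` text against the settings the hardening commit above describes (the `init_on_alloc=1`, `init_on_free=1`, `slab_nomerge` and `debugfs=off` boot parameters, the absence of `slub_debug`, and the `LEGACY_VSYSCALL_NONE` Kconfig). The parameter and symbol lists, the function names and the sample inputs are this example's own assumptions; the sample command lines and config text are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the nixpkgs commits above). Checks a kernel command
# line and a kernel .config for the hardening settings discussed in the
# commit message. Inputs are passed as strings so this runs offline on the
# constructed samples below; on a live host feed it "$(cat /proc/cmdline)"
# and "$(zcat /proc/config.gz)".

# Boot parameters the hardened profile is expected to set (assumed list).
WANTED_PARAMS="init_on_alloc=1 init_on_free=1 slab_nomerge debugfs=off"
# Boot parameters the commit removed: slub_debug disables kernel address
# hashing, so its presence is flagged.
UNWANTED_PARAMS="slub_debug"
# Kconfig symbols to require (assumed list). CONFIG_LEGACY_VSYSCALL_NONE=y is
# the "none" vsyscall mode; CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y is the Kconfig
# default the commit refers to for init_on_alloc.
WANTED_CONFIGS="CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y"

# Print each wanted parameter absent from the command line in $1.
# Returns 0 when all are present, 1 otherwise.
missing_params() {
    cmdline=" $1 "
    rc=0
    for p in $WANTED_PARAMS; do
        case "$cmdline" in
            *" $p "*) ;;
            *) echo "missing boot parameter: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Print each unwanted parameter present in the command line in $1, matching
# both the bare form ("slub_debug") and the valued form ("slub_debug=FZP").
# Returns 0 when none is present, 1 otherwise.
unwanted_params() {
    cmdline=" $1 "
    rc=0
    for p in $UNWANTED_PARAMS; do
        case "$cmdline" in
            *" $p "*|*" $p="*) echo "unwanted boot parameter: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Print each wanted CONFIG_ line absent from the .config text in $1 (exact
# whole-line match, so "# CONFIG_X is not set" does not satisfy "CONFIG_X=y").
# Returns 0 when all are present, 1 otherwise.
missing_configs() {
    config="$1"
    rc=0
    for c in $WANTED_CONFIGS; do
        if ! printf '%s\n' "$config" | grep -qx "$c"; then
            echo "missing kernel config: $c"; rc=1
        fi
    done
    return $rc
}

# Run all three checks; returns 0 only if every check passes.
check_host() {
    ok=0
    missing_params "$1" || ok=1
    unwanted_params "$1" || ok=1
    missing_configs "$2" || ok=1
    return $ok
}

# Constructed samples (not captured from any real machine).
SAMPLE_CMDLINE_OK="BOOT_IMAGE=/vmlinuz root=/dev/sda1 init_on_alloc=1 init_on_free=1 slab_nomerge debugfs=off quiet"
SAMPLE_CMDLINE_BAD="BOOT_IMAGE=/vmlinuz root=/dev/sda1 slub_debug=FZP init_on_alloc=1 quiet"
SAMPLE_CONFIG_OK="CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_DEBUG_FS=y"
SAMPLE_CONFIG_BAD="# CONFIG_LEGACY_VSYSCALL_NONE is not set
CONFIG_LEGACY_VSYSCALL_XONLY=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y"

# Stand-alone demonstration; guarded so a failing check does not abort under set -e.
if check_host "$SAMPLE_CMDLINE_OK" "$SAMPLE_CONFIG_OK"; then
    echo "sample_ok: hardened settings present"
fi
if ! check_host "$SAMPLE_CMDLINE_BAD" "$SAMPLE_CONFIG_BAD"; then
    echo "sample_bad: hardening gaps found"
fi
```

The whole-line `grep -x` matters: a `.config` carries `# CONFIG_FOO is not set` lines, so a substring match on the symbol name alone would report a disabled option as present.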