mer_verify_kernel_config

#!/usr/bin/perl -w
# Mer Kernel config specification checker
# http://wiki.merproject.org/wiki/Adaptation_Guide

# CONFIG must be set to one of the permitted values "," seperated and
# multiple values permitted

# y = set and enabled
# m = set and module
# n = must be unset (commented out)
#
# "value" = must be set to "value"
# /regexp/ = "value" which matches regexp
#
# ! = Failure will be warned, not errored

# Known issues with the basic parser:
# * # in regexps or strings cause issues if there's no trailing #
# * can't have "," in /regexp/

use Text::ParseWords;
use strict;

my $debug = 0;
my %config;


=item cmp_version()

=head1 NAME cmp_version - compare two version strings

=head1 SYNOPSIS
  cmp_version(1.0, >=, 2.0);

=head1 DESCRIPTION

Compare C<$version> and C<$version1> with C<operator>.
Just like if ( ) but for version strings.
=cut

sub cmp_version
{

  my $st_version = shift;
  my $operator = shift;
  my $nd_version = shift;

  return version->parse($st_version) < version->parse($nd_version)
      if $operator eq '<';
  return version->parse($st_version) > version->parse($nd_version)
      if $operator eq '>';
  return version->parse($st_version) >= version->parse($nd_version)
      if $operator eq '>=';
  return version->parse($st_version) == version->parse($nd_version)
      if $operator eq '==';
  return version->parse($st_version) <= version->parse($nd_version)
      if $operator eq '<=';
  return version->parse($st_version) != version->parse($nd_version)
      if $operator eq '!=';
}

while (<DATA>) {
  next if /^\s*(#.*)?$/ ; # skip comments and blank lines
  chomp;

  my ($conf, $allowed) = split(' ', $_, 2);

  # Remove and capture any trailing comment (dubious matching here
  # since comments in a "" or // will be removed too)
  my $comment;
  if ($allowed =~ s/(#\s*)(.*)?$//) {
    $comment = $2 if $2;
  }

  # http://perldoc.perl.org/Text/ParseWords.html
  my @allowed = parse_line(",", 1, $allowed);

  my $warning;
  my $version;
  my $version2;
  # Strip leading/trailing space for each value and check for warnings
  foreach (@allowed) {
    s/^\s+|\s+$//g;
    $warning = 1 if $_ eq "!" ;
    $version2 = $_ if (m/[\d\.<>=]/ and $version);
    $version = $_ if m/[\d\.<>=]/ and ! $version;
  }

  # Each CONFIG_* has an array of allowed values, a comment and a flag
  # to say it's only a warning (in which case we print the comment)
  $config{$conf} = {allowed => \@allowed,
                    comment => $comment,
                    warning => $warning,
                    version => $version,
                    version2 => $version2};
}

my $kconfig_line = 0;
my $kernel_version;

print "\nScanning\n" if $debug;
while (<>) {

  if (!$kernel_version  and $kconfig_line < 4 ) {
     print "HEADER:$_" if $debug;
     if ($_ =~ /[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,3}/) {
      # Find string with kernel version and extract version number from it
      $_ =~ s/#//;
      # Remove extra version number which is separated by + (e.g. Linux/arm 4.4.184+0.0.6)
      $_ =~ tr/+/ /;
      $_ =~ tr/-/ /;
      $kernel_version = (split(' ', $_, 3))[1];
      print "Kernel version $kernel_version\n" if $debug;
      # Look for values that aren't valid for $kernel_version
      for my $conf (keys %config)
      {
         my $c = $config{$conf};
         my $version_valid = 1;
         if ($c->{"version"})
         {
            my $config_version = $c->{"version"};
            my $operator = $config_version;
            $operator =~ s/[\d\s\w\.]//g;
            $config_version =~ s/[><=]//g;
            if(!cmp_version($kernel_version, $operator, $config_version))
            {
               delete($config{$conf});
               print "Removing $conf, $kernel_version, $operator, $config_version\n"
                   if $debug;
               $version_valid = 0;
            }
         }
         if ($version_valid and $c->{"version2"})
         {
            my $config_version = $c->{"version2"};
            my $operator = $config_version;
            $operator =~ s/[\d\s\w\.]//g;
            $config_version =~ s/[><=]//g;
            if(!cmp_version($kernel_version, $operator, $config_version))
            {
               delete($config{$conf});
               print "Removing $conf, $kernel_version, $operator, $config_version\n"
                   if $debug;
            }
         }
      }
    }
  }
  next if /^\s*(#.*)?$/ ; # skip comments and blank lines
  $kconfig_line++;
  chomp;
  my ($conf, $value) = split('=', $_, 2);

  # Only check CONFIG_* values we know about
  next unless $config{$conf};

  my $c = $config{$conf};

  print "$conf matched, checking..." if $debug;
  $c->{"value"} = $value; # Store the value for later reporting

  my $allowed = $c->{"allowed"};
  for my $allow (@$allowed) {
    if (substr($allow,1,1) eq '/') { # regexps
      print "Do a regex match : \"$value\" =~ $allow\n" if $debug;

    } elsif (substr($allow,1,1) eq '"') { # strings
      print "Do a string match : $allow == $value\n" if $debug;
      if ($value eq $allow) {$c->{"valid"} = 1; }

    } else { # plain y/m values
      print "match y/m : $value == $allow\n" if $debug;
      if ($value eq $allow) {$c->{"valid"} = 1; }
    }
  }
  if ($c->{"valid"}) { print "OK\n" if $debug;}
}

print "Results\n" if $debug;
print "WARNING: kernel version missing, some reports maybe misleading\n"
    if not $kernel_version;
my $fatal = 0;
for my $conf (keys %config) {
  my $c = $config{$conf};

  if (! $c->{"valid"}) { # Check for 'n' case
    foreach my $allow (@{$c->{"allowed"}}) {
      if (("$allow" eq "n") and ! $c->{"value"}) {
	$c->{"valid"} = 1;
      }
    }
  }

  # Now report
  if (! $c->{"valid"}) {
    print defined($c->{"warning"}) ? "WARNING: " : "ERROR: ";
    print "$conf is invalid\n";
    if ($c->{"value"}) {
      print "Value is: ". $c->{"value"} ."\n";
    } else {
      print "It is unset\n";
    }
    print "Allowed values : ".join(", ", @{$c->{"allowed"}}) ."\n";
    print "Comment says: ". $c->{"comment"}."\n\n";
    if (! $c->{"warning"}) {
      $fatal = 1;
    }
  }
}
exit $fatal;








__DATA__
CONFIG_ANDROID_LOW_MEMORY_KILLER	y,! # Helping memory handling at least with Android runtime (tested on Jolla C)
CONFIG_ANDROID_PARANOID_NETWORK		y,n       # Since Android 5 on some devices this flag is needed for rild to work. But it breaks connectivity in Sailfish OS if user nemo is not part of inet group. "y,n" switch means that this flag's presence/absence won't fail the checks anymore, but instead dhd will autodetect it and add nemo to inet
CONFIG_AUDIT				y,!	# Required by SELinux. Can be disabled at boottime via kernel cmdline: audit=0. You can also leave audit enabled, if you don't plan to use systemd's containers: http://cgit.freedesktop.org/systemd/systemd/commit/README?id=77b6e19458f37cfde127ec6aa9494c0ac45ad890
CONFIG_AUTOFS4_FS			y,m,!	# systemd (optional): http://cgit.freedesktop.org/systemd/systemd/commit/README?id=713bc0cfa477ca1df8769041cb3dbc83c10eace2
CONFIG_BLK_CGROUP			y,!	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_BLK_DEV_NBD			y,m,!	# optional, for NFS & CIFS support
CONFIG_BRIDGE				y,m,!	# connman (optional): support tethering, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=19fe7cad485afa6a7a5cc4aa75615ce8b7b8d376
CONFIG_BT_BNEP_MC_FILTER		y,!	# Bluez (optional): Needed if bluetooth networking is wanted, e.g. for bluetooth tethering
CONFIG_BT_BNEP_PROTO_FILTER		y,!	# Bluez (optional): Needed if bluetooth networking is wanted, e.g. for bluetooth tethering
CONFIG_BT_BNEP				y,!	# Bluez (optional): Needed if bluetooth networking is wanted, e.g. for bluetooth tethering
CONFIG_BT_HCIUART_H4			y,!	# Bluez (optional): Needed if bluez used as bluetooth stack
CONFIG_BT_HCIUART			y,!	# Bluez (optional): Needed if bluez used as bluetooth stack
CONFIG_BT_HCIVHCI			y,!	# Bluez (optional): Needed if bluebinder is used with bluez (Android 8+ based ports)
CONFIG_BT_HIDP				y,!	# Bluez (optional): Needed for HIDP (Human Interface Device Protocol) transport layer
CONFIG_BT_MSM_SLEEP			n,!	# Bluez (optional): Causes problems with bluez thus disabling is recommended.
CONFIG_BT_RFCOMM			y,!	# Bluez (optional): Needed if bluez used as bluetooth stack
CONFIG_BTRFS_FS				y,!	# optional extra filesystem (BTRFS)
CONFIG_BT				y,!	# Bluez (optional): Needed if bluez used as bluetooth stack
CONFIG_CGROUP_CPUACCT			y,!	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_CGROUP_DEVICE			y,!	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_CGROUP_FREEZER			y,!	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_CGROUP_MEM_RES_CTLR_KMEM		y,!,<=3.5	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README, only valid if kernel version <= 3.5
CONFIG_CGROUP_MEM_RES_CTLR_SWAP		y,!,<=3.5	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README, only valid if kernel version <= 3.5
CONFIG_CGROUP_MEM_RES_CTLR		y,!,<=3.5	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README, only valid if kernel version <= 3.5
CONFIG_CGROUP_NET_PRIO			y,!,>=3.14	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_CGROUP_PERF			y,!	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_CGROUP_SCHED			y,!	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_CGROUPS				y	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_CHECKPOINT_RESTORE		y,!	# rich-core-dumper (https://github.com/mer-tools/sp-rich-core/) needs this to collect all data for environment recreation.
CONFIG_CIFS				y,m,!	# optional extra filesystem (CIFS - Windows net fs)
CONFIG_CPUSETS				y,m,!	# lxc (optional): required to run lxc containers
CONFIG_CUSE				y,!,>=2.6	# CUSE (optional): Required for software security modules support.
CONFIG_DEVTMPFS_MOUNT			y	# Required by hybris-boot init-script
CONFIG_DEVTMPFS				y	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_DUMMY				n
CONFIG_ECRYPT_FS			y,m,!	# optional extra filesystem (ecryptfs)
CONFIG_EPOLL				y	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_EXT4_FS				y,m,!	# Mer uses ext4 as rootfs by default
CONFIG_F2FS_FS_SECURITY			y,m,!	# required to mount f2fs volumes under SELinux
CONFIG_F2FS_FS				y,m,!	# optional extra filesystem (f2fs - a good SD filesystem)
CONFIG_FANOTIFY				y,!	# optional, required for systemd readahead.
CONFIG_FHANDLE				y	# systemd: http://cgit.freedesktop.org/systemd/systemd/commit/README?id=001809282918f273d372f1ee09d10b783c18a474
CONFIG_FW_LOADER_USER_HELPER_FALLBACK	y,!	# optional, for droid firmware load helper
CONFIG_FW_LOADER_USER_HELPER		y,!	# Required by droid firmware load helper
CONFIG_HIDRAW				y,m,!	# optional: Support HID devices
CONFIG_IKCONFIG_PROC			y	# Required by hybris-boot init-script
CONFIG_INET_AH				y	# Required by IPSec
CONFIG_INET_ESP				y	# Required by IPSec
CONFIG_INET6_AH				y	# Required by IPSec
CONFIG_INET6_ESP			y	# Required by IPSec
CONFIG_INOTIFY_USER			y	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_IP6_NF_FILTER			y,m	# Basic IPv6 packet filtering support for netfilter
CONFIG_IP6_NF_IPTABLES			y,m	# Basic IPv6 iptables support for packet filtering
CONFIG_IP6_NF_MANGLE			y,m	# Support IPv6 packet mangling with netfilter
CONFIG_IP6_NF_MATCH_AH			y,m,!	# connman: for ip6tables ah match
CONFIG_IP6_NF_MATCH_FRAG		y,m,!	# connman: for ip6tables frag match
CONFIG_IP6_NF_MATCH_MH			y,m,!	# connman: for ip6tables mh match
CONFIG_IP6_NF_MATCH_RPFILTER		y	# To be able to mitigate CVE-2019-14899 with ConnMan iptables rule
CONFIG_IP6_NF_RAW			y	# Support RAW packet table in IPv6 netfilter. A basic need for iptables.
CONFIG_IP6_NF_TARGET_REJECT		y	# Support netfilter reject target in IPv6 netfilter. A basic need for iptables.
CONFIG_IPC_NS				y	# Namespacing option needed by firejail
CONFIG_IPC_NS				y,!	# optional, enables kernel namespaces for systemd-nspawn containers
CONFIG_IP_MULTIPLE_TABLES		y,m,!	# connman (optional): for routing and statistic support in sessions, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=41f37125887cb9208da2441e350e1e3324c17ee6
CONFIG_IP_NF_ARPFILTER			y,m,!	# Support filtering arp packets in netfilter
CONFIG_IP_NF_ARP_MANGLE			y,m,!	# Support mangling of ARP packets in netfilter
CONFIG_IP_NF_ARPTABLES			y,m,!	# Support ARP tables in netfilter
CONFIG_IP_NF_FILTER			y	# Support packet filtering in IPv4 netfilter
CONFIG_IP_NF_IPTABLES			y,m,!	# connman (optional): for routing and statistic support in sessions, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=41f37125887cb9208da2441e350e1e3324c17ee6
CONFIG_IP_NF_MANGLE			y	# Support mangle table in IPV4 netfilter. Mangle table is required for IPv6 CVE-2019-14899
CONFIG_IP_NF_MATCH_AH			y,m,!	# connman: for iptables ah match
CONFIG_IP_NF_MATCH_ECN			y,m,!	# connman: for iptables ecn match
CONFIG_IP_NF_MATCH_RPFILTER		y	# Add to have both IPv4 and IPv6 RPFILTER matches set
CONFIG_IP_NF_MATCH_TTL			y,m,!	# connman: for iptables ttl match
CONFIG_IP_NF_NAT			y,>=3.17	# Support NAT table in netfilter. Tethering requires this. Since 3.17 and before this as CONFIG_NF_NAT_IPV4
CONFIG_IP_NF_RAW			y	# Support raw table in IPv4 netfilter
CONFIG_IP_NF_SECURITY			y	# Support security table in IPv4 netfilter
CONFIG_IP_NF_TARGET_MASQUERADE		y,m,!	# connman (optional): support tethering, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=19fe7cad485afa6a7a5cc4aa75615ce8b7b8d376
CONFIG_IP_NF_TARGET_REDIRECT		y,m,!	# Support redirect target in IPv4 netfilter, required for some masquerading scenarios
CONFIG_IP_NF_TARGET_REJECT		y	# Support reject target in IPv4 netfilter, a quite basic requirement for iptables
CONFIG_IP_SCTP				y,!,>=3.8	# SCTP support on both IP families, experimental exists already from 2.5 upwards but android kernels may have broken support for it. Experimental status dropped on 3.8 and upwards.
CONFIG_IPV6				y,m,!	# systemd: http://cgit.freedesktop.org/systemd/systemd/tree/README#n37
CONFIG_ISO9660_FS			y,m,!	# optional extra filesystem (CD-ROM)
CONFIG_L2TP_IP				y,m,!	# Support for L2TP-over-IP socket family. Enables L2TPIP socket family with which userspace L2TPv3 daemons may create L2TP/IP tunnel sockets when UDP encapsulation is not required
CONFIG_LBDAF				y,!	# ext4 filesystem requires this in order to support filesysetms with huge_file feature, which is enabled by default by mke2fs.ext4, not needed for 64bit architectures
CONFIG_LOCKD_V4				y,!	# optional, for NFS support
CONFIG_LOCKD				y,m,!	# optional, for NFS support
CONFIG_MEMCG_KMEM			y,!,>=3.6	# systemd (optional, but recommended): https://github.com/systemd/systemd/blob/v238/README, only valid if kernel version >= 3.6
CONFIG_MEMCG_SWAP			y,!,>=3.6	# systemd (optional, but recommended): https://github.com/systemd/systemd/blob/v238/README, only valid if kernel version >= 3.6
CONFIG_MEMCG				y,!,>=3.6	# systemd (optional, but recommended): https://github.com/systemd/systemd/blob/v238/README, only valid if version >= 3.6
CONFIG_MODULES				y,!	# optional, required for module support (Such as WLAN for example)
CONFIG_NAMESPACES			y	# Namespacing is needed by firejail
CONFIG_NET_CLS_CGROUP			y,!	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_NETFILTER_NETLINK_ACCT		y,m,!	# connman (optional): for routing and statistic support in sessions, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=41f37125887cb9208da2441e350e1e3324c17ee6
CONFIG_NETFILTER_XT_CONNMARK		y,m,!	# connman (optional): for routing and statistic support in sessions, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=115cb9cbd3cdda00784e58a4ea12b42d128732b4
CONFIG_NETFILTER_XT_MATCH_CONNMARK	y,m,!	# connman (optional): for routing and statistic support in sessions, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=115cb9cbd3cdda00784e58a4ea12b42d128732b4
CONFIG_NETFILTER_XT_MATCH_CONNTRACK	y	# connman: for iptables conntrack match
CONFIG_NETFILTER_XT_MATCH_DCCP		y,m,!	# connman: for iptables dccp match
CONFIG_NETFILTER_XT_MATCH_ESP		y,m,!	# connmman: for iptables esp match
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT	y,m,!	# connman: for iptables hashlimit match
CONFIG_NETFILTER_XT_MATCH_HELPER	y,m,!	# connman: for iptables helper match
CONFIG_NETFILTER_XT_MATCH_IPRANGE	y,m,!	# connman: for iptables iprange match
CONFIG_NETFILTER_XT_MATCH_LIMIT		y,m,!	# connman: for iptables limit match
CONFIG_NETFILTER_XT_MATCH_MARK		y,m,!	# connman: for iptables mark match
CONFIG_NETFILTER_XT_MATCH_MULTIPORT	y	# connman: for iptables multiple port match
CONFIG_NETFILTER_XT_MATCH_NFACCT	y,m,!	# connman (optional): for routing and statistic support in sessions, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=41f37125887cb9208da2441e350e1e3324c17ee6
CONFIG_NETFILTER_XT_MATCH_OWNER		y,m,>=4.14.0	# connman: for iptables owner match
CONFIG_NETFILTER_XT_MATCH_PKTTYPE	y,m,!	# connman: for iptables pkttype match
CONFIG_NETFILTER_XT_MATCH_QTAGUID	y,m,<=4.13.0	# connman: for iptables owner/qtaguid match, deprecated after Android Q, non-mainline feature https://android.googlesource.com/kernel/configs/+/189cbab05f8680af3778b82a0b899485773e42e9%5E%21/android-4.14/android-base.config
CONFIG_NETFILTER_XT_MATCH_RECENT	y,m,!	# connman: for iptables recent match
CONFIG_NETFILTER_XT_MATCH_SCTP		y,m,!	# connman: for iptables sctp match
CONFIG_NETFILTER_XT_MATCH_STATE		y,m,!	# connman: for iptables state match
CONFIG_NETFILTER_XT_NAT			y,m,!	# Enable netfilter DNAT and SNAT targets.
CONFIG_NETFILTER_XT_TARGET_CONNMARK	y,m,!	# connman (optional): for routing and statistic support in sessions, http://git.kernel.org/cgit/network/connman/connman.git/commit/README?id=115cb9cbd3cdda00784e58a4ea12b42d128732b4
CONFIG_NETFILTER_XT_TARGET_LOG		y,m,!	# Enable LOG target for netfilter. A real basic need for debugging iptables rules.
CONFIG_NET_NS				y,!	# optional, enables kernel namespaces for systemd-nspawn containers
CONFIG_NETPRIO_CGROUP			y,!,<=3.13	# systemd (optional): https://github.com/systemd/systemd/blob/v238/README
CONFIG_NETWORK_FILESYSTEMS		y,!	# optional, for NFS support
CONFIG_NET				y	# systemd: http://cgit.freedesktop.org/systemd/systemd/commit/README?id=41938693e76c32161d2b3b83253ce996468cbf9b
CONFIG_NF_CONNTRACK_IPV4		y,m,!,<=4.18	# optional, exists up to 4.18
CONFIG_NF_CONNTRACK_IPV6		y,m,!,<=4.18	# optional, exists up to 4.18
CONFIG_NF_NAT_IPV4			y,m,>=3.7,<=5.0	# connman: to enable IPv4 NAT, exists in kernels betweek 3.7 and 5.0
CONFIG_NF_NAT_IPV6			y,m,!,>=3.7,<=5.0	# connman: to enable IPv6 NAT, optional as exists in kernel between 3.7 to 5.0
CONFIG_NFS_ACL_SUPPORT			y,m,!	# optional, for NFS support
CONFIG_NFS_COMMON			y,!	# optional, for NFS support
CONFIG_NFS_FS				y,m,!	# optional, for NFS support
CONFIG_NFS_USE_KERNEL_DNS		y,!	# optional, for NFS support
CONFIG_NFS_V3_ACL			y,!	# optional, for NFS support
CONFIG_NFS_V3				y,!	# optional, for NFS support
CONFIG_NFS_V4_1				y,!	# optional, for NFS support
CONFIG_NFS_V4				y,!	# optional, for NFS support
CONFIG_NLS_UTF8				y	# Ensure that we support UTF8 filenames.
CONFIG_PID_NS				y	# Namespacing option needed by firejail
CONFIG_PID_NS				y,!	# optional, enables kernel namespaces for systemd-nspawn containers
CONFIG_PROC_FS				y	# systemd: http://cgit.freedesktop.org/systemd/systemd/commit/README?id=06d461ee6f3da6650e6d023d7828455752d70b0b
CONFIG_QFMT_V2				y	# Use this version of the interface for quotactl
CONFIG_QUOTACTL				y	# To adjust quota
CONFIG_QUOTA_NETLINK_INTERFACE		y	# For quota_nld service
CONFIG_QUOTA				y	# Quota is needed to prevent additional users from taking all space
CONFIG_RD_GZIP				y	# Required by hybris-boot Android.mk
CONFIG_RFKILL				y,m,!	# (optional) Needed if bluebinder is used
CONFIG_RTC_DRV_CMOS			y,!	# optional, but highly recommended, not available on arm64
CONFIG_SCHED_DEBUG			y,!	# systemd-bootchart (optional): http://cgit.freedesktop.org/systemd/systemd/commit/README?id=f1c24fea94e19cf2108abbeed1d36ded7102ab98
CONFIG_SCHEDSTATS			y,!	# systemd-bootchart (optional): http://cgit.freedesktop.org/systemd/systemd/commit/README?id=f1c24fea94e19cf2108abbeed1d36ded7102ab98
CONFIG_SECCOMP				y,!	# systemd (optional): strongly recommended, http://cgit.freedesktop.org/systemd/systemd/commit/README?id=f28cbd0382ca53baa99803bbc907a469fbf68128
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE	0,!	# Alternative way to disable SELinux at boottime
CONFIG_SECURITY_SELINUX_BOOTPARAM	y,!	# Up to hybris-16 it's recommended to have SELinux disabled at boottime via kernel cmdline: selinux=0 or SECURITY_SELINUX_BOOTPARAM_VALUE=0. For hybris-17 SELinux should be left enabled.
CONFIG_SECURITY_SELINUX			y,!	# Most hybris adaptations must have SELinux builtin in kernel
CONFIG_SECURITY_YAMA_STACKED		y,!,<4.3	# optional, only valid for kernel < 4.3
CONFIG_SECURITY_YAMA			y,!	# optional, prevents user's processes from ptracing each other
CONFIG_SIGNALFD				y	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_SUNRPC_GSS			y,m,!	# optional, for NFS support
CONFIG_SUNRPC				y,m,!	# optional, for NFS support
CONFIG_SYSFS_DEPRECATED			n	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_SYSFS				y	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_SYSVIPC				y	# Inter Process Communication option is required to run Mer
CONFIG_TIMERFD				y	# systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_TMPFS_POSIX_ACL			y	# systemd: required by hybris-boot init-script, if you want pam_systemd.so to setup your "seats". http://cgit.freedesktop.org/systemd/systemd/commit/README?id=77b6e19458f37cfde127ec6aa9494c0ac45ad890
CONFIG_TMPFS_XATTR			y,!	# systemd (optional): strongly recommended, https://github.com/systemd/systemd/blob/v238/README
CONFIG_TUN				y,m,!	# ofono: http://git.kernel.org/?p=network/ofono/ofono.git;a=blob;f=README;h=413d789e5f9e96024986f5116d3c8aff0c9f15b8;hb=HEAD#l28
CONFIG_UDF_FS				y,m,!	# optional extra filesystem (DVD & portable USB)
CONFIG_UEVENT_HELPER_PATH		"", !	# should be empty, if you want to use systemd without initramfs. Also systemd: https://github.com/systemd/systemd/blob/v238/README
CONFIG_UNIX				y	# UNIX sockets option is required to run Mer
CONFIG_UTS_NS				y	# Namespacing option needed by firejail
CONFIG_UTS_NS 				y,!	# optional, enables kernel namespaces for systemd-nspawn containers
CONFIG_VT				y	# Required for virtual consoles
CONFIG_WATCHDOG_NOWAYOUT		y,!	# If device uses watchdogs with dsme (https://github.com/sailfishos/dsme), this option should be enabled or watchdog does not protect the device in case dsme crashes.
CONFIG_STATIC_USERMODEHELPER	n,	# Android mandates to use a user mode helper when the kernel has to call userspace programs to handle things such as core dumps but we don't do that.