authorAnthony G. Basile <blueness@gentoo.org>2012-07-08 10:06:25 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-07-08 10:06:25 -0400
commit6945acd26a70cab18361185055af47ca9257acd4 (patch)
treebccf471a8f564f515b7f73d276b8caf58bcb59d9 /3.2.22/4455_grsec-kconfig-gentoo.patch
parentGrsec/PaX: 2.9-{2.6.32.59,3.2.21,3.4.4}-201207021921 (diff)
Grsec/PaX: 2.9-{2.6.32.59,3.2.22,3.4.4}-201207080925
Diffstat (limited to '3.2.22/4455_grsec-kconfig-gentoo.patch')
-rw-r--r--3.2.22/4455_grsec-kconfig-gentoo.patch357
1 files changed, 357 insertions, 0 deletions
diff --git a/3.2.22/4455_grsec-kconfig-gentoo.patch b/3.2.22/4455_grsec-kconfig-gentoo.patch
new file mode 100644
index 0000000..87b5454
--- /dev/null
+++ b/3.2.22/4455_grsec-kconfig-gentoo.patch
@@ -0,0 +1,357 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+From: Gordon Malm <gengor@gentoo.org>
+From: Jory A. Pratt <anarchy@gentoo.org>
+From: Kerin Millar <kerframil@gmail.com>
+
+Add Hardened Gentoo [server/workstation] predefined grsecurity
+levels. They're designed to provide a comparitively high level of
+security while remaining generally suitable for as great a majority
+of the userbase as possible (particularly new users).
+
+Make Hardened Gentoo [workstation] predefined grsecurity level the
+default. The Hardened Gentoo [server] level is more restrictive
+and conflicts with some software and thus would be less suitable.
+
+The original version of this patch was conceived and created by:
+Ned Ludd <solar@gentoo.org>
+
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
++++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
+@@ -18,7 +18,7 @@
+ choice
+ prompt "Security Level"
+ depends on GRKERNSEC
+- default GRKERNSEC_CUSTOM
++ default GRKERNSEC_HARDENED_WORKSTATION
+
+ config GRKERNSEC_LOW
+ bool "Low"
+@@ -192,6 +192,262 @@
+ - Restricted sysfs/debugfs
+ - Active kernel exploit response
+
++config GRKERNSEC_HARDENED_SERVER
++ bool "Hardened Gentoo [server]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
++ select GRKERNSEC_SETXID
++ select GRKERNSEC_VM86 if (X86_32)
++ select GRKERNSEC_IO
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_ASLR
++ select PAX_RANDKSTACK if (X86_TSC && X86)
++ select PAX_RANDUSTACK
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK if (!XEN)
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [server]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
++ security level if the system will not be utilizing software incompatible
++ with these features.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
++config GRKERNSEC_HARDENED_WORKSTATION
++ bool "Hardened Gentoo [workstation]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
++ select GRKERNSEC_SETXID
++ select GRKERNSEC_VM86 if (X86_32)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_ASLR
++ select PAX_RANDKSTACK if (X86_TSC && X86)
++ select PAX_RANDUSTACK
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK if (!XEN)
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [workstation]" level is identical to the
++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
++ security level if the system will be utilizing software incompatible
++ with these features.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++ bool "Hardened Gentoo [virtualization]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
++ select GRKERNSEC_SETXID
++ select GRKERNSEC_VM86 if (X86_32)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_ASLR
++ select PAX_RANDKSTACK if (X86_TSC && X86)
++ select PAX_RANDUSTACK
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK if (!XEN)
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [virtualization]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
++ security level if the system will be utilizing virtualization software
++ incompatible with these features, like VirtualBox or kvm.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
+ config GRKERNSEC_CUSTOM
+ bool "Custom"
+ help
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
++++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
+@@ -362,9 +362,10 @@
+
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
+ select PAX_KERNEXEC_PLUGIN if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -375,30 +376,30 @@
+
+ choice
+ prompt "Return Address Instrumentation Method"
+- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ default PAX_KERNEXEC_PLUGIN_METHOD_OR
+ depends on PAX_KERNEXEC_PLUGIN
+ help
+ Select the method used to instrument function pointer dereferences.
+ Note that binary modules cannot be instrumented by this approach.
+
+- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+- bool "bts"
+- help
+- This method is compatible with binary only modules but has
+- a higher runtime overhead.
+-
+ config PAX_KERNEXEC_PLUGIN_METHOD_OR
+ bool "or"
+ depends on !PARAVIRT
+ help
+ This method is incompatible with binary only modules but has
+ a lower runtime overhead.
++
++ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ bool "bts"
++ help
++ This method is compatible with binary only modules but has
++ a higher runtime overhead.
+ endchoice
+
+ config PAX_KERNEXEC_PLUGIN_METHOD
+ string
+- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
++ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default ""
+
+ config PAX_KERNEXEC_MODULE_TEXT
+@@ -555,8 +556,9 @@
+
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel
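Review bot: The help text for "Hardened Gentoo [virtualization]" says PAX_KERNEXEC and PAX_MEMORY_UDEREF are "defaulting to off", but the security/Kconfig part of this patch adds `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` to the `depends on` line of both options, so under that level they are not offered at all and cannot be re-enabled without switching to "Custom". The help should state that plainly, for example `"Hardened Gentoo [workstation]" level, but with PAX_KERNEXEC and PAX_MEMORY_UDEREF disabled and not selectable.` The server help has a similar gap: it names only GRKERNSEC_IO and GRKERNSEC_PROC_ADD as the differences from workstation, while the server list also carries `select GRKERNSEC_SYSFS_RESTRICT`, which the workstation list lacks. The added `default y if GRKERNSEC_HARDENED_WORKSTATION` lines look redundant next to the workstation level's own `select PAX_KERNEXEC` and `select PAX_MEMORY_UDEREF`; either drop them or add a comment saying why both are needed.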