author | Anthony G. Basile <blueness@gentoo.org> | 2011-02-21 12:07:11 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-02-21 12:07:11 -0500 |
commit | 000dbd34d0c3725fcf3d9a752bb4ba12828b964e (patch) | |
tree | 4c594052b0aa57efa312901b09753113c5bf79e6 | |
parent | Update Grsec/PaX (diff) | |
Updated PaX config for WORKSTATION and VIRTUALIZATION
Default y (not forced) for KERNEXEC and UDEREF under WORKSTATION
Force KERNEXEC and UDEREF off for VIRTUALIZATION
-rw-r--r-- | 2.6.32/4435_grsec-kconfig-gentoo.patch | 29 | ||||
-rw-r--r-- | 2.6.37/4435_grsec-kconfig-gentoo.patch | 29 |
2 files changed, 54 insertions, 4 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index 87984fb..d67ab0d 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
---- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-02 09:18:14.000000000 -0500
-+++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-02 09:43:28.000000000 -0500
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500
 @@ -18,7 +18,7 @@
 choice
 prompt "Security Level"
@@ -289,3 +289,28 @@ diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardene
 config GRKERNSEC_CUSTOM
 bool "Custom"
 help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+ 
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+ 
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel
diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch
index 87984fb..d67ab0d 100644
--- a/2.6.37/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.37/4435_grsec-kconfig-gentoo.patch
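Review bot: Adding `!GRKERNSEC_HARDENED_VIRTUALIZATION` to the `depends on` lines of PAX_KERNEXEC and PAX_MEMORY_UDEREF removes both prompts entirely under the Virtualization level instead of merely defaulting them to n, so a hardened virtualization host that does tolerate KERNEXEC or UDEREF cannot opt back in without switching to the Custom level; if that loss of choice is intended, the help text should record it, e.g. appending `Not available when the Virtualization security level is selected.` to each of the two help blocks. The same change appears in the 2.6.37 copy of this hunk further down. Separately, this copy lives under 2.6.32 yet its inner headers name linux-2.6.37-hardened-r2 and the inner offsets `@@ -324,8 +324,9 @@` and `@@ -461,8 +462,9 @@` look to be taken from the 2.6.37 security/Kconfig, and the identical `index 87984fb..d67ab0d` on both files shows the two copies are byte-for-byte the same; whether those offsets still land on the right config blocks in the 2.6.32 tree is worth confirming rather than relying on patch fuzz.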
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
---- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-02 09:18:14.000000000 -0500
-+++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-02 09:43:28.000000000 -0500
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500
 @@ -18,7 +18,7 @@
 choice
 prompt "Security Level"
@@ -289,3 +289,28 @@ diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardene
 config GRKERNSEC_CUSTOM
 bool "Custom"
 help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+ 
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+ 
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel