Updated PaX config for WORKSTATION and VIRTUALIZATION

Unforced default y KERNEXEC and UDEREF for WORKSTATION Force KERNEXEC and UDEREF off for VIRTUALIZATION
author: Anthony G. Basile <blueness@gentoo.org> 2011-02-21 12:07:11 -0500
committer: Anthony G. Basile <blueness@gentoo.org> 2011-02-21 12:07:11 -0500
commit: 000dbd34d0c3725fcf3d9a752bb4ba12828b964e (patch)
tree: 4c594052b0aa57efa312901b09753113c5bf79e6
parent: Update Grsec/PaX (diff)
download: hardened-patchset-000dbd34d0c3725fcf3d9a752bb4ba12828b964e.tar.gz
hardened-patchset-000dbd34d0c3725fcf3d9a752bb4ba12828b964e.tar.bz2
hardened-patchset-000dbd34d0c3725fcf3d9a752bb4ba12828b964e.zip
2 files changed, 54 insertions, 4 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index 87984fb..d67ab0d 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 
 diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
---- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig	2011-02-02 09:18:14.000000000 -0500
-+++ linux-2.6.37-hardened-r2/grsecurity/Kconfig	2011-02-02 09:43:28.000000000 -0500
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig	2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig	2011-02-21 11:48:08.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -289,3 +289,28 @@ diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardene
  config GRKERNSEC_CUSTOM
  	bool "Custom"
  	help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig	2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig	2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+ 
+ config PAX_KERNEXEC
+ 	bool "Enforce non-executable kernel pages"
+-	depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++	depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ 	select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++	default y if GRKERNSEC_HARDENED_WORKSTATION
+ 	help
+ 	  This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ 	  that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+ 
+ config PAX_MEMORY_UDEREF
+ 	bool "Prevent invalid userland pointer dereference"
+-	depends on X86 && !UML_X86 && !XEN
++	depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ 	select PAX_PER_CPU_PGD if X86_64
++	default y if GRKERNSEC_HARDENED_WORKSTATION
+ 	help
+ 	  By saying Y here the kernel will be prevented from dereferencing
+ 	  userland pointers in contexts where the kernel expects only kernel
diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch
index 87984fb..d67ab0d 100644
--- a/2.6.37/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.37/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 
 diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
---- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig	2011-02-02 09:18:14.000000000 -0500
-+++ linux-2.6.37-hardened-r2/grsecurity/Kconfig	2011-02-02 09:43:28.000000000 -0500
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig	2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig	2011-02-21 11:48:08.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -289,3 +289,28 @@ diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardene
  config GRKERNSEC_CUSTOM
  	bool "Custom"
  	help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig	2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig	2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+ 
+ config PAX_KERNEXEC
+ 	bool "Enforce non-executable kernel pages"
+-	depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++	depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ 	select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++	default y if GRKERNSEC_HARDENED_WORKSTATION
+ 	help
+ 	  This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ 	  that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+ 
+ config PAX_MEMORY_UDEREF
+ 	bool "Prevent invalid userland pointer dereference"
+-	depends on X86 && !UML_X86 && !XEN
++	depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ 	select PAX_PER_CPU_PGD if X86_64
++	default y if GRKERNSEC_HARDENED_WORKSTATION
+ 	help
+ 	  By saying Y here the kernel will be prevented from dereferencing
+ 	  userland pointers in contexts where the kernel expects only kernel
author	Anthony G. Basile <blueness@gentoo.org>	2011-02-21 12:07:11 -0500
committer	Anthony G. Basile <blueness@gentoo.org>	2011-02-21 12:07:11 -0500
commit	000dbd34d0c3725fcf3d9a752bb4ba12828b964e (patch)
tree	4c594052b0aa57efa312901b09753113c5bf79e6
parent	Update Grsec/PaX (diff)
download	hardened-patchset-000dbd34d0c3725fcf3d9a752bb4ba12828b964e.tar.gz hardened-patchset-000dbd34d0c3725fcf3d9a752bb4ba12828b964e.tar.bz2 hardened-patchset-000dbd34d0c3725fcf3d9a752bb4ba12828b964e.zip