authorAnthony G. Basile <blueness@gentoo.org>2011-02-25 21:25:45 -0500
committerAnthony G. Basile <blueness@gentoo.org>2011-02-25 21:25:45 -0500
commit061c8e2e1fcf85d12bf4cd661d9e8302580511fc (patch)
tree2ab05a270dfff29f74176ca1da79f9cb1499f57a
parentUpdate Grsec/PaX (diff)
parentUpdate Grsec/PaX (diff)
downloadhardened-patchset-061c8e2e1fcf85d12bf4cd661d9e8302580511fc.tar.gz
hardened-patchset-061c8e2e1fcf85d12bf4cd661d9e8302580511fc.tar.bz2
hardened-patchset-061c8e2e1fcf85d12bf4cd661d9e8302580511fc.zip
Merge branch 'experimental'
-rw-r--r--2.6.32/4435_grsec-kconfig-gentoo.patch348
-rw-r--r--2.6.32/4440_selinux-avc_audit-log-curr_ip.patch2
-rw-r--r--2.6.37/4435_grsec-kconfig-gentoo.patch348
-rw-r--r--2.6.37/4440_selinux-avc_audit-log-curr_ip.patch2
4 files changed, 222 insertions, 478 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index c9fbc5f..d67ab0d 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -1,3 +1,4 @@
+From: Anthony G. Basile <blueness@gentoo.org>
From: Gordon Malm <gengor@gentoo.org>
From: Jory A. Pratt <anarchy@gentoo.org>
From: Kerin Millar <kerframil@gmail.com>
@@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable.
The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>
---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100
-+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100
+diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500
@@ -18,7 +18,7 @@
choice
prompt "Security Level"
depends on GRKERNSEC
- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
++ default GRKERNSEC_HARDENED_WORKSTATION
config GRKERNSEC_LOW
bool "Low"
-@@ -191,6 +191,416 @@
+@@ -191,6 +191,261 @@
- Ptrace restrictions
- Restricted vm86 mode
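Review bot: The rewritten inner-patch header (`+diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig …`) puts a patch regenerated against linux-2.6.37-hardened-r2 into the 2.6.32 patchset, and the file headers show the 2.6.32 and 2.6.37 copies are the same blob (both `index c9fbc5f..d67ab0d`). Whether the symbols the later hunks newly `select` (GRKERNSEC_HARDEN_PTRACE, GRKERNSEC_RWXMAP_LOG) and the security/Kconfig contexts at lines 324 and 461 exist at the same place in the 2.6.32 grsecurity tree cannot be told from here; as far as I know Kconfig does not hard-fail on a `select` of a symbol the tree never defines, so a mismatch would leave that hardening silently absent rather than break the build. I'd add a line above the `From:` headers recording which hardened tree the patch was regenerated against and that it is meant to apply to both series, or regenerate the 2.6.32 copy against its own tree. The same applies to the identical 2.6.37 section, from its `@@ -14,18 +15,19 @@` hunk onward.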
@@ -63,9 +65,11 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
@@ -77,8 +81,8 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
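Review bot: The new `select PAX_MEMORY_UDEREF if (X86 && !XEN)` for the server level does not mirror the option's own `depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION` that this same commit writes into security/Kconfig at the end of the section, so a UML_X86 build choosing the server level would force UDEREF on with an unmet direct dependency. The KERNEXEC select just above does mirror its depends (PPC/X86, the WP_WORKS_OK term, !XEN), so the omission looks like an oversight rather than intent; the VIRTUALIZATION term can be left out since both levels sit in the same `choice`. Use `select PAX_MEMORY_UDEREF if (X86 && !UML_X86 && !XEN)`. The server `config` entry starts and ends outside this hunk, and the same line recurs in the 2.6.37 section's `@@ -77,8 +81,8 @@` hunk.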
@@ -87,154 +91,30 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
++ This "Hardened Gentoo [server]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
++ security level if the system will not be utilizing software incompatible
++ with these features.
+
-+ This Hardened Gentoo [server] level is identical to the
-+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+ Accordingly, this is the preferred security level if the system will
-+ not be utilizing software incompatible with the aforementioned
-+ grsecurity/PaX features.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [server]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
-+config GRKERNSEC_HARDENED_SERVER_NO_RBAC
-+ bool "Hardened Gentoo [server no rbac]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO if (X86)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
-+ select PAX
-+ select PAX_RANDUSTACK
-+ select PAX_ASLR
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [server] level is identical to the
-+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+ Accordingly, this is the preferred security level if the system will
-+ not be utilizing software incompatible with the aforementioned
-+ grsecurity/PaX features.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [server]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
+config GRKERNSEC_HARDENED_WORKSTATION
+ bool "Hardened Gentoo [workstation]"
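Review bot: The rewritten server help text says this level differs from [workstation] only by GRKERNSEC_IO and GRKERNSEC_PROC_ADD, but the server block above still hard-`select`s PAX_KERNEXEC and PAX_MEMORY_UDEREF while the workstation block in the following hunks comments those selects out and relies on `default y if GRKERNSEC_HARDENED_WORKSTATION` in security/Kconfig, so under [workstation] they can be switched off and under [server] they cannot. That is a security-relevant difference a user reading the help will not see; I'd extend the sentence to `but with GRKERNSEC_IO and GRKERNSEC_PROC_ADD enabled and PAX_KERNEXEC/PAX_MEMORY_UDEREF forced on rather than merely defaulting to on.` Also `The later can be tweaked` should read `The latter`; the paragraph is repeated verbatim in the workstation and virtualization help and in the 2.6.37 copy. Dropping the two NO_RBAC levels presumably means an existing .config carrying GRKERNSEC_HARDENED_SERVER_NO_RBAC=y falls back to the choice default on oldconfig, which now also brings PAX_HAVE_ACL_FLAGS in place of PAX_NO_ACL_FLAGS; that migration is worth a line in the patch description.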
@@ -265,12 +145,16 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
+ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
@@ -282,8 +166,8 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
@@ -292,53 +176,33 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
++ This "Hardened Gentoo [workstation]" level is identical to the
++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
++ security level if the system will be utilizing software incompatible
++ with these features.
+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
-+ bool "Hardened Gentoo [workstation no rbac]"
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++ bool "Hardened Gentoo [virtualization]"
+ select GRKERNSEC_LINK
+ select GRKERNSEC_FIFO
+ select GRKERNSEC_EXECVE
@@ -366,15 +230,18 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
+ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
@@ -383,9 +250,9 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ select PAX_HAVE_ACL_FLAGS
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
@@ -394,51 +261,56 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
++ This "Hardened Gentoo [virtualization]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
++ security level if the system will be utilizing virtualization software
++ incompatible with these features, like VirtualBox or kvm.
+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
config GRKERNSEC_CUSTOM
bool "Custom"
help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel
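Review bot: The virtualization help text says PAX_KERNEXEC and PAX_MEMORY_UDEREF are `defaulting to off`, but the security/Kconfig change in the same hunk appends `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` to both options' `depends on`, which makes them unavailable under this level rather than off-by-default. One of the two should change: either describe them as disabled (`but with PAX_KERNEXEC and PAX_MEMORY_UDEREF unavailable`), or drop the new depends term and let the absence of a `default y` do the work so a user on a hypervisor that tolerates them can still opt in. The two `default y if GRKERNSEC_HARDENED_WORKSTATION` lines are fine as written, since a default is only applied when the option's dependencies are met. The 2.6.37 section presumably repeats this hunk past the visible end of the page.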
diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
index 0049a17..5592c67 100644
--- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
@@ -27,7 +27,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
--- a/grsecurity/Kconfig
+++ b/grsecurity/Kconfig
-@@ -1385,6 +1385,27 @@
+@@ -1230,6 +1230,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch
index c9fbc5f..d67ab0d 100644
--- a/2.6.37/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.37/4435_grsec-kconfig-gentoo.patch
@@ -1,3 +1,4 @@
+From: Anthony G. Basile <blueness@gentoo.org>
From: Gordon Malm <gengor@gentoo.org>
From: Jory A. Pratt <anarchy@gentoo.org>
From: Kerin Millar <kerframil@gmail.com>
@@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable.
The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>
---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100
-+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100
+diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500
@@ -18,7 +18,7 @@
choice
prompt "Security Level"
depends on GRKERNSEC
- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
++ default GRKERNSEC_HARDENED_WORKSTATION
config GRKERNSEC_LOW
bool "Low"
-@@ -191,6 +191,416 @@
+@@ -191,6 +191,261 @@
- Ptrace restrictions
- Restricted vm86 mode
@@ -63,9 +65,11 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
@@ -77,8 +81,8 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
@@ -87,154 +91,30 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
++ This "Hardened Gentoo [server]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
++ security level if the system will not be utilizing software incompatible
++ with these features.
+
-+ This Hardened Gentoo [server] level is identical to the
-+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+ Accordingly, this is the preferred security level if the system will
-+ not be utilizing software incompatible with the aforementioned
-+ grsecurity/PaX features.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [server]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
-+config GRKERNSEC_HARDENED_SERVER_NO_RBAC
-+ bool "Hardened Gentoo [server no rbac]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO if (X86)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
-+ select PAX
-+ select PAX_RANDUSTACK
-+ select PAX_ASLR
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [server] level is identical to the
-+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+ Accordingly, this is the preferred security level if the system will
-+ not be utilizing software incompatible with the aforementioned
-+ grsecurity/PaX features.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [server]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
+config GRKERNSEC_HARDENED_WORKSTATION
+ bool "Hardened Gentoo [workstation]"
@@ -265,12 +145,16 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
+ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
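Review bot: The two commented-out lines `# select GRKERNSEC_PROC_ADD` and `# select GRKERNSEC_IO if (X86)` only stop forcing those options; the symbols stay selectable at their own defaults, so "disabled" (the word the level's help text uses for them later in this file) overstates what the level does. Nothing in the hunk records why they are no longer forced, which the next reader of a commented-out `select` will want to know. Consider replacing the dead lines with a comment such as `# GRKERNSEC_IO / GRKERNSEC_PROC_ADD are deliberately not forced at this level (incompatible with some software, see help)`. The same pair of commented selects recurs in the virtualization level (hunk `@@ -366,15 +230,18 @@`). The enclosing config block starts before this hunk.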
@@ -282,8 +166,8 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
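Review bot: The workstation level no longer forces PAX_MEMORY_UDEREF: `select PAX_MEMORY_UDEREF if (X86_32)` becomes a commented-out line, and the protection now rests on the `default y if GRKERNSEC_HARDENED_WORKSTATION` added to security/Kconfig in the last hunk. A Kconfig `default` only applies to a symbol that has no value yet, so an existing .config carrying PAX_MEMORY_UDEREF=n will presumably keep it off after this change with no prompt; that is worth a sentence in the patch description. The commented condition `(X86 && !XEN)` also already differs from the symbol's real `depends on` in security/Kconfig (which adds `!UML_X86`), so the dead line is bound to drift; replace both commented selects with one comment, e.g. `# PAX_KERNEXEC and PAX_MEMORY_UDEREF are defaulted on (not forced) in security/Kconfig so they stay user-tunable`. The same change appears in the virtualization level (hunk `@@ -383,9 +250,9 @@`).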
@@ -292,53 +176,33 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
++ This "Hardened Gentoo [workstation]" level is identical to the
++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
++ security level if the system will be utilizing software incompatible
++ with these features.
+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
-+ bool "Hardened Gentoo [workstation no rbac]"
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++ bool "Hardened Gentoo [virtualization]"
+ select GRKERNSEC_LINK
+ select GRKERNSEC_FIFO
+ select GRKERNSEC_EXECVE
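Review bot: The new help text has a typo in "The later can be tweaked at the user's discretion" — it should read `latter`; the same sentence is repeated in the virtualization level's help in hunk `@@ -394,51 +261,56 @@` and in the hunk above this one. In the same help block, "but with GRKERNSEC_IO and GRKERNSEC_PROC_ADD disabled" does not match the Kconfig: those two are merely no longer `select`ed, so they remain available and take their own defaults; `but with GRKERNSEC_IO and GRKERNSEC_PROC_ADD no longer forced on` would be accurate. Since the old paxctl paragraph was dropped, users of this level now get no pointer to per-binary PaX flag tooling; if that is intentional, a short sentence referring them to the PaX documentation would replace it cheaply.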
@@ -366,15 +230,18 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
+ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
@@ -383,9 +250,9 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ select PAX_HAVE_ACL_FLAGS
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
@@ -394,51 +261,56 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
++ This "Hardened Gentoo [virtualization]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
++ security level if the system will be utilizing virtualization software
++ incompatible with these features, like VirtualBox or kvm.
+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
config GRKERNSEC_CUSTOM
bool "Custom"
help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel
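Review bot: The virtualization level's help says PAX_KERNEXEC and PAX_MEMORY_UDEREF are "defaulting to off", but the security/Kconfig part of this hunk adds `!GRKERNSEC_HARDENED_VIRTUALIZATION` to both symbols' `depends on`, which makes them unselectable at that level rather than off by default; the help and the Kconfig should agree. Either drop the `depends on` additions and rely on the absence of a `default y` for that level, or change the help to `"Hardened Gentoo [workstation]" level, but with PAX_KERNEXEC and` / `PAX_MEMORY_UDEREF unavailable. Accordingly, this is the preferred`. Note also that the new `depends on` makes a user-visible choice symbol gate a core PaX feature, so anyone switching from this level back to workstation in an existing .config will presumably see the symbols reappear as new prompts; a line in the patch description would help. The "The later can be tweaked" typo from the earlier hunks is repeated here as well.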
diff --git a/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch
index e8b9c36..c7c942f 100644
--- a/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch
@@ -27,7 +27,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
--- a/grsecurity/Kconfig
+++ b/grsecurity/Kconfig
-@@ -1385,6 +1385,27 @@
+@@ -1230,6 +1230,27 @@
menu "Logging Options"
depends on GRKERNSEC