author | Anthony G. Basile <basile@opensource.dyc.edu> | 2011-01-22 11:28:04 -0500 |
---|---|---|
committer | Anthony G. Basile <basile@opensource.dyc.edu> | 2011-01-22 11:28:04 -0500 |
commit | 9a0e12ac2cd6488e9e6a2fa0970034f658c53ef4 (patch) | |
tree | b7bb77b2b26d44bebf7dcd9ee52532e1bb684f06 | |
parent | Tweaked Gentoo's SERVER and WORKSTATION GRSEC options (diff) | |
download | hardened-patchset-9a0e12ac2cd6488e9e6a2fa0970034f658c53ef4.tar.gz hardened-patchset-9a0e12ac2cd6488e9e6a2fa0970034f658c53ef4.tar.bz2 hardened-patchset-9a0e12ac2cd6488e9e6a2fa0970034f658c53ef4.zip |
Updated help for Gentoo's SERVER and WORKSTATION GRSEC options
-rw-r--r-- | 2.6.32/4435_grsec-kconfig-gentoo.patch | 122 | ||||
-rw-r--r-- | 2.6.37/4435_grsec-kconfig-gentoo.patch | 122 |
2 files changed, 84 insertions, 160 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch index 1c08801..319fa4b 100644 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch @@ -17,7 +17,7 @@ Ned Ludd <solar@gentoo.org> diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig --- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-22 06:53:30.000000000 -0500 -+++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-22 10:07:08.000000000 -0500 ++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-22 11:23:17.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" @@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,216 @@ +@@ -191,6 +191,178 @@ - Ptrace restrictions - Restricted vm86 mode 
@@ -94,47 +94,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. ++ This "Hardened Gentoo [server]" level is identical to the ++ "Hardened Gentoo [workstation or virtualization host]" level, but with ++ the GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF ++ enabled. Accordingly, this is the preferred security level if the system ++ will not be utilizing software incompatible with these features, like ++ VirtualBox or kvm. + -+ This Hardened Gentoo [server] level is identical to the -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO, -+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled. -+ Accordingly, this is the preferred security level if the system will -+ not be utilizing software incompatible with the aforementioned -+ grsecurity/PaX features. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. 
Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [server]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. ++ When this level is selected, some security features will be forced on, ++ while others will default to off. The later can be turned on at the ++ user's discretion to further enhance hardening, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. + +config GRKERNSEC_HARDENED_WORKSTATION + bool "Hardened Gentoo [workstation or virtualization host]" 
@@ -199,47 +180,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [workstation] level is designed for machines -+ which are intended to run software not compatible with the -+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity. -+ Accordingly, this security level is suitable for use with the X server -+ "Xorg" and/or any system that will act as host OS to the virtualization -+ softwares vmware-server or virtualbox. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. 
++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [workstation]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. ++ This "Hardened Gentoo [workstation or virtualization host]" level ++ is identical to the "Hardened Gentoo [server]" level, but with the ++ GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF ++ disabled. Accordingly, this is the preferred security level if the ++ system will be utilizing software incompatible with these features, ++ like VirtualBox or kvm. + -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. ++ When this level is selected, some security features will be forced on, ++ while others will default to off. The later can be turned on at the ++ user's discretion to further enhance hardening, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. 
Run make menuconfig again and ++ select the "Custom" level. + config GRKERNSEC_CUSTOM bool "Custom" diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch index 1c08801..319fa4b 100644 --- a/2.6.37/4435_grsec-kconfig-gentoo.patch +++ b/2.6.37/4435_grsec-kconfig-gentoo.patch @@ -17,7 +17,7 @@ Ned Ludd <solar@gentoo.org> diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig --- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-22 06:53:30.000000000 -0500 -+++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-22 10:07:08.000000000 -0500 ++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-22 11:23:17.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" @@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,216 @@ +@@ -191,6 +191,178 @@ - Ptrace restrictions - Restricted vm86 mode 
@@ -94,47 +94,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. ++ This "Hardened Gentoo [server]" level is identical to the ++ "Hardened Gentoo [workstation or virtualization host]" level, but with ++ the GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF ++ enabled. Accordingly, this is the preferred security level if the system ++ will not be utilizing software incompatible with these features, like ++ VirtualBox or kvm. + -+ This Hardened Gentoo [server] level is identical to the -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO, -+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled. -+ Accordingly, this is the preferred security level if the system will -+ not be utilizing software incompatible with the aforementioned -+ grsecurity/PaX features. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. 
Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [server]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. ++ When this level is selected, some security features will be forced on, ++ while others will default to off. The later can be turned on at the ++ user's discretion to further enhance hardening, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. + +config GRKERNSEC_HARDENED_WORKSTATION + bool "Hardened Gentoo [workstation or virtualization host]" 
@@ -199,47 +180,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [workstation] level is designed for machines -+ which are intended to run software not compatible with the -+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity. -+ Accordingly, this security level is suitable for use with the X server -+ "Xorg" and/or any system that will act as host OS to the virtualization -+ softwares vmware-server or virtualbox. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. 
++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [workstation]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. ++ This "Hardened Gentoo [workstation or virtualization host]" level ++ is identical to the "Hardened Gentoo [server]" level, but with the ++ GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF ++ disabled. Accordingly, this is the preferred security level if the ++ system will be utilizing software incompatible with these features, ++ like VirtualBox or kvm. + -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. ++ When this level is selected, some security features will be forced on, ++ while others will default to off. The later can be turned on at the ++ user's discretion to further enhance hardening, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. 
Run make menuconfig again and ++ select the "Custom" level. + config GRKERNSEC_CUSTOM bool "Custom" |
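Review bot: The copy stored under 2.6.32/ carries an inner header of "diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig" (hunk @@ -17,7 +17,7 @@), and both files go from blob 1c08801 to 319fa4b, so the two copies are byte-identical. Either regenerate the 2.6.32 copy against its own tree or state in the patch header that one file is shared across both kernels, so that a later edit to only one copy is not mistaken for drift. The only change in this hunk is the +++ timestamp, which is regeneration noise.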
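Review bot: In the "Hardened Gentoo [server]" help (hunk @@ -94,47 +94,28 @@, same in both files), the new text says this level enables PAX_MEMORY_UDEREF, yet the paragraph warning that a 32bit x86 virtualized guest will likely need PAX_MEMORY_UDEREF disabled "to avoid an unacceptable impact on performance" is deleted. Keep a one-sentence version of that caveat next to the feature list, since this is the level where it applies. Also, "The later can be turned on" should read "The latter can be turned on".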
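Review bot: In the "Hardened Gentoo [workstation or virtualization host]" help (hunk @@ -199,47 +180,28 @@, same in both files), "disabled" is ambiguous beside the next paragraph's "forced on" versus "default to off": say whether GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF are only left unselected, so the user may still enable them, or are unavailable at this level. The old text listed PAX_NOELFRELOCS and named Xorg and vmware-server as reasons to pick this level; the new list drops those and adds GRKERNSEC_PROC_ADD and PAX_MEMORY_UDEREF, and the select lines that would confirm the new list are outside the visible context, so please check the help against them. The paxctl / PT_PAX_FLAGS paragraph is removed without a replacement pointer; a short reference would help users who hit PaX incompatibilities with binary-only software. The "later" for "latter" typo is repeated here.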