Updated help for Gentoo's SERVER and WORKSTATION GRSEC options

2 files changed, 84 insertions, 160 deletions

diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index 1c08801..319fa4b 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -17,7 +17,7 @@ Ned Ludd <solar@gentoo.org>
 
 diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig
 --- linux-2.6.37-hardened.orig/grsecurity/Kconfig	2011-01-22 06:53:30.000000000 -0500
-+++ linux-2.6.37-hardened/grsecurity/Kconfig	2011-01-22 10:07:08.000000000 -0500
++++ linux-2.6.37-hardened/grsecurity/Kconfig	2011-01-22 11:23:17.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -191,6 +191,216 @@
+@@ -191,6 +191,178 @@
  	  - Ptrace restrictions
  	  - Restricted vm86 mode
  
@@ -94,47 +94,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
 +	help
-+	  If you say Y here, a configuration will be used that is endorsed by
-+	  the Hardened Gentoo project.  Therefore, many of the protections
-+	  made available by grsecurity and PaX will be enabled.
++	  If you say Y here, a configuration for grsecurity/PaX features
++	  will be used that is endorsed by the Hardened Gentoo project.
++	  These pre-defined security levels are designed to provide a high
++	  level of security while minimizing incompatibilities with a majority
++	  of Gentoo's available software.
 +
-+	  Hardened Gentoo's pre-defined security levels are designed to provide
-+	  a high level of security while minimizing incompatibilities with the
-+	  majority of available software.  For further information, please
-+	  view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+	  well as the Hardened Gentoo Primer at
-+	  <http://www.gentoo.org/proj/en/hardened/primer.xml>.
++	  This "Hardened Gentoo [server]" level is identical to the
++	  "Hardened Gentoo [workstation or virtualization host]" level, but with
++	  the GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
++	  enabled.  Accordingly, this is the preferred security level if the system
++	  will not be utilizing software incompatible with these features, like
++	  VirtualBox or kvm.
 +
-+	  This Hardened Gentoo [server] level is identical to the
-+	  Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+	  PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+	  Accordingly, this is the preferred security level if the system will
-+	  not be utilizing software incompatible with the aforementioned
-+	  grsecurity/PaX features.
-+
-+	  You may wish to emerge paxctl, a utility which allows you to toggle
-+	  PaX features on problematic binaries on an individual basis. Note that
-+	  this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+	  Translated, this means that if you wish to toggle PaX features on
-+	  binaries provided by applications that are distributed only in binary
-+	  format (rather than being built locally from sources), you will need to
-+	  run paxctl -C on the binaries beforehand so as to inject the missing
-+	  headers.
-+
-+	  When this level is selected, some options cannot be changed. However,
-+	  you may opt to fully customize the options that are selected by
-+	  choosing "Custom" in the Security Level menu. You may find it helpful
-+	  to inherit the options selected by the "Hardened Gentoo [server]"
-+	  security level as a starting point for further configuration. To
-+	  accomplish this, select this security level then exit the menuconfig
-+	  interface, saving changes when prompted. Then, run make menuconfig
-+	  again and select the "Custom" level.
-+
-+	  Note that this security level probably should not be used if the
-+	  target system is a 32bit x86 virtualized guest.  If you intend to run
-+	  the kernel in a 32bit x86 virtualized guest you will likely need to
-+	  disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+	  impact on performance.
++	  When this level is selected, some security features will be forced on,
++	  while others will default to off.  The later can be turned on at the
++	  user's discretion to further enhance hardening, but may cause problems
++	  in some situations.  You can fully customize all grsecurity/PaX features
++	  by choosing "Custom" in the Security Level menu.  It may be helpful to
++	  inherit the options selected by this security level as a starting point.
++	  To accomplish this, select this security level, then exit the menuconfig
++	  interface, saving changes when prompted.  Run make menuconfig again and
++	  select the "Custom" level.
 +
 +config GRKERNSEC_HARDENED_WORKSTATION
 +	bool "Hardened Gentoo [workstation or virtualization host]"
@@ -199,47 +180,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
 +	help
-+	  If you say Y here, a configuration will be used that is endorsed by
-+	  the Hardened Gentoo project.  Therefore, many of the protections
-+	  made available by grsecurity and PaX will be enabled.
-+
-+	  Hardened Gentoo's pre-defined security levels are designed to provide
-+	  a high level of security while minimizing incompatibilities with the
-+	  majority of available software.  For further information, please
-+	  view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+	  well as the Hardened Gentoo Primer at
-+	  <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+	  This Hardened Gentoo [workstation] level is designed for machines
-+	  which are intended to run software not compatible with the
-+	  GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+	  Accordingly, this security level is suitable for use with the X server
-+	  "Xorg" and/or any system that will act as host OS to the virtualization
-+	  softwares vmware-server or virtualbox.
-+
-+	  You may wish to emerge paxctl, a utility which allows you to toggle
-+	  PaX features on problematic binaries on an individual basis. Note that
-+	  this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+	  Translated, this means that if you wish to toggle PaX features on
-+	  binaries provided by applications that are distributed only in binary
-+	  format (rather than being built locally from sources), you will need to
-+	  run paxctl -C on the binaries beforehand so as to inject the missing
-+	  headers.
++	  If you say Y here, a configuration for grsecurity/PaX features
++	  will be used that is endorsed by the Hardened Gentoo project.
++	  These pre-defined security levels are designed to provide a high
++	  level of security while minimizing incompatibilities with a majority
++	  of Gentoo's available software.
 +
-+	  When this level is selected, some options cannot be changed. However,
-+	  you may opt to fully customize the options that are selected by
-+	  choosing "Custom" in the Security Level menu. You may find it helpful
-+	  to inherit the options selected by the "Hardened Gentoo [workstation]"
-+	  security level as a starting point for further configuration. To
-+	  accomplish this, select this security level then exit the menuconfig
-+	  interface, saving changes when prompted. Then, run make menuconfig
-+	  again and select the "Custom" level.
++	  This "Hardened Gentoo [workstation or virtualization host]" level
++	  is identical to the "Hardened Gentoo [server]" level, but with the
++	  GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
++	  disabled.  Accordingly, this is the preferred security level if the
++	  system will be utilizing software incompatible with these features,
++	  like VirtualBox or kvm.
 +
-+	  Note that this security level probably should not be used if the
-+	  target system is a 32bit x86 virtualized guest.  If you intend to run
-+	  the kernel in a 32bit x86 virtualized guest you will likely need to
-+	  disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+	  impact on performance.
++	  When this level is selected, some security features will be forced on,
++	  while others will default to off.  The later can be turned on at the
++	  user's discretion to further enhance hardening, but may cause problems
++	  in some situations.  You can fully customize all grsecurity/PaX features
++	  by choosing "Custom" in the Security Level menu.  It may be helpful to
++	  inherit the options selected by this security level as a starting point.
++	  To accomplish this, select this security level, then exit the menuconfig
++	  interface, saving changes when prompted.  Run make menuconfig again and
++	  select the "Custom" level.
 +
  config GRKERNSEC_CUSTOM
  	bool "Custom"
diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch
index 1c08801..319fa4b 100644
--- a/2.6.37/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.37/4435_grsec-kconfig-gentoo.patch
@@ -17,7 +17,7 @@ Ned Ludd <solar@gentoo.org>
 
 diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig
 --- linux-2.6.37-hardened.orig/grsecurity/Kconfig	2011-01-22 06:53:30.000000000 -0500
-+++ linux-2.6.37-hardened/grsecurity/Kconfig	2011-01-22 10:07:08.000000000 -0500
++++ linux-2.6.37-hardened/grsecurity/Kconfig	2011-01-22 11:23:17.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -191,6 +191,216 @@
+@@ -191,6 +191,178 @@
  	  - Ptrace restrictions
  	  - Restricted vm86 mode
  
@@ -94,47 +94,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
 +	help
-+	  If you say Y here, a configuration will be used that is endorsed by
-+	  the Hardened Gentoo project.  Therefore, many of the protections
-+	  made available by grsecurity and PaX will be enabled.
++	  If you say Y here, a configuration for grsecurity/PaX features
++	  will be used that is endorsed by the Hardened Gentoo project.
++	  These pre-defined security levels are designed to provide a high
++	  level of security while minimizing incompatibilities with a majority
++	  of Gentoo's available software.
 +
-+	  Hardened Gentoo's pre-defined security levels are designed to provide
-+	  a high level of security while minimizing incompatibilities with the
-+	  majority of available software.  For further information, please
-+	  view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+	  well as the Hardened Gentoo Primer at
-+	  <http://www.gentoo.org/proj/en/hardened/primer.xml>.
++	  This "Hardened Gentoo [server]" level is identical to the
++	  "Hardened Gentoo [workstation or virtualization host]" level, but with
++	  the GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
++	  enabled.  Accordingly, this is the preferred security level if the system
++	  will not be utilizing software incompatible with these features, like
++	  VirtualBox or kvm.
 +
-+	  This Hardened Gentoo [server] level is identical to the
-+	  Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+	  PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+	  Accordingly, this is the preferred security level if the system will
-+	  not be utilizing software incompatible with the aforementioned
-+	  grsecurity/PaX features.
-+
-+	  You may wish to emerge paxctl, a utility which allows you to toggle
-+	  PaX features on problematic binaries on an individual basis. Note that
-+	  this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+	  Translated, this means that if you wish to toggle PaX features on
-+	  binaries provided by applications that are distributed only in binary
-+	  format (rather than being built locally from sources), you will need to
-+	  run paxctl -C on the binaries beforehand so as to inject the missing
-+	  headers.
-+
-+	  When this level is selected, some options cannot be changed. However,
-+	  you may opt to fully customize the options that are selected by
-+	  choosing "Custom" in the Security Level menu. You may find it helpful
-+	  to inherit the options selected by the "Hardened Gentoo [server]"
-+	  security level as a starting point for further configuration. To
-+	  accomplish this, select this security level then exit the menuconfig
-+	  interface, saving changes when prompted. Then, run make menuconfig
-+	  again and select the "Custom" level.
-+
-+	  Note that this security level probably should not be used if the
-+	  target system is a 32bit x86 virtualized guest.  If you intend to run
-+	  the kernel in a 32bit x86 virtualized guest you will likely need to
-+	  disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+	  impact on performance.
++	  When this level is selected, some security features will be forced on,
++	  while others will default to off.  The later can be turned on at the
++	  user's discretion to further enhance hardening, but may cause problems
++	  in some situations.  You can fully customize all grsecurity/PaX features
++	  by choosing "Custom" in the Security Level menu.  It may be helpful to
++	  inherit the options selected by this security level as a starting point.
++	  To accomplish this, select this security level, then exit the menuconfig
++	  interface, saving changes when prompted.  Run make menuconfig again and
++	  select the "Custom" level.
 +
 +config GRKERNSEC_HARDENED_WORKSTATION
 +	bool "Hardened Gentoo [workstation or virtualization host]"
@@ -199,47 +180,28 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
 +	help
-+	  If you say Y here, a configuration will be used that is endorsed by
-+	  the Hardened Gentoo project.  Therefore, many of the protections
-+	  made available by grsecurity and PaX will be enabled.
-+
-+	  Hardened Gentoo's pre-defined security levels are designed to provide
-+	  a high level of security while minimizing incompatibilities with the
-+	  majority of available software.  For further information, please
-+	  view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+	  well as the Hardened Gentoo Primer at
-+	  <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+	  This Hardened Gentoo [workstation] level is designed for machines
-+	  which are intended to run software not compatible with the
-+	  GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+	  Accordingly, this security level is suitable for use with the X server
-+	  "Xorg" and/or any system that will act as host OS to the virtualization
-+	  softwares vmware-server or virtualbox.
-+
-+	  You may wish to emerge paxctl, a utility which allows you to toggle
-+	  PaX features on problematic binaries on an individual basis. Note that
-+	  this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+	  Translated, this means that if you wish to toggle PaX features on
-+	  binaries provided by applications that are distributed only in binary
-+	  format (rather than being built locally from sources), you will need to
-+	  run paxctl -C on the binaries beforehand so as to inject the missing
-+	  headers.
++	  If you say Y here, a configuration for grsecurity/PaX features
++	  will be used that is endorsed by the Hardened Gentoo project.
++	  These pre-defined security levels are designed to provide a high
++	  level of security while minimizing incompatibilities with a majority
++	  of Gentoo's available software.
 +
-+	  When this level is selected, some options cannot be changed. However,
-+	  you may opt to fully customize the options that are selected by
-+	  choosing "Custom" in the Security Level menu. You may find it helpful
-+	  to inherit the options selected by the "Hardened Gentoo [workstation]"
-+	  security level as a starting point for further configuration. To
-+	  accomplish this, select this security level then exit the menuconfig
-+	  interface, saving changes when prompted. Then, run make menuconfig
-+	  again and select the "Custom" level.
++	  This "Hardened Gentoo [workstation or virtualization host]" level
++	  is identical to the "Hardened Gentoo [server]" level, but with the
++	  GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
++	  disabled.  Accordingly, this is the preferred security level if the
++	  system will be utilizing software incompatible with these features,
++	  like VirtualBox or kvm.
 +
-+	  Note that this security level probably should not be used if the
-+	  target system is a 32bit x86 virtualized guest.  If you intend to run
-+	  the kernel in a 32bit x86 virtualized guest you will likely need to
-+	  disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+	  impact on performance.
++	  When this level is selected, some security features will be forced on,
++	  while others will default to off.  The later can be turned on at the
++	  user's discretion to further enhance hardening, but may cause problems
++	  in some situations.  You can fully customize all grsecurity/PaX features
++	  by choosing "Custom" in the Security Level menu.  It may be helpful to
++	  inherit the options selected by this security level as a starting point.
++	  To accomplish this, select this security level, then exit the menuconfig
++	  interface, saving changes when prompted.  Run make menuconfig again and
++	  select the "Custom" level.
 +
  config GRKERNSEC_CUSTOM
  	bool "Custom"