authorAnthony G. Basile <basile@opensource.dyc.edu>2011-01-22 06:44:05 -0500
committerAnthony G. Basile <basile@opensource.dyc.edu>2011-01-22 06:44:05 -0500
commit6c9f3d0558cda2eb50b130939cf30811b2e21a66 (patch)
tree2146a9c018ee4ecdb40c3ee83c10ed237739596c
parentUpdate Grsec/PaX (diff)
Change Gentoo's GRSEC settings -- remove NO_RBAC
-rw-r--r--2.6.32/4435_grsec-kconfig-gentoo.patch216
-rw-r--r--2.6.37/4435_grsec-kconfig-gentoo.patch216
2 files changed, 12 insertions, 420 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index c9fbc5f..837e411 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -1,3 +1,4 @@
+From: Anthony G. Basile <blueness@gentoo.org>
From: Gordon Malm <gengor@gentoo.org>
From: Jory A. Pratt <anarchy@gentoo.org>
From: Kerin Millar <kerframil@gmail.com>
@@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable.
The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>
---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100
-+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100
+diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig
+--- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-21 20:13:54.000000000 -0500
++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-21 20:46:38.000000000 -0500
@@ -18,7 +18,7 @@
choice
prompt "Security Level"
depends on GRKERNSEC
- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
++ default GRKERNSEC_HARDENED_WORKSTATION
config GRKERNSEC_LOW
bool "Low"
-@@ -191,6 +191,416 @@
+@@ -191,6 +191,210 @@
- Ptrace restrictions
- Restricted vm86 mode
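Review bot: The new inner headers `+--- linux-2.6.37-hardened.orig/grsecurity/Kconfig` and `++++ linux-2.6.37-hardened/grsecurity/Kconfig` name a 2.6.37 tree inside the 2.6.32 copy of this patch; `-p1` strips the first path component so it still applies, but the tree-neutral form this commit removes, `--- a/grsecurity/Kconfig` / `+++ b/grsecurity/Kconfig`, is correct for both branches and does not mislead a reader into thinking the 2.6.32 patch was generated against 2.6.37. Both copies of the patch are byte-identical (same `index c9fbc5f..837e411`), so the rewritten hunk header `@@ -191,6 +191,210 @@` was not regenerated against the 2.6.32 grsecurity/Kconfig and relies on the two trees laying out that file identically; regenerating each copy against its own tree would make that assumption explicit. Separately, `default GRKERNSEC_HARDENED_WORKSTATION` changes what a fresh hardened config builds: the removed default selected `GRKERNSEC_NO_RBAC`, and if the surviving workstation level does not (its body starts at the tail of the next hunk and continues outside this diff), the RBAC subsystem is now compiled into default kernels, which the commit message should say explicitly rather than only "remove NO_RBAC".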
@@ -132,110 +134,6 @@ Ned Ludd <solar@gentoo.org>
+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
+ impact on performance.
+
-+config GRKERNSEC_HARDENED_SERVER_NO_RBAC
-+ bool "Hardened Gentoo [server no rbac]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO if (X86)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
-+ select PAX
-+ select PAX_RANDUSTACK
-+ select PAX_ASLR
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [server] level is identical to the
-+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+ Accordingly, this is the preferred security level if the system will
-+ not be utilizing software incompatible with the aforementioned
-+ grsecurity/PaX features.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [server]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
+config GRKERNSEC_HARDENED_WORKSTATION
+ bool "Hardened Gentoo [workstation]"
+ select GRKERNSEC_LINK
@@ -337,108 +235,6 @@ Ned Ludd <solar@gentoo.org>
+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
+ impact on performance.
+
-+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
-+ bool "Hardened Gentoo [workstation no rbac]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
-+ select PAX
-+ select PAX_RANDUSTACK
-+ select PAX_ASLR
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
config GRKERNSEC_CUSTOM
bool "Custom"
help
diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch
index c9fbc5f..837e411 100644
--- a/2.6.37/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.37/4435_grsec-kconfig-gentoo.patch
@@ -1,3 +1,4 @@
+From: Anthony G. Basile <blueness@gentoo.org>
From: Gordon Malm <gengor@gentoo.org>
From: Jory A. Pratt <anarchy@gentoo.org>
From: Kerin Millar <kerframil@gmail.com>
@@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable.
The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>
---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100
-+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100
+diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig
+--- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-21 20:13:54.000000000 -0500
++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-21 20:46:38.000000000 -0500
@@ -18,7 +18,7 @@
choice
prompt "Security Level"
depends on GRKERNSEC
- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
++ default GRKERNSEC_HARDENED_WORKSTATION
config GRKERNSEC_LOW
bool "Low"
-@@ -191,6 +191,416 @@
+@@ -191,6 +191,210 @@
- Ptrace restrictions
- Restricted vm86 mode
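Review bot: The default switch from `GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC` to `GRKERNSEC_HARDENED_WORKSTATION` is a behavioural change for every fresh 2.6.37 hardened config, not just a cleanup, and neither the patch preamble nor the commit message records why RBAC should now be built in by default. The removed level explicitly did `select GRKERNSEC_NO_RBAC`; whether the level that remains the default selects it cannot be seen here, since its body begins at the end of the next hunk and continues outside this diff, so please confirm and state the intended result (RBAC compiled in, presumably inert until a policy is loaded) in the commit message. A one-line note in the patch header such as `Default level is now [workstation]; the *_NO_RBAC levels were dropped, so RBAC support is built into the default config.` would also help anyone carrying an older .config, which keeps its previous choice on oldconfig and is unaffected by the new default.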
@@ -132,110 +134,6 @@ Ned Ludd <solar@gentoo.org>
+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
+ impact on performance.
+
-+config GRKERNSEC_HARDENED_SERVER_NO_RBAC
-+ bool "Hardened Gentoo [server no rbac]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO if (X86)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
-+ select PAX
-+ select PAX_RANDUSTACK
-+ select PAX_ASLR
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [server] level is identical to the
-+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+ Accordingly, this is the preferred security level if the system will
-+ not be utilizing software incompatible with the aforementioned
-+ grsecurity/PaX features.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [server]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
+config GRKERNSEC_HARDENED_WORKSTATION
+ bool "Hardened Gentoo [workstation]"
+ select GRKERNSEC_LINK
@@ -337,108 +235,6 @@ Ned Ludd <solar@gentoo.org>
+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
+ impact on performance.
+
-+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
-+ bool "Hardened Gentoo [workstation no rbac]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
-+ select PAX
-+ select PAX_RANDUSTACK
-+ select PAX_ASLR
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
config GRKERNSEC_CUSTOM
bool "Custom"
help