Separated Workastation and Virtualization predefined security levels

2 files changed, 206 insertions, 40 deletions

diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index 319fa4b..87984fb 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -15,9 +15,9 @@ and conflicts with some software and thus would be less suitable.
 The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 
-diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig
---- linux-2.6.37-hardened.orig/grsecurity/Kconfig	2011-01-22 06:53:30.000000000 -0500
-+++ linux-2.6.37-hardened/grsecurity/Kconfig	2011-01-22 11:23:17.000000000 -0500
+diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig	2011-02-02 09:18:14.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig	2011-02-02 09:43:28.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -191,6 +191,178 @@
+@@ -191,6 +191,261 @@
  	  - Ptrace restrictions
  	  - Restricted vm86 mode
  
@@ -101,15 +101,14 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	  of Gentoo's available software.
 +
 +	  This "Hardened Gentoo [server]" level is identical to the
-+	  "Hardened Gentoo [workstation or virtualization host]" level, but with
-+	  the GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
-+	  enabled.  Accordingly, this is the preferred security level if the system
-+	  will not be utilizing software incompatible with these features, like
-+	  VirtualBox or kvm.
++	  "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++	  and GRKERNSEC_PROC_ADD enabled.  Accordingly, this is the preferred
++	  security level if the system will not be utilizing software incompatible
++	  with these features.
 +
 +	  When this level is selected, some security features will be forced on,
-+	  while others will default to off.  The later can be turned on at the
-+	  user's discretion to further enhance hardening, but may cause problems
++	  while others will default to their suggested values of off or on.  The
++	  later can be tweaked at the user's discretion, but may cause problems
 +	  in some situations.  You can fully customize all grsecurity/PaX features
 +	  by choosing "Custom" in the Security Level menu.  It may be helpful to
 +	  inherit the options selected by this security level as a starting point.
@@ -118,7 +117,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	  select the "Custom" level.
 +
 +config GRKERNSEC_HARDENED_WORKSTATION
-+	bool "Hardened Gentoo [workstation or virtualization host]"
++	bool "Hardened Gentoo [workstation]"
 +	select GRKERNSEC_LINK
 +	select GRKERNSEC_FIFO
 +	select GRKERNSEC_EXECVE
@@ -186,16 +185,100 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	  level of security while minimizing incompatibilities with a majority
 +	  of Gentoo's available software.
 +
-+	  This "Hardened Gentoo [workstation or virtualization host]" level
-+	  is identical to the "Hardened Gentoo [server]" level, but with the
-+	  GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
-+	  disabled.  Accordingly, this is the preferred security level if the
-+	  system will be utilizing software incompatible with these features,
-+	  like VirtualBox or kvm.
++	  This "Hardened Gentoo [workstation]" level is identical to the
++	  "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++	  GRKERNSEC_PROC_ADD disabled.  Accordingly, this is the preferred
++	  security level if the system will be utilizing software incompatible
++	  with these features.
 +
 +	  When this level is selected, some security features will be forced on,
-+	  while others will default to off.  The later can be turned on at the
-+	  user's discretion to further enhance hardening, but may cause problems
++	  while others will default to their suggested values of off or on.  The
++	  later can be tweaked at the user's discretion, but may cause problems
++	  in some situations.  You can fully customize all grsecurity/PaX features
++	  by choosing "Custom" in the Security Level menu.  It may be helpful to
++	  inherit the options selected by this security level as a starting point.
++	  To accomplish this, select this security level, then exit the menuconfig
++	  interface, saving changes when prompted.  Run make menuconfig again and
++	  select the "Custom" level.
++
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++	bool "Hardened Gentoo [virtualization]"
++	select GRKERNSEC_LINK
++	select GRKERNSEC_FIFO
++	select GRKERNSEC_EXECVE
++	select GRKERNSEC_DMESG
++	select GRKERNSEC_FORKFAIL
++	select GRKERNSEC_TIME
++	select GRKERNSEC_SIGNAL
++	select GRKERNSEC_CHROOT
++	select GRKERNSEC_CHROOT_SHMAT
++	select GRKERNSEC_CHROOT_UNIX
++	select GRKERNSEC_CHROOT_MOUNT
++	select GRKERNSEC_CHROOT_FCHDIR
++	select GRKERNSEC_CHROOT_PIVOT
++	select GRKERNSEC_CHROOT_DOUBLE
++	select GRKERNSEC_CHROOT_CHDIR
++	select GRKERNSEC_CHROOT_MKNOD
++	select GRKERNSEC_CHROOT_CAPS
++	select GRKERNSEC_CHROOT_SYSCTL
++	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_PROC
++	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++	select GRKERNSEC_HIDESYM
++	select GRKERNSEC_BRUTE
++	select GRKERNSEC_PROC_USERGROUP
++	select GRKERNSEC_KMEM
++	select GRKERNSEC_RESLOG
++	select GRKERNSEC_RANDNET
++	# select GRKERNSEC_PROC_ADD
++	select GRKERNSEC_CHROOT_CHMOD
++	select GRKERNSEC_CHROOT_NICE
++	select GRKERNSEC_AUDIT_MOUNT
++	select GRKERNSEC_MODHARDEN if (MODULES)
++	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_VM86 if (X86_32)
++	# select GRKERNSEC_IO if (X86)
++	select GRKERNSEC_PROC_IPADDR
++	select GRKERNSEC_RWXMAP_LOG
++	select GRKERNSEC_SYSCTL
++	select GRKERNSEC_SYSCTL_ON
++	select PAX
++	select PAX_RANDUSTACK
++	select PAX_ASLR
++	select PAX_RANDMMAP
++	select PAX_NOEXEC
++	select PAX_MPROTECT
++	select PAX_EI_PAX
++	select PAX_PT_PAX_FLAGS
++	select PAX_HAVE_ACL_FLAGS
++	# select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++	# select PAX_MEMORY_UDEREF if (X86 && !XEN)
++	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++	select PAX_SEGMEXEC if (X86_32)
++	select PAX_PAGEEXEC
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUTRAMP if (PARISC)
++	select PAX_EMUSIGRT if (PARISC)
++	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_REFCOUNT if (X86 || SPARC64)
++	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_MEMORY_SANITIZE
++	help
++	  If you say Y here, a configuration for grsecurity/PaX features
++	  will be used that is endorsed by the Hardened Gentoo project.
++	  These pre-defined security levels are designed to provide a high
++	  level of security while minimizing incompatibilities with a majority
++	  of Gentoo's available software.
++
++	  This "Hardened Gentoo [virtualization]" level is identical to the
++	  "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++	  PAX_MEMORY_UDEREF defaulting to off.  Accordingly, this is the preferred
++	  security level if the system will be utilizing virtualization software
++	  incompatible with these features, like VirtualBox or kvm.
++
++	  When this level is selected, some security features will be forced on,
++	  while others will default to their suggested values of off or on.  The
++	  later can be tweaked at the user's discretion, but may cause problems
 +	  in some situations.  You can fully customize all grsecurity/PaX features
 +	  by choosing "Custom" in the Security Level menu.  It may be helpful to
 +	  inherit the options selected by this security level as a starting point.
diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch
index 319fa4b..87984fb 100644
--- a/2.6.37/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.37/4435_grsec-kconfig-gentoo.patch
@@ -15,9 +15,9 @@ and conflicts with some software and thus would be less suitable.
 The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 
-diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig
---- linux-2.6.37-hardened.orig/grsecurity/Kconfig	2011-01-22 06:53:30.000000000 -0500
-+++ linux-2.6.37-hardened/grsecurity/Kconfig	2011-01-22 11:23:17.000000000 -0500
+diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig	2011-02-02 09:18:14.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig	2011-02-02 09:43:28.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -191,6 +191,178 @@
+@@ -191,6 +191,261 @@
  	  - Ptrace restrictions
  	  - Restricted vm86 mode
  
@@ -101,15 +101,14 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	  of Gentoo's available software.
 +
 +	  This "Hardened Gentoo [server]" level is identical to the
-+	  "Hardened Gentoo [workstation or virtualization host]" level, but with
-+	  the GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
-+	  enabled.  Accordingly, this is the preferred security level if the system
-+	  will not be utilizing software incompatible with these features, like
-+	  VirtualBox or kvm.
++	  "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++	  and GRKERNSEC_PROC_ADD enabled.  Accordingly, this is the preferred
++	  security level if the system will not be utilizing software incompatible
++	  with these features.
 +
 +	  When this level is selected, some security features will be forced on,
-+	  while others will default to off.  The later can be turned on at the
-+	  user's discretion to further enhance hardening, but may cause problems
++	  while others will default to their suggested values of off or on.  The
++	  later can be tweaked at the user's discretion, but may cause problems
 +	  in some situations.  You can fully customize all grsecurity/PaX features
 +	  by choosing "Custom" in the Security Level menu.  It may be helpful to
 +	  inherit the options selected by this security level as a starting point.
@@ -118,7 +117,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	  select the "Custom" level.
 +
 +config GRKERNSEC_HARDENED_WORKSTATION
-+	bool "Hardened Gentoo [workstation or virtualization host]"
++	bool "Hardened Gentoo [workstation]"
 +	select GRKERNSEC_LINK
 +	select GRKERNSEC_FIFO
 +	select GRKERNSEC_EXECVE
@@ -186,16 +185,100 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 +	  level of security while minimizing incompatibilities with a majority
 +	  of Gentoo's available software.
 +
-+	  This "Hardened Gentoo [workstation or virtualization host]" level
-+	  is identical to the "Hardened Gentoo [server]" level, but with the
-+	  GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
-+	  disabled.  Accordingly, this is the preferred security level if the
-+	  system will be utilizing software incompatible with these features,
-+	  like VirtualBox or kvm.
++	  This "Hardened Gentoo [workstation]" level is identical to the
++	  "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++	  GRKERNSEC_PROC_ADD disabled.  Accordingly, this is the preferred
++	  security level if the system will be utilizing software incompatible
++	  with these features.
 +
 +	  When this level is selected, some security features will be forced on,
-+	  while others will default to off.  The later can be turned on at the
-+	  user's discretion to further enhance hardening, but may cause problems
++	  while others will default to their suggested values of off or on.  The
++	  later can be tweaked at the user's discretion, but may cause problems
++	  in some situations.  You can fully customize all grsecurity/PaX features
++	  by choosing "Custom" in the Security Level menu.  It may be helpful to
++	  inherit the options selected by this security level as a starting point.
++	  To accomplish this, select this security level, then exit the menuconfig
++	  interface, saving changes when prompted.  Run make menuconfig again and
++	  select the "Custom" level.
++
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++	bool "Hardened Gentoo [virtualization]"
++	select GRKERNSEC_LINK
++	select GRKERNSEC_FIFO
++	select GRKERNSEC_EXECVE
++	select GRKERNSEC_DMESG
++	select GRKERNSEC_FORKFAIL
++	select GRKERNSEC_TIME
++	select GRKERNSEC_SIGNAL
++	select GRKERNSEC_CHROOT
++	select GRKERNSEC_CHROOT_SHMAT
++	select GRKERNSEC_CHROOT_UNIX
++	select GRKERNSEC_CHROOT_MOUNT
++	select GRKERNSEC_CHROOT_FCHDIR
++	select GRKERNSEC_CHROOT_PIVOT
++	select GRKERNSEC_CHROOT_DOUBLE
++	select GRKERNSEC_CHROOT_CHDIR
++	select GRKERNSEC_CHROOT_MKNOD
++	select GRKERNSEC_CHROOT_CAPS
++	select GRKERNSEC_CHROOT_SYSCTL
++	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_PROC
++	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++	select GRKERNSEC_HIDESYM
++	select GRKERNSEC_BRUTE
++	select GRKERNSEC_PROC_USERGROUP
++	select GRKERNSEC_KMEM
++	select GRKERNSEC_RESLOG
++	select GRKERNSEC_RANDNET
++	# select GRKERNSEC_PROC_ADD
++	select GRKERNSEC_CHROOT_CHMOD
++	select GRKERNSEC_CHROOT_NICE
++	select GRKERNSEC_AUDIT_MOUNT
++	select GRKERNSEC_MODHARDEN if (MODULES)
++	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_VM86 if (X86_32)
++	# select GRKERNSEC_IO if (X86)
++	select GRKERNSEC_PROC_IPADDR
++	select GRKERNSEC_RWXMAP_LOG
++	select GRKERNSEC_SYSCTL
++	select GRKERNSEC_SYSCTL_ON
++	select PAX
++	select PAX_RANDUSTACK
++	select PAX_ASLR
++	select PAX_RANDMMAP
++	select PAX_NOEXEC
++	select PAX_MPROTECT
++	select PAX_EI_PAX
++	select PAX_PT_PAX_FLAGS
++	select PAX_HAVE_ACL_FLAGS
++	# select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++	# select PAX_MEMORY_UDEREF if (X86 && !XEN)
++	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++	select PAX_SEGMEXEC if (X86_32)
++	select PAX_PAGEEXEC
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUTRAMP if (PARISC)
++	select PAX_EMUSIGRT if (PARISC)
++	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_REFCOUNT if (X86 || SPARC64)
++	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_MEMORY_SANITIZE
++	help
++	  If you say Y here, a configuration for grsecurity/PaX features
++	  will be used that is endorsed by the Hardened Gentoo project.
++	  These pre-defined security levels are designed to provide a high
++	  level of security while minimizing incompatibilities with a majority
++	  of Gentoo's available software.
++
++	  This "Hardened Gentoo [virtualization]" level is identical to the
++	  "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++	  PAX_MEMORY_UDEREF defaulting to off.  Accordingly, this is the preferred
++	  security level if the system will be utilizing virtualization software
++	  incompatible with these features, like VirtualBox or kvm.
++
++	  When this level is selected, some security features will be forced on,
++	  while others will default to their suggested values of off or on.  The
++	  later can be tweaked at the user's discretion, but may cause problems
 +	  in some situations.  You can fully customize all grsecurity/PaX features
 +	  by choosing "Custom" in the Security Level menu.  It may be helpful to
 +	  inherit the options selected by this security level as a starting point.