authorAnthony G. Basile <blueness@gentoo.org>2011-12-26 12:57:21 -0500
committerAnthony G. Basile <blueness@gentoo.org>2011-12-26 12:57:21 -0500
commit835527baca95c642a9edf5920646d9609dc05647 (patch)
treec875545dbcca344c082a742992a029f3602214a8
parentAdd patch to bump to 3.1.6 (diff)
Added predefined selections for GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}
Forced selection on for: GRKERNSEC_SYSFS_RESTRICT GRKERNSEC_AUDIT_PTRACE CONFIG_GRKERNSEC_SETXID CONFIG_PAX_RANDKSTACK CONFIG_PAX_MEMORY_STACKLEAK; default to CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR, which depends on >= gcc-4.5.0
-rw-r--r--2.6.32/4435_grsec-kconfig-gentoo.patch104
-rw-r--r--2.6.32/4437-grsec-kconfig-proc-user.patch4
-rw-r--r--2.6.32/4440_selinux-avc_audit-log-curr_ip.patch2
-rw-r--r--3.1.6/4430_grsec-kconfig-default-gids.patch14
-rw-r--r--3.1.6/4435_grsec-kconfig-gentoo.patch105
-rw-r--r--3.1.6/4437-grsec-kconfig-proc-user.patch4
-rw-r--r--3.1.6/4440_selinux-avc_audit-log-curr_ip.patch2
7 files changed, 165 insertions, 70 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index b9e9d3a..8257202 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-04-17 18:41:22.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-04-17 18:42:14.000000000 -0400
+--- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
++++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
@@ -18,7 +18,7 @@
choice
prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_LOW
bool "Low"
-@@ -190,6 +190,258 @@
+@@ -190,6 +190,267 @@
- Restricted sysfs/debugfs
- Active kernel exploit response
@@ -51,6 +51,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_CHROOT_CAPS
+ select GRKERNSEC_CHROOT_SYSCTL
+ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
+ select GRKERNSEC_PROC
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+ select GRKERNSEC_HIDESYM
@@ -58,6 +59,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_PROC_USERGROUP
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
+ select GRKERNSEC_RANDNET
+ select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
@@ -65,33 +67,36 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO if (X86)
++ select GRKERNSEC_IO
+ select GRKERNSEC_PROC_IPADDR
+ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
-+ select PAX_RANDUSTACK
+ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_KERNEXEC
++ select PAX_MEMORY_UDEREF
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+ select PAX_EMUTRAMP if (PARISC)
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -135,6 +140,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_CHROOT_CAPS
+ select GRKERNSEC_CHROOT_SYSCTL
+ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
+ select GRKERNSEC_PROC
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+ select GRKERNSEC_HIDESYM
@@ -142,40 +148,42 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_PROC_USERGROUP
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
+ select GRKERNSEC_RANDNET
-+ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
-+ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
+ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
-+ select PAX_RANDUSTACK
+ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_KERNEXEC
++ select PAX_MEMORY_UDEREF
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+ select PAX_EMUTRAMP if (PARISC)
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -219,6 +227,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_CHROOT_CAPS
+ select GRKERNSEC_CHROOT_SYSCTL
+ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
+ select GRKERNSEC_PROC
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+ select GRKERNSEC_HIDESYM
@@ -226,40 +235,40 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_PROC_USERGROUP
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
+ select GRKERNSEC_RANDNET
-+ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
-+ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
+ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
-+ select PAX_RANDUSTACK
+ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+ select PAX_EMUTRAMP if (PARISC)
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -287,8 +296,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
bool "Custom"
help
diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-04-17 18:36:55.000000000 -0400
-+++ b/security/Kconfig 2011-04-17 18:42:14.000000000 -0400
+--- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
++++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
@@ -322,9 +322,10 @@
config PAX_KERNEXEC
@@ -301,6 +310,45 @@ diff -Naur a/security/Kconfig b/security/Kconfig
help
This is the kernel land equivalent of PAGEEXEC and MPROTECT,
that is, enabling this option will make it harder to inject
+@@ -335,30 +336,30 @@
+
+ choice
+ prompt "Return Address Instrumentation Method"
+- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ default PAX_KERNEXEC_PLUGIN_METHOD_OR
+ depends on PAX_KERNEXEC_PLUGIN
+ help
+ Select the method used to instrument function pointer dereferences.
+ Note that binary modules cannot be instrumented by this approach.
+
+- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+- bool "bts"
+- help
+- This method is compatible with binary only modules but has
+- a higher runtime overhead.
+-
+ config PAX_KERNEXEC_PLUGIN_METHOD_OR
+ bool "or"
+ depends on !PARAVIRT
+ help
+ This method is incompatible with binary only modules but has
+ a lower runtime overhead.
++
++ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ bool "bts"
++ help
++ This method is compatible with binary only modules but has
++ a higher runtime overhead.
+ endchoice
+
+ config PAX_KERNEXEC_PLUGIN_METHOD
+ string
+- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
++ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default ""
+
+ config PAX_KERNEXEC_MODULE_TEXT
@@ -515,8 +516,9 @@
config PAX_MEMORY_UDEREF
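Review bot: Dropping the architecture/XEN guards on `select PAX_KERNEXEC` and `select PAX_MEMORY_UDEREF` in the SERVER and WORKSTATION profiles (this section's `@@ -65,33 +67,36 @@` and `@@ -142,40 +148,42 @@` hunks, and the identical hunks in 3.1.6/4435_grsec-kconfig-gentoo.patch) is not covered by the commit message, which lists only SYSFS_RESTRICT, AUDIT_PTRACE, SETXID, RANDKSTACK and MEMORY_STACKLEAK as forced on. Kconfig `select` does not honour the selected symbol's own `depends on`, so a profile built under XEN, or on an architecture outside the old guard `(PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN`, now has these forced on where the previous version deliberately left them off; the same concern applies to `select GRKERNSEC_IO` losing its `if (X86)` and `select PAX_RANDKSTACK` losing `if (X86_TSC && !X86_64)`. If the intent is to make the profiles x86-only, that should be stated in the patch header; otherwise restore the guards, e.g. `select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)` and `select PAX_MEMORY_UDEREF if (X86 && !XEN)`, so that an unsupported configuration is not silently produced.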
diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
index a8ad5ac..1e181f3 100644
--- a/2.6.32/4437-grsec-kconfig-proc-user.patch
+++ b/2.6.32/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
+++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
-@@ -664,7 +664,7 @@
+@@ -673,7 +673,7 @@
config GRKERNSEC_PROC_USER
bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
If you say Y here, non-root users will only be able to view their own
processes, and restricts them from viewing network-related information,
-@@ -672,7 +672,7 @@
+@@ -681,7 +681,7 @@
config GRKERNSEC_PROC_USERGROUP
bool "Allow special group"
diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
index fa1d60d..8a6daac 100644
--- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -1263,6 +1263,27 @@
+@@ -1272,6 +1272,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/3.1.6/4430_grsec-kconfig-default-gids.patch b/3.1.6/4430_grsec-kconfig-default-gids.patch
index 453cb8d..243fbd5 100644
--- a/3.1.6/4430_grsec-kconfig-default-gids.patch
+++ b/3.1.6/4430_grsec-kconfig-default-gids.patch
@@ -12,7 +12,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500
+++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500
-@@ -432,7 +432,7 @@
+@@ -433,7 +433,7 @@
config GRKERNSEC_PROC_GID
int "GID for special group"
depends on GRKERNSEC_PROC_USERGROUP
@@ -21,7 +21,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_PROC_ADD
bool "Additional restrictions"
-@@ -656,7 +656,7 @@
+@@ -657,7 +657,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -30,7 +30,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -834,7 +834,7 @@
+@@ -848,7 +848,7 @@
config GRKERNSEC_TPE_GID
int "GID for untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -39,7 +39,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -843,7 +843,7 @@
+@@ -857,7 +857,7 @@
config GRKERNSEC_TPE_GID
int "GID for trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -48,7 +48,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -916,7 +916,7 @@
+@@ -930,7 +930,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -57,7 +57,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -937,7 +937,7 @@
+@@ -951,7 +951,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -66,7 +66,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -955,7 +955,7 @@
+@@ -969,7 +969,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.1.6/4435_grsec-kconfig-gentoo.patch b/3.1.6/4435_grsec-kconfig-gentoo.patch
index d9083f4..bec600b 100644
--- a/3.1.6/4435_grsec-kconfig-gentoo.patch
+++ b/3.1.6/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-04-17 19:27:46.000000000 -0400
+--- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
++++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
@@ -18,7 +18,7 @@
choice
prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_LOW
bool "Low"
-@@ -190,6 +190,258 @@
+@@ -191,6 +191,267 @@
- Restricted sysfs/debugfs
- Active kernel exploit response
@@ -51,6 +51,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_CHROOT_CAPS
+ select GRKERNSEC_CHROOT_SYSCTL
+ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
+ select GRKERNSEC_PROC
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+ select GRKERNSEC_HIDESYM
@@ -58,6 +59,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_PROC_USERGROUP
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
+ select GRKERNSEC_RANDNET
+ select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
@@ -65,33 +67,36 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO if (X86)
++ select GRKERNSEC_IO
+ select GRKERNSEC_PROC_IPADDR
+ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
-+ select PAX_RANDUSTACK
+ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_KERNEXEC
++ select PAX_MEMORY_UDEREF
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+ select PAX_EMUTRAMP if (PARISC)
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -135,6 +140,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_CHROOT_CAPS
+ select GRKERNSEC_CHROOT_SYSCTL
+ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
+ select GRKERNSEC_PROC
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+ select GRKERNSEC_HIDESYM
@@ -142,40 +148,42 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_PROC_USERGROUP
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
+ select GRKERNSEC_RANDNET
-+ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
-+ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
+ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
-+ select PAX_RANDUSTACK
+ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_KERNEXEC
++ select PAX_MEMORY_UDEREF
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+ select PAX_EMUTRAMP if (PARISC)
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -219,6 +227,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_CHROOT_CAPS
+ select GRKERNSEC_CHROOT_SYSCTL
+ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
+ select GRKERNSEC_PROC
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+ select GRKERNSEC_HIDESYM
@@ -226,40 +235,40 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_PROC_USERGROUP
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
+ select GRKERNSEC_RANDNET
-+ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
-+ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
+ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
-+ select PAX_RANDUSTACK
+ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+ select PAX_EMUTRAMP if (PARISC)
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -287,8 +296,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
bool "Custom"
help
diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-09-21 07:20:02.000000000 -0400
-+++ b/security/Kconfig 2011-09-21 07:25:50.000000000 -0400
+--- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
++++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
@@ -322,9 +322,10 @@
config PAX_KERNEXEC
@@ -301,6 +310,45 @@ diff -Naur a/security/Kconfig b/security/Kconfig
help
This is the kernel land equivalent of PAGEEXEC and MPROTECT,
that is, enabling this option will make it harder to inject
+@@ -335,30 +336,30 @@
+
+ choice
+ prompt "Return Address Instrumentation Method"
+- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ default PAX_KERNEXEC_PLUGIN_METHOD_OR
+ depends on PAX_KERNEXEC_PLUGIN
+ help
+ Select the method used to instrument function pointer dereferences.
+ Note that binary modules cannot be instrumented by this approach.
+
+- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+- bool "bts"
+- help
+- This method is compatible with binary only modules but has
+- a higher runtime overhead.
+-
+ config PAX_KERNEXEC_PLUGIN_METHOD_OR
+ bool "or"
+ depends on !PARAVIRT
+ help
+ This method is incompatible with binary only modules but has
+ a lower runtime overhead.
++
++ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ bool "bts"
++ help
++ This method is compatible with binary only modules but has
++ a higher runtime overhead.
+ endchoice
+
+ config PAX_KERNEXEC_PLUGIN_METHOD
+ string
+- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
++ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default ""
+
+ config PAX_KERNEXEC_MODULE_TEXT
@@ -515,8 +516,9 @@
config PAX_MEMORY_UDEREF
@@ -312,4 +360,3 @@ diff -Naur a/security/Kconfig b/security/Kconfig
help
By saying Y here the kernel will be prevented from dereferencing
userland pointers in contexts where the kernel expects only kernel
-
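Review bot: The security/Kconfig hunk (`@@ -301,6 +310,45 @@`, duplicated in 2.6.32/4435_grsec-kconfig-gentoo.patch) switches the choice default to PAX_KERNEXEC_PLUGIN_METHOD_OR, but nothing in the patch records the gcc >= 4.5.0 requirement the commit message attaches to it, and since OR carries `depends on !PARAVIRT` the choice will fall back to the next visible entry (BTS) on paravirt kernels without any hint to the user. The patch header is the only place a Gentoo user sees the rationale, so add a sentence there such as `Return address instrumentation defaults to "or" (lower overhead, incompatible with binary-only modules, needs gcc >= 4.5.0); on PARAVIRT kernels only "bts" remains selectable.` Separately, the regenerated `+++ b/security/Kconfig` timestamp (11:14:27) is earlier than the `--- a/` one (12:23:44); harmless to patch(1), but it suggests the header was produced from files edited out of order and is worth regenerating for consistency.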
diff --git a/3.1.6/4437-grsec-kconfig-proc-user.patch b/3.1.6/4437-grsec-kconfig-proc-user.patch
index fb20d59..4c9550b 100644
--- a/3.1.6/4437-grsec-kconfig-proc-user.patch
+++ b/3.1.6/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre
diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
-@@ -665,7 +665,7 @@
+@@ -675,7 +675,7 @@
config GRKERNSEC_PROC_USER
bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden
help
If you say Y here, non-root users will only be able to view their own
processes, and restricts them from viewing network-related information,
-@@ -673,7 +673,7 @@
+@@ -683,7 +683,7 @@
config GRKERNSEC_PROC_USERGROUP
bool "Allow special group"
diff --git a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
index 56c8ef1..4bce851 100644
--- a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
--- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1264,6 +1264,27 @@
+@@ -1287,6 +1287,27 @@
menu "Logging Options"
depends on GRKERNSEC