diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2011-12-26 12:57:21 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-12-26 12:57:21 -0500 |
commit | 835527baca95c642a9edf5920646d9609dc05647 (patch) | |
tree | c875545dbcca344c082a742992a029f3602214a8 | |
parent | Add patch to bump to 3.1.6 (diff) | |
download | hardened-patchset-835527baca95c642a9edf5920646d9609dc05647.tar.gz hardened-patchset-835527baca95c642a9edf5920646d9609dc05647.tar.bz2 hardened-patchset-835527baca95c642a9edf5920646d9609dc05647.zip |
Added predefined selections for GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}
Forced selection on for:
GRKERNSEC_SYSFS_RESTRICT
GRKERNSEC_AUDIT_PTRACE
CONFIG_GRKERNSEC_SETXID
CONFIG_PAX_RANDKSTACK
CONFIG_PAX_MEMORY_STACKLEAK
default to CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
depened >= gcc-4.5.0
-rw-r--r-- | 2.6.32/4435_grsec-kconfig-gentoo.patch | 104 | ||||
-rw-r--r-- | 2.6.32/4437-grsec-kconfig-proc-user.patch | 4 | ||||
-rw-r--r-- | 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 3.1.6/4430_grsec-kconfig-default-gids.patch | 14 | ||||
-rw-r--r-- | 3.1.6/4435_grsec-kconfig-gentoo.patch | 105 | ||||
-rw-r--r-- | 3.1.6/4437-grsec-kconfig-proc-user.patch | 4 | ||||
-rw-r--r-- | 3.1.6/4440_selinux-avc_audit-log-curr_ip.patch | 2 |
7 files changed, 165 insertions, 70 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch index b9e9d3a..8257202 100644 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch @@ -16,8 +16,8 @@ The original version of this patch was conceived and created by: Ned Ludd <solar@gentoo.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-04-17 18:41:22.000000000 -0400 -+++ b/grsecurity/Kconfig 2011-04-17 18:42:14.000000000 -0400 +--- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 ++++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" @@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_LOW bool "Low" -@@ -190,6 +190,258 @@ +@@ -190,6 +190,267 @@ - Restricted sysfs/debugfs - Active kernel exploit response @@ -51,6 +51,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM @@ -58,6 +59,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE + select GRKERNSEC_RANDNET + select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD @@ -65,33 +67,36 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO if (X86) ++ select GRKERNSEC_IO + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX -+ select PAX_RANDUSTACK + select PAX_ASLR ++ select PAX_RANDKSTACK ++ select PAX_RANDUSTACK + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) ++ select PAX_KERNEXEC ++ select PAX_MEMORY_UDEREF + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. @@ -135,6 +140,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM @@ -142,40 +148,42 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE + select GRKERNSEC_RANDNET -+ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) -+ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX -+ select PAX_RANDUSTACK + select PAX_ASLR ++ select PAX_RANDKSTACK ++ select PAX_RANDUSTACK + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) ++ select PAX_KERNEXEC ++ select PAX_MEMORY_UDEREF + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. @@ -219,6 +227,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM @@ -226,40 +235,40 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE + select GRKERNSEC_RANDNET -+ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) -+ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX -+ select PAX_RANDUSTACK + select PAX_ASLR ++ select PAX_RANDKSTACK ++ select PAX_RANDUSTACK + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. @@ -287,8 +296,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig bool "Custom" help diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-04-17 18:36:55.000000000 -0400 -+++ b/security/Kconfig 2011-04-17 18:42:14.000000000 -0400 +--- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 ++++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 @@ -322,9 +322,10 @@ config PAX_KERNEXEC @@ -301,6 +310,45 @@ diff -Naur a/security/Kconfig b/security/Kconfig help This is the kernel land equivalent of PAGEEXEC and MPROTECT, that is, enabling this option will make it harder to inject +@@ -335,30 +336,30 @@ + + choice + prompt "Return Address Instrumentation Method" +- default PAX_KERNEXEC_PLUGIN_METHOD_BTS ++ default PAX_KERNEXEC_PLUGIN_METHOD_OR + depends on PAX_KERNEXEC_PLUGIN + help + Select the method used to instrument function pointer dereferences. + Note that binary modules cannot be instrumented by this approach. + +- config PAX_KERNEXEC_PLUGIN_METHOD_BTS +- bool "bts" +- help +- This method is compatible with binary only modules but has +- a higher runtime overhead. +- + config PAX_KERNEXEC_PLUGIN_METHOD_OR + bool "or" + depends on !PARAVIRT + help + This method is incompatible with binary only modules but has + a lower runtime overhead. ++ ++ config PAX_KERNEXEC_PLUGIN_METHOD_BTS ++ bool "bts" ++ help ++ This method is compatible with binary only modules but has ++ a higher runtime overhead. + endchoice + + config PAX_KERNEXEC_PLUGIN_METHOD + string +- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS + default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR ++ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS + default "" + + config PAX_KERNEXEC_MODULE_TEXT @@ -515,8 +516,9 @@ config PAX_MEMORY_UDEREF diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch index a8ad5ac..1e181f3 100644 --- a/2.6.32/4437-grsec-kconfig-proc-user.patch +++ b/2.6.32/4437-grsec-kconfig-proc-user.patch @@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400 -@@ -664,7 +664,7 @@ +@@ -673,7 +673,7 @@ config GRKERNSEC_PROC_USER bool "Restrict /proc to user only" @@ -15,7 +15,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, -@@ -672,7 +672,7 @@ +@@ -681,7 +681,7 @@ config GRKERNSEC_PROC_USERGROUP bool "Allow special group" diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch index fa1d60d..8a6daac 100644 --- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch +++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400 -@@ -1263,6 +1263,27 @@ +@@ -1272,6 +1272,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.1.6/4430_grsec-kconfig-default-gids.patch b/3.1.6/4430_grsec-kconfig-default-gids.patch index 453cb8d..243fbd5 100644 --- a/3.1.6/4430_grsec-kconfig-default-gids.patch +++ b/3.1.6/4430_grsec-kconfig-default-gids.patch @@ -12,7 +12,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500 +++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500 -@@ -432,7 +432,7 @@ +@@ -433,7 +433,7 @@ config GRKERNSEC_PROC_GID int "GID for special group" depends on GRKERNSEC_PROC_USERGROUP @@ -21,7 +21,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_PROC_ADD bool "Additional restrictions" -@@ -656,7 +656,7 @@ +@@ -657,7 +657,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -30,7 +30,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -834,7 +834,7 @@ +@@ -848,7 +848,7 @@ config GRKERNSEC_TPE_GID int "GID for untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -39,7 +39,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -843,7 +843,7 @@ +@@ -857,7 +857,7 @@ config GRKERNSEC_TPE_GID int "GID for trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -48,7 +48,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -916,7 +916,7 @@ +@@ -930,7 +930,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -57,7 +57,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -937,7 +937,7 @@ +@@ -951,7 +951,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -66,7 +66,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -955,7 +955,7 @@ +@@ -969,7 +969,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.1.6/4435_grsec-kconfig-gentoo.patch b/3.1.6/4435_grsec-kconfig-gentoo.patch index d9083f4..bec600b 100644 --- a/3.1.6/4435_grsec-kconfig-gentoo.patch +++ b/3.1.6/4435_grsec-kconfig-gentoo.patch @@ -16,8 +16,8 @@ The original version of this patch was conceived and created by: Ned Ludd <solar@gentoo.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 -+++ b/grsecurity/Kconfig 2011-04-17 19:27:46.000000000 -0400 +--- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 ++++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" @@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_LOW bool "Low" -@@ -190,6 +190,258 @@ +@@ -191,6 +191,267 @@ - Restricted sysfs/debugfs - Active kernel exploit response @@ -51,6 +51,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM @@ -58,6 +59,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE + select GRKERNSEC_RANDNET + select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD @@ -65,33 +67,36 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO if (X86) ++ select GRKERNSEC_IO + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX -+ select PAX_RANDUSTACK + select PAX_ASLR ++ select PAX_RANDKSTACK ++ select PAX_RANDUSTACK + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) ++ select PAX_KERNEXEC ++ select PAX_MEMORY_UDEREF + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. @@ -135,6 +140,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM @@ -142,40 +148,42 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE + select GRKERNSEC_RANDNET -+ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) -+ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX -+ select PAX_RANDUSTACK + select PAX_ASLR ++ select PAX_RANDKSTACK ++ select PAX_RANDUSTACK + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) ++ select PAX_KERNEXEC ++ select PAX_MEMORY_UDEREF + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. @@ -219,6 +227,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM @@ -226,40 +235,40 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE + select GRKERNSEC_RANDNET -+ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) -+ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX -+ select PAX_RANDUSTACK + select PAX_ASLR ++ select PAX_RANDKSTACK ++ select PAX_RANDUSTACK + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ # select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) ++ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. @@ -287,8 +296,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig bool "Custom" help diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-09-21 07:20:02.000000000 -0400 -+++ b/security/Kconfig 2011-09-21 07:25:50.000000000 -0400 +--- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 ++++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 @@ -322,9 +322,10 @@ config PAX_KERNEXEC @@ -301,6 +310,45 @@ diff -Naur a/security/Kconfig b/security/Kconfig help This is the kernel land equivalent of PAGEEXEC and MPROTECT, that is, enabling this option will make it harder to inject +@@ -335,30 +336,30 @@ + + choice + prompt "Return Address Instrumentation Method" +- default PAX_KERNEXEC_PLUGIN_METHOD_BTS ++ default PAX_KERNEXEC_PLUGIN_METHOD_OR + depends on PAX_KERNEXEC_PLUGIN + help + Select the method used to instrument function pointer dereferences. + Note that binary modules cannot be instrumented by this approach. + +- config PAX_KERNEXEC_PLUGIN_METHOD_BTS +- bool "bts" +- help +- This method is compatible with binary only modules but has +- a higher runtime overhead. +- + config PAX_KERNEXEC_PLUGIN_METHOD_OR + bool "or" + depends on !PARAVIRT + help + This method is incompatible with binary only modules but has + a lower runtime overhead. ++ ++ config PAX_KERNEXEC_PLUGIN_METHOD_BTS ++ bool "bts" ++ help ++ This method is compatible with binary only modules but has ++ a higher runtime overhead. + endchoice + + config PAX_KERNEXEC_PLUGIN_METHOD + string +- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS + default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR ++ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS + default "" + + config PAX_KERNEXEC_MODULE_TEXT @@ -515,8 +516,9 @@ config PAX_MEMORY_UDEREF @@ -312,4 +360,3 @@ diff -Naur a/security/Kconfig b/security/Kconfig help By saying Y here the kernel will be prevented from dereferencing userland pointers in contexts where the kernel expects only kernel - diff --git a/3.1.6/4437-grsec-kconfig-proc-user.patch b/3.1.6/4437-grsec-kconfig-proc-user.patch index fb20d59..4c9550b 100644 --- a/3.1.6/4437-grsec-kconfig-proc-user.patch +++ b/3.1.6/4437-grsec-kconfig-proc-user.patch @@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400 +++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400 -@@ -665,7 +665,7 @@ +@@ -675,7 +675,7 @@ config GRKERNSEC_PROC_USER bool "Restrict /proc to user only" @@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden help If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, -@@ -673,7 +673,7 @@ +@@ -683,7 +683,7 @@ config GRKERNSEC_PROC_USERGROUP bool "Allow special group" diff --git a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch index 56c8ef1..4bce851 100644 --- a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch +++ b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig --- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1264,6 +1264,27 @@ +@@ -1287,6 +1287,27 @@ menu "Logging Options" depends on GRKERNSEC |