authorMatthew Thode <prometheanfire@gentoo.org>2012-04-26 23:52:48 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-04-30 07:27:25 -0400
commita8c2ec02358ccda733de078af3d945de2753d246 (patch)
treeea7caba53386925635e6ef4d332a6e6a2420cac9
parentGrsec/PaX: 2.9-{2.6.32,3.2.16,3.3.3}-201204231833 (diff)
4455_grsec-kconfig-gentoo.patch: fixed CONFIG_PAX_MEMORY_STACKLEAK
On xenserver guests and other systems, relaxing the constraints on PAX_RANDKSTACK, PAX_KERNEXEC and PAX_MEMORY_UDEREF means that the user can turn these on, which will cause breakage. Restoring the constraints prevents this.
Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
-rw-r--r--2.6.32/4455_grsec-kconfig-gentoo.patch20
-rw-r--r--3.2.16/4455_grsec-kconfig-gentoo.patch20
-rw-r--r--3.3.3/4455_grsec-kconfig-gentoo.patch6
3 files changed, 23 insertions, 23 deletions
diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch
index e578aa6..e18ba0b 100644
--- a/2.6.32/4455_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4455_grsec-kconfig-gentoo.patch
@@ -77,7 +77,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
+ select PAX_ASLR
-+ select PAX_RANDKSTACK
++ select PAX_RANDKSTACK if (X86_TSC && X86)
+ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
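Review bot: The new guard on `select PAX_RANDKSTACK` has no `!XEN` term, although the commit description names PAX_RANDKSTACK among the options that break on xenserver guests and the KERNEXEC and UDEREF selects in the next hunk do carry one. If the guard is meant to mirror PAX_RANDKSTACK's own `depends on`, that is fine, but a Xen guest with X86_TSC then still gets it selected. Please confirm which is intended, and if the Xen breakage applies here too, use `select PAX_RANDKSTACK if (X86_TSC && X86 && !XEN)`. The same line recurs in the hunks at -162 and -247 and in the 3.2.16 copy, and the config entry starts and ends outside this hunk.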
@@ -85,8 +85,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC
-+ select PAX_MEMORY_UDEREF
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
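Review bot: With XEN enabled, this profile now silently omits PAX_KERNEXEC and PAX_MEMORY_UDEREF (and PAX_MEMORY_STACKLEAK, per the following hunk), but nothing visible to the user says so. The help text shown in the next hunk still describes the result only as the configuration endorsed by the Hardened Gentoo project. Someone choosing the profile on a Xen-enabled kernel would reasonably assume these protections are on. I would add a sentence to the help text such as `Note that PAX_KERNEXEC, PAX_MEMORY_UDEREF and PAX_MEMORY_STACKLEAK are not selected when XEN is enabled.` The same applies to the hunk at -170 and to the 3.2.16 copy; the config entry starts and ends outside this hunk.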
@@ -95,7 +95,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
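Review bot: `select PAX_MEMORY_STACKLEAK if (!XEN)` carries no architecture term, unlike the neighbouring selects in this list (`PAX_REFCOUNT if (X86 || SPARC64)`, `PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && ...)`). Kconfig's `select` forces the symbol on without evaluating its `depends on`, so the `if` here is the only guard. PAX_MEMORY_STACKLEAK's own dependencies are not visible on this page; if they are limited to particular architectures, the condition should repeat those terms alongside `!XEN`, otherwise the profile forces the option on for every non-Xen build. The same line recurs in the hunks at -180 and -263 and in the 3.2.16 and 3.3.3 copies.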
@@ -162,7 +162,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
+ select PAX_ASLR
-+ select PAX_RANDKSTACK
++ select PAX_RANDKSTACK if (X86_TSC && X86)
+ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
@@ -170,8 +170,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC
-+ select PAX_MEMORY_UDEREF
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
@@ -180,7 +180,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -247,7 +247,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
+ select PAX_ASLR
-+ select PAX_RANDKSTACK
++ select PAX_RANDKSTACK if (X86_TSC && X86)
+ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
@@ -263,7 +263,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
diff --git a/3.2.16/4455_grsec-kconfig-gentoo.patch b/3.2.16/4455_grsec-kconfig-gentoo.patch
index 2527bad..87b5454 100644
--- a/3.2.16/4455_grsec-kconfig-gentoo.patch
+++ b/3.2.16/4455_grsec-kconfig-gentoo.patch
@@ -77,7 +77,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
+ select PAX_ASLR
-+ select PAX_RANDKSTACK
++ select PAX_RANDKSTACK if (X86_TSC && X86)
+ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
@@ -85,8 +85,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC
-+ select PAX_MEMORY_UDEREF
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
@@ -95,7 +95,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -162,7 +162,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
+ select PAX_ASLR
-+ select PAX_RANDKSTACK
++ select PAX_RANDKSTACK if (X86_TSC && X86)
+ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
@@ -170,8 +170,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC
-+ select PAX_MEMORY_UDEREF
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
@@ -180,7 +180,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -247,7 +247,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
+ select PAX_ASLR
-+ select PAX_RANDKSTACK
++ select PAX_RANDKSTACK if (X86_TSC && X86)
+ select PAX_RANDUSTACK
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
@@ -263,7 +263,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
diff --git a/3.3.3/4455_grsec-kconfig-gentoo.patch b/3.3.3/4455_grsec-kconfig-gentoo.patch
index ef59341..1ce4ccf 100644
--- a/3.3.3/4455_grsec-kconfig-gentoo.patch
+++ b/3.3.3/4455_grsec-kconfig-gentoo.patch
@@ -95,7 +95,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -180,7 +180,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.
@@ -263,7 +263,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select PAX_REFCOUNT if (X86 || SPARC64)
+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK
++ select PAX_MEMORY_STACKLEAK if (!XEN)
+ help
+ If you say Y here, a configuration for grsecurity/PaX features
+ will be used that is endorsed by the Hardened Gentoo project.