author | Anthony G. Basile <blueness@gentoo.org> | 2012-07-01 13:56:27 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-07-01 13:56:27 -0400 |
commit | 6ed3a4cda487bd77f4cf449c8041a95569547f94 (patch) | |
tree | 5fead2719c82e738a9bd7a23ee1accf0445206cb | |
parent | Correct patch 4420 for 3.4.4 (diff) | |
Grsec/PaX: 2.9.1-3.4.4-201206251759: new 3.4.4 Kconfig structure
-rw-r--r-- | 3.4.4/0000_README | 18 | ||||
-rw-r--r-- | 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch (renamed from 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch) | 488 | ||||
-rw-r--r-- | 3.4.4/4445_grsec-pax-without-grsec.patch | 91 | ||||
-rw-r--r-- | 3.4.4/4450_grsec-kconfig-default-gids.patch | 52 | ||||
-rw-r--r-- | 3.4.4/4455_grsec-kconfig-gentoo.patch | 357 | ||||
-rw-r--r-- | 3.4.4/4460-grsec-kconfig-proc-user.patch | 26 | ||||
-rw-r--r-- | 3.4.4/4465_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 3.4.4/4470_disable-compat_vdso.patch | 2 |
8 files changed, 308 insertions, 728 deletions
diff --git a/3.4.4/0000_README b/3.4.4/0000_README index dbb8629..61e9d20 100644 --- a/3.4.4/0000_README +++ b/3.4.4/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.4.4-201206231147.patch +Patch: 4420_grsecurity-2.9.1-3.4.4-201206251759.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity @@ -20,27 +20,11 @@ Patch: 4440_grsec-remove-protected-paths.patch From: Anthony G. Basile <blueness@gentoo.org> Desc: Removes chmod statements from grsecurity/Makefile -Patch: 4445_grsec-pax-without-grsec.patch -From: Gordon Malm <gengor@gentoo.org> -Desc: Allows PaX features to be selected without enabling GRKERNSEC - Patch: 4450_grsec-kconfig-default-gids.patch From: Kerin Millar <kerframil@gmail.com> Desc: Sets sane(r) default GIDs on various grsecurity group-dependent features -Patch: 4455_grsec-kconfig-gentoo.patch -From: Gordon Malm <gengor@gentoo.org> - Kerin Millar <kerframil@gmail.com> - Anthony G. Basile <blueness@gentoo.org> -Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels, - sets Hardened Gentoo [workstation] as default - -Patch: 4460-grsec-kconfig-proc-user.patch -From: Anthony G. Basile <blueness@gentoo.org> -Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually - exclusive to avoid bug #366019. - Patch: 4465_selinux-avc_audit-log-curr_ip.patch From: Gordon Malm <gengor@gentoo.org> Anthony G. Basile <blueness@gentoo.org> diff --git a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch index 758a4c4..083b3e1 100644 --- a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch +++ b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch @@ -7733,7 +7733,7 @@ index 706e12e..62e4feb 100644 config X86_MINIMUM_CPU_FAMILY int 
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug -index e46c214..7c72b55 100644 +index e46c214..ab62fd1 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -84,7 +84,7 @@ config X86_PTDUMP @@ -7754,6 +7754,15 @@ index e46c214..7c72b55 100644 ---help--- This option helps catch unintended modifications to loadable kernel module's text and read-only data. It also prevents execution +@@ -275,7 +275,7 @@ config OPTIMIZE_INLINING + + config DEBUG_STRICT_USER_COPY_CHECKS + bool "Strict copy size checks" +- depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING ++ depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW + ---help--- + Enabling this option turns a certain set of sanity checks for user + copy operations into compile time failures. diff --git a/arch/x86/Makefile b/arch/x86/Makefile index b1c611e..2c1a823 100644 --- a/arch/x86/Makefile @@ -49100,221 +49109,19 @@ index 3011b87..1ab03e9 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..2645296 +index 0000000..2d6e3a8 --- /dev/null 
+++ b/grsecurity/Kconfig -@@ -0,0 +1,1079 @@ +@@ -0,0 +1,915 @@ +# +# grecurity configuration +# -+ -+menu "Grsecurity" -+ -+config GRKERNSEC -+ bool "Grsecurity" -+ select CRYPTO -+ select CRYPTO_SHA256 -+ help -+ If you say Y here, you will be able to configure many features -+ that will enhance the security of your system. It is highly -+ recommended that you say Y here and read through the help -+ for each option so that you fully understand the features and -+ can evaluate their usefulness for your machine. -+ -+choice -+ prompt "Security Level" -+ depends on GRKERNSEC -+ default GRKERNSEC_CUSTOM -+ -+config GRKERNSEC_LOW -+ bool "Low" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_CHDIR -+ -+ help -+ If you choose this option, several of the grsecurity options will -+ be enabled that will give you greater protection against a number -+ of attacks, while assuring that none of your software will have any -+ conflicts with the additional security measures. If you run a lot -+ of unusual software, or you are having problems with the higher -+ security levels, you should say Y here. 
With this option, the -+ following features are enabled: -+ -+ - Linking restrictions -+ - FIFO restrictions -+ - Restricted dmesg -+ - Enforced chdir("/") on chroot -+ - Runtime module disabling -+ -+config GRKERNSEC_MEDIUM -+ bool "Medium" -+ select PAX -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_USERGROUP -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB)) -+ -+ help -+ If you say Y here, several features in addition to those included -+ in the low additional security level will be enabled. These -+ features provide even more security to your system, though in rare -+ cases they may be incompatible with very old or poorly written -+ software. If you enable this option, make sure that your auth -+ service (identd) is running as gid 1001. 
With this option, -+ the following features (in addition to those provided in the -+ low additional security level) will be enabled: -+ -+ - Failed fork logging -+ - Time change logging -+ - Signal logging -+ - Deny mounts in chroot -+ - Deny double chrooting -+ - Deny sysctl writes in chroot -+ - Deny mknod in chroot -+ - Deny access to abstract AF_UNIX sockets out of chroot -+ - Deny pivot_root in chroot -+ - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port -+ - /proc restrictions with special GID set to 10 (usually wheel) -+ - Address Space Layout Randomization (ASLR) -+ - Prevent exploitation of most refcount overflows -+ - Bounds checking of copying between the kernel and userland -+ -+config GRKERNSEC_HIGH -+ bool "High" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_SYSFS_RESTRICT -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS) -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC) -+ 
select PAX -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) -+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ help -+ If you say Y here, many of the features of grsecurity will be -+ enabled, which will protect you against many kinds of attacks -+ against your system. The heightened security comes at a cost -+ of an increased chance of incompatibilities with rare software -+ on your machine. Since this security level enables PaX, you should -+ view <http://pax.grsecurity.net> and read about the PaX -+ project. While you are there, download chpax and run it on -+ binaries that cause problems with PaX. Also remember that -+ since the /proc restrictions are enabled, you must run your -+ identd as gid 1001. 
This security level enables the following -+ features in addition to those listed in the low and medium -+ security levels: -+ -+ - Additional /proc restrictions -+ - Chmod restrictions in chroot -+ - No signals, ptrace, or viewing of processes outside of chroot -+ - Capability restrictions in chroot -+ - Deny fchdir out of chroot -+ - Priority restrictions in chroot -+ - Segmentation-based implementation of PaX -+ - Mprotect restrictions -+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat] -+ - Kernel stack randomization -+ - Mount/unmount/remount logging -+ - Kernel symbol hiding -+ - Hardening of module auto-loading -+ - Ptrace restrictions -+ - Restricted vm86 mode -+ - Restricted sysfs/debugfs -+ - Active kernel exploit response -+ -+config GRKERNSEC_CUSTOM -+ bool "Custom" -+ help -+ If you say Y here, you will be able to configure every grsecurity -+ option, which allows you to enable many more features that aren't -+ covered in the basic security levels. These additional features -+ include TPE, socket restrictions, and the sysctl system for -+ grsecurity. It is advised that you read through the help for -+ each option to determine its usefulness in your situation. -+ -+endchoice -+ +menu "Memory Protections" +depends on GRKERNSEC + +config GRKERNSEC_KMEM + bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port" ++ default y if GRKERNSEC_CONFIG_AUTO + select STRICT_DEVMEM if (X86 || ARM || TILE || S390) + help + If you say Y here, /dev/kmem and /dev/mem won't be allowed to @@ -49336,6 +49143,7 @@ index 0000000..2645296 + +config GRKERNSEC_VM86 + bool "Restrict VM86 mode" ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) + depends on X86_32 + + help @@ -49349,6 +49157,7 @@ index 0000000..2645296 + +config GRKERNSEC_IO + bool "Disable privileged I/O" ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) + depends on X86 + select RTC_CLASS + select RTC_INTF_DEV 
@@ -49368,7 +49177,7 @@ index 0000000..2645296 + +config GRKERNSEC_PROC_MEMMAP + bool "Harden ASLR against information leaks and entropy reduction" -+ default y if (PAX_NOEXEC || PAX_ASLR) ++ default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR) + depends on PAX_NOEXEC || PAX_ASLR + help + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will @@ -49388,6 +49197,7 @@ index 0000000..2645296 + +config GRKERNSEC_BRUTE + bool "Deter exploit bruteforcing" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, attempts to bruteforce exploits against forking + daemons such as apache or sshd, as well as against suid/sgid binaries @@ -49408,6 +49218,7 @@ index 0000000..2645296 + +config GRKERNSEC_MODHARDEN + bool "Harden module auto-loading" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on MODULES + help + If you say Y here, module auto-loading in response to use of some @@ -49429,6 +49240,7 @@ index 0000000..2645296 + +config GRKERNSEC_HIDESYM + bool "Hide kernel symbols" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, getting information on loaded modules, and + displaying all kernel symbols through a syscall will be restricted @@ -49454,11 +49266,12 @@ index 0000000..2645296 + +config GRKERNSEC_KERN_LOCKOUT + bool "Active kernel exploit response" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on X86 || ARM || PPC || SPARC + help + If you say Y here, when a PaX alert is triggered due to suspicious + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY) -+ or an OOPs occurs due to bad memory accesses, instead of just ++ or an OOPS occurs due to bad memory accesses, instead of just + terminating the offending process (and potentially allowing + a subsequent exploit from the same user), we will take one of two + actions: 
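Review bot: The `GRKERNSEC_CONFIG_AUTO ||` term added to the GRKERNSEC_PROC_MEMMAP default cannot change the result, because the `depends on PAX_NOEXEC || PAX_ASLR` line directly below already makes the old condition true whenever the option is visible. The option therefore still defaults to y in Custom mode, while the new help for GRKERNSEC_CONFIG_CUSTOM in security/Kconfig says "no options are automatically enabled". If the default is meant to follow the Automatic method only, the line should read `default y if GRKERNSEC_CONFIG_AUTO`; otherwise keep the original `default y if (PAX_NOEXEC || PAX_ASLR)` and adjust the Custom help text. The config entry's help continues outside the hunk.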
@@ -49517,6 +49330,7 @@ index 0000000..2645296 + +config GRKERNSEC_PROC + bool "Proc restrictions" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, the permissions of the /proc filesystem + will be altered to enhance system security and privacy. You MUST @@ -49538,6 +49352,7 @@ index 0000000..2645296 + +config GRKERNSEC_PROC_USERGROUP + bool "Allow special group" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER + help + If you say Y here, you will be able to select a group that will be @@ -49553,6 +49368,7 @@ index 0000000..2645296 + +config GRKERNSEC_PROC_ADD + bool "Additional restrictions" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP + help + If you say Y here, additional restrictions will be placed on @@ -49561,6 +49377,7 @@ index 0000000..2645296 + +config GRKERNSEC_LINK + bool "Linking restrictions" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, /tmp race exploits will be prevented, since users + will no longer be able to follow symlinks owned by other users in @@ -49571,6 +49388,7 @@ index 0000000..2645296 + +config GRKERNSEC_FIFO + bool "FIFO restrictions" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, users will not be able to write to FIFOs they don't + own in world-writable +t directories (e.g. /tmp), unless the owner of @@ -49580,6 +49398,7 @@ index 0000000..2645296 + +config GRKERNSEC_SYSFS_RESTRICT + bool "Sysfs/debugfs restriction" ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) + depends on SYSFS + help + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and @@ -49613,6 +49432,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT + bool "Chroot jail restrictions" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, you will be able to choose several options that will + make breaking out of a chrooted jail much more difficult. If you 
@@ -49621,6 +49441,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_MOUNT + bool "Deny mounts" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to @@ -49629,6 +49450,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_DOUBLE + bool "Deny double-chroots" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to chroot @@ -49639,6 +49461,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_PIVOT + bool "Deny pivot_root in chroot" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to use @@ -49651,6 +49474,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_CHDIR + bool "Enforce chdir(\"/\") on all chroots" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, the current working directory of all newly-chrooted @@ -49667,6 +49491,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_CHMOD + bool "Deny (f)chmod +s" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to chmod @@ -49677,6 +49502,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_FCHDIR + bool "Deny fchdir out of chroot" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, a well-known method of breaking chroots by fchdir'ing @@ -49686,6 +49512,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_MKNOD + bool "Deny mknod" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be allowed to 
@@ -49700,6 +49527,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_SHMAT + bool "Deny shmat() out of chroot" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to attach @@ -49709,6 +49537,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_UNIX + bool "Deny access to abstract AF_UNIX sockets out of chroot" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to @@ -49719,6 +49548,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_FINDTASK + bool "Protect outside processes" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to @@ -49729,6 +49559,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_NICE + bool "Restrict priority changes" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, processes inside a chroot will not be able to raise @@ -49740,6 +49571,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_SYSCTL + bool "Deny sysctl writes" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, an attacker in a chroot will not be able to @@ -49750,6 +49582,7 @@ index 0000000..2645296 + +config GRKERNSEC_CHROOT_CAPS + bool "Capability restrictions" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_CHROOT + help + If you say Y here, the capabilities on all processes within a @@ -49792,6 +49625,7 @@ index 0000000..2645296 + +config GRKERNSEC_RESLOG + bool "Resource logging" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, all attempts to overstep resource limits will + be logged with the resource name, the requested size, and the current 
@@ -49830,6 +49664,7 @@ index 0000000..2645296 + +config GRKERNSEC_SIGNAL + bool "Signal logging" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, certain important signals will be logged, such as + SIGSEGV, which will as a result inform you of when a error in a program @@ -49847,6 +49682,7 @@ index 0000000..2645296 + +config GRKERNSEC_TIME + bool "Time change logging" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, any changes of the system clock will be logged. + If the sysctl option is enabled, a sysctl option with name @@ -49854,6 +49690,7 @@ index 0000000..2645296 + +config GRKERNSEC_PROC_IPADDR + bool "/proc/<pid>/ipaddr support" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, a new entry will be added to each /proc/<pid> + directory that contains the IP address of the person using the task. @@ -49865,6 +49702,7 @@ index 0000000..2645296 + +config GRKERNSEC_RWXMAP_LOG + bool 'Denied RWX mmap/mprotect logging' ++ default y if GRKERNSEC_CONFIG_AUTO + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT + help + If you say Y here, calls to mmap() and mprotect() with explicit @@ -49893,6 +49731,7 @@ index 0000000..2645296 + +config GRKERNSEC_DMESG + bool "Dmesg(8) restriction" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, non-root users will not be able to use dmesg(8) + to view up to the last 4kb of messages in the kernel's log buffer. @@ -49904,6 +49743,7 @@ index 0000000..2645296 + +config GRKERNSEC_HARDEN_PTRACE + bool "Deter ptrace-based process snooping" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, TTY sniffers and other malicious monitoring + programs implemented through ptrace will be defeated. If you 
@@ -49920,6 +49760,7 @@ index 0000000..2645296 + +config GRKERNSEC_PTRACE_READEXEC + bool "Require read access to ptrace sensitive binaries" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, unprivileged users will not be able to ptrace unreadable + binaries. This option is useful in environments that @@ -49933,6 +49774,7 @@ index 0000000..2645296 + +config GRKERNSEC_SETXID + bool "Enforce consistent multithreaded privileges" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on (X86 || SPARC64 || PPC || ARM || MIPS) + help + If you say Y here, a change from a root uid to a non-root uid @@ -49947,6 +49789,7 @@ index 0000000..2645296 + +config GRKERNSEC_TPE + bool "Trusted Path Execution (TPE)" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, you will be able to choose a gid to add to the + supplementary groups of users you want to mark as "untrusted." @@ -50003,6 +49846,7 @@ index 0000000..2645296 + +config GRKERNSEC_RANDNET + bool "Larger entropy pools" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, the entropy pools used for many features of Linux + and grsecurity will be doubled in size. Since several grsecurity @@ -50012,6 +49856,7 @@ index 0000000..2645296 + +config GRKERNSEC_BLACKHOLE + bool "TCP/UDP blackhole and LAST_ACK DoS prevention" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on NET + help + If you say Y here, neither TCP resets nor ICMP @@ -50111,11 +49956,12 @@ index 0000000..2645296 + option with name "socket_server_gid" is created. + +endmenu -+menu "Sysctl support" ++menu "Sysctl Support" +depends on GRKERNSEC && SYSCTL + +config GRKERNSEC_SYSCTL + bool "Sysctl support" ++ default y if GRKERNSEC_CONFIG_AUTO + help + If you say Y here, you will be able to change the options that + grsecurity runs with at bootup, without having to recompile your 
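Review bot: With `default y if GRKERNSEC_CONFIG_AUTO` on GRKERNSEC_SYSCTL, every Automatic build carries runtime switches for the grsecurity features, so the hardening picked at build time holds only if those sysctls are locked after boot. The rest of this option's help is outside the hunk and may already say so, but someone who picks Automatic never opens it. The GRKERNSEC_CONFIG_AUTO help in security/Kconfig should carry the reminder, for example `Sysctl support is enabled by this method; set grsec_lock once boot-time settings have been applied.`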
@@ -50146,6 +49992,7 @@ index 0000000..2645296 + +config GRKERNSEC_SYSCTL_ON + bool "Turn on features by default" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC_SYSCTL + help + If you say Y here, instead of having all features enabled in the @@ -50181,8 +50028,6 @@ index 0000000..2645296 + raise this value. + +endmenu -+ -+endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 index 0000000..1b9afa9 @@ -77757,14 +77602,197 @@ index 5c11312..72742b5 100644 write_hex_cnt = 0; for (i = 0; i < logo_clutsize; i++) { diff --git a/security/Kconfig b/security/Kconfig -index ccc61f8..5effdb4 100644 +index ccc61f8..3334dd6 100644 --- a/security/Kconfig 
+++ b/security/Kconfig -@@ -4,6 +4,640 @@ +@@ -4,6 +4,849 @@ menu "Security options" -+source grsecurity/Kconfig ++menu "Grsecurity" ++ ++config GRKERNSEC ++ bool "Grsecurity" ++ select CRYPTO ++ select CRYPTO_SHA256 ++ help ++ If you say Y here, you will be able to configure many features ++ that will enhance the security of your system. It is highly ++ recommended that you say Y here and read through the help ++ for each option so that you fully understand the features and ++ can evaluate their usefulness for your machine. ++ ++choice ++ prompt "Configuration Method" ++ depends on GRKERNSEC ++ default GRKERNSEC_CONFIG_CUSTOM ++ help ++ ++config GRKERNSEC_CONFIG_AUTO ++ bool "Automatic" ++ help ++ If you choose this configuration method, you'll be able to answer a small ++ number of simple questions about how you plan to use this kernel. ++ The settings of grsecurity and PaX will be automatically configured for ++ the highest commonly-used settings within the provided constraints. ++ ++ If you require additional configuration, custom changes can still be made ++ from the "custom configuration" menu. ++ ++config GRKERNSEC_CONFIG_CUSTOM ++ bool "Custom" ++ help ++ If you choose this configuration method, you'll be able to configure all ++ grsecurity and PaX settings manually. Via this method, no options are ++ automatically enabled. ++ ++endchoice ++ ++choice ++ prompt "Usage Type" ++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) ++ default GRKERNSEC_CONFIG_SERVER ++ help ++ ++config GRKERNSEC_CONFIG_SERVER ++ bool "Server" ++ help ++ Choose this option if you plan to use this kernel on a server. ++ ++config GRKERNSEC_CONFIG_DESKTOP ++ bool "Desktop" ++ help ++ Choose this option if you plan to use this kernel on a desktop. 
++ ++endchoice ++ ++choice ++ prompt "Virtualization Type" ++ depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO) ++ default GRKERNSEC_CONFIG_VIRT_NONE ++ help ++ ++config GRKERNSEC_CONFIG_VIRT_NONE ++ bool "None" ++ help ++ Choose this option if this kernel will be run on bare metal. ++ ++config GRKERNSEC_CONFIG_VIRT_GUEST ++ bool "Guest" ++ help ++ Choose this option if this kernel will be run as a VM guest. ++ ++config GRKERNSEC_CONFIG_VIRT_HOST ++ bool "Host" ++ help ++ Choose this option if this kernel will be run as a VM host. ++ ++endchoice ++ ++choice ++ prompt "Virtualization Hardware" ++ depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST)) ++ help ++ ++config GRKERNSEC_CONFIG_VIRT_EPT ++ bool "EPT/RVI Processor Support" ++ depends on X86 ++ help ++ Choose this option if your CPU supports the EPT or RVI features of 2nd-gen ++ hardware virtualization. This allows for additional kernel hardening protections ++ to operate without additional performance impact. ++ ++ To see if your Intel processor supports EPT, see: ++ http://ark.intel.com/Products/VirtualizationTechnology ++ (Most Core i3/5/7 support EPT) ++ ++ To see if your AMD processor supports RVI, see: ++ http://support.amd.com/us/kbarticles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx ++ ++config GRKERNSEC_CONFIG_VIRT_SOFT ++ bool "First-gen/No Hardware Virtualization" ++ help ++ Choose this option if you use an Atom/Pentium/Core 2 processor that either doesn't ++ support hardware virtualization or doesn't support the EPT/RVI extensions. ++ ++endchoice ++ ++choice ++ prompt "Virtualization Software" ++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST)) ++ help ++ ++config GRKERNSEC_CONFIG_VIRT_XEN ++ bool "Xen" ++ help ++ Choose this option if this kernel is running as a Xen guest or host. 
++ ++config GRKERNSEC_CONFIG_VIRT_VMWARE ++ bool "VMWare" ++ help ++ Choose this option if this kernel is running as a VMWare guest or host. ++ ++config GRKERNSEC_CONFIG_VIRT_KVM ++ bool "KVM" ++ help ++ Choose this option if this kernel is running as a KVM guest or host. ++ ++config GRKERNSEC_CONFIG_VIRT_VIRTUALBOX ++ bool "VirtualBox" ++ help ++ Choose this option if this kernel is running as a VirtualBox guest or host. ++ ++endchoice ++ ++choice ++ prompt "Required Priorities" ++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) ++ default GRKERNSEC_CONFIG_PRIORITY_PERF ++ help ++ ++config GRKERNSEC_CONFIG_PRIORITY_PERF ++ bool "Performance" ++ help ++ Choose this option if performance is of highest priority for this deployment ++ of grsecurity. Features like UDEREF on a 64bit kernel, kernel stack clearing, ++ and freed memory sanitizing will be disabled. ++ ++config GRKERNSEC_CONFIG_PRIORITY_SECURITY ++ bool "Security" ++ help ++ Choose this option if security is of highest priority for this deployment of ++ grsecurity. UDEREF, kernel stack clearing, and freed memory sanitizing will ++ be enabled for this kernel. In a worst-case scenario, these features can ++ introduce a 20% performance hit (UDEREF on x64 contributing half of this hit). ++ ++endchoice ++ ++menu "Default Special Groups" ++depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) ++ ++config GRKERNSEC_PROC_GID ++ int "GID exempted from /proc restrictions" ++ default 1001 ++ help ++ Setting this GID determines which group will be exempted from ++ grsecurity's /proc restrictions, allowing users of the specified ++ group to view network statistics and the existence of other users' ++ processes on the system. ++ ++config GRKERNSEC_TPE_GID ++ int "GID for untrusted users" ++ default 1005 ++ help ++ Setting this GID determines which group untrusted users should ++ be added to. These users will be placed under grsecurity's Trusted Path ++ Execution mechanism, preventing them from executing their own binaries. 
++ The users will only be able to execute binaries in directories owned and ++ writable only by the root user. ++ ++endmenu ++ ++menu "Customize Configuration" ++depends on GRKERNSEC + +menu "PaX" + @@ -77789,6 +77817,7 @@ index ccc61f8..5effdb4 100644 + +config PAX + bool "Enable various PaX features" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) + help + This allows you to enable various PaX features. PaX adds @@ -77812,6 +77841,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_EI_PAX + bool 'Use legacy ELF header marking' ++ default y if GRKERNSEC_CONFIG_AUTO + help + Enabling this option will allow you to control PaX features on + a per executable basis via the 'chpax' utility available at @@ -77831,6 +77861,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_PT_PAX_FLAGS + bool 'Use ELF program header marking' ++ default y if GRKERNSEC_CONFIG_AUTO + help + Enabling this option will allow you to control PaX features on + a per executable basis via the 'paxctl' utility available at @@ -77852,6 +77883,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_XATTR_PAX_FLAGS + bool 'Use filesystem extended attributes marking' ++ default y if GRKERNSEC_CONFIG_AUTO + select CIFS_XATTR if CIFS + select EXT2_FS_XATTR if EXT2_FS + select EXT3_FS_XATTR if EXT3_FS @@ -77913,6 +77945,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_NOEXEC + bool "Enforce non-executable pages" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86 + help + By design some architectures do not allow for protecting memory 
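Review bot: The "Default Special Groups" menu hard-codes `default 1001` for GRKERNSEC_PROC_GID and `default 1005` for GRKERNSEC_TPE_GID, and both fall in the range many distributions hand out to ordinary user groups. Since this commit also turns GRKERNSEC_PROC_USERGROUP and GRKERNSEC_TPE on under Automatic, an unrelated group with GID 1001 would be exempt from the /proc restrictions, and one with GID 1005 would be placed under TPE, without anyone having chosen that. 0000_README lists 4450_grsec-kconfig-default-gids.patch for this purpose; its hunks are not visible here, so confirm that it now patches these definitions in security/Kconfig as well as the ones in grsecurity/Kconfig. The help text should also say it, e.g. `Make sure this GID is not already assigned to an ordinary user group.`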
@@ -77941,6 +77974,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_PAGEEXEC + bool "Paging based non-executable pages" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7) + select S390_SWITCH_AMODE if S390 + select S390_EXEC_PROTECT if S390 @@ -77963,6 +77997,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_SEGMEXEC + bool "Segmentation based non-executable pages" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on PAX_NOEXEC && X86_32 + help + This implementation is based on the segmentation feature of the @@ -78029,6 +78064,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_MPROTECT + bool "Restrict mprotect()" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) + help + Enabling this option will prevent programs from @@ -78046,8 +78082,8 @@ index ccc61f8..5effdb4 100644 + +config PAX_MPROTECT_COMPAT + bool "Use legacy/compat protection demoting (read help)" ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP) + depends on PAX_MPROTECT -+ default n + help + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects + by sending the proper error code to the application. For some broken @@ -78122,6 +78158,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_KERNEXEC + bool "Enforce non-executable kernel pages" ++ default y if GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM)) + depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) + select PAX_KERNEXEC_PLUGIN if X86_64 
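Review bot: The new PAX_KERNEXEC default can never be y on PPC, although the option still has `depends on (PPC || X86)`. Every term after `GRKERNSEC_CONFIG_AUTO &&` is a GRKERNSEC_CONFIG_VIRT_* symbol, and the "Virtualization Type" choice that sets them has `depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO)`. An Automatic build on PPC therefore ends up without KERNEXEC and with no indication of why. If that is not intended, admit non-x86 explicitly: `default y if GRKERNSEC_CONFIG_AUTO && (!X86 || GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM))`. If it is intended, a `#` comment above the default should say so.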
@@ -78163,7 +78200,8 @@ index ccc61f8..5effdb4 100644 + +config PAX_KERNEXEC_MODULE_TEXT + int "Minimum amount of memory reserved for module code" -+ default "4" ++ default "4" if (!GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_SERVER) ++ default "12" if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP) + depends on PAX_KERNEXEC && X86_32 && MODULES + help + Due to implementation details the kernel must reserve a fixed @@ -78188,6 +78226,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_ASLR + bool "Address Space Layout Randomization" ++ default y if GRKERNSEC_CONFIG_AUTO + help + Many if not most exploit techniques rely on the knowledge of + certain addresses in the attacked program. The following options @@ -78217,6 +78256,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_RANDKSTACK + bool "Randomize kernel stack base" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on X86_TSC && X86 + help + By saying Y here the kernel will randomize every task's kernel @@ -78231,6 +78271,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_RANDUSTACK + bool "Randomize user stack base" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on PAX_ASLR + help + By saying Y here the kernel will randomize every task's userland @@ -78243,6 +78284,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_RANDMMAP + bool "Randomize mmap() base" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on PAX_ASLR + help + By saying Y here the kernel will use a randomized base address for @@ -78269,6 +78311,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_MEMORY_SANITIZE + bool "Sanitize all freed memory" ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) + depends on !HIBERNATION + help + By saying Y here the kernel will erase memory pages as soon as they 
@@ -78291,6 +78334,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_MEMORY_STACKLEAK + bool "Sanitize kernel stack" ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) + depends on X86 + help + By saying Y here the kernel will erase the kernel stack before it @@ -78315,6 +78359,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_MEMORY_UDEREF + bool "Prevent invalid userland pointer dereference" ++ default y if GRKERNSEC_CONFIG_AUTO && (X86_32 || (X86_64 && GRKERNSEC_CONFIG_PRIORITY_SECURITY)) && (GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT) + depends on X86 && !UML_X86 && !XEN + select PAX_PER_CPU_PGD if X86_64 + help @@ -78334,6 +78379,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_REFCOUNT + bool "Prevent various kernel object reference counter overflows" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on GRKERNSEC && ((ARM && (CPU_32v6 || CPU_32v6K || CPU_32v7)) || SPARC64 || X86) + help + By saying Y here the kernel will detect and prevent overflowing @@ -78353,6 +78399,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_USERCOPY + bool "Harden heap object copies between kernel and userland" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on X86 || PPC || SPARC || ARM + depends on GRKERNSEC && (SLAB || SLUB || SLOB) + help @@ -78382,6 +78429,7 @@ index ccc61f8..5effdb4 100644 + +config PAX_SIZE_OVERFLOW + bool "Prevent various integer overflows in function size parameters" ++ default y if GRKERNSEC_CONFIG_AUTO + depends on X86 + help + By saying Y here the kernel recomputes expressions of function @@ -78398,10 +78446,16 @@ index ccc61f8..5effdb4 100644 + +endmenu + ++source grsecurity/Kconfig ++ ++endmenu ++ ++endmenu ++ config KEYS bool "Enable access key retention support" help -@@ -169,7 +803,7 @@ config INTEL_TXT +@@ -169,7 +1012,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX 
diff --git a/3.4.4/4445_grsec-pax-without-grsec.patch b/3.4.4/4445_grsec-pax-without-grsec.patch
deleted file mode 100644
index 35255c2..0000000
--- a/3.4.4/4445_grsec-pax-without-grsec.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -ny G. Basile <blueness@gentoo.org> - -With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and -pax_report_om_user in fs/exec.c were consolidated into pax_report_usercopy. -This patch has been updated to reflect that change. - -With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn. -This patch has been updated to reflect that change. --- -From: Jory Pratt <anarchy@gentoo.org> -Updated patch for kernel 2.6.32 - -The credits/description from the original version of this patch remain accurate -and are included below. --- -From: Gordon Malm <gengor@gentoo.org> - -Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC. - -This patch has been updated to keep current with newer kernel versions. -The original version of this patch contained no credits/description. - -diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c ---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400 -+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400 -@@ -657,10 +657,12 @@ - - #ifdef CONFIG_PAX_KERNEXEC - if (init_mm.start_code <= address && address < init_mm.end_code) { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", - ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); - else -+#endif - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", - current->comm, task_pid_nr(current), current_uid(), current_euid()); - } -diff -Naur a/fs/exec.c b/fs/exec.c ---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400 -+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400 -@@ -2052,9 +2052,11 @@ - } - up_read(&mm->mmap_sem); - } -+#ifdef CONFIG_GRKERNSEC - if (tsk->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset); - else 
-+#endif - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), -@@ -2069,10 +2071,12 @@ - #ifdef CONFIG_PAX_REFCOUNT - void pax_report_refcount_overflow(struct pt_regs *regs) - { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", - ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); - else -+#endif - printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", - current->comm, task_pid_nr(current), current_uid(), current_euid()); - print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); -@@ -2131,10 +2135,12 @@ - - __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) - { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", - ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); - else -+#endif - printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", - to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); - dump_stack(); -diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400 -+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400 -@@ -29,7 +29,7 @@ - - config PAX - bool "Enable various PaX features" -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) - help - This allows you to enable various PaX features. 
PaX adds - intrusion prevention mechanisms to the kernel that reduce diff --git a/3.4.4/4450_grsec-kconfig-default-gids.patch b/3.4.4/4450_grsec-kconfig-default-gids.patch index 123f877..a728d1a 100644 --- a/3.4.4/4450_grsec-kconfig-default-gids.patch +++ b/3.4.4/4450_grsec-kconfig-default-gids.patch @@ -1,3 +1,7 @@ +From: Anthony G. Basile <blueness@gentoo.org> +Updated patch for the new Kconfig system for >=3.4.4 + +--- From: Kerin Millar <kerframil@gmail.com> grsecurity contains a number of options which allow certain protections @@ -9,19 +13,10 @@ attention to the finer points of kernel configuration, it is probably wise to specify some reasonable defaults so as to stop careless users from shooting themselves in the foot. -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500 -+++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500 -@@ -443,7 +443,7 @@ - config GRKERNSEC_PROC_GID - int "GID for special group" - depends on GRKERNSEC_PROC_USERGROUP -- default 1001 -+ default 10 - - config GRKERNSEC_PROC_ADD - bool "Additional restrictions" -@@ -671,7 +671,7 @@ +diff -Nuar a/grsecurity/Kconfig b/Kconfig +--- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400 ++++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400 +@@ -495,7 +495,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -30,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -875,7 +875,7 @@ +@@ -710,7 +710,7 @@ config GRKERNSEC_TPE_GID int "GID for untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT 
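Review bot: The regenerated inner header in the second hunk of 4450_grsec-kconfig-default-gids.patch reads `diff -Nuar a/grsecurity/Kconfig b/Kconfig`, which does not match the `+++ b/grsecurity/Kconfig` line directly below it. patch normally takes the target from the `---`/`+++` lines, so this probably still applies, but the command line should read `diff -Nuar a/grsecurity/Kconfig b/grsecurity/Kconfig` so that tools and readers that look at it are not misled. The same hunk drops the grsecurity/Kconfig change to GRKERNSEC_PROC_GID; its replacement is the security/Kconfig hunk added at the end of this file.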
@@ -39,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -884,7 +884,7 @@ +@@ -719,7 +719,7 @@ config GRKERNSEC_TPE_GID int "GID for trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -48,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -957,7 +957,7 @@ +@@ -794,7 +794,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -57,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -978,7 +978,7 @@ +@@ -815,7 +815,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -66,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -996,7 +996,7 @@ +@@ -833,7 +833,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER 
@@ -75,3 +70,24 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable server socket access for. Remember to add the users you want server socket access disabled for to +diff -Nuar a/security/Kconfig b/security/Kconfig +--- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400 ++++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400 +@@ -167,7 +167,7 @@ + + config GRKERNSEC_PROC_GID + int "GID exempted from /proc restrictions" +- default 1001 ++ default 10 + help + Setting this GID determines which group will be exempted from + grsecurity's /proc restrictions, allowing users of the specified +@@ -176,7 +176,7 @@ + + config GRKERNSEC_TPE_GID + int "GID for untrusted users" +- default 1005 ++ default 100 + help + Setting this GID determines which group untrusted users should + be added to. These users will be placed under grsecurity's Trusted Path diff --git a/3.4.4/4455_grsec-kconfig-gentoo.patch b/3.4.4/4455_grsec-kconfig-gentoo.patch deleted file mode 100644 index b9dc3e5..0000000 --- a/3.4.4/4455_grsec-kconfig-gentoo.patch +++ /dev/null 
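Review bot: The two defaults added for security/Kconfig in the last hunk of 4450 (`default 10` for GRKERNSEC_PROC_GID, `default 100` for GRKERNSEC_TPE_GID) are bare group numbers, and the patch header does not say which groups they are meant to be. GID 10 is exempted from the /proc restrictions and GID 100 is placed under Trusted Path Execution, so on a system with different group numbering the exemption or the restriction lands on an unintended group. I would add a header line such as `Defaults assume wheel=10 and users=100; adjust if your group numbering differs.` (the group names are my assumption and need confirming). The security/Kconfig entry for GRKERNSEC_TPE_GID shows no `depends on`, while an earlier hunk shows a grsecurity/Kconfig entry "GID for trusted users" under GRKERNSEC_TPE_INVERT, so it is worth checking that 100 does not become the trusted group in that configuration.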
@@ -1,357 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> -From: Gordon Malm <gengor@gentoo.org> -From: Jory A. Pratt <anarchy@gentoo.org> -From: Kerin Millar <kerframil@gmail.com> - -Add Hardened Gentoo [server/workstation] predefined grsecurity -levels. They're designed to provide a comparitively high level of -security while remaining generally suitable for as great a majority -of the userbase as possible (particularly new users). - -Make Hardened Gentoo [workstation] predefined grsecurity level the -default. The Hardened Gentoo [server] level is more restrictive -and conflicts with some software and thus would be less suitable. - -The original version of this patch was conceived and created by: -Ned Ludd <solar@gentoo.org> - -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 -+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 -@@ -18,7 +18,7 @@ - choice - prompt "Security Level" - depends on GRKERNSEC -- default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION - - config GRKERNSEC_LOW - bool "Low" -@@ -192,6 +192,262 @@ - - Restricted sysfs/debugfs - - Active kernel exploit response - -+config GRKERNSEC_HARDENED_SERVER -+ bool "Hardened Gentoo [server]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_SYSFS_RESTRICT -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ 
select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [server]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred -+ security level if the system will not be utilizing software incompatible -+ with these features. 
-+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. -+ -+config GRKERNSEC_HARDENED_WORKSTATION -+ bool "Hardened Gentoo [workstation]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK 
if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [workstation]" level is identical to the -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred -+ security level if the system will be utilizing software incompatible -+ with these features. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. 
-+ -+config GRKERNSEC_HARDENED_VIRTUALIZATION -+ bool "Hardened Gentoo [virtualization]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for 
grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [virtualization]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred -+ security level if the system will be utilizing virtualization software -+ incompatible with these features, like VirtualBox or kvm. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. 
-+ - config GRKERNSEC_CUSTOM - bool "Custom" - help -diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 -+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 -@@ -363,9 +363,10 @@ - - config PAX_KERNEXEC - bool "Enforce non-executable kernel pages" -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) - select PAX_KERNEXEC_PLUGIN if X86_64 -+ default y if GRKERNSEC_HARDENED_WORKSTATION - help - This is the kernel land equivalent of PAGEEXEC and MPROTECT, - that is, enabling this option will make it harder to inject -@@ -376,30 +377,30 @@ - - choice - prompt "Return Address Instrumentation Method" -- default PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ default PAX_KERNEXEC_PLUGIN_METHOD_OR - depends on PAX_KERNEXEC_PLUGIN - help - Select the method used to instrument function pointer dereferences. - Note that binary modules cannot be instrumented by this approach. - -- config PAX_KERNEXEC_PLUGIN_METHOD_BTS -- bool "bts" -- help -- This method is compatible with binary only modules but has -- a higher runtime overhead. -- - config PAX_KERNEXEC_PLUGIN_METHOD_OR - bool "or" - depends on !PARAVIRT - help - This method is incompatible with binary only modules but has - a lower runtime overhead. -+ -+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ bool "bts" -+ help -+ This method is compatible with binary only modules but has -+ a higher runtime overhead. 
- endchoice - - config PAX_KERNEXEC_PLUGIN_METHOD - string -- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS - default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR -+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS - default "" - - config PAX_KERNEXEC_MODULE_TEXT -@@ -556,8 +557,9 @@ - - config PAX_MEMORY_UDEREF - bool "Prevent invalid userland pointer dereference" -- depends on X86 && !UML_X86 && !XEN -+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION - select PAX_PER_CPU_PGD if X86_64 -+ default y if GRKERNSEC_HARDENED_WORKSTATION - help - By saying Y here the kernel will be prevented from dereferencing - userland pointers in contexts where the kernel expects only kernel diff --git a/3.4.4/4460-grsec-kconfig-proc-user.patch b/3.4.4/4460-grsec-kconfig-proc-user.patch deleted file mode 100644 index b2b3188..0000000 --- a/3.4.4/4460-grsec-kconfig-proc-user.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> - -Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP -in a different way to avoid bug #366019. This patch should eventually go upstream. - -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400 -+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400 -@@ -680,7 +680,7 @@ - - config GRKERNSEC_PROC_USER - bool "Restrict /proc to user only" -- depends on GRKERNSEC_PROC -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP - help - If you say Y here, non-root users will only be able to view their own - processes, and restricts them from viewing network-related information, -@@ -688,7 +688,7 @@ - - config GRKERNSEC_PROC_USERGROUP - bool "Allow special group" -- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER -+ depends on GRKERNSEC_PROC - help - If you say Y here, you will be able to select a group that will be - able to view all processes and network-related information. If you've 
diff --git a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch index 5a9d80c..fe28523 100644 --- a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1309,6 +1309,27 @@ +@@ -892,6 +892,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.4.4/4470_disable-compat_vdso.patch b/3.4.4/4470_disable-compat_vdso.patch index c40f44f..2a637c1 100644 --- a/3.4.4/4470_disable-compat_vdso.patch +++ b/3.4.4/4470_disable-compat_vdso.patch @@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 -@@ -1694,17 +1694,8 @@ +@@ -1678,17 +1678,8 @@ config COMPAT_VDSO def_bool n |