author | Anthony G. Basile <blueness@gentoo.org> | 2012-07-09 19:55:51 -0400 |
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-07-09 19:55:51 -0400 |
commit | 386d50181178e9320f033575d3eabc2017a7b7ae (patch) | |
tree | 782831dae9efebcd02869117623444407bfe16cf | |
parent | Grsec/PaX: 2.9-{2.6.32.59,3.2.22,3.4.4}-201207080925 (diff) | |
Sync gentoo patches with new Kconfig structure
-rw-r--r-- | 2.6.32/0000_README | 16 | ||||
-rw-r--r-- | 2.6.32/4445_grsec-pax-without-grsec.patch | 91 | ||||
-rw-r--r-- | 2.6.32/4450_grsec-kconfig-default-gids.patch | 43 | ||||
-rw-r--r-- | 2.6.32/4455_grsec-kconfig-gentoo.patch | 357 | ||||
-rw-r--r-- | 2.6.32/4460-grsec-kconfig-proc-user.patch | 26 | ||||
-rw-r--r-- | 2.6.32/4465_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 2.6.32/4470_disable-compat_vdso.patch | 2 | ||||
-rw-r--r-- | 3.2.22/0000_README | 16 | ||||
-rw-r--r-- | 3.2.22/4445_grsec-pax-without-grsec.patch | 91 | ||||
-rw-r--r-- | 3.2.22/4455_grsec-kconfig-gentoo.patch | 357 | ||||
-rw-r--r-- | 3.2.22/4460-grsec-kconfig-proc-user.patch | 26 | ||||
-rw-r--r-- | 3.4.4/0000_README | 4 |
12 files changed, 31 insertions, 1000 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 2011830..a0df600 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -48,27 +48,11 @@ Patch: 4440_grsec-remove-protected-paths.patch From: Anthony G. Basile <blueness@gentoo.org> Desc: Removes chmod statements from grsecurity/Makefile -Patch: 4445_grsec-pax-without-grsec.patch -From: Gordon Malm <gengor@gentoo.org> -Desc: Allows PaX features to be selected without enabling GRKERNSEC - Patch: 4450_grsec-kconfig-default-gids.patch From: Kerin Millar <kerframil@gmail.com> Desc: Sets sane(r) default GIDs on various grsecurity group-dependent features -Patch: 4455_grsec-kconfig-gentoo.patch -From: Gordon Malm <gengor@gentoo.org> - Kerin Millar <kerframil@gmail.com> - Anthony G. Basile <blueness@gentoo.org> -Desc: Adds Hardened Gentoo [server/workstation/virtualization] security - levels, sets Hardened Gentoo [workstation] as default - -Patch: 4460-grsec-kconfig-proc-user.patch -From: Anthony G. Basile <blueness@gentoo.org> -Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually - exclusive to avoid bug #366019. - Patch: 4465_selinux-avc_audit-log-curr_ip.patch From: Gordon Malm <gengor@gentoo.org> Anthony G. Basile <blueness@gentoo.org> diff --git a/2.6.32/4445_grsec-pax-without-grsec.patch b/2.6.32/4445_grsec-pax-without-grsec.patch deleted file mode 100644 index f07b2df..0000000 --- a/2.6.32/4445_grsec-pax-without-grsec.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> - -With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and -pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy. -This patch has been updated to reflect that change. - -With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn. -This patch has been updated to reflect that change. --- -From: Jory Pratt <anarchy@gentoo.org> -Updated patch for kernel 2.6.32 - -The credits/description from the original version of this patch remain accurate -and are included below. --- -From: Gordon Malm <gengor@gentoo.org> - -Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC. - -This patch has been updated to keep current with newer kernel versions. -The original version of this patch contained no credits/description. - -diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c ---- a/arch/x86/mm/fault.c 2011-04-17 18:15:54.000000000 -0400 -+++ b/arch/x86/mm/fault.c 2011-04-17 18:28:11.000000000 -0400 -@@ -662,10 +662,12 @@ - - #ifdef CONFIG_PAX_KERNEXEC - if (init_mm.start_code <= address && address < init_mm.end_code) { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", - ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); - else -+#endif - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", - current->comm, task_pid_nr(current), current_uid(), current_euid()); - } -diff -Naur a/fs/exec.c b/fs/exec.c ---- a/fs/exec.c 2011-04-17 18:15:55.000000000 -0400 -+++ b/fs/exec.c 2011-04-17 18:29:40.000000000 -0400 -@@ -1849,9 +1849,11 @@ - } - up_read(&mm->mmap_sem); - } -+#ifdef CONFIG_GRKERNSEC - if (tsk->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, 
end, offset); - else -+#endif - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), -@@ -1866,10 +1868,12 @@ - #ifdef CONFIG_PAX_REFCOUNT - void pax_report_refcount_overflow(struct pt_regs *regs) - { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", - ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); - else -+#endif - printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", - current->comm, task_pid_nr(current), current_uid(), current_euid()); - print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); -@@ -1928,10 +1932,12 @@ - - __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) - { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", - ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); - else -+#endif - printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", - to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); - -diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-04-17 18:15:55.000000000 -0400 -+++ b/security/Kconfig 2011-04-17 18:28:11.000000000 -0400 -@@ -29,7 +29,7 @@ - - config PAX - bool "Enable various PaX features" -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) - help - This allows you to enable various PaX features. 
PaX adds - intrusion prevention mechanisms to the kernel that reduce diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch index 8c6f609..038bb2e 100644 --- a/2.6.32/4450_grsec-kconfig-default-gids.patch +++ b/2.6.32/4450_grsec-kconfig-default-gids.patch @@ -1,3 +1,7 @@ +From: Anthony G. Basile <blueness@gentoo.org> +Updated patch for the new Kconfig system for >=3.4.4 + +--- From: Kerin Millar <kerframil@gmail.com> grsecurity contains a number of options which allow certain protections @@ -9,19 +13,10 @@ attention to the finer points of kernel configuration, it is probably wise to specify some reasonable defaults so as to stop careless users from shooting themselves in the foot. -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-12-12 15:11:47.000000000 -0500 -+++ b/grsecurity/Kconfig 2011-12-12 15:13:17.000000000 -0500 -@@ -442,7 +442,7 @@ - config GRKERNSEC_PROC_GID - int "GID for special group" - depends on GRKERNSEC_PROC_USERGROUP -- default 1001 -+ default 10 - - config GRKERNSEC_PROC_ADD - bool "Additional restrictions" -@@ -670,7 +670,7 @@ +diff -Nuar a/grsecurity/Kconfig b/Kconfig +--- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400 ++++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400 +@@ -519,7 +519,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -30,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -874,7 +874,7 @@ +@@ -734,7 +734,7 @@ config GRKERNSEC_TPE_GID int "GID for untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT 
@@ -39,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -883,7 +883,7 @@ +@@ -743,7 +743,7 @@ config GRKERNSEC_TPE_GID int "GID for trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -48,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -956,7 +956,7 @@ +@@ -818,7 +818,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -57,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -977,7 +977,7 @@ +@@ -839,7 +839,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -66,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -995,7 +995,7 @@ +@@ -857,7 +857,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER 
@@ -75,3 +70,15 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable server socket access for. Remember to add the users you want server socket access disabled for to +diff -Nuar a/security/Kconfig b/security/Kconfig +--- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400 ++++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400 +@@ -186,7 +186,7 @@ + + config GRKERNSEC_PROC_GID + int "GID exempted from /proc restrictions" +- default 1001 ++ default 10 + help + Setting this GID determines which group will be exempted from + grsecurity's /proc restrictions, allowing users of the specified diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch deleted file mode 100644 index e18ba0b..0000000 --- a/2.6.32/4455_grsec-kconfig-gentoo.patch +++ /dev/null 
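Review bot: The rewritten header of 2.6.32/4450_grsec-kconfig-default-gids.patch introduces `+diff -Nuar a/grsecurity/Kconfig b/Kconfig`, whose second path disagrees with the `+++ b/grsecurity/Kconfig` line directly below it; `patch` takes the target from the `---`/`+++` pair so the hunk still applies, but the mismatch reads like a typo and should be `diff -Nuar a/grsecurity/Kconfig b/grsecurity/Kconfig`. The added description line `Updated patch for the new Kconfig system for >=3.4.4` lives in the 2.6.32/ copy of the patch; if the 2.6.32 grsecurity release adopted the same layout, saying so explicitly (e.g. `Updated for the new Kconfig layout: GRKERNSEC_PROC_GID now lives in security/Kconfig`) would explain why the GRKERNSEC_PROC_GID hunk moved out of grsecurity/Kconfig. Since the relocated block shows `int "GID exempted from /proc restrictions"` with no `depends on GRKERNSEC_PROC_USERGROUP` visible in the new hunk context, the description should also state which group the new `default 10` maps to on Gentoo (wheel on a default baselayout install — confirm), because that group is the one exempted from the /proc restrictions whenever they are enabled.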
@@ -1,357 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> -From: Gordon Malm <gengor@gentoo.org> -From: Jory A. Pratt <anarchy@gentoo.org> -From: Kerin Millar <kerframil@gmail.com> - -Add Hardened Gentoo [server/workstation] predefined grsecurity -levels. They're designed to provide a comparitively high level of -security while remaining generally suitable for as great a majority -of the userbase as possible (particularly new users). - -Make Hardened Gentoo [workstation] predefined grsecurity level the -default. The Hardened Gentoo [server] level is more restrictive -and conflicts with some software and thus would be less suitable. - -The original version of this patch was conceived and created by: -Ned Ludd <solar@gentoo.org> - -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 -+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 -@@ -18,7 +18,7 @@ - choice - prompt "Security Level" - depends on GRKERNSEC -- default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION - - config GRKERNSEC_LOW - bool "Low" -@@ -192,6 +192,262 @@ - - Restricted sysfs/debugfs - - Active kernel exploit response - -+config GRKERNSEC_HARDENED_SERVER -+ bool "Hardened Gentoo [server]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_SYSFS_RESTRICT -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ 
select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [server]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred -+ security level if the system will not be utilizing software incompatible -+ with these features. 
-+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. -+ -+config GRKERNSEC_HARDENED_WORKSTATION -+ bool "Hardened Gentoo [workstation]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK 
if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [workstation]" level is identical to the -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred -+ security level if the system will be utilizing software incompatible -+ with these features. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. 
-+ -+config GRKERNSEC_HARDENED_VIRTUALIZATION -+ bool "Hardened Gentoo [virtualization]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for 
grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [virtualization]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred -+ security level if the system will be utilizing virtualization software -+ incompatible with these features, like VirtualBox or kvm. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. 
-+ - config GRKERNSEC_CUSTOM - bool "Custom" - help -diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 -+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 -@@ -360,9 +360,10 @@ - - config PAX_KERNEXEC - bool "Enforce non-executable kernel pages" -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) - select PAX_KERNEXEC_PLUGIN if X86_64 -+ default y if GRKERNSEC_HARDENED_WORKSTATION - help - This is the kernel land equivalent of PAGEEXEC and MPROTECT, - that is, enabling this option will make it harder to inject -@@ -373,30 +374,30 @@ - - choice - prompt "Return Address Instrumentation Method" -- default PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ default PAX_KERNEXEC_PLUGIN_METHOD_OR - depends on PAX_KERNEXEC_PLUGIN - help - Select the method used to instrument function pointer dereferences. - Note that binary modules cannot be instrumented by this approach. - -- config PAX_KERNEXEC_PLUGIN_METHOD_BTS -- bool "bts" -- help -- This method is compatible with binary only modules but has -- a higher runtime overhead. -- - config PAX_KERNEXEC_PLUGIN_METHOD_OR - bool "or" - depends on !PARAVIRT - help - This method is incompatible with binary only modules but has - a lower runtime overhead. -+ -+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ bool "bts" -+ help -+ This method is compatible with binary only modules but has -+ a higher runtime overhead. 
- endchoice - - config PAX_KERNEXEC_PLUGIN_METHOD - string -- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS - default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR -+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS - default "" - - config PAX_KERNEXEC_MODULE_TEXT -@@ -553,8 +554,9 @@ - - config PAX_MEMORY_UDEREF - bool "Prevent invalid userland pointer dereference" -- depends on X86 && !UML_X86 && !XEN -+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION - select PAX_PER_CPU_PGD if X86_64 -+ default y if GRKERNSEC_HARDENED_WORKSTATION - help - By saying Y here the kernel will be prevented from dereferencing - userland pointers in contexts where the kernel expects only kernel diff --git a/2.6.32/4460-grsec-kconfig-proc-user.patch b/2.6.32/4460-grsec-kconfig-proc-user.patch deleted file mode 100644 index 8409e87..0000000 --- a/2.6.32/4460-grsec-kconfig-proc-user.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> - -Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP -in a different way to avoid bug #366019. This patch should eventually go upstream. - -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400 -+++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400 -@@ -679,7 +679,7 @@ - - config GRKERNSEC_PROC_USER - bool "Restrict /proc to user only" -- depends on GRKERNSEC_PROC -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP - help - If you say Y here, non-root users will only be able to view their own - processes, and restricts them from viewing network-related information, -@@ -687,7 +687,7 @@ - - config GRKERNSEC_PROC_USERGROUP - bool "Allow special group" -- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER -+ depends on GRKERNSEC_PROC - help - If you say Y here, you will be able to select a group that will be - able to view all processes and network-related information. If you've 
diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch index 43147a7..67d09ef 100644 --- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch +++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400 -@@ -1308,6 +1308,27 @@ +@@ -916,6 +916,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/2.6.32/4470_disable-compat_vdso.patch b/2.6.32/4470_disable-compat_vdso.patch index c8e1aeb..a54092e 100644 --- a/2.6.32/4470_disable-compat_vdso.patch +++ b/2.6.32/4470_disable-compat_vdso.patch @@ -27,7 +27,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 -@@ -1616,17 +1616,8 @@ +@@ -1625,17 +1625,8 @@ config COMPAT_VDSO def_bool n diff --git a/3.2.22/0000_README b/3.2.22/0000_README index b314927..ccfefdd 100644 --- a/3.2.22/0000_README +++ b/3.2.22/0000_README @@ -20,27 +20,11 @@ Patch: 4440_grsec-remove-protected-paths.patch From: Anthony G. Basile <blueness@gentoo.org> Desc: Removes chmod statements from grsecurity/Makefile -Patch: 4445_grsec-pax-without-grsec.patch -From: Gordon Malm <gengor@gentoo.org> -Desc: Allows PaX features to be selected without enabling GRKERNSEC - Patch: 4450_grsec-kconfig-default-gids.patch 
From: Kerin Millar <kerframil@gmail.com> Desc: Sets sane(r) default GIDs on various grsecurity group-dependent features -Patch: 4455_grsec-kconfig-gentoo.patch -From: Gordon Malm <gengor@gentoo.org> - Kerin Millar <kerframil@gmail.com> - Anthony G. Basile <blueness@gentoo.org> -Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels, - sets Hardened Gentoo [workstation] as default - -Patch: 4460-grsec-kconfig-proc-user.patch -From: Anthony G. Basile <blueness@gentoo.org> -Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually - exclusive to avoid bug #366019. - Patch: 4465_selinux-avc_audit-log-curr_ip.patch From: Gordon Malm <gengor@gentoo.org> Anthony G. Basile <blueness@gentoo.org> diff --git a/3.2.22/4445_grsec-pax-without-grsec.patch b/3.2.22/4445_grsec-pax-without-grsec.patch deleted file mode 100644 index 58301c0..0000000 --- a/3.2.22/4445_grsec-pax-without-grsec.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> - -With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and -pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy. -This patch has been updated to reflect that change. - -With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn. -This patch has been updated to reflect that change. --- -From: Jory Pratt <anarchy@gentoo.org> -Updated patch for kernel 2.6.32 - -The credits/description from the original version of this patch remain accurate -and are included below. --- -From: Gordon Malm <gengor@gentoo.org> - -Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC. - -This patch has been updated to keep current with newer kernel versions. -The original version of this patch contained no credits/description. - -diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c ---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400 -+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400 -@@ -657,10 +657,12 @@ - - #ifdef CONFIG_PAX_KERNEXEC - if (init_mm.start_code <= address && address < init_mm.end_code) { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", - ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); - else -+#endif - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", - current->comm, task_pid_nr(current), current_uid(), current_euid()); - } -diff -Naur a/fs/exec.c b/fs/exec.c ---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400 -+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400 -@@ -2048,9 +2048,11 @@ - } - up_read(&mm->mmap_sem); - } -+#ifdef CONFIG_GRKERNSEC - if (tsk->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, 
end, offset); - else -+#endif - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), -@@ -2065,10 +2067,12 @@ - #ifdef CONFIG_PAX_REFCOUNT - void pax_report_refcount_overflow(struct pt_regs *regs) - { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", - ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); - else -+#endif - printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", - current->comm, task_pid_nr(current), current_uid(), current_euid()); - print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); -@@ -2127,10 +2131,12 @@ - - __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) - { -+#ifdef CONFIG_GRKERNSEC - if (current->signal->curr_ip) - printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", - ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); - else -+#endif - printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", - to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); - dump_stack(); -diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400 -+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400 -@@ -29,7 +29,7 @@ - - config PAX - bool "Enable various PaX features" -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) - help - This allows you to enable various PaX features. 
PaX adds - intrusion prevention mechanisms to the kernel that reduce diff --git a/3.2.22/4455_grsec-kconfig-gentoo.patch b/3.2.22/4455_grsec-kconfig-gentoo.patch deleted file mode 100644 index 87b5454..0000000 --- a/3.2.22/4455_grsec-kconfig-gentoo.patch +++ /dev/null 
@@ -1,357 +0,0 @@ -From: Anthony G. Basile <blueness@gentoo.org> -From: Gordon Malm <gengor@gentoo.org> -From: Jory A. Pratt <anarchy@gentoo.org> -From: Kerin Millar <kerframil@gmail.com> - -Add Hardened Gentoo [server/workstation] predefined grsecurity -levels. They're designed to provide a comparitively high level of -security while remaining generally suitable for as great a majority -of the userbase as possible (particularly new users). - -Make Hardened Gentoo [workstation] predefined grsecurity level the -default. The Hardened Gentoo [server] level is more restrictive -and conflicts with some software and thus would be less suitable. - -The original version of this patch was conceived and created by: -Ned Ludd <solar@gentoo.org> - -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 -+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 -@@ -18,7 +18,7 @@ - choice - prompt "Security Level" - depends on GRKERNSEC -- default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION - - config GRKERNSEC_LOW - bool "Low" -@@ -192,6 +192,262 @@ - - Restricted sysfs/debugfs - - Active kernel exploit response - -+config GRKERNSEC_HARDENED_SERVER -+ bool "Hardened Gentoo [server]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_SYSFS_RESTRICT -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ 
select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [server]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred -+ security level if the system will not be utilizing software incompatible -+ with these features. 
-+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. -+ -+config GRKERNSEC_HARDENED_WORKSTATION -+ bool "Hardened Gentoo [workstation]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK 
if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [workstation]" level is identical to the -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred -+ security level if the system will be utilizing software incompatible -+ with these features. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. 
-+ -+config GRKERNSEC_HARDENED_VIRTUALIZATION -+ bool "Hardened Gentoo [virtualization]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for 
grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [virtualization]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred -+ security level if the system will be utilizing virtualization software -+ incompatible with these features, like VirtualBox or kvm. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. 
-+ - config GRKERNSEC_CUSTOM - bool "Custom" - help -diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 -+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 -@@ -362,9 +362,10 @@ - - config PAX_KERNEXEC - bool "Enforce non-executable kernel pages" -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) - select PAX_KERNEXEC_PLUGIN if X86_64 -+ default y if GRKERNSEC_HARDENED_WORKSTATION - help - This is the kernel land equivalent of PAGEEXEC and MPROTECT, - that is, enabling this option will make it harder to inject -@@ -375,30 +376,30 @@ - - choice - prompt "Return Address Instrumentation Method" -- default PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ default PAX_KERNEXEC_PLUGIN_METHOD_OR - depends on PAX_KERNEXEC_PLUGIN - help - Select the method used to instrument function pointer dereferences. - Note that binary modules cannot be instrumented by this approach. - -- config PAX_KERNEXEC_PLUGIN_METHOD_BTS -- bool "bts" -- help -- This method is compatible with binary only modules but has -- a higher runtime overhead. -- - config PAX_KERNEXEC_PLUGIN_METHOD_OR - bool "or" - depends on !PARAVIRT - help - This method is incompatible with binary only modules but has - a lower runtime overhead. -+ -+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ bool "bts" -+ help -+ This method is compatible with binary only modules but has -+ a higher runtime overhead. 
- endchoice
- 
- config PAX_KERNEXEC_PLUGIN_METHOD
- string
-- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
-+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default ""
- 
- config PAX_KERNEXEC_MODULE_TEXT
-@@ -555,8 +556,9 @@
- 
- config PAX_MEMORY_UDEREF
- bool "Prevent invalid userland pointer dereference"
-- depends on X86 && !UML_X86 && !XEN
-+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- select PAX_PER_CPU_PGD if X86_64
-+ default y if GRKERNSEC_HARDENED_WORKSTATION
- help
- By saying Y here the kernel will be prevented from dereferencing
- userland pointers in contexts where the kernel expects only kernel
diff --git a/3.2.22/4460-grsec-kconfig-proc-user.patch b/3.2.22/4460-grsec-kconfig-proc-user.patch
deleted file mode 100644
index b2b3188..0000000
--- a/3.2.22/4460-grsec-kconfig-proc-user.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
-in a different way to avoid bug #366019. This patch should eventually go upstream.
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
-@@ -680,7 +680,7 @@
- 
- config GRKERNSEC_PROC_USER
- bool "Restrict /proc to user only"
-- depends on GRKERNSEC_PROC
-+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
- help
- If you say Y here, non-root users will only be able to view their own
- processes, and restricts them from viewing network-related information,
-@@ -688,7 +688,7 @@
- 
- config GRKERNSEC_PROC_USERGROUP
- bool "Allow special group"
-- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+ depends on GRKERNSEC_PROC
- help
- If you say Y here, you will be able to select a group that will be
- able to view all processes and network-related information. If you've
diff --git a/3.4.4/0000_README b/3.4.4/0000_README
index be72568..6e60159 100644
--- a/3.4.4/0000_README
+++ b/3.4.4/0000_README
@@ -2,6 +2,10 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
+Patch: 2600_FW_MIPS_FILE_06_regression.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Fix regressions against bnx2 firmware
+
 Patch: 4420_grsecurity-2.9.1-3.4.4-201207080925.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity |