authorAnthony G. Basile <blueness@gentoo.org>2013-01-31 19:47:46 -0500
committerAnthony G. Basile <blueness@gentoo.org>2013-01-31 19:47:46 -0500
commit6772694beda827666e7c091e6208fbe9a83114e5 (patch)
tree8b5223176b9188a5df8f652acca5a50285116115
parentGrsec/PaX: 2.9.1-{2.6.32.60,3.2.37,3.7.5}-201301281957 (diff)
downloadhardened-patchset-6772694beda827666e7c091e6208fbe9a83114e5.tar.gz
hardened-patchset-6772694beda827666e7c091e6208fbe9a83114e5.tar.bz2
hardened-patchset-6772694beda827666e7c091e6208fbe9a83114e5.zip
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.37,3.7.5}-20130131181120130131
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301281956.patch)62
-rw-r--r--3.2.37/0000_README2
-rw-r--r--3.2.37/4420_grsecurity-2.9.1-3.2.37-201301311810.patch (renamed from 3.2.37/4420_grsecurity-2.9.1-3.2.37-201301281956.patch)62
-rw-r--r--3.7.5/0000_README2
-rw-r--r--3.7.5/4420_grsecurity-2.9.1-3.7.5-201301311811.patch (renamed from 3.7.5/4420_grsecurity-2.9.1-3.7.5-201301281957.patch)62
6 files changed, 138 insertions, 54 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 584dc17..ff482d8 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301281956.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301281956.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch
index dd6c22f..c356f5e 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301281956.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301311809.patch
@@ -8816,7 +8816,7 @@ index d1b93c4..ae1b7fd 100644
void default_idle(void);
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index aa889d6..1468e63 100644
+index aa889d6..883686f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -223,7 +223,7 @@ config X86_TRAMPOLINE
@@ -8828,7 +8828,15 @@ index aa889d6..1468e63 100644
config KTIME_SCALAR
def_bool X86_32
-@@ -1008,7 +1008,7 @@ choice
+@@ -985,6 +985,7 @@ config MICROCODE_OLD_INTERFACE
+
+ config X86_MSR
+ tristate "/dev/cpu/*/msr - Model-specific register support"
++ depends on !GRKERNSEC_KMEM
+ ---help---
+ This device gives privileged processes access to the x86
+ Model-Specific Registers (MSRs). It is a character device with
+@@ -1008,7 +1009,7 @@ choice
config NOHIGHMEM
bool "off"
@@ -8837,7 +8845,7 @@ index aa889d6..1468e63 100644
---help---
Linux can use up to 64 Gigabytes of physical memory on x86 systems.
However, the address space of 32-bit x86 processors is only 4
-@@ -1045,7 +1045,7 @@ config NOHIGHMEM
+@@ -1045,7 +1046,7 @@ config NOHIGHMEM
config HIGHMEM4G
bool "4GB"
@@ -8846,7 +8854,7 @@ index aa889d6..1468e63 100644
---help---
Select this if you have a 32-bit processor and between 1 and 4
gigabytes of physical RAM.
-@@ -1099,7 +1099,7 @@ config PAGE_OFFSET
+@@ -1099,7 +1100,7 @@ config PAGE_OFFSET
hex
default 0xB0000000 if VMSPLIT_3G_OPT
default 0x80000000 if VMSPLIT_2G
@@ -8855,7 +8863,7 @@ index aa889d6..1468e63 100644
default 0x40000000 if VMSPLIT_1G
default 0xC0000000
depends on X86_32
-@@ -1469,6 +1469,7 @@ config SECCOMP
+@@ -1469,6 +1470,7 @@ config SECCOMP
config CC_STACKPROTECTOR
bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
@@ -8863,7 +8871,7 @@ index aa889d6..1468e63 100644
---help---
This option turns on the -fstack-protector GCC feature. This
feature puts, at the beginning of functions, a canary value on
-@@ -1526,6 +1527,7 @@ config KEXEC_JUMP
+@@ -1526,6 +1528,7 @@ config KEXEC_JUMP
config PHYSICAL_START
hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
default "0x1000000"
@@ -8871,7 +8879,7 @@ index aa889d6..1468e63 100644
---help---
This gives the physical address where the kernel is loaded.
-@@ -1590,6 +1592,7 @@ config PHYSICAL_ALIGN
+@@ -1590,6 +1593,7 @@ config PHYSICAL_ALIGN
hex
prompt "Alignment value to which kernel should be aligned" if X86_32
default "0x1000000"
@@ -8879,7 +8887,7 @@ index aa889d6..1468e63 100644
range 0x2000 0x1000000
---help---
This value puts the alignment restrictions on physical address
-@@ -1621,9 +1624,10 @@ config HOTPLUG_CPU
+@@ -1621,9 +1625,10 @@ config HOTPLUG_CPU
Say N if you want to disable CPU hotplug.
config COMPAT_VDSO
@@ -20876,6 +20884,20 @@ index 3b7078a..7367929 100644
+ *(void **)&x86_init.resources.probe_roms = x86_init_noop;
+ *(void **)&x86_init.resources.reserve_resources = x86_init_noop;
}
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 5eaeb5e..63a053b 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -176,6 +176,9 @@ static int msr_open(struct inode *inode, struct file *file)
+ struct cpuinfo_x86 *c = &cpu_data(cpu);
+ int ret = 0;
+
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
++
+ lock_kernel();
+ cpu = iminor(file->f_path.dentry->d_inode);
+
diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c
index 3a7c5a4..9191528 100644
--- a/arch/x86/kernel/paravirt-spinlocks.c
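Review bot: The new `if (!capable(CAP_SYS_RAWIO)) return -EPERM;` at the top of msr_open gates only open(); the msr_read/msr_write paths on an already-open descriptor are not re-checked, so a descriptor obtained while capable keeps MSR access after the holder drops privileges, which matches the kernel's usual open-time permission model and is worth recording rather than a defect. A comment above the check such as `/* writable MSRs can be used to modify the running kernel (see the GRKERNSEC_KMEM help text); require CAP_SYS_RAWIO rather than relying on the device node mode alone */` would state why the capability is required in addition to the node permissions, and would also document that this check is the only guard when GRKERNSEC_KMEM is off, since the Kconfig hunk only removes X86_MSR when that option is enabled. In this 2.6.32 variant the early return happens before `lock_kernel()`, so no lock is leaked; the identical msr.c insertions in the 3.2.37 and 3.7.5 patch files sit before the cpu lookup and are equally sound, so this note covers all three. The remainder of msr_open lies outside the hunk.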
@@ -84661,10 +84683,10 @@ index e89734e..5e84d8d 100644
return 0;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..5e175a6
+index 0000000..23e4fc1
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,997 @@
+@@ -0,0 +1,1003 @@
+#
+# grecurity configuration
+#
@@ -84678,18 +84700,24 @@ index 0000000..5e175a6
+ help
+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
+ be written to or read from to modify or leak the contents of the running
-+ kernel. /dev/port will also not be allowed to be opened. If you have module
-+ support disabled, enabling this will close up four ways that are
++ kernel. /dev/port will also not be allowed to be opened and support
++ for /dev/cpu/*/msr will be removed. If you have module
++ support disabled, enabling this will close up five ways that are
+ currently used to insert malicious code into the running kernel.
++
+ Even with all these features enabled, we still highly recommend that
+ you use the RBAC system, as it is still possible for an attacker to
+ modify the running kernel through privileged I/O granted by ioperm/iopl.
++
+ If you are not using XFree86, you may be able to stop this additional
+ case by enabling the 'Disable privileged I/O' option. Though nothing
+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
+ but only to video memory, which is the only writing we allow in this
+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
+ not be allowed to mprotect it with PROT_WRITE later.
++ Enabling this feature will prevent the "cpupower" and "powertop" tools
++ from working.
++
+ It is highly recommended that you say Y here if you meet all the
+ conditions above.
+
@@ -85212,11 +85240,11 @@ index 0000000..5e175a6
+config GRKERNSEC_AUDIT_GROUP
+ bool "Single group for auditing"
+ help
-+ If you say Y here, the exec, chdir, and (un)mount logging features
-+ will only operate on a group you specify. This option is recommended
-+ if you only want to watch certain users instead of having a large
-+ amount of logs from the entire system. If the sysctl option is enabled,
-+ a sysctl option with name "audit_group" is created.
++ If you say Y here, the exec and chdir logging features will only operate
++ on a group you specify. This option is recommended if you only want to
++ watch certain users instead of having a large amount of logs from the
++ entire system. If the sysctl option is enabled, a sysctl option with
++ name "audit_group" is created.
+
+config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"
diff --git a/3.2.37/0000_README b/3.2.37/0000_README
index f61fd16..4390092 100644
--- a/3.2.37/0000_README
+++ b/3.2.37/0000_README
@@ -66,7 +66,7 @@ Patch: 1036_linux-3.2.37.patch
From: http://www.kernel.org
Desc: Linux 3.2.37
-Patch: 4420_grsecurity-2.9.1-3.2.37-201301281956.patch
+Patch: 4420_grsecurity-2.9.1-3.2.37-201301311810.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301281956.patch b/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301311810.patch
index c2ee615..aba5725 100644
--- a/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301281956.patch
+++ b/3.2.37/4420_grsecurity-2.9.1-3.2.37-201301311810.patch
@@ -8010,7 +8010,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index efb4294..61bc18c 100644
+index efb4294..9e31255 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -235,7 +235,7 @@ config X86_HT
@@ -8022,7 +8022,15 @@ index efb4294..61bc18c 100644
config ARCH_HWEIGHT_CFLAGS
string
-@@ -1022,7 +1022,7 @@ choice
+@@ -999,6 +999,7 @@ config MICROCODE_OLD_INTERFACE
+
+ config X86_MSR
+ tristate "/dev/cpu/*/msr - Model-specific register support"
++ depends on !GRKERNSEC_KMEM
+ ---help---
+ This device gives privileged processes access to the x86
+ Model-Specific Registers (MSRs). It is a character device with
+@@ -1022,7 +1023,7 @@ choice
config NOHIGHMEM
bool "off"
@@ -8031,7 +8039,7 @@ index efb4294..61bc18c 100644
---help---
Linux can use up to 64 Gigabytes of physical memory on x86 systems.
However, the address space of 32-bit x86 processors is only 4
-@@ -1059,7 +1059,7 @@ config NOHIGHMEM
+@@ -1059,7 +1060,7 @@ config NOHIGHMEM
config HIGHMEM4G
bool "4GB"
@@ -8040,7 +8048,7 @@ index efb4294..61bc18c 100644
---help---
Select this if you have a 32-bit processor and between 1 and 4
gigabytes of physical RAM.
-@@ -1113,7 +1113,7 @@ config PAGE_OFFSET
+@@ -1113,7 +1114,7 @@ config PAGE_OFFSET
hex
default 0xB0000000 if VMSPLIT_3G_OPT
default 0x80000000 if VMSPLIT_2G
@@ -8049,7 +8057,7 @@ index efb4294..61bc18c 100644
default 0x40000000 if VMSPLIT_1G
default 0xC0000000
depends on X86_32
-@@ -1496,6 +1496,7 @@ config SECCOMP
+@@ -1496,6 +1497,7 @@ config SECCOMP
config CC_STACKPROTECTOR
bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
@@ -8057,7 +8065,7 @@ index efb4294..61bc18c 100644
---help---
This option turns on the -fstack-protector GCC feature. This
feature puts, at the beginning of functions, a canary value on
-@@ -1553,6 +1554,7 @@ config KEXEC_JUMP
+@@ -1553,6 +1555,7 @@ config KEXEC_JUMP
config PHYSICAL_START
hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
default "0x1000000"
@@ -8065,7 +8073,7 @@ index efb4294..61bc18c 100644
---help---
This gives the physical address where the kernel is loaded.
-@@ -1616,6 +1618,7 @@ config X86_NEED_RELOCS
+@@ -1616,6 +1619,7 @@ config X86_NEED_RELOCS
config PHYSICAL_ALIGN
hex "Alignment value to which kernel should be aligned" if X86_32
default "0x1000000"
@@ -8073,7 +8081,7 @@ index efb4294..61bc18c 100644
range 0x2000 0x1000000
---help---
This value puts the alignment restrictions on physical address
-@@ -1647,9 +1650,10 @@ config HOTPLUG_CPU
+@@ -1647,9 +1651,10 @@ config HOTPLUG_CPU
Say N if you want to disable CPU hotplug.
config COMPAT_VDSO
@@ -18876,6 +18884,20 @@ index 925179f..59bfaa1 100644
#if 0
if ((s64)val != *(s32 *)loc)
goto overflow;
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 12fcbe2..f7d1a64 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -175,6 +175,9 @@ static int msr_open(struct inode *inode, struct file *file)
+ unsigned int cpu;
+ struct cpuinfo_x86 *c;
+
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
++
+ cpu = iminor(file->f_path.dentry->d_inode);
+ if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ return -ENXIO; /* No such CPU */
diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
index e88f37b..1353db6 100644
--- a/arch/x86/kernel/nmi.c
@@ -52785,10 +52807,10 @@ index 87323f1..dab9d00 100644
ip = issum ? mp->m_rsumip : mp->m_rbmip;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..511310f
+index 0000000..52786fd
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1015 @@
+@@ -0,0 +1,1021 @@
+#
+# grecurity configuration
+#
@@ -52802,18 +52824,24 @@ index 0000000..511310f
+ help
+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
+ be written to or read from to modify or leak the contents of the running
-+ kernel. /dev/port will also not be allowed to be opened. If you have module
-+ support disabled, enabling this will close up four ways that are
++ kernel. /dev/port will also not be allowed to be opened and support
++ for /dev/cpu/*/msr will be removed. If you have module
++ support disabled, enabling this will close up five ways that are
+ currently used to insert malicious code into the running kernel.
++
+ Even with all these features enabled, we still highly recommend that
+ you use the RBAC system, as it is still possible for an attacker to
+ modify the running kernel through privileged I/O granted by ioperm/iopl.
++
+ If you are not using XFree86, you may be able to stop this additional
+ case by enabling the 'Disable privileged I/O' option. Though nothing
+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
+ but only to video memory, which is the only writing we allow in this
+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
+ not be allowed to mprotect it with PROT_WRITE later.
++ Enabling this feature will prevent the "cpupower" and "powertop" tools
++ from working.
++
+ It is highly recommended that you say Y here if you meet all the
+ conditions above.
+
@@ -53354,11 +53382,11 @@ index 0000000..511310f
+config GRKERNSEC_AUDIT_GROUP
+ bool "Single group for auditing"
+ help
-+ If you say Y here, the exec, chdir, and (un)mount logging features
-+ will only operate on a group you specify. This option is recommended
-+ if you only want to watch certain users instead of having a large
-+ amount of logs from the entire system. If the sysctl option is enabled,
-+ a sysctl option with name "audit_group" is created.
++ If you say Y here, the exec and chdir logging features will only operate
++ on a group you specify. This option is recommended if you only want to
++ watch certain users instead of having a large amount of logs from the
++ entire system. If the sysctl option is enabled, a sysctl option with
++ name "audit_group" is created.
+
+config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"
diff --git a/3.7.5/0000_README b/3.7.5/0000_README
index 71573a5..cecc634 100644
--- a/3.7.5/0000_README
+++ b/3.7.5/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.7.5-201301281957.patch
+Patch: 4420_grsecurity-2.9.1-3.7.5-201301311811.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.7.5/4420_grsecurity-2.9.1-3.7.5-201301281957.patch b/3.7.5/4420_grsecurity-2.9.1-3.7.5-201301311811.patch
index 8d072d3..1a84583 100644
--- a/3.7.5/4420_grsecurity-2.9.1-3.7.5-201301281957.patch
+++ b/3.7.5/4420_grsecurity-2.9.1-3.7.5-201301311811.patch
@@ -8568,7 +8568,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 46c3bff..c2286e7 100644
+index 46c3bff..da289d1 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -241,7 +241,7 @@ config X86_HT
@@ -8580,7 +8580,15 @@ index 46c3bff..c2286e7 100644
config ARCH_HWEIGHT_CFLAGS
string
-@@ -1056,7 +1056,7 @@ choice
+@@ -1033,6 +1033,7 @@ config MICROCODE_OLD_INTERFACE
+
+ config X86_MSR
+ tristate "/dev/cpu/*/msr - Model-specific register support"
++ depends on !GRKERNSEC_KMEM
+ ---help---
+ This device gives privileged processes access to the x86
+ Model-Specific Registers (MSRs). It is a character device with
+@@ -1056,7 +1057,7 @@ choice
config NOHIGHMEM
bool "off"
@@ -8589,7 +8597,7 @@ index 46c3bff..c2286e7 100644
---help---
Linux can use up to 64 Gigabytes of physical memory on x86 systems.
However, the address space of 32-bit x86 processors is only 4
-@@ -1093,7 +1093,7 @@ config NOHIGHMEM
+@@ -1093,7 +1094,7 @@ config NOHIGHMEM
config HIGHMEM4G
bool "4GB"
@@ -8598,7 +8606,7 @@ index 46c3bff..c2286e7 100644
---help---
Select this if you have a 32-bit processor and between 1 and 4
gigabytes of physical RAM.
-@@ -1147,7 +1147,7 @@ config PAGE_OFFSET
+@@ -1147,7 +1148,7 @@ config PAGE_OFFSET
hex
default 0xB0000000 if VMSPLIT_3G_OPT
default 0x80000000 if VMSPLIT_2G
@@ -8607,7 +8615,7 @@ index 46c3bff..c2286e7 100644
default 0x40000000 if VMSPLIT_1G
default 0xC0000000
depends on X86_32
-@@ -1548,6 +1548,7 @@ config SECCOMP
+@@ -1548,6 +1549,7 @@ config SECCOMP
config CC_STACKPROTECTOR
bool "Enable -fstack-protector buffer overflow detection"
@@ -8615,7 +8623,7 @@ index 46c3bff..c2286e7 100644
---help---
This option turns on the -fstack-protector GCC feature. This
feature puts, at the beginning of functions, a canary value on
-@@ -1605,6 +1606,7 @@ config KEXEC_JUMP
+@@ -1605,6 +1607,7 @@ config KEXEC_JUMP
config PHYSICAL_START
hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
default "0x1000000"
@@ -8623,7 +8631,7 @@ index 46c3bff..c2286e7 100644
---help---
This gives the physical address where the kernel is loaded.
-@@ -1668,6 +1670,7 @@ config X86_NEED_RELOCS
+@@ -1668,6 +1671,7 @@ config X86_NEED_RELOCS
config PHYSICAL_ALIGN
hex "Alignment value to which kernel should be aligned" if X86_32
default "0x1000000"
@@ -8631,7 +8639,7 @@ index 46c3bff..c2286e7 100644
range 0x2000 0x1000000
---help---
This value puts the alignment restrictions on physical address
-@@ -1699,9 +1702,10 @@ config HOTPLUG_CPU
+@@ -1699,9 +1703,10 @@ config HOTPLUG_CPU
Say N if you want to disable CPU hotplug.
config COMPAT_VDSO
@@ -19602,6 +19610,20 @@ index 216a4d7..b328f09 100644
#if 0
if ((s64)val != *(s32 *)loc)
goto overflow;
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index a7c5661..4929502 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -174,6 +174,9 @@ static int msr_open(struct inode *inode, struct file *file)
+ unsigned int cpu;
+ struct cpuinfo_x86 *c;
+
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
++
+ cpu = iminor(file->f_path.dentry->d_inode);
+ if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ return -ENXIO; /* No such CPU */
diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
index f84f5c5..e27e54b 100644
--- a/arch/x86/kernel/nmi.c
@@ -52223,10 +52245,10 @@ index 4e00cf0..3374374 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..5ce8347
+index 0000000..92247e4
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1015 @@
+@@ -0,0 +1,1021 @@
+#
+# grecurity configuration
+#
@@ -52240,18 +52262,24 @@ index 0000000..5ce8347
+ help
+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
+ be written to or read from to modify or leak the contents of the running
-+ kernel. /dev/port will also not be allowed to be opened. If you have module
-+ support disabled, enabling this will close up four ways that are
++ kernel. /dev/port will also not be allowed to be opened and support
++ for /dev/cpu/*/msr will be removed. If you have module
++ support disabled, enabling this will close up five ways that are
+ currently used to insert malicious code into the running kernel.
++
+ Even with all these features enabled, we still highly recommend that
+ you use the RBAC system, as it is still possible for an attacker to
+ modify the running kernel through privileged I/O granted by ioperm/iopl.
++
+ If you are not using XFree86, you may be able to stop this additional
+ case by enabling the 'Disable privileged I/O' option. Though nothing
+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
+ but only to video memory, which is the only writing we allow in this
+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
+ not be allowed to mprotect it with PROT_WRITE later.
++ Enabling this feature will prevent the "cpupower" and "powertop" tools
++ from working.
++
+ It is highly recommended that you say Y here if you meet all the
+ conditions above.
+
@@ -52792,11 +52820,11 @@ index 0000000..5ce8347
+config GRKERNSEC_AUDIT_GROUP
+ bool "Single group for auditing"
+ help
-+ If you say Y here, the exec, chdir, and (un)mount logging features
-+ will only operate on a group you specify. This option is recommended
-+ if you only want to watch certain users instead of having a large
-+ amount of logs from the entire system. If the sysctl option is enabled,
-+ a sysctl option with name "audit_group" is created.
++ If you say Y here, the exec and chdir logging features will only operate
++ on a group you specify. This option is recommended if you only want to
++ watch certain users instead of having a large amount of logs from the
++ entire system. If the sysctl option is enabled, a sysctl option with
++ name "audit_group" is created.
+
+config GRKERNSEC_AUDIT_GID
+ int "GID for auditing"