Diffstat (limited to '2.6.32/4455_grsec-kconfig-gentoo.patch')
-rw-r--r--2.6.32/4455_grsec-kconfig-gentoo.patch357
1 files changed, 0 insertions, 357 deletions
diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch
deleted file mode 100644
index e18ba0b..0000000
--- a/2.6.32/4455_grsec-kconfig-gentoo.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-From: Gordon Malm <gengor@gentoo.org>
-From: Jory A. Pratt <anarchy@gentoo.org>
-From: Kerin Millar <kerframil@gmail.com>
-
-Add Hardened Gentoo [server/workstation] predefined grsecurity
-levels. They're designed to provide a comparitively high level of
-security while remaining generally suitable for as great a majority
-of the userbase as possible (particularly new users).
-
-Make Hardened Gentoo [workstation] predefined grsecurity level the
-default. The Hardened Gentoo [server] level is more restrictive
-and conflicts with some software and thus would be less suitable.
-
-The original version of this patch was conceived and created by:
-Ned Ludd <solar@gentoo.org>
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
-+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
-@@ -18,7 +18,7 @@
- choice
- prompt "Security Level"
- depends on GRKERNSEC
-- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED_WORKSTATION
-
- config GRKERNSEC_LOW
- bool "Low"
-@@ -192,6 +192,262 @@
- - Restricted sysfs/debugfs
- - Active kernel exploit response
-
-+config GRKERNSEC_HARDENED_SERVER
-+ bool "Hardened Gentoo [server]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_SYSFS_RESTRICT
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [server]" level is identical to the
-+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
-+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
-+ security level if the system will not be utilizing software incompatible
-+ with these features.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION
-+ bool "Hardened Gentoo [workstation]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [workstation]" level is identical to the
-+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
-+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
-+ security level if the system will be utilizing software incompatible
-+ with these features.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_VIRTUALIZATION
-+ bool "Hardened Gentoo [virtualization]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [virtualization]" level is identical to the
-+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
-+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
-+ security level if the system will be utilizing virtualization software
-+ incompatible with these features, like VirtualBox or kvm.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
- config GRKERNSEC_CUSTOM
- bool "Custom"
- help
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
-+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
-@@ -360,9 +360,10 @@
-
- config PAX_KERNEXEC
- bool "Enforce non-executable kernel pages"
-- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
- select PAX_KERNEXEC_PLUGIN if X86_64
-+ default y if GRKERNSEC_HARDENED_WORKSTATION
- help
- This is the kernel land equivalent of PAGEEXEC and MPROTECT,
- that is, enabling this option will make it harder to inject
-@@ -373,30 +374,30 @@
-
- choice
- prompt "Return Address Instrumentation Method"
-- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+ default PAX_KERNEXEC_PLUGIN_METHOD_OR
- depends on PAX_KERNEXEC_PLUGIN
- help
- Select the method used to instrument function pointer dereferences.
- Note that binary modules cannot be instrumented by this approach.
-
-- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-- bool "bts"
-- help
-- This method is compatible with binary only modules but has
-- a higher runtime overhead.
--
- config PAX_KERNEXEC_PLUGIN_METHOD_OR
- bool "or"
- depends on !PARAVIRT
- help
- This method is incompatible with binary only modules but has
- a lower runtime overhead.
-+
-+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+ bool "bts"
-+ help
-+ This method is compatible with binary only modules but has
-+ a higher runtime overhead.
- endchoice
-
- config PAX_KERNEXEC_PLUGIN_METHOD
- string
-- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
-+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default ""
-
- config PAX_KERNEXEC_MODULE_TEXT
-@@ -553,8 +554,9 @@
-
- config PAX_MEMORY_UDEREF
- bool "Prevent invalid userland pointer dereference"
-- depends on X86 && !UML_X86 && !XEN
-+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- select PAX_PER_CPU_PGD if X86_64
-+ default y if GRKERNSEC_HARDENED_WORKSTATION
- help
- By saying Y here the kernel will be prevented from dereferencing
- userland pointers in contexts where the kernel expects only kernel