Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/4435_grsec-kconfig-gentoo.patch | 123 |
1 files changed, 103 insertions, 20 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index 319fa4b..87984fb 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -15,9 +15,9 @@ and conflicts with some software and thus would be less suitable.
 The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
-diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig
---- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-22 06:53:30.000000000 -0500
-+++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-22 11:23:17.000000000 -0500
+diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-02 09:18:14.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-02 09:43:28.000000000 -0500
 @@ -18,7 +18,7 @@
 choice
 prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 config GRKERNSEC_LOW
 bool "Low"
-@@ -191,6 +191,178 @@
+@@ -191,6 +191,261 @@
 - Ptrace restrictions
 - Restricted vm86 mode
@@ -101,15 +101,14 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 + of Gentoo's available software.
 +
 + This "Hardened Gentoo [server]" level is identical to the
-+ "Hardened Gentoo [workstation or virtualization host]" level, but with
-+ the GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
-+ enabled. Accordingly, this is the preferred security level if the system
-+ will not be utilizing software incompatible with these features, like
-+ VirtualBox or kvm.
++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
++ security level if the system will not be utilizing software incompatible
++ with these features.
 +
 + When this level is selected, some security features will be forced on,
-+ while others will default to off. The later can be turned on at the
-+ user's discretion to further enhance hardening, but may cause problems
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
 + in some situations. You can fully customize all grsecurity/PaX features
 + by choosing "Custom" in the Security Level menu. It may be helpful to
 + inherit the options selected by this security level as a starting point.
@@ -118,7 +117,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 + select the "Custom" level.
 +
 +config GRKERNSEC_HARDENED_WORKSTATION
-+ bool "Hardened Gentoo [workstation or virtualization host]"
++ bool "Hardened Gentoo [workstation]"
 + select GRKERNSEC_LINK
 + select GRKERNSEC_FIFO
 + select GRKERNSEC_EXECVE
@@ -186,16 +185,100 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g
 + level of security while minimizing incompatibilities with a majority
 + of Gentoo's available software.
 +
-+ This "Hardened Gentoo [workstation or virtualization host]" level
-+ is identical to the "Hardened Gentoo [server]" level, but with the
-+ GRKERNSEC_IO, GRKERNSEC_PROC_ADD, PAX_KERNEXEC and PAX_MEMORY_UDEREF
-+ disabled. Accordingly, this is the preferred security level if the
-+ system will be utilizing software incompatible with these features,
-+ like VirtualBox or kvm.
++ This "Hardened Gentoo [workstation]" level is identical to the
++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
++ security level if the system will be utilizing software incompatible
++ with these features.
 +
 + When this level is selected, some security features will be forced on,
-+ while others will default to off. The later can be turned on at the
-+ user's discretion to further enhance hardening, but may cause problems
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++ bool "Hardened Gentoo [virtualization]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_EXECVE
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_RANDUSTACK
++ select PAX_ASLR
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [virtualization]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
++ security level if the system will be utilizing virtualization software
++ incompatible with these features, like VirtualBox or kvm.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
+ in some situations. You can fully customize all grsecurity/PaX features
+ by choosing "Custom" in the Security Level menu. It may be helpful to
+ inherit the options selected by this security level as a starting point. |
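Review bot: The help text of the new GRKERNSEC_HARDENED_VIRTUALIZATION level says PAX_KERNEXEC and PAX_MEMORY_UDEREF are "defaulting to off", but all this block does is leave their two `select` lines commented out, and a missing `select` sets no default; whether they end up off depends on the `default` stanzas of those options, which are outside this hunk, so either confirm that or reword it to "not forced on by this level". Because those two are PaX's kernel self-protection options (roughly: non-writable kernel text and blocked kernel dereferences of userland pointers), I would also have the help state what is traded away, e.g. `Note that without PAX_KERNEXEC and PAX_MEMORY_UDEREF the kernel itself is left considerably less protected; pick this level only when the guest software really needs it.` The roughly sixty `select` lines are now repeated verbatim across the server, workstation and virtualization levels with only the commented-out lines differing, so a future change to the shared baseline must be made three times and a missed one silently weakens a level; a one-line comment above each list naming the intended differences (`# differs from WORKSTATION only in: KERNEXEC, UDEREF not selected`) would at least make drift visible in review. Minor: "The later can be tweaked" should read "The latter". The hunk ends on context lines, so the rest of this level's help text lies outside it.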