Diffstat (limited to '3.2.22')
-rw-r--r--3.2.22/0000_README16
-rw-r--r--3.2.22/4445_grsec-pax-without-grsec.patch91
-rw-r--r--3.2.22/4455_grsec-kconfig-gentoo.patch357
-rw-r--r--3.2.22/4460-grsec-kconfig-proc-user.patch26
4 files changed, 0 insertions, 490 deletions
diff --git a/3.2.22/0000_README b/3.2.22/0000_README
index b314927..ccfefdd 100644
--- a/3.2.22/0000_README
+++ b/3.2.22/0000_README
@@ -20,27 +20,11 @@ Patch: 4440_grsec-remove-protected-paths.patch
From: Anthony G. Basile <blueness@gentoo.org>
Desc: Removes chmod statements from grsecurity/Makefile
-Patch: 4445_grsec-pax-without-grsec.patch
-From: Gordon Malm <gengor@gentoo.org>
-Desc: Allows PaX features to be selected without enabling GRKERNSEC
-
Patch: 4450_grsec-kconfig-default-gids.patch
From: Kerin Millar <kerframil@gmail.com>
Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
features
-Patch: 4455_grsec-kconfig-gentoo.patch
-From: Gordon Malm <gengor@gentoo.org>
- Kerin Millar <kerframil@gmail.com>
- Anthony G. Basile <blueness@gentoo.org>
-Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels,
- sets Hardened Gentoo [workstation] as default
-
-Patch: 4460-grsec-kconfig-proc-user.patch
-From: Anthony G. Basile <blueness@gentoo.org>
-Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
- exclusive to avoid bug #366019.
-
Patch: 4465_selinux-avc_audit-log-curr_ip.patch
From: Gordon Malm <gengor@gentoo.org>
Anthony G. Basile <blueness@gentoo.org>
diff --git a/3.2.22/4445_grsec-pax-without-grsec.patch b/3.2.22/4445_grsec-pax-without-grsec.patch
deleted file mode 100644
index 58301c0..0000000
--- a/3.2.22/4445_grsec-pax-without-grsec.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
-pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
-This patch has been updated to reflect that change.
-
-With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn.
-This patch has been updated to reflect that change.
---
-From: Jory Pratt <anarchy@gentoo.org>
-Updated patch for kernel 2.6.32
-
-The credits/description from the original version of this patch remain accurate
-and are included below.
---
-From: Gordon Malm <gengor@gentoo.org>
-
-Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
-
-This patch has been updated to keep current with newer kernel versions.
-The original version of this patch contained no credits/description.
-
-diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400
-+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400
-@@ -657,10 +657,12 @@
-
- #ifdef CONFIG_PAX_KERNEXEC
- if (init_mm.start_code <= address && address < init_mm.end_code) {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- else
-+#endif
- printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- current->comm, task_pid_nr(current), current_uid(), current_euid());
- }
-diff -Naur a/fs/exec.c b/fs/exec.c
---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400
-+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400
-@@ -2048,9 +2048,11 @@
- }
- up_read(&mm->mmap_sem);
- }
-+#ifdef CONFIG_GRKERNSEC
- if (tsk->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
- else
-+#endif
- printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
- printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
- "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -2065,10 +2067,12 @@
- #ifdef CONFIG_PAX_REFCOUNT
- void pax_report_refcount_overflow(struct pt_regs *regs)
- {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- else
-+#endif
- printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- current->comm, task_pid_nr(current), current_uid(), current_euid());
- print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -2127,10 +2131,12 @@
-
- __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
- {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- else
-+#endif
- printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- dump_stack();
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400
-+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400
-@@ -29,7 +29,7 @@
-
- config PAX
- bool "Enable various PaX features"
-- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
-+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
- help
- This allows you to enable various PaX features. PaX adds
- intrusion prevention mechanisms to the kernel that reduce
diff --git a/3.2.22/4455_grsec-kconfig-gentoo.patch b/3.2.22/4455_grsec-kconfig-gentoo.patch
deleted file mode 100644
index 87b5454..0000000
--- a/3.2.22/4455_grsec-kconfig-gentoo.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-From: Gordon Malm <gengor@gentoo.org>
-From: Jory A. Pratt <anarchy@gentoo.org>
-From: Kerin Millar <kerframil@gmail.com>
-
-Add Hardened Gentoo [server/workstation] predefined grsecurity
-levels. They're designed to provide a comparitively high level of
-security while remaining generally suitable for as great a majority
-of the userbase as possible (particularly new users).
-
-Make Hardened Gentoo [workstation] predefined grsecurity level the
-default. The Hardened Gentoo [server] level is more restrictive
-and conflicts with some software and thus would be less suitable.
-
-The original version of this patch was conceived and created by:
-Ned Ludd <solar@gentoo.org>
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
-+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
-@@ -18,7 +18,7 @@
- choice
- prompt "Security Level"
- depends on GRKERNSEC
-- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED_WORKSTATION
-
- config GRKERNSEC_LOW
- bool "Low"
-@@ -192,6 +192,262 @@
- - Restricted sysfs/debugfs
- - Active kernel exploit response
-
-+config GRKERNSEC_HARDENED_SERVER
-+ bool "Hardened Gentoo [server]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_SYSFS_RESTRICT
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [server]" level is identical to the
-+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
-+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
-+ security level if the system will not be utilizing software incompatible
-+ with these features.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION
-+ bool "Hardened Gentoo [workstation]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [workstation]" level is identical to the
-+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
-+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
-+ security level if the system will be utilizing software incompatible
-+ with these features.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_VIRTUALIZATION
-+ bool "Hardened Gentoo [virtualization]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [virtualization]" level is identical to the
-+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
-+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
-+ security level if the system will be utilizing virtualization software
-+ incompatible with these features, like VirtualBox or kvm.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
- config GRKERNSEC_CUSTOM
- bool "Custom"
- help
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
-+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
-@@ -362,9 +362,10 @@
-
- config PAX_KERNEXEC
- bool "Enforce non-executable kernel pages"
-- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
- select PAX_KERNEXEC_PLUGIN if X86_64
-+ default y if GRKERNSEC_HARDENED_WORKSTATION
- help
- This is the kernel land equivalent of PAGEEXEC and MPROTECT,
- that is, enabling this option will make it harder to inject
-@@ -375,30 +376,30 @@
-
- choice
- prompt "Return Address Instrumentation Method"
-- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+ default PAX_KERNEXEC_PLUGIN_METHOD_OR
- depends on PAX_KERNEXEC_PLUGIN
- help
- Select the method used to instrument function pointer dereferences.
- Note that binary modules cannot be instrumented by this approach.
-
-- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-- bool "bts"
-- help
-- This method is compatible with binary only modules but has
-- a higher runtime overhead.
--
- config PAX_KERNEXEC_PLUGIN_METHOD_OR
- bool "or"
- depends on !PARAVIRT
- help
- This method is incompatible with binary only modules but has
- a lower runtime overhead.
-+
-+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+ bool "bts"
-+ help
-+ This method is compatible with binary only modules but has
-+ a higher runtime overhead.
- endchoice
-
- config PAX_KERNEXEC_PLUGIN_METHOD
- string
-- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
-+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default ""
-
- config PAX_KERNEXEC_MODULE_TEXT
-@@ -555,8 +556,9 @@
-
- config PAX_MEMORY_UDEREF
- bool "Prevent invalid userland pointer dereference"
-- depends on X86 && !UML_X86 && !XEN
-+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- select PAX_PER_CPU_PGD if X86_64
-+ default y if GRKERNSEC_HARDENED_WORKSTATION
- help
- By saying Y here the kernel will be prevented from dereferencing
- userland pointers in contexts where the kernel expects only kernel
diff --git a/3.2.22/4460-grsec-kconfig-proc-user.patch b/3.2.22/4460-grsec-kconfig-proc-user.patch
deleted file mode 100644
index b2b3188..0000000
--- a/3.2.22/4460-grsec-kconfig-proc-user.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
-in a different way to avoid bug #366019. This patch should eventually go upstream.
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
-@@ -680,7 +680,7 @@
-
- config GRKERNSEC_PROC_USER
- bool "Restrict /proc to user only"
-- depends on GRKERNSEC_PROC
-+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
- help
- If you say Y here, non-root users will only be able to view their own
- processes, and restricts them from viewing network-related information,
-@@ -688,7 +688,7 @@
-
- config GRKERNSEC_PROC_USERGROUP
- bool "Allow special group"
-- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+ depends on GRKERNSEC_PROC
- help
- If you say Y here, you will be able to select a group that will be
- able to view all processes and network-related information. If you've