From 37cbbcacda2762cc7a054330ae8df40dd5ec9e62 Mon Sep 17 00:00:00 2001
From: "Anthony G. Basile"
Date: Sun, 5 Feb 2012 11:40:33 -0500
Subject: Renumbered patches
---
 2.6.32/4455_grsec-kconfig-gentoo.patch | 354 +++++++++++++++++++++++++++++++++
 1 file changed, 354 insertions(+)
 create mode 100644 2.6.32/4455_grsec-kconfig-gentoo.patch
(limited to '2.6.32/4455_grsec-kconfig-gentoo.patch')
diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch
new file mode 100644
index 0000000..b7e7322
--- /dev/null
+++ b/2.6.32/4455_grsec-kconfig-gentoo.patch
@@ -0,0 +1,354 @@
+From: Anthony G. Basile
+From: Gordon Malm
+From: Jory A. Pratt
+From: Kerin Millar
+
+Add Hardened Gentoo [server/workstation] predefined grsecurity
+levels. They're designed to provide a comparitively high level of
+security while remaining generally suitable for as great a majority
+of the userbase as possible (particularly new users).
+
+Make Hardened Gentoo [workstation] predefined grsecurity level the
+default. The Hardened Gentoo [server] level is more restrictive
+and conflicts with some software and thus would be less suitable.
+
+The original version of this patch was conceived and created by:
+Ned Ludd
+
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
++++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
+@@ -18,7 +18,7 @@
+ choice
+ prompt "Security Level"
+ depends on GRKERNSEC
+- default GRKERNSEC_CUSTOM
++ default GRKERNSEC_HARDENED_WORKSTATION
+ 
+ config GRKERNSEC_LOW
+ bool "Low"
+@@ -192,6 +192,259 @@
+ - Restricted sysfs/debugfs
+ - Active kernel exploit response
+ 
++config GRKERNSEC_HARDENED_SERVER
++ bool "Hardened Gentoo [server]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_SYSFS_RESTRICT
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
++ select GRKERNSEC_VM86 if (X86_32)
++ select GRKERNSEC_IO
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_KERNEXEC
++ select PAX_MEMORY_UDEREF
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [server]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
++ security level if the system will not be utilizing software incompatible
++ with these features.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
++config GRKERNSEC_HARDENED_WORKSTATION
++ bool "Hardened Gentoo [workstation]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
++ select GRKERNSEC_VM86 if (X86_32)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_KERNEXEC
++ select PAX_MEMORY_UDEREF
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [workstation]" level is identical to the
++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
++ security level if the system will be utilizing software incompatible
++ with these features.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++ bool "Hardened Gentoo [virtualization]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_AUDIT_PTRACE
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_SETXID
++ select GRKERNSEC_VM86 if (X86_32)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_ASLR
++ select PAX_RANDKSTACK
++ select PAX_RANDUSTACK
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ select PAX_MEMORY_STACKLEAK
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [virtualization]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
++ security level if the system will be utilizing virtualization software
++ incompatible with these features, like VirtualBox or kvm.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
+ config GRKERNSEC_CUSTOM
+ bool "Custom"
+ help
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
++++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
+@@ -361,9 +361,10 @@
+ 
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
+ select PAX_KERNEXEC_PLUGIN if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -374,30 +375,30 @@
+ 
+ choice
+ prompt "Return Address Instrumentation Method"
+- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ default PAX_KERNEXEC_PLUGIN_METHOD_OR
+ depends on PAX_KERNEXEC_PLUGIN
+ help
+ Select the method used to instrument function pointer dereferences.
+ Note that binary modules cannot be instrumented by this approach.
+ 
+- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+- bool "bts"
+- help
+- This method is compatible with binary only modules but has
+- a higher runtime overhead.
+-
+ config PAX_KERNEXEC_PLUGIN_METHOD_OR
+ bool "or"
+ depends on !PARAVIRT
+ help
+ This method is incompatible with binary only modules but has
+ a lower runtime overhead.
++
++ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
++ bool "bts"
++ help
++ This method is compatible with binary only modules but has
++ a higher runtime overhead.
+ endchoice
+ 
+ config PAX_KERNEXEC_PLUGIN_METHOD
+ string
+- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
++ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ default ""
+ 
+ config PAX_KERNEXEC_MODULE_TEXT
+@@ -554,8 +555,9 @@
+ 
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel
-- cgit v1.2.3
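Review bot: `select PAX_KERNEXEC` and `select PAX_MEMORY_UDEREF` in the GRKERNSEC_HARDENED_SERVER and GRKERNSEC_HARDENED_WORKSTATION blocks are unconditional, yet the security/Kconfig hunk shows both symbols carry `depends on` clauses ((PPC || X86) ... && !XEN; X86 && !UML_X86 && !XEN), and a Kconfig `select` forces the symbol on without honouring those dependencies, so a XEN, UML or non-x86/PPC build of either level ends up with the symbols set and a dependency warning instead of a clean configuration. The neighbouring selects already use the guarded form (`select PAX_SEGMEXEC if (X86_32)`), so the same shape fits here: `select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)` and `select PAX_MEMORY_UDEREF if (X86 && !UML_X86 && !XEN)`, with the added `default y if GRKERNSEC_HARDENED_WORKSTATION` lines still providing the workstation default on their own. The server help text states that the level differs from workstation only by GRKERNSEC_IO and GRKERNSEC_PROC_ADD, but the server block also selects GRKERNSEC_SYSFS_RESTRICT and the workstation block does not, so either the select list or that sentence needs updating. The virtualization help text says PAX_KERNEXEC and PAX_MEMORY_UDEREF are "defaulting to off", whereas the `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` appended to their `depends on` makes them unavailable at that level, so `cannot be enabled` would describe the behaviour; all three help texts also read "The later can be tweaked" where "latter" is meant. The commit subject suggests this file is a renumbered copy of an existing patch, in which case these points concern the carried-over content rather than anything changed here.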