From 386d50181178e9320f033575d3eabc2017a7b7ae Mon Sep 17 00:00:00 2001 From: "Anthony G. Basile" Date: Mon, 9 Jul 2012 19:55:51 -0400 Subject: Sync gentoo patches with new Kconfig structure --- 2.6.32/4455_grsec-kconfig-gentoo.patch | 357 --------------------------------- 1 file changed, 357 deletions(-) delete mode 100644 2.6.32/4455_grsec-kconfig-gentoo.patch (limited to '2.6.32/4455_grsec-kconfig-gentoo.patch') diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch deleted file mode 100644 index e18ba0b..0000000 --- a/2.6.32/4455_grsec-kconfig-gentoo.patch +++ /dev/null @@ -1,357 +0,0 @@ -From: Anthony G. Basile -From: Gordon Malm -From: Jory A. Pratt -From: Kerin Millar - -Add Hardened Gentoo [server/workstation] predefined grsecurity -levels. They're designed to provide a comparitively high level of -security while remaining generally suitable for as great a majority -of the userbase as possible (particularly new users). - -Make Hardened Gentoo [workstation] predefined grsecurity level the -default. The Hardened Gentoo [server] level is more restrictive -and conflicts with some software and thus would be less suitable. - -The original version of this patch was conceived and created by: -Ned Ludd - -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig ---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 -+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 -@@ -18,7 +18,7 @@ - choice - prompt "Security Level" - depends on GRKERNSEC -- default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION - - config GRKERNSEC_LOW - bool "Low" -@@ -192,6 +192,262 @@ - - Restricted sysfs/debugfs - - Active kernel exploit response - -+config GRKERNSEC_HARDENED_SERVER -+ bool "Hardened Gentoo [server]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_SYSFS_RESTRICT -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [server]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred -+ security level if the system will not be utilizing software incompatible -+ with these features. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. -+ -+config GRKERNSEC_HARDENED_WORKSTATION -+ bool "Hardened Gentoo [workstation]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) -+ select PAX_MEMORY_UDEREF if (X86 && !XEN) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [workstation]" level is identical to the -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred -+ security level if the system will be utilizing software incompatible -+ with these features. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. -+ -+config GRKERNSEC_HARDENED_VIRTUALIZATION -+ bool "Hardened Gentoo [virtualization]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_AUDIT_PTRACE -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_HARDEN_PTRACE -+ select GRKERNSEC_PTRACE_READEXEC -+ select GRKERNSEC_SETXID -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_RWXMAP_LOG -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select PAX -+ select PAX_ASLR -+ select PAX_RANDKSTACK if (X86_TSC && X86) -+ select PAX_RANDUSTACK -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_HAVE_ACL_FLAGS -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ select PAX_MEMORY_STACKLEAK if (!XEN) -+ help -+ If you say Y here, a configuration for grsecurity/PaX features -+ will be used that is endorsed by the Hardened Gentoo project. -+ These pre-defined security levels are designed to provide a high -+ level of security while minimizing incompatibilities with a majority -+ of Gentoo's available software. -+ -+ This "Hardened Gentoo [virtualization]" level is identical to the -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred -+ security level if the system will be utilizing virtualization software -+ incompatible with these features, like VirtualBox or kvm. -+ -+ When this level is selected, some security features will be forced on, -+ while others will default to their suggested values of off or on. The -+ later can be tweaked at the user's discretion, but may cause problems -+ in some situations. You can fully customize all grsecurity/PaX features -+ by choosing "Custom" in the Security Level menu. It may be helpful to -+ inherit the options selected by this security level as a starting point. -+ To accomplish this, select this security level, then exit the menuconfig -+ interface, saving changes when prompted. Run make menuconfig again and -+ select the "Custom" level. -+ - config GRKERNSEC_CUSTOM - bool "Custom" - help -diff -Naur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 -+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 -@@ -360,9 +360,10 @@ - - config PAX_KERNEXEC - bool "Enforce non-executable kernel pages" -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) - select PAX_KERNEXEC_PLUGIN if X86_64 -+ default y if GRKERNSEC_HARDENED_WORKSTATION - help - This is the kernel land equivalent of PAGEEXEC and MPROTECT, - that is, enabling this option will make it harder to inject -@@ -373,30 +374,30 @@ - - choice - prompt "Return Address Instrumentation Method" -- default PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ default PAX_KERNEXEC_PLUGIN_METHOD_OR - depends on PAX_KERNEXEC_PLUGIN - help - Select the method used to instrument function pointer dereferences. - Note that binary modules cannot be instrumented by this approach. - -- config PAX_KERNEXEC_PLUGIN_METHOD_BTS -- bool "bts" -- help -- This method is compatible with binary only modules but has -- a higher runtime overhead. -- - config PAX_KERNEXEC_PLUGIN_METHOD_OR - bool "or" - depends on !PARAVIRT - help - This method is incompatible with binary only modules but has - a lower runtime overhead. -+ -+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS -+ bool "bts" -+ help -+ This method is compatible with binary only modules but has -+ a higher runtime overhead. - endchoice - - config PAX_KERNEXEC_PLUGIN_METHOD - string -- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS - default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR -+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS - default "" - - config PAX_KERNEXEC_MODULE_TEXT -@@ -553,8 +554,9 @@ - - config PAX_MEMORY_UDEREF - bool "Prevent invalid userland pointer dereference" -- depends on X86 && !UML_X86 && !XEN -+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION - select PAX_PER_CPU_PGD if X86_64 -+ default y if GRKERNSEC_HARDENED_WORKSTATION - help - By saying Y here the kernel will be prevented from dereferencing - userland pointers in contexts where the kernel expects only kernel -- cgit v1.2.3