From 4895dfb5e3c3b27c4cb626a1872ad3e572fe4625 Mon Sep 17 00:00:00 2001 From: "Anthony G. Basile" Date: Sat, 22 Jan 2011 10:13:32 -0500 Subject: Tweaked Gentoo's SERVER and WORKSTATION GRSEC options --- 2.6.32/4435_grsec-kconfig-gentoo.patch | 26 ++++++++++++++++---------- 2.6.37/4435_grsec-kconfig-gentoo.patch | 26 ++++++++++++++++---------- 2 files changed, 32 insertions(+), 20 deletions(-) diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch index 837e411..1c08801 100644 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch @@ -16,8 +16,8 @@ The original version of this patch was conceived and created by: Ned Ludd diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig ---- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-21 20:13:54.000000000 -0500 -+++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-21 20:46:38.000000000 -0500 +--- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-22 06:53:30.000000000 -0500 ++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-22 10:07:08.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" @@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,210 @@ +@@ -191,6 +191,216 @@ - Ptrace restrictions - Restricted vm86 mode @@ -65,9 +65,11 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX 
@@ -79,8 +81,8 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) ++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) ++ select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC @@ -89,7 +91,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help + If you say Y here, a configuration will be used that is endorsed by @@ -135,7 +137,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + impact on performance. + +config GRKERNSEC_HARDENED_WORKSTATION -+ bool "Hardened Gentoo [workstation]" ++ bool "Hardened Gentoo [workstation or virtualization host]" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_EXECVE @@ -163,12 +165,16 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET ++ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) ++ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX 
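Review bot: The new `&& !XEN` guards on `select PAX_KERNEXEC` and `select PAX_MEMORY_UDEREF` make the server profile silently lose both protections on a Xen kernel, and nothing in the entry tells the user so; the help text that begins at the end of this file's next hunk ("If you say Y here, a configuration will be used that is endorsed by …", continuing outside the hunk) should say it, e.g. `PaX KERNEXEC and UDEREF are not enabled when CONFIG_XEN is set.` Kconfig `select` does not honour the selected symbol's own `depends on`, so these expressions have to reproduce PAX_KERNEXEC's and PAX_MEMORY_UDEREF's real dependency lists (not visible here) exactly — if either excludes more than Xen, the profile can force the option on in an unsupported configuration and the only signal is an "unmet direct dependencies" warning at configure time. Widening UDEREF from `X86_32` to `X86` is presumably deliberate; a one-line comment saying so would keep the next maintainer from reading it as a typo. The GRKERNSEC_HARDENED_SERVER entry starts and ends outside this hunk.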
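Review bot: The two commented-out lines `+ # select GRKERNSEC_PROC_ADD` and `+ # select GRKERNSEC_IO if (X86)` record a decision without its reason, and a Kconfig comment is where the next maintainer will look for it; replace each with a comment stating why the workstation/virtualization-host profile omits the option, e.g. `# GRKERNSEC_IO intentionally off: virtualization hosts need raw I/O port access — confirm` (that reason is inferred from the renamed prompt in the earlier hunk, not stated anywhere in this one). GRKERNSEC_HARDEN_PTRACE is now also selected here; if it restricts ptrace attachment as its name suggests, that changes `gdb -p` / `strace -p` behaviour on a developer workstation and belongs in this entry's help text, which starts outside the hunk. The GRKERNSEC_HARDENED_WORKSTATION entry begins in the previous hunk and continues past this one.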
@@ -180,8 +186,8 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) ++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) ++ # select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC @@ -190,7 +196,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help + If you say Y here, a configuration will be used that is endorsed by diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch index 837e411..1c08801 100644 --- a/2.6.37/4435_grsec-kconfig-gentoo.patch +++ b/2.6.37/4435_grsec-kconfig-gentoo.patch @@ -16,8 +16,8 @@ The original version of this patch was conceived and created by: Ned Ludd diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig ---- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-21 20:13:54.000000000 -0500 -+++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-21 20:46:38.000000000 -0500 +--- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-22 06:53:30.000000000 -0500 ++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-22 10:07:08.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" 
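Review bot: Commenting out `select PAX_MEMORY_UDEREF` removes UDEREF from every workstation build, not only virtualization hosts — the old line `select PAX_MEMORY_UDEREF if (X86_32)` enabled it on 32-bit workstations, so a bare-metal workstation user who picks this profile now loses a protection they had before, with no help-text change to say so. If the motivation is the virtualization-host case (inferred from the prompt rename in an earlier hunk; this hunk does not say), the XEN-aware form the server profile uses, `select PAX_MEMORY_UDEREF if (X86 && !XEN)`, keeps UDEREF for the common case and drops it only where it conflicts; if KVM or other hypervisor hosts also need it off, a separate `config GRKERNSEC_HARDENED_VIRTUALIZATION` choice entry with these two selects omitted would avoid weakening the workstation profile for everyone. Either way this entry's help text (outside the hunk) should list which PaX features the profile leaves disabled. The GRKERNSEC_HARDENED_WORKSTATION entry starts and ends outside this hunk.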
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,210 @@ +@@ -191,6 +191,216 @@ - Ptrace restrictions - Restricted vm86 mode @@ -65,9 +65,11 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX @@ -79,8 +81,8 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) ++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) ++ select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC @@ -89,7 +91,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help + If you say Y here, a configuration will be used that is endorsed by 
@@ -135,7 +137,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + impact on performance. + +config GRKERNSEC_HARDENED_WORKSTATION -+ bool "Hardened Gentoo [workstation]" ++ bool "Hardened Gentoo [workstation or virtualization host]" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_EXECVE @@ -163,12 +165,16 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET ++ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) ++ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX @@ -180,8 +186,8 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS -+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) ++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) ++ # select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC @@ -190,7 +196,7 @@ diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/g + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help + If you say Y here, a configuration will be used that is endorsed by -- cgit v1.2.3-65-gdbad
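Review bot: The 2.6.37 copy of this patch is byte-identical to the 2.6.32 copy — both file headers carry `index 837e411..1c08801`, and the 2.6.32 copy's inner headers name `linux-2.6.37-hardened.orig/grsecurity/Kconfig` — so the same Kconfig text is maintained twice and the points raised on the 2.6.32 hunks apply here unchanged. Duplicated copies drift the next time only one tree is touched; if the grsecurity/Kconfig being patched really is the same in both trees, consider generating one file from the other, or at least a note in the patch preamble that the two must stay in sync. Also confirm the 2.6.32 copy still applies to the 2.6.32 grsecurity/Kconfig, since the inner `@@ -191,6 +191,216 @@` offsets appear to come from the 2.6.37 file.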