commit: 000dbd34d0c3725fcf3d9a752bb4ba12828b964e |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Mon Feb 21 17:07:11 2011 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 21 17:07:11 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=000dbd34 |
|
Updated PaX config for WORKSTATION and VIRTUALIZATION |
Unforced default y KERNEXEC and UDEREF for WORKSTATION |
Force KERNEXEC and UDEREF off for VIRTUALIZATION |
|
--- |
2.6.32/4435_grsec-kconfig-gentoo.patch | 29 +++++++++++++++++++++++++++-- |
2.6.37/4435_grsec-kconfig-gentoo.patch | 29 +++++++++++++++++++++++++++-- |
2 files changed, 54 insertions(+), 4 deletions(-) |
|
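--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@g.o>
 
 diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
---- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-02 09:18:14.000000000 -0500
-+++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-02 09:43:28.000000000 -0500
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500
 @@ -18,7 +18,7 @@
 choice
 prompt "Security Level"
@@ -289,3 +289,28 @@ diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardene
 config GRKERNSEC_CUSTOM
 bool "Custom"
 help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+ 
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+ 
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel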
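Review bot: The security/Kconfig hunks added to 2.6.32/4435_grsec-kconfig-gentoo.patch are a verbatim copy of the 2.6.37 ones (both sections carry `index 87984fb..d67ab0d`), so their `diff -Naur linux-2.6.37-hardened-r2...` headers and the `@@ -324,8 +324,9 @@` / `@@ -461,8 +462,9 @@` offsets were presumably generated against a 2.6.37 tree; `patch -p1` discards the directory prefix, but the line offsets may only apply with fuzz against a 2.6.32 security/Kconfig, so the 2.6.32 copy should be regenerated from, or at least test-applied to, a 2.6.32 tree. Separately, appending `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` to the `depends on` of PAX_KERNEXEC and PAX_MEMORY_UDEREF hides both options entirely for that security level, which matches the commit message's "force off" but leaves no rationale next to the existing `!XEN` term; a one-line comment above each `depends on`, `# hidden for the VIRTUALIZATION level: <reason>`, would tell a later maintainer whether this is a compatibility exclusion or a deliberate policy trade-off. The `default y if GRKERNSEC_HARDENED_WORKSTATION` lines only take effect when PAX_NOEXEC and the other dependency terms are already satisfied, which the grsecurity/Kconfig side of this patch (not in view) presumably arranges. The same points apply to the identical section for 2.6.37/4435_grsec-kconfig-gentoo.patch below.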
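--- a/2.6.37/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.37/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@g.o>
 
 diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig
---- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-02 09:18:14.000000000 -0500
-+++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-02 09:43:28.000000000 -0500
+--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500
++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500
 @@ -18,7 +18,7 @@
 choice
 prompt "Security Level"
@@ -289,3 +289,28 @@ diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardene
 config GRKERNSEC_CUSTOM
 bool "Custom"
 help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+ 
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+ 
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel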