commit: 386d50181178e9320f033575d3eabc2017a7b7ae |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Mon Jul 9 23:55:51 2012 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Mon Jul 9 23:55:51 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=386d5018 |
|
Sync gentoo patches with new Kconfig structure |
|
--- |
2.6.32/0000_README | 16 - |
2.6.32/4445_grsec-pax-without-grsec.patch | 91 ------ |
2.6.32/4450_grsec-kconfig-default-gids.patch | 43 ++-- |
2.6.32/4455_grsec-kconfig-gentoo.patch | 357 ----------------------- |
2.6.32/4460-grsec-kconfig-proc-user.patch | 26 -- |
2.6.32/4465_selinux-avc_audit-log-curr_ip.patch | 2 +- |
2.6.32/4470_disable-compat_vdso.patch | 2 +- |
3.2.22/0000_README | 16 - |
3.2.22/4445_grsec-pax-without-grsec.patch | 91 ------ |
3.2.22/4455_grsec-kconfig-gentoo.patch | 357 ----------------------- |
3.2.22/4460-grsec-kconfig-proc-user.patch | 26 -- |
3.4.4/0000_README | 4 + |
12 files changed, 31 insertions(+), 1000 deletions(-) |
|
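diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 2011830..a0df600 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -48,27 +48,11 @@ Patch: 4440_grsec-remove-protected-paths.patch
 From: Anthony G. Basile <blueness@g.o>
 Desc: Removes chmod statements from grsecurity/Makefile
 
-Patch: 4445_grsec-pax-without-grsec.patch
-From: Gordon Malm <gengor@g.o>
-Desc: Allows PaX features to be selected without enabling GRKERNSEC
-
 Patch: 4450_grsec-kconfig-default-gids.patch
 From: Kerin Millar <kerframil@×××××.com>
 Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
 features
 
-Patch: 4455_grsec-kconfig-gentoo.patch
-From: Gordon Malm <gengor@g.o>
- Kerin Millar <kerframil@×××××.com>
- Anthony G. Basile <blueness@g.o>
-Desc: Adds Hardened Gentoo [server/workstation/virtualization] security
- levels, sets Hardened Gentoo [workstation] as default
-
-Patch: 4460-grsec-kconfig-proc-user.patch
-From: Anthony G. Basile <blueness@g.o>
-Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
- exclusive to avoid bug #366019.
-
 Patch: 4465_selinux-avc_audit-log-curr_ip.patch
 From: Gordon Malm <gengor@g.o>
 Anthony G. Basile <blueness@g.o>
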
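diff --git a/2.6.32/4445_grsec-pax-without-grsec.patch b/2.6.32/4445_grsec-pax-without-grsec.patch
deleted file mode 100644
index f07b2df..0000000
--- a/2.6.32/4445_grsec-pax-without-grsec.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Anthony G. Basile <blueness@g.o>
-
-With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
-pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
-This patch has been updated to reflect that change.
-
-With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn.
-This patch has been updated to reflect that change.
---
-From: Jory Pratt <anarchy@g.o>
-Updated patch for kernel 2.6.32
-
-The credits/description from the original version of this patch remain accurate
-and are included below.
---
-From: Gordon Malm <gengor@g.o>
-
-Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
-
-This patch has been updated to keep current with newer kernel versions.
-The original version of this patch contained no credits/description.
-
-diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
---- a/arch/x86/mm/fault.c 2011-04-17 18:15:54.000000000 -0400
-+++ b/arch/x86/mm/fault.c 2011-04-17 18:28:11.000000000 -0400
-@@ -662,10 +662,12 @@
-
- #ifdef CONFIG_PAX_KERNEXEC
- if (init_mm.start_code <= address && address < init_mm.end_code) {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- else
-+#endif
- printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- current->comm, task_pid_nr(current), current_uid(), current_euid());
- }
-diff -Naur a/fs/exec.c b/fs/exec.c
---- a/fs/exec.c 2011-04-17 18:15:55.000000000 -0400
-+++ b/fs/exec.c 2011-04-17 18:29:40.000000000 -0400
-@@ -1849,9 +1849,11 @@
- }
- up_read(&mm->mmap_sem);
- }
-+#ifdef CONFIG_GRKERNSEC
- if (tsk->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
- else
-+#endif
- printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
- printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
- "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -1866,10 +1868,12 @@
- #ifdef CONFIG_PAX_REFCOUNT
- void pax_report_refcount_overflow(struct pt_regs *regs)
- {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- else
-+#endif
- printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- current->comm, task_pid_nr(current), current_uid(), current_euid());
- print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -1928,10 +1932,12 @@
-
- __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
- {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- else
-+#endif
- printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
-
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-04-17 18:15:55.000000000 -0400
-+++ b/security/Kconfig 2011-04-17 18:28:11.000000000 -0400
-@@ -29,7 +29,7 @@
-
- config PAX
- bool "Enable various PaX features"
-- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
-+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
- help
- This allows you to enable various PaX features. PaX adds
- intrusion prevention mechanisms to the kernel that reduce
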
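diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
index 8c6f609..038bb2e 100644
--- a/2.6.32/4450_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
@@ -1,3 +1,7 @@
+From: Anthony G. Basile <blueness@g.o>
+Updated patch for the new Kconfig system for >=3.4.4
+
+---
 From: Kerin Millar <kerframil@×××××.com>
 
 grsecurity contains a number of options which allow certain protections
@@ -9,19 +13,10 @@ attention to the finer points of kernel configuration, it is probably
 wise to specify some reasonable defaults so as to stop careless users
 from shooting themselves in the foot.
 
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-12-12 15:11:47.000000000 -0500
-+++ b/grsecurity/Kconfig 2011-12-12 15:13:17.000000000 -0500
-@@ -442,7 +442,7 @@
- config GRKERNSEC_PROC_GID
- int "GID for special group"
- depends on GRKERNSEC_PROC_USERGROUP
-- default 1001
-+ default 10
-
- config GRKERNSEC_PROC_ADD
- bool "Additional restrictions"
-@@ -670,7 +670,7 @@
+diff -Nuar a/grsecurity/Kconfig b/Kconfig
+--- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400
++++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400
+@@ -519,7 +519,7 @@
 config GRKERNSEC_AUDIT_GID
 int "GID for auditing"
 depends on GRKERNSEC_AUDIT_GROUP
@@ -30,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 
 config GRKERNSEC_EXECLOG
 bool "Exec logging"
-@@ -874,7 +874,7 @@
+@@ -734,7 +734,7 @@
 config GRKERNSEC_TPE_GID
 int "GID for untrusted users"
 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -39,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -883,7 +883,7 @@
+@@ -743,7 +743,7 @@
 config GRKERNSEC_TPE_GID
 int "GID for trusted users"
 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -48,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -956,7 +956,7 @@
+@@ -818,7 +818,7 @@
 config GRKERNSEC_SOCKET_ALL_GID
 int "GID to deny all sockets for"
 depends on GRKERNSEC_SOCKET_ALL
@@ -57,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable socket access for. Remember to
 add the users you want socket access disabled for to the GID
-@@ -977,7 +977,7 @@
+@@ -839,7 +839,7 @@
 config GRKERNSEC_SOCKET_CLIENT_GID
 int "GID to deny client sockets for"
 depends on GRKERNSEC_SOCKET_CLIENT
@@ -66,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable client socket access for.
 Remember to add the users you want client socket access disabled for to
-@@ -995,7 +995,7 @@
+@@ -857,7 +857,7 @@
 config GRKERNSEC_SOCKET_SERVER_GID
 int "GID to deny server sockets for"
 depends on GRKERNSEC_SOCKET_SERVER
@@ -75,3 +70,15 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable server socket access for.
 Remember to add the users you want server socket access disabled for to
+diff -Nuar a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400
++++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400
+@@ -186,7 +186,7 @@
+
+ config GRKERNSEC_PROC_GID
+ int "GID exempted from /proc restrictions"
+- default 1001
++ default 10
+ help
+ Setting this GID determines which group will be exempted from
+ grsecurity's /proc restrictions, allowing users of the specified
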
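Review bot: The new inner diff header `+diff -Nuar a/grsecurity/Kconfig b/Kconfig` names `b/Kconfig` while the `+++` line two lines below names `b/grsecurity/Kconfig`; `patch -p1` takes its target from the `---`/`+++` pair so the hunks still apply, but the header misleads a reader and should be `diff -Nuar a/grsecurity/Kconfig b/grsecurity/Kconfig`. The new header line `Updated patch for the new Kconfig system for >=3.4.4` lives in the 2.6.32 patchset, so it is unclear whether the restructured grsecurity Kconfig is also what the 2.6.32 grsecurity patch now ships; wording such as `Updated patch for the restructured grsecurity Kconfig (GRKERNSEC_PROC_GID moved to security/Kconfig)` would describe the file it sits in rather than a kernel version. The diffstat shows no matching change to 3.2.22/4450_grsec-kconfig-default-gids.patch although 3.2.22/0000_README receives the same patch removals; if 3.2.22 is on the same Kconfig layout, its copy presumably needs the same hunk offsets — worth confirming. In the moved GRKERNSEC_PROC_GID hunk (`+@@ -186,7 +186,7 @@` in security/Kconfig) the context no longer shows the `depends on GRKERNSEC_PROC_USERGROUP` line the removed grsecurity/Kconfig hunk carried; since this GID is the group exempted from grsecurity's /proc restrictions, it would help to state in the patch header whether that dependency still gates the option in the new layout.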
254 |
diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch |
255 |
deleted file mode 100644 |
256 |
index e18ba0b..0000000 |
257 |
--- a/2.6.32/4455_grsec-kconfig-gentoo.patch |
258 |
+++ /dev/null |
259 |
@@ -1,357 +0,0 @@ |
260 |
-From: Anthony G. Basile <blueness@g.o> |
261 |
-From: Gordon Malm <gengor@g.o> |
262 |
-From: Jory A. Pratt <anarchy@g.o> |
263 |
-From: Kerin Millar <kerframil@×××××.com> |
264 |
- |
265 |
-Add Hardened Gentoo [server/workstation] predefined grsecurity |
266 |
-levels. They're designed to provide a comparitively high level of |
267 |
-security while remaining generally suitable for as great a majority |
268 |
-of the userbase as possible (particularly new users). |
269 |
- |
270 |
-Make Hardened Gentoo [workstation] predefined grsecurity level the |
271 |
-default. The Hardened Gentoo [server] level is more restrictive |
272 |
-and conflicts with some software and thus would be less suitable. |
273 |
- |
274 |
-The original version of this patch was conceived and created by: |
275 |
-Ned Ludd <solar@g.o> |
276 |
- |
277 |
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
278 |
---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 |
279 |
-+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 |
280 |
-@@ -18,7 +18,7 @@ |
281 |
- choice |
282 |
- prompt "Security Level" |
283 |
- depends on GRKERNSEC |
284 |
-- default GRKERNSEC_CUSTOM |
285 |
-+ default GRKERNSEC_HARDENED_WORKSTATION |
286 |
- |
287 |
- config GRKERNSEC_LOW |
288 |
- bool "Low" |
289 |
-@@ -192,6 +192,262 @@ |
290 |
- - Restricted sysfs/debugfs |
291 |
- - Active kernel exploit response |
292 |
- |
293 |
-+config GRKERNSEC_HARDENED_SERVER |
294 |
-+ bool "Hardened Gentoo [server]" |
295 |
-+ select GRKERNSEC_LINK |
296 |
-+ select GRKERNSEC_FIFO |
297 |
-+ select GRKERNSEC_DMESG |
298 |
-+ select GRKERNSEC_FORKFAIL |
299 |
-+ select GRKERNSEC_TIME |
300 |
-+ select GRKERNSEC_SIGNAL |
301 |
-+ select GRKERNSEC_CHROOT |
302 |
-+ select GRKERNSEC_CHROOT_SHMAT |
303 |
-+ select GRKERNSEC_CHROOT_UNIX |
304 |
-+ select GRKERNSEC_CHROOT_MOUNT |
305 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
306 |
-+ select GRKERNSEC_CHROOT_PIVOT |
307 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
308 |
-+ select GRKERNSEC_CHROOT_CHDIR |
309 |
-+ select GRKERNSEC_CHROOT_MKNOD |
310 |
-+ select GRKERNSEC_CHROOT_CAPS |
311 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
312 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
313 |
-+ select GRKERNSEC_SYSFS_RESTRICT |
314 |
-+ select GRKERNSEC_PROC |
315 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
316 |
-+ select GRKERNSEC_HIDESYM |
317 |
-+ select GRKERNSEC_BRUTE |
318 |
-+ select GRKERNSEC_PROC_USERGROUP |
319 |
-+ select GRKERNSEC_KMEM |
320 |
-+ select GRKERNSEC_RESLOG |
321 |
-+ select GRKERNSEC_AUDIT_PTRACE |
322 |
-+ select GRKERNSEC_RANDNET |
323 |
-+ select GRKERNSEC_PROC_ADD |
324 |
-+ select GRKERNSEC_CHROOT_CHMOD |
325 |
-+ select GRKERNSEC_CHROOT_NICE |
326 |
-+ select GRKERNSEC_AUDIT_MOUNT |
327 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
328 |
-+ select GRKERNSEC_HARDEN_PTRACE |
329 |
-+ select GRKERNSEC_PTRACE_READEXEC |
330 |
-+ select GRKERNSEC_SETXID |
331 |
-+ select GRKERNSEC_VM86 if (X86_32) |
332 |
-+ select GRKERNSEC_IO |
333 |
-+ select GRKERNSEC_PROC_IPADDR |
334 |
-+ select GRKERNSEC_RWXMAP_LOG |
335 |
-+ select GRKERNSEC_SYSCTL |
336 |
-+ select GRKERNSEC_SYSCTL_ON |
337 |
-+ select PAX |
338 |
-+ select PAX_ASLR |
339 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
340 |
-+ select PAX_RANDUSTACK |
341 |
-+ select PAX_RANDMMAP |
342 |
-+ select PAX_NOEXEC |
343 |
-+ select PAX_MPROTECT |
344 |
-+ select PAX_EI_PAX |
345 |
-+ select PAX_PT_PAX_FLAGS |
346 |
-+ select PAX_HAVE_ACL_FLAGS |
347 |
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
348 |
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN) |
349 |
-+ select PAX_SEGMEXEC if (X86_32) |
350 |
-+ select PAX_PAGEEXEC |
351 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
352 |
-+ select PAX_EMUTRAMP if (PARISC) |
353 |
-+ select PAX_EMUSIGRT if (PARISC) |
354 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
355 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
356 |
-+ select PAX_MEMORY_SANITIZE |
357 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
358 |
-+ help |
359 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
360 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
361 |
-+ These pre-defined security levels are designed to provide a high |
362 |
-+ level of security while minimizing incompatibilities with a majority |
363 |
-+ of Gentoo's available software. |
364 |
-+ |
365 |
-+ This "Hardened Gentoo [server]" level is identical to the |
366 |
-+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, |
367 |
-+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred |
368 |
-+ security level if the system will not be utilizing software incompatible |
369 |
-+ with these features. |
370 |
-+ |
371 |
-+ When this level is selected, some security features will be forced on, |
372 |
-+ while others will default to their suggested values of off or on. The |
373 |
-+ later can be tweaked at the user's discretion, but may cause problems |
374 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
375 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
376 |
-+ inherit the options selected by this security level as a starting point. |
377 |
-+ To accomplish this, select this security level, then exit the menuconfig |
378 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
379 |
-+ select the "Custom" level. |
380 |
-+ |
381 |
-+config GRKERNSEC_HARDENED_WORKSTATION |
382 |
-+ bool "Hardened Gentoo [workstation]" |
383 |
-+ select GRKERNSEC_LINK |
384 |
-+ select GRKERNSEC_FIFO |
385 |
-+ select GRKERNSEC_DMESG |
386 |
-+ select GRKERNSEC_FORKFAIL |
387 |
-+ select GRKERNSEC_TIME |
388 |
-+ select GRKERNSEC_SIGNAL |
389 |
-+ select GRKERNSEC_CHROOT |
390 |
-+ select GRKERNSEC_CHROOT_SHMAT |
391 |
-+ select GRKERNSEC_CHROOT_UNIX |
392 |
-+ select GRKERNSEC_CHROOT_MOUNT |
393 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
394 |
-+ select GRKERNSEC_CHROOT_PIVOT |
395 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
396 |
-+ select GRKERNSEC_CHROOT_CHDIR |
397 |
-+ select GRKERNSEC_CHROOT_MKNOD |
398 |
-+ select GRKERNSEC_CHROOT_CAPS |
399 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
400 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
401 |
-+ select GRKERNSEC_PROC |
402 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
403 |
-+ select GRKERNSEC_HIDESYM |
404 |
-+ select GRKERNSEC_BRUTE |
405 |
-+ select GRKERNSEC_PROC_USERGROUP |
406 |
-+ select GRKERNSEC_KMEM |
407 |
-+ select GRKERNSEC_RESLOG |
408 |
-+ select GRKERNSEC_AUDIT_PTRACE |
409 |
-+ select GRKERNSEC_RANDNET |
410 |
-+ select GRKERNSEC_CHROOT_CHMOD |
411 |
-+ select GRKERNSEC_CHROOT_NICE |
412 |
-+ select GRKERNSEC_AUDIT_MOUNT |
413 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
414 |
-+ select GRKERNSEC_HARDEN_PTRACE |
415 |
-+ select GRKERNSEC_PTRACE_READEXEC |
416 |
-+ select GRKERNSEC_SETXID |
417 |
-+ select GRKERNSEC_VM86 if (X86_32) |
418 |
-+ select GRKERNSEC_PROC_IPADDR |
419 |
-+ select GRKERNSEC_RWXMAP_LOG |
420 |
-+ select GRKERNSEC_SYSCTL |
421 |
-+ select GRKERNSEC_SYSCTL_ON |
422 |
-+ select PAX |
423 |
-+ select PAX_ASLR |
424 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
425 |
-+ select PAX_RANDUSTACK |
426 |
-+ select PAX_RANDMMAP |
427 |
-+ select PAX_NOEXEC |
428 |
-+ select PAX_MPROTECT |
429 |
-+ select PAX_EI_PAX |
430 |
-+ select PAX_PT_PAX_FLAGS |
431 |
-+ select PAX_HAVE_ACL_FLAGS |
432 |
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
433 |
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN) |
434 |
-+ select PAX_SEGMEXEC if (X86_32) |
435 |
-+ select PAX_PAGEEXEC |
436 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
437 |
-+ select PAX_EMUTRAMP if (PARISC) |
438 |
-+ select PAX_EMUSIGRT if (PARISC) |
439 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
440 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
441 |
-+ select PAX_MEMORY_SANITIZE |
442 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
443 |
-+ help |
444 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
445 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
446 |
-+ These pre-defined security levels are designed to provide a high |
447 |
-+ level of security while minimizing incompatibilities with a majority |
448 |
-+ of Gentoo's available software. |
449 |
-+ |
450 |
-+ This "Hardened Gentoo [workstation]" level is identical to the |
451 |
-+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and |
452 |
-+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred |
453 |
-+ security level if the system will be utilizing software incompatible |
454 |
-+ with these features. |
455 |
-+ |
456 |
-+ When this level is selected, some security features will be forced on, |
457 |
-+ while others will default to their suggested values of off or on. The |
458 |
-+ later can be tweaked at the user's discretion, but may cause problems |
459 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
460 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
461 |
-+ inherit the options selected by this security level as a starting point. |
462 |
-+ To accomplish this, select this security level, then exit the menuconfig |
463 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
464 |
-+ select the "Custom" level. |
465 |
-+ |
466 |
-+config GRKERNSEC_HARDENED_VIRTUALIZATION |
467 |
-+ bool "Hardened Gentoo [virtualization]" |
468 |
-+ select GRKERNSEC_LINK |
469 |
-+ select GRKERNSEC_FIFO |
470 |
-+ select GRKERNSEC_DMESG |
471 |
-+ select GRKERNSEC_FORKFAIL |
472 |
-+ select GRKERNSEC_TIME |
473 |
-+ select GRKERNSEC_SIGNAL |
474 |
-+ select GRKERNSEC_CHROOT |
475 |
-+ select GRKERNSEC_CHROOT_SHMAT |
476 |
-+ select GRKERNSEC_CHROOT_UNIX |
477 |
-+ select GRKERNSEC_CHROOT_MOUNT |
478 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
479 |
-+ select GRKERNSEC_CHROOT_PIVOT |
480 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
481 |
-+ select GRKERNSEC_CHROOT_CHDIR |
482 |
-+ select GRKERNSEC_CHROOT_MKNOD |
483 |
-+ select GRKERNSEC_CHROOT_CAPS |
484 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
485 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
486 |
-+ select GRKERNSEC_PROC |
487 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
488 |
-+ select GRKERNSEC_HIDESYM |
489 |
-+ select GRKERNSEC_BRUTE |
490 |
-+ select GRKERNSEC_PROC_USERGROUP |
491 |
-+ select GRKERNSEC_KMEM |
492 |
-+ select GRKERNSEC_RESLOG |
493 |
-+ select GRKERNSEC_AUDIT_PTRACE |
494 |
-+ select GRKERNSEC_RANDNET |
495 |
-+ select GRKERNSEC_CHROOT_CHMOD |
496 |
-+ select GRKERNSEC_CHROOT_NICE |
497 |
-+ select GRKERNSEC_AUDIT_MOUNT |
498 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
499 |
-+ select GRKERNSEC_HARDEN_PTRACE |
500 |
-+ select GRKERNSEC_PTRACE_READEXEC |
501 |
-+ select GRKERNSEC_SETXID |
502 |
-+ select GRKERNSEC_VM86 if (X86_32) |
503 |
-+ select GRKERNSEC_PROC_IPADDR |
504 |
-+ select GRKERNSEC_RWXMAP_LOG |
505 |
-+ select GRKERNSEC_SYSCTL |
506 |
-+ select GRKERNSEC_SYSCTL_ON |
507 |
-+ select PAX |
508 |
-+ select PAX_ASLR |
509 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
510 |
-+ select PAX_RANDUSTACK |
511 |
-+ select PAX_RANDMMAP |
512 |
-+ select PAX_NOEXEC |
513 |
-+ select PAX_MPROTECT |
514 |
-+ select PAX_EI_PAX |
515 |
-+ select PAX_PT_PAX_FLAGS |
516 |
-+ select PAX_HAVE_ACL_FLAGS |
517 |
-+ select PAX_SEGMEXEC if (X86_32) |
518 |
-+ select PAX_PAGEEXEC |
519 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
520 |
-+ select PAX_EMUTRAMP if (PARISC) |
521 |
-+ select PAX_EMUSIGRT if (PARISC) |
522 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
523 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
524 |
-+ select PAX_MEMORY_SANITIZE |
525 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
526 |
-+ help |
527 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
528 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
529 |
-+ These pre-defined security levels are designed to provide a high |
530 |
-+ level of security while minimizing incompatibilities with a majority |
531 |
-+ of Gentoo's available software. |
532 |
-+ |
533 |
-+ This "Hardened Gentoo [virtualization]" level is identical to the |
534 |
-+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and |
535 |
-+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred |
536 |
-+ security level if the system will be utilizing virtualization software |
537 |
-+ incompatible with these features, like VirtualBox or kvm. |
538 |
-+ |
539 |
-+ When this level is selected, some security features will be forced on, |
540 |
-+ while others will default to their suggested values of off or on. The |
541 |
-+ later can be tweaked at the user's discretion, but may cause problems |
542 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
543 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
544 |
-+ inherit the options selected by this security level as a starting point. |
545 |
-+ To accomplish this, select this security level, then exit the menuconfig |
546 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
547 |
-+ select the "Custom" level. |
548 |
-+ |
549 |
- config GRKERNSEC_CUSTOM |
550 |
- bool "Custom" |
551 |
- help |
552 |
-diff -Naur a/security/Kconfig b/security/Kconfig |
553 |
---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 |
554 |
-+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 |
555 |
-@@ -360,9 +360,10 @@ |
556 |
- |
557 |
- config PAX_KERNEXEC |
558 |
- bool "Enforce non-executable kernel pages" |
559 |
-- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN |
560 |
-+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION |
561 |
- select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) |
562 |
- select PAX_KERNEXEC_PLUGIN if X86_64 |
563 |
-+ default y if GRKERNSEC_HARDENED_WORKSTATION |
564 |
- help |
565 |
- This is the kernel land equivalent of PAGEEXEC and MPROTECT, |
566 |
- that is, enabling this option will make it harder to inject |
567 |
-@@ -373,30 +374,30 @@ |
568 |
- |
569 |
- choice |
570 |
- prompt "Return Address Instrumentation Method" |
571 |
-- default PAX_KERNEXEC_PLUGIN_METHOD_BTS |
572 |
-+ default PAX_KERNEXEC_PLUGIN_METHOD_OR |
573 |
- depends on PAX_KERNEXEC_PLUGIN |
574 |
- help |
575 |
- Select the method used to instrument function pointer dereferences. |
576 |
- Note that binary modules cannot be instrumented by this approach. |
577 |
- |
578 |
-- config PAX_KERNEXEC_PLUGIN_METHOD_BTS |
579 |
-- bool "bts" |
580 |
-- help |
581 |
-- This method is compatible with binary only modules but has |
582 |
-- a higher runtime overhead. |
583 |
-- |
584 |
- config PAX_KERNEXEC_PLUGIN_METHOD_OR |
585 |
- bool "or" |
586 |
- depends on !PARAVIRT |
587 |
- help |
588 |
- This method is incompatible with binary only modules but has |
589 |
- a lower runtime overhead. |
590 |
-+ |
591 |
-+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS |
592 |
-+ bool "bts" |
593 |
-+ help |
594 |
-+ This method is compatible with binary only modules but has |
595 |
-+ a higher runtime overhead. |
596 |
- endchoice |
597 |
- |
598 |
- config PAX_KERNEXEC_PLUGIN_METHOD |
599 |
- string |
600 |
-- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS |
601 |
- default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR |
602 |
-+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS |
603 |
- default "" |
604 |
- |
605 |
- config PAX_KERNEXEC_MODULE_TEXT |
606 |
-@@ -553,8 +554,9 @@ |
607 |
- |
608 |
- config PAX_MEMORY_UDEREF |
609 |
- bool "Prevent invalid userland pointer dereference" |
610 |
-- depends on X86 && !UML_X86 && !XEN |
611 |
-+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION |
612 |
- select PAX_PER_CPU_PGD if X86_64 |
613 |
-+ default y if GRKERNSEC_HARDENED_WORKSTATION |
614 |
- help |
615 |
- By saying Y here the kernel will be prevented from dereferencing |
616 |
- userland pointers in contexts where the kernel expects only kernel |
617 |
|
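diff --git a/2.6.32/4460-grsec-kconfig-proc-user.patch b/2.6.32/4460-grsec-kconfig-proc-user.patch
deleted file mode 100644
index 8409e87..0000000
--- a/2.6.32/4460-grsec-kconfig-proc-user.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Anthony G. Basile <blueness@g.o>
-
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
-in a different way to avoid bug #366019. This patch should eventually go upstream.
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
-@@ -679,7 +679,7 @@
-
- config GRKERNSEC_PROC_USER
- bool "Restrict /proc to user only"
-- depends on GRKERNSEC_PROC
-+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
- help
- If you say Y here, non-root users will only be able to view their own
- processes, and restricts them from viewing network-related information,
-@@ -687,7 +687,7 @@
-
- config GRKERNSEC_PROC_USERGROUP
- bool "Allow special group"
-- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+ depends on GRKERNSEC_PROC
- help
- If you say Y here, you will be able to select a group that will be
- able to view all processes and network-related information. If you've
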
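diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
index 43147a7..67d09ef 100644
--- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -1308,6 +1308,27 @@
+@@ -916,6 +916,27 @@
 menu "Logging Options"
 depends on GRKERNSEC
 
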
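diff --git a/2.6.32/4470_disable-compat_vdso.patch b/2.6.32/4470_disable-compat_vdso.patch
index c8e1aeb..a54092e 100644
--- a/2.6.32/4470_disable-compat_vdso.patch
+++ b/2.6.32/4470_disable-compat_vdso.patch
@@ -27,7 +27,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -1616,17 +1616,8 @@
+@@ -1625,17 +1625,8 @@
 
 config COMPAT_VDSO
 def_bool n
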
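diff --git a/3.2.22/0000_README b/3.2.22/0000_README
index b314927..ccfefdd 100644
--- a/3.2.22/0000_README
+++ b/3.2.22/0000_README
@@ -20,27 +20,11 @@ Patch: 4440_grsec-remove-protected-paths.patch
 From: Anthony G. Basile <blueness@g.o>
 Desc: Removes chmod statements from grsecurity/Makefile
 
-Patch: 4445_grsec-pax-without-grsec.patch
-From: Gordon Malm <gengor@g.o>
-Desc: Allows PaX features to be selected without enabling GRKERNSEC
-
 Patch: 4450_grsec-kconfig-default-gids.patch
 From: Kerin Millar <kerframil@×××××.com>
 Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
 features
 
-Patch: 4455_grsec-kconfig-gentoo.patch
-From: Gordon Malm <gengor@g.o>
- Kerin Millar <kerframil@×××××.com>
- Anthony G. Basile <blueness@g.o>
-Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels,
- sets Hardened Gentoo [workstation] as default
-
-Patch: 4460-grsec-kconfig-proc-user.patch
-From: Anthony G. Basile <blueness@g.o>
-Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
- exclusive to avoid bug #366019.
-
 Patch: 4465_selinux-avc_audit-log-curr_ip.patch
 From: Gordon Malm <gengor@g.o>
 Anthony G. Basile <blueness@g.o>
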
712 |
diff --git a/3.2.22/4445_grsec-pax-without-grsec.patch b/3.2.22/4445_grsec-pax-without-grsec.patch |
713 |
deleted file mode 100644 |
714 |
index 58301c0..0000000 |
715 |
--- a/3.2.22/4445_grsec-pax-without-grsec.patch |
716 |
+++ /dev/null |
717 |
@@ -1,91 +0,0 @@ |
718 |
-From: Anthony G. Basile <blueness@g.o> |
719 |
- |
720 |
-With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and |
721 |
-pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy. |
722 |
-This patch has been updated to reflect that change. |
723 |
- |
724 |
-With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn. |
725 |
-This patch has been updated to reflect that change. |
726 |
--- |
727 |
-From: Jory Pratt <anarchy@g.o> |
728 |
-Updated patch for kernel 2.6.32 |
729 |
- |
730 |
-The credits/description from the original version of this patch remain accurate |
731 |
-and are included below. |
732 |
--- |
733 |
-From: Gordon Malm <gengor@g.o> |
734 |
- |
735 |
-Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC. |
736 |
- |
737 |
-This patch has been updated to keep current with newer kernel versions. |
738 |
-The original version of this patch contained no credits/description. |
739 |
- |
740 |
-diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c |
741 |
---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400 |
742 |
-+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400 |
743 |
-@@ -657,10 +657,12 @@ |
744 |
- |
745 |
- #ifdef CONFIG_PAX_KERNEXEC |
746 |
- if (init_mm.start_code <= address && address < init_mm.end_code) { |
747 |
-+#ifdef CONFIG_GRKERNSEC |
748 |
- if (current->signal->curr_ip) |
749 |
- printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", |
750 |
- ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); |
751 |
- else |
752 |
-+#endif |
753 |
- printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", |
754 |
- current->comm, task_pid_nr(current), current_uid(), current_euid()); |
755 |
- } |
756 |
-diff -Naur a/fs/exec.c b/fs/exec.c |
757 |
---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400 |
758 |
-+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400 |
759 |
-@@ -2048,9 +2048,11 @@ |
760 |
- } |
761 |
- up_read(&mm->mmap_sem); |
762 |
- } |
763 |
-+#ifdef CONFIG_GRKERNSEC |
764 |
- if (tsk->signal->curr_ip) |
765 |
- printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset); |
766 |
- else |
767 |
-+#endif |
768 |
- printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); |
769 |
- printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " |
770 |
- "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), |
771 |
-@@ -2065,10 +2067,12 @@ |
772 |
- #ifdef CONFIG_PAX_REFCOUNT |
773 |
- void pax_report_refcount_overflow(struct pt_regs *regs) |
774 |
- { |
775 |
-+#ifdef CONFIG_GRKERNSEC |
776 |
- if (current->signal->curr_ip) |
777 |
- printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", |
778 |
- ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); |
779 |
- else |
780 |
-+#endif |
781 |
- printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", |
782 |
- current->comm, task_pid_nr(current), current_uid(), current_euid()); |
783 |
- print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); |
784 |
-@@ -2127,10 +2131,12 @@ |
785 |
- |
786 |
- __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) |
787 |
- { |
788 |
-+#ifdef CONFIG_GRKERNSEC |
789 |
- if (current->signal->curr_ip) |
790 |
- printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", |
791 |
- ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); |
792 |
- else |
793 |
-+#endif |
794 |
- printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", |
795 |
- to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); |
796 |
- dump_stack(); |
797 |
-diff -Naur a/security/Kconfig b/security/Kconfig |
798 |
---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400 |
799 |
-+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400 |
800 |
-@@ -29,7 +29,7 @@ |
801 |
- |
802 |
- config PAX |
803 |
- bool "Enable various PaX features" |
804 |
-- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) |
805 |
-+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) |
806 |
- help |
807 |
- This allows you to enable various PaX features. PaX adds |
808 |
- intrusion prevention mechanisms to the kernel that reduce |
809 |
|
810 |
diff --git a/3.2.22/4455_grsec-kconfig-gentoo.patch b/3.2.22/4455_grsec-kconfig-gentoo.patch |
811 |
deleted file mode 100644 |
812 |
index 87b5454..0000000 |
813 |
--- a/3.2.22/4455_grsec-kconfig-gentoo.patch |
814 |
+++ /dev/null |
815 |
@@ -1,357 +0,0 @@ |
816 |
-From: Anthony G. Basile <blueness@g.o> |
817 |
-From: Gordon Malm <gengor@g.o> |
818 |
-From: Jory A. Pratt <anarchy@g.o> |
819 |
-From: Kerin Millar <kerframil@×××××.com> |
820 |
- |
821 |
-Add Hardened Gentoo [server/workstation] predefined grsecurity |
822 |
-levels. They're designed to provide a comparitively high level of |
823 |
-security while remaining generally suitable for as great a majority |
824 |
-of the userbase as possible (particularly new users). |
825 |
- |
826 |
-Make Hardened Gentoo [workstation] predefined grsecurity level the |
827 |
-default. The Hardened Gentoo [server] level is more restrictive |
828 |
-and conflicts with some software and thus would be less suitable. |
829 |
- |
830 |
-The original version of this patch was conceived and created by: |
831 |
-Ned Ludd <solar@g.o> |
832 |
- |
833 |
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
834 |
---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 |
835 |
-+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 |
836 |
-@@ -18,7 +18,7 @@ |
837 |
- choice |
838 |
- prompt "Security Level" |
839 |
- depends on GRKERNSEC |
840 |
-- default GRKERNSEC_CUSTOM |
841 |
-+ default GRKERNSEC_HARDENED_WORKSTATION |
842 |
- |
843 |
- config GRKERNSEC_LOW |
844 |
- bool "Low" |
845 |
-@@ -192,6 +192,262 @@ |
846 |
- - Restricted sysfs/debugfs |
847 |
- - Active kernel exploit response |
848 |
- |
849 |
-+config GRKERNSEC_HARDENED_SERVER |
850 |
-+ bool "Hardened Gentoo [server]" |
851 |
-+ select GRKERNSEC_LINK |
852 |
-+ select GRKERNSEC_FIFO |
853 |
-+ select GRKERNSEC_DMESG |
854 |
-+ select GRKERNSEC_FORKFAIL |
855 |
-+ select GRKERNSEC_TIME |
856 |
-+ select GRKERNSEC_SIGNAL |
857 |
-+ select GRKERNSEC_CHROOT |
858 |
-+ select GRKERNSEC_CHROOT_SHMAT |
859 |
-+ select GRKERNSEC_CHROOT_UNIX |
860 |
-+ select GRKERNSEC_CHROOT_MOUNT |
861 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
862 |
-+ select GRKERNSEC_CHROOT_PIVOT |
863 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
864 |
-+ select GRKERNSEC_CHROOT_CHDIR |
865 |
-+ select GRKERNSEC_CHROOT_MKNOD |
866 |
-+ select GRKERNSEC_CHROOT_CAPS |
867 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
868 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
869 |
-+ select GRKERNSEC_SYSFS_RESTRICT |
870 |
-+ select GRKERNSEC_PROC |
871 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
872 |
-+ select GRKERNSEC_HIDESYM |
873 |
-+ select GRKERNSEC_BRUTE |
874 |
-+ select GRKERNSEC_PROC_USERGROUP |
875 |
-+ select GRKERNSEC_KMEM |
876 |
-+ select GRKERNSEC_RESLOG |
877 |
-+ select GRKERNSEC_AUDIT_PTRACE |
878 |
-+ select GRKERNSEC_RANDNET |
879 |
-+ select GRKERNSEC_PROC_ADD |
880 |
-+ select GRKERNSEC_CHROOT_CHMOD |
881 |
-+ select GRKERNSEC_CHROOT_NICE |
882 |
-+ select GRKERNSEC_AUDIT_MOUNT |
883 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
884 |
-+ select GRKERNSEC_HARDEN_PTRACE |
885 |
-+ select GRKERNSEC_PTRACE_READEXEC |
886 |
-+ select GRKERNSEC_SETXID |
887 |
-+ select GRKERNSEC_VM86 if (X86_32) |
888 |
-+ select GRKERNSEC_IO |
889 |
-+ select GRKERNSEC_PROC_IPADDR |
890 |
-+ select GRKERNSEC_RWXMAP_LOG |
891 |
-+ select GRKERNSEC_SYSCTL |
892 |
-+ select GRKERNSEC_SYSCTL_ON |
893 |
-+ select PAX |
894 |
-+ select PAX_ASLR |
895 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
896 |
-+ select PAX_RANDUSTACK |
897 |
-+ select PAX_RANDMMAP |
898 |
-+ select PAX_NOEXEC |
899 |
-+ select PAX_MPROTECT |
900 |
-+ select PAX_EI_PAX |
901 |
-+ select PAX_PT_PAX_FLAGS |
902 |
-+ select PAX_HAVE_ACL_FLAGS |
903 |
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
904 |
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN) |
905 |
-+ select PAX_SEGMEXEC if (X86_32) |
906 |
-+ select PAX_PAGEEXEC |
907 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
908 |
-+ select PAX_EMUTRAMP if (PARISC) |
909 |
-+ select PAX_EMUSIGRT if (PARISC) |
910 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
911 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
912 |
-+ select PAX_MEMORY_SANITIZE |
913 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
914 |
-+ help |
915 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
916 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
917 |
-+ These pre-defined security levels are designed to provide a high |
918 |
-+ level of security while minimizing incompatibilities with a majority |
919 |
-+ of Gentoo's available software. |
920 |
-+ |
921 |
-+ This "Hardened Gentoo [server]" level is identical to the |
922 |
-+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, |
923 |
-+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred |
924 |
-+ security level if the system will not be utilizing software incompatible |
925 |
-+ with these features. |
926 |
-+ |
927 |
-+ When this level is selected, some security features will be forced on, |
928 |
-+ while others will default to their suggested values of off or on. The |
929 |
-+ later can be tweaked at the user's discretion, but may cause problems |
930 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
931 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
932 |
-+ inherit the options selected by this security level as a starting point. |
933 |
-+ To accomplish this, select this security level, then exit the menuconfig |
934 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
935 |
-+ select the "Custom" level. |
936 |
-+ |
937 |
-+config GRKERNSEC_HARDENED_WORKSTATION |
938 |
-+ bool "Hardened Gentoo [workstation]" |
939 |
-+ select GRKERNSEC_LINK |
940 |
-+ select GRKERNSEC_FIFO |
941 |
-+ select GRKERNSEC_DMESG |
942 |
-+ select GRKERNSEC_FORKFAIL |
943 |
-+ select GRKERNSEC_TIME |
944 |
-+ select GRKERNSEC_SIGNAL |
945 |
-+ select GRKERNSEC_CHROOT |
946 |
-+ select GRKERNSEC_CHROOT_SHMAT |
947 |
-+ select GRKERNSEC_CHROOT_UNIX |
948 |
-+ select GRKERNSEC_CHROOT_MOUNT |
949 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
950 |
-+ select GRKERNSEC_CHROOT_PIVOT |
951 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
952 |
-+ select GRKERNSEC_CHROOT_CHDIR |
953 |
-+ select GRKERNSEC_CHROOT_MKNOD |
954 |
-+ select GRKERNSEC_CHROOT_CAPS |
955 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
956 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
957 |
-+ select GRKERNSEC_PROC |
958 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
959 |
-+ select GRKERNSEC_HIDESYM |
960 |
-+ select GRKERNSEC_BRUTE |
961 |
-+ select GRKERNSEC_PROC_USERGROUP |
962 |
-+ select GRKERNSEC_KMEM |
963 |
-+ select GRKERNSEC_RESLOG |
964 |
-+ select GRKERNSEC_AUDIT_PTRACE |
965 |
-+ select GRKERNSEC_RANDNET |
966 |
-+ select GRKERNSEC_CHROOT_CHMOD |
967 |
-+ select GRKERNSEC_CHROOT_NICE |
968 |
-+ select GRKERNSEC_AUDIT_MOUNT |
969 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
970 |
-+ select GRKERNSEC_HARDEN_PTRACE |
971 |
-+ select GRKERNSEC_PTRACE_READEXEC |
972 |
-+ select GRKERNSEC_SETXID |
973 |
-+ select GRKERNSEC_VM86 if (X86_32) |
974 |
-+ select GRKERNSEC_PROC_IPADDR |
975 |
-+ select GRKERNSEC_RWXMAP_LOG |
976 |
-+ select GRKERNSEC_SYSCTL |
977 |
-+ select GRKERNSEC_SYSCTL_ON |
978 |
-+ select PAX |
979 |
-+ select PAX_ASLR |
980 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
981 |
-+ select PAX_RANDUSTACK |
982 |
-+ select PAX_RANDMMAP |
983 |
-+ select PAX_NOEXEC |
984 |
-+ select PAX_MPROTECT |
985 |
-+ select PAX_EI_PAX |
986 |
-+ select PAX_PT_PAX_FLAGS |
987 |
-+ select PAX_HAVE_ACL_FLAGS |
988 |
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
989 |
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN) |
990 |
-+ select PAX_SEGMEXEC if (X86_32) |
991 |
-+ select PAX_PAGEEXEC |
992 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
993 |
-+ select PAX_EMUTRAMP if (PARISC) |
994 |
-+ select PAX_EMUSIGRT if (PARISC) |
995 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
996 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
997 |
-+ select PAX_MEMORY_SANITIZE |
998 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
999 |
-+ help |
1000 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
1001 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
1002 |
-+ These pre-defined security levels are designed to provide a high |
1003 |
-+ level of security while minimizing incompatibilities with a majority |
1004 |
-+ of Gentoo's available software. |
1005 |
-+ |
1006 |
-+ This "Hardened Gentoo [workstation]" level is identical to the |
1007 |
-+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and |
1008 |
-+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred |
1009 |
-+ security level if the system will be utilizing software incompatible |
1010 |
-+ with these features. |
1011 |
-+ |
1012 |
-+ When this level is selected, some security features will be forced on, |
1013 |
-+ while others will default to their suggested values of off or on. The |
1014 |
-+ later can be tweaked at the user's discretion, but may cause problems |
1015 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
1016 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
1017 |
-+ inherit the options selected by this security level as a starting point. |
1018 |
-+ To accomplish this, select this security level, then exit the menuconfig |
1019 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
1020 |
-+ select the "Custom" level. |
1021 |
-+ |
1022 |
-+config GRKERNSEC_HARDENED_VIRTUALIZATION |
1023 |
-+ bool "Hardened Gentoo [virtualization]" |
1024 |
-+ select GRKERNSEC_LINK |
1025 |
-+ select GRKERNSEC_FIFO |
1026 |
-+ select GRKERNSEC_DMESG |
1027 |
-+ select GRKERNSEC_FORKFAIL |
1028 |
-+ select GRKERNSEC_TIME |
1029 |
-+ select GRKERNSEC_SIGNAL |
1030 |
-+ select GRKERNSEC_CHROOT |
1031 |
-+ select GRKERNSEC_CHROOT_SHMAT |
1032 |
-+ select GRKERNSEC_CHROOT_UNIX |
1033 |
-+ select GRKERNSEC_CHROOT_MOUNT |
1034 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
1035 |
-+ select GRKERNSEC_CHROOT_PIVOT |
1036 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
1037 |
-+ select GRKERNSEC_CHROOT_CHDIR |
1038 |
-+ select GRKERNSEC_CHROOT_MKNOD |
1039 |
-+ select GRKERNSEC_CHROOT_CAPS |
1040 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
1041 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
1042 |
-+ select GRKERNSEC_PROC |
1043 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
1044 |
-+ select GRKERNSEC_HIDESYM |
1045 |
-+ select GRKERNSEC_BRUTE |
1046 |
-+ select GRKERNSEC_PROC_USERGROUP |
1047 |
-+ select GRKERNSEC_KMEM |
1048 |
-+ select GRKERNSEC_RESLOG |
1049 |
-+ select GRKERNSEC_AUDIT_PTRACE |
1050 |
-+ select GRKERNSEC_RANDNET |
1051 |
-+ select GRKERNSEC_CHROOT_CHMOD |
1052 |
-+ select GRKERNSEC_CHROOT_NICE |
1053 |
-+ select GRKERNSEC_AUDIT_MOUNT |
1054 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
1055 |
-+ select GRKERNSEC_HARDEN_PTRACE |
1056 |
-+ select GRKERNSEC_PTRACE_READEXEC |
1057 |
-+ select GRKERNSEC_SETXID |
1058 |
-+ select GRKERNSEC_VM86 if (X86_32) |
1059 |
-+ select GRKERNSEC_PROC_IPADDR |
1060 |
-+ select GRKERNSEC_RWXMAP_LOG |
1061 |
-+ select GRKERNSEC_SYSCTL |
1062 |
-+ select GRKERNSEC_SYSCTL_ON |
1063 |
-+ select PAX |
1064 |
-+ select PAX_ASLR |
1065 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
1066 |
-+ select PAX_RANDUSTACK |
1067 |
-+ select PAX_RANDMMAP |
1068 |
-+ select PAX_NOEXEC |
1069 |
-+ select PAX_MPROTECT |
1070 |
-+ select PAX_EI_PAX |
1071 |
-+ select PAX_PT_PAX_FLAGS |
1072 |
-+ select PAX_HAVE_ACL_FLAGS |
1073 |
-+ select PAX_SEGMEXEC if (X86_32) |
1074 |
-+ select PAX_PAGEEXEC |
1075 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
1076 |
-+ select PAX_EMUTRAMP if (PARISC) |
1077 |
-+ select PAX_EMUSIGRT if (PARISC) |
1078 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
1079 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
1080 |
-+ select PAX_MEMORY_SANITIZE |
1081 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
1082 |
-+ help |
1083 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
1084 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
1085 |
-+ These pre-defined security levels are designed to provide a high |
1086 |
-+ level of security while minimizing incompatibilities with a majority |
1087 |
-+ of Gentoo's available software. |
1088 |
-+ |
1089 |
-+ This "Hardened Gentoo [virtualization]" level is identical to the |
1090 |
-+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and |
1091 |
-+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred |
1092 |
-+ security level if the system will be utilizing virtualization software |
1093 |
-+ incompatible with these features, like VirtualBox or kvm. |
1094 |
-+ |
1095 |
-+ When this level is selected, some security features will be forced on, |
1096 |
-+ while others will default to their suggested values of off or on. The |
1097 |
-+ later can be tweaked at the user's discretion, but may cause problems |
1098 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
1099 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
1100 |
-+ inherit the options selected by this security level as a starting point. |
1101 |
-+ To accomplish this, select this security level, then exit the menuconfig |
1102 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
1103 |
-+ select the "Custom" level. |
1104 |
-+ |
1105 |
- config GRKERNSEC_CUSTOM |
1106 |
- bool "Custom" |
1107 |
- help |
1108 |
-diff -Naur a/security/Kconfig b/security/Kconfig |
1109 |
---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 |
1110 |
-+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 |
1111 |
-@@ -362,9 +362,10 @@ |
1112 |
- |
1113 |
- config PAX_KERNEXEC |
1114 |
- bool "Enforce non-executable kernel pages" |
1115 |
-- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN |
1116 |
-+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION |
1117 |
- select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) |
1118 |
- select PAX_KERNEXEC_PLUGIN if X86_64 |
1119 |
-+ default y if GRKERNSEC_HARDENED_WORKSTATION |
1120 |
- help |
1121 |
- This is the kernel land equivalent of PAGEEXEC and MPROTECT, |
1122 |
- that is, enabling this option will make it harder to inject |
1123 |
-@@ -375,30 +376,30 @@ |
1124 |
- |
1125 |
- choice |
1126 |
- prompt "Return Address Instrumentation Method" |
1127 |
-- default PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1128 |
-+ default PAX_KERNEXEC_PLUGIN_METHOD_OR |
1129 |
- depends on PAX_KERNEXEC_PLUGIN |
1130 |
- help |
1131 |
- Select the method used to instrument function pointer dereferences. |
1132 |
- Note that binary modules cannot be instrumented by this approach. |
1133 |
- |
1134 |
-- config PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1135 |
-- bool "bts" |
1136 |
-- help |
1137 |
-- This method is compatible with binary only modules but has |
1138 |
-- a higher runtime overhead. |
1139 |
-- |
1140 |
- config PAX_KERNEXEC_PLUGIN_METHOD_OR |
1141 |
- bool "or" |
1142 |
- depends on !PARAVIRT |
1143 |
- help |
1144 |
- This method is incompatible with binary only modules but has |
1145 |
- a lower runtime overhead. |
1146 |
-+ |
1147 |
-+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1148 |
-+ bool "bts" |
1149 |
-+ help |
1150 |
-+ This method is compatible with binary only modules but has |
1151 |
-+ a higher runtime overhead. |
1152 |
- endchoice |
1153 |
- |
1154 |
- config PAX_KERNEXEC_PLUGIN_METHOD |
1155 |
- string |
1156 |
-- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1157 |
- default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR |
1158 |
-+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1159 |
- default "" |
1160 |
- |
1161 |
- config PAX_KERNEXEC_MODULE_TEXT |
1162 |
-@@ -555,8 +556,9 @@ |
1163 |
- |
1164 |
- config PAX_MEMORY_UDEREF |
1165 |
- bool "Prevent invalid userland pointer dereference" |
1166 |
-- depends on X86 && !UML_X86 && !XEN |
1167 |
-+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION |
1168 |
- select PAX_PER_CPU_PGD if X86_64 |
1169 |
-+ default y if GRKERNSEC_HARDENED_WORKSTATION |
1170 |
- help |
1171 |
- By saying Y here the kernel will be prevented from dereferencing |
1172 |
- userland pointers in contexts where the kernel expects only kernel |
1173 |
|
1174 |
diff --git a/3.2.22/4460-grsec-kconfig-proc-user.patch b/3.2.22/4460-grsec-kconfig-proc-user.patch |
1175 |
deleted file mode 100644 |
1176 |
index b2b3188..0000000 |
1177 |
--- a/3.2.22/4460-grsec-kconfig-proc-user.patch |
1178 |
+++ /dev/null |
1179 |
@@ -1,26 +0,0 @@ |
1180 |
-From: Anthony G. Basile <blueness@g.o> |
1181 |
- |
1182 |
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP |
1183 |
-in a different way to avoid bug #366019. This patch should eventually go upstream. |
1184 |
- |
1185 |
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1186 |
---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400 |
1187 |
-+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400 |
1188 |
-@@ -680,7 +680,7 @@ |
1189 |
- |
1190 |
- config GRKERNSEC_PROC_USER |
1191 |
- bool "Restrict /proc to user only" |
1192 |
-- depends on GRKERNSEC_PROC |
1193 |
-+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP |
1194 |
- help |
1195 |
- If you say Y here, non-root users will only be able to view their own |
1196 |
- processes, and restricts them from viewing network-related information, |
1197 |
-@@ -688,7 +688,7 @@ |
1198 |
- |
1199 |
- config GRKERNSEC_PROC_USERGROUP |
1200 |
- bool "Allow special group" |
1201 |
-- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER |
1202 |
-+ depends on GRKERNSEC_PROC |
1203 |
- help |
1204 |
- If you say Y here, you will be able to select a group that will be |
1205 |
- able to view all processes and network-related information. If you've |
1206 |
|
1207 |
diff --git a/3.4.4/0000_README b/3.4.4/0000_README |
1208 |
index be72568..6e60159 100644 |
1209 |
--- a/3.4.4/0000_README |
1210 |
+++ b/3.4.4/0000_README |
1211 |
@@ -2,6 +2,10 @@ README |
1212 |
----------------------------------------------------------------------------- |
1213 |
Individual Patch Descriptions: |
1214 |
----------------------------------------------------------------------------- |
1215 |
+Patch: 2600_FW_MIPS_FILE_06_regression.patch |
1216 |
+From: Anthony G. Basile <blueness@g.o> |
1217 |
+Desc: Fix regressions against bnx2 firmware |
1218 |
+ |
1219 |
Patch: 4420_grsecurity-2.9.1-3.4.4-201207080925.patch |
1220 |
From: http://www.grsecurity.net |
1221 |
Desc: hardened-sources base patch from upstream grsecurity |