Gentoo Archives: gentoo-commits

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.22/, 2.6.32/, 3.4.4/
Date: Mon, 09 Jul 2012 23:56:35
Message-Id: 1341878151.386d50181178e9320f033575d3eabc2017a7b7ae.blueness@gentoo
1 commit: 386d50181178e9320f033575d3eabc2017a7b7ae
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Mon Jul 9 23:55:51 2012 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Mon Jul 9 23:55:51 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=386d5018
7
8 Sync gentoo patches with new Kconfig structure
9
10 ---
11 2.6.32/0000_README | 16 -
12 2.6.32/4445_grsec-pax-without-grsec.patch | 91 ------
13 2.6.32/4450_grsec-kconfig-default-gids.patch | 43 ++--
14 2.6.32/4455_grsec-kconfig-gentoo.patch | 357 -----------------------
15 2.6.32/4460-grsec-kconfig-proc-user.patch | 26 --
16 2.6.32/4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
17 2.6.32/4470_disable-compat_vdso.patch | 2 +-
18 3.2.22/0000_README | 16 -
19 3.2.22/4445_grsec-pax-without-grsec.patch | 91 ------
20 3.2.22/4455_grsec-kconfig-gentoo.patch | 357 -----------------------
21 3.2.22/4460-grsec-kconfig-proc-user.patch | 26 --
22 3.4.4/0000_README | 4 +
23 12 files changed, 31 insertions(+), 1000 deletions(-)
24
25 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
26 index 2011830..a0df600 100644
27 --- a/2.6.32/0000_README
28 +++ b/2.6.32/0000_README
29 @@ -48,27 +48,11 @@ Patch: 4440_grsec-remove-protected-paths.patch
30 From: Anthony G. Basile <blueness@g.o>
31 Desc: Removes chmod statements from grsecurity/Makefile
32
33 -Patch: 4445_grsec-pax-without-grsec.patch
34 -From: Gordon Malm <gengor@g.o>
35 -Desc: Allows PaX features to be selected without enabling GRKERNSEC
36 -
37 Patch: 4450_grsec-kconfig-default-gids.patch
38 From: Kerin Millar <kerframil@×××××.com>
39 Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
40 features
41
42 -Patch: 4455_grsec-kconfig-gentoo.patch
43 -From: Gordon Malm <gengor@g.o>
44 - Kerin Millar <kerframil@×××××.com>
45 - Anthony G. Basile <blueness@g.o>
46 -Desc: Adds Hardened Gentoo [server/workstation/virtualization] security
47 - levels, sets Hardened Gentoo [workstation] as default
48 -
49 -Patch: 4460-grsec-kconfig-proc-user.patch
50 -From: Anthony G. Basile <blueness@g.o>
51 -Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
52 - exclusive to avoid bug #366019.
53 -
54 Patch: 4465_selinux-avc_audit-log-curr_ip.patch
55 From: Gordon Malm <gengor@g.o>
56 Anthony G. Basile <blueness@g.o>
57
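Review bot: the three removed entries (4445, 4455, 4460) leave no trace of where those behaviours went, and 0000_README is the only user-facing index of what this patchset does to a kernel. Add a one-line entry, or a sentence under the surviving 4450 entry, saying whether PaX-without-GRKERNSEC, the Hardened Gentoo security levels and the PROC_USER/PROC_USERGROUP exclusion for bug #366019 are now provided by the upstream Kconfig layout or intentionally dropped; a user comparing two patchset releases otherwise cannot tell an upstreamed feature from a removed one.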
58 diff --git a/2.6.32/4445_grsec-pax-without-grsec.patch b/2.6.32/4445_grsec-pax-without-grsec.patch
59 deleted file mode 100644
60 index f07b2df..0000000
61 --- a/2.6.32/4445_grsec-pax-without-grsec.patch
62 +++ /dev/null
63 @@ -1,91 +0,0 @@
64 -From: Anthony G. Basile <blueness@g.o>
65 -
66 -With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
67 -pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
68 -This patch has been updated to reflect that change.
69 -
70 -With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn.
71 -This patch has been updated to reflect that change.
72 ---
73 -From: Jory Pratt <anarchy@g.o>
74 -Updated patch for kernel 2.6.32
75 -
76 -The credits/description from the original version of this patch remain accurate
77 -and are included below.
78 ---
79 -From: Gordon Malm <gengor@g.o>
80 -
81 -Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
82 -
83 -This patch has been updated to keep current with newer kernel versions.
84 -The original version of this patch contained no credits/description.
85 -
86 -diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
87 ---- a/arch/x86/mm/fault.c 2011-04-17 18:15:54.000000000 -0400
88 -+++ b/arch/x86/mm/fault.c 2011-04-17 18:28:11.000000000 -0400
89 -@@ -662,10 +662,12 @@
90 -
91 - #ifdef CONFIG_PAX_KERNEXEC
92 - if (init_mm.start_code <= address && address < init_mm.end_code) {
93 -+#ifdef CONFIG_GRKERNSEC
94 - if (current->signal->curr_ip)
95 - printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
96 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
97 - else
98 -+#endif
99 - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
100 - current->comm, task_pid_nr(current), current_uid(), current_euid());
101 - }
102 -diff -Naur a/fs/exec.c b/fs/exec.c
103 ---- a/fs/exec.c 2011-04-17 18:15:55.000000000 -0400
104 -+++ b/fs/exec.c 2011-04-17 18:29:40.000000000 -0400
105 -@@ -1849,9 +1849,11 @@
106 - }
107 - up_read(&mm->mmap_sem);
108 - }
109 -+#ifdef CONFIG_GRKERNSEC
110 - if (tsk->signal->curr_ip)
111 - printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
112 - else
113 -+#endif
114 - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
115 - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
116 - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
117 -@@ -1866,10 +1868,12 @@
118 - #ifdef CONFIG_PAX_REFCOUNT
119 - void pax_report_refcount_overflow(struct pt_regs *regs)
120 - {
121 -+#ifdef CONFIG_GRKERNSEC
122 - if (current->signal->curr_ip)
123 - printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
124 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
125 - else
126 -+#endif
127 - printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
128 - current->comm, task_pid_nr(current), current_uid(), current_euid());
129 - print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
130 -@@ -1928,10 +1932,12 @@
131 -
132 - __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
133 - {
134 -+#ifdef CONFIG_GRKERNSEC
135 - if (current->signal->curr_ip)
136 - printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
137 - &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
138 - else
139 -+#endif
140 - printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
141 - to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
142 -
143 -diff -Naur a/security/Kconfig b/security/Kconfig
144 ---- a/security/Kconfig 2011-04-17 18:15:55.000000000 -0400
145 -+++ b/security/Kconfig 2011-04-17 18:28:11.000000000 -0400
146 -@@ -29,7 +29,7 @@
147 -
148 - config PAX
149 - bool "Enable various PaX features"
150 -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
151 -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
152 - help
153 - This allows you to enable various PaX features. PaX adds
154 - intrusion prevention mechanisms to the kernel that reduce
155
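Review bot: removing this patch re-couples PaX to GRKERNSEC unless the upstream security/Kconfig no longer carries the `depends on GRKERNSEC && (ALPHA || ...)` line that this patch rewrote on `config PAX`; the commit message does not say which, so record it in the message or in 0000_README, because a user who built a PaX-only 2.6.32 kernel with this patchset will otherwise find the PaX menu silently unavailable until GRKERNSEC is turned on. The four `#ifdef CONFIG_GRKERNSEC` guards around the `current->signal->curr_ip` logging in fault.c and fs/exec.c only matter for such a PaX-only build, so dropping them together with the Kconfig hunk is consistent; just confirm upstream still compiles those call sites without GRKERNSEC, otherwise a PaX-only config goes from unselectable to uncompilable.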
156 diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
157 index 8c6f609..038bb2e 100644
158 --- a/2.6.32/4450_grsec-kconfig-default-gids.patch
159 +++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
160 @@ -1,3 +1,7 @@
161 +From: Anthony G. Basile <blueness@g.o>
162 +Updated patch for the new Kconfig system for >=3.4.4
163 +
164 +---
165 From: Kerin Millar <kerframil@×××××.com>
166
167 grsecurity contains a number of options which allow certain protections
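Review bot: "Updated patch for the new Kconfig system for >=3.4.4" is misleading in a file under 2.6.32/; the `2012-07-01` timestamps on the regenerated `--- a/grsecurity/Kconfig` / `+++ b/grsecurity/Kconfig` headers further down show the patch was cut against a 2.6.32-based tree. Name the grsecurity release that introduced the layout this patch now targets (the one that moved GRKERNSEC_PROC_GID into security/Kconfig) rather than a vanilla kernel version, since the grsecurity release, not the kernel version, decides whether the patch applies to a given tarball.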
168 @@ -9,19 +13,10 @@ attention to the finer points of kernel configuration, it is probably
169 wise to specify some reasonable defaults so as to stop careless users
170 from shooting themselves in the foot.
171
172 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
173 ---- a/grsecurity/Kconfig 2011-12-12 15:11:47.000000000 -0500
174 -+++ b/grsecurity/Kconfig 2011-12-12 15:13:17.000000000 -0500
175 -@@ -442,7 +442,7 @@
176 - config GRKERNSEC_PROC_GID
177 - int "GID for special group"
178 - depends on GRKERNSEC_PROC_USERGROUP
179 -- default 1001
180 -+ default 10
181 -
182 - config GRKERNSEC_PROC_ADD
183 - bool "Additional restrictions"
184 -@@ -670,7 +670,7 @@
185 +diff -Nuar a/grsecurity/Kconfig b/Kconfig
186 +--- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400
187 ++++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400
188 +@@ -519,7 +519,7 @@
189 config GRKERNSEC_AUDIT_GID
190 int "GID for auditing"
191 depends on GRKERNSEC_AUDIT_GROUP
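Review bot: `+diff -Nuar a/grsecurity/Kconfig b/Kconfig` names a different b/ path from the `+++ b/grsecurity/Kconfig` header right under it. patch(1) and `git apply` take the file name from the `---`/`+++` lines, so it still applies, but the mismatch shows the `diff` line was edited by hand; regenerate it as `diff -Nuar a/grsecurity/Kconfig b/grsecurity/Kconfig` so the two agree and anyone re-running the command to refresh the patch diffs the right pair of files.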
192 @@ -30,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
193
194 config GRKERNSEC_EXECLOG
195 bool "Exec logging"
196 -@@ -874,7 +874,7 @@
197 +@@ -734,7 +734,7 @@
198 config GRKERNSEC_TPE_GID
199 int "GID for untrusted users"
200 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
201 @@ -39,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
202 help
203 Setting this GID determines what group TPE restrictions will be
204 *enabled* for. If the sysctl option is enabled, a sysctl option
205 -@@ -883,7 +883,7 @@
206 +@@ -743,7 +743,7 @@
207 config GRKERNSEC_TPE_GID
208 int "GID for trusted users"
209 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
210 @@ -48,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
211 help
212 Setting this GID determines what group TPE restrictions will be
213 *disabled* for. If the sysctl option is enabled, a sysctl option
214 -@@ -956,7 +956,7 @@
215 +@@ -818,7 +818,7 @@
216 config GRKERNSEC_SOCKET_ALL_GID
217 int "GID to deny all sockets for"
218 depends on GRKERNSEC_SOCKET_ALL
219 @@ -57,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
220 help
221 Here you can choose the GID to disable socket access for. Remember to
222 add the users you want socket access disabled for to the GID
223 -@@ -977,7 +977,7 @@
224 +@@ -839,7 +839,7 @@
225 config GRKERNSEC_SOCKET_CLIENT_GID
226 int "GID to deny client sockets for"
227 depends on GRKERNSEC_SOCKET_CLIENT
228 @@ -66,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
229 help
230 Here you can choose the GID to disable client socket access for.
231 Remember to add the users you want client socket access disabled for to
232 -@@ -995,7 +995,7 @@
233 +@@ -857,7 +857,7 @@
234 config GRKERNSEC_SOCKET_SERVER_GID
235 int "GID to deny server sockets for"
236 depends on GRKERNSEC_SOCKET_SERVER
237 @@ -75,3 +70,15 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
238 help
239 Here you can choose the GID to disable server socket access for.
240 Remember to add the users you want server socket access disabled for to
241 +diff -Nuar a/security/Kconfig b/security/Kconfig
242 +--- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400
243 ++++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400
244 +@@ -186,7 +186,7 @@
245 +
246 + config GRKERNSEC_PROC_GID
247 + int "GID exempted from /proc restrictions"
248 +- default 1001
249 ++ default 10
250 + help
251 + Setting this GID determines which group will be exempted from
252 + grsecurity's /proc restrictions, allowing users of the specified
253
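Review bot: the old GRKERNSEC_PROC_GID hunk had `depends on GRKERNSEC_PROC_USERGROUP` in its context, but the replacement at security/Kconfig:186 goes straight from `int "GID exempted from /proc restrictions"` to `default`, so the gate is not visible. Confirm that upstream still ties GRKERNSEC_PROC_GID to GRKERNSEC_PROC_USERGROUP or its successor: `default 10` exempts whichever group holds GID 10 (wheel on a Gentoo install) from the /proc restrictions, and if the gate is gone that exemption is live whenever GRKERNSEC_PROC is on. Since the header's stated goal is to stop careless users from shooting themselves in the foot, the help text should also say the default was chosen to match Gentoo's wheel group, so an admin on a system where GID 10 is something else knows to change it.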
254 diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch
255 deleted file mode 100644
256 index e18ba0b..0000000
257 --- a/2.6.32/4455_grsec-kconfig-gentoo.patch
258 +++ /dev/null
259 @@ -1,357 +0,0 @@
260 -From: Anthony G. Basile <blueness@g.o>
261 -From: Gordon Malm <gengor@g.o>
262 -From: Jory A. Pratt <anarchy@g.o>
263 -From: Kerin Millar <kerframil@×××××.com>
264 -
265 -Add Hardened Gentoo [server/workstation] predefined grsecurity
266 -levels. They're designed to provide a comparitively high level of
267 -security while remaining generally suitable for as great a majority
268 -of the userbase as possible (particularly new users).
269 -
270 -Make Hardened Gentoo [workstation] predefined grsecurity level the
271 -default. The Hardened Gentoo [server] level is more restrictive
272 -and conflicts with some software and thus would be less suitable.
273 -
274 -The original version of this patch was conceived and created by:
275 -Ned Ludd <solar@g.o>
276 -
277 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
278 ---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
279 -+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
280 -@@ -18,7 +18,7 @@
281 - choice
282 - prompt "Security Level"
283 - depends on GRKERNSEC
284 -- default GRKERNSEC_CUSTOM
285 -+ default GRKERNSEC_HARDENED_WORKSTATION
286 -
287 - config GRKERNSEC_LOW
288 - bool "Low"
289 -@@ -192,6 +192,262 @@
290 - - Restricted sysfs/debugfs
291 - - Active kernel exploit response
292 -
293 -+config GRKERNSEC_HARDENED_SERVER
294 -+ bool "Hardened Gentoo [server]"
295 -+ select GRKERNSEC_LINK
296 -+ select GRKERNSEC_FIFO
297 -+ select GRKERNSEC_DMESG
298 -+ select GRKERNSEC_FORKFAIL
299 -+ select GRKERNSEC_TIME
300 -+ select GRKERNSEC_SIGNAL
301 -+ select GRKERNSEC_CHROOT
302 -+ select GRKERNSEC_CHROOT_SHMAT
303 -+ select GRKERNSEC_CHROOT_UNIX
304 -+ select GRKERNSEC_CHROOT_MOUNT
305 -+ select GRKERNSEC_CHROOT_FCHDIR
306 -+ select GRKERNSEC_CHROOT_PIVOT
307 -+ select GRKERNSEC_CHROOT_DOUBLE
308 -+ select GRKERNSEC_CHROOT_CHDIR
309 -+ select GRKERNSEC_CHROOT_MKNOD
310 -+ select GRKERNSEC_CHROOT_CAPS
311 -+ select GRKERNSEC_CHROOT_SYSCTL
312 -+ select GRKERNSEC_CHROOT_FINDTASK
313 -+ select GRKERNSEC_SYSFS_RESTRICT
314 -+ select GRKERNSEC_PROC
315 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
316 -+ select GRKERNSEC_HIDESYM
317 -+ select GRKERNSEC_BRUTE
318 -+ select GRKERNSEC_PROC_USERGROUP
319 -+ select GRKERNSEC_KMEM
320 -+ select GRKERNSEC_RESLOG
321 -+ select GRKERNSEC_AUDIT_PTRACE
322 -+ select GRKERNSEC_RANDNET
323 -+ select GRKERNSEC_PROC_ADD
324 -+ select GRKERNSEC_CHROOT_CHMOD
325 -+ select GRKERNSEC_CHROOT_NICE
326 -+ select GRKERNSEC_AUDIT_MOUNT
327 -+ select GRKERNSEC_MODHARDEN if (MODULES)
328 -+ select GRKERNSEC_HARDEN_PTRACE
329 -+ select GRKERNSEC_PTRACE_READEXEC
330 -+ select GRKERNSEC_SETXID
331 -+ select GRKERNSEC_VM86 if (X86_32)
332 -+ select GRKERNSEC_IO
333 -+ select GRKERNSEC_PROC_IPADDR
334 -+ select GRKERNSEC_RWXMAP_LOG
335 -+ select GRKERNSEC_SYSCTL
336 -+ select GRKERNSEC_SYSCTL_ON
337 -+ select PAX
338 -+ select PAX_ASLR
339 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
340 -+ select PAX_RANDUSTACK
341 -+ select PAX_RANDMMAP
342 -+ select PAX_NOEXEC
343 -+ select PAX_MPROTECT
344 -+ select PAX_EI_PAX
345 -+ select PAX_PT_PAX_FLAGS
346 -+ select PAX_HAVE_ACL_FLAGS
347 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
348 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
349 -+ select PAX_SEGMEXEC if (X86_32)
350 -+ select PAX_PAGEEXEC
351 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
352 -+ select PAX_EMUTRAMP if (PARISC)
353 -+ select PAX_EMUSIGRT if (PARISC)
354 -+ select PAX_REFCOUNT if (X86 || SPARC64)
355 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
356 -+ select PAX_MEMORY_SANITIZE
357 -+ select PAX_MEMORY_STACKLEAK if (!XEN)
358 -+ help
359 -+ If you say Y here, a configuration for grsecurity/PaX features
360 -+ will be used that is endorsed by the Hardened Gentoo project.
361 -+ These pre-defined security levels are designed to provide a high
362 -+ level of security while minimizing incompatibilities with a majority
363 -+ of Gentoo's available software.
364 -+
365 -+ This "Hardened Gentoo [server]" level is identical to the
366 -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
367 -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
368 -+ security level if the system will not be utilizing software incompatible
369 -+ with these features.
370 -+
371 -+ When this level is selected, some security features will be forced on,
372 -+ while others will default to their suggested values of off or on. The
373 -+ later can be tweaked at the user's discretion, but may cause problems
374 -+ in some situations. You can fully customize all grsecurity/PaX features
375 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
376 -+ inherit the options selected by this security level as a starting point.
377 -+ To accomplish this, select this security level, then exit the menuconfig
378 -+ interface, saving changes when prompted. Run make menuconfig again and
379 -+ select the "Custom" level.
380 -+
381 -+config GRKERNSEC_HARDENED_WORKSTATION
382 -+ bool "Hardened Gentoo [workstation]"
383 -+ select GRKERNSEC_LINK
384 -+ select GRKERNSEC_FIFO
385 -+ select GRKERNSEC_DMESG
386 -+ select GRKERNSEC_FORKFAIL
387 -+ select GRKERNSEC_TIME
388 -+ select GRKERNSEC_SIGNAL
389 -+ select GRKERNSEC_CHROOT
390 -+ select GRKERNSEC_CHROOT_SHMAT
391 -+ select GRKERNSEC_CHROOT_UNIX
392 -+ select GRKERNSEC_CHROOT_MOUNT
393 -+ select GRKERNSEC_CHROOT_FCHDIR
394 -+ select GRKERNSEC_CHROOT_PIVOT
395 -+ select GRKERNSEC_CHROOT_DOUBLE
396 -+ select GRKERNSEC_CHROOT_CHDIR
397 -+ select GRKERNSEC_CHROOT_MKNOD
398 -+ select GRKERNSEC_CHROOT_CAPS
399 -+ select GRKERNSEC_CHROOT_SYSCTL
400 -+ select GRKERNSEC_CHROOT_FINDTASK
401 -+ select GRKERNSEC_PROC
402 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
403 -+ select GRKERNSEC_HIDESYM
404 -+ select GRKERNSEC_BRUTE
405 -+ select GRKERNSEC_PROC_USERGROUP
406 -+ select GRKERNSEC_KMEM
407 -+ select GRKERNSEC_RESLOG
408 -+ select GRKERNSEC_AUDIT_PTRACE
409 -+ select GRKERNSEC_RANDNET
410 -+ select GRKERNSEC_CHROOT_CHMOD
411 -+ select GRKERNSEC_CHROOT_NICE
412 -+ select GRKERNSEC_AUDIT_MOUNT
413 -+ select GRKERNSEC_MODHARDEN if (MODULES)
414 -+ select GRKERNSEC_HARDEN_PTRACE
415 -+ select GRKERNSEC_PTRACE_READEXEC
416 -+ select GRKERNSEC_SETXID
417 -+ select GRKERNSEC_VM86 if (X86_32)
418 -+ select GRKERNSEC_PROC_IPADDR
419 -+ select GRKERNSEC_RWXMAP_LOG
420 -+ select GRKERNSEC_SYSCTL
421 -+ select GRKERNSEC_SYSCTL_ON
422 -+ select PAX
423 -+ select PAX_ASLR
424 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
425 -+ select PAX_RANDUSTACK
426 -+ select PAX_RANDMMAP
427 -+ select PAX_NOEXEC
428 -+ select PAX_MPROTECT
429 -+ select PAX_EI_PAX
430 -+ select PAX_PT_PAX_FLAGS
431 -+ select PAX_HAVE_ACL_FLAGS
432 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
433 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
434 -+ select PAX_SEGMEXEC if (X86_32)
435 -+ select PAX_PAGEEXEC
436 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
437 -+ select PAX_EMUTRAMP if (PARISC)
438 -+ select PAX_EMUSIGRT if (PARISC)
439 -+ select PAX_REFCOUNT if (X86 || SPARC64)
440 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
441 -+ select PAX_MEMORY_SANITIZE
442 -+ select PAX_MEMORY_STACKLEAK if (!XEN)
443 -+ help
444 -+ If you say Y here, a configuration for grsecurity/PaX features
445 -+ will be used that is endorsed by the Hardened Gentoo project.
446 -+ These pre-defined security levels are designed to provide a high
447 -+ level of security while minimizing incompatibilities with a majority
448 -+ of Gentoo's available software.
449 -+
450 -+ This "Hardened Gentoo [workstation]" level is identical to the
451 -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
452 -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
453 -+ security level if the system will be utilizing software incompatible
454 -+ with these features.
455 -+
456 -+ When this level is selected, some security features will be forced on,
457 -+ while others will default to their suggested values of off or on. The
458 -+ later can be tweaked at the user's discretion, but may cause problems
459 -+ in some situations. You can fully customize all grsecurity/PaX features
460 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
461 -+ inherit the options selected by this security level as a starting point.
462 -+ To accomplish this, select this security level, then exit the menuconfig
463 -+ interface, saving changes when prompted. Run make menuconfig again and
464 -+ select the "Custom" level.
465 -+
466 -+config GRKERNSEC_HARDENED_VIRTUALIZATION
467 -+ bool "Hardened Gentoo [virtualization]"
468 -+ select GRKERNSEC_LINK
469 -+ select GRKERNSEC_FIFO
470 -+ select GRKERNSEC_DMESG
471 -+ select GRKERNSEC_FORKFAIL
472 -+ select GRKERNSEC_TIME
473 -+ select GRKERNSEC_SIGNAL
474 -+ select GRKERNSEC_CHROOT
475 -+ select GRKERNSEC_CHROOT_SHMAT
476 -+ select GRKERNSEC_CHROOT_UNIX
477 -+ select GRKERNSEC_CHROOT_MOUNT
478 -+ select GRKERNSEC_CHROOT_FCHDIR
479 -+ select GRKERNSEC_CHROOT_PIVOT
480 -+ select GRKERNSEC_CHROOT_DOUBLE
481 -+ select GRKERNSEC_CHROOT_CHDIR
482 -+ select GRKERNSEC_CHROOT_MKNOD
483 -+ select GRKERNSEC_CHROOT_CAPS
484 -+ select GRKERNSEC_CHROOT_SYSCTL
485 -+ select GRKERNSEC_CHROOT_FINDTASK
486 -+ select GRKERNSEC_PROC
487 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
488 -+ select GRKERNSEC_HIDESYM
489 -+ select GRKERNSEC_BRUTE
490 -+ select GRKERNSEC_PROC_USERGROUP
491 -+ select GRKERNSEC_KMEM
492 -+ select GRKERNSEC_RESLOG
493 -+ select GRKERNSEC_AUDIT_PTRACE
494 -+ select GRKERNSEC_RANDNET
495 -+ select GRKERNSEC_CHROOT_CHMOD
496 -+ select GRKERNSEC_CHROOT_NICE
497 -+ select GRKERNSEC_AUDIT_MOUNT
498 -+ select GRKERNSEC_MODHARDEN if (MODULES)
499 -+ select GRKERNSEC_HARDEN_PTRACE
500 -+ select GRKERNSEC_PTRACE_READEXEC
501 -+ select GRKERNSEC_SETXID
502 -+ select GRKERNSEC_VM86 if (X86_32)
503 -+ select GRKERNSEC_PROC_IPADDR
504 -+ select GRKERNSEC_RWXMAP_LOG
505 -+ select GRKERNSEC_SYSCTL
506 -+ select GRKERNSEC_SYSCTL_ON
507 -+ select PAX
508 -+ select PAX_ASLR
509 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
510 -+ select PAX_RANDUSTACK
511 -+ select PAX_RANDMMAP
512 -+ select PAX_NOEXEC
513 -+ select PAX_MPROTECT
514 -+ select PAX_EI_PAX
515 -+ select PAX_PT_PAX_FLAGS
516 -+ select PAX_HAVE_ACL_FLAGS
517 -+ select PAX_SEGMEXEC if (X86_32)
518 -+ select PAX_PAGEEXEC
519 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
520 -+ select PAX_EMUTRAMP if (PARISC)
521 -+ select PAX_EMUSIGRT if (PARISC)
522 -+ select PAX_REFCOUNT if (X86 || SPARC64)
523 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
524 -+ select PAX_MEMORY_SANITIZE
525 -+ select PAX_MEMORY_STACKLEAK if (!XEN)
526 -+ help
527 -+ If you say Y here, a configuration for grsecurity/PaX features
528 -+ will be used that is endorsed by the Hardened Gentoo project.
529 -+ These pre-defined security levels are designed to provide a high
530 -+ level of security while minimizing incompatibilities with a majority
531 -+ of Gentoo's available software.
532 -+
533 -+ This "Hardened Gentoo [virtualization]" level is identical to the
534 -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
535 -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
536 -+ security level if the system will be utilizing virtualization software
537 -+ incompatible with these features, like VirtualBox or kvm.
538 -+
539 -+ When this level is selected, some security features will be forced on,
540 -+ while others will default to their suggested values of off or on. The
541 -+ later can be tweaked at the user's discretion, but may cause problems
542 -+ in some situations. You can fully customize all grsecurity/PaX features
543 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
544 -+ inherit the options selected by this security level as a starting point.
545 -+ To accomplish this, select this security level, then exit the menuconfig
546 -+ interface, saving changes when prompted. Run make menuconfig again and
547 -+ select the "Custom" level.
548 -+
549 - config GRKERNSEC_CUSTOM
550 - bool "Custom"
551 - help
552 -diff -Naur a/security/Kconfig b/security/Kconfig
553 ---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
554 -+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
555 -@@ -360,9 +360,10 @@
556 -
557 - config PAX_KERNEXEC
558 - bool "Enforce non-executable kernel pages"
559 -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
560 -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
561 - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
562 - select PAX_KERNEXEC_PLUGIN if X86_64
563 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
564 - help
565 - This is the kernel land equivalent of PAGEEXEC and MPROTECT,
566 - that is, enabling this option will make it harder to inject
567 -@@ -373,30 +374,30 @@
568 -
569 - choice
570 - prompt "Return Address Instrumentation Method"
571 -- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
572 -+ default PAX_KERNEXEC_PLUGIN_METHOD_OR
573 - depends on PAX_KERNEXEC_PLUGIN
574 - help
575 - Select the method used to instrument function pointer dereferences.
576 - Note that binary modules cannot be instrumented by this approach.
577 -
578 -- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
579 -- bool "bts"
580 -- help
581 -- This method is compatible with binary only modules but has
582 -- a higher runtime overhead.
583 --
584 - config PAX_KERNEXEC_PLUGIN_METHOD_OR
585 - bool "or"
586 - depends on !PARAVIRT
587 - help
588 - This method is incompatible with binary only modules but has
589 - a lower runtime overhead.
590 -+
591 -+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
592 -+ bool "bts"
593 -+ help
594 -+ This method is compatible with binary only modules but has
595 -+ a higher runtime overhead.
596 - endchoice
597 -
598 - config PAX_KERNEXEC_PLUGIN_METHOD
599 - string
600 -- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
601 - default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
602 -+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
603 - default ""
604 -
605 - config PAX_KERNEXEC_MODULE_TEXT
606 -@@ -553,8 +554,9 @@
607 -
608 - config PAX_MEMORY_UDEREF
609 - bool "Prevent invalid userland pointer dereference"
610 -- depends on X86 && !UML_X86 && !XEN
611 -+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
612 - select PAX_PER_CPU_PGD if X86_64
613 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
614 - help
615 - By saying Y here the kernel will be prevented from dereferencing
616 - userland pointers in contexts where the kernel expects only kernel
617
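Review bot: dropping this patch silently changes three defaults that a saved .config or `make oldconfig` will pick up: the Security Level choice reverts from `default GRKERNSEC_HARDENED_WORKSTATION` to `default GRKERNSEC_CUSTOM`, PAX_KERNEXEC and PAX_MEMORY_UDEREF lose their `default y if GRKERNSEC_HARDENED_WORKSTATION`, and the KERNEXEC plugin method reverts from `default PAX_KERNEXEC_PLUGIN_METHOD_OR` to the BTS default. A config carrying CONFIG_GRKERNSEC_HARDENED_WORKSTATION=y will be asked for a new Security Level and, under Custom, for every grsecurity/PaX option individually with nothing pre-selected. The commit message should say whether the [server]/[workstation]/[virtualization] levels now exist upstream under the same symbol names (so old configs carry over) or are gone; if gone, 0000_README needs a migration note, and users who relied on the `!GRKERNSEC_HARDENED_VIRTUALIZATION` guards on KERNEXEC/UDEREF for VirtualBox or kvm hosts need to be told to deselect those two options by hand.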
618 diff --git a/2.6.32/4460-grsec-kconfig-proc-user.patch b/2.6.32/4460-grsec-kconfig-proc-user.patch
619 deleted file mode 100644
620 index 8409e87..0000000
621 --- a/2.6.32/4460-grsec-kconfig-proc-user.patch
622 +++ /dev/null
623 @@ -1,26 +0,0 @@
624 -From: Anthony G. Basile <blueness@g.o>
625 -
626 -Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
627 -in a different way to avoid bug #366019. This patch should eventually go upstream.
628 -
629 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
630 ---- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
631 -+++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
632 -@@ -679,7 +679,7 @@
633 -
634 - config GRKERNSEC_PROC_USER
635 - bool "Restrict /proc to user only"
636 -- depends on GRKERNSEC_PROC
637 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
638 - help
639 - If you say Y here, non-root users will only be able to view their own
640 - processes, and restricts them from viewing network-related information,
641 -@@ -687,7 +687,7 @@
642 -
643 - config GRKERNSEC_PROC_USERGROUP
644 - bool "Allow special group"
645 -- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
646 -+ depends on GRKERNSEC_PROC
647 - help
648 - If you say Y here, you will be able to select a group that will be
649 - able to view all processes and network-related information. If you've
650
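Review bot: the direction of the exclusion is the point of this patch, so the deletion needs a stated reason. Upstream's own guard was `depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER` on PROC_USERGROUP; the patch moved it to `!GRKERNSEC_PROC_USERGROUP` on PROC_USER so that a `select GRKERNSEC_PROC_USERGROUP` from a security level (as the Hardened Gentoo levels did) hides PROC_USER instead of selecting a symbol whose dependency is unmet, which is what bug #366019 was about. With the levels also removed in this commit the select-driven reason is gone and upstream's original direction is adequate again, provided the new Kconfig still carries an exclusion in one direction or the other; confirm that in the commit message, because a config with both options enabled is exactly the case the bug was opened for.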
651 diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
652 index 43147a7..67d09ef 100644
653 --- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
654 +++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
655 @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
656 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
657 --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
658 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
659 -@@ -1308,6 +1308,27 @@
660 +@@ -916,6 +916,27 @@
661 menu "Logging Options"
662 depends on GRKERNSEC
663
664
665 diff --git a/2.6.32/4470_disable-compat_vdso.patch b/2.6.32/4470_disable-compat_vdso.patch
666 index c8e1aeb..a54092e 100644
667 --- a/2.6.32/4470_disable-compat_vdso.patch
668 +++ b/2.6.32/4470_disable-compat_vdso.patch
669 @@ -27,7 +27,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
670 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
671 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
672 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
673 -@@ -1616,17 +1616,8 @@
674 +@@ -1625,17 +1625,8 @@
675
676 config COMPAT_VDSO
677 def_bool n
678
679 diff --git a/3.2.22/0000_README b/3.2.22/0000_README
680 index b314927..ccfefdd 100644
681 --- a/3.2.22/0000_README
682 +++ b/3.2.22/0000_README
683 @@ -20,27 +20,11 @@ Patch: 4440_grsec-remove-protected-paths.patch
684 From: Anthony G. Basile <blueness@g.o>
685 Desc: Removes chmod statements from grsecurity/Makefile
686
687 -Patch: 4445_grsec-pax-without-grsec.patch
688 -From: Gordon Malm <gengor@g.o>
689 -Desc: Allows PaX features to be selected without enabling GRKERNSEC
690 -
691 Patch: 4450_grsec-kconfig-default-gids.patch
692 From: Kerin Millar <kerframil@×××××.com>
693 Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
694 features
695
696 -Patch: 4455_grsec-kconfig-gentoo.patch
697 -From: Gordon Malm <gengor@g.o>
698 - Kerin Millar <kerframil@×××××.com>
699 - Anthony G. Basile <blueness@g.o>
700 -Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels,
701 - sets Hardened Gentoo [workstation] as default
702 -
703 -Patch: 4460-grsec-kconfig-proc-user.patch
704 -From: Anthony G. Basile <blueness@g.o>
705 -Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
706 - exclusive to avoid bug #366019.
707 -
708 Patch: 4465_selinux-avc_audit-log-curr_ip.patch
709 From: Gordon Malm <gengor@g.o>
710 Anthony G. Basile <blueness@g.o>
711
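Review bot: 3.2.22 drops the same three patches as 2.6.32 here, but per the diffstat neither 3.2.22/4450_grsec-kconfig-default-gids.patch nor 3.2.22/4465 is regenerated in this commit, while their 2.6.32 copies were (GRKERNSEC_PROC_GID moved into security/Kconfig, hunk offsets changed). If the 3.2.22 grsecurity tarball has the same new layout and 3.2.22/4450 still carries the old grsecurity/Kconfig hunk for GRKERNSEC_PROC_GID, that patch will fail to apply or land in the wrong place; if the 3.2.22 tarball does not have the new layout, the 4445/4455/4460 removals for 3.2.22 are premature. Either include the 3.2.22 regeneration or say in the commit why 3.2.22 differs from 2.6.32.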
712 diff --git a/3.2.22/4445_grsec-pax-without-grsec.patch b/3.2.22/4445_grsec-pax-without-grsec.patch
713 deleted file mode 100644
714 index 58301c0..0000000
715 --- a/3.2.22/4445_grsec-pax-without-grsec.patch
716 +++ /dev/null
717 @@ -1,91 +0,0 @@
718 -From: Anthony G. Basile <blueness@g.o>
719 -
720 -With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
721 -pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
722 -This patch has been updated to reflect that change.
723 -
724 -With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn.
725 -This patch has been updated to reflect that change.
726 ---
727 -From: Jory Pratt <anarchy@g.o>
728 -Updated patch for kernel 2.6.32
729 -
730 -The credits/description from the original version of this patch remain accurate
731 -and are included below.
732 ---
733 -From: Gordon Malm <gengor@g.o>
734 -
735 -Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
736 -
737 -This patch has been updated to keep current with newer kernel versions.
738 -The original version of this patch contained no credits/description.
739 -
740 -diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
741 ---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400
742 -+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400
743 -@@ -657,10 +657,12 @@
744 -
745 - #ifdef CONFIG_PAX_KERNEXEC
746 - if (init_mm.start_code <= address && address < init_mm.end_code) {
747 -+#ifdef CONFIG_GRKERNSEC
748 - if (current->signal->curr_ip)
749 - printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
750 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
751 - else
752 -+#endif
753 - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
754 - current->comm, task_pid_nr(current), current_uid(), current_euid());
755 - }
756 -diff -Naur a/fs/exec.c b/fs/exec.c
757 ---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400
758 -+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400
759 -@@ -2048,9 +2048,11 @@
760 - }
761 - up_read(&mm->mmap_sem);
762 - }
763 -+#ifdef CONFIG_GRKERNSEC
764 - if (tsk->signal->curr_ip)
765 - printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
766 - else
767 -+#endif
768 - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
769 - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
770 - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
771 -@@ -2065,10 +2067,12 @@
772 - #ifdef CONFIG_PAX_REFCOUNT
773 - void pax_report_refcount_overflow(struct pt_regs *regs)
774 - {
775 -+#ifdef CONFIG_GRKERNSEC
776 - if (current->signal->curr_ip)
777 - printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
778 - &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
779 - else
780 -+#endif
781 - printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
782 - current->comm, task_pid_nr(current), current_uid(), current_euid());
783 - print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
784 -@@ -2127,10 +2131,12 @@
785 -
786 - __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
787 - {
788 -+#ifdef CONFIG_GRKERNSEC
789 - if (current->signal->curr_ip)
790 - printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
791 - &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
792 - else
793 -+#endif
794 - printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
795 - to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
796 - dump_stack();
797 -diff -Naur a/security/Kconfig b/security/Kconfig
798 ---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400
799 -+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400
800 -@@ -29,7 +29,7 @@
801 -
802 - config PAX
803 - bool "Enable various PaX features"
804 -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
805 -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
806 - help
807 - This allows you to enable various PaX features. PaX adds
808 - intrusion prevention mechanisms to the kernel that reduce
809
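Review bot: deleting this patch removes the ability to build PaX without GRKERNSEC, and the deletion does not record whether the upstream Kconfig now permits that. The removed `security/Kconfig` hunk replaced `depends on GRKERNSEC && (ALPHA || ARM || ...)` with `depends on (ALPHA || ARM || ...)`; if the upstream file still carries the GRKERNSEC dependency, PaX-only configurations that worked with this patch are no longer selectable. The removed `#ifdef CONFIG_GRKERNSEC` guards around `current->signal->curr_ip` in fs/exec.c and arch/x86/mm/fault.c are part of the same contract: if `curr_ip` only exists when GRKERNSEC is set, a PaX-only build would fail to compile without them. State in the README whether an upstream equivalent exists or the feature is intentionally dropped.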
810 diff --git a/3.2.22/4455_grsec-kconfig-gentoo.patch b/3.2.22/4455_grsec-kconfig-gentoo.patch
811 deleted file mode 100644
812 index 87b5454..0000000
813 --- a/3.2.22/4455_grsec-kconfig-gentoo.patch
814 +++ /dev/null
815 @@ -1,357 +0,0 @@
816 -From: Anthony G. Basile <blueness@g.o>
817 -From: Gordon Malm <gengor@g.o>
818 -From: Jory A. Pratt <anarchy@g.o>
819 -From: Kerin Millar <kerframil@×××××.com>
820 -
821 -Add Hardened Gentoo [server/workstation] predefined grsecurity
822 -levels. They're designed to provide a comparitively high level of
823 -security while remaining generally suitable for as great a majority
824 -of the userbase as possible (particularly new users).
825 -
826 -Make Hardened Gentoo [workstation] predefined grsecurity level the
827 -default. The Hardened Gentoo [server] level is more restrictive
828 -and conflicts with some software and thus would be less suitable.
829 -
830 -The original version of this patch was conceived and created by:
831 -Ned Ludd <solar@g.o>
832 -
833 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
834 ---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
835 -+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
836 -@@ -18,7 +18,7 @@
837 - choice
838 - prompt "Security Level"
839 - depends on GRKERNSEC
840 -- default GRKERNSEC_CUSTOM
841 -+ default GRKERNSEC_HARDENED_WORKSTATION
842 -
843 - config GRKERNSEC_LOW
844 - bool "Low"
845 -@@ -192,6 +192,262 @@
846 - - Restricted sysfs/debugfs
847 - - Active kernel exploit response
848 -
849 -+config GRKERNSEC_HARDENED_SERVER
850 -+ bool "Hardened Gentoo [server]"
851 -+ select GRKERNSEC_LINK
852 -+ select GRKERNSEC_FIFO
853 -+ select GRKERNSEC_DMESG
854 -+ select GRKERNSEC_FORKFAIL
855 -+ select GRKERNSEC_TIME
856 -+ select GRKERNSEC_SIGNAL
857 -+ select GRKERNSEC_CHROOT
858 -+ select GRKERNSEC_CHROOT_SHMAT
859 -+ select GRKERNSEC_CHROOT_UNIX
860 -+ select GRKERNSEC_CHROOT_MOUNT
861 -+ select GRKERNSEC_CHROOT_FCHDIR
862 -+ select GRKERNSEC_CHROOT_PIVOT
863 -+ select GRKERNSEC_CHROOT_DOUBLE
864 -+ select GRKERNSEC_CHROOT_CHDIR
865 -+ select GRKERNSEC_CHROOT_MKNOD
866 -+ select GRKERNSEC_CHROOT_CAPS
867 -+ select GRKERNSEC_CHROOT_SYSCTL
868 -+ select GRKERNSEC_CHROOT_FINDTASK
869 -+ select GRKERNSEC_SYSFS_RESTRICT
870 -+ select GRKERNSEC_PROC
871 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
872 -+ select GRKERNSEC_HIDESYM
873 -+ select GRKERNSEC_BRUTE
874 -+ select GRKERNSEC_PROC_USERGROUP
875 -+ select GRKERNSEC_KMEM
876 -+ select GRKERNSEC_RESLOG
877 -+ select GRKERNSEC_AUDIT_PTRACE
878 -+ select GRKERNSEC_RANDNET
879 -+ select GRKERNSEC_PROC_ADD
880 -+ select GRKERNSEC_CHROOT_CHMOD
881 -+ select GRKERNSEC_CHROOT_NICE
882 -+ select GRKERNSEC_AUDIT_MOUNT
883 -+ select GRKERNSEC_MODHARDEN if (MODULES)
884 -+ select GRKERNSEC_HARDEN_PTRACE
885 -+ select GRKERNSEC_PTRACE_READEXEC
886 -+ select GRKERNSEC_SETXID
887 -+ select GRKERNSEC_VM86 if (X86_32)
888 -+ select GRKERNSEC_IO
889 -+ select GRKERNSEC_PROC_IPADDR
890 -+ select GRKERNSEC_RWXMAP_LOG
891 -+ select GRKERNSEC_SYSCTL
892 -+ select GRKERNSEC_SYSCTL_ON
893 -+ select PAX
894 -+ select PAX_ASLR
895 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
896 -+ select PAX_RANDUSTACK
897 -+ select PAX_RANDMMAP
898 -+ select PAX_NOEXEC
899 -+ select PAX_MPROTECT
900 -+ select PAX_EI_PAX
901 -+ select PAX_PT_PAX_FLAGS
902 -+ select PAX_HAVE_ACL_FLAGS
903 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
904 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
905 -+ select PAX_SEGMEXEC if (X86_32)
906 -+ select PAX_PAGEEXEC
907 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
908 -+ select PAX_EMUTRAMP if (PARISC)
909 -+ select PAX_EMUSIGRT if (PARISC)
910 -+ select PAX_REFCOUNT if (X86 || SPARC64)
911 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
912 -+ select PAX_MEMORY_SANITIZE
913 -+ select PAX_MEMORY_STACKLEAK if (!XEN)
914 -+ help
915 -+ If you say Y here, a configuration for grsecurity/PaX features
916 -+ will be used that is endorsed by the Hardened Gentoo project.
917 -+ These pre-defined security levels are designed to provide a high
918 -+ level of security while minimizing incompatibilities with a majority
919 -+ of Gentoo's available software.
920 -+
921 -+ This "Hardened Gentoo [server]" level is identical to the
922 -+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
923 -+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
924 -+ security level if the system will not be utilizing software incompatible
925 -+ with these features.
926 -+
927 -+ When this level is selected, some security features will be forced on,
928 -+ while others will default to their suggested values of off or on. The
929 -+ later can be tweaked at the user's discretion, but may cause problems
930 -+ in some situations. You can fully customize all grsecurity/PaX features
931 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
932 -+ inherit the options selected by this security level as a starting point.
933 -+ To accomplish this, select this security level, then exit the menuconfig
934 -+ interface, saving changes when prompted. Run make menuconfig again and
935 -+ select the "Custom" level.
936 -+
937 -+config GRKERNSEC_HARDENED_WORKSTATION
938 -+ bool "Hardened Gentoo [workstation]"
939 -+ select GRKERNSEC_LINK
940 -+ select GRKERNSEC_FIFO
941 -+ select GRKERNSEC_DMESG
942 -+ select GRKERNSEC_FORKFAIL
943 -+ select GRKERNSEC_TIME
944 -+ select GRKERNSEC_SIGNAL
945 -+ select GRKERNSEC_CHROOT
946 -+ select GRKERNSEC_CHROOT_SHMAT
947 -+ select GRKERNSEC_CHROOT_UNIX
948 -+ select GRKERNSEC_CHROOT_MOUNT
949 -+ select GRKERNSEC_CHROOT_FCHDIR
950 -+ select GRKERNSEC_CHROOT_PIVOT
951 -+ select GRKERNSEC_CHROOT_DOUBLE
952 -+ select GRKERNSEC_CHROOT_CHDIR
953 -+ select GRKERNSEC_CHROOT_MKNOD
954 -+ select GRKERNSEC_CHROOT_CAPS
955 -+ select GRKERNSEC_CHROOT_SYSCTL
956 -+ select GRKERNSEC_CHROOT_FINDTASK
957 -+ select GRKERNSEC_PROC
958 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
959 -+ select GRKERNSEC_HIDESYM
960 -+ select GRKERNSEC_BRUTE
961 -+ select GRKERNSEC_PROC_USERGROUP
962 -+ select GRKERNSEC_KMEM
963 -+ select GRKERNSEC_RESLOG
964 -+ select GRKERNSEC_AUDIT_PTRACE
965 -+ select GRKERNSEC_RANDNET
966 -+ select GRKERNSEC_CHROOT_CHMOD
967 -+ select GRKERNSEC_CHROOT_NICE
968 -+ select GRKERNSEC_AUDIT_MOUNT
969 -+ select GRKERNSEC_MODHARDEN if (MODULES)
970 -+ select GRKERNSEC_HARDEN_PTRACE
971 -+ select GRKERNSEC_PTRACE_READEXEC
972 -+ select GRKERNSEC_SETXID
973 -+ select GRKERNSEC_VM86 if (X86_32)
974 -+ select GRKERNSEC_PROC_IPADDR
975 -+ select GRKERNSEC_RWXMAP_LOG
976 -+ select GRKERNSEC_SYSCTL
977 -+ select GRKERNSEC_SYSCTL_ON
978 -+ select PAX
979 -+ select PAX_ASLR
980 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
981 -+ select PAX_RANDUSTACK
982 -+ select PAX_RANDMMAP
983 -+ select PAX_NOEXEC
984 -+ select PAX_MPROTECT
985 -+ select PAX_EI_PAX
986 -+ select PAX_PT_PAX_FLAGS
987 -+ select PAX_HAVE_ACL_FLAGS
988 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
989 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
990 -+ select PAX_SEGMEXEC if (X86_32)
991 -+ select PAX_PAGEEXEC
992 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
993 -+ select PAX_EMUTRAMP if (PARISC)
994 -+ select PAX_EMUSIGRT if (PARISC)
995 -+ select PAX_REFCOUNT if (X86 || SPARC64)
996 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
997 -+ select PAX_MEMORY_SANITIZE
998 -+ select PAX_MEMORY_STACKLEAK if (!XEN)
999 -+ help
1000 -+ If you say Y here, a configuration for grsecurity/PaX features
1001 -+ will be used that is endorsed by the Hardened Gentoo project.
1002 -+ These pre-defined security levels are designed to provide a high
1003 -+ level of security while minimizing incompatibilities with a majority
1004 -+ of Gentoo's available software.
1005 -+
1006 -+ This "Hardened Gentoo [workstation]" level is identical to the
1007 -+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
1008 -+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
1009 -+ security level if the system will be utilizing software incompatible
1010 -+ with these features.
1011 -+
1012 -+ When this level is selected, some security features will be forced on,
1013 -+ while others will default to their suggested values of off or on. The
1014 -+ later can be tweaked at the user's discretion, but may cause problems
1015 -+ in some situations. You can fully customize all grsecurity/PaX features
1016 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
1017 -+ inherit the options selected by this security level as a starting point.
1018 -+ To accomplish this, select this security level, then exit the menuconfig
1019 -+ interface, saving changes when prompted. Run make menuconfig again and
1020 -+ select the "Custom" level.
1021 -+
1022 -+config GRKERNSEC_HARDENED_VIRTUALIZATION
1023 -+ bool "Hardened Gentoo [virtualization]"
1024 -+ select GRKERNSEC_LINK
1025 -+ select GRKERNSEC_FIFO
1026 -+ select GRKERNSEC_DMESG
1027 -+ select GRKERNSEC_FORKFAIL
1028 -+ select GRKERNSEC_TIME
1029 -+ select GRKERNSEC_SIGNAL
1030 -+ select GRKERNSEC_CHROOT
1031 -+ select GRKERNSEC_CHROOT_SHMAT
1032 -+ select GRKERNSEC_CHROOT_UNIX
1033 -+ select GRKERNSEC_CHROOT_MOUNT
1034 -+ select GRKERNSEC_CHROOT_FCHDIR
1035 -+ select GRKERNSEC_CHROOT_PIVOT
1036 -+ select GRKERNSEC_CHROOT_DOUBLE
1037 -+ select GRKERNSEC_CHROOT_CHDIR
1038 -+ select GRKERNSEC_CHROOT_MKNOD
1039 -+ select GRKERNSEC_CHROOT_CAPS
1040 -+ select GRKERNSEC_CHROOT_SYSCTL
1041 -+ select GRKERNSEC_CHROOT_FINDTASK
1042 -+ select GRKERNSEC_PROC
1043 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
1044 -+ select GRKERNSEC_HIDESYM
1045 -+ select GRKERNSEC_BRUTE
1046 -+ select GRKERNSEC_PROC_USERGROUP
1047 -+ select GRKERNSEC_KMEM
1048 -+ select GRKERNSEC_RESLOG
1049 -+ select GRKERNSEC_AUDIT_PTRACE
1050 -+ select GRKERNSEC_RANDNET
1051 -+ select GRKERNSEC_CHROOT_CHMOD
1052 -+ select GRKERNSEC_CHROOT_NICE
1053 -+ select GRKERNSEC_AUDIT_MOUNT
1054 -+ select GRKERNSEC_MODHARDEN if (MODULES)
1055 -+ select GRKERNSEC_HARDEN_PTRACE
1056 -+ select GRKERNSEC_PTRACE_READEXEC
1057 -+ select GRKERNSEC_SETXID
1058 -+ select GRKERNSEC_VM86 if (X86_32)
1059 -+ select GRKERNSEC_PROC_IPADDR
1060 -+ select GRKERNSEC_RWXMAP_LOG
1061 -+ select GRKERNSEC_SYSCTL
1062 -+ select GRKERNSEC_SYSCTL_ON
1063 -+ select PAX
1064 -+ select PAX_ASLR
1065 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
1066 -+ select PAX_RANDUSTACK
1067 -+ select PAX_RANDMMAP
1068 -+ select PAX_NOEXEC
1069 -+ select PAX_MPROTECT
1070 -+ select PAX_EI_PAX
1071 -+ select PAX_PT_PAX_FLAGS
1072 -+ select PAX_HAVE_ACL_FLAGS
1073 -+ select PAX_SEGMEXEC if (X86_32)
1074 -+ select PAX_PAGEEXEC
1075 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
1076 -+ select PAX_EMUTRAMP if (PARISC)
1077 -+ select PAX_EMUSIGRT if (PARISC)
1078 -+ select PAX_REFCOUNT if (X86 || SPARC64)
1079 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
1080 -+ select PAX_MEMORY_SANITIZE
1081 -+ select PAX_MEMORY_STACKLEAK if (!XEN)
1082 -+ help
1083 -+ If you say Y here, a configuration for grsecurity/PaX features
1084 -+ will be used that is endorsed by the Hardened Gentoo project.
1085 -+ These pre-defined security levels are designed to provide a high
1086 -+ level of security while minimizing incompatibilities with a majority
1087 -+ of Gentoo's available software.
1088 -+
1089 -+ This "Hardened Gentoo [virtualization]" level is identical to the
1090 -+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
1091 -+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
1092 -+ security level if the system will be utilizing virtualization software
1093 -+ incompatible with these features, like VirtualBox or kvm.
1094 -+
1095 -+ When this level is selected, some security features will be forced on,
1096 -+ while others will default to their suggested values of off or on. The
1097 -+ later can be tweaked at the user's discretion, but may cause problems
1098 -+ in some situations. You can fully customize all grsecurity/PaX features
1099 -+ by choosing "Custom" in the Security Level menu. It may be helpful to
1100 -+ inherit the options selected by this security level as a starting point.
1101 -+ To accomplish this, select this security level, then exit the menuconfig
1102 -+ interface, saving changes when prompted. Run make menuconfig again and
1103 -+ select the "Custom" level.
1104 -+
1105 - config GRKERNSEC_CUSTOM
1106 - bool "Custom"
1107 - help
1108 -diff -Naur a/security/Kconfig b/security/Kconfig
1109 ---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
1110 -+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
1111 -@@ -362,9 +362,10 @@
1112 -
1113 - config PAX_KERNEXEC
1114 - bool "Enforce non-executable kernel pages"
1115 -- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
1116 -+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
1117 - select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
1118 - select PAX_KERNEXEC_PLUGIN if X86_64
1119 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
1120 - help
1121 - This is the kernel land equivalent of PAGEEXEC and MPROTECT,
1122 - that is, enabling this option will make it harder to inject
1123 -@@ -375,30 +376,30 @@
1124 -
1125 - choice
1126 - prompt "Return Address Instrumentation Method"
1127 -- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
1128 -+ default PAX_KERNEXEC_PLUGIN_METHOD_OR
1129 - depends on PAX_KERNEXEC_PLUGIN
1130 - help
1131 - Select the method used to instrument function pointer dereferences.
1132 - Note that binary modules cannot be instrumented by this approach.
1133 -
1134 -- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
1135 -- bool "bts"
1136 -- help
1137 -- This method is compatible with binary only modules but has
1138 -- a higher runtime overhead.
1139 --
1140 - config PAX_KERNEXEC_PLUGIN_METHOD_OR
1141 - bool "or"
1142 - depends on !PARAVIRT
1143 - help
1144 - This method is incompatible with binary only modules but has
1145 - a lower runtime overhead.
1146 -+
1147 -+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
1148 -+ bool "bts"
1149 -+ help
1150 -+ This method is compatible with binary only modules but has
1151 -+ a higher runtime overhead.
1152 - endchoice
1153 -
1154 - config PAX_KERNEXEC_PLUGIN_METHOD
1155 - string
1156 -- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
1157 - default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
1158 -+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
1159 - default ""
1160 -
1161 - config PAX_KERNEXEC_MODULE_TEXT
1162 -@@ -555,8 +556,9 @@
1163 -
1164 - config PAX_MEMORY_UDEREF
1165 - bool "Prevent invalid userland pointer dereference"
1166 -- depends on X86 && !UML_X86 && !XEN
1167 -+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
1168 - select PAX_PER_CPU_PGD if X86_64
1169 -+ default y if GRKERNSEC_HARDENED_WORKSTATION
1170 - help
1171 - By saying Y here the kernel will be prevented from dereferencing
1172 - userland pointers in contexts where the kernel expects only kernel
1173
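Review bot: removing this patch drops the three predefined levels (`config GRKERNSEC_HARDENED_SERVER`, `_WORKSTATION`, `_VIRTUALIZATION`) and the `default GRKERNSEC_HARDENED_WORKSTATION` for the Security Level choice, so 3.2.22 users who relied on that default will now land on `GRKERNSEC_CUSTOM` with none of the listed `select` lines applied; the deletion needs a migration note in 0000_README saying whether the upstream Kconfig offers equivalent levels and what a saved .config will do. Two side effects are easy to miss: the `!GRKERNSEC_HARDENED_VIRTUALIZATION` clause on `PAX_KERNEXEC` and `PAX_MEMORY_UDEREF` disappears, so hosts running the virtualization software named in the deleted help text must now disable those two options by hand, and the return-address instrumentation default reverts from `PAX_KERNEXEC_PLUGIN_METHOD_OR` to `PAX_KERNEXEC_PLUGIN_METHOD_BTS`, which changes both runtime overhead and binary-module compatibility for anyone who does not revisit the option.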
1174 diff --git a/3.2.22/4460-grsec-kconfig-proc-user.patch b/3.2.22/4460-grsec-kconfig-proc-user.patch
1175 deleted file mode 100644
1176 index b2b3188..0000000
1177 --- a/3.2.22/4460-grsec-kconfig-proc-user.patch
1178 +++ /dev/null
1179 @@ -1,26 +0,0 @@
1180 -From: Anthony G. Basile <blueness@g.o>
1181 -
1182 -Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
1183 -in a different way to avoid bug #366019. This patch should eventually go upstream.
1184 -
1185 -diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1186 ---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
1187 -+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
1188 -@@ -680,7 +680,7 @@
1189 -
1190 - config GRKERNSEC_PROC_USER
1191 - bool "Restrict /proc to user only"
1192 -- depends on GRKERNSEC_PROC
1193 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
1194 - help
1195 - If you say Y here, non-root users will only be able to view their own
1196 - processes, and restricts them from viewing network-related information,
1197 -@@ -688,7 +688,7 @@
1198 -
1199 - config GRKERNSEC_PROC_USERGROUP
1200 - bool "Allow special group"
1201 -- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
1202 -+ depends on GRKERNSEC_PROC
1203 - help
1204 - If you say Y here, you will be able to select a group that will be
1205 - able to view all processes and network-related information. If you've
1206
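Review bot: the deleted description states `This patch should eventually go upstream.` and the deletion gives no evidence that it did; confirm that the upstream grsecurity/Kconfig now enforces the exclusion between `GRKERNSEC_PROC_USER` and `GRKERNSEC_PROC_USERGROUP` in one direction or the other (the patch moved the `!` dependency from USERGROUP onto USER), otherwise bug #366019 resurfaces as soon as both options can be selected together. A one-line pointer to the upstream hunk in the README would make that verifiable.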
1207 diff --git a/3.4.4/0000_README b/3.4.4/0000_README
1208 index be72568..6e60159 100644
1209 --- a/3.4.4/0000_README
1210 +++ b/3.4.4/0000_README
1211 @@ -2,6 +2,10 @@ README
1212 -----------------------------------------------------------------------------
1213 Individual Patch Descriptions:
1214 -----------------------------------------------------------------------------
1215 +Patch: 2600_FW_MIPS_FILE_06_regression.patch
1216 +From: Anthony G. Basile <blueness@g.o>
1217 +Desc: Fix regressions against bnx2 firmware
1218 +
1219 Patch: 4420_grsecurity-2.9.1-3.4.4-201207080925.patch
1220 From: http://www.grsecurity.net
1221 Desc: hardened-sources base patch from upstream grsecurity
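Review bot: the new entry `+Patch: 2600_FW_MIPS_FILE_06_regression.patch` names a file that appears nowhere else in this diff, so either it was committed separately (say where) or 0000_README now lists a patch the 3.4.4 patchset does not ship. The line `+Desc: Fix regressions against bnx2 firmware` is also too thin to act on: state what regressed (the observed failure and the kernel change or firmware revision that triggered it) and what FW_MIPS_FILE_06 refers to, so the entry can be retired once the fix is upstream.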