
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.4.4/
Date: Sun, 01 Jul 2012 17:56:57
Message-Id: 1341165387.6ed3a4cda487bd77f4cf449c8041a95569547f94.blueness@gentoo
1 commit: 6ed3a4cda487bd77f4cf449c8041a95569547f94
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jul 1 17:56:27 2012 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sun Jul 1 17:56:27 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=6ed3a4cd
7
8 Grsec/PaX: 2.9.1-3.4.4-201206251759: new 3.4.4 Kconfig structure
9
10 ---
11 3.4.4/0000_README | 18 +-
12 ...4420_grsecurity-2.9.1-3.4.4-201206251759.patch} | 488 +++++++++++---------
13 3.4.4/4445_grsec-pax-without-grsec.patch | 91 ----
14 3.4.4/4450_grsec-kconfig-default-gids.patch | 52 ++-
15 3.4.4/4455_grsec-kconfig-gentoo.patch | 357 --------------
16 3.4.4/4460-grsec-kconfig-proc-user.patch | 26 -
17 3.4.4/4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
18 3.4.4/4470_disable-compat_vdso.patch | 2 +-
19 8 files changed, 308 insertions(+), 728 deletions(-)
20
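diff --git a/3.4.4/0000_README b/3.4.4/0000_README
index dbb8629..61e9d20 100644
--- a/3.4.4/0000_README
+++ b/3.4.4/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.4.4-201206231147.patch
+Patch: 4420_grsecurity-2.9.1-3.4.4-201206251759.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
@@ -20,27 +20,11 @@ Patch: 4440_grsec-remove-protected-paths.patch
 From: Anthony G. Basile <blueness@g.o>
 Desc: Removes chmod statements from grsecurity/Makefile
 
-Patch: 4445_grsec-pax-without-grsec.patch
-From: Gordon Malm <gengor@g.o>
-Desc: Allows PaX features to be selected without enabling GRKERNSEC
-
 Patch: 4450_grsec-kconfig-default-gids.patch
 From: Kerin Millar <kerframil@×××××.com>
 Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
 features
 
-Patch: 4455_grsec-kconfig-gentoo.patch
-From: Gordon Malm <gengor@g.o>
- Kerin Millar <kerframil@×××××.com>
- Anthony G. Basile <blueness@g.o>
-Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels,
- sets Hardened Gentoo [workstation] as default
-
-Patch: 4460-grsec-kconfig-proc-user.patch
-From: Anthony G. Basile <blueness@g.o>
-Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
- exclusive to avoid bug #366019.
-
 Patch: 4465_selinux-avc_audit-log-curr_ip.patch
 From: Gordon Malm <gengor@g.o>
 Anthony G. Basile <blueness@g.o>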
63 diff --git a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch
64 similarity index 99%
65 rename from 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch
66 rename to 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch
67 index 758a4c4..083b3e1 100644
68 --- a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch
69 +++ b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch
70 @@ -7733,7 +7733,7 @@ index 706e12e..62e4feb 100644
71 config X86_MINIMUM_CPU_FAMILY
72 int
73 diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
74 -index e46c214..7c72b55 100644
75 +index e46c214..ab62fd1 100644
76 --- a/arch/x86/Kconfig.debug
77 +++ b/arch/x86/Kconfig.debug
78 @@ -84,7 +84,7 @@ config X86_PTDUMP
79 @@ -7754,6 +7754,15 @@ index e46c214..7c72b55 100644
80 ---help---
81 This option helps catch unintended modifications to loadable
82 kernel module's text and read-only data. It also prevents execution
83 +@@ -275,7 +275,7 @@ config OPTIMIZE_INLINING
84 +
85 + config DEBUG_STRICT_USER_COPY_CHECKS
86 + bool "Strict copy size checks"
87 +- depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
88 ++ depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW
89 + ---help---
90 + Enabling this option turns a certain set of sanity checks for user
91 + copy operations into compile time failures.
92 diff --git a/arch/x86/Makefile b/arch/x86/Makefile
93 index b1c611e..2c1a823 100644
94 --- a/arch/x86/Makefile
95 @@ -49100,221 +49109,19 @@ index 3011b87..1ab03e9 100644
96 kfree(s);
97 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
98 new file mode 100644
99 -index 0000000..2645296
100 +index 0000000..2d6e3a8
101 --- /dev/null
102 +++ b/grsecurity/Kconfig
103 -@@ -0,0 +1,1079 @@
104 +@@ -0,0 +1,915 @@
105 +#
106 +# grecurity configuration
107 +#
108 -+
109 -+menu "Grsecurity"
110 -+
111 -+config GRKERNSEC
112 -+ bool "Grsecurity"
113 -+ select CRYPTO
114 -+ select CRYPTO_SHA256
115 -+ help
116 -+ If you say Y here, you will be able to configure many features
117 -+ that will enhance the security of your system. It is highly
118 -+ recommended that you say Y here and read through the help
119 -+ for each option so that you fully understand the features and
120 -+ can evaluate their usefulness for your machine.
121 -+
122 -+choice
123 -+ prompt "Security Level"
124 -+ depends on GRKERNSEC
125 -+ default GRKERNSEC_CUSTOM
126 -+
127 -+config GRKERNSEC_LOW
128 -+ bool "Low"
129 -+ select GRKERNSEC_LINK
130 -+ select GRKERNSEC_FIFO
131 -+ select GRKERNSEC_RANDNET
132 -+ select GRKERNSEC_DMESG
133 -+ select GRKERNSEC_CHROOT
134 -+ select GRKERNSEC_CHROOT_CHDIR
135 -+
136 -+ help
137 -+ If you choose this option, several of the grsecurity options will
138 -+ be enabled that will give you greater protection against a number
139 -+ of attacks, while assuring that none of your software will have any
140 -+ conflicts with the additional security measures. If you run a lot
141 -+ of unusual software, or you are having problems with the higher
142 -+ security levels, you should say Y here. With this option, the
143 -+ following features are enabled:
144 -+
145 -+ - Linking restrictions
146 -+ - FIFO restrictions
147 -+ - Restricted dmesg
148 -+ - Enforced chdir("/") on chroot
149 -+ - Runtime module disabling
150 -+
151 -+config GRKERNSEC_MEDIUM
152 -+ bool "Medium"
153 -+ select PAX
154 -+ select PAX_EI_PAX
155 -+ select PAX_PT_PAX_FLAGS
156 -+ select PAX_HAVE_ACL_FLAGS
157 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
158 -+ select GRKERNSEC_CHROOT
159 -+ select GRKERNSEC_CHROOT_SYSCTL
160 -+ select GRKERNSEC_LINK
161 -+ select GRKERNSEC_FIFO
162 -+ select GRKERNSEC_DMESG
163 -+ select GRKERNSEC_RANDNET
164 -+ select GRKERNSEC_FORKFAIL
165 -+ select GRKERNSEC_TIME
166 -+ select GRKERNSEC_SIGNAL
167 -+ select GRKERNSEC_CHROOT
168 -+ select GRKERNSEC_CHROOT_UNIX
169 -+ select GRKERNSEC_CHROOT_MOUNT
170 -+ select GRKERNSEC_CHROOT_PIVOT
171 -+ select GRKERNSEC_CHROOT_DOUBLE
172 -+ select GRKERNSEC_CHROOT_CHDIR
173 -+ select GRKERNSEC_CHROOT_MKNOD
174 -+ select GRKERNSEC_PROC
175 -+ select GRKERNSEC_PROC_USERGROUP
176 -+ select PAX_RANDUSTACK
177 -+ select PAX_ASLR
178 -+ select PAX_RANDMMAP
179 -+ select PAX_REFCOUNT if (X86 || SPARC64)
180 -+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
181 -+
182 -+ help
183 -+ If you say Y here, several features in addition to those included
184 -+ in the low additional security level will be enabled. These
185 -+ features provide even more security to your system, though in rare
186 -+ cases they may be incompatible with very old or poorly written
187 -+ software. If you enable this option, make sure that your auth
188 -+ service (identd) is running as gid 1001. With this option,
189 -+ the following features (in addition to those provided in the
190 -+ low additional security level) will be enabled:
191 -+
192 -+ - Failed fork logging
193 -+ - Time change logging
194 -+ - Signal logging
195 -+ - Deny mounts in chroot
196 -+ - Deny double chrooting
197 -+ - Deny sysctl writes in chroot
198 -+ - Deny mknod in chroot
199 -+ - Deny access to abstract AF_UNIX sockets out of chroot
200 -+ - Deny pivot_root in chroot
201 -+ - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port
202 -+ - /proc restrictions with special GID set to 10 (usually wheel)
203 -+ - Address Space Layout Randomization (ASLR)
204 -+ - Prevent exploitation of most refcount overflows
205 -+ - Bounds checking of copying between the kernel and userland
206 -+
207 -+config GRKERNSEC_HIGH
208 -+ bool "High"
209 -+ select GRKERNSEC_LINK
210 -+ select GRKERNSEC_FIFO
211 -+ select GRKERNSEC_DMESG
212 -+ select GRKERNSEC_FORKFAIL
213 -+ select GRKERNSEC_TIME
214 -+ select GRKERNSEC_SIGNAL
215 -+ select GRKERNSEC_CHROOT
216 -+ select GRKERNSEC_CHROOT_SHMAT
217 -+ select GRKERNSEC_CHROOT_UNIX
218 -+ select GRKERNSEC_CHROOT_MOUNT
219 -+ select GRKERNSEC_CHROOT_FCHDIR
220 -+ select GRKERNSEC_CHROOT_PIVOT
221 -+ select GRKERNSEC_CHROOT_DOUBLE
222 -+ select GRKERNSEC_CHROOT_CHDIR
223 -+ select GRKERNSEC_CHROOT_MKNOD
224 -+ select GRKERNSEC_CHROOT_CAPS
225 -+ select GRKERNSEC_CHROOT_SYSCTL
226 -+ select GRKERNSEC_CHROOT_FINDTASK
227 -+ select GRKERNSEC_SYSFS_RESTRICT
228 -+ select GRKERNSEC_PROC
229 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
230 -+ select GRKERNSEC_HIDESYM
231 -+ select GRKERNSEC_BRUTE
232 -+ select GRKERNSEC_PROC_USERGROUP
233 -+ select GRKERNSEC_KMEM
234 -+ select GRKERNSEC_RESLOG
235 -+ select GRKERNSEC_RANDNET
236 -+ select GRKERNSEC_PROC_ADD
237 -+ select GRKERNSEC_CHROOT_CHMOD
238 -+ select GRKERNSEC_CHROOT_NICE
239 -+ select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS)
240 -+ select GRKERNSEC_AUDIT_MOUNT
241 -+ select GRKERNSEC_MODHARDEN if (MODULES)
242 -+ select GRKERNSEC_HARDEN_PTRACE
243 -+ select GRKERNSEC_PTRACE_READEXEC
244 -+ select GRKERNSEC_VM86 if (X86_32)
245 -+ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
246 -+ select PAX
247 -+ select PAX_RANDUSTACK
248 -+ select PAX_ASLR
249 -+ select PAX_RANDMMAP
250 -+ select PAX_NOEXEC
251 -+ select PAX_MPROTECT
252 -+ select PAX_EI_PAX
253 -+ select PAX_PT_PAX_FLAGS
254 -+ select PAX_HAVE_ACL_FLAGS
255 -+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
256 -+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
257 -+ select PAX_RANDKSTACK if (X86_TSC && X86)
258 -+ select PAX_SEGMEXEC if (X86_32)
259 -+ select PAX_PAGEEXEC
260 -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
261 -+ select PAX_EMUTRAMP if (PARISC)
262 -+ select PAX_EMUSIGRT if (PARISC)
263 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
264 -+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
265 -+ select PAX_REFCOUNT if (X86 || SPARC64)
266 -+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
267 -+ help
268 -+ If you say Y here, many of the features of grsecurity will be
269 -+ enabled, which will protect you against many kinds of attacks
270 -+ against your system. The heightened security comes at a cost
271 -+ of an increased chance of incompatibilities with rare software
272 -+ on your machine. Since this security level enables PaX, you should
273 -+ view <http://pax.grsecurity.net> and read about the PaX
274 -+ project. While you are there, download chpax and run it on
275 -+ binaries that cause problems with PaX. Also remember that
276 -+ since the /proc restrictions are enabled, you must run your
277 -+ identd as gid 1001. This security level enables the following
278 -+ features in addition to those listed in the low and medium
279 -+ security levels:
280 -+
281 -+ - Additional /proc restrictions
282 -+ - Chmod restrictions in chroot
283 -+ - No signals, ptrace, or viewing of processes outside of chroot
284 -+ - Capability restrictions in chroot
285 -+ - Deny fchdir out of chroot
286 -+ - Priority restrictions in chroot
287 -+ - Segmentation-based implementation of PaX
288 -+ - Mprotect restrictions
289 -+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
290 -+ - Kernel stack randomization
291 -+ - Mount/unmount/remount logging
292 -+ - Kernel symbol hiding
293 -+ - Hardening of module auto-loading
294 -+ - Ptrace restrictions
295 -+ - Restricted vm86 mode
296 -+ - Restricted sysfs/debugfs
297 -+ - Active kernel exploit response
298 -+
299 -+config GRKERNSEC_CUSTOM
300 -+ bool "Custom"
301 -+ help
302 -+ If you say Y here, you will be able to configure every grsecurity
303 -+ option, which allows you to enable many more features that aren't
304 -+ covered in the basic security levels. These additional features
305 -+ include TPE, socket restrictions, and the sysctl system for
306 -+ grsecurity. It is advised that you read through the help for
307 -+ each option to determine its usefulness in your situation.
308 -+
309 -+endchoice
310 -+
311 +menu "Memory Protections"
312 +depends on GRKERNSEC
313 +
314 +config GRKERNSEC_KMEM
315 + bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
316 ++ default y if GRKERNSEC_CONFIG_AUTO
317 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
318 + help
319 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
320 @@ -49336,6 +49143,7 @@ index 0000000..2645296
321 +
322 +config GRKERNSEC_VM86
323 + bool "Restrict VM86 mode"
324 ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
325 + depends on X86_32
326 +
327 + help
328 @@ -49349,6 +49157,7 @@ index 0000000..2645296
329 +
330 +config GRKERNSEC_IO
331 + bool "Disable privileged I/O"
332 ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
333 + depends on X86
334 + select RTC_CLASS
335 + select RTC_INTF_DEV
336 @@ -49368,7 +49177,7 @@ index 0000000..2645296
337 +
338 +config GRKERNSEC_PROC_MEMMAP
339 + bool "Harden ASLR against information leaks and entropy reduction"
340 -+ default y if (PAX_NOEXEC || PAX_ASLR)
341 ++ default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR)
342 + depends on PAX_NOEXEC || PAX_ASLR
343 + help
344 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
345 @@ -49388,6 +49197,7 @@ index 0000000..2645296
346 +
347 +config GRKERNSEC_BRUTE
348 + bool "Deter exploit bruteforcing"
349 ++ default y if GRKERNSEC_CONFIG_AUTO
350 + help
351 + If you say Y here, attempts to bruteforce exploits against forking
352 + daemons such as apache or sshd, as well as against suid/sgid binaries
353 @@ -49408,6 +49218,7 @@ index 0000000..2645296
354 +
355 +config GRKERNSEC_MODHARDEN
356 + bool "Harden module auto-loading"
357 ++ default y if GRKERNSEC_CONFIG_AUTO
358 + depends on MODULES
359 + help
360 + If you say Y here, module auto-loading in response to use of some
361 @@ -49429,6 +49240,7 @@ index 0000000..2645296
362 +
363 +config GRKERNSEC_HIDESYM
364 + bool "Hide kernel symbols"
365 ++ default y if GRKERNSEC_CONFIG_AUTO
366 + help
367 + If you say Y here, getting information on loaded modules, and
368 + displaying all kernel symbols through a syscall will be restricted
369 @@ -49454,11 +49266,12 @@ index 0000000..2645296
370 +
371 +config GRKERNSEC_KERN_LOCKOUT
372 + bool "Active kernel exploit response"
373 ++ default y if GRKERNSEC_CONFIG_AUTO
374 + depends on X86 || ARM || PPC || SPARC
375 + help
376 + If you say Y here, when a PaX alert is triggered due to suspicious
377 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
378 -+ or an OOPs occurs due to bad memory accesses, instead of just
379 ++ or an OOPS occurs due to bad memory accesses, instead of just
380 + terminating the offending process (and potentially allowing
381 + a subsequent exploit from the same user), we will take one of two
382 + actions:
383 @@ -49517,6 +49330,7 @@ index 0000000..2645296
384 +
385 +config GRKERNSEC_PROC
386 + bool "Proc restrictions"
387 ++ default y if GRKERNSEC_CONFIG_AUTO
388 + help
389 + If you say Y here, the permissions of the /proc filesystem
390 + will be altered to enhance system security and privacy. You MUST
391 @@ -49538,6 +49352,7 @@ index 0000000..2645296
392 +
393 +config GRKERNSEC_PROC_USERGROUP
394 + bool "Allow special group"
395 ++ default y if GRKERNSEC_CONFIG_AUTO
396 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
397 + help
398 + If you say Y here, you will be able to select a group that will be
399 @@ -49553,6 +49368,7 @@ index 0000000..2645296
400 +
401 +config GRKERNSEC_PROC_ADD
402 + bool "Additional restrictions"
403 ++ default y if GRKERNSEC_CONFIG_AUTO
404 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
405 + help
406 + If you say Y here, additional restrictions will be placed on
407 @@ -49561,6 +49377,7 @@ index 0000000..2645296
408 +
409 +config GRKERNSEC_LINK
410 + bool "Linking restrictions"
411 ++ default y if GRKERNSEC_CONFIG_AUTO
412 + help
413 + If you say Y here, /tmp race exploits will be prevented, since users
414 + will no longer be able to follow symlinks owned by other users in
415 @@ -49571,6 +49388,7 @@ index 0000000..2645296
416 +
417 +config GRKERNSEC_FIFO
418 + bool "FIFO restrictions"
419 ++ default y if GRKERNSEC_CONFIG_AUTO
420 + help
421 + If you say Y here, users will not be able to write to FIFOs they don't
422 + own in world-writable +t directories (e.g. /tmp), unless the owner of
423 @@ -49580,6 +49398,7 @@ index 0000000..2645296
424 +
425 +config GRKERNSEC_SYSFS_RESTRICT
426 + bool "Sysfs/debugfs restriction"
427 ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
428 + depends on SYSFS
429 + help
430 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
431 @@ -49613,6 +49432,7 @@ index 0000000..2645296
432 +
433 +config GRKERNSEC_CHROOT
434 + bool "Chroot jail restrictions"
435 ++ default y if GRKERNSEC_CONFIG_AUTO
436 + help
437 + If you say Y here, you will be able to choose several options that will
438 + make breaking out of a chrooted jail much more difficult. If you
439 @@ -49621,6 +49441,7 @@ index 0000000..2645296
440 +
441 +config GRKERNSEC_CHROOT_MOUNT
442 + bool "Deny mounts"
443 ++ default y if GRKERNSEC_CONFIG_AUTO
444 + depends on GRKERNSEC_CHROOT
445 + help
446 + If you say Y here, processes inside a chroot will not be able to
447 @@ -49629,6 +49450,7 @@ index 0000000..2645296
448 +
449 +config GRKERNSEC_CHROOT_DOUBLE
450 + bool "Deny double-chroots"
451 ++ default y if GRKERNSEC_CONFIG_AUTO
452 + depends on GRKERNSEC_CHROOT
453 + help
454 + If you say Y here, processes inside a chroot will not be able to chroot
455 @@ -49639,6 +49461,7 @@ index 0000000..2645296
456 +
457 +config GRKERNSEC_CHROOT_PIVOT
458 + bool "Deny pivot_root in chroot"
459 ++ default y if GRKERNSEC_CONFIG_AUTO
460 + depends on GRKERNSEC_CHROOT
461 + help
462 + If you say Y here, processes inside a chroot will not be able to use
463 @@ -49651,6 +49474,7 @@ index 0000000..2645296
464 +
465 +config GRKERNSEC_CHROOT_CHDIR
466 + bool "Enforce chdir(\"/\") on all chroots"
467 ++ default y if GRKERNSEC_CONFIG_AUTO
468 + depends on GRKERNSEC_CHROOT
469 + help
470 + If you say Y here, the current working directory of all newly-chrooted
471 @@ -49667,6 +49491,7 @@ index 0000000..2645296
472 +
473 +config GRKERNSEC_CHROOT_CHMOD
474 + bool "Deny (f)chmod +s"
475 ++ default y if GRKERNSEC_CONFIG_AUTO
476 + depends on GRKERNSEC_CHROOT
477 + help
478 + If you say Y here, processes inside a chroot will not be able to chmod
479 @@ -49677,6 +49502,7 @@ index 0000000..2645296
480 +
481 +config GRKERNSEC_CHROOT_FCHDIR
482 + bool "Deny fchdir out of chroot"
483 ++ default y if GRKERNSEC_CONFIG_AUTO
484 + depends on GRKERNSEC_CHROOT
485 + help
486 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
487 @@ -49686,6 +49512,7 @@ index 0000000..2645296
488 +
489 +config GRKERNSEC_CHROOT_MKNOD
490 + bool "Deny mknod"
491 ++ default y if GRKERNSEC_CONFIG_AUTO
492 + depends on GRKERNSEC_CHROOT
493 + help
494 + If you say Y here, processes inside a chroot will not be allowed to
495 @@ -49700,6 +49527,7 @@ index 0000000..2645296
496 +
497 +config GRKERNSEC_CHROOT_SHMAT
498 + bool "Deny shmat() out of chroot"
499 ++ default y if GRKERNSEC_CONFIG_AUTO
500 + depends on GRKERNSEC_CHROOT
501 + help
502 + If you say Y here, processes inside a chroot will not be able to attach
503 @@ -49709,6 +49537,7 @@ index 0000000..2645296
504 +
505 +config GRKERNSEC_CHROOT_UNIX
506 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
507 ++ default y if GRKERNSEC_CONFIG_AUTO
508 + depends on GRKERNSEC_CHROOT
509 + help
510 + If you say Y here, processes inside a chroot will not be able to
511 @@ -49719,6 +49548,7 @@ index 0000000..2645296
512 +
513 +config GRKERNSEC_CHROOT_FINDTASK
514 + bool "Protect outside processes"
515 ++ default y if GRKERNSEC_CONFIG_AUTO
516 + depends on GRKERNSEC_CHROOT
517 + help
518 + If you say Y here, processes inside a chroot will not be able to
519 @@ -49729,6 +49559,7 @@ index 0000000..2645296
520 +
521 +config GRKERNSEC_CHROOT_NICE
522 + bool "Restrict priority changes"
523 ++ default y if GRKERNSEC_CONFIG_AUTO
524 + depends on GRKERNSEC_CHROOT
525 + help
526 + If you say Y here, processes inside a chroot will not be able to raise
527 @@ -49740,6 +49571,7 @@ index 0000000..2645296
528 +
529 +config GRKERNSEC_CHROOT_SYSCTL
530 + bool "Deny sysctl writes"
531 ++ default y if GRKERNSEC_CONFIG_AUTO
532 + depends on GRKERNSEC_CHROOT
533 + help
534 + If you say Y here, an attacker in a chroot will not be able to
535 @@ -49750,6 +49582,7 @@ index 0000000..2645296
536 +
537 +config GRKERNSEC_CHROOT_CAPS
538 + bool "Capability restrictions"
539 ++ default y if GRKERNSEC_CONFIG_AUTO
540 + depends on GRKERNSEC_CHROOT
541 + help
542 + If you say Y here, the capabilities on all processes within a
543 @@ -49792,6 +49625,7 @@ index 0000000..2645296
544 +
545 +config GRKERNSEC_RESLOG
546 + bool "Resource logging"
547 ++ default y if GRKERNSEC_CONFIG_AUTO
548 + help
549 + If you say Y here, all attempts to overstep resource limits will
550 + be logged with the resource name, the requested size, and the current
551 @@ -49830,6 +49664,7 @@ index 0000000..2645296
552 +
553 +config GRKERNSEC_SIGNAL
554 + bool "Signal logging"
555 ++ default y if GRKERNSEC_CONFIG_AUTO
556 + help
557 + If you say Y here, certain important signals will be logged, such as
558 + SIGSEGV, which will as a result inform you of when a error in a program
559 @@ -49847,6 +49682,7 @@ index 0000000..2645296
560 +
561 +config GRKERNSEC_TIME
562 + bool "Time change logging"
563 ++ default y if GRKERNSEC_CONFIG_AUTO
564 + help
565 + If you say Y here, any changes of the system clock will be logged.
566 + If the sysctl option is enabled, a sysctl option with name
567 @@ -49854,6 +49690,7 @@ index 0000000..2645296
568 +
569 +config GRKERNSEC_PROC_IPADDR
570 + bool "/proc/<pid>/ipaddr support"
571 ++ default y if GRKERNSEC_CONFIG_AUTO
572 + help
573 + If you say Y here, a new entry will be added to each /proc/<pid>
574 + directory that contains the IP address of the person using the task.
575 @@ -49865,6 +49702,7 @@ index 0000000..2645296
576 +
577 +config GRKERNSEC_RWXMAP_LOG
578 + bool 'Denied RWX mmap/mprotect logging'
579 ++ default y if GRKERNSEC_CONFIG_AUTO
580 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
581 + help
582 + If you say Y here, calls to mmap() and mprotect() with explicit
583 @@ -49893,6 +49731,7 @@ index 0000000..2645296
584 +
585 +config GRKERNSEC_DMESG
586 + bool "Dmesg(8) restriction"
587 ++ default y if GRKERNSEC_CONFIG_AUTO
588 + help
589 + If you say Y here, non-root users will not be able to use dmesg(8)
590 + to view up to the last 4kb of messages in the kernel's log buffer.
591 @@ -49904,6 +49743,7 @@ index 0000000..2645296
592 +
593 +config GRKERNSEC_HARDEN_PTRACE
594 + bool "Deter ptrace-based process snooping"
595 ++ default y if GRKERNSEC_CONFIG_AUTO
596 + help
597 + If you say Y here, TTY sniffers and other malicious monitoring
598 + programs implemented through ptrace will be defeated. If you
599 @@ -49920,6 +49760,7 @@ index 0000000..2645296
600 +
601 +config GRKERNSEC_PTRACE_READEXEC
602 + bool "Require read access to ptrace sensitive binaries"
603 ++ default y if GRKERNSEC_CONFIG_AUTO
604 + help
605 + If you say Y here, unprivileged users will not be able to ptrace unreadable
606 + binaries. This option is useful in environments that
607 @@ -49933,6 +49774,7 @@ index 0000000..2645296
608 +
609 +config GRKERNSEC_SETXID
610 + bool "Enforce consistent multithreaded privileges"
611 ++ default y if GRKERNSEC_CONFIG_AUTO
612 + depends on (X86 || SPARC64 || PPC || ARM || MIPS)
613 + help
614 + If you say Y here, a change from a root uid to a non-root uid
615 @@ -49947,6 +49789,7 @@ index 0000000..2645296
616 +
617 +config GRKERNSEC_TPE
618 + bool "Trusted Path Execution (TPE)"
619 ++ default y if GRKERNSEC_CONFIG_AUTO
620 + help
621 + If you say Y here, you will be able to choose a gid to add to the
622 + supplementary groups of users you want to mark as "untrusted."
623 @@ -50003,6 +49846,7 @@ index 0000000..2645296
624 +
625 +config GRKERNSEC_RANDNET
626 + bool "Larger entropy pools"
627 ++ default y if GRKERNSEC_CONFIG_AUTO
628 + help
629 + If you say Y here, the entropy pools used for many features of Linux
630 + and grsecurity will be doubled in size. Since several grsecurity
631 @@ -50012,6 +49856,7 @@ index 0000000..2645296
632 +
633 +config GRKERNSEC_BLACKHOLE
634 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
635 ++ default y if GRKERNSEC_CONFIG_AUTO
636 + depends on NET
637 + help
638 + If you say Y here, neither TCP resets nor ICMP
639 @@ -50111,11 +49956,12 @@ index 0000000..2645296
640 + option with name "socket_server_gid" is created.
641 +
642 +endmenu
643 -+menu "Sysctl support"
644 ++menu "Sysctl Support"
645 +depends on GRKERNSEC && SYSCTL
646 +
647 +config GRKERNSEC_SYSCTL
648 + bool "Sysctl support"
649 ++ default y if GRKERNSEC_CONFIG_AUTO
650 + help
651 + If you say Y here, you will be able to change the options that
652 + grsecurity runs with at bootup, without having to recompile your
653 @@ -50146,6 +49992,7 @@ index 0000000..2645296
654 +
655 +config GRKERNSEC_SYSCTL_ON
656 + bool "Turn on features by default"
657 ++ default y if GRKERNSEC_CONFIG_AUTO
658 + depends on GRKERNSEC_SYSCTL
659 + help
660 + If you say Y here, instead of having all features enabled in the
661 @@ -50181,8 +50028,6 @@ index 0000000..2645296
662 + raise this value.
663 +
664 +endmenu
665 -+
666 -+endmenu
667 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
668 new file mode 100644
669 index 0000000..1b9afa9
670 @@ -77757,14 +77602,197 @@ index 5c11312..72742b5 100644
671 write_hex_cnt = 0;
672 for (i = 0; i < logo_clutsize; i++) {
673 diff --git a/security/Kconfig b/security/Kconfig
674 -index ccc61f8..5effdb4 100644
675 +index ccc61f8..3334dd6 100644
676 --- a/security/Kconfig
677 +++ b/security/Kconfig
678 -@@ -4,6 +4,640 @@
679 +@@ -4,6 +4,849 @@
680
681 menu "Security options"
682
683 -+source grsecurity/Kconfig
684 ++menu "Grsecurity"
685 ++
686 ++config GRKERNSEC
687 ++ bool "Grsecurity"
688 ++ select CRYPTO
689 ++ select CRYPTO_SHA256
690 ++ help
691 ++ If you say Y here, you will be able to configure many features
692 ++ that will enhance the security of your system. It is highly
693 ++ recommended that you say Y here and read through the help
694 ++ for each option so that you fully understand the features and
695 ++ can evaluate their usefulness for your machine.
696 ++
697 ++choice
698 ++ prompt "Configuration Method"
699 ++ depends on GRKERNSEC
700 ++ default GRKERNSEC_CONFIG_CUSTOM
701 ++ help
702 ++
703 ++config GRKERNSEC_CONFIG_AUTO
704 ++ bool "Automatic"
705 ++ help
706 ++ If you choose this configuration method, you'll be able to answer a small
707 ++ number of simple questions about how you plan to use this kernel.
708 ++ The settings of grsecurity and PaX will be automatically configured for
709 ++ the highest commonly-used settings within the provided constraints.
710 ++
711 ++ If you require additional configuration, custom changes can still be made
712 ++ from the "custom configuration" menu.
713 ++
714 ++config GRKERNSEC_CONFIG_CUSTOM
715 ++ bool "Custom"
716 ++ help
717 ++ If you choose this configuration method, you'll be able to configure all
718 ++ grsecurity and PaX settings manually. Via this method, no options are
719 ++ automatically enabled.
720 ++
721 ++endchoice
722 ++
723 ++choice
724 ++ prompt "Usage Type"
725 ++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
726 ++ default GRKERNSEC_CONFIG_SERVER
727 ++ help
728 ++
729 ++config GRKERNSEC_CONFIG_SERVER
730 ++ bool "Server"
731 ++ help
732 ++ Choose this option if you plan to use this kernel on a server.
733 ++
734 ++config GRKERNSEC_CONFIG_DESKTOP
735 ++ bool "Desktop"
736 ++ help
737 ++ Choose this option if you plan to use this kernel on a desktop.
738 ++
739 ++endchoice
740 ++
741 ++choice
742 ++ prompt "Virtualization Type"
743 ++ depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO)
744 ++ default GRKERNSEC_CONFIG_VIRT_NONE
745 ++ help
746 ++
747 ++config GRKERNSEC_CONFIG_VIRT_NONE
748 ++ bool "None"
749 ++ help
750 ++ Choose this option if this kernel will be run on bare metal.
751 ++
752 ++config GRKERNSEC_CONFIG_VIRT_GUEST
753 ++ bool "Guest"
754 ++ help
755 ++ Choose this option if this kernel will be run as a VM guest.
756 ++
757 ++config GRKERNSEC_CONFIG_VIRT_HOST
758 ++ bool "Host"
759 ++ help
760 ++ Choose this option if this kernel will be run as a VM host.
761 ++
762 ++endchoice
763 ++
764 ++choice
765 ++ prompt "Virtualization Hardware"
766 ++ depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST))
767 ++ help
768 ++
769 ++config GRKERNSEC_CONFIG_VIRT_EPT
770 ++ bool "EPT/RVI Processor Support"
771 ++ depends on X86
772 ++ help
773 ++ Choose this option if your CPU supports the EPT or RVI features of 2nd-gen
774 ++ hardware virtualization. This allows for additional kernel hardening protections
775 ++ to operate without additional performance impact.
776 ++
777 ++ To see if your Intel processor supports EPT, see:
778 ++ http://ark.intel.com/Products/VirtualizationTechnology
779 ++ (Most Core i3/5/7 support EPT)
780 ++
781 ++ To see if your AMD processor supports RVI, see:
782 ++ http://support.amd.com/us/kbarticles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx
783 ++
784 ++config GRKERNSEC_CONFIG_VIRT_SOFT
785 ++ bool "First-gen/No Hardware Virtualization"
786 ++ help
787 ++ Choose this option if you use an Atom/Pentium/Core 2 processor that either doesn't
788 ++ support hardware virtualization or doesn't support the EPT/RVI extensions.
789 ++
790 ++endchoice
791 ++
792 ++choice
793 ++ prompt "Virtualization Software"
794 ++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST))
795 ++ help
796 ++
797 ++config GRKERNSEC_CONFIG_VIRT_XEN
798 ++ bool "Xen"
799 ++ help
800 ++ Choose this option if this kernel is running as a Xen guest or host.
801 ++
802 ++config GRKERNSEC_CONFIG_VIRT_VMWARE
803 ++ bool "VMWare"
804 ++ help
805 ++ Choose this option if this kernel is running as a VMWare guest or host.
806 ++
807 ++config GRKERNSEC_CONFIG_VIRT_KVM
808 ++ bool "KVM"
809 ++ help
810 ++ Choose this option if this kernel is running as a KVM guest or host.
811 ++
812 ++config GRKERNSEC_CONFIG_VIRT_VIRTUALBOX
813 ++ bool "VirtualBox"
814 ++ help
815 ++ Choose this option if this kernel is running as a VirtualBox guest or host.
816 ++
817 ++endchoice
818 ++
819 ++choice
820 ++ prompt "Required Priorities"
821 ++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
822 ++ default GRKERNSEC_CONFIG_PRIORITY_PERF
823 ++ help
824 ++
825 ++config GRKERNSEC_CONFIG_PRIORITY_PERF
826 ++ bool "Performance"
827 ++ help
828 ++ Choose this option if performance is of highest priority for this deployment
829 ++ of grsecurity. Features like UDEREF on a 64bit kernel, kernel stack clearing,
830 ++ and freed memory sanitizing will be disabled.
831 ++
832 ++config GRKERNSEC_CONFIG_PRIORITY_SECURITY
833 ++ bool "Security"
834 ++ help
835 ++ Choose this option if security is of highest priority for this deployment of
836 ++ grsecurity. UDEREF, kernel stack clearing, and freed memory sanitizing will
837 ++ be enabled for this kernel. In a worst-case scenario, these features can
838 ++ introduce a 20% performance hit (UDEREF on x64 contributing half of this hit).
839 ++
840 ++endchoice
841 ++
842 ++menu "Default Special Groups"
843 ++depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
844 ++
845 ++config GRKERNSEC_PROC_GID
846 ++ int "GID exempted from /proc restrictions"
847 ++ default 1001
848 ++ help
849 ++ Setting this GID determines which group will be exempted from
850 ++ grsecurity's /proc restrictions, allowing users of the specified
851 ++ group to view network statistics and the existence of other users'
852 ++ processes on the system.
853 ++
854 ++config GRKERNSEC_TPE_GID
855 ++ int "GID for untrusted users"
856 ++ default 1005
857 ++ help
858 ++ Setting this GID determines which group untrusted users should
859 ++ be added to. These users will be placed under grsecurity's Trusted Path
860 ++ Execution mechanism, preventing them from executing their own binaries.
861 ++ The users will only be able to execute binaries in directories owned and
862 ++ writable only by the root user.
863 ++
864 ++endmenu
865 ++
866 ++menu "Customize Configuration"
867 ++depends on GRKERNSEC
868 +
869 +menu "PaX"
870 +
871 @@ -77789,6 +77817,7 @@ index ccc61f8..5effdb4 100644
872 +
873 +config PAX
874 + bool "Enable various PaX features"
875 ++ default y if GRKERNSEC_CONFIG_AUTO
876 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
877 + help
878 + This allows you to enable various PaX features. PaX adds
879 @@ -77812,6 +77841,7 @@ index ccc61f8..5effdb4 100644
880 +
881 +config PAX_EI_PAX
882 + bool 'Use legacy ELF header marking'
883 ++ default y if GRKERNSEC_CONFIG_AUTO
884 + help
885 + Enabling this option will allow you to control PaX features on
886 + a per executable basis via the 'chpax' utility available at
887 @@ -77831,6 +77861,7 @@ index ccc61f8..5effdb4 100644
888 +
889 +config PAX_PT_PAX_FLAGS
890 + bool 'Use ELF program header marking'
891 ++ default y if GRKERNSEC_CONFIG_AUTO
892 + help
893 + Enabling this option will allow you to control PaX features on
894 + a per executable basis via the 'paxctl' utility available at
895 @@ -77852,6 +77883,7 @@ index ccc61f8..5effdb4 100644
896 +
897 +config PAX_XATTR_PAX_FLAGS
898 + bool 'Use filesystem extended attributes marking'
899 ++ default y if GRKERNSEC_CONFIG_AUTO
900 + select CIFS_XATTR if CIFS
901 + select EXT2_FS_XATTR if EXT2_FS
902 + select EXT3_FS_XATTR if EXT3_FS
903 @@ -77913,6 +77945,7 @@ index ccc61f8..5effdb4 100644
904 +
905 +config PAX_NOEXEC
906 + bool "Enforce non-executable pages"
907 ++ default y if GRKERNSEC_CONFIG_AUTO
908 + depends on ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86
909 + help
910 + By design some architectures do not allow for protecting memory
911 @@ -77941,6 +77974,7 @@ index ccc61f8..5effdb4 100644
912 +
913 +config PAX_PAGEEXEC
914 + bool "Paging based non-executable pages"
915 ++ default y if GRKERNSEC_CONFIG_AUTO
916 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
917 + select S390_SWITCH_AMODE if S390
918 + select S390_EXEC_PROTECT if S390
919 @@ -77963,6 +77997,7 @@ index ccc61f8..5effdb4 100644
920 +
921 +config PAX_SEGMEXEC
922 + bool "Segmentation based non-executable pages"
923 ++ default y if GRKERNSEC_CONFIG_AUTO
924 + depends on PAX_NOEXEC && X86_32
925 + help
926 + This implementation is based on the segmentation feature of the
927 @@ -78029,6 +78064,7 @@ index ccc61f8..5effdb4 100644
928 +
929 +config PAX_MPROTECT
930 + bool "Restrict mprotect()"
931 ++ default y if GRKERNSEC_CONFIG_AUTO
932 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
933 + help
934 + Enabling this option will prevent programs from
935 @@ -78046,8 +78082,8 @@ index ccc61f8..5effdb4 100644
936 +
937 +config PAX_MPROTECT_COMPAT
938 + bool "Use legacy/compat protection demoting (read help)"
939 ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP)
940 + depends on PAX_MPROTECT
941 -+ default n
942 + help
943 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
944 + by sending the proper error code to the application. For some broken
945 @@ -78122,6 +78158,7 @@ index ccc61f8..5effdb4 100644
946 +
947 +config PAX_KERNEXEC
948 + bool "Enforce non-executable kernel pages"
949 ++ default y if GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM))
950 + depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
951 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
952 + select PAX_KERNEXEC_PLUGIN if X86_64
953 @@ -78163,7 +78200,8 @@ index ccc61f8..5effdb4 100644
954 +
955 +config PAX_KERNEXEC_MODULE_TEXT
956 + int "Minimum amount of memory reserved for module code"
957 -+ default "4"
958 ++ default "4" if (!GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_SERVER)
959 ++ default "12" if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP)
960 + depends on PAX_KERNEXEC && X86_32 && MODULES
961 + help
962 + Due to implementation details the kernel must reserve a fixed
963 @@ -78188,6 +78226,7 @@ index ccc61f8..5effdb4 100644
964 +
965 +config PAX_ASLR
966 + bool "Address Space Layout Randomization"
967 ++ default y if GRKERNSEC_CONFIG_AUTO
968 + help
969 + Many if not most exploit techniques rely on the knowledge of
970 + certain addresses in the attacked program. The following options
971 @@ -78217,6 +78256,7 @@ index ccc61f8..5effdb4 100644
972 +
973 +config PAX_RANDKSTACK
974 + bool "Randomize kernel stack base"
975 ++ default y if GRKERNSEC_CONFIG_AUTO
976 + depends on X86_TSC && X86
977 + help
978 + By saying Y here the kernel will randomize every task's kernel
979 @@ -78231,6 +78271,7 @@ index ccc61f8..5effdb4 100644
980 +
981 +config PAX_RANDUSTACK
982 + bool "Randomize user stack base"
983 ++ default y if GRKERNSEC_CONFIG_AUTO
984 + depends on PAX_ASLR
985 + help
986 + By saying Y here the kernel will randomize every task's userland
987 @@ -78243,6 +78284,7 @@ index ccc61f8..5effdb4 100644
988 +
989 +config PAX_RANDMMAP
990 + bool "Randomize mmap() base"
991 ++ default y if GRKERNSEC_CONFIG_AUTO
992 + depends on PAX_ASLR
993 + help
994 + By saying Y here the kernel will use a randomized base address for
995 @@ -78269,6 +78311,7 @@ index ccc61f8..5effdb4 100644
996 +
997 +config PAX_MEMORY_SANITIZE
998 + bool "Sanitize all freed memory"
999 ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
1000 + depends on !HIBERNATION
1001 + help
1002 + By saying Y here the kernel will erase memory pages as soon as they
1003 @@ -78291,6 +78334,7 @@ index ccc61f8..5effdb4 100644
1004 +
1005 +config PAX_MEMORY_STACKLEAK
1006 + bool "Sanitize kernel stack"
1007 ++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
1008 + depends on X86
1009 + help
1010 + By saying Y here the kernel will erase the kernel stack before it
1011 @@ -78315,6 +78359,7 @@ index ccc61f8..5effdb4 100644
1012 +
1013 +config PAX_MEMORY_UDEREF
1014 + bool "Prevent invalid userland pointer dereference"
1015 ++ default y if GRKERNSEC_CONFIG_AUTO && (X86_32 || (X86_64 && GRKERNSEC_CONFIG_PRIORITY_SECURITY)) && (GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
1016 + depends on X86 && !UML_X86 && !XEN
1017 + select PAX_PER_CPU_PGD if X86_64
1018 + help
1019 @@ -78334,6 +78379,7 @@ index ccc61f8..5effdb4 100644
1020 +
1021 +config PAX_REFCOUNT
1022 + bool "Prevent various kernel object reference counter overflows"
1023 ++ default y if GRKERNSEC_CONFIG_AUTO
1024 + depends on GRKERNSEC && ((ARM && (CPU_32v6 || CPU_32v6K || CPU_32v7)) || SPARC64 || X86)
1025 + help
1026 + By saying Y here the kernel will detect and prevent overflowing
1027 @@ -78353,6 +78399,7 @@ index ccc61f8..5effdb4 100644
1028 +
1029 +config PAX_USERCOPY
1030 + bool "Harden heap object copies between kernel and userland"
1031 ++ default y if GRKERNSEC_CONFIG_AUTO
1032 + depends on X86 || PPC || SPARC || ARM
1033 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
1034 + help
1035 @@ -78382,6 +78429,7 @@ index ccc61f8..5effdb4 100644
1036 +
1037 +config PAX_SIZE_OVERFLOW
1038 + bool "Prevent various integer overflows in function size parameters"
1039 ++ default y if GRKERNSEC_CONFIG_AUTO
1040 + depends on X86
1041 + help
1042 + By saying Y here the kernel recomputes expressions of function
1043 @@ -78398,10 +78446,16 @@ index ccc61f8..5effdb4 100644
1044 +
1045 +endmenu
1046 +
1047 ++source grsecurity/Kconfig
1048 ++
1049 ++endmenu
1050 ++
1051 ++endmenu
1052 ++
1053 config KEYS
1054 bool "Enable access key retention support"
1055 help
1056 -@@ -169,7 +803,7 @@ config INTEL_TXT
1057 +@@ -169,7 +1012,7 @@ config INTEL_TXT
1058 config LSM_MMAP_MIN_ADDR
1059 int "Low address space for LSM to protect from user allocation"
1060 depends on SECURITY && SECURITY_SELINUX
1061
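diff --git a/3.4.4/4445_grsec-pax-without-grsec.patch b/3.4.4/4445_grsec-pax-without-grsec.patch
deleted file mode 100644
index 35255c2..0000000
--- a/3.4.4/4445_grsec-pax-without-grsec.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-ny G. Basile <blueness@g.o>
-
-With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
-pax_report_om_user in fs/exec.c were consolidated into pax_report_usercopy.
-This patch has been updated to reflect that change.
-
-With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn.
-This patch has been updated to reflect that change.
---
-From: Jory Pratt <anarchy@g.o>
-Updated patch for kernel 2.6.32
-
-The credits/description from the original version of this patch remain accurate
-and are included below.
---
-From: Gordon Malm <gengor@g.o>
-
-Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
-
-This patch has been updated to keep current with newer kernel versions.
-The original version of this patch contained no credits/description.
-
-diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400
-+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400
-@@ -657,10 +657,12 @@
-
- #ifdef CONFIG_PAX_KERNEXEC
- if (init_mm.start_code <= address && address < init_mm.end_code) {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- else
-+#endif
- printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- current->comm, task_pid_nr(current), current_uid(), current_euid());
- }
-diff -Naur a/fs/exec.c b/fs/exec.c
---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400
-+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400
-@@ -2052,9 +2052,11 @@
- }
- up_read(&mm->mmap_sem);
- }
-+#ifdef CONFIG_GRKERNSEC
- if (tsk->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
- else
-+#endif
- printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
- printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
- "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -2069,10 +2071,12 @@
- #ifdef CONFIG_PAX_REFCOUNT
- void pax_report_refcount_overflow(struct pt_regs *regs)
- {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- else
-+#endif
- printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- current->comm, task_pid_nr(current), current_uid(), current_euid());
- print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -2131,10 +2135,12 @@
-
- __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
- {
-+#ifdef CONFIG_GRKERNSEC
- if (current->signal->curr_ip)
- printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- else
-+#endif
- printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- dump_stack();
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400
-+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400
-@@ -29,7 +29,7 @@
-
- config PAX
- bool "Enable various PaX features"
-- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
-+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
- help
- This allows you to enable various PaX features. PaX adds
- intrusion prevention mechanisms to the kernel that reduce
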
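diff --git a/3.4.4/4450_grsec-kconfig-default-gids.patch b/3.4.4/4450_grsec-kconfig-default-gids.patch
index 123f877..a728d1a 100644
--- a/3.4.4/4450_grsec-kconfig-default-gids.patch
+++ b/3.4.4/4450_grsec-kconfig-default-gids.patch
@@ -1,3 +1,7 @@
+From: Anthony G. Basile <blueness@g.o>
+Updated patch for the new Kconfig system for >=3.4.4
+
+---
 From: Kerin Millar <kerframil@×××××.com>
 
 grsecurity contains a number of options which allow certain protections
@@ -9,19 +13,10 @@ attention to the finer points of kernel configuration, it is probably
 wise to specify some reasonable defaults so as to stop careless users
 from shooting themselves in the foot.
 
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500
-+++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500
-@@ -443,7 +443,7 @@
- config GRKERNSEC_PROC_GID
- int "GID for special group"
- depends on GRKERNSEC_PROC_USERGROUP
-- default 1001
-+ default 10
-
- config GRKERNSEC_PROC_ADD
- bool "Additional restrictions"
-@@ -671,7 +671,7 @@
+diff -Nuar a/grsecurity/Kconfig b/Kconfig
+--- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400
++++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400
+@@ -495,7 +495,7 @@
 config GRKERNSEC_AUDIT_GID
 int "GID for auditing"
 depends on GRKERNSEC_AUDIT_GROUP
@@ -30,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 
 config GRKERNSEC_EXECLOG
 bool "Exec logging"
-@@ -875,7 +875,7 @@
+@@ -710,7 +710,7 @@
 config GRKERNSEC_TPE_GID
 int "GID for untrusted users"
 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -39,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -884,7 +884,7 @@
+@@ -719,7 +719,7 @@
 config GRKERNSEC_TPE_GID
 int "GID for trusted users"
 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -48,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -957,7 +957,7 @@
+@@ -794,7 +794,7 @@
 config GRKERNSEC_SOCKET_ALL_GID
 int "GID to deny all sockets for"
 depends on GRKERNSEC_SOCKET_ALL
@@ -57,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable socket access for. Remember to
 add the users you want socket access disabled for to the GID
-@@ -978,7 +978,7 @@
+@@ -815,7 +815,7 @@
 config GRKERNSEC_SOCKET_CLIENT_GID
 int "GID to deny client sockets for"
 depends on GRKERNSEC_SOCKET_CLIENT
@@ -66,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable client socket access for.
 Remember to add the users you want client socket access disabled for to
-@@ -996,7 +996,7 @@
+@@ -833,7 +833,7 @@
 config GRKERNSEC_SOCKET_SERVER_GID
 int "GID to deny server sockets for"
 depends on GRKERNSEC_SOCKET_SERVER
@@ -75,3 +70,24 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable server socket access for.
 Remember to add the users you want server socket access disabled for to
+diff -Nuar a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400
++++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400
+@@ -167,7 +167,7 @@
+
+ config GRKERNSEC_PROC_GID
+ int "GID exempted from /proc restrictions"
+- default 1001
++ default 10
+ help
+ Setting this GID determines which group will be exempted from
+ grsecurity's /proc restrictions, allowing users of the specified
+@@ -176,7 +176,7 @@
+
+ config GRKERNSEC_TPE_GID
+ int "GID for untrusted users"
+- default 1005
++ default 100
+ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
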
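Review bot: The new security/Kconfig hunk at the end of this patch sets the GRKERNSEC_CONFIG_AUTO defaults to `default 10` for GRKERNSEC_PROC_GID and `default 100` for GRKERNSEC_TPE_GID, yet the same two symbols are still defined with their own defaults in the grsecurity/Kconfig hunks earlier in the patch (the values set there lie outside the visible context), and the updated header says nothing about which definition is meant to take effect or that the two are expected to agree. Because these GIDs decide who is exempt from the /proc restrictions and who is confined by Trusted Path Execution, the choice belongs in the patch description rather than only in the numbers; a line after `Updated patch for the new Kconfig system for >=3.4.4` such as `The GRKERNSEC_CONFIG_AUTO menu in security/Kconfig re-declares GRKERNSEC_PROC_GID and GRKERNSEC_TPE_GID, so their defaults are set to the same Gentoo GIDs (10 = wheel, 100 = users) as the grsecurity/Kconfig entries` would record it, assuming that is the intent. Separately, the new inner header `diff -Nuar a/grsecurity/Kconfig b/Kconfig` names a different b/ path from the `+++ b/grsecurity/Kconfig` line that follows it; patch(1) takes the file name from the ---/+++ lines so this is harmless, but it should read `diff -Nuar a/grsecurity/Kconfig b/grsecurity/Kconfig` for consistency with the security/Kconfig header below it.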
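diff --git a/3.4.4/4455_grsec-kconfig-gentoo.patch b/3.4.4/4455_grsec-kconfig-gentoo.patch
deleted file mode 100644
index b9dc3e5..0000000
--- a/3.4.4/4455_grsec-kconfig-gentoo.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-From: Anthony G. Basile <blueness@g.o>
-From: Gordon Malm <gengor@g.o>
-From: Jory A. Pratt <anarchy@g.o>
-From: Kerin Millar <kerframil@×××××.com>
-
-Add Hardened Gentoo [server/workstation] predefined grsecurity
-levels. They're designed to provide a comparitively high level of
-security while remaining generally suitable for as great a majority
-of the userbase as possible (particularly new users).
-
-Make Hardened Gentoo [workstation] predefined grsecurity level the
-default. The Hardened Gentoo [server] level is more restrictive
-and conflicts with some software and thus would be less suitable.
-
-The original version of this patch was conceived and created by:
-Ned Ludd <solar@g.o>
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500
-+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500
-@@ -18,7 +18,7 @@
- choice
- prompt "Security Level"
- depends on GRKERNSEC
-- default GRKERNSEC_CUSTOM
-+ default GRKERNSEC_HARDENED_WORKSTATION
-
- config GRKERNSEC_LOW
- bool "Low"
-@@ -192,6 +192,262 @@
- - Restricted sysfs/debugfs
- - Active kernel exploit response
-
-+config GRKERNSEC_HARDENED_SERVER
-+ bool "Hardened Gentoo [server]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_SYSFS_RESTRICT
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_PROC_ADD
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_IO
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [server]" level is identical to the
-+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
-+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
-+ security level if the system will not be utilizing software incompatible
-+ with these features.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION
-+ bool "Hardened Gentoo [workstation]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [workstation]" level is identical to the
-+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
-+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
-+ security level if the system will be utilizing software incompatible
-+ with these features.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_VIRTUALIZATION
-+ bool "Hardened Gentoo [virtualization]"
-+ select GRKERNSEC_LINK
-+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_DMESG
-+ select GRKERNSEC_FORKFAIL
-+ select GRKERNSEC_TIME
-+ select GRKERNSEC_SIGNAL
-+ select GRKERNSEC_CHROOT
-+ select GRKERNSEC_CHROOT_SHMAT
-+ select GRKERNSEC_CHROOT_UNIX
-+ select GRKERNSEC_CHROOT_MOUNT
-+ select GRKERNSEC_CHROOT_FCHDIR
-+ select GRKERNSEC_CHROOT_PIVOT
-+ select GRKERNSEC_CHROOT_DOUBLE
-+ select GRKERNSEC_CHROOT_CHDIR
-+ select GRKERNSEC_CHROOT_MKNOD
-+ select GRKERNSEC_CHROOT_CAPS
-+ select GRKERNSEC_CHROOT_SYSCTL
-+ select GRKERNSEC_CHROOT_FINDTASK
-+ select GRKERNSEC_PROC
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+ select GRKERNSEC_HIDESYM
-+ select GRKERNSEC_BRUTE
-+ select GRKERNSEC_PROC_USERGROUP
-+ select GRKERNSEC_KMEM
-+ select GRKERNSEC_RESLOG
-+ select GRKERNSEC_AUDIT_PTRACE
-+ select GRKERNSEC_RANDNET
-+ select GRKERNSEC_CHROOT_CHMOD
-+ select GRKERNSEC_CHROOT_NICE
-+ select GRKERNSEC_AUDIT_MOUNT
-+ select GRKERNSEC_MODHARDEN if (MODULES)
-+ select GRKERNSEC_HARDEN_PTRACE
-+ select GRKERNSEC_PTRACE_READEXEC
-+ select GRKERNSEC_SETXID
-+ select GRKERNSEC_VM86 if (X86_32)
-+ select GRKERNSEC_PROC_IPADDR
-+ select GRKERNSEC_RWXMAP_LOG
-+ select GRKERNSEC_SYSCTL
-+ select GRKERNSEC_SYSCTL_ON
-+ select PAX
-+ select PAX_ASLR
-+ select PAX_RANDKSTACK if (X86_TSC && X86)
-+ select PAX_RANDUSTACK
-+ select PAX_RANDMMAP
-+ select PAX_NOEXEC
-+ select PAX_MPROTECT
-+ select PAX_EI_PAX
-+ select PAX_PT_PAX_FLAGS
-+ select PAX_HAVE_ACL_FLAGS
-+ select PAX_SEGMEXEC if (X86_32)
-+ select PAX_PAGEEXEC
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+ select PAX_EMUTRAMP if (PARISC)
-+ select PAX_EMUSIGRT if (PARISC)
-+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ select PAX_MEMORY_STACKLEAK if (!XEN)
-+ help
-+ If you say Y here, a configuration for grsecurity/PaX features
-+ will be used that is endorsed by the Hardened Gentoo project.
-+ These pre-defined security levels are designed to provide a high
-+ level of security while minimizing incompatibilities with a majority
-+ of Gentoo's available software.
-+
-+ This "Hardened Gentoo [virtualization]" level is identical to the
-+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
-+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
-+ security level if the system will be utilizing virtualization software
-+ incompatible with these features, like VirtualBox or kvm.
-+
-+ When this level is selected, some security features will be forced on,
-+ while others will default to their suggested values of off or on. The
-+ later can be tweaked at the user's discretion, but may cause problems
-+ in some situations. You can fully customize all grsecurity/PaX features
-+ by choosing "Custom" in the Security Level menu. It may be helpful to
-+ inherit the options selected by this security level as a starting point.
-+ To accomplish this, select this security level, then exit the menuconfig
-+ interface, saving changes when prompted. Run make menuconfig again and
-+ select the "Custom" level.
-+
- config GRKERNSEC_CUSTOM
- bool "Custom"
- help
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500
-+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500
-@@ -363,9 +363,10 @@
-
- config PAX_KERNEXEC
- bool "Enforce non-executable kernel pages"
-- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
- select PAX_KERNEXEC_PLUGIN if X86_64
-+ default y if GRKERNSEC_HARDENED_WORKSTATION
- help
- This is the kernel land equivalent of PAGEEXEC and MPROTECT,
- that is, enabling this option will make it harder to inject
-@@ -376,30 +377,30 @@
-
- choice
- prompt "Return Address Instrumentation Method"
-- default PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+ default PAX_KERNEXEC_PLUGIN_METHOD_OR
- depends on PAX_KERNEXEC_PLUGIN
- help
- Select the method used to instrument function pointer dereferences.
- Note that binary modules cannot be instrumented by this approach.
-
-- config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-- bool "bts"
-- help
-- This method is compatible with binary only modules but has
-- a higher runtime overhead.
--
- config PAX_KERNEXEC_PLUGIN_METHOD_OR
- bool "or"
- depends on !PARAVIRT
- help
- This method is incompatible with binary only modules but has
- a lower runtime overhead.
-+
-+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+ bool "bts"
-+ help
-+ This method is compatible with binary only modules but has
-+ a higher runtime overhead.
- endchoice
-
- config PAX_KERNEXEC_PLUGIN_METHOD
- string
-- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
-+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- default ""
-
- config PAX_KERNEXEC_MODULE_TEXT
-@@ -556,8 +557,9 @@
-
- config PAX_MEMORY_UDEREF
- bool "Prevent invalid userland pointer dereference"
-- depends on X86 && !UML_X86 && !XEN
-+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- select PAX_PER_CPU_PGD if X86_64
-+ default y if GRKERNSEC_HARDENED_WORKSTATION
- help
- By saying Y here the kernel will be prevented from dereferencing
- userland pointers in contexts where the kernel expects only kernel
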
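--- a/3.4.4/4460-grsec-kconfig-proc-user.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Anthony G. Basile <blueness@g.o>
-
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
-in a different way to avoid bug #366019. This patch should eventually go upstream.
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
-@@ -680,7 +680,7 @@
-
- config GRKERNSEC_PROC_USER
- bool "Restrict /proc to user only"
-- depends on GRKERNSEC_PROC
-+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
- help
- If you say Y here, non-root users will only be able to view their own
- processes, and restricts them from viewing network-related information,
-@@ -688,7 +688,7 @@
-
- config GRKERNSEC_PROC_USERGROUP
- bool "Allow special group"
-- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+ depends on GRKERNSEC_PROC
- help
- If you say Y here, you will be able to select a group that will be
- able to view all processes and network-related information. If you've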
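--- a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1309,6 +1309,27 @@
+@@ -892,6 +892,27 @@
 menu "Logging Options"
 depends on GRKERNSEC
 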
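Review bot: Only the nested hunk's line offset is rebased here (`-@@ -1309,6 +1309,27 @@` becomes `+@@ -892,6 +892,27 @@`) while the embedded `---`/`+++` header keeps its 2011-04-17 timestamps, so the patch file no longer reads as the output of a single diff run. The same header-only rebase is done in 3.4.4/4470_disable-compat_vdso.patch (`-@@ -1694,17 +1694,8 @@` becomes `+@@ -1678,17 +1678,8 @@`). An offset-only edit presumably just stops `patch` from reporting an offset, but it does not show that the surviving context lines (`menu "Logging Options"`, `depends on GRKERNSEC`) still match the grsecurity Kconfig shipped with 2.9.1-3.4.4-201206251759; regenerating the nested diff against the current tree would verify that and keep header and body consistent. A one-line remark in the patch preamble, e.g. `Hunk offset rebased for grsecurity-2.9.1-3.4.4-201206251759`, would record why the numbers moved without a body change.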
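--- a/3.4.4/4470_disable-compat_vdso.patch
+++ b/3.4.4/4470_disable-compat_vdso.patch
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -1694,17 +1694,8 @@
+@@ -1678,17 +1678,8 @@
 
 config COMPAT_VDSO
 def_bool n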