1 |
commit: 6ed3a4cda487bd77f4cf449c8041a95569547f94 |
2 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Jul 1 17:56:27 2012 +0000 |
4 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Jul 1 17:56:27 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=6ed3a4cd |
7 |
|
8 |
Grsec/PaX: 2.9.1-3.4.4-201206251759: new 3.4.4 Kconfig structure |
9 |
|
10 |
--- |
11 |
3.4.4/0000_README | 18 +- |
12 |
...4420_grsecurity-2.9.1-3.4.4-201206251759.patch} | 488 +++++++++++--------- |
13 |
3.4.4/4445_grsec-pax-without-grsec.patch | 91 ---- |
14 |
3.4.4/4450_grsec-kconfig-default-gids.patch | 52 ++- |
15 |
3.4.4/4455_grsec-kconfig-gentoo.patch | 357 -------------- |
16 |
3.4.4/4460-grsec-kconfig-proc-user.patch | 26 - |
17 |
3.4.4/4465_selinux-avc_audit-log-curr_ip.patch | 2 +- |
18 |
3.4.4/4470_disable-compat_vdso.patch | 2 +- |
19 |
8 files changed, 308 insertions(+), 728 deletions(-) |
20 |
|
21 |
diff --git a/3.4.4/0000_README b/3.4.4/0000_README |
22 |
index dbb8629..61e9d20 100644 |
23 |
--- a/3.4.4/0000_README |
24 |
+++ b/3.4.4/0000_README |
25 |
@@ -2,7 +2,7 @@ README |
26 |
----------------------------------------------------------------------------- |
27 |
Individual Patch Descriptions: |
28 |
----------------------------------------------------------------------------- |
29 |
-Patch: 4420_grsecurity-2.9.1-3.4.4-201206231147.patch |
30 |
+Patch: 4420_grsecurity-2.9.1-3.4.4-201206251759.patch |
31 |
From: http://www.grsecurity.net |
32 |
Desc: hardened-sources base patch from upstream grsecurity |
33 |
|
34 |
@@ -20,27 +20,11 @@ Patch: 4440_grsec-remove-protected-paths.patch |
35 |
From: Anthony G. Basile <blueness@g.o> |
36 |
Desc: Removes chmod statements from grsecurity/Makefile |
37 |
|
38 |
-Patch: 4445_grsec-pax-without-grsec.patch |
39 |
-From: Gordon Malm <gengor@g.o> |
40 |
-Desc: Allows PaX features to be selected without enabling GRKERNSEC |
41 |
- |
42 |
Patch: 4450_grsec-kconfig-default-gids.patch |
43 |
From: Kerin Millar <kerframil@×××××.com> |
44 |
Desc: Sets sane(r) default GIDs on various grsecurity group-dependent |
45 |
features |
46 |
|
47 |
-Patch: 4455_grsec-kconfig-gentoo.patch |
48 |
-From: Gordon Malm <gengor@g.o> |
49 |
- Kerin Millar <kerframil@×××××.com> |
50 |
- Anthony G. Basile <blueness@g.o> |
51 |
-Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels, |
52 |
- sets Hardened Gentoo [workstation] as default |
53 |
- |
54 |
-Patch: 4460-grsec-kconfig-proc-user.patch |
55 |
-From: Anthony G. Basile <blueness@g.o> |
56 |
-Desc: Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually |
57 |
- exclusive to avoid bug #366019. |
58 |
- |
59 |
Patch: 4465_selinux-avc_audit-log-curr_ip.patch |
60 |
From: Gordon Malm <gengor@g.o> |
61 |
Anthony G. Basile <blueness@g.o> |
62 |
|
63 |
diff --git a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch |
64 |
similarity index 99% |
65 |
rename from 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch |
66 |
rename to 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch |
67 |
index 758a4c4..083b3e1 100644 |
68 |
--- a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206231147.patch |
69 |
+++ b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch |
70 |
@@ -7733,7 +7733,7 @@ index 706e12e..62e4feb 100644 |
71 |
config X86_MINIMUM_CPU_FAMILY |
72 |
int |
73 |
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug |
74 |
-index e46c214..7c72b55 100644 |
75 |
+index e46c214..ab62fd1 100644 |
76 |
--- a/arch/x86/Kconfig.debug |
77 |
+++ b/arch/x86/Kconfig.debug |
78 |
@@ -84,7 +84,7 @@ config X86_PTDUMP |
79 |
@@ -7754,6 +7754,15 @@ index e46c214..7c72b55 100644 |
80 |
---help--- |
81 |
This option helps catch unintended modifications to loadable |
82 |
kernel module's text and read-only data. It also prevents execution |
83 |
+@@ -275,7 +275,7 @@ config OPTIMIZE_INLINING |
84 |
+ |
85 |
+ config DEBUG_STRICT_USER_COPY_CHECKS |
86 |
+ bool "Strict copy size checks" |
87 |
+- depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING |
88 |
++ depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW |
89 |
+ ---help--- |
90 |
+ Enabling this option turns a certain set of sanity checks for user |
91 |
+ copy operations into compile time failures. |
92 |
diff --git a/arch/x86/Makefile b/arch/x86/Makefile |
93 |
index b1c611e..2c1a823 100644 |
94 |
--- a/arch/x86/Makefile |
95 |
@@ -49100,221 +49109,19 @@ index 3011b87..1ab03e9 100644 |
96 |
kfree(s); |
97 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
98 |
new file mode 100644 |
99 |
-index 0000000..2645296 |
100 |
+index 0000000..2d6e3a8 |
101 |
--- /dev/null |
102 |
+++ b/grsecurity/Kconfig |
103 |
-@@ -0,0 +1,1079 @@ |
104 |
+@@ -0,0 +1,915 @@ |
105 |
+# |
106 |
+# grecurity configuration |
107 |
+# |
108 |
-+ |
109 |
-+menu "Grsecurity" |
110 |
-+ |
111 |
-+config GRKERNSEC |
112 |
-+ bool "Grsecurity" |
113 |
-+ select CRYPTO |
114 |
-+ select CRYPTO_SHA256 |
115 |
-+ help |
116 |
-+ If you say Y here, you will be able to configure many features |
117 |
-+ that will enhance the security of your system. It is highly |
118 |
-+ recommended that you say Y here and read through the help |
119 |
-+ for each option so that you fully understand the features and |
120 |
-+ can evaluate their usefulness for your machine. |
121 |
-+ |
122 |
-+choice |
123 |
-+ prompt "Security Level" |
124 |
-+ depends on GRKERNSEC |
125 |
-+ default GRKERNSEC_CUSTOM |
126 |
-+ |
127 |
-+config GRKERNSEC_LOW |
128 |
-+ bool "Low" |
129 |
-+ select GRKERNSEC_LINK |
130 |
-+ select GRKERNSEC_FIFO |
131 |
-+ select GRKERNSEC_RANDNET |
132 |
-+ select GRKERNSEC_DMESG |
133 |
-+ select GRKERNSEC_CHROOT |
134 |
-+ select GRKERNSEC_CHROOT_CHDIR |
135 |
-+ |
136 |
-+ help |
137 |
-+ If you choose this option, several of the grsecurity options will |
138 |
-+ be enabled that will give you greater protection against a number |
139 |
-+ of attacks, while assuring that none of your software will have any |
140 |
-+ conflicts with the additional security measures. If you run a lot |
141 |
-+ of unusual software, or you are having problems with the higher |
142 |
-+ security levels, you should say Y here. With this option, the |
143 |
-+ following features are enabled: |
144 |
-+ |
145 |
-+ - Linking restrictions |
146 |
-+ - FIFO restrictions |
147 |
-+ - Restricted dmesg |
148 |
-+ - Enforced chdir("/") on chroot |
149 |
-+ - Runtime module disabling |
150 |
-+ |
151 |
-+config GRKERNSEC_MEDIUM |
152 |
-+ bool "Medium" |
153 |
-+ select PAX |
154 |
-+ select PAX_EI_PAX |
155 |
-+ select PAX_PT_PAX_FLAGS |
156 |
-+ select PAX_HAVE_ACL_FLAGS |
157 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
158 |
-+ select GRKERNSEC_CHROOT |
159 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
160 |
-+ select GRKERNSEC_LINK |
161 |
-+ select GRKERNSEC_FIFO |
162 |
-+ select GRKERNSEC_DMESG |
163 |
-+ select GRKERNSEC_RANDNET |
164 |
-+ select GRKERNSEC_FORKFAIL |
165 |
-+ select GRKERNSEC_TIME |
166 |
-+ select GRKERNSEC_SIGNAL |
167 |
-+ select GRKERNSEC_CHROOT |
168 |
-+ select GRKERNSEC_CHROOT_UNIX |
169 |
-+ select GRKERNSEC_CHROOT_MOUNT |
170 |
-+ select GRKERNSEC_CHROOT_PIVOT |
171 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
172 |
-+ select GRKERNSEC_CHROOT_CHDIR |
173 |
-+ select GRKERNSEC_CHROOT_MKNOD |
174 |
-+ select GRKERNSEC_PROC |
175 |
-+ select GRKERNSEC_PROC_USERGROUP |
176 |
-+ select PAX_RANDUSTACK |
177 |
-+ select PAX_ASLR |
178 |
-+ select PAX_RANDMMAP |
179 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
180 |
-+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB)) |
181 |
-+ |
182 |
-+ help |
183 |
-+ If you say Y here, several features in addition to those included |
184 |
-+ in the low additional security level will be enabled. These |
185 |
-+ features provide even more security to your system, though in rare |
186 |
-+ cases they may be incompatible with very old or poorly written |
187 |
-+ software. If you enable this option, make sure that your auth |
188 |
-+ service (identd) is running as gid 1001. With this option, |
189 |
-+ the following features (in addition to those provided in the |
190 |
-+ low additional security level) will be enabled: |
191 |
-+ |
192 |
-+ - Failed fork logging |
193 |
-+ - Time change logging |
194 |
-+ - Signal logging |
195 |
-+ - Deny mounts in chroot |
196 |
-+ - Deny double chrooting |
197 |
-+ - Deny sysctl writes in chroot |
198 |
-+ - Deny mknod in chroot |
199 |
-+ - Deny access to abstract AF_UNIX sockets out of chroot |
200 |
-+ - Deny pivot_root in chroot |
201 |
-+ - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port |
202 |
-+ - /proc restrictions with special GID set to 10 (usually wheel) |
203 |
-+ - Address Space Layout Randomization (ASLR) |
204 |
-+ - Prevent exploitation of most refcount overflows |
205 |
-+ - Bounds checking of copying between the kernel and userland |
206 |
-+ |
207 |
-+config GRKERNSEC_HIGH |
208 |
-+ bool "High" |
209 |
-+ select GRKERNSEC_LINK |
210 |
-+ select GRKERNSEC_FIFO |
211 |
-+ select GRKERNSEC_DMESG |
212 |
-+ select GRKERNSEC_FORKFAIL |
213 |
-+ select GRKERNSEC_TIME |
214 |
-+ select GRKERNSEC_SIGNAL |
215 |
-+ select GRKERNSEC_CHROOT |
216 |
-+ select GRKERNSEC_CHROOT_SHMAT |
217 |
-+ select GRKERNSEC_CHROOT_UNIX |
218 |
-+ select GRKERNSEC_CHROOT_MOUNT |
219 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
220 |
-+ select GRKERNSEC_CHROOT_PIVOT |
221 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
222 |
-+ select GRKERNSEC_CHROOT_CHDIR |
223 |
-+ select GRKERNSEC_CHROOT_MKNOD |
224 |
-+ select GRKERNSEC_CHROOT_CAPS |
225 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
226 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
227 |
-+ select GRKERNSEC_SYSFS_RESTRICT |
228 |
-+ select GRKERNSEC_PROC |
229 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
230 |
-+ select GRKERNSEC_HIDESYM |
231 |
-+ select GRKERNSEC_BRUTE |
232 |
-+ select GRKERNSEC_PROC_USERGROUP |
233 |
-+ select GRKERNSEC_KMEM |
234 |
-+ select GRKERNSEC_RESLOG |
235 |
-+ select GRKERNSEC_RANDNET |
236 |
-+ select GRKERNSEC_PROC_ADD |
237 |
-+ select GRKERNSEC_CHROOT_CHMOD |
238 |
-+ select GRKERNSEC_CHROOT_NICE |
239 |
-+ select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS) |
240 |
-+ select GRKERNSEC_AUDIT_MOUNT |
241 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
242 |
-+ select GRKERNSEC_HARDEN_PTRACE |
243 |
-+ select GRKERNSEC_PTRACE_READEXEC |
244 |
-+ select GRKERNSEC_VM86 if (X86_32) |
245 |
-+ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC) |
246 |
-+ select PAX |
247 |
-+ select PAX_RANDUSTACK |
248 |
-+ select PAX_ASLR |
249 |
-+ select PAX_RANDMMAP |
250 |
-+ select PAX_NOEXEC |
251 |
-+ select PAX_MPROTECT |
252 |
-+ select PAX_EI_PAX |
253 |
-+ select PAX_PT_PAX_FLAGS |
254 |
-+ select PAX_HAVE_ACL_FLAGS |
255 |
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
256 |
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN) |
257 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
258 |
-+ select PAX_SEGMEXEC if (X86_32) |
259 |
-+ select PAX_PAGEEXEC |
260 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
261 |
-+ select PAX_EMUTRAMP if (PARISC) |
262 |
-+ select PAX_EMUSIGRT if (PARISC) |
263 |
-+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) |
264 |
-+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) |
265 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
266 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
267 |
-+ help |
268 |
-+ If you say Y here, many of the features of grsecurity will be |
269 |
-+ enabled, which will protect you against many kinds of attacks |
270 |
-+ against your system. The heightened security comes at a cost |
271 |
-+ of an increased chance of incompatibilities with rare software |
272 |
-+ on your machine. Since this security level enables PaX, you should |
273 |
-+ view <http://pax.grsecurity.net> and read about the PaX |
274 |
-+ project. While you are there, download chpax and run it on |
275 |
-+ binaries that cause problems with PaX. Also remember that |
276 |
-+ since the /proc restrictions are enabled, you must run your |
277 |
-+ identd as gid 1001. This security level enables the following |
278 |
-+ features in addition to those listed in the low and medium |
279 |
-+ security levels: |
280 |
-+ |
281 |
-+ - Additional /proc restrictions |
282 |
-+ - Chmod restrictions in chroot |
283 |
-+ - No signals, ptrace, or viewing of processes outside of chroot |
284 |
-+ - Capability restrictions in chroot |
285 |
-+ - Deny fchdir out of chroot |
286 |
-+ - Priority restrictions in chroot |
287 |
-+ - Segmentation-based implementation of PaX |
288 |
-+ - Mprotect restrictions |
289 |
-+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat] |
290 |
-+ - Kernel stack randomization |
291 |
-+ - Mount/unmount/remount logging |
292 |
-+ - Kernel symbol hiding |
293 |
-+ - Hardening of module auto-loading |
294 |
-+ - Ptrace restrictions |
295 |
-+ - Restricted vm86 mode |
296 |
-+ - Restricted sysfs/debugfs |
297 |
-+ - Active kernel exploit response |
298 |
-+ |
299 |
-+config GRKERNSEC_CUSTOM |
300 |
-+ bool "Custom" |
301 |
-+ help |
302 |
-+ If you say Y here, you will be able to configure every grsecurity |
303 |
-+ option, which allows you to enable many more features that aren't |
304 |
-+ covered in the basic security levels. These additional features |
305 |
-+ include TPE, socket restrictions, and the sysctl system for |
306 |
-+ grsecurity. It is advised that you read through the help for |
307 |
-+ each option to determine its usefulness in your situation. |
308 |
-+ |
309 |
-+endchoice |
310 |
-+ |
311 |
+menu "Memory Protections" |
312 |
+depends on GRKERNSEC |
313 |
+ |
314 |
+config GRKERNSEC_KMEM |
315 |
+ bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port" |
316 |
++ default y if GRKERNSEC_CONFIG_AUTO |
317 |
+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390) |
318 |
+ help |
319 |
+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to |
320 |
@@ -49336,6 +49143,7 @@ index 0000000..2645296 |
321 |
+ |
322 |
+config GRKERNSEC_VM86 |
323 |
+ bool "Restrict VM86 mode" |
324 |
++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) |
325 |
+ depends on X86_32 |
326 |
+ |
327 |
+ help |
328 |
@@ -49349,6 +49157,7 @@ index 0000000..2645296 |
329 |
+ |
330 |
+config GRKERNSEC_IO |
331 |
+ bool "Disable privileged I/O" |
332 |
++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) |
333 |
+ depends on X86 |
334 |
+ select RTC_CLASS |
335 |
+ select RTC_INTF_DEV |
336 |
@@ -49368,7 +49177,7 @@ index 0000000..2645296 |
337 |
+ |
338 |
+config GRKERNSEC_PROC_MEMMAP |
339 |
+ bool "Harden ASLR against information leaks and entropy reduction" |
340 |
-+ default y if (PAX_NOEXEC || PAX_ASLR) |
341 |
++ default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR) |
342 |
+ depends on PAX_NOEXEC || PAX_ASLR |
343 |
+ help |
344 |
+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will |
345 |
@@ -49388,6 +49197,7 @@ index 0000000..2645296 |
346 |
+ |
347 |
+config GRKERNSEC_BRUTE |
348 |
+ bool "Deter exploit bruteforcing" |
349 |
++ default y if GRKERNSEC_CONFIG_AUTO |
350 |
+ help |
351 |
+ If you say Y here, attempts to bruteforce exploits against forking |
352 |
+ daemons such as apache or sshd, as well as against suid/sgid binaries |
353 |
@@ -49408,6 +49218,7 @@ index 0000000..2645296 |
354 |
+ |
355 |
+config GRKERNSEC_MODHARDEN |
356 |
+ bool "Harden module auto-loading" |
357 |
++ default y if GRKERNSEC_CONFIG_AUTO |
358 |
+ depends on MODULES |
359 |
+ help |
360 |
+ If you say Y here, module auto-loading in response to use of some |
361 |
@@ -49429,6 +49240,7 @@ index 0000000..2645296 |
362 |
+ |
363 |
+config GRKERNSEC_HIDESYM |
364 |
+ bool "Hide kernel symbols" |
365 |
++ default y if GRKERNSEC_CONFIG_AUTO |
366 |
+ help |
367 |
+ If you say Y here, getting information on loaded modules, and |
368 |
+ displaying all kernel symbols through a syscall will be restricted |
369 |
@@ -49454,11 +49266,12 @@ index 0000000..2645296 |
370 |
+ |
371 |
+config GRKERNSEC_KERN_LOCKOUT |
372 |
+ bool "Active kernel exploit response" |
373 |
++ default y if GRKERNSEC_CONFIG_AUTO |
374 |
+ depends on X86 || ARM || PPC || SPARC |
375 |
+ help |
376 |
+ If you say Y here, when a PaX alert is triggered due to suspicious |
377 |
+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY) |
378 |
-+ or an OOPs occurs due to bad memory accesses, instead of just |
379 |
++ or an OOPS occurs due to bad memory accesses, instead of just |
380 |
+ terminating the offending process (and potentially allowing |
381 |
+ a subsequent exploit from the same user), we will take one of two |
382 |
+ actions: |
383 |
@@ -49517,6 +49330,7 @@ index 0000000..2645296 |
384 |
+ |
385 |
+config GRKERNSEC_PROC |
386 |
+ bool "Proc restrictions" |
387 |
++ default y if GRKERNSEC_CONFIG_AUTO |
388 |
+ help |
389 |
+ If you say Y here, the permissions of the /proc filesystem |
390 |
+ will be altered to enhance system security and privacy. You MUST |
391 |
@@ -49538,6 +49352,7 @@ index 0000000..2645296 |
392 |
+ |
393 |
+config GRKERNSEC_PROC_USERGROUP |
394 |
+ bool "Allow special group" |
395 |
++ default y if GRKERNSEC_CONFIG_AUTO |
396 |
+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER |
397 |
+ help |
398 |
+ If you say Y here, you will be able to select a group that will be |
399 |
@@ -49553,6 +49368,7 @@ index 0000000..2645296 |
400 |
+ |
401 |
+config GRKERNSEC_PROC_ADD |
402 |
+ bool "Additional restrictions" |
403 |
++ default y if GRKERNSEC_CONFIG_AUTO |
404 |
+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP |
405 |
+ help |
406 |
+ If you say Y here, additional restrictions will be placed on |
407 |
@@ -49561,6 +49377,7 @@ index 0000000..2645296 |
408 |
+ |
409 |
+config GRKERNSEC_LINK |
410 |
+ bool "Linking restrictions" |
411 |
++ default y if GRKERNSEC_CONFIG_AUTO |
412 |
+ help |
413 |
+ If you say Y here, /tmp race exploits will be prevented, since users |
414 |
+ will no longer be able to follow symlinks owned by other users in |
415 |
@@ -49571,6 +49388,7 @@ index 0000000..2645296 |
416 |
+ |
417 |
+config GRKERNSEC_FIFO |
418 |
+ bool "FIFO restrictions" |
419 |
++ default y if GRKERNSEC_CONFIG_AUTO |
420 |
+ help |
421 |
+ If you say Y here, users will not be able to write to FIFOs they don't |
422 |
+ own in world-writable +t directories (e.g. /tmp), unless the owner of |
423 |
@@ -49580,6 +49398,7 @@ index 0000000..2645296 |
424 |
+ |
425 |
+config GRKERNSEC_SYSFS_RESTRICT |
426 |
+ bool "Sysfs/debugfs restriction" |
427 |
++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) |
428 |
+ depends on SYSFS |
429 |
+ help |
430 |
+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and |
431 |
@@ -49613,6 +49432,7 @@ index 0000000..2645296 |
432 |
+ |
433 |
+config GRKERNSEC_CHROOT |
434 |
+ bool "Chroot jail restrictions" |
435 |
++ default y if GRKERNSEC_CONFIG_AUTO |
436 |
+ help |
437 |
+ If you say Y here, you will be able to choose several options that will |
438 |
+ make breaking out of a chrooted jail much more difficult. If you |
439 |
@@ -49621,6 +49441,7 @@ index 0000000..2645296 |
440 |
+ |
441 |
+config GRKERNSEC_CHROOT_MOUNT |
442 |
+ bool "Deny mounts" |
443 |
++ default y if GRKERNSEC_CONFIG_AUTO |
444 |
+ depends on GRKERNSEC_CHROOT |
445 |
+ help |
446 |
+ If you say Y here, processes inside a chroot will not be able to |
447 |
@@ -49629,6 +49450,7 @@ index 0000000..2645296 |
448 |
+ |
449 |
+config GRKERNSEC_CHROOT_DOUBLE |
450 |
+ bool "Deny double-chroots" |
451 |
++ default y if GRKERNSEC_CONFIG_AUTO |
452 |
+ depends on GRKERNSEC_CHROOT |
453 |
+ help |
454 |
+ If you say Y here, processes inside a chroot will not be able to chroot |
455 |
@@ -49639,6 +49461,7 @@ index 0000000..2645296 |
456 |
+ |
457 |
+config GRKERNSEC_CHROOT_PIVOT |
458 |
+ bool "Deny pivot_root in chroot" |
459 |
++ default y if GRKERNSEC_CONFIG_AUTO |
460 |
+ depends on GRKERNSEC_CHROOT |
461 |
+ help |
462 |
+ If you say Y here, processes inside a chroot will not be able to use |
463 |
@@ -49651,6 +49474,7 @@ index 0000000..2645296 |
464 |
+ |
465 |
+config GRKERNSEC_CHROOT_CHDIR |
466 |
+ bool "Enforce chdir(\"/\") on all chroots" |
467 |
++ default y if GRKERNSEC_CONFIG_AUTO |
468 |
+ depends on GRKERNSEC_CHROOT |
469 |
+ help |
470 |
+ If you say Y here, the current working directory of all newly-chrooted |
471 |
@@ -49667,6 +49491,7 @@ index 0000000..2645296 |
472 |
+ |
473 |
+config GRKERNSEC_CHROOT_CHMOD |
474 |
+ bool "Deny (f)chmod +s" |
475 |
++ default y if GRKERNSEC_CONFIG_AUTO |
476 |
+ depends on GRKERNSEC_CHROOT |
477 |
+ help |
478 |
+ If you say Y here, processes inside a chroot will not be able to chmod |
479 |
@@ -49677,6 +49502,7 @@ index 0000000..2645296 |
480 |
+ |
481 |
+config GRKERNSEC_CHROOT_FCHDIR |
482 |
+ bool "Deny fchdir out of chroot" |
483 |
++ default y if GRKERNSEC_CONFIG_AUTO |
484 |
+ depends on GRKERNSEC_CHROOT |
485 |
+ help |
486 |
+ If you say Y here, a well-known method of breaking chroots by fchdir'ing |
487 |
@@ -49686,6 +49512,7 @@ index 0000000..2645296 |
488 |
+ |
489 |
+config GRKERNSEC_CHROOT_MKNOD |
490 |
+ bool "Deny mknod" |
491 |
++ default y if GRKERNSEC_CONFIG_AUTO |
492 |
+ depends on GRKERNSEC_CHROOT |
493 |
+ help |
494 |
+ If you say Y here, processes inside a chroot will not be allowed to |
495 |
@@ -49700,6 +49527,7 @@ index 0000000..2645296 |
496 |
+ |
497 |
+config GRKERNSEC_CHROOT_SHMAT |
498 |
+ bool "Deny shmat() out of chroot" |
499 |
++ default y if GRKERNSEC_CONFIG_AUTO |
500 |
+ depends on GRKERNSEC_CHROOT |
501 |
+ help |
502 |
+ If you say Y here, processes inside a chroot will not be able to attach |
503 |
@@ -49709,6 +49537,7 @@ index 0000000..2645296 |
504 |
+ |
505 |
+config GRKERNSEC_CHROOT_UNIX |
506 |
+ bool "Deny access to abstract AF_UNIX sockets out of chroot" |
507 |
++ default y if GRKERNSEC_CONFIG_AUTO |
508 |
+ depends on GRKERNSEC_CHROOT |
509 |
+ help |
510 |
+ If you say Y here, processes inside a chroot will not be able to |
511 |
@@ -49719,6 +49548,7 @@ index 0000000..2645296 |
512 |
+ |
513 |
+config GRKERNSEC_CHROOT_FINDTASK |
514 |
+ bool "Protect outside processes" |
515 |
++ default y if GRKERNSEC_CONFIG_AUTO |
516 |
+ depends on GRKERNSEC_CHROOT |
517 |
+ help |
518 |
+ If you say Y here, processes inside a chroot will not be able to |
519 |
@@ -49729,6 +49559,7 @@ index 0000000..2645296 |
520 |
+ |
521 |
+config GRKERNSEC_CHROOT_NICE |
522 |
+ bool "Restrict priority changes" |
523 |
++ default y if GRKERNSEC_CONFIG_AUTO |
524 |
+ depends on GRKERNSEC_CHROOT |
525 |
+ help |
526 |
+ If you say Y here, processes inside a chroot will not be able to raise |
527 |
@@ -49740,6 +49571,7 @@ index 0000000..2645296 |
528 |
+ |
529 |
+config GRKERNSEC_CHROOT_SYSCTL |
530 |
+ bool "Deny sysctl writes" |
531 |
++ default y if GRKERNSEC_CONFIG_AUTO |
532 |
+ depends on GRKERNSEC_CHROOT |
533 |
+ help |
534 |
+ If you say Y here, an attacker in a chroot will not be able to |
535 |
@@ -49750,6 +49582,7 @@ index 0000000..2645296 |
536 |
+ |
537 |
+config GRKERNSEC_CHROOT_CAPS |
538 |
+ bool "Capability restrictions" |
539 |
++ default y if GRKERNSEC_CONFIG_AUTO |
540 |
+ depends on GRKERNSEC_CHROOT |
541 |
+ help |
542 |
+ If you say Y here, the capabilities on all processes within a |
543 |
@@ -49792,6 +49625,7 @@ index 0000000..2645296 |
544 |
+ |
545 |
+config GRKERNSEC_RESLOG |
546 |
+ bool "Resource logging" |
547 |
++ default y if GRKERNSEC_CONFIG_AUTO |
548 |
+ help |
549 |
+ If you say Y here, all attempts to overstep resource limits will |
550 |
+ be logged with the resource name, the requested size, and the current |
551 |
@@ -49830,6 +49664,7 @@ index 0000000..2645296 |
552 |
+ |
553 |
+config GRKERNSEC_SIGNAL |
554 |
+ bool "Signal logging" |
555 |
++ default y if GRKERNSEC_CONFIG_AUTO |
556 |
+ help |
557 |
+ If you say Y here, certain important signals will be logged, such as |
558 |
+ SIGSEGV, which will as a result inform you of when a error in a program |
559 |
@@ -49847,6 +49682,7 @@ index 0000000..2645296 |
560 |
+ |
561 |
+config GRKERNSEC_TIME |
562 |
+ bool "Time change logging" |
563 |
++ default y if GRKERNSEC_CONFIG_AUTO |
564 |
+ help |
565 |
+ If you say Y here, any changes of the system clock will be logged. |
566 |
+ If the sysctl option is enabled, a sysctl option with name |
567 |
@@ -49854,6 +49690,7 @@ index 0000000..2645296 |
568 |
+ |
569 |
+config GRKERNSEC_PROC_IPADDR |
570 |
+ bool "/proc/<pid>/ipaddr support" |
571 |
++ default y if GRKERNSEC_CONFIG_AUTO |
572 |
+ help |
573 |
+ If you say Y here, a new entry will be added to each /proc/<pid> |
574 |
+ directory that contains the IP address of the person using the task. |
575 |
@@ -49865,6 +49702,7 @@ index 0000000..2645296 |
576 |
+ |
577 |
+config GRKERNSEC_RWXMAP_LOG |
578 |
+ bool 'Denied RWX mmap/mprotect logging' |
579 |
++ default y if GRKERNSEC_CONFIG_AUTO |
580 |
+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT |
581 |
+ help |
582 |
+ If you say Y here, calls to mmap() and mprotect() with explicit |
583 |
@@ -49893,6 +49731,7 @@ index 0000000..2645296 |
584 |
+ |
585 |
+config GRKERNSEC_DMESG |
586 |
+ bool "Dmesg(8) restriction" |
587 |
++ default y if GRKERNSEC_CONFIG_AUTO |
588 |
+ help |
589 |
+ If you say Y here, non-root users will not be able to use dmesg(8) |
590 |
+ to view up to the last 4kb of messages in the kernel's log buffer. |
591 |
@@ -49904,6 +49743,7 @@ index 0000000..2645296 |
592 |
+ |
593 |
+config GRKERNSEC_HARDEN_PTRACE |
594 |
+ bool "Deter ptrace-based process snooping" |
595 |
++ default y if GRKERNSEC_CONFIG_AUTO |
596 |
+ help |
597 |
+ If you say Y here, TTY sniffers and other malicious monitoring |
598 |
+ programs implemented through ptrace will be defeated. If you |
599 |
@@ -49920,6 +49760,7 @@ index 0000000..2645296 |
600 |
+ |
601 |
+config GRKERNSEC_PTRACE_READEXEC |
602 |
+ bool "Require read access to ptrace sensitive binaries" |
603 |
++ default y if GRKERNSEC_CONFIG_AUTO |
604 |
+ help |
605 |
+ If you say Y here, unprivileged users will not be able to ptrace unreadable |
606 |
+ binaries. This option is useful in environments that |
607 |
@@ -49933,6 +49774,7 @@ index 0000000..2645296 |
608 |
+ |
609 |
+config GRKERNSEC_SETXID |
610 |
+ bool "Enforce consistent multithreaded privileges" |
611 |
++ default y if GRKERNSEC_CONFIG_AUTO |
612 |
+ depends on (X86 || SPARC64 || PPC || ARM || MIPS) |
613 |
+ help |
614 |
+ If you say Y here, a change from a root uid to a non-root uid |
615 |
@@ -49947,6 +49789,7 @@ index 0000000..2645296 |
616 |
+ |
617 |
+config GRKERNSEC_TPE |
618 |
+ bool "Trusted Path Execution (TPE)" |
619 |
++ default y if GRKERNSEC_CONFIG_AUTO |
620 |
+ help |
621 |
+ If you say Y here, you will be able to choose a gid to add to the |
622 |
+ supplementary groups of users you want to mark as "untrusted." |
623 |
@@ -50003,6 +49846,7 @@ index 0000000..2645296 |
624 |
+ |
625 |
+config GRKERNSEC_RANDNET |
626 |
+ bool "Larger entropy pools" |
627 |
++ default y if GRKERNSEC_CONFIG_AUTO |
628 |
+ help |
629 |
+ If you say Y here, the entropy pools used for many features of Linux |
630 |
+ and grsecurity will be doubled in size. Since several grsecurity |
631 |
@@ -50012,6 +49856,7 @@ index 0000000..2645296 |
632 |
+ |
633 |
+config GRKERNSEC_BLACKHOLE |
634 |
+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention" |
635 |
++ default y if GRKERNSEC_CONFIG_AUTO |
636 |
+ depends on NET |
637 |
+ help |
638 |
+ If you say Y here, neither TCP resets nor ICMP |
639 |
@@ -50111,11 +49956,12 @@ index 0000000..2645296 |
640 |
+ option with name "socket_server_gid" is created. |
641 |
+ |
642 |
+endmenu |
643 |
-+menu "Sysctl support" |
644 |
++menu "Sysctl Support" |
645 |
+depends on GRKERNSEC && SYSCTL |
646 |
+ |
647 |
+config GRKERNSEC_SYSCTL |
648 |
+ bool "Sysctl support" |
649 |
++ default y if GRKERNSEC_CONFIG_AUTO |
650 |
+ help |
651 |
+ If you say Y here, you will be able to change the options that |
652 |
+ grsecurity runs with at bootup, without having to recompile your |
653 |
@@ -50146,6 +49992,7 @@ index 0000000..2645296 |
654 |
+ |
655 |
+config GRKERNSEC_SYSCTL_ON |
656 |
+ bool "Turn on features by default" |
657 |
++ default y if GRKERNSEC_CONFIG_AUTO |
658 |
+ depends on GRKERNSEC_SYSCTL |
659 |
+ help |
660 |
+ If you say Y here, instead of having all features enabled in the |
661 |
@@ -50181,8 +50028,6 @@ index 0000000..2645296 |
662 |
+ raise this value. |
663 |
+ |
664 |
+endmenu |
665 |
-+ |
666 |
-+endmenu |
667 |
diff --git a/grsecurity/Makefile b/grsecurity/Makefile |
668 |
new file mode 100644 |
669 |
index 0000000..1b9afa9 |
670 |
@@ -77757,14 +77602,197 @@ index 5c11312..72742b5 100644 |
671 |
write_hex_cnt = 0; |
672 |
for (i = 0; i < logo_clutsize; i++) { |
673 |
diff --git a/security/Kconfig b/security/Kconfig |
674 |
-index ccc61f8..5effdb4 100644 |
675 |
+index ccc61f8..3334dd6 100644 |
676 |
--- a/security/Kconfig |
677 |
+++ b/security/Kconfig |
678 |
-@@ -4,6 +4,640 @@ |
679 |
+@@ -4,6 +4,849 @@ |
680 |
|
681 |
menu "Security options" |
682 |
|
683 |
-+source grsecurity/Kconfig |
684 |
++menu "Grsecurity" |
685 |
++ |
686 |
++config GRKERNSEC |
687 |
++ bool "Grsecurity" |
688 |
++ select CRYPTO |
689 |
++ select CRYPTO_SHA256 |
690 |
++ help |
691 |
++ If you say Y here, you will be able to configure many features |
692 |
++ that will enhance the security of your system. It is highly |
693 |
++ recommended that you say Y here and read through the help |
694 |
++ for each option so that you fully understand the features and |
695 |
++ can evaluate their usefulness for your machine. |
696 |
++ |
697 |
++choice |
698 |
++ prompt "Configuration Method" |
699 |
++ depends on GRKERNSEC |
700 |
++ default GRKERNSEC_CONFIG_CUSTOM |
701 |
++ help |
702 |
++ |
703 |
++config GRKERNSEC_CONFIG_AUTO |
704 |
++ bool "Automatic" |
705 |
++ help |
706 |
++ If you choose this configuration method, you'll be able to answer a small |
707 |
++ number of simple questions about how you plan to use this kernel. |
708 |
++ The settings of grsecurity and PaX will be automatically configured for |
709 |
++ the highest commonly-used settings within the provided constraints. |
710 |
++ |
711 |
++ If you require additional configuration, custom changes can still be made |
712 |
++ from the "custom configuration" menu. |
713 |
++ |
714 |
++config GRKERNSEC_CONFIG_CUSTOM |
715 |
++ bool "Custom" |
716 |
++ help |
717 |
++ If you choose this configuration method, you'll be able to configure all |
718 |
++ grsecurity and PaX settings manually. Via this method, no options are |
719 |
++ automatically enabled. |
720 |
++ |
721 |
++endchoice |
722 |
++ |
723 |
++choice |
724 |
++ prompt "Usage Type" |
725 |
++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) |
726 |
++ default GRKERNSEC_CONFIG_SERVER |
727 |
++ help |
728 |
++ |
729 |
++config GRKERNSEC_CONFIG_SERVER |
730 |
++ bool "Server" |
731 |
++ help |
732 |
++ Choose this option if you plan to use this kernel on a server. |
733 |
++ |
734 |
++config GRKERNSEC_CONFIG_DESKTOP |
735 |
++ bool "Desktop" |
736 |
++ help |
737 |
++ Choose this option if you plan to use this kernel on a desktop. |
738 |
++ |
739 |
++endchoice |
740 |
++ |
741 |
++choice |
742 |
++ prompt "Virtualization Type" |
743 |
++ depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO) |
744 |
++ default GRKERNSEC_CONFIG_VIRT_NONE |
745 |
++ help |
746 |
++ |
747 |
++config GRKERNSEC_CONFIG_VIRT_NONE |
748 |
++ bool "None" |
749 |
++ help |
750 |
++ Choose this option if this kernel will be run on bare metal. |
751 |
++ |
752 |
++config GRKERNSEC_CONFIG_VIRT_GUEST |
753 |
++ bool "Guest" |
754 |
++ help |
755 |
++ Choose this option if this kernel will be run as a VM guest. |
756 |
++ |
757 |
++config GRKERNSEC_CONFIG_VIRT_HOST |
758 |
++ bool "Host" |
759 |
++ help |
760 |
++ Choose this option if this kernel will be run as a VM host. |
761 |
++ |
762 |
++endchoice |
763 |
++ |
764 |
++choice |
765 |
++ prompt "Virtualization Hardware" |
766 |
++ depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST)) |
767 |
++ help |
768 |
++ |
769 |
++config GRKERNSEC_CONFIG_VIRT_EPT |
770 |
++ bool "EPT/RVI Processor Support" |
771 |
++ depends on X86 |
772 |
++ help |
773 |
++ Choose this option if your CPU supports the EPT or RVI features of 2nd-gen |
774 |
++ hardware virtualization. This allows for additional kernel hardening protections |
775 |
++ to operate without additional performance impact. |
776 |
++ |
777 |
++ To see if your Intel processor supports EPT, see: |
778 |
++ http://ark.intel.com/Products/VirtualizationTechnology |
779 |
++ (Most Core i3/5/7 support EPT) |
780 |
++ |
781 |
++ To see if your AMD processor supports RVI, see: |
782 |
++ http://support.amd.com/us/kbarticles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx |
783 |
++ |
784 |
++config GRKERNSEC_CONFIG_VIRT_SOFT |
785 |
++ bool "First-gen/No Hardware Virtualization" |
786 |
++ help |
787 |
++ Choose this option if you use an Atom/Pentium/Core 2 processor that either doesn't |
788 |
++ support hardware virtualization or doesn't support the EPT/RVI extensions. |
789 |
++ |
790 |
++endchoice |
791 |
++ |
792 |
++choice |
793 |
++ prompt "Virtualization Software" |
794 |
++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST)) |
795 |
++ help |
796 |
++ |
797 |
++config GRKERNSEC_CONFIG_VIRT_XEN |
798 |
++ bool "Xen" |
799 |
++ help |
800 |
++ Choose this option if this kernel is running as a Xen guest or host. |
801 |
++ |
802 |
++config GRKERNSEC_CONFIG_VIRT_VMWARE |
803 |
++ bool "VMWare" |
804 |
++ help |
805 |
++ Choose this option if this kernel is running as a VMWare guest or host. |
806 |
++ |
807 |
++config GRKERNSEC_CONFIG_VIRT_KVM |
808 |
++ bool "KVM" |
809 |
++ help |
810 |
++ Choose this option if this kernel is running as a KVM guest or host. |
811 |
++ |
812 |
++config GRKERNSEC_CONFIG_VIRT_VIRTUALBOX |
813 |
++ bool "VirtualBox" |
814 |
++ help |
815 |
++ Choose this option if this kernel is running as a VirtualBox guest or host. |
816 |
++ |
817 |
++endchoice |
818 |
++ |
819 |
++choice |
820 |
++ prompt "Required Priorities" |
821 |
++ depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) |
822 |
++ default GRKERNSEC_CONFIG_PRIORITY_PERF |
823 |
++ help |
824 |
++ |
825 |
++config GRKERNSEC_CONFIG_PRIORITY_PERF |
826 |
++ bool "Performance" |
827 |
++ help |
828 |
++ Choose this option if performance is of highest priority for this deployment |
829 |
++ of grsecurity. Features like UDEREF on a 64bit kernel, kernel stack clearing, |
830 |
++ and freed memory sanitizing will be disabled. |
831 |
++ |
832 |
++config GRKERNSEC_CONFIG_PRIORITY_SECURITY |
833 |
++ bool "Security" |
834 |
++ help |
835 |
++ Choose this option if security is of highest priority for this deployment of |
836 |
++ grsecurity. UDEREF, kernel stack clearing, and freed memory sanitizing will |
837 |
++ be enabled for this kernel. In a worst-case scenario, these features can |
838 |
++ introduce a 20% performance hit (UDEREF on x64 contributing half of this hit). |
839 |
++ |
840 |
++endchoice |
841 |
++ |
842 |
++menu "Default Special Groups" |
843 |
++depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) |
844 |
++ |
845 |
++config GRKERNSEC_PROC_GID |
846 |
++ int "GID exempted from /proc restrictions" |
847 |
++ default 1001 |
848 |
++ help |
849 |
++ Setting this GID determines which group will be exempted from |
850 |
++ grsecurity's /proc restrictions, allowing users of the specified |
851 |
++ group to view network statistics and the existence of other users' |
852 |
++ processes on the system. |
853 |
++ |
854 |
++config GRKERNSEC_TPE_GID |
855 |
++ int "GID for untrusted users" |
856 |
++ default 1005 |
857 |
++ help |
858 |
++ Setting this GID determines which group untrusted users should |
859 |
++ be added to. These users will be placed under grsecurity's Trusted Path |
860 |
++ Execution mechanism, preventing them from executing their own binaries. |
861 |
++ The users will only be able to execute binaries in directories owned and |
862 |
++ writable only by the root user. |
863 |
++ |
864 |
++endmenu |
865 |
++ |
866 |
++menu "Customize Configuration" |
867 |
++depends on GRKERNSEC |
868 |
+ |
869 |
+menu "PaX" |
870 |
+ |
871 |
@@ -77789,6 +77817,7 @@ index ccc61f8..5effdb4 100644 |
872 |
+ |
873 |
+config PAX |
874 |
+ bool "Enable various PaX features" |
875 |
++ default y if GRKERNSEC_CONFIG_AUTO |
876 |
+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) |
877 |
+ help |
878 |
+ This allows you to enable various PaX features. PaX adds |
879 |
@@ -77812,6 +77841,7 @@ index ccc61f8..5effdb4 100644 |
880 |
+ |
881 |
+config PAX_EI_PAX |
882 |
+ bool 'Use legacy ELF header marking' |
883 |
++ default y if GRKERNSEC_CONFIG_AUTO |
884 |
+ help |
885 |
+ Enabling this option will allow you to control PaX features on |
886 |
+ a per executable basis via the 'chpax' utility available at |
887 |
@@ -77831,6 +77861,7 @@ index ccc61f8..5effdb4 100644 |
888 |
+ |
889 |
+config PAX_PT_PAX_FLAGS |
890 |
+ bool 'Use ELF program header marking' |
891 |
++ default y if GRKERNSEC_CONFIG_AUTO |
892 |
+ help |
893 |
+ Enabling this option will allow you to control PaX features on |
894 |
+ a per executable basis via the 'paxctl' utility available at |
895 |
@@ -77852,6 +77883,7 @@ index ccc61f8..5effdb4 100644 |
896 |
+ |
897 |
+config PAX_XATTR_PAX_FLAGS |
898 |
+ bool 'Use filesystem extended attributes marking' |
899 |
++ default y if GRKERNSEC_CONFIG_AUTO |
900 |
+ select CIFS_XATTR if CIFS |
901 |
+ select EXT2_FS_XATTR if EXT2_FS |
902 |
+ select EXT3_FS_XATTR if EXT3_FS |
903 |
@@ -77913,6 +77945,7 @@ index ccc61f8..5effdb4 100644 |
904 |
+ |
905 |
+config PAX_NOEXEC |
906 |
+ bool "Enforce non-executable pages" |
907 |
++ default y if GRKERNSEC_CONFIG_AUTO |
908 |
+ depends on ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86 |
909 |
+ help |
910 |
+ By design some architectures do not allow for protecting memory |
911 |
@@ -77941,6 +77974,7 @@ index ccc61f8..5effdb4 100644 |
912 |
+ |
913 |
+config PAX_PAGEEXEC |
914 |
+ bool "Paging based non-executable pages" |
915 |
++ default y if GRKERNSEC_CONFIG_AUTO |
916 |
+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7) |
917 |
+ select S390_SWITCH_AMODE if S390 |
918 |
+ select S390_EXEC_PROTECT if S390 |
919 |
@@ -77963,6 +77997,7 @@ index ccc61f8..5effdb4 100644 |
920 |
+ |
921 |
+config PAX_SEGMEXEC |
922 |
+ bool "Segmentation based non-executable pages" |
923 |
++ default y if GRKERNSEC_CONFIG_AUTO |
924 |
+ depends on PAX_NOEXEC && X86_32 |
925 |
+ help |
926 |
+ This implementation is based on the segmentation feature of the |
927 |
@@ -78029,6 +78064,7 @@ index ccc61f8..5effdb4 100644 |
928 |
+ |
929 |
+config PAX_MPROTECT |
930 |
+ bool "Restrict mprotect()" |
931 |
++ default y if GRKERNSEC_CONFIG_AUTO |
932 |
+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) |
933 |
+ help |
934 |
+ Enabling this option will prevent programs from |
935 |
@@ -78046,8 +78082,8 @@ index ccc61f8..5effdb4 100644 |
936 |
+ |
937 |
+config PAX_MPROTECT_COMPAT |
938 |
+ bool "Use legacy/compat protection demoting (read help)" |
939 |
++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP) |
940 |
+ depends on PAX_MPROTECT |
941 |
-+ default n |
942 |
+ help |
943 |
+ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects |
944 |
+ by sending the proper error code to the application. For some broken |
945 |
@@ -78122,6 +78158,7 @@ index ccc61f8..5effdb4 100644 |
946 |
+ |
947 |
+config PAX_KERNEXEC |
948 |
+ bool "Enforce non-executable kernel pages" |
949 |
++ default y if GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM)) |
950 |
+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN |
951 |
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) |
952 |
+ select PAX_KERNEXEC_PLUGIN if X86_64 |
953 |
@@ -78163,7 +78200,8 @@ index ccc61f8..5effdb4 100644 |
954 |
+ |
955 |
+config PAX_KERNEXEC_MODULE_TEXT |
956 |
+ int "Minimum amount of memory reserved for module code" |
957 |
-+ default "4" |
958 |
++ default "4" if (!GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_SERVER) |
959 |
++ default "12" if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP) |
960 |
+ depends on PAX_KERNEXEC && X86_32 && MODULES |
961 |
+ help |
962 |
+ Due to implementation details the kernel must reserve a fixed |
963 |
@@ -78188,6 +78226,7 @@ index ccc61f8..5effdb4 100644 |
964 |
+ |
965 |
+config PAX_ASLR |
966 |
+ bool "Address Space Layout Randomization" |
967 |
++ default y if GRKERNSEC_CONFIG_AUTO |
968 |
+ help |
969 |
+ Many if not most exploit techniques rely on the knowledge of |
970 |
+ certain addresses in the attacked program. The following options |
971 |
@@ -78217,6 +78256,7 @@ index ccc61f8..5effdb4 100644 |
972 |
+ |
973 |
+config PAX_RANDKSTACK |
974 |
+ bool "Randomize kernel stack base" |
975 |
++ default y if GRKERNSEC_CONFIG_AUTO |
976 |
+ depends on X86_TSC && X86 |
977 |
+ help |
978 |
+ By saying Y here the kernel will randomize every task's kernel |
979 |
@@ -78231,6 +78271,7 @@ index ccc61f8..5effdb4 100644 |
980 |
+ |
981 |
+config PAX_RANDUSTACK |
982 |
+ bool "Randomize user stack base" |
983 |
++ default y if GRKERNSEC_CONFIG_AUTO |
984 |
+ depends on PAX_ASLR |
985 |
+ help |
986 |
+ By saying Y here the kernel will randomize every task's userland |
987 |
@@ -78243,6 +78284,7 @@ index ccc61f8..5effdb4 100644 |
988 |
+ |
989 |
+config PAX_RANDMMAP |
990 |
+ bool "Randomize mmap() base" |
991 |
++ default y if GRKERNSEC_CONFIG_AUTO |
992 |
+ depends on PAX_ASLR |
993 |
+ help |
994 |
+ By saying Y here the kernel will use a randomized base address for |
995 |
@@ -78269,6 +78311,7 @@ index ccc61f8..5effdb4 100644 |
996 |
+ |
997 |
+config PAX_MEMORY_SANITIZE |
998 |
+ bool "Sanitize all freed memory" |
999 |
++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) |
1000 |
+ depends on !HIBERNATION |
1001 |
+ help |
1002 |
+ By saying Y here the kernel will erase memory pages as soon as they |
1003 |
@@ -78291,6 +78334,7 @@ index ccc61f8..5effdb4 100644 |
1004 |
+ |
1005 |
+config PAX_MEMORY_STACKLEAK |
1006 |
+ bool "Sanitize kernel stack" |
1007 |
++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) |
1008 |
+ depends on X86 |
1009 |
+ help |
1010 |
+ By saying Y here the kernel will erase the kernel stack before it |
1011 |
@@ -78315,6 +78359,7 @@ index ccc61f8..5effdb4 100644 |
1012 |
+ |
1013 |
+config PAX_MEMORY_UDEREF |
1014 |
+ bool "Prevent invalid userland pointer dereference" |
1015 |
++ default y if GRKERNSEC_CONFIG_AUTO && (X86_32 || (X86_64 && GRKERNSEC_CONFIG_PRIORITY_SECURITY)) && (GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT) |
1016 |
+ depends on X86 && !UML_X86 && !XEN |
1017 |
+ select PAX_PER_CPU_PGD if X86_64 |
1018 |
+ help |
1019 |
@@ -78334,6 +78379,7 @@ index ccc61f8..5effdb4 100644 |
1020 |
+ |
1021 |
+config PAX_REFCOUNT |
1022 |
+ bool "Prevent various kernel object reference counter overflows" |
1023 |
++ default y if GRKERNSEC_CONFIG_AUTO |
1024 |
+ depends on GRKERNSEC && ((ARM && (CPU_32v6 || CPU_32v6K || CPU_32v7)) || SPARC64 || X86) |
1025 |
+ help |
1026 |
+ By saying Y here the kernel will detect and prevent overflowing |
1027 |
@@ -78353,6 +78399,7 @@ index ccc61f8..5effdb4 100644 |
1028 |
+ |
1029 |
+config PAX_USERCOPY |
1030 |
+ bool "Harden heap object copies between kernel and userland" |
1031 |
++ default y if GRKERNSEC_CONFIG_AUTO |
1032 |
+ depends on X86 || PPC || SPARC || ARM |
1033 |
+ depends on GRKERNSEC && (SLAB || SLUB || SLOB) |
1034 |
+ help |
1035 |
@@ -78382,6 +78429,7 @@ index ccc61f8..5effdb4 100644 |
1036 |
+ |
1037 |
+config PAX_SIZE_OVERFLOW |
1038 |
+ bool "Prevent various integer overflows in function size parameters" |
1039 |
++ default y if GRKERNSEC_CONFIG_AUTO |
1040 |
+ depends on X86 |
1041 |
+ help |
1042 |
+ By saying Y here the kernel recomputes expressions of function |
1043 |
@@ -78398,10 +78446,16 @@ index ccc61f8..5effdb4 100644 |
1044 |
+ |
1045 |
+endmenu |
1046 |
+ |
1047 |
++source grsecurity/Kconfig |
1048 |
++ |
1049 |
++endmenu |
1050 |
++ |
1051 |
++endmenu |
1052 |
++ |
1053 |
config KEYS |
1054 |
bool "Enable access key retention support" |
1055 |
help |
1056 |
-@@ -169,7 +803,7 @@ config INTEL_TXT |
1057 |
+@@ -169,7 +1012,7 @@ config INTEL_TXT |
1058 |
config LSM_MMAP_MIN_ADDR |
1059 |
int "Low address space for LSM to protect from user allocation" |
1060 |
depends on SECURITY && SECURITY_SELINUX |
1061 |
|
1062 |
diff --git a/3.4.4/4445_grsec-pax-without-grsec.patch b/3.4.4/4445_grsec-pax-without-grsec.patch |
1063 |
deleted file mode 100644 |
1064 |
index 35255c2..0000000 |
1065 |
--- a/3.4.4/4445_grsec-pax-without-grsec.patch |
1066 |
+++ /dev/null |
1067 |
@@ -1,91 +0,0 @@ |
1068 |
-ny G. Basile <blueness@g.o> |
1069 |
- |
1070 |
-With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and |
1071 |
-pax_report_om_user in fs/exec.c were consolidated into pax_report_usercopy. |
1072 |
-This patch has been updated to reflect that change. |
1073 |
- |
1074 |
-With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn. |
1075 |
-This patch has been updated to reflect that change. |
1076 |
--- |
1077 |
-From: Jory Pratt <anarchy@g.o> |
1078 |
-Updated patch for kernel 2.6.32 |
1079 |
- |
1080 |
-The credits/description from the original version of this patch remain accurate |
1081 |
-and are included below. |
1082 |
--- |
1083 |
-From: Gordon Malm <gengor@g.o> |
1084 |
- |
1085 |
-Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC. |
1086 |
- |
1087 |
-This patch has been updated to keep current with newer kernel versions. |
1088 |
-The original version of this patch contained no credits/description. |
1089 |
- |
1090 |
-diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c |
1091 |
---- a/arch/x86/mm/fault.c 2011-04-17 19:05:03.000000000 -0400 |
1092 |
-+++ a/arch/x86/mm/fault.c 2011-04-17 19:20:30.000000000 -0400 |
1093 |
-@@ -657,10 +657,12 @@ |
1094 |
- |
1095 |
- #ifdef CONFIG_PAX_KERNEXEC |
1096 |
- if (init_mm.start_code <= address && address < init_mm.end_code) { |
1097 |
-+#ifdef CONFIG_GRKERNSEC |
1098 |
- if (current->signal->curr_ip) |
1099 |
- printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", |
1100 |
- ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); |
1101 |
- else |
1102 |
-+#endif |
1103 |
- printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", |
1104 |
- current->comm, task_pid_nr(current), current_uid(), current_euid()); |
1105 |
- } |
1106 |
-diff -Naur a/fs/exec.c b/fs/exec.c |
1107 |
---- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400 |
1108 |
-+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400 |
1109 |
-@@ -2052,9 +2052,11 @@ |
1110 |
- } |
1111 |
- up_read(&mm->mmap_sem); |
1112 |
- } |
1113 |
-+#ifdef CONFIG_GRKERNSEC |
1114 |
- if (tsk->signal->curr_ip) |
1115 |
- printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset); |
1116 |
- else |
1117 |
-+#endif |
1118 |
- printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); |
1119 |
- printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " |
1120 |
- "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), |
1121 |
-@@ -2069,10 +2071,12 @@ |
1122 |
- #ifdef CONFIG_PAX_REFCOUNT |
1123 |
- void pax_report_refcount_overflow(struct pt_regs *regs) |
1124 |
- { |
1125 |
-+#ifdef CONFIG_GRKERNSEC |
1126 |
- if (current->signal->curr_ip) |
1127 |
- printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", |
1128 |
- ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); |
1129 |
- else |
1130 |
-+#endif |
1131 |
- printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", |
1132 |
- current->comm, task_pid_nr(current), current_uid(), current_euid()); |
1133 |
- print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); |
1134 |
-@@ -2131,10 +2135,12 @@ |
1135 |
- |
1136 |
- __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) |
1137 |
- { |
1138 |
-+#ifdef CONFIG_GRKERNSEC |
1139 |
- if (current->signal->curr_ip) |
1140 |
- printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", |
1141 |
- ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); |
1142 |
- else |
1143 |
-+#endif |
1144 |
- printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", |
1145 |
- to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); |
1146 |
- dump_stack(); |
1147 |
-diff -Naur a/security/Kconfig b/security/Kconfig |
1148 |
---- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400 |
1149 |
-+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400 |
1150 |
-@@ -29,7 +29,7 @@ |
1151 |
- |
1152 |
- config PAX |
1153 |
- bool "Enable various PaX features" |
1154 |
-- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) |
1155 |
-+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) |
1156 |
- help |
1157 |
- This allows you to enable various PaX features. PaX adds |
1158 |
- intrusion prevention mechanisms to the kernel that reduce |
1159 |
|
1160 |
diff --git a/3.4.4/4450_grsec-kconfig-default-gids.patch b/3.4.4/4450_grsec-kconfig-default-gids.patch |
1161 |
index 123f877..a728d1a 100644 |
1162 |
--- a/3.4.4/4450_grsec-kconfig-default-gids.patch |
1163 |
+++ b/3.4.4/4450_grsec-kconfig-default-gids.patch |
1164 |
@@ -1,3 +1,7 @@ |
1165 |
+From: Anthony G. Basile <blueness@g.o> |
1166 |
+Updated patch for the new Kconfig system for >=3.4.4 |
1167 |
+ |
1168 |
+--- |
1169 |
From: Kerin Millar <kerframil@×××××.com> |
1170 |
|
1171 |
grsecurity contains a number of options which allow certain protections |
1172 |
@@ -9,19 +13,10 @@ attention to the finer points of kernel configuration, it is probably |
1173 |
wise to specify some reasonable defaults so as to stop careless users |
1174 |
from shooting themselves in the foot. |
1175 |
|
1176 |
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1177 |
---- a/grsecurity/Kconfig 2011-12-12 16:54:30.000000000 -0500 |
1178 |
-+++ b/grsecurity/Kconfig 2011-12-12 16:55:09.000000000 -0500 |
1179 |
-@@ -443,7 +443,7 @@ |
1180 |
- config GRKERNSEC_PROC_GID |
1181 |
- int "GID for special group" |
1182 |
- depends on GRKERNSEC_PROC_USERGROUP |
1183 |
-- default 1001 |
1184 |
-+ default 10 |
1185 |
- |
1186 |
- config GRKERNSEC_PROC_ADD |
1187 |
- bool "Additional restrictions" |
1188 |
-@@ -671,7 +671,7 @@ |
1189 |
+diff -Nuar a/grsecurity/Kconfig b/Kconfig |
1190 |
+--- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400 |
1191 |
++++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400 |
1192 |
+@@ -495,7 +495,7 @@ |
1193 |
config GRKERNSEC_AUDIT_GID |
1194 |
int "GID for auditing" |
1195 |
depends on GRKERNSEC_AUDIT_GROUP |
1196 |
@@ -30,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1197 |
|
1198 |
config GRKERNSEC_EXECLOG |
1199 |
bool "Exec logging" |
1200 |
-@@ -875,7 +875,7 @@ |
1201 |
+@@ -710,7 +710,7 @@ |
1202 |
config GRKERNSEC_TPE_GID |
1203 |
int "GID for untrusted users" |
1204 |
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT |
1205 |
@@ -39,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1206 |
help |
1207 |
Setting this GID determines what group TPE restrictions will be |
1208 |
*enabled* for. If the sysctl option is enabled, a sysctl option |
1209 |
-@@ -884,7 +884,7 @@ |
1210 |
+@@ -719,7 +719,7 @@ |
1211 |
config GRKERNSEC_TPE_GID |
1212 |
int "GID for trusted users" |
1213 |
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT |
1214 |
@@ -48,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1215 |
help |
1216 |
Setting this GID determines what group TPE restrictions will be |
1217 |
*disabled* for. If the sysctl option is enabled, a sysctl option |
1218 |
-@@ -957,7 +957,7 @@ |
1219 |
+@@ -794,7 +794,7 @@ |
1220 |
config GRKERNSEC_SOCKET_ALL_GID |
1221 |
int "GID to deny all sockets for" |
1222 |
depends on GRKERNSEC_SOCKET_ALL |
1223 |
@@ -57,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1224 |
help |
1225 |
Here you can choose the GID to disable socket access for. Remember to |
1226 |
add the users you want socket access disabled for to the GID |
1227 |
-@@ -978,7 +978,7 @@ |
1228 |
+@@ -815,7 +815,7 @@ |
1229 |
config GRKERNSEC_SOCKET_CLIENT_GID |
1230 |
int "GID to deny client sockets for" |
1231 |
depends on GRKERNSEC_SOCKET_CLIENT |
1232 |
@@ -66,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1233 |
help |
1234 |
Here you can choose the GID to disable client socket access for. |
1235 |
Remember to add the users you want client socket access disabled for to |
1236 |
-@@ -996,7 +996,7 @@ |
1237 |
+@@ -833,7 +833,7 @@ |
1238 |
config GRKERNSEC_SOCKET_SERVER_GID |
1239 |
int "GID to deny server sockets for" |
1240 |
depends on GRKERNSEC_SOCKET_SERVER |
1241 |
@@ -75,3 +70,24 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1242 |
help |
1243 |
Here you can choose the GID to disable server socket access for. |
1244 |
Remember to add the users you want server socket access disabled for to |
1245 |
+diff -Nuar a/security/Kconfig b/security/Kconfig |
1246 |
+--- a/security/Kconfig 2012-07-01 12:51:41.000000000 -0400 |
1247 |
++++ b/security/Kconfig 2012-07-01 13:00:23.000000000 -0400 |
1248 |
+@@ -167,7 +167,7 @@ |
1249 |
+ |
1250 |
+ config GRKERNSEC_PROC_GID |
1251 |
+ int "GID exempted from /proc restrictions" |
1252 |
+- default 1001 |
1253 |
++ default 10 |
1254 |
+ help |
1255 |
+ Setting this GID determines which group will be exempted from |
1256 |
+ grsecurity's /proc restrictions, allowing users of the specified |
1257 |
+@@ -176,7 +176,7 @@ |
1258 |
+ |
1259 |
+ config GRKERNSEC_TPE_GID |
1260 |
+ int "GID for untrusted users" |
1261 |
+- default 1005 |
1262 |
++ default 100 |
1263 |
+ help |
1264 |
+ Setting this GID determines which group untrusted users should |
1265 |
+ be added to. These users will be placed under grsecurity's Trusted Path |
1266 |
|
1267 |
diff --git a/3.4.4/4455_grsec-kconfig-gentoo.patch b/3.4.4/4455_grsec-kconfig-gentoo.patch |
1268 |
deleted file mode 100644 |
1269 |
index b9dc3e5..0000000 |
1270 |
--- a/3.4.4/4455_grsec-kconfig-gentoo.patch |
1271 |
+++ /dev/null |
1272 |
@@ -1,357 +0,0 @@ |
1273 |
-From: Anthony G. Basile <blueness@g.o> |
1274 |
-From: Gordon Malm <gengor@g.o> |
1275 |
-From: Jory A. Pratt <anarchy@g.o> |
1276 |
-From: Kerin Millar <kerframil@×××××.com> |
1277 |
- |
1278 |
-Add Hardened Gentoo [server/workstation] predefined grsecurity |
1279 |
-levels. They're designed to provide a comparitively high level of |
1280 |
-security while remaining generally suitable for as great a majority |
1281 |
-of the userbase as possible (particularly new users). |
1282 |
- |
1283 |
-Make Hardened Gentoo [workstation] predefined grsecurity level the |
1284 |
-default. The Hardened Gentoo [server] level is more restrictive |
1285 |
-and conflicts with some software and thus would be less suitable. |
1286 |
- |
1287 |
-The original version of this patch was conceived and created by: |
1288 |
-Ned Ludd <solar@g.o> |
1289 |
- |
1290 |
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1291 |
---- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 |
1292 |
-+++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 |
1293 |
-@@ -18,7 +18,7 @@ |
1294 |
- choice |
1295 |
- prompt "Security Level" |
1296 |
- depends on GRKERNSEC |
1297 |
-- default GRKERNSEC_CUSTOM |
1298 |
-+ default GRKERNSEC_HARDENED_WORKSTATION |
1299 |
- |
1300 |
- config GRKERNSEC_LOW |
1301 |
- bool "Low" |
1302 |
-@@ -192,6 +192,262 @@ |
1303 |
- - Restricted sysfs/debugfs |
1304 |
- - Active kernel exploit response |
1305 |
- |
1306 |
-+config GRKERNSEC_HARDENED_SERVER |
1307 |
-+ bool "Hardened Gentoo [server]" |
1308 |
-+ select GRKERNSEC_LINK |
1309 |
-+ select GRKERNSEC_FIFO |
1310 |
-+ select GRKERNSEC_DMESG |
1311 |
-+ select GRKERNSEC_FORKFAIL |
1312 |
-+ select GRKERNSEC_TIME |
1313 |
-+ select GRKERNSEC_SIGNAL |
1314 |
-+ select GRKERNSEC_CHROOT |
1315 |
-+ select GRKERNSEC_CHROOT_SHMAT |
1316 |
-+ select GRKERNSEC_CHROOT_UNIX |
1317 |
-+ select GRKERNSEC_CHROOT_MOUNT |
1318 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
1319 |
-+ select GRKERNSEC_CHROOT_PIVOT |
1320 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
1321 |
-+ select GRKERNSEC_CHROOT_CHDIR |
1322 |
-+ select GRKERNSEC_CHROOT_MKNOD |
1323 |
-+ select GRKERNSEC_CHROOT_CAPS |
1324 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
1325 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
1326 |
-+ select GRKERNSEC_SYSFS_RESTRICT |
1327 |
-+ select GRKERNSEC_PROC |
1328 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
1329 |
-+ select GRKERNSEC_HIDESYM |
1330 |
-+ select GRKERNSEC_BRUTE |
1331 |
-+ select GRKERNSEC_PROC_USERGROUP |
1332 |
-+ select GRKERNSEC_KMEM |
1333 |
-+ select GRKERNSEC_RESLOG |
1334 |
-+ select GRKERNSEC_AUDIT_PTRACE |
1335 |
-+ select GRKERNSEC_RANDNET |
1336 |
-+ select GRKERNSEC_PROC_ADD |
1337 |
-+ select GRKERNSEC_CHROOT_CHMOD |
1338 |
-+ select GRKERNSEC_CHROOT_NICE |
1339 |
-+ select GRKERNSEC_AUDIT_MOUNT |
1340 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
1341 |
-+ select GRKERNSEC_HARDEN_PTRACE |
1342 |
-+ select GRKERNSEC_PTRACE_READEXEC |
1343 |
-+ select GRKERNSEC_SETXID |
1344 |
-+ select GRKERNSEC_VM86 if (X86_32) |
1345 |
-+ select GRKERNSEC_IO |
1346 |
-+ select GRKERNSEC_PROC_IPADDR |
1347 |
-+ select GRKERNSEC_RWXMAP_LOG |
1348 |
-+ select GRKERNSEC_SYSCTL |
1349 |
-+ select GRKERNSEC_SYSCTL_ON |
1350 |
-+ select PAX |
1351 |
-+ select PAX_ASLR |
1352 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
1353 |
-+ select PAX_RANDUSTACK |
1354 |
-+ select PAX_RANDMMAP |
1355 |
-+ select PAX_NOEXEC |
1356 |
-+ select PAX_MPROTECT |
1357 |
-+ select PAX_EI_PAX |
1358 |
-+ select PAX_PT_PAX_FLAGS |
1359 |
-+ select PAX_HAVE_ACL_FLAGS |
1360 |
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
1361 |
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN) |
1362 |
-+ select PAX_SEGMEXEC if (X86_32) |
1363 |
-+ select PAX_PAGEEXEC |
1364 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
1365 |
-+ select PAX_EMUTRAMP if (PARISC) |
1366 |
-+ select PAX_EMUSIGRT if (PARISC) |
1367 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
1368 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
1369 |
-+ select PAX_MEMORY_SANITIZE |
1370 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
1371 |
-+ help |
1372 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
1373 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
1374 |
-+ These pre-defined security levels are designed to provide a high |
1375 |
-+ level of security while minimizing incompatibilities with a majority |
1376 |
-+ of Gentoo's available software. |
1377 |
-+ |
1378 |
-+ This "Hardened Gentoo [server]" level is identical to the |
1379 |
-+ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, |
1380 |
-+ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred |
1381 |
-+ security level if the system will not be utilizing software incompatible |
1382 |
-+ with these features. |
1383 |
-+ |
1384 |
-+ When this level is selected, some security features will be forced on, |
1385 |
-+ while others will default to their suggested values of off or on. The |
1386 |
-+ later can be tweaked at the user's discretion, but may cause problems |
1387 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
1388 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
1389 |
-+ inherit the options selected by this security level as a starting point. |
1390 |
-+ To accomplish this, select this security level, then exit the menuconfig |
1391 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
1392 |
-+ select the "Custom" level. |
1393 |
-+ |
1394 |
-+config GRKERNSEC_HARDENED_WORKSTATION |
1395 |
-+ bool "Hardened Gentoo [workstation]" |
1396 |
-+ select GRKERNSEC_LINK |
1397 |
-+ select GRKERNSEC_FIFO |
1398 |
-+ select GRKERNSEC_DMESG |
1399 |
-+ select GRKERNSEC_FORKFAIL |
1400 |
-+ select GRKERNSEC_TIME |
1401 |
-+ select GRKERNSEC_SIGNAL |
1402 |
-+ select GRKERNSEC_CHROOT |
1403 |
-+ select GRKERNSEC_CHROOT_SHMAT |
1404 |
-+ select GRKERNSEC_CHROOT_UNIX |
1405 |
-+ select GRKERNSEC_CHROOT_MOUNT |
1406 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
1407 |
-+ select GRKERNSEC_CHROOT_PIVOT |
1408 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
1409 |
-+ select GRKERNSEC_CHROOT_CHDIR |
1410 |
-+ select GRKERNSEC_CHROOT_MKNOD |
1411 |
-+ select GRKERNSEC_CHROOT_CAPS |
1412 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
1413 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
1414 |
-+ select GRKERNSEC_PROC |
1415 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
1416 |
-+ select GRKERNSEC_HIDESYM |
1417 |
-+ select GRKERNSEC_BRUTE |
1418 |
-+ select GRKERNSEC_PROC_USERGROUP |
1419 |
-+ select GRKERNSEC_KMEM |
1420 |
-+ select GRKERNSEC_RESLOG |
1421 |
-+ select GRKERNSEC_AUDIT_PTRACE |
1422 |
-+ select GRKERNSEC_RANDNET |
1423 |
-+ select GRKERNSEC_CHROOT_CHMOD |
1424 |
-+ select GRKERNSEC_CHROOT_NICE |
1425 |
-+ select GRKERNSEC_AUDIT_MOUNT |
1426 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
1427 |
-+ select GRKERNSEC_HARDEN_PTRACE |
1428 |
-+ select GRKERNSEC_PTRACE_READEXEC |
1429 |
-+ select GRKERNSEC_SETXID |
1430 |
-+ select GRKERNSEC_VM86 if (X86_32) |
1431 |
-+ select GRKERNSEC_PROC_IPADDR |
1432 |
-+ select GRKERNSEC_RWXMAP_LOG |
1433 |
-+ select GRKERNSEC_SYSCTL |
1434 |
-+ select GRKERNSEC_SYSCTL_ON |
1435 |
-+ select PAX |
1436 |
-+ select PAX_ASLR |
1437 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
1438 |
-+ select PAX_RANDUSTACK |
1439 |
-+ select PAX_RANDMMAP |
1440 |
-+ select PAX_NOEXEC |
1441 |
-+ select PAX_MPROTECT |
1442 |
-+ select PAX_EI_PAX |
1443 |
-+ select PAX_PT_PAX_FLAGS |
1444 |
-+ select PAX_HAVE_ACL_FLAGS |
1445 |
-+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
1446 |
-+ select PAX_MEMORY_UDEREF if (X86 && !XEN) |
1447 |
-+ select PAX_SEGMEXEC if (X86_32) |
1448 |
-+ select PAX_PAGEEXEC |
1449 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
1450 |
-+ select PAX_EMUTRAMP if (PARISC) |
1451 |
-+ select PAX_EMUSIGRT if (PARISC) |
1452 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
1453 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
1454 |
-+ select PAX_MEMORY_SANITIZE |
1455 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
1456 |
-+ help |
1457 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
1458 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
1459 |
-+ These pre-defined security levels are designed to provide a high |
1460 |
-+ level of security while minimizing incompatibilities with a majority |
1461 |
-+ of Gentoo's available software. |
1462 |
-+ |
1463 |
-+ This "Hardened Gentoo [workstation]" level is identical to the |
1464 |
-+ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and |
1465 |
-+ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred |
1466 |
-+ security level if the system will be utilizing software incompatible |
1467 |
-+ with these features. |
1468 |
-+ |
1469 |
-+ When this level is selected, some security features will be forced on, |
1470 |
-+ while others will default to their suggested values of off or on. The |
1471 |
-+ later can be tweaked at the user's discretion, but may cause problems |
1472 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
1473 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
1474 |
-+ inherit the options selected by this security level as a starting point. |
1475 |
-+ To accomplish this, select this security level, then exit the menuconfig |
1476 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
1477 |
-+ select the "Custom" level. |
1478 |
-+ |
1479 |
-+config GRKERNSEC_HARDENED_VIRTUALIZATION |
1480 |
-+ bool "Hardened Gentoo [virtualization]" |
1481 |
-+ select GRKERNSEC_LINK |
1482 |
-+ select GRKERNSEC_FIFO |
1483 |
-+ select GRKERNSEC_DMESG |
1484 |
-+ select GRKERNSEC_FORKFAIL |
1485 |
-+ select GRKERNSEC_TIME |
1486 |
-+ select GRKERNSEC_SIGNAL |
1487 |
-+ select GRKERNSEC_CHROOT |
1488 |
-+ select GRKERNSEC_CHROOT_SHMAT |
1489 |
-+ select GRKERNSEC_CHROOT_UNIX |
1490 |
-+ select GRKERNSEC_CHROOT_MOUNT |
1491 |
-+ select GRKERNSEC_CHROOT_FCHDIR |
1492 |
-+ select GRKERNSEC_CHROOT_PIVOT |
1493 |
-+ select GRKERNSEC_CHROOT_DOUBLE |
1494 |
-+ select GRKERNSEC_CHROOT_CHDIR |
1495 |
-+ select GRKERNSEC_CHROOT_MKNOD |
1496 |
-+ select GRKERNSEC_CHROOT_CAPS |
1497 |
-+ select GRKERNSEC_CHROOT_SYSCTL |
1498 |
-+ select GRKERNSEC_CHROOT_FINDTASK |
1499 |
-+ select GRKERNSEC_PROC |
1500 |
-+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) |
1501 |
-+ select GRKERNSEC_HIDESYM |
1502 |
-+ select GRKERNSEC_BRUTE |
1503 |
-+ select GRKERNSEC_PROC_USERGROUP |
1504 |
-+ select GRKERNSEC_KMEM |
1505 |
-+ select GRKERNSEC_RESLOG |
1506 |
-+ select GRKERNSEC_AUDIT_PTRACE |
1507 |
-+ select GRKERNSEC_RANDNET |
1508 |
-+ select GRKERNSEC_CHROOT_CHMOD |
1509 |
-+ select GRKERNSEC_CHROOT_NICE |
1510 |
-+ select GRKERNSEC_AUDIT_MOUNT |
1511 |
-+ select GRKERNSEC_MODHARDEN if (MODULES) |
1512 |
-+ select GRKERNSEC_HARDEN_PTRACE |
1513 |
-+ select GRKERNSEC_PTRACE_READEXEC |
1514 |
-+ select GRKERNSEC_SETXID |
1515 |
-+ select GRKERNSEC_VM86 if (X86_32) |
1516 |
-+ select GRKERNSEC_PROC_IPADDR |
1517 |
-+ select GRKERNSEC_RWXMAP_LOG |
1518 |
-+ select GRKERNSEC_SYSCTL |
1519 |
-+ select GRKERNSEC_SYSCTL_ON |
1520 |
-+ select PAX |
1521 |
-+ select PAX_ASLR |
1522 |
-+ select PAX_RANDKSTACK if (X86_TSC && X86) |
1523 |
-+ select PAX_RANDUSTACK |
1524 |
-+ select PAX_RANDMMAP |
1525 |
-+ select PAX_NOEXEC |
1526 |
-+ select PAX_MPROTECT |
1527 |
-+ select PAX_EI_PAX |
1528 |
-+ select PAX_PT_PAX_FLAGS |
1529 |
-+ select PAX_HAVE_ACL_FLAGS |
1530 |
-+ select PAX_SEGMEXEC if (X86_32) |
1531 |
-+ select PAX_PAGEEXEC |
1532 |
-+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) |
1533 |
-+ select PAX_EMUTRAMP if (PARISC) |
1534 |
-+ select PAX_EMUSIGRT if (PARISC) |
1535 |
-+ select PAX_REFCOUNT if (X86 || SPARC64) |
1536 |
-+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) |
1537 |
-+ select PAX_MEMORY_SANITIZE |
1538 |
-+ select PAX_MEMORY_STACKLEAK if (!XEN) |
1539 |
-+ help |
1540 |
-+ If you say Y here, a configuration for grsecurity/PaX features |
1541 |
-+ will be used that is endorsed by the Hardened Gentoo project. |
1542 |
-+ These pre-defined security levels are designed to provide a high |
1543 |
-+ level of security while minimizing incompatibilities with a majority |
1544 |
-+ of Gentoo's available software. |
1545 |
-+ |
1546 |
-+ This "Hardened Gentoo [virtualization]" level is identical to the |
1547 |
-+ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and |
1548 |
-+ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred |
1549 |
-+ security level if the system will be utilizing virtualization software |
1550 |
-+ incompatible with these features, like VirtualBox or kvm. |
1551 |
-+ |
1552 |
-+ When this level is selected, some security features will be forced on, |
1553 |
-+ while others will default to their suggested values of off or on. The |
1554 |
-+ later can be tweaked at the user's discretion, but may cause problems |
1555 |
-+ in some situations. You can fully customize all grsecurity/PaX features |
1556 |
-+ by choosing "Custom" in the Security Level menu. It may be helpful to |
1557 |
-+ inherit the options selected by this security level as a starting point. |
1558 |
-+ To accomplish this, select this security level, then exit the menuconfig |
1559 |
-+ interface, saving changes when prompted. Run make menuconfig again and |
1560 |
-+ select the "Custom" level. |
1561 |
-+ |
1562 |
- config GRKERNSEC_CUSTOM |
1563 |
- bool "Custom" |
1564 |
- help |
1565 |
-diff -Naur a/security/Kconfig b/security/Kconfig |
1566 |
---- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 |
1567 |
-+++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 |
1568 |
-@@ -363,9 +363,10 @@ |
1569 |
- |
1570 |
- config PAX_KERNEXEC |
1571 |
- bool "Enforce non-executable kernel pages" |
1572 |
-- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN |
1573 |
-+ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION |
1574 |
- select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) |
1575 |
- select PAX_KERNEXEC_PLUGIN if X86_64 |
1576 |
-+ default y if GRKERNSEC_HARDENED_WORKSTATION |
1577 |
- help |
1578 |
- This is the kernel land equivalent of PAGEEXEC and MPROTECT, |
1579 |
- that is, enabling this option will make it harder to inject |
1580 |
-@@ -376,30 +377,30 @@ |
1581 |
- |
1582 |
- choice |
1583 |
- prompt "Return Address Instrumentation Method" |
1584 |
-- default PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1585 |
-+ default PAX_KERNEXEC_PLUGIN_METHOD_OR |
1586 |
- depends on PAX_KERNEXEC_PLUGIN |
1587 |
- help |
1588 |
- Select the method used to instrument function pointer dereferences. |
1589 |
- Note that binary modules cannot be instrumented by this approach. |
1590 |
- |
1591 |
-- config PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1592 |
-- bool "bts" |
1593 |
-- help |
1594 |
-- This method is compatible with binary only modules but has |
1595 |
-- a higher runtime overhead. |
1596 |
-- |
1597 |
- config PAX_KERNEXEC_PLUGIN_METHOD_OR |
1598 |
- bool "or" |
1599 |
- depends on !PARAVIRT |
1600 |
- help |
1601 |
- This method is incompatible with binary only modules but has |
1602 |
- a lower runtime overhead. |
1603 |
-+ |
1604 |
-+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1605 |
-+ bool "bts" |
1606 |
-+ help |
1607 |
-+ This method is compatible with binary only modules but has |
1608 |
-+ a higher runtime overhead. |
1609 |
- endchoice |
1610 |
- |
1611 |
- config PAX_KERNEXEC_PLUGIN_METHOD |
1612 |
- string |
1613 |
-- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1614 |
- default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR |
1615 |
-+ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS |
1616 |
- default "" |
1617 |
- |
1618 |
- config PAX_KERNEXEC_MODULE_TEXT |
1619 |
-@@ -556,8 +557,9 @@ |
1620 |
- |
1621 |
- config PAX_MEMORY_UDEREF |
1622 |
- bool "Prevent invalid userland pointer dereference" |
1623 |
-- depends on X86 && !UML_X86 && !XEN |
1624 |
-+ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION |
1625 |
- select PAX_PER_CPU_PGD if X86_64 |
1626 |
-+ default y if GRKERNSEC_HARDENED_WORKSTATION |
1627 |
- help |
1628 |
- By saying Y here the kernel will be prevented from dereferencing |
1629 |
- userland pointers in contexts where the kernel expects only kernel |
1630 |
|
1631 |
diff --git a/3.4.4/4460-grsec-kconfig-proc-user.patch b/3.4.4/4460-grsec-kconfig-proc-user.patch |
1632 |
deleted file mode 100644 |
1633 |
index b2b3188..0000000 |
1634 |
--- a/3.4.4/4460-grsec-kconfig-proc-user.patch |
1635 |
+++ /dev/null |
1636 |
@@ -1,26 +0,0 @@ |
1637 |
-From: Anthony G. Basile <blueness@g.o> |
1638 |
- |
1639 |
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP |
1640 |
-in a different way to avoid bug #366019. This patch should eventually go upstream. |
1641 |
- |
1642 |
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1643 |
---- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400 |
1644 |
-+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400 |
1645 |
-@@ -680,7 +680,7 @@ |
1646 |
- |
1647 |
- config GRKERNSEC_PROC_USER |
1648 |
- bool "Restrict /proc to user only" |
1649 |
-- depends on GRKERNSEC_PROC |
1650 |
-+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP |
1651 |
- help |
1652 |
- If you say Y here, non-root users will only be able to view their own |
1653 |
- processes, and restricts them from viewing network-related information, |
1654 |
-@@ -688,7 +688,7 @@ |
1655 |
- |
1656 |
- config GRKERNSEC_PROC_USERGROUP |
1657 |
- bool "Allow special group" |
1658 |
-- depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER |
1659 |
-+ depends on GRKERNSEC_PROC |
1660 |
- help |
1661 |
- If you say Y here, you will be able to select a group that will be |
1662 |
- able to view all processes and network-related information. If you've |
1663 |
|
1664 |
diff --git a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch |
1665 |
index 5a9d80c..fe28523 100644 |
1666 |
--- a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch |
1667 |
+++ b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch |
1668 |
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org> |
1669 |
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
1670 |
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 |
1671 |
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 |
1672 |
-@@ -1309,6 +1309,27 @@ |
1673 |
+@@ -892,6 +892,27 @@ |
1674 |
menu "Logging Options" |
1675 |
depends on GRKERNSEC |
1676 |
|
1677 |
|
1678 |
diff --git a/3.4.4/4470_disable-compat_vdso.patch b/3.4.4/4470_disable-compat_vdso.patch |
1679 |
index c40f44f..2a637c1 100644 |
1680 |
--- a/3.4.4/4470_disable-compat_vdso.patch |
1681 |
+++ b/3.4.4/4470_disable-compat_vdso.patch |
1682 |
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 |
1683 |
diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig |
1684 |
--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 |
1685 |
+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 |
1686 |
-@@ -1694,17 +1694,8 @@ |
1687 |
+@@ -1678,17 +1678,8 @@ |
1688 |
|
1689 |
config COMPAT_VDSO |
1690 |
def_bool n |