Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/3.0.7/4435_grsec-kconfig-gentoo.patch
diff options
context:
space:
mode:
Diffstat (limited to '3.0.7/4435_grsec-kconfig-gentoo.patch')
-rw-r--r--3.0.7/4435_grsec-kconfig-gentoo.patch315
1 files changed, 315 insertions, 0 deletions
diff --git a/3.0.7/4435_grsec-kconfig-gentoo.patch b/3.0.7/4435_grsec-kconfig-gentoo.patch
new file mode 100644
index 0000000..1bc9742
--- /dev/null
+++ b/3.0.7/4435_grsec-kconfig-gentoo.patch
@@ -0,0 +1,315 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+From: Gordon Malm <gengor@gentoo.org>
+From: Jory A. Pratt <anarchy@gentoo.org>
+From: Kerin Millar <kerframil@gmail.com>
+
+Add Hardened Gentoo [server/workstation] predefined grsecurity
+levels. They're designed to provide a comparitively high level of
+security while remaining generally suitable for as great a majority
+of the userbase as possible (particularly new users).
+
+Make Hardened Gentoo [workstation] predefined grsecurity level the
+default. The Hardened Gentoo [server] level is more restrictive
+and conflicts with some software and thus would be less suitable.
+
+The original version of this patch was conceived and created by:
+Ned Ludd <solar@gentoo.org>
+
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
++++ b/grsecurity/Kconfig 2011-04-17 19:27:46.000000000 -0400
+@@ -18,7 +18,7 @@
+ choice
+ prompt "Security Level"
+ depends on GRKERNSEC
+- default GRKERNSEC_CUSTOM
++ default GRKERNSEC_HARDENED_WORKSTATION
+
+ config GRKERNSEC_LOW
+ bool "Low"
+@@ -191,6 +191,258 @@
+ - Restricted sysfs/debugfs
+ - Active kernel exploit response
+
++config GRKERNSEC_HARDENED_SERVER
++ bool "Hardened Gentoo [server]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_VM86 if (X86_32)
++ select GRKERNSEC_IO if (X86)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_RANDUSTACK
++ select PAX_ASLR
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [server]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred
++ security level if the system will not be utilizing software incompatible
++ with these features.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
++config GRKERNSEC_HARDENED_WORKSTATION
++ bool "Hardened Gentoo [workstation]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_RANDUSTACK
++ select PAX_ASLR
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [workstation]" level is identical to the
++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
++ security level if the system will be utilizing software incompatible
++ with these features.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++ bool "Hardened Gentoo [virtualization]"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_BRUTE
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
++ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
++ select GRKERNSEC_SYSCTL
++ select GRKERNSEC_SYSCTL_ON
++ select PAX
++ select PAX_RANDUSTACK
++ select PAX_ASLR
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++ select PAX_SEGMEXEC if (X86_32)
++ select PAX_PAGEEXEC
++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++ select PAX_EMUTRAMP if (PARISC)
++ select PAX_EMUSIGRT if (PARISC)
++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++ select PAX_REFCOUNT if (X86 || SPARC64)
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_MEMORY_SANITIZE
++ help
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
++
++ This "Hardened Gentoo [virtualization]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
++ security level if the system will be utilizing virtualization software
++ incompatible with these features, like VirtualBox or kvm.
++
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
++
+ config GRKERNSEC_CUSTOM
+ bool "Custom"
+ help
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-09-21 07:20:02.000000000 -0400
++++ b/security/Kconfig 2011-09-21 07:25:50.000000000 -0400
+@@ -322,9 +322,10 @@
+
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
+ select PAX_KERNEXEC_PLUGIN if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -487,8 +488,9 @@
+
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel
+