diff options
Diffstat (limited to '3.2.17/4455_grsec-kconfig-gentoo.patch')
-rw-r--r-- | 3.2.17/4455_grsec-kconfig-gentoo.patch | 357 |
1 files changed, 357 insertions, 0 deletions
diff --git a/3.2.17/4455_grsec-kconfig-gentoo.patch b/3.2.17/4455_grsec-kconfig-gentoo.patch new file mode 100644 index 0000000..87b5454 --- /dev/null +++ b/3.2.17/4455_grsec-kconfig-gentoo.patch @@ -0,0 +1,357 @@ +From: Anthony G. Basile <blueness@gentoo.org> +From: Gordon Malm <gengor@gentoo.org> +From: Jory A. Pratt <anarchy@gentoo.org> +From: Kerin Millar <kerframil@gmail.com> + +Add Hardened Gentoo [server/workstation] predefined grsecurity +levels. They're designed to provide a comparitively high level of +security while remaining generally suitable for as great a majority +of the userbase as possible (particularly new users). + +Make Hardened Gentoo [workstation] predefined grsecurity level the +default. The Hardened Gentoo [server] level is more restrictive +and conflicts with some software and thus would be less suitable. + +The original version of this patch was conceived and created by: +Ned Ludd <solar@gentoo.org> + +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig +--- a/grsecurity/Kconfig 2011-12-26 10:56:24.000000000 -0500 ++++ b/grsecurity/Kconfig 2011-12-26 12:20:25.000000000 -0500 +@@ -18,7 +18,7 @@ + choice + prompt "Security Level" + depends on GRKERNSEC +- default GRKERNSEC_CUSTOM ++ default GRKERNSEC_HARDENED_WORKSTATION + + config GRKERNSEC_LOW + bool "Low" +@@ -192,6 +192,262 @@ + - Restricted sysfs/debugfs + - Active kernel exploit response + ++config GRKERNSEC_HARDENED_SERVER ++ bool "Hardened Gentoo [server]" ++ select GRKERNSEC_LINK ++ select GRKERNSEC_FIFO ++ select GRKERNSEC_DMESG ++ select GRKERNSEC_FORKFAIL ++ select GRKERNSEC_TIME ++ select GRKERNSEC_SIGNAL ++ select GRKERNSEC_CHROOT ++ select GRKERNSEC_CHROOT_SHMAT ++ select GRKERNSEC_CHROOT_UNIX ++ select GRKERNSEC_CHROOT_MOUNT ++ select GRKERNSEC_CHROOT_FCHDIR ++ select GRKERNSEC_CHROOT_PIVOT ++ select GRKERNSEC_CHROOT_DOUBLE ++ select GRKERNSEC_CHROOT_CHDIR ++ select GRKERNSEC_CHROOT_MKNOD ++ select GRKERNSEC_CHROOT_CAPS ++ select GRKERNSEC_CHROOT_SYSCTL ++ select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_SYSFS_RESTRICT ++ select GRKERNSEC_PROC ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) ++ select GRKERNSEC_HIDESYM ++ select GRKERNSEC_BRUTE ++ select GRKERNSEC_PROC_USERGROUP ++ select GRKERNSEC_KMEM ++ select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE ++ select GRKERNSEC_RANDNET ++ select GRKERNSEC_PROC_ADD ++ select GRKERNSEC_CHROOT_CHMOD ++ select GRKERNSEC_CHROOT_NICE ++ select GRKERNSEC_AUDIT_MOUNT ++ select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_PTRACE_READEXEC ++ select GRKERNSEC_SETXID ++ select GRKERNSEC_VM86 if (X86_32) ++ select GRKERNSEC_IO ++ select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG ++ select GRKERNSEC_SYSCTL ++ select GRKERNSEC_SYSCTL_ON ++ select PAX ++ select PAX_ASLR ++ select PAX_RANDKSTACK if (X86_TSC && X86) ++ select PAX_RANDUSTACK ++ select PAX_RANDMMAP ++ select PAX_NOEXEC ++ select PAX_MPROTECT ++ select PAX_EI_PAX ++ select PAX_PT_PAX_FLAGS ++ select PAX_HAVE_ACL_FLAGS ++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) ++ select PAX_MEMORY_UDEREF if (X86 && !XEN) ++ select PAX_SEGMEXEC if (X86_32) ++ select PAX_PAGEEXEC ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) ++ select PAX_EMUTRAMP if (PARISC) ++ select PAX_EMUSIGRT if (PARISC) ++ select PAX_REFCOUNT if (X86 || SPARC64) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) ++ select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK if (!XEN) ++ help ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. ++ ++ This "Hardened Gentoo [server]" level is identical to the ++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, ++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred ++ security level if the system will not be utilizing software incompatible ++ with these features. ++ ++ When this level is selected, some security features will be forced on, ++ while others will default to their suggested values of off or on. The ++ later can be tweaked at the user's discretion, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. ++ ++config GRKERNSEC_HARDENED_WORKSTATION ++ bool "Hardened Gentoo [workstation]" ++ select GRKERNSEC_LINK ++ select GRKERNSEC_FIFO ++ select GRKERNSEC_DMESG ++ select GRKERNSEC_FORKFAIL ++ select GRKERNSEC_TIME ++ select GRKERNSEC_SIGNAL ++ select GRKERNSEC_CHROOT ++ select GRKERNSEC_CHROOT_SHMAT ++ select GRKERNSEC_CHROOT_UNIX ++ select GRKERNSEC_CHROOT_MOUNT ++ select GRKERNSEC_CHROOT_FCHDIR ++ select GRKERNSEC_CHROOT_PIVOT ++ select GRKERNSEC_CHROOT_DOUBLE ++ select GRKERNSEC_CHROOT_CHDIR ++ select GRKERNSEC_CHROOT_MKNOD ++ select GRKERNSEC_CHROOT_CAPS ++ select GRKERNSEC_CHROOT_SYSCTL ++ select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_PROC ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) ++ select GRKERNSEC_HIDESYM ++ select GRKERNSEC_BRUTE ++ select GRKERNSEC_PROC_USERGROUP ++ select GRKERNSEC_KMEM ++ select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE ++ select GRKERNSEC_RANDNET ++ select GRKERNSEC_CHROOT_CHMOD ++ select GRKERNSEC_CHROOT_NICE ++ select GRKERNSEC_AUDIT_MOUNT ++ select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_PTRACE_READEXEC ++ select GRKERNSEC_SETXID ++ select GRKERNSEC_VM86 if (X86_32) ++ select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG ++ select GRKERNSEC_SYSCTL ++ select GRKERNSEC_SYSCTL_ON ++ select PAX ++ select PAX_ASLR ++ select PAX_RANDKSTACK if (X86_TSC && X86) ++ select PAX_RANDUSTACK ++ select PAX_RANDMMAP ++ select PAX_NOEXEC ++ select PAX_MPROTECT ++ select PAX_EI_PAX ++ select PAX_PT_PAX_FLAGS ++ select PAX_HAVE_ACL_FLAGS ++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) ++ select PAX_MEMORY_UDEREF if (X86 && !XEN) ++ select PAX_SEGMEXEC if (X86_32) ++ select PAX_PAGEEXEC ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) ++ select PAX_EMUTRAMP if (PARISC) ++ select PAX_EMUSIGRT if (PARISC) ++ select PAX_REFCOUNT if (X86 || SPARC64) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) ++ select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK if (!XEN) ++ help ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. ++ ++ This "Hardened Gentoo [workstation]" level is identical to the ++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and ++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred ++ security level if the system will be utilizing software incompatible ++ with these features. ++ ++ When this level is selected, some security features will be forced on, ++ while others will default to their suggested values of off or on. The ++ later can be tweaked at the user's discretion, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. ++ ++config GRKERNSEC_HARDENED_VIRTUALIZATION ++ bool "Hardened Gentoo [virtualization]" ++ select GRKERNSEC_LINK ++ select GRKERNSEC_FIFO ++ select GRKERNSEC_DMESG ++ select GRKERNSEC_FORKFAIL ++ select GRKERNSEC_TIME ++ select GRKERNSEC_SIGNAL ++ select GRKERNSEC_CHROOT ++ select GRKERNSEC_CHROOT_SHMAT ++ select GRKERNSEC_CHROOT_UNIX ++ select GRKERNSEC_CHROOT_MOUNT ++ select GRKERNSEC_CHROOT_FCHDIR ++ select GRKERNSEC_CHROOT_PIVOT ++ select GRKERNSEC_CHROOT_DOUBLE ++ select GRKERNSEC_CHROOT_CHDIR ++ select GRKERNSEC_CHROOT_MKNOD ++ select GRKERNSEC_CHROOT_CAPS ++ select GRKERNSEC_CHROOT_SYSCTL ++ select GRKERNSEC_CHROOT_FINDTASK ++ select GRKERNSEC_PROC ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) ++ select GRKERNSEC_HIDESYM ++ select GRKERNSEC_BRUTE ++ select GRKERNSEC_PROC_USERGROUP ++ select GRKERNSEC_KMEM ++ select GRKERNSEC_RESLOG ++ select GRKERNSEC_AUDIT_PTRACE ++ select GRKERNSEC_RANDNET ++ select GRKERNSEC_CHROOT_CHMOD ++ select GRKERNSEC_CHROOT_NICE ++ select GRKERNSEC_AUDIT_MOUNT ++ select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_PTRACE_READEXEC ++ select GRKERNSEC_SETXID ++ select GRKERNSEC_VM86 if (X86_32) ++ select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG ++ select GRKERNSEC_SYSCTL ++ select GRKERNSEC_SYSCTL_ON ++ select PAX ++ select PAX_ASLR ++ select PAX_RANDKSTACK if (X86_TSC && X86) ++ select PAX_RANDUSTACK ++ select PAX_RANDMMAP ++ select PAX_NOEXEC ++ select PAX_MPROTECT ++ select PAX_EI_PAX ++ select PAX_PT_PAX_FLAGS ++ select PAX_HAVE_ACL_FLAGS ++ select PAX_SEGMEXEC if (X86_32) ++ select PAX_PAGEEXEC ++ select PAX_EMUPLT if (ALPHA || PARISC || SPARC) ++ select PAX_EMUTRAMP if (PARISC) ++ select PAX_EMUSIGRT if (PARISC) ++ select PAX_REFCOUNT if (X86 || SPARC64) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) ++ select PAX_MEMORY_SANITIZE ++ select PAX_MEMORY_STACKLEAK if (!XEN) ++ help ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. ++ ++ This "Hardened Gentoo [virtualization]" level is identical to the ++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and ++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred ++ security level if the system will be utilizing virtualization software ++ incompatible with these features, like VirtualBox or kvm. ++ ++ When this level is selected, some security features will be forced on, ++ while others will default to their suggested values of off or on. The ++ later can be tweaked at the user's discretion, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. ++ + config GRKERNSEC_CUSTOM + bool "Custom" + help +diff -Naur a/security/Kconfig b/security/Kconfig +--- a/security/Kconfig 2011-12-26 12:23:44.000000000 -0500 ++++ b/security/Kconfig 2011-12-26 11:14:27.000000000 -0500 +@@ -362,9 +362,10 @@ + + config PAX_KERNEXEC + bool "Enforce non-executable kernel pages" +- depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN ++ depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) + select PAX_KERNEXEC_PLUGIN if X86_64 ++ default y if GRKERNSEC_HARDENED_WORKSTATION + help + This is the kernel land equivalent of PAGEEXEC and MPROTECT, + that is, enabling this option will make it harder to inject +@@ -375,30 +376,30 @@ + + choice + prompt "Return Address Instrumentation Method" +- default PAX_KERNEXEC_PLUGIN_METHOD_BTS ++ default PAX_KERNEXEC_PLUGIN_METHOD_OR + depends on PAX_KERNEXEC_PLUGIN + help + Select the method used to instrument function pointer dereferences. + Note that binary modules cannot be instrumented by this approach. + +- config PAX_KERNEXEC_PLUGIN_METHOD_BTS +- bool "bts" +- help +- This method is compatible with binary only modules but has +- a higher runtime overhead. +- + config PAX_KERNEXEC_PLUGIN_METHOD_OR + bool "or" + depends on !PARAVIRT + help + This method is incompatible with binary only modules but has + a lower runtime overhead. ++ ++ config PAX_KERNEXEC_PLUGIN_METHOD_BTS ++ bool "bts" ++ help ++ This method is compatible with binary only modules but has ++ a higher runtime overhead. + endchoice + + config PAX_KERNEXEC_PLUGIN_METHOD + string +- default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS + default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR ++ default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS + default "" + + config PAX_KERNEXEC_MODULE_TEXT +@@ -555,8 +556,9 @@ + + config PAX_MEMORY_UDEREF + bool "Prevent invalid userland pointer dereference" +- depends on X86 && !UML_X86 && !XEN ++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION + select PAX_PER_CPU_PGD if X86_64 ++ default y if GRKERNSEC_HARDENED_WORKSTATION + help + By saying Y here the kernel will be prevented from dereferencing + userland pointers in contexts where the kernel expects only kernel |