author | Anthony G. Basile <blueness@gentoo.org> | 2011-02-25 21:25:45 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-02-25 21:25:45 -0500 |
commit | 061c8e2e1fcf85d12bf4cd661d9e8302580511fc (patch) | |
tree | 2ab05a270dfff29f74176ca1da79f9cb1499f57a | |
parent | Update Grsec/PaX (diff) | |
parent | Update Grsec/PaX (diff) | |
download | hardened-patchset-061c8e2e1fcf85d12bf4cd661d9e8302580511fc.tar.gz hardened-patchset-061c8e2e1fcf85d12bf4cd661d9e8302580511fc.tar.bz2 hardened-patchset-061c8e2e1fcf85d12bf4cd661d9e8302580511fc.zip |
Merge branch 'experimental'
-rw-r--r-- | 2.6.32/4435_grsec-kconfig-gentoo.patch | 348 | ||||
-rw-r--r-- | 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 2.6.37/4435_grsec-kconfig-gentoo.patch | 348 | ||||
-rw-r--r-- | 2.6.37/4440_selinux-avc_audit-log-curr_ip.patch | 2 |
4 files changed, 222 insertions, 478 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch index c9fbc5f..d67ab0d 100644 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch @@ -1,3 +1,4 @@ +From: Anthony G. Basile <blueness@gentoo.org> From: Gordon Malm <gengor@gentoo.org> From: Jory A. Pratt <anarchy@gentoo.org> From: Kerin Millar <kerframil@gmail.com> @@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable. The original version of this patch was conceived and created by: Ned Ludd <solar@gentoo.org> ---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100 -+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100 +diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig +--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500 ++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" depends on GRKERNSEC - default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC ++ default GRKERNSEC_HARDENED_WORKSTATION config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,416 @@ +@@ -191,6 +191,261 @@ - Ptrace restrictions - Restricted vm86 mode @@ -63,9 +65,11 @@ Ned Ludd <solar@gentoo.org> + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX 
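Review bot: The 2.6.32 copy of 4435_grsec-kconfig-gentoo.patch is made byte-identical to the 2.6.37 copy (both sections show `index c9fbc5f..d67ab0d`), yet the file headers this hunk adds name `linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig`, and the security/Kconfig hunks appended later in this section carry what look like 2.6.37 offsets (`@@ -324,8 +324,9 @@`, `@@ -461,8 +462,9 @@`). Against a 2.6.32 hardened tree those hunks can at best apply with fuzz, so a `patch --dry-run` of the 2.6.32 series should confirm they land where intended before this ships. The hand-edited inner header `+@@ -191,6 +191,261 @@` needs the same dry run, since the 261 count cannot be checked from the collapsed view. The equivalent hunks in the 2.6.37 section below are the ones for which these paths and offsets were written.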
@@ -77,8 +81,8 @@ Ned Ludd <solar@gentoo.org>
 + select PAX_EI_PAX
 + select PAX_PT_PAX_FLAGS
 + select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
 + select PAX_SEGMEXEC if (X86_32)
 + select PAX_PAGEEXEC
@@ -87,154 +91,30 @@ Ned Ludd <solar@gentoo.org> + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. ++ This "Hardened Gentoo [server]" level is identical to the ++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, ++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred ++ security level if the system will not be utilizing software incompatible ++ with these features. + -+ This Hardened Gentoo [server] level is identical to the -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO, -+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled. -+ Accordingly, this is the preferred security level if the system will -+ not be utilizing software incompatible with the aforementioned -+ grsecurity/PaX features. 
-+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [server]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. 
-+ -+config GRKERNSEC_HARDENED_SERVER_NO_RBAC -+ bool "Hardened Gentoo [server no rbac]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_EXECVE -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO if (X86) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select GRKERNSEC_NO_RBAC -+ select PAX -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_NO_ACL_FLAGS -+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && 
(SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [server] level is identical to the -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO, -+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled. -+ Accordingly, this is the preferred security level if the system will -+ not be utilizing software incompatible with the aforementioned -+ grsecurity/PaX features. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [server]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. 
Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. ++ When this level is selected, some security features will be forced on, ++ while others will default to their suggested values of off or on. The ++ later can be tweaked at the user's discretion, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. + +config GRKERNSEC_HARDENED_WORKSTATION + bool "Hardened Gentoo [workstation]" @@ -265,12 +145,16 @@ Ned Ludd <solar@gentoo.org> + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET ++ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) ++ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX 
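Review bot: The new help paragraph has a wording error in `++ later can be tweaked at the user's discretion, but may cause problems`: "later" should be "latter", as it refers back to the features that merely default rather than being forced on. The same paragraph is repeated verbatim in the workstation and virtualization help blocks in the hunks below and in the 2.6.37 copy of this file, so every copy needs the fix. The server text also carries a stray comma in `++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,`. In the workstation help below, "with GRKERNSEC_IO and GRKERNSEC_PROC_ADD disabled" overstates what commenting out the two `select` lines does — they are simply no longer forced on and remain user-selectable — so "not selected by default" would describe the new behaviour more accurately.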
@@ -282,8 +166,8 @@ Ned Ludd <solar@gentoo.org>
 + select PAX_EI_PAX
 + select PAX_PT_PAX_FLAGS
 + select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
 + select PAX_SEGMEXEC if (X86_32)
 + select PAX_PAGEEXEC
@@ -292,53 +176,33 @@ Ned Ludd <solar@gentoo.org> + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [workstation] level is designed for machines -+ which are intended to run software not compatible with the -+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity. -+ Accordingly, this security level is suitable for use with the X server -+ "Xorg" and/or any system that will act as host OS to the virtualization -+ softwares vmware-server or virtualbox. ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. 
-+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. ++ This "Hardened Gentoo [workstation]" level is identical to the ++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and ++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred ++ security level if the system will be utilizing software incompatible ++ with these features. + -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [workstation]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. ++ When this level is selected, some security features will be forced on, ++ while others will default to their suggested values of off or on. The ++ later can be tweaked at the user's discretion, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. ++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. + -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. 
If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. -+ -+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC -+ bool "Hardened Gentoo [workstation no rbac]" ++config GRKERNSEC_HARDENED_VIRTUALIZATION ++ bool "Hardened Gentoo [virtualization]" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_EXECVE @@ -366,15 +230,18 @@ Ned Ludd <solar@gentoo.org> + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET ++ # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) ++ # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON -+ select GRKERNSEC_NO_RBAC + select PAX + select PAX_RANDUSTACK + select PAX_ASLR @@ -383,9 +250,9 @@ Ned Ludd <solar@gentoo.org> + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS -+ select PAX_NO_ACL_FLAGS -+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) ++ select PAX_HAVE_ACL_FLAGS ++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) ++ # select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC 
@@ -394,51 +261,56 @@ Ned Ludd <solar@gentoo.org> + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [workstation] level is designed for machines -+ which are intended to run software not compatible with the -+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity. -+ Accordingly, this security level is suitable for use with the X server -+ "Xorg" and/or any system that will act as host OS to the virtualization -+ softwares vmware-server or virtualbox. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. 
++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [workstation]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. ++ This "Hardened Gentoo [virtualization]" level is identical to the ++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and ++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred ++ security level if the system will be utilizing virtualization software ++ incompatible with these features, like VirtualBox or kvm. + -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. ++ When this level is selected, some security features will be forced on, ++ while others will default to their suggested values of off or on. The ++ later can be tweaked at the user's discretion, but may cause problems ++ in some situations. You can fully customize all grsecurity/PaX features ++ by choosing "Custom" in the Security Level menu. It may be helpful to ++ inherit the options selected by this security level as a starting point. 
++ To accomplish this, select this security level, then exit the menuconfig ++ interface, saving changes when prompted. Run make menuconfig again and ++ select the "Custom" level. + config GRKERNSEC_CUSTOM bool "Custom" help +diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig +--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500 ++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500 +@@ -324,8 +324,9 @@ + + config PAX_KERNEXEC + bool "Enforce non-executable kernel pages" +- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN ++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) ++ default y if GRKERNSEC_HARDENED_WORKSTATION + help + This is the kernel land equivalent of PAGEEXEC and MPROTECT, + that is, enabling this option will make it harder to inject +@@ -461,8 +462,9 @@ + + config PAX_MEMORY_UDEREF + bool "Prevent invalid userland pointer dereference" +- depends on X86 && !UML_X86 && !XEN ++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION + select PAX_PER_CPU_PGD if X86_64 ++ default y if GRKERNSEC_HARDENED_WORKSTATION + help + By saying Y here the kernel will be prevented from dereferencing + userland pointers in contexts where the kernel expects only kernel diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch index 0049a17..5592c67 100644 --- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch +++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch @@ -27,7 +27,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> --- a/grsecurity/Kconfig +++ b/grsecurity/Kconfig -@@ -1385,6 +1385,27 @@ +@@ -1230,6 +1230,27 @@ menu "Logging Options" depends on GRKERNSEC 
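Review bot: The help text added for GRKERNSEC_HARDENED_VIRTUALIZATION says PAX_KERNEXEC and PAX_MEMORY_UDEREF are "defaulting to off", but the security/Kconfig hunks appended at the end of this section add `!GRKERNSEC_HARDENED_VIRTUALIZATION` to both options' `depends on` lines, which hides the options entirely rather than defaulting them off — a user who picks this level can no longer enable either one. If a soft default is intended, as the shared paragraph "others will default to their suggested values ... can be tweaked" promises, drop the two new `depends on` terms and rely on the `++ default y if GRKERNSEC_HARDENED_WORKSTATION` lines already added, under which both options default to n for the virtualization level; otherwise the help text should state that the two options are unavailable at this level. Note too that `default y` only governs fresh configurations: an existing .config carried forward with make oldconfig keeps its stored value, so switching to the workstation level does not turn KERNEXEC or UDEREF on for upgraders (standard Kconfig default semantics, inferred rather than shown here) and is worth a sentence in the help. The same hunk exists in the 2.6.37 copy, which is cut off below.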
diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch index c9fbc5f..d67ab0d 100644 --- a/2.6.37/4435_grsec-kconfig-gentoo.patch +++ b/2.6.37/4435_grsec-kconfig-gentoo.patch @@ -1,3 +1,4 @@ +From: Anthony G. Basile <blueness@gentoo.org> From: Gordon Malm <gengor@gentoo.org> From: Jory A. Pratt <anarchy@gentoo.org> From: Kerin Millar <kerframil@gmail.com> @@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable. The original version of this patch was conceived and created by: Ned Ludd <solar@gentoo.org> ---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100 -+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100 +diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig +--- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500 ++++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" depends on GRKERNSEC - default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC ++ default GRKERNSEC_HARDENED_WORKSTATION config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,416 @@ +@@ -191,6 +191,261 @@ - Ptrace restrictions - Restricted vm86 mode @@ -63,9 +65,11 @@ Ned Ludd <solar@gentoo.org> + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) ++ select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR ++ select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX 
@@ -77,8 +81,8 @@ Ned Ludd <solar@gentoo.org>
 + select PAX_EI_PAX
 + select PAX_PT_PAX_FLAGS
 + select PAX_HAVE_ACL_FLAGS
-+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ select PAX_MEMORY_UDEREF if (X86 && !XEN)
 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
 + select PAX_SEGMEXEC if (X86_32)
 + select PAX_PAGEEXEC
@@ -87,154 +91,30 @@ Ned Ludd <solar@gentoo.org> + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) ++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. ++ If you say Y here, a configuration for grsecurity/PaX features ++ will be used that is endorsed by the Hardened Gentoo project. ++ These pre-defined security levels are designed to provide a high ++ level of security while minimizing incompatibilities with a majority ++ of Gentoo's available software. + -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. ++ This "Hardened Gentoo [server]" level is identical to the ++ "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, ++ and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred ++ security level if the system will not be utilizing software incompatible ++ with these features. + -+ This Hardened Gentoo [server] level is identical to the -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO, -+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled. -+ Accordingly, this is the preferred security level if the system will -+ not be utilizing software incompatible with the aforementioned -+ grsecurity/PaX features. 
-+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [server]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. 
-+ -+config GRKERNSEC_HARDENED_SERVER_NO_RBAC -+ bool "Hardened Gentoo [server no rbac]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_EXECVE -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO if (X86) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select GRKERNSEC_NO_RBAC -+ select PAX -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_NO_ACL_FLAGS -+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && 
(SLAB || SLUB || SLOB))
-+ select PAX_MEMORY_SANITIZE
-+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [server] level is identical to the
-+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
-+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
-+ Accordingly, this is the preferred security level if the system will
-+ not be utilizing software incompatible with the aforementioned
-+ grsecurity/PaX features.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
-+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [server]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
-+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
+config GRKERNSEC_HARDENED_WORKSTATION
+ bool "Hardened Gentoo [workstation]"
@@ -265,12 +145,16 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
+ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
+ select PAX
@@ -282,8 +166,8 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
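Review bot: The [workstation] level stops forcing PAX_MEMORY_UDEREF on 32-bit x86 here: `-+ select PAX_MEMORY_UDEREF if (X86_32)` becomes the inert `++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)`, and the only thing that now turns the option on is the `default y if GRKERNSEC_HARDENED_WORKSTATION` added to security/Kconfig in the last hunk, which a user can switch off in menuconfig. That is a deliberate change from "forced" to "defaulted", but a `#` line in Kconfig is a plain comment, so the two commented-out selects read as dead configuration rather than documenting the intent. I would replace them with a comment that states it, e.g. `# PAX_KERNEXEC and PAX_MEMORY_UDEREF are not forced at this level; security/Kconfig defaults them to y for GRKERNSEC_HARDENED_WORKSTATION`. The same pair of commented selects appears in the [virtualization] block in the @@ -383 hunk below. The config GRKERNSEC_HARDENED_WORKSTATION block starts in the previous hunk and continues past this one.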
@@ -292,53 +176,33 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
++ This "Hardened Gentoo [workstation]" level is identical to the
++ "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
++ GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred
++ security level if the system will be utilizing software incompatible
++ with these features.
+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC
-+ bool "Hardened Gentoo [workstation no rbac]"
++config GRKERNSEC_HARDENED_VIRTUALIZATION
++ bool "Hardened Gentoo [virtualization]"
+ select GRKERNSEC_LINK
+ select GRKERNSEC_FIFO
+ select GRKERNSEC_EXECVE
@@ -366,15 +230,18 @@ Ned Ludd <solar@gentoo.org>
+ select GRKERNSEC_KMEM
+ select GRKERNSEC_RESLOG
+ select GRKERNSEC_RANDNET
++ # select GRKERNSEC_PROC_ADD
+ select GRKERNSEC_CHROOT_CHMOD
+ select GRKERNSEC_CHROOT_NICE
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
++ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
++ # select GRKERNSEC_IO if (X86)
+ select GRKERNSEC_PROC_IPADDR
++ select GRKERNSEC_RWXMAP_LOG
+ select GRKERNSEC_SYSCTL
+ select GRKERNSEC_SYSCTL_ON
-+ select GRKERNSEC_NO_RBAC
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
@@ -383,9 +250,9 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_MPROTECT
+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
-+ select PAX_NO_ACL_FLAGS
-+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK))
-+ select PAX_MEMORY_UDEREF if (X86_32)
++ select PAX_HAVE_ACL_FLAGS
++ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
++ # select PAX_MEMORY_UDEREF if (X86 && !XEN)
+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
+ select PAX_SEGMEXEC if (X86_32)
+ select PAX_PAGEEXEC
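Review bot: The new [workstation] help text says the level is the server level `but with GRKERNSEC_IO and GRKERNSEC_PROC_ADD disabled`, but what the @@ -265 and @@ -366 hunks actually do is comment out the `select` lines, which leaves both options user-selectable at their own defaults rather than disabled; `but without GRKERNSEC_IO and GRKERNSEC_PROC_ADD forced on` would describe the behaviour. The same paragraph has `The later can be tweaked`, which should read `The latter`, and that sentence is repeated in the [virtualization] help in the next hunk. I cannot see a `select GRKERNSEC_PROC_ADD` in the server block from here, so whether the two levels differ in PROC_ADD at all should be confirmed before the help claims it. Renaming GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC to GRKERNSEC_HARDENED_VIRTUALIZATION also means an existing .config that had the old symbol set will silently fall back to the choice default on the next `make oldconfig`; a line in the patch description would save users a surprise. The config GRKERNSEC_HARDENED_VIRTUALIZATION block opened in this hunk continues past the @@ -383 hunk.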
@@ -394,51 +261,56 @@ Ned Ludd <solar@gentoo.org>
+ select PAX_EMUSIGRT if (PARISC)
+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
+ select PAX_REFCOUNT if (X86 || SPARC64)
-+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
+ select PAX_MEMORY_SANITIZE
+ help
-+ If you say Y here, a configuration will be used that is endorsed by
-+ the Hardened Gentoo project. Therefore, many of the protections
-+ made available by grsecurity and PaX will be enabled.
-+
-+ Hardened Gentoo's pre-defined security levels are designed to provide
-+ a high level of security while minimizing incompatibilities with the
-+ majority of available software. For further information, please
-+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
-+ well as the Hardened Gentoo Primer at
-+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
-+
-+ This Hardened Gentoo [workstation] level is designed for machines
-+ which are intended to run software not compatible with the
-+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
-+ Accordingly, this security level is suitable for use with the X server
-+ "Xorg" and/or any system that will act as host OS to the virtualization
-+ softwares vmware-server or virtualbox.
-+
-+ You may wish to emerge paxctl, a utility which allows you to toggle
-+ PaX features on problematic binaries on an individual basis. Note that
-+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
-+ Translated, this means that if you wish to toggle PaX features on
-+ binaries provided by applications that are distributed only in binary
-+ format (rather than being built locally from sources), you will need to
-+ run paxctl -C on the binaries beforehand so as to inject the missing
-+ headers.
++ If you say Y here, a configuration for grsecurity/PaX features
++ will be used that is endorsed by the Hardened Gentoo project.
++ These pre-defined security levels are designed to provide a high
++ level of security while minimizing incompatibilities with a majority
++ of Gentoo's available software.
+
-+ When this level is selected, some options cannot be changed. However,
-+ you may opt to fully customize the options that are selected by
-+ choosing "Custom" in the Security Level menu. You may find it helpful
-+ to inherit the options selected by the "Hardened Gentoo [workstation]"
-+ security level as a starting point for further configuration. To
-+ accomplish this, select this security level then exit the menuconfig
-+ interface, saving changes when prompted. Then, run make menuconfig
-+ again and select the "Custom" level.
++ This "Hardened Gentoo [virtualization]" level is identical to the
++ "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
++ PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred
++ security level if the system will be utilizing virtualization software
++ incompatible with these features, like VirtualBox or kvm.
+
-+ Note that this security level probably should not be used if the
-+ target system is a 32bit x86 virtualized guest. If you intend to run
-+ the kernel in a 32bit x86 virtualized guest you will likely need to
-+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
-+ impact on performance.
++ When this level is selected, some security features will be forced on,
++ while others will default to their suggested values of off or on. The
++ later can be tweaked at the user's discretion, but may cause problems
++ in some situations. You can fully customize all grsecurity/PaX features
++ by choosing "Custom" in the Security Level menu. It may be helpful to
++ inherit the options selected by this security level as a starting point.
++ To accomplish this, select this security level, then exit the menuconfig
++ interface, saving changes when prompted. Run make menuconfig again and
++ select the "Custom" level.
+
config GRKERNSEC_CUSTOM
bool "Custom"
help
+diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig
+--- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500
++++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500
+@@ -324,8 +324,9 @@
+
+ config PAX_KERNEXEC
+ bool "Enforce non-executable kernel pages"
+- depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
++ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
+ that is, enabling this option will make it harder to inject
+@@ -461,8 +462,9 @@
+
+ config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
+- depends on X86 && !UML_X86 && !XEN
++ depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
+ select PAX_PER_CPU_PGD if X86_64
++ default y if GRKERNSEC_HARDENED_WORKSTATION
+ help
+ By saying Y here the kernel will be prevented from dereferencing
+ userland pointers in contexts where the kernel expects only kernel
diff --git a/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch
index e8b9c36..c7c942f 100644
--- a/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.37/4440_selinux-avc_audit-log-curr_ip.patch
@@ -27,7 +27,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
--- a/grsecurity/Kconfig
+++ b/grsecurity/Kconfig
-@@ -1385,6 +1385,27 @@
+@@ -1230,6 +1230,27 @@
menu "Logging Options"
depends on GRKERNSEC |
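Review bot: The security/Kconfig part of this hunk appends `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` to the `depends on` of both PAX_KERNEXEC and PAX_MEMORY_UDEREF, which makes the two options impossible to enable at the [virtualization] level, yet the [virtualization] help text added a few lines earlier says they are merely `defaulting to off`. One of the two should change: either drop the new `depends on` term and let the `default y if GRKERNSEC_HARDENED_WORKSTATION` lines carry the behaviour (off by default under [virtualization], still selectable on a host where they work), or reword the help to `the PAX_KERNEXEC and PAX_MEMORY_UDEREF options cannot be enabled`. As written, an administrator who picks this level for one incompatible hypervisor also loses the ability to turn these kernel-side protections back on without switching level. Minor: `like VirtualBox or kvm` would normally be written `KVM`. The @@ -1385 to @@ -1230 offset refresh in 4440_selinux-avc_audit-log-curr_ip.patch that starts at the end of this line is cut off by the view.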