public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.22/, 2.6.32/, 3.4.4/
@ 2012-07-09 23:56 Anthony G. Basile
From: Anthony G. Basile @ 2012-07-09 23:56 UTC
  To: gentoo-commits

commit:     386d50181178e9320f033575d3eabc2017a7b7ae
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Jul  9 23:55:51 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Jul  9 23:55:51 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=386d5018

Sync gentoo patches with new Kconfig structure

---
 2.6.32/0000_README                              |   16 -
 2.6.32/4445_grsec-pax-without-grsec.patch       |   91 ------
 2.6.32/4450_grsec-kconfig-default-gids.patch    |   43 ++--
 2.6.32/4455_grsec-kconfig-gentoo.patch          |  357 -----------------------
 2.6.32/4460-grsec-kconfig-proc-user.patch       |   26 --
 2.6.32/4465_selinux-avc_audit-log-curr_ip.patch |    2 +-
 2.6.32/4470_disable-compat_vdso.patch           |    2 +-
 3.2.22/0000_README                              |   16 -
 3.2.22/4445_grsec-pax-without-grsec.patch       |   91 ------
 3.2.22/4455_grsec-kconfig-gentoo.patch          |  357 -----------------------
 3.2.22/4460-grsec-kconfig-proc-user.patch       |   26 --
 3.4.4/0000_README                               |    4 +
 12 files changed, 31 insertions(+), 1000 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 2011830..a0df600 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -48,27 +48,11 @@ Patch:	4440_grsec-remove-protected-paths.patch
 From:	Anthony G. Basile <blueness@gentoo.org>
 Desc:	Removes chmod statements from grsecurity/Makefile
 
-Patch:	4445_grsec-pax-without-grsec.patch
-From:	Gordon Malm <gengor@gentoo.org>
-Desc:	Allows PaX features to be selected without enabling GRKERNSEC
-
 Patch:	4450_grsec-kconfig-default-gids.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Sets sane(r) default GIDs on various grsecurity group-dependent
 	features
 
-Patch:	4455_grsec-kconfig-gentoo.patch
-From:	Gordon Malm <gengor@gentoo.org>
-	Kerin Millar <kerframil@gmail.com>
-	Anthony G. Basile <blueness@gentoo.org>
-Desc:	Adds Hardened Gentoo [server/workstation/virtualization] security
-	levels, sets Hardened Gentoo [workstation] as default
-
-Patch:	4460-grsec-kconfig-proc-user.patch
-From:	Anthony G. Basile <blueness@gentoo.org>
-Desc:	Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
-	exclusive to avoid bug #366019.
-
 Patch:	4465_selinux-avc_audit-log-curr_ip.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Anthony G. Basile <blueness@gentoo.org>
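
Review bot: the README drops three entries whose patches did unrelated jobs, and nothing records where each behaviour went: 4445 (PaX selectable without GRKERNSEC), 4455 (the Hardened Gentoo server/workstation/virtualization levels, with workstation as the default) and 4460 (the GRKERNSEC_PROC_USER/GRKERNSEC_PROC_USERGROUP exclusivity for bug #366019). The commit message "Sync gentoo patches with new Kconfig structure" does not say whether the grsecurity base now used for 2.6.32 provides these itself or whether they are intentionally given up; a sentence in the commit message would tell a 2.6.32 user that the default security level reverts to upstream's GRKERNSEC_CUSTOM and that the mutual-exclusion workaround is gone.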

diff --git a/2.6.32/4445_grsec-pax-without-grsec.patch b/2.6.32/4445_grsec-pax-without-grsec.patch
deleted file mode 100644
index f07b2df..0000000
--- a/2.6.32/4445_grsec-pax-without-grsec.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
-pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
-This patch has been updated to reflect that change.
-
-With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn.
-This patch has been updated to reflect that change.
---
-From: Jory Pratt <anarchy@gentoo.org>
-Updated patch for kernel 2.6.32
-
-The credits/description from the original version of this patch remain accurate
-and are included below.
---
-From: Gordon Malm <gengor@gentoo.org>
-
-Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
-
-This patch has been updated to keep current with newer kernel versions.
-The original version of this patch contained no credits/description.
-
-diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
---- a/arch/x86/mm/fault.c	2011-04-17 18:15:54.000000000 -0400
-+++ b/arch/x86/mm/fault.c	2011-04-17 18:28:11.000000000 -0400
-@@ -662,10 +662,12 @@
- 
- #ifdef CONFIG_PAX_KERNEXEC
- 	if (init_mm.start_code <= address && address < init_mm.end_code) {
-+#ifdef CONFIG_GRKERNSEC
- 		if (current->signal->curr_ip)
- 			printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- 					 &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- 		else
-+#endif
- 			printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- 					 current->comm, task_pid_nr(current), current_uid(), current_euid());
- 	}
-diff -Naur a/fs/exec.c b/fs/exec.c
---- a/fs/exec.c	2011-04-17 18:15:55.000000000 -0400
-+++ b/fs/exec.c	2011-04-17 18:29:40.000000000 -0400
-@@ -1849,9 +1849,11 @@
- 		}
- 		up_read(&mm->mmap_sem);
- 	}
-+#ifdef CONFIG_GRKERNSEC
- 	if (tsk->signal->curr_ip)
- 		printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
- 	else
-+#endif
- 		printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
- 	printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
- 			"PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -1866,10 +1868,12 @@
- #ifdef CONFIG_PAX_REFCOUNT
- void pax_report_refcount_overflow(struct pt_regs *regs)
- {
-+#ifdef CONFIG_GRKERNSEC
- 	if (current->signal->curr_ip)
- 		printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- 				 &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- 	else
-+#endif
- 		printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- 				 current->comm, task_pid_nr(current), current_uid(), current_euid());
- 	print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -1928,10 +1932,12 @@
- 
- __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
- {
-+#ifdef CONFIG_GRKERNSEC
- 	if (current->signal->curr_ip)
- 		printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- 			&current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- 	else
-+#endif
- 		printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- 			to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- 
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2011-04-17 18:15:55.000000000 -0400
-+++ b/security/Kconfig	2011-04-17 18:28:11.000000000 -0400
-@@ -29,7 +29,7 @@
- 	
- config PAX
- 	bool "Enable various PaX features"
--	depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
-+	depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
- 	help
- 	  This allows you to enable various PaX features.  PaX adds
- 	  intrusion prevention mechanisms to the kernel that reduce
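
Review bot: deleting this patch re-imposes `depends on GRKERNSEC && (ALPHA || ARM || ...)` on `config PAX` for 2.6.32 and removes the `#ifdef CONFIG_GRKERNSEC` guards around the `current->signal->curr_ip` logging in arch/x86/mm/fault.c and fs/exec.c. Unless the grsecurity base for 2.6.32 now allows PAX without GRKERNSEC on its own, a PaX-only configuration stops being selectable, and if it does allow it, those now-unguarded curr_ip references are the first place to look for build breaks. The commit message should state which case applies; removing the patch outright rather than updating it as 4450 was updated looks like a regression for this series.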

diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
index 8c6f609..038bb2e 100644
--- a/2.6.32/4450_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
@@ -1,3 +1,7 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+Updated patch for the new Kconfig system for >=3.4.4
+
+---
 From: Kerin Millar <kerframil@gmail.com>
 
 grsecurity contains a number of options which allow certain protections
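
Review bot: the added header says "Updated patch for the new Kconfig system for >=3.4.4", but this copy of the file lives in 2.6.32/, and the diffstat shows the same patch under 3.2.22/ as well. Either the version note is wrong for this directory or the 2.6.32 and 3.2.22 series are now patched against a 3.4.4-era grsecurity Kconfig layout; the header should say which, otherwise a reader cannot tell whether the GID defaults below are expected to apply on a 2.6.32 tree at all.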
@@ -9,19 +13,10 @@ attention to the finer points of kernel configuration, it is probably
 wise to specify some reasonable defaults so as to stop careless users
 from shooting themselves in the foot.
 
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig	2011-12-12 15:11:47.000000000 -0500
-+++ b/grsecurity/Kconfig	2011-12-12 15:13:17.000000000 -0500
-@@ -442,7 +442,7 @@
- config GRKERNSEC_PROC_GID
- 	int "GID for special group"
- 	depends on GRKERNSEC_PROC_USERGROUP
--	default 1001
-+	default 10
- 
- config GRKERNSEC_PROC_ADD
- 	bool "Additional restrictions"
-@@ -670,7 +670,7 @@
+diff -Nuar a/grsecurity/Kconfig b/Kconfig
+--- a/grsecurity/Kconfig	2012-07-01 12:54:58.000000000 -0400
++++ b/grsecurity/Kconfig	2012-07-01 13:00:04.000000000 -0400
+@@ -519,7 +519,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
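
Review bot: the rewritten embedded diff header reads `diff -Nuar a/grsecurity/Kconfig b/Kconfig`, whose b/ path does not match the `+++ b/grsecurity/Kconfig` line directly under it. `patch` follows the ---/+++ lines, so it still applies, but the header should be `b/grsecurity/Kconfig` so the file is self-consistent. Note also that this hunk deletes the GRKERNSEC_PROC_GID change from grsecurity/Kconfig together with its `depends on GRKERNSEC_PROC_USERGROUP` context; the option reappears under security/Kconfig further down in this file, so that is the hunk to check for the dependency.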
@@ -30,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -874,7 +874,7 @@
+@@ -734,7 +734,7 @@
  config GRKERNSEC_TPE_GID
  	int "GID for untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -39,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -883,7 +883,7 @@
+@@ -743,7 +743,7 @@
  config GRKERNSEC_TPE_GID
  	int "GID for trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -48,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -956,7 +956,7 @@
+@@ -818,7 +818,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -57,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -977,7 +977,7 @@
+@@ -839,7 +839,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -66,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -995,7 +995,7 @@
+@@ -857,7 +857,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER
@@ -75,3 +70,15 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable server socket access for.
  	  Remember to add the users you want server socket access disabled for to
+diff -Nuar a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig	2012-07-01 12:51:41.000000000 -0400
++++ b/security/Kconfig	2012-07-01 13:00:23.000000000 -0400
+@@ -186,7 +186,7 @@
+ 
+ config GRKERNSEC_PROC_GID
+ 	int "GID exempted from /proc restrictions"
+-	default 1001
++	default 10
+ 	help
+ 	  Setting this GID determines which group will be exempted from
+ 	  grsecurity's /proc restrictions, allowing users of the specified
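
Review bot: the relocated GRKERNSEC_PROC_GID hunk in security/Kconfig shows `config GRKERNSEC_PROC_GID`, `int "GID exempted from /proc restrictions"`, then the default line, with no `depends on GRKERNSEC_PROC_USERGROUP` between them as the grsecurity/Kconfig version had. Please confirm that upstream still gates this option on GRKERNSEC_PROC_USERGROUP somewhere else in the file; otherwise `default 10` becomes a live exemption GID even on configurations that never chose a special group. The patch description above (Kerin Millar's rationale for sane(r) defaults) should also mention that the /proc exemption GID has moved from grsecurity/Kconfig to security/Kconfig, since that is the one hunk in this file that changed location rather than just offset.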

diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch
deleted file mode 100644
index e18ba0b..0000000
--- a/2.6.32/4455_grsec-kconfig-gentoo.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-From: Gordon Malm <gengor@gentoo.org>
-From: Jory A. Pratt <anarchy@gentoo.org>
-From: Kerin Millar <kerframil@gmail.com>
-
-Add Hardened Gentoo [server/workstation] predefined grsecurity
-levels. They're designed to provide a comparitively high level of
-security while remaining generally suitable for as great a majority
-of the userbase as possible (particularly new users).
-
-Make Hardened Gentoo [workstation] predefined grsecurity level the
-default. The Hardened Gentoo [server] level is more restrictive
-and conflicts with some software and thus would be less suitable.
-
-The original version of this patch was conceived and created by:
-Ned Ludd <solar@gentoo.org>
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig	2011-12-26 10:56:24.000000000 -0500
-+++ b/grsecurity/Kconfig	2011-12-26 12:20:25.000000000 -0500
-@@ -18,7 +18,7 @@
- choice
- 	prompt "Security Level"
- 	depends on GRKERNSEC
--	default GRKERNSEC_CUSTOM
-+	default GRKERNSEC_HARDENED_WORKSTATION
- 
- config GRKERNSEC_LOW
- 	bool "Low"
-@@ -192,6 +192,262 @@
- 	  - Restricted sysfs/debugfs
- 	  - Active kernel exploit response
- 
-+config GRKERNSEC_HARDENED_SERVER
-+	bool "Hardened Gentoo [server]"
-+	select GRKERNSEC_LINK
-+	select GRKERNSEC_FIFO
-+	select GRKERNSEC_DMESG
-+	select GRKERNSEC_FORKFAIL
-+	select GRKERNSEC_TIME
-+	select GRKERNSEC_SIGNAL
-+	select GRKERNSEC_CHROOT
-+	select GRKERNSEC_CHROOT_SHMAT
-+	select GRKERNSEC_CHROOT_UNIX
-+	select GRKERNSEC_CHROOT_MOUNT
-+	select GRKERNSEC_CHROOT_FCHDIR
-+	select GRKERNSEC_CHROOT_PIVOT
-+	select GRKERNSEC_CHROOT_DOUBLE
-+	select GRKERNSEC_CHROOT_CHDIR
-+	select GRKERNSEC_CHROOT_MKNOD
-+	select GRKERNSEC_CHROOT_CAPS
-+	select GRKERNSEC_CHROOT_SYSCTL
-+	select GRKERNSEC_CHROOT_FINDTASK
-+	select GRKERNSEC_SYSFS_RESTRICT
-+	select GRKERNSEC_PROC
-+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+	select GRKERNSEC_HIDESYM
-+	select GRKERNSEC_BRUTE
-+	select GRKERNSEC_PROC_USERGROUP
-+	select GRKERNSEC_KMEM
-+	select GRKERNSEC_RESLOG
-+	select GRKERNSEC_AUDIT_PTRACE
-+	select GRKERNSEC_RANDNET
-+	select GRKERNSEC_PROC_ADD
-+	select GRKERNSEC_CHROOT_CHMOD
-+	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_AUDIT_MOUNT
-+	select GRKERNSEC_MODHARDEN if (MODULES)
-+	select GRKERNSEC_HARDEN_PTRACE
-+	select GRKERNSEC_PTRACE_READEXEC
-+	select GRKERNSEC_SETXID
-+	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_IO
-+	select GRKERNSEC_PROC_IPADDR
-+	select GRKERNSEC_RWXMAP_LOG
-+	select GRKERNSEC_SYSCTL
-+	select GRKERNSEC_SYSCTL_ON
-+	select PAX
-+	select PAX_ASLR
-+	select PAX_RANDKSTACK if (X86_TSC && X86)
-+	select PAX_RANDUSTACK
-+	select PAX_RANDMMAP
-+	select PAX_NOEXEC
-+	select PAX_MPROTECT
-+	select PAX_EI_PAX
-+	select PAX_PT_PAX_FLAGS
-+	select PAX_HAVE_ACL_FLAGS
-+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_SEGMEXEC if (X86_32)
-+	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+	select PAX_EMUTRAMP if (PARISC)
-+	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+	select PAX_MEMORY_SANITIZE
-+	select PAX_MEMORY_STACKLEAK if (!XEN)
-+	help
-+	  If you say Y here, a configuration for grsecurity/PaX features
-+	  will be used that is endorsed by the Hardened Gentoo project.
-+	  These pre-defined security levels are designed to provide a high
-+	  level of security while minimizing incompatibilities with a majority
-+	  of Gentoo's available software.
-+
-+	  This "Hardened Gentoo [server]" level is identical to the
-+	  "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
-+	  and GRKERNSEC_PROC_ADD enabled.  Accordingly, this is the preferred
-+	  security level if the system will not be utilizing software incompatible
-+	  with these features.
-+
-+	  When this level is selected, some security features will be forced on,
-+	  while others will default to their suggested values of off or on.  The
-+	  later can be tweaked at the user's discretion, but may cause problems
-+	  in some situations.  You can fully customize all grsecurity/PaX features
-+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
-+	  inherit the options selected by this security level as a starting point.
-+	  To accomplish this, select this security level, then exit the menuconfig
-+	  interface, saving changes when prompted.  Run make menuconfig again and
-+	  select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION
-+	bool "Hardened Gentoo [workstation]"
-+	select GRKERNSEC_LINK
-+	select GRKERNSEC_FIFO
-+	select GRKERNSEC_DMESG
-+	select GRKERNSEC_FORKFAIL
-+	select GRKERNSEC_TIME
-+	select GRKERNSEC_SIGNAL
-+	select GRKERNSEC_CHROOT
-+	select GRKERNSEC_CHROOT_SHMAT
-+	select GRKERNSEC_CHROOT_UNIX
-+	select GRKERNSEC_CHROOT_MOUNT
-+	select GRKERNSEC_CHROOT_FCHDIR
-+	select GRKERNSEC_CHROOT_PIVOT
-+	select GRKERNSEC_CHROOT_DOUBLE
-+	select GRKERNSEC_CHROOT_CHDIR
-+	select GRKERNSEC_CHROOT_MKNOD
-+	select GRKERNSEC_CHROOT_CAPS
-+	select GRKERNSEC_CHROOT_SYSCTL
-+	select GRKERNSEC_CHROOT_FINDTASK
-+	select GRKERNSEC_PROC
-+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+	select GRKERNSEC_HIDESYM
-+	select GRKERNSEC_BRUTE
-+	select GRKERNSEC_PROC_USERGROUP
-+	select GRKERNSEC_KMEM
-+	select GRKERNSEC_RESLOG
-+	select GRKERNSEC_AUDIT_PTRACE
-+	select GRKERNSEC_RANDNET
-+	select GRKERNSEC_CHROOT_CHMOD
-+	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_AUDIT_MOUNT
-+	select GRKERNSEC_MODHARDEN if (MODULES)
-+	select GRKERNSEC_HARDEN_PTRACE
-+       select GRKERNSEC_PTRACE_READEXEC
-+	select GRKERNSEC_SETXID
-+	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_PROC_IPADDR
-+	select GRKERNSEC_RWXMAP_LOG
-+	select GRKERNSEC_SYSCTL
-+	select GRKERNSEC_SYSCTL_ON
-+	select PAX
-+	select PAX_ASLR
-+	select PAX_RANDKSTACK if (X86_TSC && X86)
-+	select PAX_RANDUSTACK
-+	select PAX_RANDMMAP
-+	select PAX_NOEXEC
-+	select PAX_MPROTECT
-+	select PAX_EI_PAX
-+	select PAX_PT_PAX_FLAGS
-+	select PAX_HAVE_ACL_FLAGS
-+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_SEGMEXEC if (X86_32)
-+	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+	select PAX_EMUTRAMP if (PARISC)
-+	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+	select PAX_MEMORY_SANITIZE
-+	select PAX_MEMORY_STACKLEAK if (!XEN)
-+	help
-+	  If you say Y here, a configuration for grsecurity/PaX features
-+	  will be used that is endorsed by the Hardened Gentoo project.
-+	  These pre-defined security levels are designed to provide a high
-+	  level of security while minimizing incompatibilities with a majority
-+	  of Gentoo's available software.
-+
-+	  This "Hardened Gentoo [workstation]" level is identical to the
-+	  "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
-+	  GRKERNSEC_PROC_ADD disabled.  Accordingly, this is the preferred
-+	  security level if the system will be utilizing software incompatible
-+	  with these features.
-+
-+	  When this level is selected, some security features will be forced on,
-+	  while others will default to their suggested values of off or on.  The
-+	  later can be tweaked at the user's discretion, but may cause problems
-+	  in some situations.  You can fully customize all grsecurity/PaX features
-+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
-+	  inherit the options selected by this security level as a starting point.
-+	  To accomplish this, select this security level, then exit the menuconfig
-+	  interface, saving changes when prompted.  Run make menuconfig again and
-+	  select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_VIRTUALIZATION
-+	bool "Hardened Gentoo [virtualization]"
-+	select GRKERNSEC_LINK
-+	select GRKERNSEC_FIFO
-+	select GRKERNSEC_DMESG
-+	select GRKERNSEC_FORKFAIL
-+	select GRKERNSEC_TIME
-+	select GRKERNSEC_SIGNAL
-+	select GRKERNSEC_CHROOT
-+	select GRKERNSEC_CHROOT_SHMAT
-+	select GRKERNSEC_CHROOT_UNIX
-+	select GRKERNSEC_CHROOT_MOUNT
-+	select GRKERNSEC_CHROOT_FCHDIR
-+	select GRKERNSEC_CHROOT_PIVOT
-+	select GRKERNSEC_CHROOT_DOUBLE
-+	select GRKERNSEC_CHROOT_CHDIR
-+	select GRKERNSEC_CHROOT_MKNOD
-+	select GRKERNSEC_CHROOT_CAPS
-+	select GRKERNSEC_CHROOT_SYSCTL
-+	select GRKERNSEC_CHROOT_FINDTASK
-+	select GRKERNSEC_PROC
-+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+	select GRKERNSEC_HIDESYM
-+	select GRKERNSEC_BRUTE
-+	select GRKERNSEC_PROC_USERGROUP
-+	select GRKERNSEC_KMEM
-+	select GRKERNSEC_RESLOG
-+	select GRKERNSEC_AUDIT_PTRACE
-+	select GRKERNSEC_RANDNET
-+	select GRKERNSEC_CHROOT_CHMOD
-+	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_AUDIT_MOUNT
-+	select GRKERNSEC_MODHARDEN if (MODULES)
-+	select GRKERNSEC_HARDEN_PTRACE
-+       select GRKERNSEC_PTRACE_READEXEC
-+	select GRKERNSEC_SETXID
-+	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_PROC_IPADDR
-+	select GRKERNSEC_RWXMAP_LOG
-+	select GRKERNSEC_SYSCTL
-+	select GRKERNSEC_SYSCTL_ON
-+	select PAX
-+	select PAX_ASLR
-+	select PAX_RANDKSTACK if (X86_TSC && X86)
-+	select PAX_RANDUSTACK
-+	select PAX_RANDMMAP
-+	select PAX_NOEXEC
-+	select PAX_MPROTECT
-+	select PAX_EI_PAX
-+	select PAX_PT_PAX_FLAGS
-+	select PAX_HAVE_ACL_FLAGS
-+	select PAX_SEGMEXEC if (X86_32)
-+	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+	select PAX_EMUTRAMP if (PARISC)
-+	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+	select PAX_MEMORY_SANITIZE
-+	select PAX_MEMORY_STACKLEAK if (!XEN)
-+	help
-+	  If you say Y here, a configuration for grsecurity/PaX features
-+	  will be used that is endorsed by the Hardened Gentoo project.
-+	  These pre-defined security levels are designed to provide a high
-+	  level of security while minimizing incompatibilities with a majority
-+	  of Gentoo's available software.
-+
-+	  This "Hardened Gentoo [virtualization]" level is identical to the
-+	  "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
-+	  PAX_MEMORY_UDEREF defaulting to off.  Accordingly, this is the preferred
-+	  security level if the system will be utilizing virtualization software
-+	  incompatible with these features, like VirtualBox or kvm.
-+
-+	  When this level is selected, some security features will be forced on,
-+	  while others will default to their suggested values of off or on.  The
-+	  later can be tweaked at the user's discretion, but may cause problems
-+	  in some situations.  You can fully customize all grsecurity/PaX features
-+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
-+	  inherit the options selected by this security level as a starting point.
-+	  To accomplish this, select this security level, then exit the menuconfig
-+	  interface, saving changes when prompted.  Run make menuconfig again and
-+	  select the "Custom" level.
-+
- config GRKERNSEC_CUSTOM
- 	bool "Custom"
- 	help
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2011-12-26 12:23:44.000000000 -0500
-+++ b/security/Kconfig	2011-12-26 11:14:27.000000000 -0500
-@@ -360,9 +360,10 @@
- 
- config PAX_KERNEXEC
- 	bool "Enforce non-executable kernel pages"
--	depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+	depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- 	select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
- 	select PAX_KERNEXEC_PLUGIN if X86_64
-+	default y if GRKERNSEC_HARDENED_WORKSTATION
- 	help
- 	  This is the kernel land equivalent of PAGEEXEC and MPROTECT,
- 	  that is, enabling this option will make it harder to inject
-@@ -373,30 +374,30 @@
- 
- choice
- 	prompt "Return Address Instrumentation Method"
--	default PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+	default PAX_KERNEXEC_PLUGIN_METHOD_OR
- 	depends on PAX_KERNEXEC_PLUGIN
- 	help
- 	  Select the method used to instrument function pointer dereferences.
- 	  Note that binary modules cannot be instrumented by this approach.
- 
--	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
--		bool "bts"
--		help
--		  This method is compatible with binary only modules but has
--		  a higher runtime overhead.
--
- 	config PAX_KERNEXEC_PLUGIN_METHOD_OR
- 		bool "or"
- 		depends on !PARAVIRT
- 		help
- 		  This method is incompatible with binary only modules but has
- 		  a lower runtime overhead.
-+
-+	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+		bool "bts"
-+		help
-+		  This method is compatible with binary only modules but has
-+		  a higher runtime overhead.
- endchoice
- 
- config PAX_KERNEXEC_PLUGIN_METHOD
- 	string
--	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- 	default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
-+	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- 	default ""
- 
- config PAX_KERNEXEC_MODULE_TEXT
-@@ -553,8 +554,9 @@
- 
- config PAX_MEMORY_UDEREF
- 	bool "Prevent invalid userland pointer dereference"
--	depends on X86 && !UML_X86 && !XEN
-+	depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- 	select PAX_PER_CPU_PGD if X86_64
-+	default y if GRKERNSEC_HARDENED_WORKSTATION
- 	help
- 	  By saying Y here the kernel will be prevented from dereferencing
- 	  userland pointers in contexts where the kernel expects only kernel
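
Review bot: removing this file also removes the security/Kconfig changes bundled into it that are not about the Gentoo levels themselves. The `default y if GRKERNSEC_HARDENED_WORKSTATION` on PAX_KERNEXEC and PAX_MEMORY_UDEREF and the `!GRKERNSEC_HARDENED_VIRTUALIZATION` dependency go away harmlessly with the symbols, but the reordering that made PAX_KERNEXEC_PLUGIN_METHOD_OR the default of the "Return Address Instrumentation Method" choice is lost too, so 2.6.32 builds with PAX_KERNEXEC_PLUGIN flip back to the upstream "bts" default (compatible with binary-only modules but higher runtime overhead, per the help text). That is a behaviour change for existing configurations and deserves a line in the commit message or a small replacement patch carrying only the default.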

diff --git a/2.6.32/4460-grsec-kconfig-proc-user.patch b/2.6.32/4460-grsec-kconfig-proc-user.patch
deleted file mode 100644
index 8409e87..0000000
--- a/2.6.32/4460-grsec-kconfig-proc-user.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
-in a different way to avoid bug #366019.  This patch should eventually go upstream.
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig	2011-06-29 07:46:02.000000000 -0400
-+++ b/grsecurity/Kconfig	2011-06-29 07:47:20.000000000 -0400
-@@ -679,7 +679,7 @@
- 
- config GRKERNSEC_PROC_USER
- 	bool "Restrict /proc to user only"
--	depends on GRKERNSEC_PROC
-+	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
- 	help
- 	  If you say Y here, non-root users will only be able to view their own
- 	  processes, and restricts them from viewing network-related information,
-@@ -687,7 +687,7 @@
- 
- config GRKERNSEC_PROC_USERGROUP
- 	bool "Allow special group"
--	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+	depends on GRKERNSEC_PROC
- 	help
- 	  If you say Y here, you will be able to select a group that will be
- 	  able to view all processes and network-related information.  If you've
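
Review bot: this drops the Gentoo-side workaround for bug #366019, which moved the `!` exclusion from `GRKERNSEC_PROC_USERGROUP` (`depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER`) onto `GRKERNSEC_PROC_USER` (`depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP`). The description says it "should eventually go upstream"; the commit message should record whether it did, because otherwise the 2.6.32 tree returns to the exact dependency shape the patch was written to avoid.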

diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
index 43147a7..67d09ef 100644
--- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 18:47:02.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 18:51:15.000000000 -0400
-@@ -1308,6 +1308,27 @@
+@@ -916,6 +916,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  
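Review bot: only the hunk offset is hand-edited here (`@@ -1308,6 +1308,27 @@` becomes `@@ -916,6 +916,27 @@`) while the `--- a/grsecurity/Kconfig 2011-04-17` and `+++` timestamps two lines above stay untouched. `patch` locates hunks by context with fuzz, so the offset alone rarely matters, but the header now claims a 2011 file that the hunk no longer lines up with; regenerating the embedded diff against the tree it actually applies to, as was done for 4450, would keep the file honest.
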

diff --git a/2.6.32/4470_disable-compat_vdso.patch b/2.6.32/4470_disable-compat_vdso.patch
index c8e1aeb..a54092e 100644
--- a/2.6.32/4470_disable-compat_vdso.patch
+++ b/2.6.32/4470_disable-compat_vdso.patch
@@ -27,7 +27,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
 --- a/arch/x86/Kconfig	2009-07-31 01:36:57.323857684 +0100
 +++ b/arch/x86/Kconfig	2009-07-31 01:51:39.395749681 +0100
-@@ -1616,17 +1616,8 @@
+@@ -1625,17 +1625,8 @@
  
  config COMPAT_VDSO
  	def_bool n
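
Review bot: only the hunk offset moves (`@@ -1616,17 +1616,8 @@` to `@@ -1625,17 +1625,8 @@`) while the embedded `--- a/arch/x86/Kconfig 2009-07-31` header and its 2009 timestamp remain. This works with `patch` fuzz, but a hand-edited offset against a header that still describes a 2009 file is easy to get wrong silently; regenerating the diff against the current arch/x86/Kconfig would be safer.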

diff --git a/3.2.22/0000_README b/3.2.22/0000_README
index b314927..ccfefdd 100644
--- a/3.2.22/0000_README
+++ b/3.2.22/0000_README
@@ -20,27 +20,11 @@ Patch:	4440_grsec-remove-protected-paths.patch
 From:	Anthony G. Basile <blueness@gentoo.org>
 Desc:	Removes chmod statements from grsecurity/Makefile
 
-Patch:	4445_grsec-pax-without-grsec.patch
-From:	Gordon Malm <gengor@gentoo.org>
-Desc:	Allows PaX features to be selected without enabling GRKERNSEC
-
 Patch:	4450_grsec-kconfig-default-gids.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Sets sane(r) default GIDs on various grsecurity group-dependent
 	features
 
-Patch:	4455_grsec-kconfig-gentoo.patch
-From:	Gordon Malm <gengor@gentoo.org>
-	Kerin Millar <kerframil@gmail.com>
-	Anthony G. Basile <blueness@gentoo.org>
-Desc:	Adds Hardened Gentoo [server/workstation/virtualization] security levels,
-	sets Hardened Gentoo [workstation] as default
-
-Patch:	4460-grsec-kconfig-proc-user.patch
-From:	Anthony G. Basile <blueness@gentoo.org>
-Desc:	Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
-	exclusive to avoid bug #366019.
-
 Patch:	4465_selinux-avc_audit-log-curr_ip.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Anthony G. Basile <blueness@gentoo.org>
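
Review bot: the 3.2.22 README loses the entries for 4445, 4455 and 4460 with no replacement lines explaining where the PaX-without-GRKERNSEC option, the Hardened Gentoo [server/workstation/virtualization] levels (and the workstation default) and the bug #366019 exclusivity now live. The commit message only says the patches are synced to a new Kconfig structure; for 3.2.22 users who relied on the default level, a note that the default reverts to the upstream "Custom" choice would avoid surprise configurations.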

diff --git a/3.2.22/4445_grsec-pax-without-grsec.patch b/3.2.22/4445_grsec-pax-without-grsec.patch
deleted file mode 100644
index 58301c0..0000000
--- a/3.2.22/4445_grsec-pax-without-grsec.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
-pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
-This patch has been updated to reflect that change.
-
-With grsecurity-2.9-2.6.32.58-201203131839, NORET_TYPE has been replaced by __noreturn.
-This patch has been updated to reflect that change.
---
-From: Jory Pratt <anarchy@gentoo.org>
-Updated patch for kernel 2.6.32
-
-The credits/description from the original version of this patch remain accurate
-and are included below.
---
-From: Gordon Malm <gengor@gentoo.org>
-
-Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
-
-This patch has been updated to keep current with newer kernel versions.
-The original version of this patch contained no credits/description.
-
-diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
---- a/arch/x86/mm/fault.c	2011-04-17 19:05:03.000000000 -0400
-+++ a/arch/x86/mm/fault.c	2011-04-17 19:20:30.000000000 -0400
-@@ -657,10 +657,12 @@
- 
- #ifdef CONFIG_PAX_KERNEXEC
- 	if (init_mm.start_code <= address && address < init_mm.end_code) {
-+#ifdef CONFIG_GRKERNSEC
- 		if (current->signal->curr_ip)
- 			printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- 					 &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- 		else
-+#endif
- 			printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
- 					 current->comm, task_pid_nr(current), current_uid(), current_euid());
- 	}
-diff -Naur a/fs/exec.c b/fs/exec.c
---- a/fs/exec.c	2011-04-17 19:05:03.000000000 -0400
-+++ b/fs/exec.c	2011-04-17 19:20:30.000000000 -0400
-@@ -2048,9 +2048,11 @@
- 		}
- 		up_read(&mm->mmap_sem);
- 	}
-+#ifdef CONFIG_GRKERNSEC
- 	if (tsk->signal->curr_ip)
- 		printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
- 	else
-+#endif
- 		printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
- 	printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
- 			"PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -2065,10 +2067,12 @@
- #ifdef CONFIG_PAX_REFCOUNT
- void pax_report_refcount_overflow(struct pt_regs *regs)
- {
-+#ifdef CONFIG_GRKERNSEC
- 	if (current->signal->curr_ip)
- 		printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- 				 &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
- 	else
-+#endif
- 		printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
- 				 current->comm, task_pid_nr(current), current_uid(), current_euid());
- 	print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -2127,10 +2131,12 @@
- 
- __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
- {
-+#ifdef CONFIG_GRKERNSEC
- 	if (current->signal->curr_ip)
- 		printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- 			&current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- 	else
-+#endif
- 		printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
- 			to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
- 	dump_stack();
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2011-04-17 19:05:03.000000000 -0400
-+++ b/security/Kconfig	2011-04-17 19:20:30.000000000 -0400
-@@ -29,7 +29,7 @@
- 	
- config PAX
- 	bool "Enable various PaX features"
--	depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
-+	depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
- 	help
- 	  This allows you to enable various PaX features.  PaX adds
- 	  intrusion prevention mechanisms to the kernel that reduce
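Review bot: the guards removed with this file (`+#ifdef CONFIG_GRKERNSEC` around each `current->signal->curr_ip` branch in fs/exec.c, and the dropped `depends on GRKERNSEC` on `config PAX` in security/Kconfig) are what allowed PaX to be built without grsecurity; the commit message only says "new Kconfig structure", so it should state explicitly that the upstream grsecurity patch now carries equivalent guards, otherwise enabling PAX without GRKERNSEC on 3.2.22 regresses to a build failure on the unguarded `curr_ip` references.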

diff --git a/3.2.22/4455_grsec-kconfig-gentoo.patch b/3.2.22/4455_grsec-kconfig-gentoo.patch
deleted file mode 100644
index 87b5454..0000000
--- a/3.2.22/4455_grsec-kconfig-gentoo.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-From: Gordon Malm <gengor@gentoo.org>
-From: Jory A. Pratt <anarchy@gentoo.org>
-From: Kerin Millar <kerframil@gmail.com>
-
-Add Hardened Gentoo [server/workstation] predefined grsecurity
-levels. They're designed to provide a comparitively high level of
-security while remaining generally suitable for as great a majority
-of the userbase as possible (particularly new users).
-
-Make Hardened Gentoo [workstation] predefined grsecurity level the
-default. The Hardened Gentoo [server] level is more restrictive
-and conflicts with some software and thus would be less suitable.
-
-The original version of this patch was conceived and created by:
-Ned Ludd <solar@gentoo.org>
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig	2011-12-26 10:56:24.000000000 -0500
-+++ b/grsecurity/Kconfig	2011-12-26 12:20:25.000000000 -0500
-@@ -18,7 +18,7 @@
- choice
- 	prompt "Security Level"
- 	depends on GRKERNSEC
--	default GRKERNSEC_CUSTOM
-+	default GRKERNSEC_HARDENED_WORKSTATION
- 
- config GRKERNSEC_LOW
- 	bool "Low"
-@@ -192,6 +192,262 @@
- 	  - Restricted sysfs/debugfs
- 	  - Active kernel exploit response
- 
-+config GRKERNSEC_HARDENED_SERVER
-+	bool "Hardened Gentoo [server]"
-+	select GRKERNSEC_LINK
-+	select GRKERNSEC_FIFO
-+	select GRKERNSEC_DMESG
-+	select GRKERNSEC_FORKFAIL
-+	select GRKERNSEC_TIME
-+	select GRKERNSEC_SIGNAL
-+	select GRKERNSEC_CHROOT
-+	select GRKERNSEC_CHROOT_SHMAT
-+	select GRKERNSEC_CHROOT_UNIX
-+	select GRKERNSEC_CHROOT_MOUNT
-+	select GRKERNSEC_CHROOT_FCHDIR
-+	select GRKERNSEC_CHROOT_PIVOT
-+	select GRKERNSEC_CHROOT_DOUBLE
-+	select GRKERNSEC_CHROOT_CHDIR
-+	select GRKERNSEC_CHROOT_MKNOD
-+	select GRKERNSEC_CHROOT_CAPS
-+	select GRKERNSEC_CHROOT_SYSCTL
-+	select GRKERNSEC_CHROOT_FINDTASK
-+	select GRKERNSEC_SYSFS_RESTRICT
-+	select GRKERNSEC_PROC
-+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+	select GRKERNSEC_HIDESYM
-+	select GRKERNSEC_BRUTE
-+	select GRKERNSEC_PROC_USERGROUP
-+	select GRKERNSEC_KMEM
-+	select GRKERNSEC_RESLOG
-+	select GRKERNSEC_AUDIT_PTRACE
-+	select GRKERNSEC_RANDNET
-+	select GRKERNSEC_PROC_ADD
-+	select GRKERNSEC_CHROOT_CHMOD
-+	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_AUDIT_MOUNT
-+	select GRKERNSEC_MODHARDEN if (MODULES)
-+	select GRKERNSEC_HARDEN_PTRACE
-+	select GRKERNSEC_PTRACE_READEXEC
-+	select GRKERNSEC_SETXID
-+	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_IO
-+	select GRKERNSEC_PROC_IPADDR
-+	select GRKERNSEC_RWXMAP_LOG
-+	select GRKERNSEC_SYSCTL
-+	select GRKERNSEC_SYSCTL_ON
-+	select PAX
-+	select PAX_ASLR
-+	select PAX_RANDKSTACK if (X86_TSC && X86)
-+	select PAX_RANDUSTACK
-+	select PAX_RANDMMAP
-+	select PAX_NOEXEC
-+	select PAX_MPROTECT
-+	select PAX_EI_PAX
-+	select PAX_PT_PAX_FLAGS
-+	select PAX_HAVE_ACL_FLAGS
-+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_SEGMEXEC if (X86_32)
-+	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+	select PAX_EMUTRAMP if (PARISC)
-+	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+	select PAX_MEMORY_SANITIZE
-+	select PAX_MEMORY_STACKLEAK if (!XEN)
-+	help
-+	  If you say Y here, a configuration for grsecurity/PaX features
-+	  will be used that is endorsed by the Hardened Gentoo project.
-+	  These pre-defined security levels are designed to provide a high
-+	  level of security while minimizing incompatibilities with a majority
-+	  of Gentoo's available software.
-+
-+	  This "Hardened Gentoo [server]" level is identical to the
-+	  "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
-+	  and GRKERNSEC_PROC_ADD enabled.  Accordingly, this is the preferred
-+	  security level if the system will not be utilizing software incompatible
-+	  with these features.
-+
-+	  When this level is selected, some security features will be forced on,
-+	  while others will default to their suggested values of off or on.  The
-+	  later can be tweaked at the user's discretion, but may cause problems
-+	  in some situations.  You can fully customize all grsecurity/PaX features
-+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
-+	  inherit the options selected by this security level as a starting point.
-+	  To accomplish this, select this security level, then exit the menuconfig
-+	  interface, saving changes when prompted.  Run make menuconfig again and
-+	  select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_WORKSTATION
-+	bool "Hardened Gentoo [workstation]"
-+	select GRKERNSEC_LINK
-+	select GRKERNSEC_FIFO
-+	select GRKERNSEC_DMESG
-+	select GRKERNSEC_FORKFAIL
-+	select GRKERNSEC_TIME
-+	select GRKERNSEC_SIGNAL
-+	select GRKERNSEC_CHROOT
-+	select GRKERNSEC_CHROOT_SHMAT
-+	select GRKERNSEC_CHROOT_UNIX
-+	select GRKERNSEC_CHROOT_MOUNT
-+	select GRKERNSEC_CHROOT_FCHDIR
-+	select GRKERNSEC_CHROOT_PIVOT
-+	select GRKERNSEC_CHROOT_DOUBLE
-+	select GRKERNSEC_CHROOT_CHDIR
-+	select GRKERNSEC_CHROOT_MKNOD
-+	select GRKERNSEC_CHROOT_CAPS
-+	select GRKERNSEC_CHROOT_SYSCTL
-+	select GRKERNSEC_CHROOT_FINDTASK
-+	select GRKERNSEC_PROC
-+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+	select GRKERNSEC_HIDESYM
-+	select GRKERNSEC_BRUTE
-+	select GRKERNSEC_PROC_USERGROUP
-+	select GRKERNSEC_KMEM
-+	select GRKERNSEC_RESLOG
-+	select GRKERNSEC_AUDIT_PTRACE
-+	select GRKERNSEC_RANDNET
-+	select GRKERNSEC_CHROOT_CHMOD
-+	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_AUDIT_MOUNT
-+	select GRKERNSEC_MODHARDEN if (MODULES)
-+	select GRKERNSEC_HARDEN_PTRACE
-+       select GRKERNSEC_PTRACE_READEXEC
-+	select GRKERNSEC_SETXID
-+	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_PROC_IPADDR
-+	select GRKERNSEC_RWXMAP_LOG
-+	select GRKERNSEC_SYSCTL
-+	select GRKERNSEC_SYSCTL_ON
-+	select PAX
-+	select PAX_ASLR
-+	select PAX_RANDKSTACK if (X86_TSC && X86)
-+	select PAX_RANDUSTACK
-+	select PAX_RANDMMAP
-+	select PAX_NOEXEC
-+	select PAX_MPROTECT
-+	select PAX_EI_PAX
-+	select PAX_PT_PAX_FLAGS
-+	select PAX_HAVE_ACL_FLAGS
-+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_SEGMEXEC if (X86_32)
-+	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+	select PAX_EMUTRAMP if (PARISC)
-+	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+	select PAX_MEMORY_SANITIZE
-+	select PAX_MEMORY_STACKLEAK if (!XEN)
-+	help
-+	  If you say Y here, a configuration for grsecurity/PaX features
-+	  will be used that is endorsed by the Hardened Gentoo project.
-+	  These pre-defined security levels are designed to provide a high
-+	  level of security while minimizing incompatibilities with a majority
-+	  of Gentoo's available software.
-+
-+	  This "Hardened Gentoo [workstation]" level is identical to the
-+	  "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
-+	  GRKERNSEC_PROC_ADD disabled.  Accordingly, this is the preferred
-+	  security level if the system will be utilizing software incompatible
-+	  with these features.
-+
-+	  When this level is selected, some security features will be forced on,
-+	  while others will default to their suggested values of off or on.  The
-+	  later can be tweaked at the user's discretion, but may cause problems
-+	  in some situations.  You can fully customize all grsecurity/PaX features
-+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
-+	  inherit the options selected by this security level as a starting point.
-+	  To accomplish this, select this security level, then exit the menuconfig
-+	  interface, saving changes when prompted.  Run make menuconfig again and
-+	  select the "Custom" level.
-+
-+config GRKERNSEC_HARDENED_VIRTUALIZATION
-+	bool "Hardened Gentoo [virtualization]"
-+	select GRKERNSEC_LINK
-+	select GRKERNSEC_FIFO
-+	select GRKERNSEC_DMESG
-+	select GRKERNSEC_FORKFAIL
-+	select GRKERNSEC_TIME
-+	select GRKERNSEC_SIGNAL
-+	select GRKERNSEC_CHROOT
-+	select GRKERNSEC_CHROOT_SHMAT
-+	select GRKERNSEC_CHROOT_UNIX
-+	select GRKERNSEC_CHROOT_MOUNT
-+	select GRKERNSEC_CHROOT_FCHDIR
-+	select GRKERNSEC_CHROOT_PIVOT
-+	select GRKERNSEC_CHROOT_DOUBLE
-+	select GRKERNSEC_CHROOT_CHDIR
-+	select GRKERNSEC_CHROOT_MKNOD
-+	select GRKERNSEC_CHROOT_CAPS
-+	select GRKERNSEC_CHROOT_SYSCTL
-+	select GRKERNSEC_CHROOT_FINDTASK
-+	select GRKERNSEC_PROC
-+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-+	select GRKERNSEC_HIDESYM
-+	select GRKERNSEC_BRUTE
-+	select GRKERNSEC_PROC_USERGROUP
-+	select GRKERNSEC_KMEM
-+	select GRKERNSEC_RESLOG
-+	select GRKERNSEC_AUDIT_PTRACE
-+	select GRKERNSEC_RANDNET
-+	select GRKERNSEC_CHROOT_CHMOD
-+	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_AUDIT_MOUNT
-+	select GRKERNSEC_MODHARDEN if (MODULES)
-+	select GRKERNSEC_HARDEN_PTRACE
-+       select GRKERNSEC_PTRACE_READEXEC
-+	select GRKERNSEC_SETXID
-+	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_PROC_IPADDR
-+	select GRKERNSEC_RWXMAP_LOG
-+	select GRKERNSEC_SYSCTL
-+	select GRKERNSEC_SYSCTL_ON
-+	select PAX
-+	select PAX_ASLR
-+	select PAX_RANDKSTACK if (X86_TSC && X86)
-+	select PAX_RANDUSTACK
-+	select PAX_RANDMMAP
-+	select PAX_NOEXEC
-+	select PAX_MPROTECT
-+	select PAX_EI_PAX
-+	select PAX_PT_PAX_FLAGS
-+	select PAX_HAVE_ACL_FLAGS
-+	select PAX_SEGMEXEC if (X86_32)
-+	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-+	select PAX_EMUTRAMP if (PARISC)
-+	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-+	select PAX_MEMORY_SANITIZE
-+	select PAX_MEMORY_STACKLEAK if (!XEN)
-+	help
-+	  If you say Y here, a configuration for grsecurity/PaX features
-+	  will be used that is endorsed by the Hardened Gentoo project.
-+	  These pre-defined security levels are designed to provide a high
-+	  level of security while minimizing incompatibilities with a majority
-+	  of Gentoo's available software.
-+
-+	  This "Hardened Gentoo [virtualization]" level is identical to the
-+	  "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
-+	  PAX_MEMORY_UDEREF defaulting to off.  Accordingly, this is the preferred
-+	  security level if the system will be utilizing virtualization software
-+	  incompatible with these features, like VirtualBox or kvm.
-+
-+	  When this level is selected, some security features will be forced on,
-+	  while others will default to their suggested values of off or on.  The
-+	  later can be tweaked at the user's discretion, but may cause problems
-+	  in some situations.  You can fully customize all grsecurity/PaX features
-+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
-+	  inherit the options selected by this security level as a starting point.
-+	  To accomplish this, select this security level, then exit the menuconfig
-+	  interface, saving changes when prompted.  Run make menuconfig again and
-+	  select the "Custom" level.
-+
- config GRKERNSEC_CUSTOM
- 	bool "Custom"
- 	help
-diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2011-12-26 12:23:44.000000000 -0500
-+++ b/security/Kconfig	2011-12-26 11:14:27.000000000 -0500
-@@ -362,9 +362,10 @@
- 
- config PAX_KERNEXEC
- 	bool "Enforce non-executable kernel pages"
--	depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+	depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- 	select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
- 	select PAX_KERNEXEC_PLUGIN if X86_64
-+	default y if GRKERNSEC_HARDENED_WORKSTATION
- 	help
- 	  This is the kernel land equivalent of PAGEEXEC and MPROTECT,
- 	  that is, enabling this option will make it harder to inject
-@@ -375,30 +376,30 @@
- 
- choice
- 	prompt "Return Address Instrumentation Method"
--	default PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+	default PAX_KERNEXEC_PLUGIN_METHOD_OR
- 	depends on PAX_KERNEXEC_PLUGIN
- 	help
- 	  Select the method used to instrument function pointer dereferences.
- 	  Note that binary modules cannot be instrumented by this approach.
- 
--	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
--		bool "bts"
--		help
--		  This method is compatible with binary only modules but has
--		  a higher runtime overhead.
--
- 	config PAX_KERNEXEC_PLUGIN_METHOD_OR
- 		bool "or"
- 		depends on !PARAVIRT
- 		help
- 		  This method is incompatible with binary only modules but has
- 		  a lower runtime overhead.
-+
-+	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-+		bool "bts"
-+		help
-+		  This method is compatible with binary only modules but has
-+		  a higher runtime overhead.
- endchoice
- 
- config PAX_KERNEXEC_PLUGIN_METHOD
- 	string
--	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- 	default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
-+	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
- 	default ""
- 
- config PAX_KERNEXEC_MODULE_TEXT
-@@ -555,8 +556,9 @@
- 
- config PAX_MEMORY_UDEREF
- 	bool "Prevent invalid userland pointer dereference"
--	depends on X86 && !UML_X86 && !XEN
-+	depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
- 	select PAX_PER_CPU_PGD if X86_64
-+	default y if GRKERNSEC_HARDENED_WORKSTATION
- 	help
- 	  By saying Y here the kernel will be prevented from dereferencing
- 	  userland pointers in contexts where the kernel expects only kernel
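Review bot: deleting this file drops three separate effects for 3.2.22, and the commit message should say which of them the upstream "new Kconfig structure" replaces: the `default GRKERNSEC_HARDENED_WORKSTATION` security-level default together with the three `GRKERNSEC_HARDENED_*` choices, the `default y if GRKERNSEC_HARDENED_WORKSTATION` added to PAX_KERNEXEC and PAX_MEMORY_UDEREF, and the reordering that made `PAX_KERNEXEC_PLUGIN_METHOD_OR` the default over `_BTS`. Whichever of these upstream does not provide reverts silently to the upstream defaults (`GRKERNSEC_CUSTOM`, KERNEXEC/UDEREF not defaulted on, method "bts") on the next kernel build; a note in 3.2.22/0000_README pointing users at the replacement would avoid that surprise.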

diff --git a/3.2.22/4460-grsec-kconfig-proc-user.patch b/3.2.22/4460-grsec-kconfig-proc-user.patch
deleted file mode 100644
index b2b3188..0000000
--- a/3.2.22/4460-grsec-kconfig-proc-user.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Anthony G. Basile <blueness@gentoo.org>
-
-Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
-in a different way to avoid bug #366019.  This patch should eventually go upstream.
-
-diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig	2011-06-29 10:02:56.000000000 -0400
-+++ b/grsecurity/Kconfig	2011-06-29 10:08:07.000000000 -0400
-@@ -680,7 +680,7 @@
- 
- config GRKERNSEC_PROC_USER
- 	bool "Restrict /proc to user only"
--	depends on GRKERNSEC_PROC
-+	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP
- 	help
- 	  If you say Y here, non-root users will only be able to view their own
- 	  processes, and restricts them from viewing network-related information,
-@@ -688,7 +688,7 @@
- 
- config GRKERNSEC_PROC_USERGROUP
- 	bool "Allow special group"
--	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+	depends on GRKERNSEC_PROC
- 	help
- 	  If you say Y here, you will be able to select a group that will be
-           able to view all processes and network-related information.  If you've
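Review bot: this patch was the workaround for bug #366019 (moving the mutual exclusion onto GRKERNSEC_PROC_USER via `depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP` rather than the reverse), and its own header says it "should eventually go upstream"; the commit message should confirm that the upstream grsecurity Kconfig now resolves the conflict between the two options, otherwise removing it reopens #366019 for 3.2.22. A reference to the upstream change would let the next person verify this without re-reading both Kconfigs.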

diff --git a/3.4.4/0000_README b/3.4.4/0000_README
index be72568..6e60159 100644
--- a/3.4.4/0000_README
+++ b/3.4.4/0000_README
@@ -2,6 +2,10 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
+Patch:	2600_FW_MIPS_FILE_06_regression.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Fix regressions against bnx2 firmware
+
 Patch:	4420_grsecurity-2.9.1-3.4.4-201207080925.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
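Review bot: the new README entry describes `2600_FW_MIPS_FILE_06_regression.patch` under 3.4.4/, but no file by that name is added in this diff (it would sort after 3.4.4/0000_README and nothing follows), so either the patch is missing from the commit or the README is ahead of it. The `Desc:` line could also say what the regression actually is and cite the bug it fixes: the file name mentions MIPS firmware while the description mentions bnx2, and "Fix regressions against bnx2 firmware" does not say what broke.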


