* [gentoo-commits] proj/hardened-patchset:master commit in: 3.1.6/, 2.6.32/
@ 2011-12-26 18:03 Anthony G. Basile
From: Anthony G. Basile @ 2011-12-26 18:03 UTC (permalink / raw
  To: gentoo-commits

commit:     835527baca95c642a9edf5920646d9609dc05647
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 26 17:57:21 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Dec 26 17:57:21 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=835527ba

Added predefined selections for GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}

Forced selection on for:
 GRKERNSEC_SYSFS_RESTRICT
 GRKERNSEC_AUDIT_PTRACE
 CONFIG_GRKERNSEC_SETXID
 CONFIG_PAX_RANDKSTACK
 CONFIG_PAX_MEMORY_STACKLEAK
 default to CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
 depends on >= gcc-4.5.0

---
 2.6.32/4435_grsec-kconfig-gentoo.patch          |  104 ++++++++++++++++------
 2.6.32/4437-grsec-kconfig-proc-user.patch       |    4 +-
 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch |    2 +-
 3.1.6/4430_grsec-kconfig-default-gids.patch     |   14 ++--
 3.1.6/4435_grsec-kconfig-gentoo.patch           |  105 ++++++++++++++++------
 3.1.6/4437-grsec-kconfig-proc-user.patch        |    4 +-
 3.1.6/4440_selinux-avc_audit-log-curr_ip.patch  |    2 +-
 7 files changed, 165 insertions(+), 70 deletions(-)

diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index b9e9d3a..8257202 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig	2011-04-17 18:41:22.000000000 -0400
-+++ b/grsecurity/Kconfig	2011-04-17 18:42:14.000000000 -0400
+--- a/grsecurity/Kconfig	2011-12-26 10:56:24.000000000 -0500
++++ b/grsecurity/Kconfig	2011-12-26 12:20:25.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -190,6 +190,258 @@
+@@ -190,6 +190,267 @@
  	  - Restricted sysfs/debugfs
  	  - Active kernel exploit response
  
@@ -51,6 +51,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_CHROOT_CAPS
 +	select GRKERNSEC_CHROOT_SYSCTL
 +	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_SYSFS_RESTRICT
 +	select GRKERNSEC_PROC
 +	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
 +	select GRKERNSEC_HIDESYM
@@ -58,6 +59,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_PROC_USERGROUP
 +	select GRKERNSEC_KMEM
 +	select GRKERNSEC_RESLOG
++	select GRKERNSEC_AUDIT_PTRACE
 +	select GRKERNSEC_RANDNET
 +	select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
@@ -65,33 +67,36 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_SETXID
 +	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_IO if (X86)
++	select GRKERNSEC_IO
 +	select GRKERNSEC_PROC_IPADDR
 +	select GRKERNSEC_RWXMAP_LOG
 +	select GRKERNSEC_SYSCTL
 +	select GRKERNSEC_SYSCTL_ON
 +	select PAX
-+	select PAX_RANDUSTACK
 +	select PAX_ASLR
++	select PAX_RANDKSTACK
++	select PAX_RANDUSTACK
 +	select PAX_RANDMMAP
 +	select PAX_NOEXEC
 +	select PAX_MPROTECT
 +	select PAX_EI_PAX
 +	select PAX_PT_PAX_FLAGS
 +	select PAX_HAVE_ACL_FLAGS
-+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++	select PAX_KERNEXEC
++	select PAX_MEMORY_UDEREF
 +	select PAX_SEGMEXEC if (X86_32)
 +	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
 +	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
++	select PAX_MEMORY_STACKLEAK
 +	help
 +	  If you say Y here, a configuration for grsecurity/PaX features
 +	  will be used that is endorsed by the Hardened Gentoo project.
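Review bot: The SERVER profile now selects PAX_KERNEXEC, PAX_MEMORY_UDEREF, PAX_RANDKSTACK and GRKERNSEC_IO unconditionally where the removed lines guarded them with architecture and `!XEN` tests, and a Kconfig `select` forces its target on even when that target's own `depends on` is unmet, so a configuration the old guard would have excluded (a Xen guest or a non-x86 build, for instance) ends up with an "unmet direct dependencies" warning and hardening code compiled for a platform that may not support it. The inner edit to the `config PAX_KERNEXEC` stanza in security/Kconfig appears further down only as context, so whether its dependency list was relaxed to match cannot be confirmed from this page; if it was not, the guards belong back, e.g. `select PAX_KERNEXEC if ((PPC || X86) && !XEN)` and `select PAX_MEMORY_UDEREF if (X86 && !XEN)`. The same commit keeps the "or" instrumentation method at `depends on !PARAVIRT`, which points the same way. The GRKERNSEC_HARDENED_SERVER stanza begins before this hunk.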
@@ -135,6 +140,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_CHROOT_CAPS
 +	select GRKERNSEC_CHROOT_SYSCTL
 +	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_SYSFS_RESTRICT
 +	select GRKERNSEC_PROC
 +	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
 +	select GRKERNSEC_HIDESYM
@@ -142,40 +148,42 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_PROC_USERGROUP
 +	select GRKERNSEC_KMEM
 +	select GRKERNSEC_RESLOG
++	select GRKERNSEC_AUDIT_PTRACE
 +	select GRKERNSEC_RANDNET
-+	# select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_SETXID
 +	select GRKERNSEC_VM86 if (X86_32)
-+	# select GRKERNSEC_IO if (X86)
 +	select GRKERNSEC_PROC_IPADDR
 +	select GRKERNSEC_RWXMAP_LOG
 +	select GRKERNSEC_SYSCTL
 +	select GRKERNSEC_SYSCTL_ON
 +	select PAX
-+	select PAX_RANDUSTACK
 +	select PAX_ASLR
++	select PAX_RANDKSTACK
++	select PAX_RANDUSTACK
 +	select PAX_RANDMMAP
 +	select PAX_NOEXEC
 +	select PAX_MPROTECT
 +	select PAX_EI_PAX
 +	select PAX_PT_PAX_FLAGS
 +	select PAX_HAVE_ACL_FLAGS
-+	# select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	# select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++	select PAX_KERNEXEC
++	select PAX_MEMORY_UDEREF
 +	select PAX_SEGMEXEC if (X86_32)
 +	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
 +	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
++	select PAX_MEMORY_STACKLEAK
 +	help
 +	  If you say Y here, a configuration for grsecurity/PaX features
 +	  will be used that is endorsed by the Hardened Gentoo project.
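Review bot: For the WORKSTATION profile PAX_KERNEXEC and PAX_MEMORY_UDEREF go from commented-out to an unconditional `select`, and the same commit makes the "or" instrumentation method the default, whose help text says it is incompatible with binary-only modules; a workstation that loads an out-of-tree proprietary module would therefore have to override the choice by hand (assuming PAX_KERNEXEC_PLUGIN is enabled, which this hunk does not show), and the profile's help text says nothing about it. Suggest adding to the help: `Note: with KERNEXEC and the default "or" plugin method, binary-only kernel modules cannot be loaded; select "bts" under "Return Address Instrumentation Method" if you need them.` The architecture and `!XEN` guards dropped here carry the same caveat as in the SERVER profile: `select` overrides the target's `depends on`. The stanza begins before this hunk.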
@@ -219,6 +227,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_CHROOT_CAPS
 +	select GRKERNSEC_CHROOT_SYSCTL
 +	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_SYSFS_RESTRICT
 +	select GRKERNSEC_PROC
 +	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
 +	select GRKERNSEC_HIDESYM
@@ -226,40 +235,40 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_PROC_USERGROUP
 +	select GRKERNSEC_KMEM
 +	select GRKERNSEC_RESLOG
++	select GRKERNSEC_AUDIT_PTRACE
 +	select GRKERNSEC_RANDNET
-+	# select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_SETXID
 +	select GRKERNSEC_VM86 if (X86_32)
-+	# select GRKERNSEC_IO if (X86)
 +	select GRKERNSEC_PROC_IPADDR
 +	select GRKERNSEC_RWXMAP_LOG
 +	select GRKERNSEC_SYSCTL
 +	select GRKERNSEC_SYSCTL_ON
 +	select PAX
-+	select PAX_RANDUSTACK
 +	select PAX_ASLR
++	select PAX_RANDKSTACK
++	select PAX_RANDUSTACK
 +	select PAX_RANDMMAP
 +	select PAX_NOEXEC
 +	select PAX_MPROTECT
 +	select PAX_EI_PAX
 +	select PAX_PT_PAX_FLAGS
 +	select PAX_HAVE_ACL_FLAGS
-+	# select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	# select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
 +	select PAX_SEGMEXEC if (X86_32)
 +	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
 +	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
++	select PAX_MEMORY_STACKLEAK
 +	help
 +	  If you say Y here, a configuration for grsecurity/PaX features
 +	  will be used that is endorsed by the Hardened Gentoo project.
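Review bot: The deleted `# select PAX_KERNEXEC ...` and `# select PAX_MEMORY_UDEREF ...` lines were the only record in the VIRTUALIZATION profile that these two are left out on purpose, and nothing replaces them, so a reader comparing this stanza with SERVER and WORKSTATION (which now select both unconditionally) cannot tell omission from oversight. Keep a one-line comment at that spot, e.g. `# PAX_KERNEXEC and PAX_MEMORY_UDEREF deliberately not selected for virtualization guests` — the reason (the "or" KERNEXEC method depends on !PARAVIRT per this commit's security/Kconfig change; anything beyond that the author should state) is worth a few words too. PAX_RANDKSTACK also becomes unconditional here, where the removed guard was `X86_TSC && !X86_64`; confirm the symbol's own dependencies permit it on x86_64, since `select` will not check. The stanza begins before this hunk.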
@@ -287,8 +296,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	bool "Custom"
  	help
 diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2011-04-17 18:36:55.000000000 -0400
-+++ b/security/Kconfig	2011-04-17 18:42:14.000000000 -0400
+--- a/security/Kconfig	2011-12-26 12:23:44.000000000 -0500
++++ b/security/Kconfig	2011-12-26 11:14:27.000000000 -0500
 @@ -322,9 +322,10 @@
  
  config PAX_KERNEXEC
@@ -301,6 +310,45 @@ diff -Naur a/security/Kconfig b/security/Kconfig
  	help
  	  This is the kernel land equivalent of PAGEEXEC and MPROTECT,
  	  that is, enabling this option will make it harder to inject
+@@ -335,30 +336,30 @@
+ 
+ choice
+ 	prompt "Return Address Instrumentation Method"
+-	default PAX_KERNEXEC_PLUGIN_METHOD_BTS
++	default PAX_KERNEXEC_PLUGIN_METHOD_OR
+ 	depends on PAX_KERNEXEC_PLUGIN
+ 	help
+ 	  Select the method used to instrument function pointer dereferences.
+ 	  Note that binary modules cannot be instrumented by this approach.
+ 
+-	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+-		bool "bts"
+-		help
+-		  This method is compatible with binary only modules but has
+-		  a higher runtime overhead.
+-
+ 	config PAX_KERNEXEC_PLUGIN_METHOD_OR
+ 		bool "or"
+ 		depends on !PARAVIRT
+ 		help
+ 		  This method is incompatible with binary only modules but has
+ 		  a lower runtime overhead.
++
++	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
++		bool "bts"
++		help
++		  This method is compatible with binary only modules but has
++		  a higher runtime overhead.
+ endchoice
+ 
+ config PAX_KERNEXEC_PLUGIN_METHOD
+ 	string
+-	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ 	default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
++	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ 	default ""
+ 
+ config PAX_KERNEXEC_MODULE_TEXT
 @@ -515,8 +516,9 @@
  
  config PAX_MEMORY_UDEREF
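Review bot: Moving the choice default to PAX_KERNEXEC_PLUGIN_METHOD_OR, which carries `depends on !PARAVIRT`, means a PARAVIRT configuration silently takes the first visible entry ("bts") instead, so PAX_KERNEXEC_PLUGIN_METHOD differs between otherwise similar configs with no message, and "or" is documented a few lines down as incompatible with binary-only modules. The commit message mentions a gcc >= 4.5.0 requirement, but nothing in this hunk encodes it — presumably PAX_KERNEXEC_PLUGIN's own dependency outside the hunk does; confirm. Suggest extending the choice help with: `The "or" method is the default; it is unavailable with PARAVIRT (the choice then falls back to "bts") and cannot be used together with binary-only modules.`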

diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
index a8ad5ac..1e181f3 100644
--- a/2.6.32/4437-grsec-kconfig-proc-user.patch
+++ b/2.6.32/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019.  This patch should eventually go upstre
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-06-29 07:46:02.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-06-29 07:47:20.000000000 -0400
-@@ -664,7 +664,7 @@
+@@ -673,7 +673,7 @@
  
  config GRKERNSEC_PROC_USER
  	bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  If you say Y here, non-root users will only be able to view their own
  	  processes, and restricts them from viewing network-related information,
-@@ -672,7 +672,7 @@
+@@ -681,7 +681,7 @@
  
  config GRKERNSEC_PROC_USERGROUP
  	bool "Allow special group"

diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
index fa1d60d..8a6daac 100644
--- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 18:47:02.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 18:51:15.000000000 -0400
-@@ -1263,6 +1263,27 @@
+@@ -1272,6 +1272,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  

diff --git a/3.1.6/4430_grsec-kconfig-default-gids.patch b/3.1.6/4430_grsec-kconfig-default-gids.patch
index 453cb8d..243fbd5 100644
--- a/3.1.6/4430_grsec-kconfig-default-gids.patch
+++ b/3.1.6/4430_grsec-kconfig-default-gids.patch
@@ -12,7 +12,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-12-12 16:54:30.000000000 -0500
 +++ b/grsecurity/Kconfig	2011-12-12 16:55:09.000000000 -0500
-@@ -432,7 +432,7 @@
+@@ -433,7 +433,7 @@
  config GRKERNSEC_PROC_GID
  	int "GID for special group"
  	depends on GRKERNSEC_PROC_USERGROUP
@@ -21,7 +21,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_PROC_ADD
  	bool "Additional restrictions"
-@@ -656,7 +656,7 @@
+@@ -657,7 +657,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
@@ -30,7 +30,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -834,7 +834,7 @@
+@@ -848,7 +848,7 @@
  config GRKERNSEC_TPE_GID
  	int "GID for untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -39,7 +39,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -843,7 +843,7 @@
+@@ -857,7 +857,7 @@
  config GRKERNSEC_TPE_GID
  	int "GID for trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -48,7 +48,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -916,7 +916,7 @@
+@@ -930,7 +930,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -57,7 +57,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -937,7 +937,7 @@
+@@ -951,7 +951,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -66,7 +66,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -955,7 +955,7 @@
+@@ -969,7 +969,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER

diff --git a/3.1.6/4435_grsec-kconfig-gentoo.patch b/3.1.6/4435_grsec-kconfig-gentoo.patch
index d9083f4..bec600b 100644
--- a/3.1.6/4435_grsec-kconfig-gentoo.patch
+++ b/3.1.6/4435_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@gentoo.org>
 
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
-+++ b/grsecurity/Kconfig	2011-04-17 19:27:46.000000000 -0400
+--- a/grsecurity/Kconfig	2011-12-26 10:56:24.000000000 -0500
++++ b/grsecurity/Kconfig	2011-12-26 12:20:25.000000000 -0500
 @@ -18,7 +18,7 @@
  choice
  	prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -190,6 +190,258 @@
+@@ -191,6 +191,267 @@
  	  - Restricted sysfs/debugfs
  	  - Active kernel exploit response
  
@@ -51,6 +51,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_CHROOT_CAPS
 +	select GRKERNSEC_CHROOT_SYSCTL
 +	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_SYSFS_RESTRICT
 +	select GRKERNSEC_PROC
 +	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
 +	select GRKERNSEC_HIDESYM
@@ -58,6 +59,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_PROC_USERGROUP
 +	select GRKERNSEC_KMEM
 +	select GRKERNSEC_RESLOG
++	select GRKERNSEC_AUDIT_PTRACE
 +	select GRKERNSEC_RANDNET
 +	select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
@@ -65,33 +67,36 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_SETXID
 +	select GRKERNSEC_VM86 if (X86_32)
-+	select GRKERNSEC_IO if (X86)
++	select GRKERNSEC_IO
 +	select GRKERNSEC_PROC_IPADDR
 +	select GRKERNSEC_RWXMAP_LOG
 +	select GRKERNSEC_SYSCTL
 +	select GRKERNSEC_SYSCTL_ON
 +	select PAX
-+	select PAX_RANDUSTACK
 +	select PAX_ASLR
++	select PAX_RANDKSTACK
++	select PAX_RANDUSTACK
 +	select PAX_RANDMMAP
 +	select PAX_NOEXEC
 +	select PAX_MPROTECT
 +	select PAX_EI_PAX
 +	select PAX_PT_PAX_FLAGS
 +	select PAX_HAVE_ACL_FLAGS
-+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++	select PAX_KERNEXEC
++	select PAX_MEMORY_UDEREF
 +	select PAX_SEGMEXEC if (X86_32)
 +	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
 +	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
++	select PAX_MEMORY_STACKLEAK
 +	help
 +	  If you say Y here, a configuration for grsecurity/PaX features
 +	  will be used that is endorsed by the Hardened Gentoo project.
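Review bot: This is the 3.1.6 copy of the SERVER-profile change made to 2.6.32 above and carries the same concern: the `!XEN` and architecture guards on PAX_KERNEXEC, PAX_MEMORY_UDEREF, PAX_RANDKSTACK and GRKERNSEC_IO are dropped, and `select` does not honour the target symbol's `depends on`, so a build the old guard excluded now gets these forced on with only an unmet-dependency warning. Whether the 3.1.6 grsecurity Kconfig relaxed those dependencies is not visible here; if not, reinstate e.g. `select PAX_KERNEXEC if ((PPC || X86) && !XEN)`. The two patch files are line-for-line identical in this stanza, so any fix applied to one should be mirrored in the other. The stanza begins before this hunk.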
@@ -135,6 +140,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_CHROOT_CAPS
 +	select GRKERNSEC_CHROOT_SYSCTL
 +	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_SYSFS_RESTRICT
 +	select GRKERNSEC_PROC
 +	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
 +	select GRKERNSEC_HIDESYM
@@ -142,40 +148,42 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_PROC_USERGROUP
 +	select GRKERNSEC_KMEM
 +	select GRKERNSEC_RESLOG
++	select GRKERNSEC_AUDIT_PTRACE
 +	select GRKERNSEC_RANDNET
-+	# select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_SETXID
 +	select GRKERNSEC_VM86 if (X86_32)
-+	# select GRKERNSEC_IO if (X86)
 +	select GRKERNSEC_PROC_IPADDR
 +	select GRKERNSEC_RWXMAP_LOG
 +	select GRKERNSEC_SYSCTL
 +	select GRKERNSEC_SYSCTL_ON
 +	select PAX
-+	select PAX_RANDUSTACK
 +	select PAX_ASLR
++	select PAX_RANDKSTACK
++	select PAX_RANDUSTACK
 +	select PAX_RANDMMAP
 +	select PAX_NOEXEC
 +	select PAX_MPROTECT
 +	select PAX_EI_PAX
 +	select PAX_PT_PAX_FLAGS
 +	select PAX_HAVE_ACL_FLAGS
-+	# select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	# select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
++	select PAX_KERNEXEC
++	select PAX_MEMORY_UDEREF
 +	select PAX_SEGMEXEC if (X86_32)
 +	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
 +	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
++	select PAX_MEMORY_STACKLEAK
 +	help
 +	  If you say Y here, a configuration for grsecurity/PaX features
 +	  will be used that is endorsed by the Hardened Gentoo project.
@@ -219,6 +227,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_CHROOT_CAPS
 +	select GRKERNSEC_CHROOT_SYSCTL
 +	select GRKERNSEC_CHROOT_FINDTASK
++	select GRKERNSEC_SYSFS_RESTRICT
 +	select GRKERNSEC_PROC
 +	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
 +	select GRKERNSEC_HIDESYM
@@ -226,40 +235,40 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select GRKERNSEC_PROC_USERGROUP
 +	select GRKERNSEC_KMEM
 +	select GRKERNSEC_RESLOG
++	select GRKERNSEC_AUDIT_PTRACE
 +	select GRKERNSEC_RANDNET
-+	# select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
++	select GRKERNSEC_SETXID
 +	select GRKERNSEC_VM86 if (X86_32)
-+	# select GRKERNSEC_IO if (X86)
 +	select GRKERNSEC_PROC_IPADDR
 +	select GRKERNSEC_RWXMAP_LOG
 +	select GRKERNSEC_SYSCTL
 +	select GRKERNSEC_SYSCTL_ON
 +	select PAX
-+	select PAX_RANDUSTACK
 +	select PAX_ASLR
++	select PAX_RANDKSTACK
++	select PAX_RANDUSTACK
 +	select PAX_RANDMMAP
 +	select PAX_NOEXEC
 +	select PAX_MPROTECT
 +	select PAX_EI_PAX
 +	select PAX_PT_PAX_FLAGS
 +	select PAX_HAVE_ACL_FLAGS
-+	# select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-+	# select PAX_MEMORY_UDEREF if (X86 && !XEN)
-+	select PAX_RANDKSTACK if (X86_TSC && !X86_64)
 +	select PAX_SEGMEXEC if (X86_32)
 +	select PAX_PAGEEXEC
-+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
++	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
 +	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
++	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
-+	select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
++	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
++	select PAX_MEMORY_STACKLEAK
 +	help
 +	  If you say Y here, a configuration for grsecurity/PaX features
 +	  will be used that is endorsed by the Hardened Gentoo project.
@@ -287,8 +296,8 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	bool "Custom"
  	help
 diff -Naur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2011-09-21 07:20:02.000000000 -0400
-+++ b/security/Kconfig	2011-09-21 07:25:50.000000000 -0400
+--- a/security/Kconfig	2011-12-26 12:23:44.000000000 -0500
++++ b/security/Kconfig	2011-12-26 11:14:27.000000000 -0500
 @@ -322,9 +322,10 @@
  
  config PAX_KERNEXEC
@@ -301,6 +310,45 @@ diff -Naur a/security/Kconfig b/security/Kconfig
  	help
  	  This is the kernel land equivalent of PAGEEXEC and MPROTECT,
  	  that is, enabling this option will make it harder to inject
+@@ -335,30 +336,30 @@
+ 
+ choice
+ 	prompt "Return Address Instrumentation Method"
+-	default PAX_KERNEXEC_PLUGIN_METHOD_BTS
++	default PAX_KERNEXEC_PLUGIN_METHOD_OR
+ 	depends on PAX_KERNEXEC_PLUGIN
+ 	help
+ 	  Select the method used to instrument function pointer dereferences.
+ 	  Note that binary modules cannot be instrumented by this approach.
+ 
+-	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+-		bool "bts"
+-		help
+-		  This method is compatible with binary only modules but has
+-		  a higher runtime overhead.
+-
+ 	config PAX_KERNEXEC_PLUGIN_METHOD_OR
+ 		bool "or"
+ 		depends on !PARAVIRT
+ 		help
+ 		  This method is incompatible with binary only modules but has
+ 		  a lower runtime overhead.
++
++	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
++		bool "bts"
++		help
++		  This method is compatible with binary only modules but has
++		  a higher runtime overhead.
+ endchoice
+ 
+ config PAX_KERNEXEC_PLUGIN_METHOD
+ 	string
+-	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ 	default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
++	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ 	default ""
+ 
+ config PAX_KERNEXEC_MODULE_TEXT
 @@ -515,8 +516,9 @@
  
  config PAX_MEMORY_UDEREF
@@ -312,4 +360,3 @@ diff -Naur a/security/Kconfig b/security/Kconfig
  	help
  	  By saying Y here the kernel will be prevented from dereferencing
  	  userland pointers in contexts where the kernel expects only kernel
-

diff --git a/3.1.6/4437-grsec-kconfig-proc-user.patch b/3.1.6/4437-grsec-kconfig-proc-user.patch
index fb20d59..4c9550b 100644
--- a/3.1.6/4437-grsec-kconfig-proc-user.patch
+++ b/3.1.6/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019.  This patch should eventually go upstre
 diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-06-29 10:02:56.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-06-29 10:08:07.000000000 -0400
-@@ -665,7 +665,7 @@
+@@ -675,7 +675,7 @@
  
  config GRKERNSEC_PROC_USER
  	bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden
  	help
  	  If you say Y here, non-root users will only be able to view their own
  	  processes, and restricts them from viewing network-related information,
-@@ -673,7 +673,7 @@
+@@ -683,7 +683,7 @@
  
  config GRKERNSEC_PROC_USERGROUP
  	bool "Allow special group"

diff --git a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
index 56c8ef1..4bce851 100644
--- a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
 --- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ linux-2.6.38-hardened-r1/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -1264,6 +1264,27 @@
+@@ -1287,6 +1287,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  




* [gentoo-commits] proj/hardened-patchset:master commit in: 3.1.6/, 2.6.32/
@ 2011-12-26 20:16 Anthony G. Basile
From: Anthony G. Basile @ 2011-12-26 20:16 UTC (permalink / raw
  To: gentoo-commits

commit:     f18573fca9f346534cbf7aac07390f1e9c540ac9
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 26 20:16:28 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Dec 26 20:16:28 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f18573fc

PAX_ELFRELOCS: do not force on for x86

---
 2.6.32/4435_grsec-kconfig-gentoo.patch          |    8 +-------
 2.6.32/4437-grsec-kconfig-proc-user.patch       |    4 ++--
 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch |    2 +-
 3.1.6/4435_grsec-kconfig-gentoo.patch           |    8 +-------
 3.1.6/4437-grsec-kconfig-proc-user.patch        |    4 ++--
 3.1.6/4440_selinux-avc_audit-log-curr_ip.patch  |    2 +-
 6 files changed, 8 insertions(+), 20 deletions(-)

diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index 8257202..5f4693e 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -190,6 +190,267 @@
+@@ -190,6 +190,261 @@
  	  - Restricted sysfs/debugfs
  	  - Active kernel exploit response
  
@@ -91,8 +91,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
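Review bot: The title says only that PAX_ELFRELOCS is no longer forced on for x86, but the hunk also deletes `select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)`, which predates the previous commit, and drops ELFRELOCS for IA64 and PPC as well; if x86 alone is the intent, the minimal change is to keep the ETEXECRELOCS line and narrow the other to `select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || IA64 || PPC)`. If ELFRELOCS keeps its upstream meaning of permitting ELF text relocations, leaving it off is the stricter setting and the x86 direction is right, but alpha/ia64/parisc binaries that relied on the relocation selects may now fail to load — either reinstate the guards or state in the commit message that dropping them on those architectures is deliberate. The stanza begins before this hunk.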
@@ -178,8 +176,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
@@ -263,8 +259,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE

diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
index 1e181f3..ca88ef7 100644
--- a/2.6.32/4437-grsec-kconfig-proc-user.patch
+++ b/2.6.32/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019.  This patch should eventually go upstre
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-06-29 07:46:02.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-06-29 07:47:20.000000000 -0400
-@@ -673,7 +673,7 @@
+@@ -667,7 +667,7 @@
  
  config GRKERNSEC_PROC_USER
  	bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  If you say Y here, non-root users will only be able to view their own
  	  processes, and restricts them from viewing network-related information,
-@@ -681,7 +681,7 @@
+@@ -675,7 +675,7 @@
  
  config GRKERNSEC_PROC_USERGROUP
  	bool "Allow special group"

diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
index 8a6daac..34c78d5 100644
--- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 18:47:02.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 18:51:15.000000000 -0400
-@@ -1272,6 +1272,27 @@
+@@ -1266,6 +1266,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  

diff --git a/3.1.6/4435_grsec-kconfig-gentoo.patch b/3.1.6/4435_grsec-kconfig-gentoo.patch
index bec600b..90b1ec9 100644
--- a/3.1.6/4435_grsec-kconfig-gentoo.patch
+++ b/3.1.6/4435_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_LOW
  	bool "Low"
-@@ -191,6 +191,267 @@
+@@ -191,6 +191,261 @@
  	  - Restricted sysfs/debugfs
  	  - Active kernel exploit response
  
@@ -91,8 +91,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
@@ -178,8 +176,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE
@@ -263,8 +259,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 +	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
 +	select PAX_EMUTRAMP if (PARISC)
 +	select PAX_EMUSIGRT if (PARISC)
-+	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-+	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
 +	select PAX_REFCOUNT if (X86 || SPARC64)
 +	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
 +	select PAX_MEMORY_SANITIZE

diff --git a/3.1.6/4437-grsec-kconfig-proc-user.patch b/3.1.6/4437-grsec-kconfig-proc-user.patch
index 4c9550b..4e5acda 100644
--- a/3.1.6/4437-grsec-kconfig-proc-user.patch
+++ b/3.1.6/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019.  This patch should eventually go upstre
 diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-06-29 10:02:56.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-06-29 10:08:07.000000000 -0400
-@@ -675,7 +675,7 @@
+@@ -669,7 +669,7 @@
  
  config GRKERNSEC_PROC_USER
  	bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden
  	help
  	  If you say Y here, non-root users will only be able to view their own
  	  processes, and restricts them from viewing network-related information,
-@@ -683,7 +683,7 @@
+@@ -677,7 +677,7 @@
  
  config GRKERNSEC_PROC_USERGROUP
  	bool "Allow special group"

diff --git a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
index 4bce851..b7bcddb 100644
--- a/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
 --- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ linux-2.6.38-hardened-r1/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -1287,6 +1287,27 @@
+@@ -1281,6 +1281,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  



