path: root/3.4.3/4455_grsec-kconfig-gentoo.patch

From: Anthony G. Basile <blueness@gentoo.org>
From: Gordon Malm <gengor@gentoo.org>
From: Jory A. Pratt <anarchy@gentoo.org>
From: Kerin Millar <kerframil@gmail.com>

Add Hardened Gentoo [server/workstation] predefined grsecurity
levels. They're designed to provide a comparitively high level of
security while remaining generally suitable for as great a majority
of the userbase as possible (particularly new users).

Make Hardened Gentoo [workstation] predefined grsecurity level the
default. The Hardened Gentoo [server] level is more restrictive
and conflicts with some software and thus would be less suitable.

The original version of this patch was conceived and created by:
Ned Ludd <solar@gentoo.org>

diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig	2011-12-26 10:56:24.000000000 -0500
+++ b/grsecurity/Kconfig	2011-12-26 12:20:25.000000000 -0500
@@ -18,7 +18,7 @@
 choice
 	prompt "Security Level"
 	depends on GRKERNSEC
-	default GRKERNSEC_CUSTOM
+	default GRKERNSEC_HARDENED_WORKSTATION
 
 config GRKERNSEC_LOW
 	bool "Low"
@@ -192,6 +192,262 @@
 	  - Restricted sysfs/debugfs
 	  - Active kernel exploit response
 
+config GRKERNSEC_HARDENED_SERVER
+	bool "Hardened Gentoo [server]"
+	select GRKERNSEC_LINK
+	select GRKERNSEC_FIFO
+	select GRKERNSEC_DMESG
+	select GRKERNSEC_FORKFAIL
+	select GRKERNSEC_TIME
+	select GRKERNSEC_SIGNAL
+	select GRKERNSEC_CHROOT
+	select GRKERNSEC_CHROOT_SHMAT
+	select GRKERNSEC_CHROOT_UNIX
+	select GRKERNSEC_CHROOT_MOUNT
+	select GRKERNSEC_CHROOT_FCHDIR
+	select GRKERNSEC_CHROOT_PIVOT
+	select GRKERNSEC_CHROOT_DOUBLE
+	select GRKERNSEC_CHROOT_CHDIR
+	select GRKERNSEC_CHROOT_MKNOD
+	select GRKERNSEC_CHROOT_CAPS
+	select GRKERNSEC_CHROOT_SYSCTL
+	select GRKERNSEC_CHROOT_FINDTASK
+	select GRKERNSEC_SYSFS_RESTRICT
+	select GRKERNSEC_PROC
+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+	select GRKERNSEC_HIDESYM
+	select GRKERNSEC_BRUTE
+	select GRKERNSEC_PROC_USERGROUP
+	select GRKERNSEC_KMEM
+	select GRKERNSEC_RESLOG
+	select GRKERNSEC_AUDIT_PTRACE
+	select GRKERNSEC_RANDNET
+	select GRKERNSEC_PROC_ADD
+	select GRKERNSEC_CHROOT_CHMOD
+	select GRKERNSEC_CHROOT_NICE
+	select GRKERNSEC_AUDIT_MOUNT
+	select GRKERNSEC_MODHARDEN if (MODULES)
+	select GRKERNSEC_HARDEN_PTRACE
+	select GRKERNSEC_PTRACE_READEXEC
+	select GRKERNSEC_SETXID
+	select GRKERNSEC_VM86 if (X86_32)
+	select GRKERNSEC_IO
+	select GRKERNSEC_PROC_IPADDR
+	select GRKERNSEC_RWXMAP_LOG
+	select GRKERNSEC_SYSCTL
+	select GRKERNSEC_SYSCTL_ON
+	select PAX
+	select PAX_ASLR
+	select PAX_RANDKSTACK if (X86_TSC && X86)
+	select PAX_RANDUSTACK
+	select PAX_RANDMMAP
+	select PAX_NOEXEC
+	select PAX_MPROTECT
+	select PAX_EI_PAX
+	select PAX_PT_PAX_FLAGS
+	select PAX_HAVE_ACL_FLAGS
+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
+	select PAX_SEGMEXEC if (X86_32)
+	select PAX_PAGEEXEC
+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+	select PAX_EMUTRAMP if (PARISC)
+	select PAX_EMUSIGRT if (PARISC)
+	select PAX_REFCOUNT if (X86 || SPARC64)
+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+	select PAX_MEMORY_SANITIZE
+	select PAX_MEMORY_STACKLEAK if (!XEN)
+	help
+	  If you say Y here, a configuration for grsecurity/PaX features
+	  will be used that is endorsed by the Hardened Gentoo project.
+	  These pre-defined security levels are designed to provide a high
+	  level of security while minimizing incompatibilities with a majority
+	  of Gentoo's available software.
+
+	  This "Hardened Gentoo [server]" level is identical to the
+	  "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO,
+	  and GRKERNSEC_PROC_ADD enabled.  Accordingly, this is the preferred
+	  security level if the system will not be utilizing software incompatible
+	  with these features.
+
+	  When this level is selected, some security features will be forced on,
+	  while others will default to their suggested values of off or on.  The
+	  later can be tweaked at the user's discretion, but may cause problems
+	  in some situations.  You can fully customize all grsecurity/PaX features
+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
+	  inherit the options selected by this security level as a starting point.
+	  To accomplish this, select this security level, then exit the menuconfig
+	  interface, saving changes when prompted.  Run make menuconfig again and
+	  select the "Custom" level.
+
+config GRKERNSEC_HARDENED_WORKSTATION
+	bool "Hardened Gentoo [workstation]"
+	select GRKERNSEC_LINK
+	select GRKERNSEC_FIFO
+	select GRKERNSEC_DMESG
+	select GRKERNSEC_FORKFAIL
+	select GRKERNSEC_TIME
+	select GRKERNSEC_SIGNAL
+	select GRKERNSEC_CHROOT
+	select GRKERNSEC_CHROOT_SHMAT
+	select GRKERNSEC_CHROOT_UNIX
+	select GRKERNSEC_CHROOT_MOUNT
+	select GRKERNSEC_CHROOT_FCHDIR
+	select GRKERNSEC_CHROOT_PIVOT
+	select GRKERNSEC_CHROOT_DOUBLE
+	select GRKERNSEC_CHROOT_CHDIR
+	select GRKERNSEC_CHROOT_MKNOD
+	select GRKERNSEC_CHROOT_CAPS
+	select GRKERNSEC_CHROOT_SYSCTL
+	select GRKERNSEC_CHROOT_FINDTASK
+	select GRKERNSEC_PROC
+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+	select GRKERNSEC_HIDESYM
+	select GRKERNSEC_BRUTE
+	select GRKERNSEC_PROC_USERGROUP
+	select GRKERNSEC_KMEM
+	select GRKERNSEC_RESLOG
+	select GRKERNSEC_AUDIT_PTRACE
+	select GRKERNSEC_RANDNET
+	select GRKERNSEC_CHROOT_CHMOD
+	select GRKERNSEC_CHROOT_NICE
+	select GRKERNSEC_AUDIT_MOUNT
+	select GRKERNSEC_MODHARDEN if (MODULES)
+	select GRKERNSEC_HARDEN_PTRACE
+       select GRKERNSEC_PTRACE_READEXEC
+	select GRKERNSEC_SETXID
+	select GRKERNSEC_VM86 if (X86_32)
+	select GRKERNSEC_PROC_IPADDR
+	select GRKERNSEC_RWXMAP_LOG
+	select GRKERNSEC_SYSCTL
+	select GRKERNSEC_SYSCTL_ON
+	select PAX
+	select PAX_ASLR
+	select PAX_RANDKSTACK if (X86_TSC && X86)
+	select PAX_RANDUSTACK
+	select PAX_RANDMMAP
+	select PAX_NOEXEC
+	select PAX_MPROTECT
+	select PAX_EI_PAX
+	select PAX_PT_PAX_FLAGS
+	select PAX_HAVE_ACL_FLAGS
+	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
+	select PAX_MEMORY_UDEREF if (X86 && !XEN)
+	select PAX_SEGMEXEC if (X86_32)
+	select PAX_PAGEEXEC
+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+	select PAX_EMUTRAMP if (PARISC)
+	select PAX_EMUSIGRT if (PARISC)
+	select PAX_REFCOUNT if (X86 || SPARC64)
+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+	select PAX_MEMORY_SANITIZE
+	select PAX_MEMORY_STACKLEAK if (!XEN)
+	help
+	  If you say Y here, a configuration for grsecurity/PaX features
+	  will be used that is endorsed by the Hardened Gentoo project.
+	  These pre-defined security levels are designed to provide a high
+	  level of security while minimizing incompatibilities with a majority
+	  of Gentoo's available software.
+
+	  This "Hardened Gentoo [workstation]" level is identical to the
+	  "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and
+	  GRKERNSEC_PROC_ADD disabled.  Accordingly, this is the preferred
+	  security level if the system will be utilizing software incompatible
+	  with these features.
+
+	  When this level is selected, some security features will be forced on,
+	  while others will default to their suggested values of off or on.  The
+	  later can be tweaked at the user's discretion, but may cause problems
+	  in some situations.  You can fully customize all grsecurity/PaX features
+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
+	  inherit the options selected by this security level as a starting point.
+	  To accomplish this, select this security level, then exit the menuconfig
+	  interface, saving changes when prompted.  Run make menuconfig again and
+	  select the "Custom" level.
+
+config GRKERNSEC_HARDENED_VIRTUALIZATION
+	bool "Hardened Gentoo [virtualization]"
+	select GRKERNSEC_LINK
+	select GRKERNSEC_FIFO
+	select GRKERNSEC_DMESG
+	select GRKERNSEC_FORKFAIL
+	select GRKERNSEC_TIME
+	select GRKERNSEC_SIGNAL
+	select GRKERNSEC_CHROOT
+	select GRKERNSEC_CHROOT_SHMAT
+	select GRKERNSEC_CHROOT_UNIX
+	select GRKERNSEC_CHROOT_MOUNT
+	select GRKERNSEC_CHROOT_FCHDIR
+	select GRKERNSEC_CHROOT_PIVOT
+	select GRKERNSEC_CHROOT_DOUBLE
+	select GRKERNSEC_CHROOT_CHDIR
+	select GRKERNSEC_CHROOT_MKNOD
+	select GRKERNSEC_CHROOT_CAPS
+	select GRKERNSEC_CHROOT_SYSCTL
+	select GRKERNSEC_CHROOT_FINDTASK
+	select GRKERNSEC_PROC
+	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+	select GRKERNSEC_HIDESYM
+	select GRKERNSEC_BRUTE
+	select GRKERNSEC_PROC_USERGROUP
+	select GRKERNSEC_KMEM
+	select GRKERNSEC_RESLOG
+	select GRKERNSEC_AUDIT_PTRACE
+	select GRKERNSEC_RANDNET
+	select GRKERNSEC_CHROOT_CHMOD
+	select GRKERNSEC_CHROOT_NICE
+	select GRKERNSEC_AUDIT_MOUNT
+	select GRKERNSEC_MODHARDEN if (MODULES)
+	select GRKERNSEC_HARDEN_PTRACE
+       select GRKERNSEC_PTRACE_READEXEC
+	select GRKERNSEC_SETXID
+	select GRKERNSEC_VM86 if (X86_32)
+	select GRKERNSEC_PROC_IPADDR
+	select GRKERNSEC_RWXMAP_LOG
+	select GRKERNSEC_SYSCTL
+	select GRKERNSEC_SYSCTL_ON
+	select PAX
+	select PAX_ASLR
+	select PAX_RANDKSTACK if (X86_TSC && X86)
+	select PAX_RANDUSTACK
+	select PAX_RANDMMAP
+	select PAX_NOEXEC
+	select PAX_MPROTECT
+	select PAX_EI_PAX
+	select PAX_PT_PAX_FLAGS
+	select PAX_HAVE_ACL_FLAGS
+	select PAX_SEGMEXEC if (X86_32)
+	select PAX_PAGEEXEC
+	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
+	select PAX_EMUTRAMP if (PARISC)
+	select PAX_EMUSIGRT if (PARISC)
+	select PAX_REFCOUNT if (X86 || SPARC64)
+	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
+	select PAX_MEMORY_SANITIZE
+	select PAX_MEMORY_STACKLEAK if (!XEN)
+	help
+	  If you say Y here, a configuration for grsecurity/PaX features
+	  will be used that is endorsed by the Hardened Gentoo project.
+	  These pre-defined security levels are designed to provide a high
+	  level of security while minimizing incompatibilities with a majority
+	  of Gentoo's available software.
+
+	  This "Hardened Gentoo [virtualization]" level is identical to the
+	  "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and
+	  PAX_MEMORY_UDEREF defaulting to off.  Accordingly, this is the preferred
+	  security level if the system will be utilizing virtualization software
+	  incompatible with these features, like VirtualBox or kvm.
+
+	  When this level is selected, some security features will be forced on,
+	  while others will default to their suggested values of off or on.  The
+	  later can be tweaked at the user's discretion, but may cause problems
+	  in some situations.  You can fully customize all grsecurity/PaX features
+	  by choosing "Custom" in the Security Level menu.  It may be helpful to
+	  inherit the options selected by this security level as a starting point.
+	  To accomplish this, select this security level, then exit the menuconfig
+	  interface, saving changes when prompted.  Run make menuconfig again and
+	  select the "Custom" level.
+
 config GRKERNSEC_CUSTOM
 	bool "Custom"
 	help
diff -Naur a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig	2011-12-26 12:23:44.000000000 -0500
+++ b/security/Kconfig	2011-12-26 11:14:27.000000000 -0500
@@ -363,9 +363,10 @@
 
 config PAX_KERNEXEC
 	bool "Enforce non-executable kernel pages"
-	depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
+	depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
 	select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
 	select PAX_KERNEXEC_PLUGIN if X86_64
+	default y if GRKERNSEC_HARDENED_WORKSTATION
 	help
 	  This is the kernel land equivalent of PAGEEXEC and MPROTECT,
 	  that is, enabling this option will make it harder to inject
@@ -376,30 +377,30 @@
 
 choice
 	prompt "Return Address Instrumentation Method"
-	default PAX_KERNEXEC_PLUGIN_METHOD_BTS
+	default PAX_KERNEXEC_PLUGIN_METHOD_OR
 	depends on PAX_KERNEXEC_PLUGIN
 	help
 	  Select the method used to instrument function pointer dereferences.
 	  Note that binary modules cannot be instrumented by this approach.
 
-	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
-		bool "bts"
-		help
-		  This method is compatible with binary only modules but has
-		  a higher runtime overhead.
-
 	config PAX_KERNEXEC_PLUGIN_METHOD_OR
 		bool "or"
 		depends on !PARAVIRT
 		help
 		  This method is incompatible with binary only modules but has
 		  a lower runtime overhead.
+
+	config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+		bool "bts"
+		help
+		  This method is compatible with binary only modules but has
+		  a higher runtime overhead.
 endchoice
 
 config PAX_KERNEXEC_PLUGIN_METHOD
 	string
-	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
 	default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
+	default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
 	default ""
 
 config PAX_KERNEXEC_MODULE_TEXT
@@ -556,8 +557,9 @@
 
 config PAX_MEMORY_UDEREF
 	bool "Prevent invalid userland pointer dereference"
-	depends on X86 && !UML_X86 && !XEN
+	depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION
 	select PAX_PER_CPU_PGD if X86_64
+	default y if GRKERNSEC_HARDENED_WORKSTATION
 	help
 	  By saying Y here the kernel will be prevented from dereferencing
 	  userland pointers in contexts where the kernel expects only kernel