author | Anthony G. Basile <basile@opensource.dyc.edu> | 2011-01-22 06:44:05 -0500 |
---|---|---|
committer | Anthony G. Basile <basile@opensource.dyc.edu> | 2011-01-22 06:44:05 -0500 |
commit | 6c9f3d0558cda2eb50b130939cf30811b2e21a66 (patch) | |
tree | 2146a9c018ee4ecdb40c3ee83c10ed237739596c | |
parent | Update Grsec/PaX (diff) | |
Change Gentoo's GRSEC settings -- remove NO_RBAC
-rw-r--r-- | 2.6.32/4435_grsec-kconfig-gentoo.patch | 216 | ||||
-rw-r--r-- | 2.6.37/4435_grsec-kconfig-gentoo.patch | 216 |
2 files changed, 12 insertions, 420 deletions
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch index c9fbc5f..837e411 100644 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch @@ -1,3 +1,4 @@ +From: Anthony G. Basile <blueness@gentoo.org> From: Gordon Malm <gengor@gentoo.org> From: Jory A. Pratt <anarchy@gentoo.org> From: Kerin Millar <kerframil@gmail.com> @@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable. The original version of this patch was conceived and created by: Ned Ludd <solar@gentoo.org> ---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100 -+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100 +diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig +--- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-21 20:13:54.000000000 -0500 ++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-21 20:46:38.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" depends on GRKERNSEC - default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC ++ default GRKERNSEC_HARDENED_WORKSTATION config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,416 @@ +@@ -191,6 +191,210 @@ - Ptrace restrictions - Restricted vm86 mode 
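Review bot: The inner header written into `2.6.32/4435_grsec-kconfig-gentoo.patch` names the 2.6.37 tree (`+diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig`, with matching `---`/`+++` lines dated 2011-01-21), so the 2.6.32 patchset now claims its Kconfig hunks were generated against a different kernel. Both files show the same blob ids (`index c9fbc5f..837e411`), which suggests the 2.6.37 copy was dropped in verbatim; assuming the patchset is applied with `-p1`, as the old `a/`/`b/` header implies, the leading component is stripped and the patch still applies, but the paths and timestamps mislead anyone auditing which source the hunk offsets were taken from. I would regenerate or at least rename the 2.6.32 header against its own tree, i.e. `diff -Naur linux-2.6.32-hardened.orig/grsecurity/Kconfig linux-2.6.32-hardened/grsecurity/Kconfig`, with the `---`/`+++` lines adjusted to match. For what this page shows, the inner hunk counts remain self-consistent: the `@@ -191,6 +191,416 @@` → `@@ -191,6 +191,210 @@` change is a 206-line reduction, which equals the 104 + 102 lines removed by the two later hunks.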
@@ -132,110 +134,6 @@ Ned Ludd <solar@gentoo.org> + disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable + impact on performance. + -+config GRKERNSEC_HARDENED_SERVER_NO_RBAC -+ bool "Hardened Gentoo [server no rbac]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_EXECVE -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO if (X86) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select GRKERNSEC_NO_RBAC -+ select PAX -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_NO_ACL_FLAGS -+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_ETEXECRELOCS if 
(ALPHA || IA64 || PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [server] level is identical to the -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO, -+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled. -+ Accordingly, this is the preferred security level if the system will -+ not be utilizing software incompatible with the aforementioned -+ grsecurity/PaX features. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. 
You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [server]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. -+ +config GRKERNSEC_HARDENED_WORKSTATION + bool "Hardened Gentoo [workstation]" + select GRKERNSEC_LINK 
@@ -337,108 +235,6 @@ Ned Ludd <solar@gentoo.org> + disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable + impact on performance. + -+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC -+ bool "Hardened Gentoo [workstation no rbac]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_EXECVE -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select GRKERNSEC_NO_RBAC -+ select PAX -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_NO_ACL_FLAGS -+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) -+ select PAX_REFCOUNT 
if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [workstation] level is designed for machines -+ which are intended to run software not compatible with the -+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity. -+ Accordingly, this security level is suitable for use with the X server -+ "Xorg" and/or any system that will act as host OS to the virtualization -+ softwares vmware-server or virtualbox. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. 
You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [workstation]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. -+ config GRKERNSEC_CUSTOM bool "Custom" help diff --git a/2.6.37/4435_grsec-kconfig-gentoo.patch b/2.6.37/4435_grsec-kconfig-gentoo.patch index c9fbc5f..837e411 100644 --- a/2.6.37/4435_grsec-kconfig-gentoo.patch +++ b/2.6.37/4435_grsec-kconfig-gentoo.patch @@ -1,3 +1,4 @@ +From: Anthony G. Basile <blueness@gentoo.org> From: Gordon Malm <gengor@gentoo.org> From: Jory A. Pratt <anarchy@gentoo.org> From: Kerin Millar <kerframil@gmail.com> @@ -14,18 +15,19 @@ and conflicts with some software and thus would be less suitable. The original version of this patch was conceived and created by: Ned Ludd <solar@gentoo.org> ---- a/grsecurity/Kconfig 2009-07-31 02:34:44.661115764 +0100 -+++ b/grsecurity/Kconfig 2009-08-01 02:04:02.047475888 +0100 +diff -Naur linux-2.6.37-hardened.orig/grsecurity/Kconfig linux-2.6.37-hardened/grsecurity/Kconfig +--- linux-2.6.37-hardened.orig/grsecurity/Kconfig 2011-01-21 20:13:54.000000000 -0500 ++++ linux-2.6.37-hardened/grsecurity/Kconfig 2011-01-21 20:46:38.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" depends on GRKERNSEC - default GRKERNSEC_CUSTOM -+ default GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC ++ default GRKERNSEC_HARDENED_WORKSTATION config GRKERNSEC_LOW bool "Low" -@@ -191,6 +191,416 @@ +@@ -191,6 +191,210 @@ - Ptrace restrictions - Restricted vm86 mode 
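Review bot: The choice default moves from the now-deleted `GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC` to `GRKERNSEC_HARDENED_WORKSTATION` (`++ default GRKERNSEC_HARDENED_WORKSTATION`), yet nothing in the patch's own description records what that means for existing users. A `.config` that selected one of the removed `*_NO_RBAC` levels has no valid choice member after this change, so `make oldconfig` will prompt for (or a non-interactive update will silently take) the new default, and — assuming the surviving levels, whose `select` lists fall outside this hunk, do not select `GRKERNSEC_NO_RBAC` — the RBAC subsystem is built into kernels where it was previously compiled out. That is what the commit title intends, but the patch header is the only documentation an administrator inspecting the patchset will read, so I would add a sentence after the `From:` lines such as `The [server no rbac] and [workstation no rbac] levels have been removed; every Hardened Gentoo level now builds the grsecurity RBAC system.` If it is confirmed that RBAC enforcement stays off until a policy is enabled with gradm, stating that there too would reassure users migrating a config; the same wording belongs in the 2.6.32 copy of this file.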
@@ -132,110 +134,6 @@ Ned Ludd <solar@gentoo.org> + disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable + impact on performance. + -+config GRKERNSEC_HARDENED_SERVER_NO_RBAC -+ bool "Hardened Gentoo [server no rbac]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_EXECVE -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_PROC_ADD -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_IO if (X86) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select GRKERNSEC_NO_RBAC -+ select PAX -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_NO_ACL_FLAGS -+ select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_ETEXECRELOCS if 
(ALPHA || IA64 || PARISC) -+ select PAX_REFCOUNT if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [server] level is identical to the -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO, -+ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled. -+ Accordingly, this is the preferred security level if the system will -+ not be utilizing software incompatible with the aforementioned -+ grsecurity/PaX features. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. 
You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [server]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. -+ +config GRKERNSEC_HARDENED_WORKSTATION + bool "Hardened Gentoo [workstation]" + select GRKERNSEC_LINK 
@@ -337,108 +235,6 @@ Ned Ludd <solar@gentoo.org> + disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable + impact on performance. + -+config GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC -+ bool "Hardened Gentoo [workstation no rbac]" -+ select GRKERNSEC_LINK -+ select GRKERNSEC_FIFO -+ select GRKERNSEC_EXECVE -+ select GRKERNSEC_DMESG -+ select GRKERNSEC_FORKFAIL -+ select GRKERNSEC_TIME -+ select GRKERNSEC_SIGNAL -+ select GRKERNSEC_CHROOT -+ select GRKERNSEC_CHROOT_SHMAT -+ select GRKERNSEC_CHROOT_UNIX -+ select GRKERNSEC_CHROOT_MOUNT -+ select GRKERNSEC_CHROOT_FCHDIR -+ select GRKERNSEC_CHROOT_PIVOT -+ select GRKERNSEC_CHROOT_DOUBLE -+ select GRKERNSEC_CHROOT_CHDIR -+ select GRKERNSEC_CHROOT_MKNOD -+ select GRKERNSEC_CHROOT_CAPS -+ select GRKERNSEC_CHROOT_SYSCTL -+ select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_PROC -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) -+ select GRKERNSEC_HIDESYM -+ select GRKERNSEC_BRUTE -+ select GRKERNSEC_PROC_USERGROUP -+ select GRKERNSEC_KMEM -+ select GRKERNSEC_RESLOG -+ select GRKERNSEC_RANDNET -+ select GRKERNSEC_CHROOT_CHMOD -+ select GRKERNSEC_CHROOT_NICE -+ select GRKERNSEC_AUDIT_MOUNT -+ select GRKERNSEC_MODHARDEN if (MODULES) -+ select GRKERNSEC_VM86 if (X86_32) -+ select GRKERNSEC_PROC_IPADDR -+ select GRKERNSEC_SYSCTL -+ select GRKERNSEC_SYSCTL_ON -+ select GRKERNSEC_NO_RBAC -+ select PAX -+ select PAX_RANDUSTACK -+ select PAX_ASLR -+ select PAX_RANDMMAP -+ select PAX_NOEXEC -+ select PAX_MPROTECT -+ select PAX_EI_PAX -+ select PAX_PT_PAX_FLAGS -+ select PAX_NO_ACL_FLAGS -+ # select PAX_KERNEXEC if (X86 && (!X86_32 || X86_WP_WORKS_OK)) -+ select PAX_MEMORY_UDEREF if (X86_32) -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64) -+ select PAX_SEGMEXEC if (X86_32) -+ select PAX_PAGEEXEC -+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) -+ select PAX_EMUTRAMP if (PARISC) -+ select PAX_EMUSIGRT if (PARISC) -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) -+ select PAX_REFCOUNT 
if (X86 || SPARC64) -+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) -+ select PAX_MEMORY_SANITIZE -+ help -+ If you say Y here, a configuration will be used that is endorsed by -+ the Hardened Gentoo project. Therefore, many of the protections -+ made available by grsecurity and PaX will be enabled. -+ -+ Hardened Gentoo's pre-defined security levels are designed to provide -+ a high level of security while minimizing incompatibilities with the -+ majority of available software. For further information, please -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as -+ well as the Hardened Gentoo Primer at -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>. -+ -+ This Hardened Gentoo [workstation] level is designed for machines -+ which are intended to run software not compatible with the -+ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity. -+ Accordingly, this security level is suitable for use with the X server -+ "Xorg" and/or any system that will act as host OS to the virtualization -+ softwares vmware-server or virtualbox. -+ -+ You may wish to emerge paxctl, a utility which allows you to toggle -+ PaX features on problematic binaries on an individual basis. Note that -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header. -+ Translated, this means that if you wish to toggle PaX features on -+ binaries provided by applications that are distributed only in binary -+ format (rather than being built locally from sources), you will need to -+ run paxctl -C on the binaries beforehand so as to inject the missing -+ headers. -+ -+ When this level is selected, some options cannot be changed. However, -+ you may opt to fully customize the options that are selected by -+ choosing "Custom" in the Security Level menu. 
You may find it helpful -+ to inherit the options selected by the "Hardened Gentoo [workstation]" -+ security level as a starting point for further configuration. To -+ accomplish this, select this security level then exit the menuconfig -+ interface, saving changes when prompted. Then, run make menuconfig -+ again and select the "Custom" level. -+ -+ Note that this security level probably should not be used if the -+ target system is a 32bit x86 virtualized guest. If you intend to run -+ the kernel in a 32bit x86 virtualized guest you will likely need to -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable -+ impact on performance. -+ config GRKERNSEC_CUSTOM bool "Custom" help |