From: Anthony G. Basile
From: Gordon Malm
From: Jory A. Pratt
From: Kerin Millar

Add Hardened Gentoo [server/workstation] predefined grsecurity levels. They're designed to provide a comparatively high level of security while remaining generally suitable for as great a majority of the userbase as possible (particularly new users).

Make Hardened Gentoo [workstation] predefined grsecurity level the default. The Hardened Gentoo [server] level is more restrictive and conflicts with some software and thus would be less suitable.

The original version of this patch was conceived and created by: Ned Ludd

diff -Naur linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig linux-2.6.37-hardened-r2/grsecurity/Kconfig --- linux-2.6.37-hardened-r2.orig/grsecurity/Kconfig 2011-02-21 11:47:15.000000000 -0500 +++ linux-2.6.37-hardened-r2/grsecurity/Kconfig 2011-02-21 11:48:08.000000000 -0500 @@ -18,7 +18,7 @@ choice prompt "Security Level" depends on GRKERNSEC - default GRKERNSEC_CUSTOM + default GRKERNSEC_HARDENED_WORKSTATION config GRKERNSEC_LOW bool "Low" 
@@ -191,6 +191,261 @@ - Ptrace restrictions - Restricted vm86 mode +config GRKERNSEC_HARDENED_SERVER + bool "Hardened Gentoo [server]" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_EXECVE + select GRKERNSEC_DMESG + select GRKERNSEC_FORKFAIL + select GRKERNSEC_TIME + select GRKERNSEC_SIGNAL + select GRKERNSEC_CHROOT + select GRKERNSEC_CHROOT_SHMAT + select GRKERNSEC_CHROOT_UNIX + select GRKERNSEC_CHROOT_MOUNT + select GRKERNSEC_CHROOT_FCHDIR + select GRKERNSEC_CHROOT_PIVOT + select GRKERNSEC_CHROOT_DOUBLE + select GRKERNSEC_CHROOT_CHDIR + select GRKERNSEC_CHROOT_MKNOD + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM + select GRKERNSEC_BRUTE + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET + select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX + select PAX_RANDUSTACK + select PAX_ASLR + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) + select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) + select PAX_USERCOPY if ((X86 
|| PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. + These pre-defined security levels are designed to provide a high + level of security while minimizing incompatibilities with a majority + of Gentoo's available software. + + This "Hardened Gentoo [server]" level is identical to the + "Hardened Gentoo [workstation]" level, but with GRKERNSEC_IO, + and GRKERNSEC_PROC_ADD enabled. Accordingly, this is the preferred + security level if the system will not be utilizing software incompatible + with these features. + + When this level is selected, some security features will be forced on, + while others will default to their suggested values of off or on. The + later can be tweaked at the user's discretion, but may cause problems + in some situations. You can fully customize all grsecurity/PaX features + by choosing "Custom" in the Security Level menu. It may be helpful to + inherit the options selected by this security level as a starting point. + To accomplish this, select this security level, then exit the menuconfig + interface, saving changes when prompted. Run make menuconfig again and + select the "Custom" level. 
+ +config GRKERNSEC_HARDENED_WORKSTATION + bool "Hardened Gentoo [workstation]" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_EXECVE + select GRKERNSEC_DMESG + select GRKERNSEC_FORKFAIL + select GRKERNSEC_TIME + select GRKERNSEC_SIGNAL + select GRKERNSEC_CHROOT + select GRKERNSEC_CHROOT_SHMAT + select GRKERNSEC_CHROOT_UNIX + select GRKERNSEC_CHROOT_MOUNT + select GRKERNSEC_CHROOT_FCHDIR + select GRKERNSEC_CHROOT_PIVOT + select GRKERNSEC_CHROOT_DOUBLE + select GRKERNSEC_CHROOT_CHDIR + select GRKERNSEC_CHROOT_MKNOD + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM + select GRKERNSEC_BRUTE + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET + # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) + # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX + select PAX_RANDUSTACK + select PAX_ASLR + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) + # select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB 
|| SLOB)) + select PAX_MEMORY_SANITIZE + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. + These pre-defined security levels are designed to provide a high + level of security while minimizing incompatibilities with a majority + of Gentoo's available software. + + This "Hardened Gentoo [workstation]" level is identical to the + "Hardened Gentoo [server]" level, but with GRKERNSEC_IO and + GRKERNSEC_PROC_ADD disabled. Accordingly, this is the preferred + security level if the system will be utilizing software incompatible + with these features. + + When this level is selected, some security features will be forced on, + while others will default to their suggested values of off or on. The + later can be tweaked at the user's discretion, but may cause problems + in some situations. You can fully customize all grsecurity/PaX features + by choosing "Custom" in the Security Level menu. It may be helpful to + inherit the options selected by this security level as a starting point. + To accomplish this, select this security level, then exit the menuconfig + interface, saving changes when prompted. Run make menuconfig again and + select the "Custom" level. 
+ +config GRKERNSEC_HARDENED_VIRTUALIZATION + bool "Hardened Gentoo [virtualization]" + select GRKERNSEC_LINK + select GRKERNSEC_FIFO + select GRKERNSEC_EXECVE + select GRKERNSEC_DMESG + select GRKERNSEC_FORKFAIL + select GRKERNSEC_TIME + select GRKERNSEC_SIGNAL + select GRKERNSEC_CHROOT + select GRKERNSEC_CHROOT_SHMAT + select GRKERNSEC_CHROOT_UNIX + select GRKERNSEC_CHROOT_MOUNT + select GRKERNSEC_CHROOT_FCHDIR + select GRKERNSEC_CHROOT_PIVOT + select GRKERNSEC_CHROOT_DOUBLE + select GRKERNSEC_CHROOT_CHDIR + select GRKERNSEC_CHROOT_MKNOD + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM + select GRKERNSEC_BRUTE + select GRKERNSEC_PROC_USERGROUP + select GRKERNSEC_KMEM + select GRKERNSEC_RESLOG + select GRKERNSEC_RANDNET + # select GRKERNSEC_PROC_ADD + select GRKERNSEC_CHROOT_CHMOD + select GRKERNSEC_CHROOT_NICE + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE + select GRKERNSEC_VM86 if (X86_32) + # select GRKERNSEC_IO if (X86) + select GRKERNSEC_PROC_IPADDR + select GRKERNSEC_RWXMAP_LOG + select GRKERNSEC_SYSCTL + select GRKERNSEC_SYSCTL_ON + select PAX + select PAX_RANDUSTACK + select PAX_ASLR + select PAX_RANDMMAP + select PAX_NOEXEC + select PAX_MPROTECT + select PAX_EI_PAX + select PAX_PT_PAX_FLAGS + select PAX_HAVE_ACL_FLAGS + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) + # select PAX_MEMORY_UDEREF if (X86 && !XEN) + select PAX_RANDKSTACK if (X86_TSC && !X86_64) + select PAX_SEGMEXEC if (X86_32) + select PAX_PAGEEXEC + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64) + select PAX_EMUTRAMP if (PARISC) + select PAX_EMUSIGRT if (PARISC) + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) + select PAX_REFCOUNT if (X86 || SPARC64) + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB 
|| SLUB || SLOB)) + select PAX_MEMORY_SANITIZE + help + If you say Y here, a configuration for grsecurity/PaX features + will be used that is endorsed by the Hardened Gentoo project. + These pre-defined security levels are designed to provide a high + level of security while minimizing incompatibilities with a majority + of Gentoo's available software. + + This "Hardened Gentoo [virtualization]" level is identical to the + "Hardened Gentoo [workstation]" level, but with the PAX_KERNEXEC and + PAX_MEMORY_UDEREF defaulting to off. Accordingly, this is the preferred + security level if the system will be utilizing virtualization software + incompatible with these features, like VirtualBox or kvm. + + When this level is selected, some security features will be forced on, + while others will default to their suggested values of off or on. The + later can be tweaked at the user's discretion, but may cause problems + in some situations. You can fully customize all grsecurity/PaX features + by choosing "Custom" in the Security Level menu. It may be helpful to + inherit the options selected by this security level as a starting point. + To accomplish this, select this security level, then exit the menuconfig + interface, saving changes when prompted. Run make menuconfig again and + select the "Custom" level. + config GRKERNSEC_CUSTOM bool "Custom" help diff -Naur linux-2.6.37-hardened-r2.orig/security/Kconfig linux-2.6.37-hardened-r2/security/Kconfig --- linux-2.6.37-hardened-r2.orig/security/Kconfig 2011-02-21 11:46:40.000000000 -0500 +++ linux-2.6.37-hardened-r2/security/Kconfig 2011-02-21 11:53:42.000000000 -0500 
@@ -324,8 +324,9 @@ config PAX_KERNEXEC bool "Enforce non-executable kernel pages" - depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) + default y if GRKERNSEC_HARDENED_WORKSTATION help This is the kernel land equivalent of PAGEEXEC and MPROTECT, that is, enabling this option will make it harder to inject @@ -461,8 +462,9 @@ config PAX_MEMORY_UDEREF bool "Prevent invalid userland pointer dereference" - depends on X86 && !UML_X86 && !XEN + depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION select PAX_PER_CPU_PGD if X86_64 + default y if GRKERNSEC_HARDENED_WORKSTATION help By saying Y here the kernel will be prevented from dereferencing userland pointers in contexts where the kernel expects only kernel
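
Review bot: In the grsecurity/Kconfig hunk at `@@ -191,6 +191,261 @@`, the help text of GRKERNSEC_HARDENED_SERVER understates how it differs from the workstation level. It names only GRKERNSEC_IO and GRKERNSEC_PROC_ADD, but the select lists also differ on PAX_KERNEXEC and PAX_MEMORY_UDEREF: the server level carries `select PAX_KERNEXEC if (...)` and `select PAX_MEMORY_UDEREF if (X86 && !XEN)`, while the workstation level has both commented out and gets them only through `default y if GRKERNSEC_HARDENED_WORKSTATION` in security/Kconfig. The two options are therefore forced on for server and merely default-on for workstation, where the user can switch them off; both help texts should say so. The same hunk also adds GRKERNSEC_HARDENED_VIRTUALIZATION, which the commit message ("[server/workstation]") does not mention. Smaller wording points in the three help texts: "The later can be tweaked" should read "latter", and "GRKERNSEC_IO, and GRKERNSEC_PROC_ADD" has a stray comma.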
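
Review bot: In the security/Kconfig hunk at `@@ -324,8 +324,9 @@`, the `&& !GRKERNSEC_HARDENED_VIRTUALIZATION` term added to the `depends on` line of PAX_KERNEXEC makes the option unavailable under the virtualization level, which does not match that level's help text ("defaulting to off", "can be tweaked at the user's discretion"). The virtualization select list in grsecurity/Kconfig is line for line the same as the workstation one, so this dependency is the entire difference between the two levels. If the intent is off by default but still selectable, drop the added dependency and rely on `default y if GRKERNSEC_HARDENED_WORKSTATION` alone, since a bool with no matching default is already n. If the intent is a hard disable, change the help text to say the option cannot be enabled at this level.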
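
Review bot: In the security/Kconfig hunk at `@@ -461,8 +462,9 @@`, the `depends on X86 && !UML_X86 && !XEN && !GRKERNSEC_HARDENED_VIRTUALIZATION` line for PAX_MEMORY_UDEREF is not mirrored by the server level, which forces the option with `select PAX_MEMORY_UDEREF if (X86 && !XEN)`. A `select` sets the symbol without evaluating its `depends on`, so the missing `!UML_X86` term means the server level can enable UDEREF in a configuration this entry otherwise excludes. Either add `!UML_X86` to the select condition, or remove the select and extend the default here to cover GRKERNSEC_HARDENED_SERVER so the dependency is checked in one place. The remark on the KERNEXEC hunk about `!GRKERNSEC_HARDENED_VIRTUALIZATION` versus "defaulting to off" applies to this line as well.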