On Tue., 2011-01-04 at 12:25 +0100, Yves-Alexis Perez wrote:
> I've put updated patches on
> http://molly.corsac.net/~corsac/debian/kernel-grsec/patches/ (kernel is
> built but not uploaded to packages/ since it's quite huge, will do that
> at one point). Patches are attached to that mail too.
>
> The first one (add-grsecurity-featureset) is against the debian kernel
> svn tree and adds the featureset, while the second (debian-grsecurity) is
> against the grsecurity upstream patch and adapts it to the current
> debian kernel sources (removes the stuff already backported by the
> kernel team etc.).
> I expect it to be much smaller for 2.6.37.
I've started working on 2.6.37 since Brad Spengler recently released the grsecurity patch for that kernel. The result is the attached patches. Basically the only thing needed now is to remove the localversion, since we already get it from the featureset.

Initial packaging for linux-grsec-base is at http://git.debian.org/?p=collab-maint/linux-grsec-base.git;a=summary if needed.

Kernel team, what do you think? Could the patches be merged against trunk? The config might still need some reviewing, but that can be done once people start testing the packages.

Regards,
-- 
Yves-Alexis Perez
ANSSI/ACE/LAM
Index: debian/changelog =================================================================== --- debian/changelog (revision 16824) +++ debian/changelog (working copy) @@ -4,6 +4,9 @@ * [arm] ixp4xx: Revert build fix, now applied upstream which resulted in another build failure + [ Yves-Alexis Perez ] + * Add a grsecurity featureset. + -- Ben Hutchings <b...@decadent.org.uk> Mon, 10 Jan 2011 00:39:29 +0000 linux-2.6 (2.6.37-1~experimental.1) experimental; urgency=low Index: debian/patches/series/base-extra =================================================================== --- debian/patches/series/base-extra (revision 16824) +++ debian/patches/series/base-extra (working copy) @@ -1 +1 @@ - ++ features/all/grsec/grsecurity-2.2.1-2.6.37-201101172105+debian.patch featureset=grsec Index: debian/config/i386/grsec/defines =================================================================== --- debian/config/i386/grsec/defines (revision 0) +++ debian/config/i386/grsec/defines (revision 0) @@ -0,0 +1,9 @@ +[base] +flavours: + 686 + amd64 + +[grsec] +flavours: + i386 + amd64 Index: debian/config/i386/defines =================================================================== --- debian/config/i386/defines (revision 16824) +++ debian/config/i386/defines (working copy) @@ -3,6 +3,7 @@ openvz vserver xen + grsec flavours: 486 686 Index: debian/config/featureset-grsec/config =================================================================== --- debian/config/featureset-grsec/config (revision 0) +++ debian/config/featureset-grsec/config (revision 0) 
@@ -0,0 +1,152 @@ +# Disable XEN for UDEREF support +CONFIG_XEN=n + +CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y +# enforce read-only kernel data +CONFIG_DEBUG_RODATA=y + +# +# Grsecurity +# +CONFIG_GRKERNSEC=y +# CONFIG_GRKERNSEC_LOW is not set +# CONFIG_GRKERNSEC_MEDIUM is not set +CONFIG_GRKERNSEC_HIGH=y +# CONFIG_GRKERNSEC_CUSTOM is not set + +# +# Address Space Protection +# +CONFIG_GRKERNSEC_KMEM=y +CONFIG_GRKERNSEC_IO=y +CONFIG_GRKERNSEC_PROC_MEMMAP=y +CONFIG_GRKERNSEC_BRUTE=y +CONFIG_GRKERNSEC_MODHARDEN=y +CONFIG_GRKERNSEC_HIDESYM=y + +# +# Role Based Access Control Options +# +# CONFIG_GRKERNSEC_NO_RBAC is not set +CONFIG_GRKERNSEC_ACL_HIDEKERN=y +CONFIG_GRKERNSEC_ACL_MAXTRIES=3 +CONFIG_GRKERNSEC_ACL_TIMEOUT=30 + +# +# Filesystem Protections +# +CONFIG_GRKERNSEC_PROC=y +CONFIG_GRKERNSEC_PROC_USER=y +CONFIG_GRKERNSEC_PROC_USERGROUP=y +CONFIG_GRKERNSEC_PROC_GID=64044 +CONFIG_GRKERNSEC_PROC_ADD=y +CONFIG_GRKERNSEC_LINK=y +CONFIG_GRKERNSEC_FIFO=y +CONFIG_GRKERNSEC_ROFS=y +CONFIG_GRKERNSEC_CHROOT=y +CONFIG_GRKERNSEC_CHROOT_MOUNT=y +CONFIG_GRKERNSEC_CHROOT_DOUBLE=y +CONFIG_GRKERNSEC_CHROOT_PIVOT=y +CONFIG_GRKERNSEC_CHROOT_CHDIR=y +CONFIG_GRKERNSEC_CHROOT_CHMOD=y +CONFIG_GRKERNSEC_CHROOT_FCHDIR=y +CONFIG_GRKERNSEC_CHROOT_MKNOD=y +CONFIG_GRKERNSEC_CHROOT_SHMAT=y +CONFIG_GRKERNSEC_CHROOT_UNIX=y +CONFIG_GRKERNSEC_CHROOT_FINDTASK=y +CONFIG_GRKERNSEC_CHROOT_NICE=y +CONFIG_GRKERNSEC_CHROOT_SYSCTL=y +CONFIG_GRKERNSEC_CHROOT_CAPS=y + +# +# Kernel Auditing +# +# CONFIG_GRKERNSEC_AUDIT_GROUP is not set +# CONFIG_GRKERNSEC_EXECLOG is not set +CONFIG_GRKERNSEC_RESLOG=y +CONFIG_GRKERNSEC_CHROOT_EXECLOG=y +CONFIG_GRKERNSEC_AUDIT_PTRACE=y +# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set +CONFIG_GRKERNSEC_AUDIT_MOUNT=y +CONFIG_GRKERNSEC_SIGNAL=y +CONFIG_GRKERNSEC_FORKFAIL=y +CONFIG_GRKERNSEC_TIME=y +CONFIG_GRKERNSEC_PROC_IPADDR=y +# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set + +# +# Executable Protections +# +CONFIG_GRKERNSEC_EXECVE=y +CONFIG_GRKERNSEC_DMESG=y 
+CONFIG_GRKERNSEC_HARDEN_PTRACE=y +CONFIG_GRKERNSEC_TPE=y +CONFIG_GRKERNSEC_TPE_ALL=y +CONFIG_GRKERNSEC_TPE_INVERT=y +CONFIG_GRKERNSEC_TPE_GID=64040 + +# +# Network Protections +# +CONFIG_GRKERNSEC_RANDNET=y +CONFIG_GRKERNSEC_BLACKHOLE=y +CONFIG_GRKERNSEC_SOCKET=y +CONFIG_GRKERNSEC_SOCKET_ALL=y +CONFIG_GRKERNSEC_SOCKET_ALL_GID=64041 +CONFIG_GRKERNSEC_SOCKET_CLIENT=y +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=64042 +CONFIG_GRKERNSEC_SOCKET_SERVER=y +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=64043 + +# +# Sysctl support +# +CONFIG_GRKERNSEC_SYSCTL=y +CONFIG_GRKERNSEC_SYSCTL_DISTRO=y +CONFIG_GRKERNSEC_SYSCTL_ON=y + +# +# Logging Options +# +CONFIG_GRKERNSEC_FLOODTIME=10 +CONFIG_GRKERNSEC_FLOODBURST=4 + +# +# PaX +# +CONFIG_PAX=y + +# +# PaX Control +# +CONFIG_PAX_SOFTMODE=y +CONFIG_PAX_EI_PAX=y +CONFIG_PAX_PT_PAX_FLAGS=y +# CONFIG_PAX_NO_ACL_FLAGS is not set +CONFIG_PAX_HAVE_ACL_FLAGS=y +# CONFIG_PAX_HOOK_ACL_FLAGS is not set + +# +# Non-executable pages +# +CONFIG_PAX_NOEXEC=y +CONFIG_PAX_PAGEEXEC=y +# CONFIG_PAX_EMUTRAMP is not set +CONFIG_PAX_MPROTECT=y +CONFIG_PAX_ELFRELOCS=y +CONFIG_PAX_KERNEXEC=y + +# +# Address Space Layout Randomization +# +CONFIG_PAX_ASLR=y +CONFIG_PAX_RANDUSTACK=y +CONFIG_PAX_RANDMMAP=y + +# +# Miscellaneous hardening features +# +CONFIG_PAX_MEMORY_SANITIZE=y +CONFIG_PAX_MEMORY_UDEREF=y +CONFIG_PAX_REFCOUNT=y +CONFIG_PAX_USERCOPY=y Index: debian/config/featureset-grsec/defines =================================================================== --- debian/config/featureset-grsec/defines (revision 0) +++ debian/config/featureset-grsec/defines (revision 0) 
@@ -0,0 +1,8 @@ +[description] +part-long-grsec: This kernel includes support for Grsecurity and PaX security hardening features +part-short-grsec: Grsecurity and PaX protection +parts: grsec + +[image] +depends: linux-grsec-base,, paxctl +recommends: gradm2 Index: debian/config/amd64/grsec/config =================================================================== --- debian/config/amd64/grsec/config (revision 0) +++ debian/config/amd64/grsec/config (revision 0) @@ -0,0 +1,5 @@ +# +# PaX +# +CONFIG_PAX_PER_CPU_PGD=y +CONFIG_TASK_SIZE_MAX_SHIFT=42 Index: debian/config/amd64/grsec/defines =================================================================== --- debian/config/amd64/grsec/defines (revision 0) +++ debian/config/amd64/grsec/defines (revision 0) @@ -0,0 +1,4 @@ +[base] +flavours: + amd64 + Index: debian/config/amd64/defines =================================================================== --- debian/config/amd64/defines (revision 16824) +++ debian/config/amd64/defines (working copy) @@ -3,6 +3,7 @@ openvz vserver xen + grsec flavours: amd64 kernel-arch: x86 Index: debian/config/defines =================================================================== --- debian/config/defines (revision 16824) +++ debian/config/defines (working copy) @@ -23,6 +23,7 @@ openvz vserver xen + grsec [featureset-openvz_base] enabled: false @@ -37,6 +38,9 @@ part-long-xen: This kernel also runs on a Xen hypervisor. It supports only unprivileged (domU) operation. +[featureset-grsec_base] +enabled: true + [image] initramfs-generators: initramfs-tools initramfs-fallback type: plain
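Review bot: the changelog line "* Add a grsecurity featureset." in the debian/changelog hunk should also name the grsecurity release being merged, since the series entry pins grsecurity-2.2.1-2.6.37-201101172105 and the changelog is where people will look to see which upstream patch a given Debian build carries; e.g. "* Add a grsecurity featureset (grsecurity 2.2.1, patch 201101172105)."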
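Review bot: the debian/patches/series/base-extra hunk references features/all/grsec/grsecurity-2.2.1-2.6.37-201101172105+debian.patch, but no Index: entry for that file is part of this diff, so as posted the series cannot be applied; please say in the mail that the patch file is to be committed separately (the second attached diff only shows the delta against upstream grsecurity). A file name without the timestamp would also avoid touching base-extra on every grsecurity refresh, though that is a style preference.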
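Review bot: the [grsec] section in the new debian/config/i386/grsec/defines does not match its [base] section: [base] lists flavours 686 and amd64, [grsec] lists i386 and amd64, and "i386" is not a flavour that debian/config/i386/defines declares (the context shows 486 and 686). The other per-arch featureset defines in this patch (debian/config/amd64/grsec/defines) carry only a [base] section, so the [grsec] section here looks like a leftover and should be dropped or brought in line with [base].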
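Review bot: CONFIG_PAX_SOFTMODE=y in the debian/config/featureset-grsec/config hunk means the kernel boots with PaX enforcement off for every binary that has not been explicitly marked (paxctl / PT_PAX_FLAGS) until kernel.pax.softmode is switched to 0, so someone installing a package described as "Grsecurity and PaX protection" gets no NOEXEC, MPROTECT or ASLR enforcement by default; that needs stating in linux-grsec-base or the package description, and the default deserves an explicit decision. Further points in the same hunk: (1) CONFIG_GRKERNSEC_HIGH=y is a preset that turns on its options through Kconfig selects, so the individually listed CONFIG_GRKERNSEC_* lines are either redundant or, where they differ from the preset, silently overridden; CONFIG_GRKERNSEC_CUSTOM=y would make the listed values authoritative. (2) The hard-coded GIDs 64040-64044 (TPE, SOCKET_ALL, SOCKET_CLIENT, SOCKET_SERVER, PROC) fall in the 60000-64999 range that Debian Policy reserves for project-wide allocation, so they should be registered and created by linux-grsec-base's postinst; with CONFIG_GRKERNSEC_SYSCTL=y the TPE and socket GIDs can also be changed at runtime via the kernel.grsecurity.tpe_gid and socket_*_gid sysctls, which is worth documenting. (3) CONFIG_GRKERNSEC_TPE_ALL=y together with CONFIG_GRKERNSEC_TPE_INVERT=y restricts every non-root user, including members of the "trusted" GID 64040 (TPE_ALL applies regardless of the group), and CONFIG_GRKERNSEC_SYSCTL_ON=y arms it at boot; on a general-purpose distro kernel that will surprise users who execute from directories they do not own or that are group/world writable. (4) CONFIG_GRKERNSEC_IO=y makes ioperm/iopl fail and CONFIG_GRKERNSEC_KMEM=y closes /dev/mem and /dev/port, which the grsecurity help text itself notes breaks X servers that program the hardware from userspace and hwclock without kernel RTC support; document it. (5) CONFIG_PAX_ELFRELOCS=y relaxes MPROTECT for objects with text relocations; that is mostly an i386 need, so consider moving it to the i386 config and enabling CONFIG_GRKERNSEC_AUDIT_TEXTREL (currently "is not set") to find the offenders. (6) CONFIG_PAX_RANDKSTACK is neither set nor unset in the ASLR section, and for the non-PAE 686 flavour CONFIG_PAX_PAGEEXEC=y will run in PaX's slower emulation mode since the CPU offers no NX bit while CONFIG_PAX_SEGMEXEC is not mentioned at all; both should be decided explicitly so the build is deterministic.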
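Review bot: "depends: linux-grsec-base,, paxctl" in the debian/config/featureset-grsec/defines hunk has a doubled comma, which produces an empty element in the generated Depends field; it should read "depends: linux-grsec-base, paxctl". Since gradm2 is only a Recommends, the RBAC options compiled in (CONFIG_GRKERNSEC_ACL_*) stay inert on systems that skip it, which is fine but worth a sentence in part-long-grsec.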
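Review bot: the two amd64-only options in the debian/config/amd64/grsec/config hunk, CONFIG_PAX_PER_CPU_PGD=y and CONFIG_TASK_SIZE_MAX_SHIFT=42, are there to support CONFIG_PAX_MEMORY_UDEREF=y from the featureset config (per-CPU page directories and the shrunken 4 TiB user address space UDEREF uses on x86_64), but the only comment is "# PaX"; a comment tying them to UDEREF, like the "# Disable XEN for UDEREF support" comment in the featureset config, would keep the next person from dropping them.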
--- grsecurity-2.2.1-2.6.37-201101172105.patch 2011-01-18 03:14:16.000000000 +0100 +++ grsecurity-2.2.1-2.6.37-201101172105+debian.patch 2011-01-18 10:41:09.230593756 +0100 @@ -51816,11 +51816,6 @@ diff -urNp linux-2.6.37/lib/vsprintf.c l break; } -diff -urNp linux-2.6.37/localversion-grsec linux-2.6.37/localversion-grsec ---- linux-2.6.37/localversion-grsec 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.37/localversion-grsec 2011-01-17 02:41:02.000000000 -0500 -@@ -0,0 +1 @@ -+-grsec diff -urNp linux-2.6.37/Makefile linux-2.6.37/Makefile --- linux-2.6.37/Makefile 2011-01-04 19:50:19.000000000 -0500 +++ linux-2.6.37/Makefile 2011-01-17 02:41:02.000000000 -0500
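Review bot: the hunk drops localversion-grsec by hand-editing the upstream grsecurity diff, which has to be redone on every grsecurity refresh and makes the "+debian" variant hard to compare against upstream; a cheaper way to get the same effect is to apply the upstream patch unmodified and remove the file afterwards (a tiny second entry in the series under features/all/grsec, or an rm in debian/rules), so the Debian delta stays a one-line patch that can be reviewed and re-applied without regenerating the big one. This hunk is consistent with the mail's statement that removing the localversion is all that is left for 2.6.37.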