ENABLE GRSECURITY

pull/5/head
xSmurf 9 years ago
parent d357c15df1
commit 786087a4fa

@ -148,7 +148,6 @@ CONFIG_LOG_BUF_SHIFT=17
CONFIG_LOG_CPU_MAX_BUF_SHIFT=17 CONFIG_LOG_CPU_MAX_BUF_SHIFT=17
CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
CONFIG_ARCH_SUPPORTS_INT128=y
# CONFIG_NUMA_BALANCING is not set # CONFIG_NUMA_BALANCING is not set
CONFIG_CGROUPS=y CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set # CONFIG_CGROUP_DEBUG is not set
@ -165,7 +164,6 @@ CONFIG_FAIR_GROUP_SCHED=y
# CONFIG_CFS_BANDWIDTH is not set # CONFIG_CFS_BANDWIDTH is not set
# CONFIG_RT_GROUP_SCHED is not set # CONFIG_RT_GROUP_SCHED is not set
# CONFIG_BLK_CGROUP is not set # CONFIG_BLK_CGROUP is not set
# CONFIG_CHECKPOINT_RESTORE is not set
CONFIG_NAMESPACES=y CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y CONFIG_UTS_NS=y
CONFIG_IPC_NS=y CONFIG_IPC_NS=y
@ -371,7 +369,6 @@ CONFIG_IOSF_MBI=y
# CONFIG_IOSF_MBI_DEBUG is not set # CONFIG_IOSF_MBI_DEBUG is not set
CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
CONFIG_SCHED_OMIT_FRAME_POINTER=y CONFIG_SCHED_OMIT_FRAME_POINTER=y
# CONFIG_HYPERVISOR_GUEST is not set
CONFIG_NO_BOOTMEM=y CONFIG_NO_BOOTMEM=y
# CONFIG_MK8 is not set # CONFIG_MK8 is not set
# CONFIG_MPSC is not set # CONFIG_MPSC is not set
@ -412,8 +409,6 @@ CONFIG_X86_MCE_INTEL=y
CONFIG_X86_MCE_THRESHOLD=y CONFIG_X86_MCE_THRESHOLD=y
# CONFIG_X86_MCE_INJECT is not set # CONFIG_X86_MCE_INJECT is not set
CONFIG_X86_THERMAL_VECTOR=y CONFIG_X86_THERMAL_VECTOR=y
CONFIG_X86_16BIT=y
CONFIG_X86_ESPFIX64=y
CONFIG_X86_VSYSCALL_EMULATION=y CONFIG_X86_VSYSCALL_EMULATION=y
# CONFIG_I8K is not set # CONFIG_I8K is not set
CONFIG_MICROCODE=y CONFIG_MICROCODE=y
@ -493,18 +488,16 @@ CONFIG_SECCOMP=y
CONFIG_HZ_1000=y CONFIG_HZ_1000=y
CONFIG_HZ=1000 CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
# CONFIG_KEXEC_FILE is not set
CONFIG_CRASH_DUMP=y CONFIG_CRASH_DUMP=y
CONFIG_PHYSICAL_START=0x1000000 CONFIG_PHYSICAL_START=0x1000000
CONFIG_RELOCATABLE=y CONFIG_RELOCATABLE=y
# CONFIG_RANDOMIZE_BASE is not set # CONFIG_RANDOMIZE_BASE is not set
CONFIG_PHYSICAL_ALIGN=0x200000 CONFIG_PHYSICAL_ALIGN=0x400000
CONFIG_HOTPLUG_CPU=y CONFIG_HOTPLUG_CPU=y
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
# CONFIG_COMPAT_VDSO is not set
# CONFIG_CMDLINE_BOOL is not set # CONFIG_CMDLINE_BOOL is not set
CONFIG_DEFAULT_MODIFY_LDT_SYSCALL=y
CONFIG_HAVE_LIVEPATCH=y CONFIG_HAVE_LIVEPATCH=y
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
CONFIG_USE_PERCPU_NUMA_NODE_ID=y CONFIG_USE_PERCPU_NUMA_NODE_ID=y
@ -514,7 +507,6 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y
# #
CONFIG_SUSPEND=y CONFIG_SUSPEND=y
CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND_FREEZER=y
# CONFIG_HIBERNATION is not set
CONFIG_PM_SLEEP=y CONFIG_PM_SLEEP=y
CONFIG_PM_SLEEP_SMP=y CONFIG_PM_SLEEP_SMP=y
# CONFIG_PM_AUTOSLEEP is not set # CONFIG_PM_AUTOSLEEP is not set
@ -1572,7 +1564,6 @@ CONFIG_UNIX98_PTYS=y
# CONFIG_N_GSM is not set # CONFIG_N_GSM is not set
# CONFIG_TRACE_SINK is not set # CONFIG_TRACE_SINK is not set
CONFIG_DEVMEM=y CONFIG_DEVMEM=y
CONFIG_DEVKMEM=y
# #
# Serial drivers # Serial drivers
@ -1615,7 +1606,6 @@ CONFIG_TCG_TIS=y
# CONFIG_TCG_CRB is not set # CONFIG_TCG_CRB is not set
# CONFIG_TCG_TIS_ST33ZP24 is not set # CONFIG_TCG_TIS_ST33ZP24 is not set
# CONFIG_TELCLOCK is not set # CONFIG_TELCLOCK is not set
CONFIG_DEVPORT=y
# CONFIG_XILLYBUS is not set # CONFIG_XILLYBUS is not set
# #
@ -3056,10 +3046,7 @@ CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
# Pseudo filesystems # Pseudo filesystems
# #
CONFIG_PROC_FS=y CONFIG_PROC_FS=y
# CONFIG_PROC_KCORE is not set
CONFIG_PROC_VMCORE=y
CONFIG_PROC_SYSCTL=y CONFIG_PROC_SYSCTL=y
CONFIG_PROC_PAGE_MONITOR=y
CONFIG_KERNFS=y CONFIG_KERNFS=y
CONFIG_SYSFS=y CONFIG_SYSFS=y
CONFIG_TMPFS=y CONFIG_TMPFS=y
@ -3200,10 +3187,6 @@ CONFIG_TIMER_STATS=y
# CONFIG_DEBUG_RT_MUTEXES is not set # CONFIG_DEBUG_RT_MUTEXES is not set
# CONFIG_DEBUG_SPINLOCK is not set # CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_MUTEXES is not set # CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
# CONFIG_PROVE_LOCKING is not set
# CONFIG_LOCK_STAT is not set
# CONFIG_DEBUG_ATOMIC_SLEEP is not set # CONFIG_DEBUG_ATOMIC_SLEEP is not set
# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
# CONFIG_LOCK_TORTURE_TEST is not set # CONFIG_LOCK_TORTURE_TEST is not set
@ -3229,9 +3212,7 @@ CONFIG_RCU_CPU_STALL_INFO=y
# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
# CONFIG_NOTIFIER_ERROR_INJECTION is not set # CONFIG_NOTIFIER_ERROR_INJECTION is not set
# CONFIG_FAULT_INJECTION is not set # CONFIG_FAULT_INJECTION is not set
# CONFIG_LATENCYTOP is not set
CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_USER_STACKTRACE_SUPPORT=y
CONFIG_NOP_TRACER=y CONFIG_NOP_TRACER=y
CONFIG_HAVE_FUNCTION_TRACER=y CONFIG_HAVE_FUNCTION_TRACER=y
@ -3287,7 +3268,6 @@ CONFIG_PROBE_EVENTS=y
# CONFIG_TEST_STRING_HELPERS is not set # CONFIG_TEST_STRING_HELPERS is not set
# CONFIG_TEST_KSTRTOX is not set # CONFIG_TEST_KSTRTOX is not set
# CONFIG_TEST_RHASHTABLE is not set # CONFIG_TEST_RHASHTABLE is not set
# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
# CONFIG_DMA_API_DEBUG is not set # CONFIG_DMA_API_DEBUG is not set
# CONFIG_TEST_LKM is not set # CONFIG_TEST_LKM is not set
# CONFIG_TEST_USER_COPY is not set # CONFIG_TEST_USER_COPY is not set
@ -3298,14 +3278,11 @@ CONFIG_PROBE_EVENTS=y
# CONFIG_SAMPLES is not set # CONFIG_SAMPLES is not set
CONFIG_HAVE_ARCH_KGDB=y CONFIG_HAVE_ARCH_KGDB=y
# CONFIG_KGDB is not set # CONFIG_KGDB is not set
# CONFIG_STRICT_DEVMEM is not set CONFIG_STRICT_DEVMEM=y
CONFIG_X86_VERBOSE_BOOTUP=y CONFIG_X86_VERBOSE_BOOTUP=y
CONFIG_EARLY_PRINTK=y CONFIG_EARLY_PRINTK=y
CONFIG_EARLY_PRINTK_DBGP=y CONFIG_EARLY_PRINTK_DBGP=y
# CONFIG_X86_PTDUMP is not set # CONFIG_X86_PTDUMP is not set
CONFIG_DEBUG_RODATA=y
CONFIG_DEBUG_RODATA_TEST=y
# CONFIG_DEBUG_SET_MODULE_RONX is not set
# CONFIG_DEBUG_NX_TEST is not set # CONFIG_DEBUG_NX_TEST is not set
CONFIG_DOUBLEFAULT=y CONFIG_DOUBLEFAULT=y
# CONFIG_DEBUG_TLBFLUSH is not set # CONFIG_DEBUG_TLBFLUSH is not set
@ -3330,6 +3307,189 @@ CONFIG_OPTIMIZE_INLINING=y
# #
# Security options # Security options
# #
#
# Grsecurity
#
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
CONFIG_GRKERNSEC_CONFIG_VIRT_NONE=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
#
# Default Special Groups
#
CONFIG_GRKERNSEC_PROC_GID=1001
#
# Customize Configuration
#
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Physical Protections
#
# CONFIG_GRKERNSEC_DENYUSB is not set
#
# Sysctl Support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=3
CONFIG_KEYS=y CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set # CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set # CONFIG_BIG_KEYS is not set
@ -3346,7 +3506,6 @@ CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set # CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y CONFIG_INTEGRITY_AUDIT=y

Loading…
Cancel
Save