
Bug#605090: Updated patch



On mar., 2011-01-04 at 12:25 +0100, Yves-Alexis Perez wrote:
> I've put updated patches on
> http://molly.corsac.net/~corsac/debian/kernel-grsec/patches/ (kernel is
> built but not uploaded to packages/ since it's quite huge, will do that
> at one point. Patches are attached to that mail too. 
> 
> The first one (add-grsecurity-featureset) is against the debian kernel
> svn tree and adds the featureset, while the second (debian-grsecurity) is
> against the grsecurity upstream patch and adapts it to the current
> debian kernel sources (removes the stuff already backported by the
> kernel team etc.). 
> I expect it to be really smaller for 2.6.37. 

I've started working on 2.6.37 since Brad Spengler recently released
the grsecurity patch for that kernel.

The result is the attached patches. Basically the only thing needed now is
to remove the localversion since we already get it from the featureset.

Initial packaging for linux-grsec-base is at
http://git.debian.org/?p=collab-maint/linux-grsec-base.git;a=summary if
needed.

Kernel team, what do you think? Could the patches be merged against
trunk? Config might still need some reviewing but that can be done once
people start testing the packages.

Regards,
-- 
Yves-Alexis Perez
ANSSI/ACE/LAM
Index: debian/changelog
===================================================================
--- debian/changelog	(revision 16824)
+++ debian/changelog	(working copy)
@@ -4,6 +4,9 @@
   * [arm] ixp4xx: Revert build fix, now applied upstream which resulted
     in another build failure
 
+  [ Yves-Alexis Perez ]
+  * Add a grsecurity featureset.
+
  -- Ben Hutchings <ben@decadent.org.uk>  Mon, 10 Jan 2011 00:39:29 +0000
 
 linux-2.6 (2.6.37-1~experimental.1) experimental; urgency=low
Index: debian/patches/series/base-extra
===================================================================
--- debian/patches/series/base-extra	(revision 16824)
+++ debian/patches/series/base-extra	(working copy)
@@ -1 +1 @@
-
++ features/all/grsec/grsecurity-2.2.1-2.6.37-201101172105+debian.patch featureset=grsec
Index: debian/config/i386/grsec/defines
===================================================================
--- debian/config/i386/grsec/defines	(revision 0)
+++ debian/config/i386/grsec/defines	(revision 0)
@@ -0,0 +1,9 @@
+[base]
+flavours:
+ 686
+ amd64
+
+[grsec]
+flavours:
+ i386
+ amd64
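Review bot: the two flavour lists in this new file disagree: [base] names 686 and amd64, while [grsec] names i386 and amd64. The featureset flavours should use the same names as the base flavours they derive from (686 or i386, not one in each section), so fix whichever is wrong; the amd64 counterpart in this patch has only a [base] section, so decide at the same time whether a [grsec] section is needed in both files or in neither.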
Index: debian/config/i386/defines
===================================================================
--- debian/config/i386/defines	(revision 16824)
+++ debian/config/i386/defines	(working copy)
@@ -3,6 +3,7 @@
  openvz
  vserver
  xen
+ grsec
 flavours:
  486
  686
Index: debian/config/featureset-grsec/config
===================================================================
--- debian/config/featureset-grsec/config	(revision 0)
+++ debian/config/featureset-grsec/config	(revision 0)
@@ -0,0 +1,152 @@
+# Disable XEN for UDEREF support
+CONFIG_XEN=n
+
+CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y
+# enforce read-only kernel data
+CONFIG_DEBUG_RODATA=y
+
+#
+# Grsecurity
+#
+CONFIG_GRKERNSEC=y
+# CONFIG_GRKERNSEC_LOW is not set
+# CONFIG_GRKERNSEC_MEDIUM is not set
+CONFIG_GRKERNSEC_HIGH=y
+# CONFIG_GRKERNSEC_CUSTOM is not set
+
+#
+# Address Space Protection
+#
+CONFIG_GRKERNSEC_KMEM=y
+CONFIG_GRKERNSEC_IO=y
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODHARDEN=y
+CONFIG_GRKERNSEC_HIDESYM=y
+
+#
+# Role Based Access Control Options
+#
+# CONFIG_GRKERNSEC_NO_RBAC is not set
+CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+CONFIG_GRKERNSEC_PROC=y
+CONFIG_GRKERNSEC_PROC_USER=y
+CONFIG_GRKERNSEC_PROC_USERGROUP=y
+CONFIG_GRKERNSEC_PROC_GID=64044
+CONFIG_GRKERNSEC_PROC_ADD=y
+CONFIG_GRKERNSEC_LINK=y
+CONFIG_GRKERNSEC_FIFO=y
+CONFIG_GRKERNSEC_ROFS=y
+CONFIG_GRKERNSEC_CHROOT=y
+CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+CONFIG_GRKERNSEC_CHROOT_CAPS=y
+
+#
+# Kernel Auditing
+#
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
+# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_RESLOG=y
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+CONFIG_GRKERNSEC_TIME=y
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_EXECVE=y
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+CONFIG_GRKERNSEC_TPE=y
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_INVERT=y
+CONFIG_GRKERNSEC_TPE_GID=64040
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_BLACKHOLE=y
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=64041
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=64042
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=64043
+
+#
+# Sysctl support
+#
+CONFIG_GRKERNSEC_SYSCTL=y
+CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
+CONFIG_GRKERNSEC_SYSCTL_ON=y
+
+#
+# Logging Options
+#
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=4
+
+#
+# PaX
+#
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+CONFIG_PAX_SOFTMODE=y
+CONFIG_PAX_EI_PAX=y
+CONFIG_PAX_PT_PAX_FLAGS=y
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+# CONFIG_PAX_EMUTRAMP is not set
+CONFIG_PAX_MPROTECT=y
+CONFIG_PAX_ELFRELOCS=y
+CONFIG_PAX_KERNEXEC=y
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+
+#
+# Miscellaneous hardening features
+#
+CONFIG_PAX_MEMORY_SANITIZE=y
+CONFIG_PAX_MEMORY_UDEREF=y
+CONFIG_PAX_REFCOUNT=y
+CONFIG_PAX_USERCOPY=y
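Review bot: the group IDs hard-coded here (CONFIG_GRKERNSEC_TPE_GID=64040, CONFIG_GRKERNSEC_SOCKET_ALL_GID=64041, CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=64042, CONFIG_GRKERNSEC_SOCKET_SERVER_GID=64043, CONFIG_GRKERNSEC_PROC_GID=64044) only work if groups with exactly those IDs are created by linux-grsec-base, which is not part of this patch; a comment next to each naming the group and where it is allocated would make that coupling visible. With CONFIG_GRKERNSEC_TPE_INVERT=y, 64040 is the trusted group and every user outside it is subject to TPE, which is worth stating in that comment. Two smaller points: CONFIG_XEN=n is the only option in this file disabled with =n while everything else uses the "# CONFIG_FOO is not set" form, so use that form here too; and since CONFIG_GRKERNSEC_HIGH=y is selected rather than CONFIG_GRKERNSEC_CUSTOM, confirm after the config merge that the individual CONFIG_GRKERNSEC_* values listed below it are kept rather than overridden by the level preset.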
Index: debian/config/featureset-grsec/defines
===================================================================
--- debian/config/featureset-grsec/defines	(revision 0)
+++ debian/config/featureset-grsec/defines	(revision 0)
@@ -0,0 +1,8 @@
+[description]
+part-long-grsec: This kernel includes support for Grsecurity and PaX security hardening features
+part-short-grsec: Grsecurity and PaX protection
+parts: grsec
+
+[image]
+depends: linux-grsec-base,, paxctl
+recommends: gradm2
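Review bot: `depends: linux-grsec-base,, paxctl` has a doubled comma, which reads as an empty relation between the two packages; unless the defines parser in gencontrol uses `,,` as its separator, this should be `depends: linux-grsec-base, paxctl`.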
Index: debian/config/amd64/grsec/config
===================================================================
--- debian/config/amd64/grsec/config	(revision 0)
+++ debian/config/amd64/grsec/config	(revision 0)
@@ -0,0 +1,5 @@
+#
+# PaX
+#
+CONFIG_PAX_PER_CPU_PGD=y
+CONFIG_TASK_SIZE_MAX_SHIFT=42
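Review bot: CONFIG_TASK_SIZE_MAX_SHIFT=42 and CONFIG_PAX_PER_CPU_PGD=y are set without any explanation, unlike CONFIG_XEN in the featureset config, which carries a comment; add a comment saying why the amd64 flavour needs these (presumably for CONFIG_PAX_MEMORY_UDEREF, which the featureset config enables), so the values are not silently carried forward when a later grsecurity release changes its requirements.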
Index: debian/config/amd64/grsec/defines
===================================================================
--- debian/config/amd64/grsec/defines	(revision 0)
+++ debian/config/amd64/grsec/defines	(revision 0)
@@ -0,0 +1,4 @@
+[base]
+flavours:
+ amd64
+
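Review bot: this file carries only a [base] section, whereas the i386 counterpart in this patch also has a [grsec] section listing flavours; the two architectures should be set up the same way, so either add the section here or drop it there. The hunk also ends with an added empty line, leaving a trailing blank line in the new file.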
Index: debian/config/amd64/defines
===================================================================
--- debian/config/amd64/defines	(revision 16824)
+++ debian/config/amd64/defines	(working copy)
@@ -3,6 +3,7 @@
  openvz
  vserver
  xen
+ grsec
 flavours:
  amd64
 kernel-arch: x86
Index: debian/config/defines
===================================================================
--- debian/config/defines	(revision 16824)
+++ debian/config/defines	(working copy)
@@ -23,6 +23,7 @@
  openvz
  vserver
  xen
+ grsec
 
 [featureset-openvz_base]
 enabled: false
@@ -37,6 +38,9 @@
 part-long-xen: This kernel also runs on a Xen hypervisor.
  It supports only unprivileged (domU) operation.
 
+[featureset-grsec_base]
+enabled: true
+
 [image]
 initramfs-generators: initramfs-tools initramfs-fallback
 type: plain
--- grsecurity-2.2.1-2.6.37-201101172105.patch	2011-01-18 03:14:16.000000000 +0100
+++ grsecurity-2.2.1-2.6.37-201101172105+debian.patch	2011-01-18 10:41:09.230593756 +0100
@@ -51816,11 +51816,6 @@ diff -urNp linux-2.6.37/lib/vsprintf.c l
  			break;
  		}
  
-diff -urNp linux-2.6.37/localversion-grsec linux-2.6.37/localversion-grsec
---- linux-2.6.37/localversion-grsec	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.37/localversion-grsec	2011-01-17 02:41:02.000000000 -0500
-@@ -0,0 +1 @@
-+-grsec
 diff -urNp linux-2.6.37/Makefile linux-2.6.37/Makefile
 --- linux-2.6.37/Makefile	2011-01-04 19:50:19.000000000 -0500
 +++ linux-2.6.37/Makefile	2011-01-17 02:41:02.000000000 -0500
