kernel: Re-enable capabilities in chroots.

The grsecurity patch creates an option to disallow using most
of the capabilities. This is good to deny non-root users
to allow changing networking stuff (NET_ADMIN) and more.

However, we make a lot use of chroots, but to keep the chrooted
services able to their things, we need to give them the rights
to do so.

The change requires to change the grsecurity security level
option from HIGH to CUSTOM.

diff --git a/kernel/config-armv7hl-omap b/kernel/config-armv7hl-omap
index 66aba75a6e65e94e06dd1d2d9031f51ca4546139..e2fc0999786f3da60b77f1518f065c7cae4fbe47 100644 (file)
--- a/kernel/config-armv7hl-omap
+++ b/kernel/config-armv7hl-omap
@@ -574,6 +574,21 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=60
 # CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
 CONFIG_OC_ETM=y
 
+#
+# Kernel Auditing
+#
+CONFIG_GRKERNSEC_RWXMAP_LOG=y
+CONFIG_GRKERNSEC_AUDIT_TEXTREL=y
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_MPROTECT_COMPAT is not set
+CONFIG_PAX_ELFRELOCS=y
+
 #
 # Miscellaneous hardening features
 #

diff --git a/kernel/config-generic b/kernel/config-generic
index 79c38a99dfc9650a58d5fea65fb3d1bb8fd93c1d..1703ee3327efe676f35214675b82222c33a2b1ab 100644 (file)
--- a/kernel/config-generic
+++ b/kernel/config-generic
@@ -3852,8 +3852,8 @@ CONFIG_STRICT_DEVMEM=y
 CONFIG_GRKERNSEC=y
 # CONFIG_GRKERNSEC_LOW is not set
 # CONFIG_GRKERNSEC_MEDIUM is not set
-CONFIG_GRKERNSEC_HIGH=y
-# CONFIG_GRKERNSEC_CUSTOM is not set
+# CONFIG_GRKERNSEC_HIGH is not set
+CONFIG_GRKERNSEC_CUSTOM=y
 
 #
 # Memory Protections
@@ -3898,7 +3898,7 @@ CONFIG_GRKERNSEC_CHROOT_UNIX=y
 CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
 CONFIG_GRKERNSEC_CHROOT_NICE=y
 CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
-CONFIG_GRKERNSEC_CHROOT_CAPS=y
+# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
 
 #
 # Kernel Auditing
@@ -3914,8 +3914,6 @@ CONFIG_GRKERNSEC_SIGNAL=y
 CONFIG_GRKERNSEC_FORKFAIL=y
 CONFIG_GRKERNSEC_TIME=y
 CONFIG_GRKERNSEC_PROC_IPADDR=y
-CONFIG_GRKERNSEC_RWXMAP_LOG=y
-CONFIG_GRKERNSEC_AUDIT_TEXTREL=y
 
 #
 # Executable Protections
@@ -3936,8 +3934,7 @@ CONFIG_GRKERNSEC_BLACKHOLE=y
 #
 # Sysctl support
 #
-CONFIG_GRKERNSEC_SYSCTL=y
-CONFIG_GRKERNSEC_SYSCTL_ON=y
+# CONFIG_GRKERNSEC_SYSCTL is not set
 
 #
 # Logging Options
@@ -3964,11 +3961,6 @@ CONFIG_PAX_HAVE_ACL_FLAGS=y
 #
 # Non-executable pages
 #
-CONFIG_PAX_NOEXEC=y
-CONFIG_PAX_PAGEEXEC=y
-CONFIG_PAX_MPROTECT=y
-# CONFIG_PAX_MPROTECT_COMPAT is not set
-CONFIG_PAX_ELFRELOCS=y
 CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
 
 #

diff --git a/kernel/config-x86-generic b/kernel/config-x86-generic
index 0d707563c03c21972e239ccd78790756ee6c55aa..b9a309b400fc1f3edc5b11a5fb408fa388d2aaaf 100644 (file)
--- a/kernel/config-x86-generic
+++ b/kernel/config-x86-generic
@@ -774,10 +774,21 @@ CONFIG_OPTIMIZE_INLINING=y
 #
 # CONFIG_GRKERNSEC_IO is not set
 
+#
+# Kernel Auditing
+#
+CONFIG_GRKERNSEC_RWXMAP_LOG=y
+CONFIG_GRKERNSEC_AUDIT_TEXTREL=y
+
 #
 # Non-executable pages
 #
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
 CONFIG_PAX_EMUTRAMP=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_MPROTECT_COMPAT is not set
+CONFIG_PAX_ELFRELOCS=y
 
 #
 # Address Space Layout Randomization

diff --git a/kernel/kernel.nm b/kernel/kernel.nm
index ec46938c2d52832f82c7c3d74a5ba510bbd45064..f515447e726d526410275ede5d7951593ec1dd57 100644 (file)
--- a/kernel/kernel.nm
+++ b/kernel/kernel.nm
@@ -5,7 +5,7 @@
 
 name       = kernel
 version    = 3.2.12
-release    = 2
+release    = 3
 thisapp    = linux-%{version}
 
 maintainer = Michael Tremer <michael.tremer@ipfire.org>