From: Michael Tremer Date: Sun, 22 Apr 2012 12:26:16 +0000 (+0200) Subject: kernel: Re-enable capabilities in chroots. X-Git-Url: http://git.ipfire.org/?p=people%2Famarx%2Fipfire-3.x.git;a=commitdiff_plain;h=920b801b6e82dcc46a2d52e52167d977e281b5a6 kernel: Re-enable capabilities in chroots. The grsecurity patch creates an option to disallow using most of the capabilities. This is good to deny non-root users to allow changing networking stuff (NET_ADMIN) and more. However, we make a lot use of chroots, but to keep the chrooted services able to their things, we need to give them the rights to do so. The change requires to change the grsecurity security level option from HIGH to CUSTOM. --- diff --git a/kernel/config-armv7hl-omap b/kernel/config-armv7hl-omap index 66aba75a6..e2fc09997 100644 --- a/kernel/config-armv7hl-omap +++ b/kernel/config-armv7hl-omap @@ -574,6 +574,21 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=60 # CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set CONFIG_OC_ETM=y +# +# Kernel Auditing +# +CONFIG_GRKERNSEC_RWXMAP_LOG=y +CONFIG_GRKERNSEC_AUDIT_TEXTREL=y + +# +# Non-executable pages +# +CONFIG_PAX_NOEXEC=y +CONFIG_PAX_PAGEEXEC=y +CONFIG_PAX_MPROTECT=y +# CONFIG_PAX_MPROTECT_COMPAT is not set +CONFIG_PAX_ELFRELOCS=y + # # Miscellaneous hardening features # diff --git a/kernel/config-generic b/kernel/config-generic index 79c38a99d..1703ee332 100644 --- a/kernel/config-generic +++ b/kernel/config-generic @@ -3852,8 +3852,8 @@ CONFIG_STRICT_DEVMEM=y CONFIG_GRKERNSEC=y # CONFIG_GRKERNSEC_LOW is not set # CONFIG_GRKERNSEC_MEDIUM is not set -CONFIG_GRKERNSEC_HIGH=y -# CONFIG_GRKERNSEC_CUSTOM is not set +# CONFIG_GRKERNSEC_HIGH is not set +CONFIG_GRKERNSEC_CUSTOM=y # # Memory Protections @@ -3898,7 +3898,7 @@ CONFIG_GRKERNSEC_CHROOT_UNIX=y CONFIG_GRKERNSEC_CHROOT_FINDTASK=y CONFIG_GRKERNSEC_CHROOT_NICE=y CONFIG_GRKERNSEC_CHROOT_SYSCTL=y -CONFIG_GRKERNSEC_CHROOT_CAPS=y +# CONFIG_GRKERNSEC_CHROOT_CAPS is not set # # Kernel Auditing @@ -3914,8 +3914,6 @@ CONFIG_GRKERNSEC_SIGNAL=y CONFIG_GRKERNSEC_FORKFAIL=y CONFIG_GRKERNSEC_TIME=y CONFIG_GRKERNSEC_PROC_IPADDR=y -CONFIG_GRKERNSEC_RWXMAP_LOG=y -CONFIG_GRKERNSEC_AUDIT_TEXTREL=y # # Executable Protections @@ -3936,8 +3934,7 @@ CONFIG_GRKERNSEC_BLACKHOLE=y # # Sysctl support # -CONFIG_GRKERNSEC_SYSCTL=y -CONFIG_GRKERNSEC_SYSCTL_ON=y +# CONFIG_GRKERNSEC_SYSCTL is not set # # Logging Options @@ -3964,11 +3961,6 @@ CONFIG_PAX_HAVE_ACL_FLAGS=y # # Non-executable pages # -CONFIG_PAX_NOEXEC=y -CONFIG_PAX_PAGEEXEC=y -CONFIG_PAX_MPROTECT=y -# CONFIG_PAX_MPROTECT_COMPAT is not set -CONFIG_PAX_ELFRELOCS=y CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" # diff --git a/kernel/config-x86-generic b/kernel/config-x86-generic index 0d707563c..b9a309b40 100644 --- a/kernel/config-x86-generic +++ b/kernel/config-x86-generic @@ -774,10 +774,21 @@ CONFIG_OPTIMIZE_INLINING=y # # CONFIG_GRKERNSEC_IO is not set +# +# Kernel Auditing +# +CONFIG_GRKERNSEC_RWXMAP_LOG=y +CONFIG_GRKERNSEC_AUDIT_TEXTREL=y + # # Non-executable pages # +CONFIG_PAX_NOEXEC=y +CONFIG_PAX_PAGEEXEC=y CONFIG_PAX_EMUTRAMP=y +CONFIG_PAX_MPROTECT=y +# CONFIG_PAX_MPROTECT_COMPAT is not set +CONFIG_PAX_ELFRELOCS=y # # Address Space Layout Randomization diff --git a/kernel/kernel.nm b/kernel/kernel.nm index ec46938c2..f515447e7 100644 --- a/kernel/kernel.nm +++ b/kernel/kernel.nm @@ -5,7 +5,7 @@ name = kernel version = 3.2.12 -release = 2 +release = 3 thisapp = linux-%{version} maintainer = Michael Tremer