From: Arne Fitzenreiter <arne_f@ipfire.org>
Date: Sun, 8 Dec 2013 15:03:25 +0000 (+0100)
Subject: kernel: enable grsecurity on rpi kernel.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=8a2cf24a1f5de1e236d5514863b1f57cdd343f27

kernel: enable grsecurity on rpi kernel.
---

diff --git a/config/kernel/kernel.config.armv5tel-ipfire-rpi b/config/kernel/kernel.config.armv5tel-ipfire-rpi
index d343a9d35..3f6c8da3b 100644
--- a/config/kernel/kernel.config.armv5tel-ipfire-rpi
+++ b/config/kernel/kernel.config.armv5tel-ipfire-rpi
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm 3.10.11 Kernel Configuration
+# Linux/arm 3.10.22 Kernel Configuration
 #
 CONFIG_ARM=y
 CONFIG_SYS_SUPPORTS_APM_EMULATION=y
@@ -94,7 +94,6 @@ CONFIG_TINY_RCU=y
 # CONFIG_IKCONFIG is not set
 CONFIG_LOG_BUF_SHIFT=19
 # CONFIG_CGROUPS is not set
-# CONFIG_CHECKPOINT_RESTORE is not set
 CONFIG_NAMESPACES=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
@@ -187,6 +186,7 @@ CONFIG_MODULE_FORCE_UNLOAD=y
 # CONFIG_MODVERSIONS is not set
 # CONFIG_MODULE_SRCVERSION_ALL is not set
 # CONFIG_MODULE_SIG is not set
+CONFIG_STOP_MACHINE=y
 CONFIG_BLOCK=y
 CONFIG_LBDAF=y
 CONFIG_BLK_DEV_BSG=y
@@ -305,7 +305,6 @@ CONFIG_CPU_TLB_V6=y
 CONFIG_CPU_HAS_ASID=y
 CONFIG_CPU_CP15=y
 CONFIG_CPU_CP15_MMU=y
-CONFIG_CPU_USE_DOMAINS=y
 
 #
 # Processor Features
@@ -370,7 +369,6 @@ CONFIG_CLEANCACHE=y
 CONFIG_FRONTSWAP=y
 CONFIG_FORCE_MAX_ZONEORDER=11
 CONFIG_ALIGNMENT_TRAP=y
-# CONFIG_UACCESS_WITH_MEMCPY is not set
 CONFIG_SECCOMP=y
 CONFIG_CC_STACKPROTECTOR=y
 
@@ -825,7 +823,6 @@ CONFIG_L2TP_IP=m
 CONFIG_L2TP_ETH=m
 CONFIG_STP=m
 CONFIG_GARP=m
-CONFIG_MRP=m
 CONFIG_BRIDGE=m
 CONFIG_BRIDGE_IGMP_SNOOPING=y
 CONFIG_BRIDGE_VLAN_FILTERING=y
@@ -1012,7 +1009,8 @@ CONFIG_HAVE_BPF_JIT=y
 # Generic Driver Options
 #
 CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
-# CONFIG_DEVTMPFS is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
 # CONFIG_STANDALONE is not set
 # CONFIG_PREVENT_FIRMWARE_BUILD is not set
 CONFIG_FW_LOADER=y
@@ -3766,7 +3764,6 @@ CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
 #
 CONFIG_PROC_FS=y
 CONFIG_PROC_SYSCTL=y
-CONFIG_PROC_PAGE_MONITOR=y
 CONFIG_SYSFS=y
 CONFIG_TMPFS=y
 CONFIG_TMPFS_POSIX_ACL=y
@@ -3977,7 +3974,6 @@ CONFIG_FRAME_POINTER=y
 # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
 # CONFIG_NOTIFIER_ERROR_INJECTION is not set
 # CONFIG_FAULT_INJECTION is not set
-# CONFIG_LATENCYTOP is not set
 # CONFIG_DEBUG_PAGEALLOC is not set
 CONFIG_HAVE_FUNCTION_TRACER=y
 CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
@@ -4014,6 +4010,158 @@ CONFIG_EARLY_PRINTK=y
 #
 # Security options
 #
+
+#
+# Grsecurity
+#
+CONFIG_PAX_USERCOPY_SLABS=y
+CONFIG_GRKERNSEC=y
+# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
+CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
+
+#
+# Customize Configuration
+#
+
+#
+# PaX
+#
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+# CONFIG_PAX_SOFTMODE is not set
+CONFIG_PAX_EI_PAX=y
+CONFIG_PAX_PT_PAX_FLAGS=y
+# CONFIG_PAX_XATTR_PAX_FLAGS is not set
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_MPROTECT_COMPAT is not set
+CONFIG_PAX_ELFRELOCS=y
+# CONFIG_PAX_KERNEXEC is not set
+CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+
+#
+# Miscellaneous hardening features
+#
+CONFIG_PAX_MEMORY_SANITIZE=y
+CONFIG_PAX_MEMORY_STRUCTLEAK=y
+CONFIG_PAX_MEMORY_UDEREF=y
+CONFIG_PAX_REFCOUNT=y
+CONFIG_PAX_USERCOPY=y
+# CONFIG_PAX_LATENT_ENTROPY is not set
+
+#
+# Memory Protections
+#
+# CONFIG_GRKERNSEC_KMEM is not set
+CONFIG_GRKERNSEC_JIT_HARDEN=y
+# CONFIG_GRKERNSEC_PERF_HARDEN is not set
+CONFIG_GRKERNSEC_RAND_THREADSTACK=y
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODHARDEN=y
+CONFIG_GRKERNSEC_HIDESYM=y
+CONFIG_GRKERNSEC_KERN_LOCKOUT=y
+
+#
+# Role Based Access Control Options
+#
+CONFIG_GRKERNSEC_NO_RBAC=y
+# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+# CONFIG_GRKERNSEC_PROC is not set
+CONFIG_GRKERNSEC_LINK=y
+# CONFIG_GRKERNSEC_SYMLINKOWN is not set
+CONFIG_GRKERNSEC_FIFO=y
+# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
+# CONFIG_GRKERNSEC_ROFS is not set
+CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
+CONFIG_GRKERNSEC_CHROOT=y
+# CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+# CONFIG_GRKERNSEC_CHROOT_MKNOD is not set
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
+CONFIG_GRKERNSEC_CHROOT_INITRD=y
+
+#
+# Kernel Auditing
+#
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
+# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_RESLOG=y
+# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
+# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
+# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
+# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+# CONFIG_GRKERNSEC_TIME is not set
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+# CONFIG_GRKERNSEC_RWXMAP_LOG is not set
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+CONFIG_GRKERNSEC_PTRACE_READEXEC=y
+CONFIG_GRKERNSEC_SETXID=y
+# CONFIG_GRKERNSEC_TPE is not set
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_BLACKHOLE=y
+CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
+# CONFIG_GRKERNSEC_SOCKET is not set
+
+#
+# Physical Protections
+#
+# CONFIG_GRKERNSEC_DENYUSB is not set
+
+#
+# Sysctl Support
+#
+# CONFIG_GRKERNSEC_SYSCTL is not set
+
+#
+# Logging Options
+#
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=6
 CONFIG_KEYS=y
 # CONFIG_ENCRYPTED_KEYS is not set
 CONFIG_KEYS_DEBUG_PROC_KEYS=y
@@ -4027,7 +4175,6 @@ CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_YAMA is not set
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
diff --git a/lfs/linux b/lfs/linux
index b35813a82..1a9f77038 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -26,7 +26,7 @@ include Config
 
 VER        = 3.10.22
 
-RPI_PATCHES = linux-3.10.10-c1af7c6
+RPI_PATCHES = linux-3.10.10-grsec-c1af7c6
 GRS_PATCHES = grsecurity-2.9.1-3.10.22-ipfire1.patch.xz
 
 THISAPP    = linux-$(VER)
@@ -75,7 +75,7 @@ rpi-patches-$(RPI_PATCHES).patch.xz	= $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES).p
 $(GRS_PATCHES)				= $(URL_IPFIRE)/$(GRS_PATCHES)
 
 $(DL_FILE)_MD5				= d2b030e809d0f03d2d6ddfcc5108d641
-rpi-patches-$(RPI_PATCHES).patch.xz_MD5	= ef9274b3ff5d05daaaa4bdbe86ad00fc
+rpi-patches-$(RPI_PATCHES).patch.xz_MD5	= f55981853573236069db5ad9fb7a4bd9
 $(GRS_PATCHES)_MD5			= 2fe9cf094b9069918f66b2b1895431eb
 
 install : $(TARGET)
@@ -122,11 +122,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Grsecurity-patches
 ifneq "$(KCFG)" "-headers"
-ifneq "$(KCFG)" "-rpi"
+#ifneq "$(KCFG)" "-rpi"
 	cd $(DIR_APP) && xz -c -d $(DIR_DL)/$(GRS_PATCHES) | patch -Np1
 	cd $(DIR_APP) && rm localversion-grsec
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.7-disable-compat_vdso.patch
-endif
+#endif
 endif
 
 	# Disable pcspeaker autoload