diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig index 2645296..2d6e3a8 100644 --- a/grsecurity/Kconfig +++ b/grsecurity/Kconfig @@ -1,214 +1,12 @@ # # grecurity configuration # - -menu "Grsecurity" - -config GRKERNSEC - bool "Grsecurity" - select CRYPTO - select CRYPTO_SHA256 - help - If you say Y here, you will be able to configure many features - that will enhance the security of your system. It is highly - recommended that you say Y here and read through the help - for each option so that you fully understand the features and - can evaluate their usefulness for your machine. - -choice - prompt "Security Level" - depends on GRKERNSEC - default GRKERNSEC_CUSTOM - -config GRKERNSEC_LOW - bool "Low" - select GRKERNSEC_LINK - select GRKERNSEC_FIFO - select GRKERNSEC_RANDNET - select GRKERNSEC_DMESG - select GRKERNSEC_CHROOT - select GRKERNSEC_CHROOT_CHDIR - - help - If you choose this option, several of the grsecurity options will - be enabled that will give you greater protection against a number - of attacks, while assuring that none of your software will have any - conflicts with the additional security measures. If you run a lot - of unusual software, or you are having problems with the higher - security levels, you should say Y here. With this option, the - following features are enabled: - - - Linking restrictions - - FIFO restrictions - - Restricted dmesg - - Enforced chdir("/") on chroot - - Runtime module disabling - -config GRKERNSEC_MEDIUM - bool "Medium" - select PAX - select PAX_EI_PAX - select PAX_PT_PAX_FLAGS - select PAX_HAVE_ACL_FLAGS - select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) - select GRKERNSEC_CHROOT - select GRKERNSEC_CHROOT_SYSCTL - select GRKERNSEC_LINK - select GRKERNSEC_FIFO - select GRKERNSEC_DMESG - select GRKERNSEC_RANDNET - select GRKERNSEC_FORKFAIL - select GRKERNSEC_TIME - select GRKERNSEC_SIGNAL - select GRKERNSEC_CHROOT - select GRKERNSEC_CHROOT_UNIX - select GRKERNSEC_CHROOT_MOUNT - select GRKERNSEC_CHROOT_PIVOT - select GRKERNSEC_CHROOT_DOUBLE - select GRKERNSEC_CHROOT_CHDIR - select GRKERNSEC_CHROOT_MKNOD - select GRKERNSEC_PROC - select GRKERNSEC_PROC_USERGROUP - select PAX_RANDUSTACK - select PAX_ASLR - select PAX_RANDMMAP - select PAX_REFCOUNT if (X86 || SPARC64) - select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB)) - - help - If you say Y here, several features in addition to those included - in the low additional security level will be enabled. These - features provide even more security to your system, though in rare - cases they may be incompatible with very old or poorly written - software. If you enable this option, make sure that your auth - service (identd) is running as gid 1001. With this option, - the following features (in addition to those provided in the - low additional security level) will be enabled: - - - Failed fork logging - - Time change logging - - Signal logging - - Deny mounts in chroot - - Deny double chrooting - - Deny sysctl writes in chroot - - Deny mknod in chroot - - Deny access to abstract AF_UNIX sockets out of chroot - - Deny pivot_root in chroot - - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port - - /proc restrictions with special GID set to 10 (usually wheel) - - Address Space Layout Randomization (ASLR) - - Prevent exploitation of most refcount overflows - - Bounds checking of copying between the kernel and userland - -config GRKERNSEC_HIGH - bool "High" - select GRKERNSEC_LINK - select GRKERNSEC_FIFO - select GRKERNSEC_DMESG - select GRKERNSEC_FORKFAIL - select GRKERNSEC_TIME - select GRKERNSEC_SIGNAL - select GRKERNSEC_CHROOT - select GRKERNSEC_CHROOT_SHMAT - select GRKERNSEC_CHROOT_UNIX - select GRKERNSEC_CHROOT_MOUNT - select GRKERNSEC_CHROOT_FCHDIR - select GRKERNSEC_CHROOT_PIVOT - select GRKERNSEC_CHROOT_DOUBLE - select GRKERNSEC_CHROOT_CHDIR - select GRKERNSEC_CHROOT_MKNOD - select GRKERNSEC_CHROOT_CAPS - select GRKERNSEC_CHROOT_SYSCTL - select GRKERNSEC_CHROOT_FINDTASK - select GRKERNSEC_SYSFS_RESTRICT - select GRKERNSEC_PROC - select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) - select GRKERNSEC_HIDESYM - select GRKERNSEC_BRUTE - select GRKERNSEC_PROC_USERGROUP - select GRKERNSEC_KMEM - select GRKERNSEC_RESLOG - select GRKERNSEC_RANDNET - select GRKERNSEC_PROC_ADD - select GRKERNSEC_CHROOT_CHMOD - select GRKERNSEC_CHROOT_NICE - select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS) - select GRKERNSEC_AUDIT_MOUNT - select GRKERNSEC_MODHARDEN if (MODULES) - select GRKERNSEC_HARDEN_PTRACE - select GRKERNSEC_PTRACE_READEXEC - select GRKERNSEC_VM86 if (X86_32) - select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC) - select PAX - select PAX_RANDUSTACK - select PAX_ASLR - select PAX_RANDMMAP - select PAX_NOEXEC - select PAX_MPROTECT - select PAX_EI_PAX - select PAX_PT_PAX_FLAGS - select PAX_HAVE_ACL_FLAGS - select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) - select PAX_MEMORY_UDEREF if (X86 && !XEN) - select PAX_RANDKSTACK if (X86_TSC && X86) - select PAX_SEGMEXEC if (X86_32) - select PAX_PAGEEXEC - select PAX_EMUPLT if (ALPHA || PARISC || SPARC) - select PAX_EMUTRAMP if (PARISC) - select PAX_EMUSIGRT if (PARISC) - select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC) - select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86)) - select PAX_REFCOUNT if (X86 || SPARC64) - select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB)) - help - If you say Y here, many of the features of grsecurity will be - enabled, which will protect you against many kinds of attacks - against your system. The heightened security comes at a cost - of an increased chance of incompatibilities with rare software - on your machine. Since this security level enables PaX, you should - view and read about the PaX - project. While you are there, download chpax and run it on - binaries that cause problems with PaX. Also remember that - since the /proc restrictions are enabled, you must run your - identd as gid 1001. This security level enables the following - features in addition to those listed in the low and medium - security levels: - - - Additional /proc restrictions - - Chmod restrictions in chroot - - No signals, ptrace, or viewing of processes outside of chroot - - Capability restrictions in chroot - - Deny fchdir out of chroot - - Priority restrictions in chroot - - Segmentation-based implementation of PaX - - Mprotect restrictions - - Removal of addresses from /proc//[smaps|maps|stat] - - Kernel stack randomization - - Mount/unmount/remount logging - - Kernel symbol hiding - - Hardening of module auto-loading - - Ptrace restrictions - - Restricted vm86 mode - - Restricted sysfs/debugfs - - Active kernel exploit response - -config GRKERNSEC_CUSTOM - bool "Custom" - help - If you say Y here, you will be able to configure every grsecurity - option, which allows you to enable many more features that aren't - covered in the basic security levels. These additional features - include TPE, socket restrictions, and the sysctl system for - grsecurity. It is advised that you read through the help for - each option to determine its usefulness in your situation. - -endchoice - menu "Memory Protections" depends on GRKERNSEC config GRKERNSEC_KMEM bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port" + default y if GRKERNSEC_CONFIG_AUTO select STRICT_DEVMEM if (X86 || ARM || TILE || S390) help If you say Y here, /dev/kmem and /dev/mem won't be allowed to @@ -230,6 +28,7 @@ config GRKERNSEC_KMEM config GRKERNSEC_VM86 bool "Restrict VM86 mode" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) depends on X86_32 help @@ -243,6 +42,7 @@ config GRKERNSEC_VM86 config GRKERNSEC_IO bool "Disable privileged I/O" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) depends on X86 select RTC_CLASS select RTC_INTF_DEV @@ -262,7 +62,7 @@ config GRKERNSEC_IO config GRKERNSEC_PROC_MEMMAP bool "Harden ASLR against information leaks and entropy reduction" - default y if (PAX_NOEXEC || PAX_ASLR) + default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR) depends on PAX_NOEXEC || PAX_ASLR help If you say Y here, the /proc//maps and /proc//stat files will @@ -282,6 +82,7 @@ config GRKERNSEC_PROC_MEMMAP config GRKERNSEC_BRUTE bool "Deter exploit bruteforcing" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, attempts to bruteforce exploits against forking daemons such as apache or sshd, as well as against suid/sgid binaries @@ -302,6 +103,7 @@ config GRKERNSEC_BRUTE config GRKERNSEC_MODHARDEN bool "Harden module auto-loading" + default y if GRKERNSEC_CONFIG_AUTO depends on MODULES help If you say Y here, module auto-loading in response to use of some @@ -323,6 +125,7 @@ config GRKERNSEC_MODHARDEN config GRKERNSEC_HIDESYM bool "Hide kernel symbols" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, getting information on loaded modules, and displaying all kernel symbols through a syscall will be restricted @@ -348,11 +151,12 @@ config GRKERNSEC_HIDESYM config GRKERNSEC_KERN_LOCKOUT bool "Active kernel exploit response" + default y if GRKERNSEC_CONFIG_AUTO depends on X86 || ARM || PPC || SPARC help If you say Y here, when a PaX alert is triggered due to suspicious activity in the kernel (from KERNEXEC/UDEREF/USERCOPY) - or an OOPs occurs due to bad memory accesses, instead of just + or an OOPS occurs due to bad memory accesses, instead of just terminating the offending process (and potentially allowing a subsequent exploit from the same user), we will take one of two actions: @@ -411,6 +215,7 @@ depends on GRKERNSEC config GRKERNSEC_PROC bool "Proc restrictions" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, the permissions of the /proc filesystem will be altered to enhance system security and privacy. You MUST @@ -432,6 +237,7 @@ config GRKERNSEC_PROC_USER config GRKERNSEC_PROC_USERGROUP bool "Allow special group" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER help If you say Y here, you will be able to select a group that will be @@ -447,6 +253,7 @@ config GRKERNSEC_PROC_GID config GRKERNSEC_PROC_ADD bool "Additional restrictions" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP help If you say Y here, additional restrictions will be placed on @@ -455,6 +262,7 @@ config GRKERNSEC_PROC_ADD config GRKERNSEC_LINK bool "Linking restrictions" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, /tmp race exploits will be prevented, since users will no longer be able to follow symlinks owned by other users in @@ -465,6 +273,7 @@ config GRKERNSEC_LINK config GRKERNSEC_FIFO bool "FIFO restrictions" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, users will not be able to write to FIFOs they don't own in world-writable +t directories (e.g. /tmp), unless the owner of @@ -474,6 +283,7 @@ config GRKERNSEC_FIFO config GRKERNSEC_SYSFS_RESTRICT bool "Sysfs/debugfs restriction" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER) depends on SYSFS help If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and @@ -507,6 +317,7 @@ config GRKERNSEC_ROFS config GRKERNSEC_CHROOT bool "Chroot jail restrictions" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, you will be able to choose several options that will make breaking out of a chrooted jail much more difficult. If you @@ -515,6 +326,7 @@ config GRKERNSEC_CHROOT config GRKERNSEC_CHROOT_MOUNT bool "Deny mounts" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to @@ -523,6 +335,7 @@ config GRKERNSEC_CHROOT_MOUNT config GRKERNSEC_CHROOT_DOUBLE bool "Deny double-chroots" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to chroot @@ -533,6 +346,7 @@ config GRKERNSEC_CHROOT_DOUBLE config GRKERNSEC_CHROOT_PIVOT bool "Deny pivot_root in chroot" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to use @@ -545,6 +359,7 @@ config GRKERNSEC_CHROOT_PIVOT config GRKERNSEC_CHROOT_CHDIR bool "Enforce chdir(\"/\") on all chroots" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, the current working directory of all newly-chrooted @@ -561,6 +376,7 @@ config GRKERNSEC_CHROOT_CHDIR config GRKERNSEC_CHROOT_CHMOD bool "Deny (f)chmod +s" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to chmod @@ -571,6 +387,7 @@ config GRKERNSEC_CHROOT_CHMOD config GRKERNSEC_CHROOT_FCHDIR bool "Deny fchdir out of chroot" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, a well-known method of breaking chroots by fchdir'ing @@ -580,6 +397,7 @@ config GRKERNSEC_CHROOT_FCHDIR config GRKERNSEC_CHROOT_MKNOD bool "Deny mknod" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be allowed to @@ -594,6 +412,7 @@ config GRKERNSEC_CHROOT_MKNOD config GRKERNSEC_CHROOT_SHMAT bool "Deny shmat() out of chroot" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to attach @@ -603,6 +422,7 @@ config GRKERNSEC_CHROOT_SHMAT config GRKERNSEC_CHROOT_UNIX bool "Deny access to abstract AF_UNIX sockets out of chroot" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to @@ -613,6 +433,7 @@ config GRKERNSEC_CHROOT_UNIX config GRKERNSEC_CHROOT_FINDTASK bool "Protect outside processes" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to @@ -623,6 +444,7 @@ config GRKERNSEC_CHROOT_FINDTASK config GRKERNSEC_CHROOT_NICE bool "Restrict priority changes" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, processes inside a chroot will not be able to raise @@ -634,6 +456,7 @@ config GRKERNSEC_CHROOT_NICE config GRKERNSEC_CHROOT_SYSCTL bool "Deny sysctl writes" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, an attacker in a chroot will not be able to @@ -644,6 +467,7 @@ config GRKERNSEC_CHROOT_SYSCTL config GRKERNSEC_CHROOT_CAPS bool "Capability restrictions" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_CHROOT help If you say Y here, the capabilities on all processes within a @@ -686,6 +510,7 @@ config GRKERNSEC_EXECLOG config GRKERNSEC_RESLOG bool "Resource logging" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, all attempts to overstep resource limits will be logged with the resource name, the requested size, and the current @@ -724,6 +549,7 @@ config GRKERNSEC_AUDIT_MOUNT config GRKERNSEC_SIGNAL bool "Signal logging" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, certain important signals will be logged, such as SIGSEGV, which will as a result inform you of when a error in a program @@ -741,6 +567,7 @@ config GRKERNSEC_FORKFAIL config GRKERNSEC_TIME bool "Time change logging" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, any changes of the system clock will be logged. If the sysctl option is enabled, a sysctl option with name @@ -748,6 +575,7 @@ config GRKERNSEC_TIME config GRKERNSEC_PROC_IPADDR bool "/proc//ipaddr support" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, a new entry will be added to each /proc/ directory that contains the IP address of the person using the task. @@ -759,6 +587,7 @@ config GRKERNSEC_PROC_IPADDR config GRKERNSEC_RWXMAP_LOG bool 'Denied RWX mmap/mprotect logging' + default y if GRKERNSEC_CONFIG_AUTO depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT help If you say Y here, calls to mmap() and mprotect() with explicit @@ -787,6 +616,7 @@ depends on GRKERNSEC config GRKERNSEC_DMESG bool "Dmesg(8) restriction" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, non-root users will not be able to use dmesg(8) to view up to the last 4kb of messages in the kernel's log buffer. @@ -798,6 +628,7 @@ config GRKERNSEC_DMESG config GRKERNSEC_HARDEN_PTRACE bool "Deter ptrace-based process snooping" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, TTY sniffers and other malicious monitoring programs implemented through ptrace will be defeated. If you @@ -814,6 +645,7 @@ config GRKERNSEC_HARDEN_PTRACE config GRKERNSEC_PTRACE_READEXEC bool "Require read access to ptrace sensitive binaries" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, unprivileged users will not be able to ptrace unreadable binaries. This option is useful in environments that @@ -827,6 +659,7 @@ config GRKERNSEC_PTRACE_READEXEC config GRKERNSEC_SETXID bool "Enforce consistent multithreaded privileges" + default y if GRKERNSEC_CONFIG_AUTO depends on (X86 || SPARC64 || PPC || ARM || MIPS) help If you say Y here, a change from a root uid to a non-root uid @@ -841,6 +674,7 @@ config GRKERNSEC_SETXID config GRKERNSEC_TPE bool "Trusted Path Execution (TPE)" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, you will be able to choose a gid to add to the supplementary groups of users you want to mark as "untrusted." @@ -897,6 +731,7 @@ depends on GRKERNSEC config GRKERNSEC_RANDNET bool "Larger entropy pools" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, the entropy pools used for many features of Linux and grsecurity will be doubled in size. Since several grsecurity @@ -906,6 +741,7 @@ config GRKERNSEC_RANDNET config GRKERNSEC_BLACKHOLE bool "TCP/UDP blackhole and LAST_ACK DoS prevention" + default y if GRKERNSEC_CONFIG_AUTO depends on NET help If you say Y here, neither TCP resets nor ICMP @@ -1005,11 +841,12 @@ config GRKERNSEC_SOCKET_SERVER_GID option with name "socket_server_gid" is created. endmenu -menu "Sysctl support" +menu "Sysctl Support" depends on GRKERNSEC && SYSCTL config GRKERNSEC_SYSCTL bool "Sysctl support" + default y if GRKERNSEC_CONFIG_AUTO help If you say Y here, you will be able to change the options that grsecurity runs with at bootup, without having to recompile your @@ -1040,6 +877,7 @@ config GRKERNSEC_SYSCTL_DISTRO config GRKERNSEC_SYSCTL_ON bool "Turn on features by default" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC_SYSCTL help If you say Y here, instead of having all features enabled in the @@ -1075,5 +913,3 @@ config GRKERNSEC_FLOODBURST raise this value. endmenu - -endmenu diff --git a/security/Kconfig b/security/Kconfig index 5effdb4..7356014 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -4,7 +4,137 @@ menu "Security options" -source grsecurity/Kconfig +menu "Grsecurity" + +config GRKERNSEC + bool "Grsecurity" + select CRYPTO + select CRYPTO_SHA256 + help + If you say Y here, you will be able to configure many features + that will enhance the security of your system. It is highly + recommended that you say Y here and read through the help + for each option so that you fully understand the features and + can evaluate their usefulness for your machine. + +choice + prompt "Configuration Method" + depends on GRKERNSEC + default GRKERNSEC_CONFIG_CUSTOM + help + +config GRKERNSEC_CONFIG_AUTO + bool "Automatic" + help + +config GRKERNSEC_CONFIG_CUSTOM + bool "Custom" + help + +endchoice + +choice + prompt "Usage Type" + depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) + default GRKERNSEC_CONFIG_SERVER + help + +config GRKERNSEC_CONFIG_SERVER + bool "Server" + help + +config GRKERNSEC_CONFIG_DESKTOP + bool "Desktop" + help + +endchoice + +choice + prompt "Virtualization Type" + depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) + default GRKERNSEC_CONFIG_VIRT_NONE + help + +config GRKERNSEC_CONFIG_VIRT_NONE + bool "None" + help + +config GRKERNSEC_CONFIG_VIRT_GUEST + bool "Guest" + help + +config GRKERNSEC_CONFIG_VIRT_HOST + bool "Host" + help + +endchoice + +choice + prompt "Virtualization Software" + depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST)) + help + +config GRKERNSEC_CONFIG_VIRT_XEN + bool "Xen" + help + +config GRKERNSEC_CONFIG_VIRT_VMWARE + bool "VMWare" + help + +config GRKERNSEC_CONFIG_VIRT_KVM + bool "KVM" + help + +config GRKERNSEC_CONFIG_VIRT_VIRTUALBOX + bool "VirtualBox" + help + +config GRKERNSEC_CONFIG_VIRT_ANY + bool "All" + help + +endchoice + +choice + prompt "Required Priorities" + depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) + default GRKERNSEC_CONFIG_PRIORITY_PERF + help + +config GRKERNSEC_CONFIG_PRIORITY_PERF + bool "Performance" + help + +config GRKERNSEC_CONFIG_PRIORITY_SECURITY + bool "Security" + help + +endchoice + +menu "Default Special Groups" +depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO) + +config GRKERNSEC_PROC_GID + int "GID exempted from /proc restrictions" + default 1001 + +config GRKERNSEC_AUDIT_GID + int "GID of audited group" + default 1007 + +config GRKERNSEC_TPE_GID + int "GID for untrusted users" + default 1005 + help + Setting this GID determines what group TPE restrictions will be + *enabled* for. If the sysctl option is enabled, a sysctl option + with name "tpe_gid" is created. + +endmenu + +menu "Customize Configuration" +depends on GRKERNSEC menu "PaX" @@ -29,6 +159,7 @@ menu "PaX" config PAX bool "Enable various PaX features" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) help This allows you to enable various PaX features. PaX adds @@ -52,6 +183,7 @@ config PAX_SOFTMODE config PAX_EI_PAX bool 'Use legacy ELF header marking' + default y if GRKERNSEC_CONFIG_AUTO help Enabling this option will allow you to control PaX features on a per executable basis via the 'chpax' utility available at @@ -71,6 +203,7 @@ config PAX_EI_PAX config PAX_PT_PAX_FLAGS bool 'Use ELF program header marking' + default y if GRKERNSEC_CONFIG_AUTO help Enabling this option will allow you to control PaX features on a per executable basis via the 'paxctl' utility available at @@ -92,6 +225,7 @@ config PAX_PT_PAX_FLAGS config PAX_XATTR_PAX_FLAGS bool 'Use filesystem extended attributes marking' + default y if GRKERNSEC_CONFIG_AUTO select CIFS_XATTR if CIFS select EXT2_FS_XATTR if EXT2_FS select EXT3_FS_XATTR if EXT3_FS @@ -153,6 +287,7 @@ menu "Non-executable pages" config PAX_NOEXEC bool "Enforce non-executable pages" + default y if GRKERNSEC_CONFIG_AUTO depends on ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86 help By design some architectures do not allow for protecting memory @@ -181,6 +316,7 @@ config PAX_NOEXEC config PAX_PAGEEXEC bool "Paging based non-executable pages" + default y if GRKERNSEC_CONFIG_AUTO depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7) select S390_SWITCH_AMODE if S390 select S390_EXEC_PROTECT if S390 @@ -203,6 +339,7 @@ config PAX_PAGEEXEC config PAX_SEGMEXEC bool "Segmentation based non-executable pages" + default y if GRKERNSEC_CONFIG_AUTO depends on PAX_NOEXEC && X86_32 help This implementation is based on the segmentation feature of the @@ -269,6 +406,7 @@ config PAX_EMUSIGRT config PAX_MPROTECT bool "Restrict mprotect()" + default y if GRKERNSEC_CONFIG_AUTO depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) help Enabling this option will prevent programs from @@ -286,8 +424,8 @@ config PAX_MPROTECT config PAX_MPROTECT_COMPAT bool "Use legacy/compat protection demoting (read help)" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP) depends on PAX_MPROTECT - default n help The current implementation of PAX_MPROTECT denies RWX allocations/mprotects by sending the proper error code to the application. For some broken @@ -362,6 +500,7 @@ config PAX_DLRESOLVE config PAX_KERNEXEC bool "Enforce non-executable kernel pages" + default y if GRKERNSEC_CONFIG_AUTO depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) select PAX_KERNEXEC_PLUGIN if X86_64 @@ -403,7 +542,8 @@ config PAX_KERNEXEC_PLUGIN_METHOD config PAX_KERNEXEC_MODULE_TEXT int "Minimum amount of memory reserved for module code" - default "4" + default "4" if (!GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_SERVER) + default "12" if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP) depends on PAX_KERNEXEC && X86_32 && MODULES help Due to implementation details the kernel must reserve a fixed @@ -428,6 +568,7 @@ menu "Address Space Layout Randomization" config PAX_ASLR bool "Address Space Layout Randomization" + default y if GRKERNSEC_CONFIG_AUTO help Many if not most exploit techniques rely on the knowledge of certain addresses in the attacked program. The following options @@ -457,6 +598,7 @@ config PAX_ASLR config PAX_RANDKSTACK bool "Randomize kernel stack base" + default y if GRKERNSEC_CONFIG_AUTO depends on X86_TSC && X86 help By saying Y here the kernel will randomize every task's kernel @@ -471,6 +613,7 @@ config PAX_RANDKSTACK config PAX_RANDUSTACK bool "Randomize user stack base" + default y if GRKERNSEC_CONFIG_AUTO depends on PAX_ASLR help By saying Y here the kernel will randomize every task's userland @@ -483,6 +626,7 @@ config PAX_RANDUSTACK config PAX_RANDMMAP bool "Randomize mmap() base" + default y if GRKERNSEC_CONFIG_AUTO depends on PAX_ASLR help By saying Y here the kernel will use a randomized base address for @@ -509,6 +653,7 @@ menu "Miscellaneous hardening features" config PAX_MEMORY_SANITIZE bool "Sanitize all freed memory" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) depends on !HIBERNATION help By saying Y here the kernel will erase memory pages as soon as they @@ -531,6 +676,7 @@ config PAX_MEMORY_SANITIZE config PAX_MEMORY_STACKLEAK bool "Sanitize kernel stack" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) depends on X86 help By saying Y here the kernel will erase the kernel stack before it @@ -555,6 +701,7 @@ config PAX_MEMORY_STACKLEAK config PAX_MEMORY_UDEREF bool "Prevent invalid userland pointer dereference" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) depends on X86 && !UML_X86 && !XEN select PAX_PER_CPU_PGD if X86_64 help @@ -574,6 +721,7 @@ config PAX_MEMORY_UDEREF config PAX_REFCOUNT bool "Prevent various kernel object reference counter overflows" + default y if GRKERNSEC_CONFIG_AUTO depends on GRKERNSEC && ((ARM && (CPU_32v6 || CPU_32v6K || CPU_32v7)) || SPARC64 || X86) help By saying Y here the kernel will detect and prevent overflowing @@ -593,6 +741,7 @@ config PAX_REFCOUNT config PAX_USERCOPY bool "Harden heap object copies between kernel and userland" + default y if GRKERNSEC_CONFIG_AUTO depends on X86 || PPC || SPARC || ARM depends on GRKERNSEC && (SLAB || SLUB || SLOB) help @@ -622,6 +771,7 @@ config PAX_USERCOPY config PAX_SIZE_OVERFLOW bool "Prevent various integer overflows in function size parameters" + default y if GRKERNSEC_CONFIG_AUTO depends on X86 help By saying Y here the kernel recomputes expressions of function @@ -638,6 +788,12 @@ endmenu endmenu +source grsecurity/Kconfig + +endmenu + +endmenu + config KEYS bool "Enable access key retention support" help