SOURCES: kernel-grsec+pax.config (NEW) - initial pax config for SE...
mguevara
mguevara at pld-linux.org
Thu Jul 20 18:15:46 CEST 2006
Author: mguevara Date: Thu Jul 20 16:15:46 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- initial pax config for SEGMEXEC archs x86/32bit includes grsecurity
entries taken and modified from kernel-grsec.config
---- Files affected:
SOURCES:
kernel-grsec+pax.config (1.3 -> 1.4) (NEW)
---- Diffs:
================================================================
Index: SOURCES/kernel-grsec+pax.config
diff -u /dev/null SOURCES/kernel-grsec+pax.config:1.4
--- /dev/null Thu Jul 20 18:15:46 2006
+++ SOURCES/kernel-grsec+pax.config Thu Jul 20 18:15:41 2006
@@ -0,0 +1,145 @@
+#
+# PaX
+#
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+CONFIG_PAX_SOFTMODE=y
+# CONFIG_PAX_EI_PAX is not set
+CONFIG_PAX_PT_PAX_FLAGS=y
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+CONFIG_PAX_SEGMEXEC=y
+# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
+CONFIG_PAX_DEFAULT_SEGMEXEC=y
+CONFIG_PAX_EMUTRAMP=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_NOELFRELOCS is not set
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+# CONFIG_PAX_RANDKSTACK is not set
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+CONFIG_PAX_NOVSYSCALL=y
+
+#
+# Grsecurity
+#
+CONFIG_GRKERNSEC=y
+# CONFIG_GRKERNSEC_LOW is not set
+# CONFIG_GRKERNSEC_MEDIUM is not set
+# CONFIG_GRKERNSEC_HIGH is not set
+CONFIG_GRKERNSEC_CUSTOM=y
+
+#
+# Address Space Protection
+#
+CONFIG_GRKERNSEC_KMEM=y
+# CONFIG_GRKERNSEC_IO is not set
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODSTOP=y
+# CONFIG_GRKERNSEC_HIDESYM is not set
+
+#
+# Role Based Access Control Options
+#
+CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+CONFIG_GRKERNSEC_PROC=y
+# CONFIG_GRKERNSEC_PROC_USER is not set
+CONFIG_GRKERNSEC_PROC_USERGROUP=y
+CONFIG_GRKERNSEC_PROC_GID=17
+CONFIG_GRKERNSEC_PROC_ADD=y
+CONFIG_GRKERNSEC_LINK=y
+CONFIG_GRKERNSEC_FIFO=y
+CONFIG_GRKERNSEC_CHROOT=y
+CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+CONFIG_GRKERNSEC_CHROOT_CAPS=y
+
+#
+# Kernel Auditing
+#
+CONFIG_GRKERNSEC_AUDIT_GROUP=y
+CONFIG_GRKERNSEC_AUDIT_GID=1007
+CONFIG_GRKERNSEC_EXECLOG=y
+CONFIG_GRKERNSEC_RESLOG=y
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+CONFIG_GRKERNSEC_AUDIT_IPC=y
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+CONFIG_GRKERNSEC_TIME=y
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_EXECVE=y
+CONFIG_GRKERNSEC_SHM=y
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_RANDPID=y
+CONFIG_GRKERNSEC_TPE=y
+CONFIG_GRKERNSEC_TPE_ALL=y
+# CONFIG_GRKERNSEC_TPE_INVERT is not set
+CONFIG_GRKERNSEC_TPE_GID=65500
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=65501
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=65502
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=65503
+
+#
+# Sysctl support
+#
+CONFIG_GRKERNSEC_SYSCTL=y
+# CONFIG_GRKERNSEC_SYSCTL_ON is not set
+
+#
+# Logging Options
+#
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=10
+
+#
+# Some Netfilter stuff
+#
+CONFIG_IP_NF_MATCH_STEALTH=m
+
================================================================
More information about the pld-cvs-commit
mailing list