SPECS (LINUX_2_6): kernel.spec - kernel-grsec_fixes.patch added; h...

zbyniu zbyniu at pld-linux.org
Tue Feb 26 03:01:33 CET 2008


Author: zbyniu                       Date: Tue Feb 26 02:01:33 2008 GMT
Module: SPECS                         Tag: LINUX_2_6
---- Log message:
- kernel-grsec_fixes.patch added; hardening grsec options if with pax

---- Files affected:
SPECS:
   kernel.spec (1.441.2.1843 -> 1.441.2.1844) 

---- Diffs:

================================================================
Index: SPECS/kernel.spec
diff -u SPECS/kernel.spec:1.441.2.1843 SPECS/kernel.spec:1.441.2.1844
--- SPECS/kernel.spec:1.441.2.1843	Tue Feb 26 00:01:04 2008
+++ SPECS/kernel.spec	Tue Feb 26 03:01:28 2008
@@ -344,6 +344,7 @@
 Patch9999:	linux-2.6-grsec_full.patch
 Patch10000:	linux-2.6-grsec-caps.patch
 Patch10001:	linux-2.6-grsec-common.patch
+Patch10002:	kernel-grsec_fixes.patch
 
 URL:		http://www.kernel.org/
 BuildRequires:	binutils >= 3:2.14.90.0.7
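Review bot: the new Patch10002 entry carries no indication of what kernel-grsec_fixes.patch corrects, and its filename breaks the linux-2.6-grsec prefix used by the three entries above it. A one-line comment above Patch10002 saying which of the grsec patches it fixes up would tell a later maintainer whether it can be dropped when those patches are refreshed. If the different prefix is not deliberate, rename it to match its neighbours.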
@@ -893,12 +894,14 @@
 %patch9999 -p1
 %{?with_vserver:%patch10000 -p1}
 %{?with_vserver:%patch10001 -p1}
+%{?with_vserver:%patch10002 -p1}
 %else
 
 %if %{with grsec_full}
 %patch9999 -p1
 %{?with_vserver:%patch10000 -p1}
 %{?with_vserver:%patch10001 -p1}
+%{?with_vserver:%patch10002 -p1}
 %else
 %if %{with grsec_minimal}
 %patch1000 -p1
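Review bot: both new %patch10002 lines are wrapped in %{?with_vserver:...}, so kernel-grsec_fixes.patch is applied only on vserver builds, while the log message describes it as added without qualification. If the fixes target linux-2.6-grsec_full.patch itself, a grsec_full build without vserver will not get them; in that case apply it unconditionally after %patch9999. If it only corrects the vserver-specific caps/common patches, say so in a comment. The same patch sequence now appears in two branches and has to be kept in sync by hand, so consider factoring it into one place.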
@@ -998,7 +1001,7 @@
 	%ifarch %{ix86}
 		sed -i 's:# CONFIG_PAX_SEGMEXEC is not set:CONFIG_PAX_SEGMEXEC=y:' $1
 		# performance impact on CPUs without NX bit
-		sed -i 's:# CONFIG_PAX_PAGEEXEC=y:# CONFIG_PAX_PAGEEXEC is not set:' $1
+		sed -i 's:CONFIG_PAX_PAGEEXEC=y:# CONFIG_PAX_PAGEEXEC is not set:' $1
 		# Testing KERNEXEC
 
 		# sed -i 's:CONFIG_HOTPLUG_PCI_COMPAQ_NVRAM=y:# CONFIG_HOTPLUG_PCI_COMPAQ_NVRAM is not set:' $1
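Review bot: the corrected pattern 's:CONFIG_PAX_PAGEEXEC=y:...' is still unanchored, and sed exits successfully when nothing matches, which is how the previous pattern with the stray leading '# ' could sit in the spec as a silent no-op. Anchor it as 's:^CONFIG_PAX_PAGEEXEC=y$:# CONFIG_PAX_PAGEEXEC is not set:' and follow it with a grep on $1 that fails the build if CONFIG_PAX_PAGEEXEC=y is still present. Also note that now the substitution takes effect, every %{ix86} build has PAGEEXEC switched off, including builds that run on CPUs with the NX bit; the comment above it should state that this trade-off is intended.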
@@ -1025,9 +1028,14 @@
 	# PAX_HOOK_ACL_FLAGS. SELinux should also be able to make PaX settings via hooks
 
 	%if %{with grsec_full}
+		# Hardening grsec options if with pax 
+		sed -i "s:# CONFIG_GRKERNSEC_PROC_MEMMAP is not set:CONFIG_GRKERNSEC_PROC_MEMMAP=y:" $1
+		# almost rational (see HIDESYM help) 
+		sed -i "s:# CONFIG_GRKERNSEC_HIDESYM is not set:CONFIG_GRKERNSEC_HIDESYM=y:" $1
+
 		# no change needed CONFIG=PAX_HAVE_ACL_FLAGS=y is taken from the kernel-pax.config
 	%else
-		# grsec_minimal or selinux ?
+		# selinux or other hooks?
 		sed -i 's:CONFIG_PAX_HAVE_ACL_FLAGS=y:# CONFIG_PAX_HAVE_ACL_FLAGS is not set:' $1
 		sed -i 's:# CONFIG_PAX_HOOK_ACL_FLAGS is not set:CONFIG_PAX_HOOK_ACL_FLAGS=y:' $1
 	%endif
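Review bot: the two added sed lines change the config only if it contains the exact text '# CONFIG_GRKERNSEC_PROC_MEMMAP is not set' and '# CONFIG_GRKERNSEC_HIDESYM is not set'; if either line is absent or worded differently, sed succeeds, nothing changes, and the kernel is built without the hardening this commit advertises. Add a check after the substitutions, for example grep -q '^CONFIG_GRKERNSEC_HIDESYM=y' $1 || exit 1, and the same for PROC_MEMMAP. The new comment says "if with pax" but the visible condition is %{with grsec_full}, so either name the enclosing PaX condition or reword it, and replace "almost rational (see HIDESYM help)" with the actual side effect a packager needs to know. Minor: both new comment lines end in trailing whitespace, and the new sed calls use double quotes where the surrounding ones use single quotes.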
@@ -1594,6 +1602,9 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.441.2.1844  2008-02-26 02:01:28  zbyniu
+- kernel-grsec_fixes.patch added; hardening grsec options if with pax
+
 Revision 1.441.2.1843  2008-02-25 23:01:04  zbyniu
 - grsec_full.patch is ready; PaX config magic cleanup; rel 0.4
 
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SPECS/kernel.spec?r1=1.441.2.1843&r2=1.441.2.1844&f=u


