stealth networking support

CONFIG_IP_NF_MATCH_STEALTH

  Enabling this option will drop all syn packets coming to unserved tcp

  ports as well as all packets coming to unserved udp ports.  If you

  are using your system to route any type of packets (ie. via NAT)

  you should put this module at the end of your ruleset, since it will 

  drop packets that aren't going to ports that are listening on your 

  machine itself, it doesn't take into account that the packet might be 

  destined for someone on your internal network if you're using NAT for 

  instance.

  If you want to compile it as a module, say M here and read

  Documentation/modules.txt.  If unsure, say `N'.

Grsecurity

CONFIG_GRKERNSEC

  If you say Y here, you will be able to configure many features that

  will enhance the security of your system.  It is highly recommended

  that you say Y here and read through the help for each option so

  you fully understand the features and can evaluate their usefulness

  for your machine.

Additional security levels

CONFIG_GRKERNSEC_LOW

  Low additional security

  -----------------------------------------------------------------------

  If you choose this option, several of the grsecurity options will

  be enabled that will give you greater protection against a number

  of attacks, while assuring that none of your software will have any 

  conflicts with the additional security measures.  If you run a lot of 

  unusual software, or you are having problems with the higher security 

  levels, you should say Y here.  With this option, the following features

  are enabled:

  linking restrictions

  fifo restrictions

  random pids

  enforcing nproc on execve()

  restricted dmesg

  random ip ids

  enforced chdir("/") on chroot

  Medium additional security

  -----------------------------------------------------------------------

  If you say Y here, several features in addition to those included in the 

  low additional security level will be enabled.  These features provide

  even more security to your system, though in rare cases they may

  be incompatible with very old or poorly written software.  If you 

  enable this option, make sure that your auth service (identd) is 

  running as gid 10 (usually group wheel). With this option the following 

  features (in addition to those provided in the low additional security 

  level) will be enabled:

  random tcp source ports

  altered ping ids

  failed fork logging

  time change logging

  signal logging

  deny mounts in chroot

  deny double chrooting

  deny sysctl writes in chroot

  deny mknod in chroot

  deny access to abstract AF_UNIX sockets out of chroot

  deny pivot_root in chroot

  denied writes of /dev/kmem, /dev/mem, and /dev/port

  /proc restrictions with special gid set to 10 (usually wheel)

  address space layout randomization

  High additional security

  ----------------------------------------------------------------------

  If you say Y here, many of the features of grsecurity will be enabled,

  that will protect you against many kinds of attacks against

  your system.  The heightened security comes at a cost of an 

  increased chance of incompatibilities with rare software on your 

  machine.  It is highly recommended that you view 

  <http://grsecurity.net/features.htm> and read about each option.  Since 

  this security level enabled PaX, you should also view 

  <http://pageexec.virtualave.net> and read about the PaX project.  While 

  you are there, download chpax.c and run chpax -p on binaries that cause 

  problems with PaX.  Also remember that since the /proc restrictions are 

  enabled, you must run your identd as group wheel (gid 10).  

  This security level enables the following features in addition to those

  listed in the low and medium security levels:

  additional /proc restrictions

  chmod restrictions in chroot

  no signals, ptrace, or viewing processes outside of chroot

  capability restrictions in chroot

  deny fchdir out of chroot

  priority restrictions in chroot

  segmentation-based implementation of PaX

  mprotect restrictions

  removal of /proc/<pid>/[maps|mem]

  kernel stack randomization

  mount/unmount/remount logging

  kernel symbol hiding

Customized additional security

CONFIG_GRKERNSEC_CUSTOM

  If you say Y here, you will be able to configure every grsecurity 

  option, which allows you to enable many more features that aren't 

  covered in the basic security levels.  These additional features include 

  TPE, socket restrictions, and the sysctl system for grsecurity.  It is 

  advised that you read through the help for each option to determine its 

  usefulness in your situation.

Enforce non-executable pages

CONFIG_GRKERNSEC_PAX_NOEXEC

  By design some architectures do not allow for protecting memory

  pages against execution or even if they do, Linux does not make

  use of this feature.  In practice this means that if a page is

  readable (such as the stack or heap) it is also executable.

  There is a well known exploit technique that makes use of this

  fact and a common programming mistake where an attacker can

  introduce code of his choice somewhere in the attacked program's

  memory (typically the stack or the heap) and then execute it.

  If the attacked program was running with different (typically

  higher) privileges than that of the attacker, then he can elevate

  his own privilege level (e.g. get a root shell, write to files for

  which he does not have write access to, etc).

  Enabling this option will let you choose from various features

  that prevent the injection and execution of 'foreign' code in

  a program.

  This will also break programs that rely on the old behaviour and

  expect that dynamically allocated memory via the malloc() family

  of functions is executable (which it is not).  Notable examples

  are the XFree86 4.x server, the java runtime and wine.

  NOTE: you can use the 'chpax' utility to enable/disable this

  feature on a per file basis.  chpax is available at

  <http://pageexec.virtualave.net>

Paging based non-executable pages

CONFIG_GRKERNSEC_PAX_PAGEEXEC

  This implementation is based on the paging feature of the CPU.

  On i386 it has a variable performance impact on applications

  depending on their memory usage pattern.  You should carefully

  test your applications before using this feature in production.

  On alpha, parisc, sparc and sparc64 there is no performance

  impact.  On ppc there is a slight performance impact.

Segmentation based non-executable pages

CONFIG_GRKERNSEC_PAX_SEGMEXEC

  This implementation is based on the segmentation feature of the

  CPU and has little performance impact, however applications will

  be limited to a 1.5 GB address space instead of the normal 3 GB.

Emulate trampolines

CONFIG_GRKERNSEC_PAX_EMUTRAMP

  There are some programs and libraries that for one reason or

  another attempt to execute special small code snippets from

  non-executable memory pages.  Most notable examples are the

  signal handler return code generated by the kernel itself and

  the GCC trampolines.

  If you enabled CONFIG_GRKERNSEC_PAX_PAGEEXEC or 

  CONFIG_GRKERNSEC_PAX_SEGMEXEC then such programs will no longer

  work under your kernel.

  As a remedy you can say Y here and use the 'chpax' utility to

  enable trampoline emulation for the affected programs yet still

  have the protection provided by the non-executable pages.

  On parisc and ppc you MUST enable this option and EMUSIGRT as

  well, otherwise your system will not even boot.

  Alternatively you can say N here and use the 'chpax' utility

  to disable CONFIG_GRKERNSEC_PAX_PAGEEXEC and 

  CONFIG_GRKERNSEC_PAX_SEGMEXEC for the affected files.

  NOTE: enabling this feature *may* open up a loophole in the

  protection provided by non-executable pages that an attacker

  could abuse.  Therefore the best solution is to not have any

  files on your system that would require this option.  This can

  be achieved by not using libc5 (which relies on the kernel

  signal handler return code) and not using or rewriting programs

  that make use of the nested function implementation of GCC.

  Skilled users can just fix GCC itself so that it implements

  nested function calls in a way that does not interfere with PaX.

Automatically emulate sigreturn trampolines

CONFIG_GRKERNSEC_PAX_EMUSIGRT

  Enabling this option will have the kernel automatically detect

  and emulate signal return trampolines executing on the stack

  that would otherwise lead to task termination.

  This solution is intended as a temporary one for users with

  legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,

  Modula-3 runtime, etc) or executables linked to such, basically

  everything that does not specify its own SA_RESTORER function in

  normal executable memory like glibc 2.1+ does.

  On parisc and ppc you MUST enable this option, otherwise your

  system will not even boot.

  NOTE: this feature cannot be disabled on a per executable basis

  and since it *does* open up a loophole in the protection provided

  by non-executable pages, the best solution is to not have any

  files on your system that would require this option.

Restrict mprotect()

CONFIG_GRKERNSEC_PAX_MPROTECT

  Enabling this option will prevent programs from

   - changing the executable status of memory pages that were

     not originally created as executable,

   - making read-only executable pages writable again,

   - creating executable pages from anonymous memory.

  You should say Y here to complete the protection provided by

  the enforcement of non-executable pages.

  NOTE: you can use the 'chpax' utility to control this

  feature on a per file basis. chpax is available at

  <http://pageexec.virtualave.net>

Disallow ELF text relocations

CONFIG_GRKERNSEC_PAX_NOELFRELOCS

  Non-executable pages and mprotect() restrictions are effective

  in preventing the introduction of new executable code into an

  attacked task's address space.  There remain only two venues

  for this kind of attack: if the attacker can execute already

  existing code in the attacked task then he can either have it

  create and mmap() a file containing his code or have it mmap()

  an already existing ELF library that does not have position

  independent code in it and use mprotect() on it to make it

  writable and copy his code there.  While protecting against

  the former approach is beyond PaX, the latter can be prevented

  by having only PIC ELF libraries on one's system (which do not

  need to relocate their code).  If you are sure this is your case,

  then enable this option otherwise be careful as you may not even

  be able to boot or log on your system (for example, some PAM

  modules are erroneously compiled as non-PIC by default).

  NOTE: if you are using dynamic ELF executables (as suggested

  when using ASLR) then you must have made sure that you linked

  your files using the PIC version of crt1 (the et_dyn.zip package

  referenced there has already been updated to support this).

Enforce non-executable kernel pages

CONFIG_GRKERNSEC_PAX_KERNEXEC

  This is the kernel land equivalent of PAGEEXEC and MPROTECT,

  that is, enabling this option will make it harder to inject

  and execute 'foreign' code in kernel memory itself.

Address Space Layout Randomization

CONFIG_GRKERNSEC_PAX_ASLR

  Many if not most exploit techniques rely on the knowledge of

  certain addresses in the attacked program.  The following options

  will allow the kernel to apply a certain amount of randomization

  to specific parts of the program thereby forcing an attacker to

  guess them in most cases.  Any failed guess will most likely crash

  the attacked program which allows the kernel to detect such attempts

  and react on them.  PaX itself provides no reaction mechanisms,

  instead it is strongly encouraged that you make use of grsecurity's

  built-in crash detection features or develop one yourself.

  By saying Y here you can choose to randomize the following areas:

   - top of the task's kernel stack

   - top of the task's userland stack

   - base address for mmap() requests that do not specify one

     (this includes all libraries)

   - base address of the main executable

  It is strongly recommended to say Y here as address space layout

  randomization has negligible impact on performance yet it provides

  a very effective protection.

  NOTE: you can use the 'chpax' utility to control most of these features

  on a per file basis.

Randomize kernel stack base

CONFIG_GRKERNSEC_PAX_RANDKSTACK

  By saying Y here the kernel will randomize every task's kernel

  stack on every system call.  This will not only force an attacker

  to guess it but also prevent him from making use of possible

  leaked information about it.

  Since the kernel stack is a rather scarce resource, randomization

  may cause unexpected stack overflows, therefore you should very

  carefully test your system.  Note that once enabled in the kernel

  configuration, this feature cannot be disabled on a per file basis.

Randomize user stack base

CONFIG_GRKERNSEC_PAX_RANDUSTACK

  By saying Y here the kernel will randomize every task's userland

  stack.  The randomization is done in two steps where the second

  one may apply a big amount of shift to the top of the stack and

  cause problems for programs that want to use lots of memory (more

  than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).

  For this reason the second step can be controlled by 'chpax' on

  a per file basis.

Randomize ET_EXEC base

CONFIG_GRKERNSEC_PAX_RANDEXEC     

  By saying Y here the kernel will randomize the base address of normal

  ET_EXEC ELF executables as well.  This is accomplished by mapping the

  executable in memory in a special way which also allows for detecting

  attackers who attempt to execute its code for their purposes.  Since

  this special mapping causes performance degradation and the attack

  detection may create false alarms as well, you should carefully test

  your executables when this feature is enabled.

  This solution is intended only as a temporary one until you relink

  your programs as a dynamic ELF file.

  NOTE: you can use the 'chpax' utility to control this feature

  on a per file basis.

Allow ELF ET_EXEC text relocations

CONFIG_GRKERNSEC_PAX_ETEXECRELOCS

  On some architectures like the alpha there are incorrectly

  created applications that require text relocations and would

  not work without enabling this option.  If you are an alpha

  user, you should enable this option and disable it once you

  have made sure that none of your applications need it.

Automatically emulate ELF PLT

CONFIG_GRKERNSEC_PAX_EMUPLT

  Enabling this option will have the kernel automatically detect

  and emulate the Procedure Linkage Table entries in ELF files.

  On some architectures such entries are in writable memory, and

  become non-executable leading to task termination.  Therefore

  it is mandatory that you enable this option on alpha, parisc, ppc,

  sparc and sparc64, otherwise your system would not even boot.

  NOTE: this feature *does* open up a loophole in the protection

  provided by the non-executable pages, therefore the proper

  solution is to modify the toolchain to produce a PLT that does

  not need to be writable.

Randomize mmap() base

CONFIG_GRKERNSEC_PAX_RANDMMAP

  By saying Y here the kernel will use a randomized base address for

  mmap() requests that do not specify one themselves.  As a result

  all dynamically loaded libraries will appear at random addresses

  and therefore be harder to exploit by a technique where an attacker

  attempts to execute library code for his purposes (e.g. spawn a

  shell from an exploited program that is running at an elevated

  privilege level).

  Furthermore, if a program is relinked as a dynamic ELF file, its

  base address will be randomized as well, completing the full

  randomization of the address space layout.  Attacking such programs

  becomes a guess game.  You can find an example of doing this at

  <http://pageexec.virtualave.net/et_dyn.zip> and practical samples at

  <http://www.grsecurity.net/grsec-gcc-specs.tar.gz> .

  NOTE: you can use the 'chpax' utility to control this feature

  on a per file basis.

Deny writing to /dev/kmem, /dev/mem, and /dev/port

CONFIG_GRKERNSEC_KMEM

  If you say Y here, /dev/kmem and /dev/mem won't be allowed to

  be written to via mmap or otherwise to modify the running kernel.

  /dev/port will also not be allowed to be opened. If you have module

  support disabled, enabling this will close up four ways that are

  currently used  to insert malicious code into the running kernel.

  Even with all these features enabled, we still highly recommend that

  you use the ACL system, as it is still possible for an attacker to 

  modify the running kernel through privileged I/O granted by ioperm/iopl.

  If you are not using XFree86, you may be able to stop this additional

  case by enabling the 'Disable privileged I/O' option. Though nothing

  legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,

  but only to video memory, which is the only writing we allow in this

  case.  If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will

  not be allowed to mprotect it with PROT_WRITE later.

  Enabling this feature could make certain apps like VMWare stop working,

  as they need to write to other locations in /dev/mem.

  It is highly recommended that you say Y here if you meet all the 

  conditions above.

Disable privileged I/O

CONFIG_GRKERNSEC_IO

  If you say Y here, all ioperm and iopl calls will return an error.

  Ioperm and iopl can be used to modify the running kernel.

  Unfortunately, some programs need this access to operate properly,

  the most notable of which are XFree86 and hwclock.  hwclock can be

  remedied by having RTC support in the kernel, so CONFIG_RTC is

  enabled if this option is enabled, to ensure that hwclock operates

  correctly.  XFree86 still will not operate correctly with this option

  enabled, so DO NOT CHOOSE Y IF YOU USE XFree86.  If you use XFree86

  and you still want to protect your kernel against modification,

  use the ACL system.

Hide kernel symbols

CONFIG_GRKERNSEC_HIDESYM

  If you say Y here, getting information on loaded modules, and 

  displaying all kernel symbols through a syscall will be restricted

  to users with CAP_SYS_MODULE.  This option is only effective 

  provided the following conditions are met:

  1) The kernel using grsecurity is not precompiled by some distribution

  2) You are using the ACL system and hiding other files such as your

     kernel image and System.map

  3) You have the additional /proc restrictions enabled, which removes

     /proc/kcore

  If the above conditions are met, this option will aid to provide a

  useful protection against local and remote kernel exploitation of

  overflows and arbitrary read/write vulnerabilities.

/proc/<pid>/ipaddr support

CONFIG_GRKERNSEC_PROC_IPADDR

  If you say Y here, a new entry will be added to each /proc/<pid>

  directory that contains the IP address of the person using the task.

  The IP is carried across local TCP and AF_UNIX stream sockets.

  This information can be useful for IDS/IPSes to perform remote response

  to a local attack.  The entry is readable by only the owner of the 

  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via

  the RBAC system), and thus does not create privacy concerns.

Proc Restrictions

CONFIG_GRKERNSEC_PROC

  If you say Y here, the permissions of the /proc filesystem

  will be altered to enhance system security and privacy.  Depending

  upon the options you choose, you can either restrict users to see

  only the processes they themselves run, or choose a group that can

  view all processes and files normally restricted to root if you choose

  the "restrict to user only" option.  NOTE: If you're running identd as 

  a non-root user, you will have to run it as the group you specify here.

Restrict /proc to user only

CONFIG_GRKERNSEC_PROC_USER

  If you say Y here, non-root users will only be able to view their own 

  processes, and restricts them from viewing network-related information,  

  and viewing kernel symbol and module information.

Restrict /proc to user and group

CONFIG_GRKERNSEC_PROC_USERGROUP

  If you say Y here, you will be able to select a group that will be

  able to view all processes, network-related information, and

  kernel and symbol information.  This option is useful if you want

  to run identd as a non-root user.

Remove addresses from /proc/pid/[maps|stat]

CONFIG_GRKERNSEC_PROC_MEMMAP

  If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will

  give no information about the addresses of its mappings if

  PaX features that rely on random addresses are enabled on the task.

  If you use PaX it is greatly recommended that you say Y here as it 

  closes up a hole that makes the full ASLR useless for suid 

  binaries.

Additional proc restrictions

CONFIG_GRKERNSEC_PROC_ADD

  If you say Y here, additional restrictions will be placed on

  /proc that keep normal users from viewing cpu and device information.

Dmesg(8) Restriction

CONFIG_GRKERNSEC_DMESG

  If you say Y here, non-root users will not be able to use dmesg(8)

  to view up to the last 4kb of messages in the kernel's log buffer.

  If the sysctl option is enabled, a sysctl option with name "dmesg" is 

  created.

Linking restrictions

CONFIG_GRKERNSEC_LINK

  If you say Y here, /tmp race exploits will be prevented, since users

  will no longer be able to follow symlinks owned by other users in 

  world-writable +t directories (i.e. /tmp), unless the owner of the 

  symlink is the owner of the directory. users will also not be

  able to hardlink to files they do not own.  If the sysctl option is

  enabled, a sysctl option with name "linking_restrictions" is created.

FIFO restrictions

CONFIG_GRKERNSEC_FIFO

  If you say Y here, users will not be able to write to FIFOs they don't

  own in world-writable +t directories (i.e. /tmp), unless the owner of

  the FIFO is the same owner of the directory it's held in.  If the sysctl

  option is enabled, a sysctl option with name "fifo_restrictions" is 

  created.

Enforce RLIMIT_NPROC on execs

CONFIG_GRKERNSEC_EXECVE

  If you say Y here, users with a resource limit on processes will

  have the value checked during execve() calls.  The current system

  only checks the system limit during fork() calls.  If the sysctl option

  is enabled, a sysctl option with name "execve_limiting" is created.

Single group for auditing

CONFIG_GRKERNSEC_AUDIT_GROUP

  If you say Y here, the exec, chdir, (un)mount, and ipc logging features

  will only operate on a group you specify.  This option is recommended

  if you only want to watch certain users instead of having a large

  amount of logs from the entire system.  If the sysctl option is enabled,

  a sysctl option with name "audit_group" is created.

GID for auditing

CONFIG_GRKERNSEC_AUDIT_GID

  Here you can choose the GID that will be the target of kernel auditing.

  Remember to add the users you want to log to the GID specified here.

  If the sysctl option is enabled, whatever you choose here won't matter. 

  You'll have to specify the GID in your bootup script by echoing the GID 

  to the proper /proc entry.  View the help on the sysctl option for more 

  information.  If the sysctl option is enabled, a sysctl option with name 

  "audit_gid" is created.

Chdir logging

CONFIG_GRKERNSEC_AUDIT_CHDIR

  If you say Y here, all chdir() calls will be logged.  If the sysctl 

  option is enabled, a sysctl option with name "audit_chdir" is created.

(Un)Mount logging

CONFIG_GRKERNSEC_AUDIT_MOUNT

  If you say Y here, all mounts and unmounts will be logged.  If the 

  sysctl option is enabled, a sysctl option with name "audit_mount" is 

  created.

IPC logging

CONFIG_GRKERNSEC_AUDIT_IPC

  If you say Y here, creation and removal of message queues, semaphores,

  and shared memory will be logged.  If the sysctl option is enabled, a

  sysctl option with name "audit_ipc" is created.

Exec logging

CONFIG_GRKERNSEC_EXECLOG

  If you say Y here, all execve() calls will be logged (since the

  other exec*() calls are frontends to execve(), all execution

  will be logged).  Useful for shell-servers that like to keep track

  of their users.  If the sysctl option is enabled, a sysctl option with

  name "exec_logging" is created.

  WARNING: This option when enabled will produce a LOT of logs, especially

  on an active system.

Resource logging

CONFIG_GRKERNSEC_RESLOG

  If you say Y here, all attempts to overstep resource limits will

  be logged with the resource name, the requested size, and the current

  limit.  It is highly recommended that you say Y here.

Signal logging

CONFIG_GRKERNSEC_SIGNAL

  If you say Y here, certain important signals will be logged, such as

  SIGSEGV, which will as a result inform you of when a error in a program

  occurred, which in some cases could mean a possible exploit attempt.

  If the sysctl option is enabled, a sysctl option with name 

  "signal_logging" is created.

Fork failure logging

CONFIG_GRKERNSEC_FORKFAIL

  If you say Y here, all failed fork() attempts will be logged.

  This could suggest a fork bomb, or someone attempting to overstep

  their process limit.  If the sysctl option is enabled, a sysctl option

  with name "forkfail_logging" is created.

Time change logging

CONFIG_GRKERNSEC_TIME

  If you say Y here, any changes of the system clock will be logged.

  If the sysctl option is enabled, a sysctl option with name 

  "timechange_logging" is created.

Chroot jail restrictions

CONFIG_GRKERNSEC_CHROOT

  If you say Y here, you will be able to choose several options that will

  make breaking out of a chrooted jail much more difficult.  If you

  encounter no software incompatibilities with the following options, it

  is recommended that you enable each one.

Deny access to abstract AF_UNIX sockets out of chroot

CONFIG_GRKERNSEC_CHROOT_UNIX

  If you say Y here, processes inside a chroot will not be able to

  connect to abstract (meaning not belonging to a filesystem) Unix

  domain sockets that were bound outside of a chroot.  It is recommended

  that you say Y here.  If the sysctl option is enabled, a sysctl option

  with name "chroot_deny_unix" is created.

Deny shmat() out of chroot

CONFIG_GRKERNSEC_CHROOT_SHMAT

  If you say Y here, processes inside a chroot will not be able to attach

  to shared memory segments that were created outside of the chroot jail.

  It is recommended that you say Y here.  If the sysctl option is enabled,

  a sysctl option with name "chroot_deny_shmat" is created.

Protect outside processes

CONFIG_GRKERNSEC_CHROOT_FINDTASK

  If you say Y here, processes inside a chroot will not be able to

  kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, 

  getsid, or view any process outside of the chroot.  If the sysctl 

  option is enabled, a sysctl option with name "chroot_findtask" is 

  created.

Deny mounts in chroot

CONFIG_GRKERNSEC_CHROOT_MOUNT

  If you say Y here, processes inside a chroot will not be able to

  mount or remount filesystems.  If the sysctl option is enabled, a 

  sysctl option with name "chroot_deny_mount" is created.

Deny pivot_root in chroot

CONFIG_GRKERNSEC_CHROOT_PIVOT

  If you say Y here, processes inside a chroot will not be able to use

  a function called pivot_root() that was introduced in Linux 2.3.41.  It 

  works similar to chroot in that it changes the root filesystem.  This 

  function could be misused in a chrooted process to attempt to break out 

  of the chroot, and therefore should not be allowed.  If the sysctl 

  option is enabled, a sysctl option with name "chroot_deny_pivot" is 

  created.

Deny double-chroots

CONFIG_GRKERNSEC_CHROOT_DOUBLE

  If you say Y here, processes inside a chroot will not be able to chroot

  again.  This is a widely used method of breaking out of a chroot jail

  and should not be allowed.  If the sysctl option is enabled, a sysctl

  option with name "chroot_deny_chroot" is created.

Deny fchdir outside of chroot

CONFIG_GRKERNSEC_CHROOT_FCHDIR

  If you say Y here, a well-known method of breaking chroots by fchdir'ing

  to a file descriptor of the chrooting process that points to a directory

  outside the filesystem will be stopped.  If the sysctl option

  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.

Enforce chdir("/") on all chroots

CONFIG_GRKERNSEC_CHROOT_CHDIR

  If you say Y here, the current working directory of all newly-chrooted

  applications will be set to the the root directory of the chroot.

  The man page on chroot(2) states:

  Note that this call does not change  the  current  working

  directory,  so  that `.' can be outside the tree rooted at

  `/'.  In particular, the  super-user  can  escape  from  a

  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.  

  It is recommended that you say Y here, since it's not known to break

  any software.  If the sysctl option is enabled, a sysctl option with

  name "chroot_enforce_chdir" is created.

Deny (f)chmod +s in chroot

CONFIG_GRKERNSEC_CHROOT_CHMOD

  If you say Y here, processes inside a chroot will not be able to chmod

  or fchmod files to make them have suid or sgid bits.  This protects 

  against another published method of breaking a chroot.  If the sysctl 

  option is enabled, a sysctl option with name "chroot_deny_chmod" is

  created.

Deny mknod in chroot

CONFIG_GRKERNSEC_CHROOT_MKNOD

  If you say Y here, processes inside a chroot will not be allowed to

  mknod.  The problem with using mknod inside a chroot is that it

  would allow an attacker to create a device entry that is the same

  as one on the physical root of your system, which could range from

  anything from the console device to a device for your harddrive (which

  they could then use to wipe the drive or steal data).  It is recommended

  that you say Y here, unless you run into software incompatibilities.

  If the sysctl option is enabled, a sysctl option with name

  "chroot_deny_mknod" is created.

Restrict priority changes in chroot

CONFIG_GRKERNSEC_CHROOT_NICE

  If you say Y here, processes inside a chroot will not be able to raise

  the priority of processes in the chroot, or alter the priority of 

  processes outside the chroot.  This provides more security than simply

  removing CAP_SYS_NICE from the process' capability set.  If the

  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"

  is created.

Log all execs within chroot

CONFIG_GRKERNSEC_CHROOT_EXECLOG

  If you say Y here, all executions inside a chroot jail will be logged 

  to syslog.  This can cause a large amount of logs if certain

  applications (eg. djb's daemontools) are installed on the system, and

  is therefore left as an option.  If the sysctl option is enabled, a 

  sysctl option with name "chroot_execlog" is created.

Deny sysctl writes in chroot

CONFIG_GRKERNSEC_CHROOT_SYSCTL

  If you say Y here, an attacker in a chroot will not be able to

  write to sysctl entries, either by sysctl(2) or through a /proc

  interface.  It is strongly recommended that you say Y here. If the

  sysctl option is enabled, a sysctl option with name 

  "chroot_deny_sysctl" is created.

Chroot jail capability restrictions

CONFIG_GRKERNSEC_CHROOT_CAPS

  If you say Y here, the capabilities on all root processes within a

  chroot jail will be lowered to stop module insertion, raw i/o,

  system and net admin tasks, rebooting the system, modifying immutable 

  files, modifying IPC owned by another, and changing the system time.

  This is left an option because it can break some apps.  Disable this

  if your chrooted apps are having problems performing those kinds of

  tasks.  If the sysctl option is enabled, a sysctl option with

  name "chroot_caps" is created.

Trusted path execution

CONFIG_GRKERNSEC_TPE

  If you say Y here, you will be able to choose a gid to add to the

  supplementary groups of users you want to mark as "untrusted."

  These users will not be able to execute any files that are not in

  root-owned directories writable only by root.  If the sysctl option

  is enabled, a sysctl option with name "tpe" is created.

Group for trusted path execution

CONFIG_GRKERNSEC_TPE_GID

  Here you can choose the GID to enable trusted path protection for.

  Remember to add the users you want protection enabled for to the GID 

  specified here.  If the sysctl option is enabled, whatever you choose

  here won't matter. You'll have to specify the GID in your bootup 

  script by echoing the GID to the proper /proc entry.  View the help

  on the sysctl option for more information.  If the sysctl option is

  enabled, a sysctl option with name "tpe_gid" is created.

Partially restrict non-root users

CONFIG_GRKERNSEC_TPE_ALL

  If you say Y here, All non-root users other than the ones in the 

  group specified in the main TPE option will only be allowed to

  execute files in directories they own that are not group or

  world-writable, or in directories owned by root and writable only by

  root.  If the sysctl option is enabled, a sysctl option with name 

  "tpe_restrict_all" is created.

Randomized PIDs

CONFIG_GRKERNSEC_RANDPID

  If you say Y here, all PIDs created on the system will be

  pseudo-randomly generated.  This is extremely effective along

  with the /proc restrictions to disallow an attacker from guessing

  pids of daemons, etc.  PIDs are also used in some cases as part

  of a naming system for temporary files, so this option would keep

  those filenames from being predicted as well.  We also use code

  to make sure that PID numbers aren't reused too soon.  If the sysctl

  option is enabled, a sysctl option with name "rand_pids" is created.

Larger entropy pools

CONFIG_GRKERNSEC_RANDNET

  If you say Y here, the entropy pools used for many features of Linux

  and grsecurity will be doubled in size.  Since several grsecurity 

  features use additional randomness, it is recommended that you say Y 

  here.  Saying Y here has a similar effect as modifying

  /proc/sys/kernel/random/poolsize.

Truly random TCP ISN selection

CONFIG_GRKERNSEC_RANDISN

  If you say Y here, Linux's default selection of TCP Initial Sequence

  Numbers (ISNs) will be replaced with that of OpenBSD.  Linux uses

  an MD4 hash based on the connection plus a time value to create the

  ISN, while OpenBSD's selection is random.  If the sysctl option is 

  enabled, a sysctl option with name "rand_isns" is created.

Randomized IP IDs

CONFIG_GRKERNSEC_RANDID

  If you say Y here, all the id field on all outgoing packets

  will be randomized.  This hinders os fingerprinters and

  keeps your machine from being used as a bounce for an untraceable

  portscan.  Ids are used for fragmented packets, fragments belonging

  to the same packet have the same id.  By default linux only

  increments the id value on each packet sent to an individual host.

  We use a port of the OpenBSD random ip id code to achieve the

  randomness, while keeping the possibility of id duplicates to

  near none.  If the sysctl option is enabled, a sysctl option with name

  "rand_ip_ids" is created.

Randomized TCP source ports

CONFIG_GRKERNSEC_RANDSRC

  If you say Y here, situations where a source port is generated on the

  fly for the TCP protocol (ie. with connect() ) will be altered so that

  the source port is generated at random, instead of a simple incrementing

  algorithm.  If the sysctl option is enabled, a sysctl option with name

  "rand_tcp_src_ports" is created.

Randomized RPC XIDs

CONFIG_GRKERNSEC_RANDRPC

  If you say Y here, the method of determining XIDs for RPC requests will

  be randomized, instead of using linux's default behavior of simply

  incrementing the XID.  If you want your RPC connections to be more

  secure, say Y here.  If the sysctl option is enabled, a sysctl option 

  with name "rand_rpc" is created.

Socket restrictions

CONFIG_GRKERNSEC_SOCKET

  If you say Y here, you will be able to choose from several options.

  If you assign a GID on your system and add it to the supplementary

  groups of users you want to restrict socket access to, this patch

  will perform up to three things, based on the option(s) you choose.

Deny all socket access

CONFIG_GRKERNSEC_SOCKET_ALL

  If you say Y here, you will be able to choose a GID of whose users will

  be unable to connect to other hosts from your machine or run server

  applications from your machine.  If the sysctl option is enabled, a

  sysctl option with name "socket_all" is created.

Group for disabled socket access

CONFIG_GRKERNSEC_SOCKET_ALL_GID

  Here you can choose the GID to disable socket access for. Remember to 

  add the users you want socket access disabled for to the GID 

  specified here.  If the sysctl option is enabled, whatever you choose

  here won't matter. You'll have to specify the GID in your bootup 

  script by echoing the GID to the proper /proc entry.  View the help

  on the sysctl option for more information.  If the sysctl option is

  enabled, a sysctl option with name "socket_all_gid" is created.

Deny all client socket access

CONFIG_GRKERNSEC_SOCKET_CLIENT

  If you say Y here, you will be able to choose a GID of whose users will

  be unable to connect to other hosts from your machine, but will be

  able to run servers.  If this option is enabled, all users in the group

  you specify will have to use passive mode when initiating ftp transfers

  from the shell on your machine.  If the sysctl option is enabled, a

  sysctl option with name "socket_client" is created.

Group for disabled client socket access

CONFIG_GRKERNSEC_SOCKET_CLIENT_GID

  Here you can choose the GID to disable client socket access for. 

  Remember to add the users you want client socket access disabled for to 

  the GID specified here.  If the sysctl option is enabled, whatever you 

  choose here won't matter. You'll have to specify the GID in your bootup 

  script by echoing the GID to the proper /proc entry.  View the help

  on the sysctl option for more information.  If the sysctl option is

  enabled, a sysctl option with name "socket_client_gid" is created.

Deny all server socket access

CONFIG_GRKERNSEC_SOCKET_SERVER

  If you say Y here, you will be able to choose a GID of whose users will

  be unable to run server applications from your machine.  If the sysctl 

  option is enabled, a sysctl option with name "socket_server" is created.

Group for disabled server socket access

CONFIG_GRKERNSEC_SOCKET_SERVER_GID

  Here you can choose the GID to disable server socket access for. 

  Remember to add the users you want server socket access disabled for to 

  the GID specified here.  If the sysctl option is enabled, whatever you 

  choose here won't matter. You'll have to specify the GID in your bootup 

  script by echoing the GID to the proper /proc entry.  View the help

  on the sysctl option for more information.  If the sysctl option is

  enabled, a sysctl option with name "socket_server_gid" is created.

Sysctl support

CONFIG_GRKERNSEC_SYSCTL

  If you say Y here, you will be able to change the options that

  grsecurity runs with at bootup, without having to recompile your

  kernel.  You can echo values to files in /proc/sys/kernel/grsecurity

  to enable (1) or disable (0) various features.  All the sysctl entries

  are mutable until the "grsec_lock" entry is set to a non-zero value.

  All features are disabled by default. Please note that this option could 

  reduce the effectiveness of the added security of this patch if an ACL 

  system is not put in place.  Your init scripts should be read-only, and 

  root should not have access to adding modules or performing raw i/o 

  operations.  All options should be set at startup, and the grsec_lock 

  entry should be set to a non-zero value after all the options are set.  

  *THIS IS EXTREMELY IMPORTANT*

Number of burst messages

CONFIG_GRKERNSEC_FLOODBURST

  This option allows you to choose the maximum number of messages allowed

  within the flood time interval you chose in a separate option.  The 

  default should be suitable for most people, however if you find that 

  many of your logs are being interpreted as flooding, you may want to 

  raise this value.

Seconds in between log messages

CONFIG_GRKERNSEC_FLOODTIME

  This option allows you to enforce the number of seconds between

  grsecurity log messages.  The default should be suitable for most 

  people, however, if you choose to change it, choose a value small enough

  to allow informative logs to be produced, but large enough to

  prevent flooding.

Hide kernel processes

CONFIG_GRKERNSEC_ACL_HIDEKERN

  If you say Y here, when the ACL system is enabled via gradm -E,

  an additional ACL will be passed to the kernel that hides all kernel

  processes.  These processes will only be viewable by the authenticated

  admin, or processes that have viewing access set.

Maximum tries before password lockout

CONFIG_GRKERNSEC_ACL_MAXTRIES

  This option enforces the maximum number of times a user can attempt

  to authorize themselves with the grsecurity ACL system before being

  denied the ability to attempt authorization again for a specified time.  

  The lower the number, the harder it will be to brute-force a password.

Time to wait after max password tries, in seconds

CONFIG_GRKERNSEC_ACL_TIMEOUT

  This option specifies the time the user must wait after attempting to 

  authorize to the ACL system with the maximum number of invalid 

  passwords.  The higher the number, the harder it will be to brute-force 

  a password.

GRSECURITY	=grsecurity/grsec.o

		$(GRSECURITY) \

mainmenu_option next_comment

comment 'Grsecurity'

bool 'Grsecurity' CONFIG_GRKERNSEC

if [ "$CONFIG_GRKERNSEC" = "y" ]; then

	source grsecurity/Config.in

fi

endmenu

#include <linux/grsecurity.h>

#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC

	if (flags & MAP_MIRROR)

		return -EINVAL;

#endif

	if(gr_handle_mmap(file, prot)) {

		fput(file);

		ret = -EACCES;

		goto out;

	}

#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP

	if (!(current->flags & PF_PAX_RANDMMAP) || !filp)

#endif

#include <linux/grsecurity.h>

	if(gr_handle_ptrace(child, request))

		goto out;

/*

 * PaX: decide what to do with offenders (regs->pc = fault address)

 *

 * returns 1 when task should be killed

 *         2 when patched PLT trampoline was detected

 *         3 when unpatched PLT trampoline was detected

 *	   4 when legitimate ET_EXEC was detected

 */

#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC

static int pax_handle_fetch_fault(struct pt_regs *regs)

{

	int err;

#ifdef CONFIG_GRKERNSEC_PAX_RANDEXEC

	if (current->flags & PF_PAX_RANDEXEC) {

		if (regs->pc >= current->mm->start_code &&

		    regs->pc < current->mm->end_code)

		{

			if (regs->r26 == regs->pc)

				return 1;

			regs->pc += current->mm->delta_exec;

			return 4;

		}

	}

#endif

#ifdef CONFIG_GRKERNSEC_PAX_EMUPLT

	do { /* PaX: patched PLT emulation #1 */

		unsigned int ldah, ldq, jmp;

		err = get_user(ldah, (unsigned int *)regs->pc);

		err |= get_user(ldq, (unsigned int *)(regs->pc+4));

		err |= get_user(jmp, (unsigned int *)(regs->pc+8));

		if (err)

			break;

		if ((ldah & 0xFFFF0000U)== 0x277B0000U &&

		    (ldq & 0xFFFF0000U) == 0xA77B0000U &&

		    jmp == 0x6BFB0000U)

		{

			unsigned long r27, addr;

			unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;

			unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;

			addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);

			err = get_user(r27, (unsigned long*)addr);

			if (err)

				break;

			regs->r27 = r27;

			regs->pc = r27;

			return 2;

		}

	} while (0);

	do { /* PaX: patched PLT emulation #2 */

		unsigned int ldah, lda, br;

		err = get_user(ldah, (unsigned int *)regs->pc);

		err |= get_user(lda, (unsigned int *)(regs->pc+4));

		err |= get_user(br, (unsigned int *)(regs->pc+8));

		if (err)

			break;

		if ((ldah & 0xFFFF0000U)== 0x277B0000U &&

		    (lda & 0xFFFF0000U) == 0xA77B0000U &&

		    (br & 0xFFE00000U) == 0xC3E00000U)

		{

			unsigned long addr = br | 0xFFFFFFFFFFE00000UL;

			unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;

			unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;

			regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);

			regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);

			return 2;

		}

	} while (0);

	do { /* PaX: unpatched PLT emulation */

		unsigned int br;

		err = get_user(br, (unsigned int *)regs->pc);

		if (!err && (br & 0xFFE00000U) == 0xC3800000U) {

			unsigned int br2, ldq, nop, jmp;

			unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;

			addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);

			err = get_user(br2, (unsigned int *)addr);  

			err |= get_user(ldq, (unsigned int *)(addr+4));

			err |= get_user(nop, (unsigned int *)(addr+8));

			err |= get_user(jmp, (unsigned int *)(addr+12));

			err |= get_user(resolver, (unsigned long *)(addr+16));

			if (err)

				break;

			if (br2 == 0xC3600000U &&

			    ldq == 0xA77B000CU &&

			    nop == 0x47FF041FU &&

			    jmp == 0x6B7B0000U)

			{

				regs->r28 = regs->pc+4;

				regs->r27 = addr+16;

				regs->pc = resolver;

				return 3;

			}

		}

	} while (0);

#endif

	return 1;

}

void pax_report_insns(void *pc)

{

	unsigned long i;

	printk(KERN_ERR "PAX: bytes at PC: ");

	for (i = 0; i < 5; i++) {

		unsigned int c;

		if (get_user(c, (unsigned int*)pc+i)) {

			printk("<invalid address>.");

			break;

		}

		printk("%08x ", c);

	}

	printk("\n");

}

#endif

#endif

		}

mainmenu_option next_comment

comment 'Grsecurity'

bool 'Grsecurity' CONFIG_GRKERNSEC

if [ "$CONFIG_GRKERNSEC" = "y" ]; then

	source grsecurity/Config.in

fi

endmenu

mainmenu_option next_comment

comment 'Grsecurity'

bool 'Grsecurity' CONFIG_GRKERNSEC

if [ "$CONFIG_GRKERNSEC" = "y" ]; then

    source grsecurity/Config.in

fi

endmenu

arch/i386/vmlinux.lds: arch/i386/vmlinux.lds.S FORCE

	$(CPP) -C -P -I$(HPATH) -imacros $(HPATH)/linux/config.h -imacros $(HPATH)/asm-i386/segment.h -imacros $(HPATH)/asm-i386/page_offset.h -Ui386 arch/i386/vmlinux.lds.S >arch/i386/vmlinux.lds

	rm -f arch/i386/vmlinux.lds

mainmenu_option next_comment

comment 'Grsecurity'

bool 'Grsecurity' CONFIG_GRKERNSEC

if [ "$CONFIG_GRKERNSEC" = "y" ]; then

	source grsecurity/Config.in

fi

endmenu

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC

	set_base(gdt2[APM_40 >> 3],

		__va((unsigned long)0x40 << 4));

	_set_limit((char *)&gdt2[APM_40 >> 3], 4095 - (0x40 << 4));

#endif

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC

	set_base(gdt2[APM_CS >> 3],

		__va((unsigned long)apm_info.bios.cseg << 4));

	set_base(gdt2[APM_CS_16 >> 3],

		__va((unsigned long)apm_info.bios.cseg_16 << 4));

	set_base(gdt2[APM_DS >> 3],

		__va((unsigned long)apm_info.bios.dseg << 4));

#endif

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC

		_set_limit((char *)&gdt2[APM_CS >> 3], 64 * 1024 - 1);

		_set_limit((char *)&gdt2[APM_CS_16 >> 3], 64 * 1024 - 1);

		_set_limit((char *)&gdt2[APM_DS >> 3], 64 * 1024 - 1);

#endif

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC

		_set_limit((char *)&gdt2[APM_CS >> 3],

			(apm_info.bios.cseg_len - 1) & 0xffff);

		_set_limit((char *)&gdt2[APM_CS_16 >> 3],

			(apm_info.bios.cseg_16_len - 1) & 0xffff);

		_set_limit((char *)&gdt2[APM_DS >> 3],

			(apm_info.bios.dseg_len - 1) & 0xffff);

#endif

#ifdef CONFIG_GRKERNSEC_PAX_RANDKSTACK

	cli                             # need_resched and signals atomic test

	cmpl $0,need_resched(%ebx)

	jne reschedule

	cmpl $0,sigpending(%ebx)

	jne signal_return

	call SYMBOL_NAME(pax_randomize_kstack)

	jmp restore_all

#endif

#ifdef CONFIG_GRKERNSEC_PAX_PAGEEXEC

	ALIGN

	pushl $ SYMBOL_NAME(pax_do_page_fault)

#else

#endif

#ifndef CONFIG_GRKERNSEC_PAX_EMUTRAMP

#else

	pushl %ds

	pushl %eax

	xorl %eax,%eax

	pushl %ebp

	pushl %edi

	pushl %esi

	pushl %edx

	decl %eax			# eax = -1

	pushl %ecx

	pushl %ebx

	cld

	movl %es,%ecx

	movl ORIG_EAX(%esp), %esi	# get the error code

	movl ES(%esp), %edi		# get the function address

	movl %eax, ORIG_EAX(%esp)

	movl %ecx, ES(%esp)

	movl %esp,%edx

	pushl %esi			# push the error code

	pushl %edx			# push the pt_regs pointer

	movl $(__KERNEL_DS),%edx

	movl %edx,%ds

	movl %edx,%es

	GET_CURRENT(%ebx)

	call *%edi

	addl $8,%esp

	decl %eax

	jnz ret_from_exception

	popl %ebx

	popl %ecx

	popl %edx

	popl %esi

	popl %edi

	popl %ebp

	popl %eax

	popl %ds

	popl %es

	addl $4,%esp

	jmp system_call

#endif

.global startup_32

#if !defined(CONFIG_GRKERNSEC_PAX_KERNEXEC) || defined(CONFIG_SMP)

#ifdef CONFIG_GRKERNSEC_PAX_KERNEXEC

	orw  %bx,%bx

	jz  1f

#endif

#endif

.data

ready:	.byte 0

ENTRY(stack_start)

	.long SYMBOL_NAME(init_task_union)+8192

	.long __KERNEL_DS

.section .rodata,"a"

/* This is the default interrupt "handler" :-) */

int_msg:

	.asciz "Unknown interrupt\n"

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC

.globl SYMBOL_NAME(gdt2)

	.word 0

gdt_descr2:

	.word GDT_ENTRIES*8-1

SYMBOL_NAME(gdt2):

	.long SYMBOL_NAME(gdt_table2)

#endif

	.fill 1024,4,0

	.fill 1024,4,0

.section .data.pg2,"a"

ENTRY(pg2)

	.fill 1024,4,0

	.fill 1024,4,0

#endif

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC

EXPORT_SYMBOL(gdt2);

#endif

#include <linux/grsecurity.h>

#ifdef CONFIG_GRKERNSEC_IO

	if (turn_on) {

		gr_handle_ioperm();

#else

#endif

#ifdef CONFIG_GRKERNSEC_IO

	}

#endif

#ifdef CONFIG_GRKERNSEC_IO

		gr_handle_iopl();

		return -EPERM;

#else

#endif