--- linux-3.12.6/.config 2013-12-29 19:00:33.834921351 +0400
+++ linux-3.12.6-hardened-r2/.config 2013-12-29 21:45:32.646044784 +0400
@@ -159,7 +159,6 @@ CONFIG_CFS_BANDWIDTH=y
 CONFIG_RT_GROUP_SCHED=y
 CONFIG_BLK_CGROUP=y
 # CONFIG_DEBUG_BLK_CGROUP is not set
-# CONFIG_CHECKPOINT_RESTORE is not set
 CONFIG_NAMESPACES=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
@@ -374,6 +373,7 @@ CONFIG_MCORE2=y
 # CONFIG_GENERIC_CPU is not set
 CONFIG_X86_INTERNODE_CACHE_SHIFT=6
 CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_ALIGNMENT_16=y
 CONFIG_X86_INTEL_USERCOPY=y
 CONFIG_X86_USE_PPRO_CHECKSUM=y
 CONFIG_X86_P6_NOP=y
@@ -466,7 +466,6 @@ CONFIG_KSM=y
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
 CONFIG_MEMORY_FAILURE=y
-# CONFIG_HWPOISON_INJECT is not set
 CONFIG_TRANSPARENT_HUGEPAGE=y
 CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
 # CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
@@ -505,7 +504,6 @@ CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
-CONFIG_COMPAT_VDSO=y
 # CONFIG_CMDLINE_BOOL is not set
 CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
 CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
@@ -888,6 +886,7 @@ CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
 CONFIG_NETFILTER_XT_MATCH_DSCP=y
 CONFIG_NETFILTER_XT_MATCH_ECN=y
 CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_GRADM=y
 CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
 CONFIG_NETFILTER_XT_MATCH_HELPER=y
 CONFIG_NETFILTER_XT_MATCH_HL=y
@@ -1733,7 +1732,12 @@ CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
 # CONFIG_NOZOMI is not set
 # CONFIG_N_GSM is not set
 # CONFIG_TRACE_SINK is not set
-CONFIG_DEVKMEM=y
+
+#
+# KCopy
+#
+CONFIG_KCOPY=y
+# CONFIG_DEVKMEM is not set
 
 #
 # Serial drivers
@@ -2749,10 +2753,7 @@ CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
 # Pseudo filesystems
 #
 CONFIG_PROC_FS=y
-# CONFIG_PROC_KCORE is not set
-CONFIG_PROC_VMCORE=y
 CONFIG_PROC_SYSCTL=y
-CONFIG_PROC_PAGE_MONITOR=y
 CONFIG_SYSFS=y
 CONFIG_TMPFS=y
 CONFIG_TMPFS_POSIX_ACL=y
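Review bot: `+CONFIG_KCOPY=y` in the `@@ -1733,7 +1732,12 @@` hunk enables a driver that the base config did not have, in the same step that turns off /dev/kmem (`+# CONFIG_DEVKMEM is not set`), and nothing on the page shows that it was chosen deliberately rather than accepted as the default answer when the hardened tree first offered the new symbol. Its placement between the tty/line-discipline options and the "Serial drivers" section suggests it lives in the character-device tree, so it most likely adds a new device node to a server build whose stated goal is to shrink that surface. Unless this machine needs it, the line should read `# CONFIG_KCOPY is not set`; if it is needed, the commit message should say why. The DEVKMEM change itself, and the `-CONFIG_COMPAT_VDSO=y` removal in the `@@ -505,7 +504,6 @@` hunk, are the expected hardening direction.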
@@ -2982,9 +2983,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21
 # CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
 # CONFIG_NOTIFIER_ERROR_INJECTION is not set
 # CONFIG_FAULT_INJECTION is not set
-# CONFIG_LATENCYTOP is not set
 CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
-# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
 CONFIG_USER_STACKTRACE_SUPPORT=y
 CONFIG_NOP_TRACER=y
 CONFIG_HAVE_FUNCTION_TRACER=y
@@ -3035,7 +3034,6 @@ CONFIG_PROBE_EVENTS=y
 # CONFIG_ATOMIC64_SELFTEST is not set
 # CONFIG_TEST_STRING_HELPERS is not set
 # CONFIG_TEST_KSTRTOX is not set
-# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
 # CONFIG_DMA_API_DEBUG is not set
 # CONFIG_SAMPLES is not set
 CONFIG_HAVE_ARCH_KGDB=y
@@ -3045,9 +3043,6 @@ CONFIG_X86_VERBOSE_BOOTUP=y
 CONFIG_EARLY_PRINTK=y
 CONFIG_EARLY_PRINTK_DBGP=y
 # CONFIG_X86_PTDUMP is not set
-CONFIG_DEBUG_RODATA=y
-CONFIG_DEBUG_RODATA_TEST=y
-# CONFIG_DEBUG_SET_MODULE_RONX is not set
 # CONFIG_DEBUG_NX_TEST is not set
 CONFIG_DOUBLEFAULT=y
 # CONFIG_DEBUG_TLBFLUSH is not set
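Review bot: `-CONFIG_DEBUG_RODATA=y` in the `@@ -3045,9 +3043,6 @@` hunk drops read-only kernel text/rodata with no replacement visible anywhere in the patch: the Grsecurity block added by the following `@@ -3073,6 +3068,193 @@` hunk carries `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""` but no `CONFIG_PAX_KERNEXEC=y`, and no `CONFIG_PAX_MEMORY_UDEREF` line at all, so the hardened build appears to end up with weaker kernel page protection than the base config it replaces. The option is removed outright rather than written as `is not set`, which suggests the hardened Kconfig hides it; the likely reason is the `CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y` / `CONFIG_GRKERNSEC_CONFIG_VIRT_XEN=y` answers, since KERNEXEC is not offered for Xen hosts — worth confirming against the tree's Kconfig. If the Xen-host choice is intentional, the commit message should record that KERNEXEC/UDEREF are unavailable as a consequence; if not, the virtualization answers should be revisited before this config ships.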
@@ -3073,6 +3068,193 @@ CONFIG_OPTIMIZE_INLINING=y
 #
 # Security options
 #
+
+#
+# Grsecurity
+#
+CONFIG_TASK_SIZE_MAX_SHIFT=47
+CONFIG_PAX_USERCOPY_SLABS=y
+CONFIG_GRKERNSEC=y
+CONFIG_GRKERNSEC_CONFIG_AUTO=y
+# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
+CONFIG_GRKERNSEC_CONFIG_SERVER=y
+# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
+# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
+# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
+CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
+CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
+# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
+CONFIG_GRKERNSEC_CONFIG_VIRT_XEN=y
+# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
+# CONFIG_GRKERNSEC_CONFIG_VIRT_KVM is not set
+# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
+CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
+# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
+
+#
+# Default Special Groups
+#
+CONFIG_GRKERNSEC_PROC_GID=10
+CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=100
+CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
+
+#
+# Customize Configuration
+#
+
+#
+# PaX
+#
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+# CONFIG_PAX_SOFTMODE is not set
+# CONFIG_PAX_PT_PAX_FLAGS is not set
+CONFIG_PAX_XATTR_PAX_FLAGS=y
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+CONFIG_PAX_EMUTRAMP=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_MPROTECT_COMPAT is not set
+# CONFIG_PAX_ELFRELOCS is not set
+CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+CONFIG_PAX_RANDKSTACK=y
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+
+#
+# Miscellaneous hardening features
+#
+# CONFIG_PAX_MEMORY_SANITIZE is not set
+# CONFIG_PAX_MEMORY_STACKLEAK is not set
+# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
+CONFIG_PAX_REFCOUNT=y
+CONFIG_PAX_USERCOPY=y
+# CONFIG_PAX_USERCOPY_DEBUG is not set
+CONFIG_PAX_SIZE_OVERFLOW=y
+CONFIG_PAX_LATENT_ENTROPY=y
+
+#
+# Memory Protections
+#
+# CONFIG_GRKERNSEC_KMEM is not set
+CONFIG_GRKERNSEC_IO=y
+CONFIG_GRKERNSEC_JIT_HARDEN=y
+CONFIG_GRKERNSEC_PERF_HARDEN=y
+CONFIG_GRKERNSEC_RAND_THREADSTACK=y
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODHARDEN=y
+CONFIG_GRKERNSEC_HIDESYM=y
+CONFIG_GRKERNSEC_KERN_LOCKOUT=y
+
+#
+# Role Based Access Control Options
+#
+# CONFIG_GRKERNSEC_NO_RBAC is not set
+# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+CONFIG_GRKERNSEC_PROC=y
+# CONFIG_GRKERNSEC_PROC_USER is not set
+CONFIG_GRKERNSEC_PROC_USERGROUP=y
+CONFIG_GRKERNSEC_PROC_ADD=y
+CONFIG_GRKERNSEC_LINK=y
+CONFIG_GRKERNSEC_SYMLINKOWN=y
+CONFIG_GRKERNSEC_FIFO=y
+CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
+# CONFIG_GRKERNSEC_ROFS is not set
+CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
+CONFIG_GRKERNSEC_CHROOT=y
+CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+CONFIG_GRKERNSEC_CHROOT_CAPS=y
+CONFIG_GRKERNSEC_CHROOT_INITRD=y
+
+#
+# Kernel Auditing
+#
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
+# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_RESLOG=y
+# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
+# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
+# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
+# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+CONFIG_GRKERNSEC_SIGNAL=y
+# CONFIG_GRKERNSEC_FORKFAIL is not set
+CONFIG_GRKERNSEC_TIME=y
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+CONFIG_GRKERNSEC_RWXMAP_LOG=y
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+CONFIG_GRKERNSEC_PTRACE_READEXEC=y
+CONFIG_GRKERNSEC_SETXID=y
+CONFIG_GRKERNSEC_HARDEN_IPC=y
+CONFIG_GRKERNSEC_TPE=y
+# CONFIG_GRKERNSEC_TPE_ALL is not set
+# CONFIG_GRKERNSEC_TPE_INVERT is not set
+CONFIG_GRKERNSEC_TPE_GID=100
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_BLACKHOLE=y
+CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
+# CONFIG_GRKERNSEC_SOCKET is not set
+
+#
+# Physical Protections
+#
+CONFIG_GRKERNSEC_DENYUSB=y
+# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+
+#
+# Sysctl Support
+#
+CONFIG_GRKERNSEC_SYSCTL=y
+# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
+CONFIG_GRKERNSEC_SYSCTL_ON=y
+
+#
+# Logging Options
+#
+# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=6
 CONFIG_KEYS=y
 # CONFIG_ENCRYPTED_KEYS is not set
 CONFIG_KEYS_DEBUG_PROC_KEYS=y
@@ -3094,7 +3276,6 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VAL
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_YAMA is not set
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_SELINUX=y
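Review bot: `+CONFIG_GRKERNSEC_SYSCTL=y` together with `+CONFIG_GRKERNSEC_SYSCTL_ON=y` makes most of the protections added in this hunk runtime-tunable defaults rather than fixed kernel properties, so they are only pinned once `kernel.grsecurity.grsec_lock` is set to 1 late in boot; nothing on the page shows where that happens, and the commit message should name the sysctl.conf entry that does it, or the config should drop `CONFIG_GRKERNSEC_SYSCTL`. Two other answers deserve an explicit word: `+CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y` appears to be why `CONFIG_PAX_MEMORY_SANITIZE`, `CONFIG_PAX_MEMORY_STACKLEAK` and `CONFIG_PAX_MEMORY_STRUCTLEAK` are all `is not set`, and `+# CONFIG_GRKERNSEC_KMEM is not set` is, if I read the option right, what leaves raw /dev/mem access available to root even though the earlier hunk disabled /dev/kmem. If these are deliberate for a Xen host, a short comment block above the Grsecurity section — `# Xen host: KERNEXEC/UDEREF unavailable, PRIORITY_PERF chosen, grsec_lock set by sysctl.conf` — would save the next reviewer re-deriving them.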