Author: mguevara Date: Thu Jul 20 16:15:46 2006 GMT Module: SOURCES Tag: HEAD ---- Log message: - initial pax config for SEGMEXEC archs x86/32bit includes grsecurity entries taken and modified from kernel-grsec.config
---- Files affected: SOURCES: kernel-grsec+pax.config (1.3 -> 1.4) (NEW) ---- Diffs: ================================================================
Index: SOURCES/kernel-grsec+pax.config
diff -u /dev/null SOURCES/kernel-grsec+pax.config:1.4
--- /dev/null Thu Jul 20 18:15:46 2006
+++ SOURCES/kernel-grsec+pax.config Thu Jul 20 18:15:41 2006
@@ -0,0 +1,145 @@
+#
+# PaX
+#
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+CONFIG_PAX_SOFTMODE=y
+# CONFIG_PAX_EI_PAX is not set
+CONFIG_PAX_PT_PAX_FLAGS=y
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+CONFIG_PAX_SEGMEXEC=y
+# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
+CONFIG_PAX_DEFAULT_SEGMEXEC=y
+CONFIG_PAX_EMUTRAMP=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_NOELFRELOCS is not set
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+# CONFIG_PAX_RANDKSTACK is not set
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+CONFIG_PAX_NOVSYSCALL=y
+
+#
+# Grsecurity
+#
+CONFIG_GRKERNSEC=y
+# CONFIG_GRKERNSEC_LOW is not set
+# CONFIG_GRKERNSEC_MEDIUM is not set
+# CONFIG_GRKERNSEC_HIGH is not set
+CONFIG_GRKERNSEC_CUSTOM=y
+
+#
+# Address Space Protection
+#
+CONFIG_GRKERNSEC_KMEM=y
+# CONFIG_GRKERNSEC_IO is not set
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODSTOP=y
+# CONFIG_GRKERNSEC_HIDESYM is not set
+
+#
+# Role Based Access Control Options
+#
+CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+CONFIG_GRKERNSEC_PROC=y
+# CONFIG_GRKERNSEC_PROC_USER is not set
+CONFIG_GRKERNSEC_PROC_USERGROUP=y
+CONFIG_GRKERNSEC_PROC_GID=17
+CONFIG_GRKERNSEC_PROC_ADD=y
+CONFIG_GRKERNSEC_LINK=y
+CONFIG_GRKERNSEC_FIFO=y
+CONFIG_GRKERNSEC_CHROOT=y
+CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+CONFIG_GRKERNSEC_CHROOT_CAPS=y
+
+#
+# Kernel Auditing
+#
+CONFIG_GRKERNSEC_AUDIT_GROUP=y
+CONFIG_GRKERNSEC_AUDIT_GID=1007
+CONFIG_GRKERNSEC_EXECLOG=y
+CONFIG_GRKERNSEC_RESLOG=y
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+CONFIG_GRKERNSEC_AUDIT_IPC=y
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+CONFIG_GRKERNSEC_TIME=y
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_EXECVE=y
+CONFIG_GRKERNSEC_SHM=y
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_RANDPID=y
+CONFIG_GRKERNSEC_TPE=y
+CONFIG_GRKERNSEC_TPE_ALL=y
+# CONFIG_GRKERNSEC_TPE_INVERT is not set
+CONFIG_GRKERNSEC_TPE_GID=65500
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=65501
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=65502
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=65503
+
+#
+# Sysctl support
+#
+CONFIG_GRKERNSEC_SYSCTL=y
+# CONFIG_GRKERNSEC_SYSCTL_ON is not set
+
+#
+# Logging Options
+#
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=10
+
+#
+# Some Netfilter stuff
+#
+CONFIG_IP_NF_MATCH_STEALTH=m
+
================================================================ _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
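Review bot: In the "Sysctl support" section, `CONFIG_GRKERNSEC_SYSCTL=y` is combined with `# CONFIG_GRKERNSEC_SYSCTL_ON is not set`, which, as I read the grsecurity option help, leaves every sysctl-controllable feature enabled above (chroot restrictions, TPE, socket restrictions, auditing) switched off at boot. They stay off, and stay changeable by root, until something writes the entries under /proc/sys/kernel/grsecurity and then sets `grsec_lock`. Nothing in this commit shows an init script doing that, so a kernel built from this file may run with far less enforcement than the config suggests. Either set `CONFIG_GRKERNSEC_SYSCTL_ON=y`, or document the dependency above the option, e.g. `# features are off at boot; init must set /proc/sys/kernel/grsecurity/* and then grsec_lock=1`. `CONFIG_PAX_SOFTMODE=y` under "PaX Control" deserves a similar one-line comment, since it makes an opt-in-only PaX mode available on what is presented as a hardened kernel.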
