Diffstat (limited to 'core')
-rw-r--r--core/conf/fstab13
-rw-r--r--core/conf/pkgmk.conf4
-rw-r--r--core/conf/prt-get.conf4
-rwxr-xr-xcore/conf/rc.d/wlan7
-rw-r--r--core/conf/sysctl.conf538
-rw-r--r--core/configure.html45
-rw-r--r--core/dash.html2
-rw-r--r--core/exim.html2
-rw-r--r--core/index.html38
-rw-r--r--core/linux.html676
-rw-r--r--core/network.html141
-rw-r--r--core/package.html18
-rw-r--r--core/ports.html16
-rw-r--r--core/ports/linux-blob/.footprint107
-rw-r--r--core/ports/linux-blob/.md5sum10
-rw-r--r--core/ports/linux-blob/Pkgfile11
-rw-r--r--core/ports/linux-blob/config-c949
-rw-r--r--core/ports/linux-blob/port-blob-grsecurity.patch8
-rw-r--r--core/ports/linux-blob/port-blob-make.patch2
-rw-r--r--core/ports/linux-libre/.footprint107
-rw-r--r--core/ports/linux-libre/.md5sum10
-rw-r--r--core/ports/linux-libre/Pkgfile10
-rw-r--r--core/ports/linux-libre/config-c949
-rw-r--r--core/ports/linux-libre/port-libre-grsecurity.patch4
-rw-r--r--core/ports/linux-libre/port-libre-make.patch2
-rw-r--r--core/reboot.html106
26 files changed, 1417 insertions, 562 deletions
diff --git a/core/conf/fstab b/core/conf/fstab
index da3c9dd..d3fc878 100644
--- a/core/conf/fstab
+++ b/core/conf/fstab
@@ -13,9 +13,20 @@
 #/dev/cdrom            /cdrom    iso9660   ro,user,noauto,unhide            0      0
 #/dev/dvd              /dvd      udf       ro,user,noauto,unhide            0      0
 #/dev/floppy/0         /floppy   vfat      user,noauto,unhide               0      0
-devpts                 /dev/pts  devpts    noexec,nosuid,gid=tty,mode=0620  0      0
 #tmp                   /tmp      tmpfs     defaults                         0      0
 #shm                   /dev/shm  tmpfs     defaults                         0      0
 #usb                   /proc/bus/usb usbfs defaults                         0      0
 
 # End of file
+#/dev/sda3 on / type ext4 (rw,relatime,data=ordered)
+#UUID=3bab76f8-e714-45f1-8e30-04cc8a09c3d1 / 		ext4	ro,relatime,data=ordered			0	1
+/dev/sda3  				   / 		ext4	defaults,noatime,ro				0	1
+devpts                 		           /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
+UUID=3b408790-65e1-4638-9591-7ba61f266913  /boot	ext4	defaults,ro,noatime		  		0	0
+UUID=962D-0DE1				   /boot/efi	vfat	ro,noauto,umask=0077      			0	0  
+UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237  /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	0
+UUID=20bd3948-0877-4192-af52-ad87d6f96db0  /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	0
+UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	defaults,ro,nodev,errors=remount-ro		0	0
+pkgmk                                      /usr/ports/work tmpfs   size=30G,gid=101,uid=100,defaults 		0 	0
+UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	defaults,nodev,errors=remount-ro		0	0
+UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4    defaults,nodev,nosuid,errors=remount-ro		0	0
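Review bot: The added `pkgmk` tmpfs line for /usr/ports/work has neither `nodev` nor `nosuid`, although it is the scratch area the build user writes and executes in; `size=30G,gid=101,uid=100,nodev,nosuid` keeps builds working and closes that gap (the same goes for `nosuid` on /srv). The numeric `uid=100`/`gid=101` must match the pkgmk account on the target host, so a comment naming the account would help. All new entries are appended after the `# End of file` marker, and the root line uses `/dev/sda3` while every other disk is addressed by UUID, with the UUID variant left commented out above it.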
diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
index 3533ba7..4ef372e 100644
--- a/core/conf/pkgmk.conf
+++ b/core/conf/pkgmk.conf
@@ -2,7 +2,7 @@
 # /etc/pkgmk.conf: pkgmk(8) configuration
 #
 
-export CFLAGS="-O2 -march=x86-64"
+export CFLAGS="-O2 -march=native -mtune=native"
 export CXXFLAGS="${CFLAGS}"
 
 export MAKEFLAGS="-j4"
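Review bot: `-march=native` in the new CFLAGS ties every package written to PKGMK_PACKAGE_DIR to the build host's CPU, so a package copied to a machine with an older CPU can fail with illegal-instruction faults; if packages are ever reused elsewhere, keep a named baseline instead. `-mtune=native` is already implied by `-march=native` and can be dropped. The line is also the natural place for compiler hardening, e.g. `export CFLAGS="-O2 -march=native -fstack-protector-strong"`, provided the toolchain in use supports the flag.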
@@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in
 		;;
 esac
 
-PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
+#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
 PKGMK_SOURCE_DIR="/usr/ports/distfiles"
 PKGMK_PACKAGE_DIR="/usr/ports/packages"
 PKGMK_WORK_DIR="/usr/ports/work/$name"
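Review bot: The mirror is switched off by commenting the line out with no reason given, so the next editor cannot tell whether it is meant to stay off. A one-line comment above it would settle that, for example `# mirror disabled: plain-http source, fetch from the port's upstream URLs only`, if that is the intent; otherwise delete the line. As far as this page shows, the ports carry only `.md5sum` files, so it is worth stating in the same comment what verifies a downloaded source.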
diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf
index f6b6d16..0504d3e 100644
--- a/core/conf/prt-get.conf
+++ b/core/conf/prt-get.conf
@@ -38,7 +38,7 @@ logfile  /usr/ports/pkgbuild/%n-%v-%r.log
 readme verbose           # (verbose|compact|disabled)
 
 ### prefer higher versions in sysup / diff
-preferhigher no      # (yes|no)
+#preferhigher yes      # (yes|no)
 
 ### use regexp search
 # useregex no        # (yes|no)
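Review bot: The line now reads `#preferhigher yes`, which is neither the previous active value (`no`) nor an active setting, so the effective behaviour silently becomes prt-get's built-in default while the file suggests `yes`. If the goal is to fall back to the default, keep the documented value and write it in the style of the `# useregex no` line below; if the goal is to prefer higher versions in sysup, uncomment it as `preferhigher yes`.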
@@ -51,7 +51,7 @@ runscripts yes            # (no|yes)
 ### EXPERT SECTION ###
 
 ### alternative commands
-makecommand      sudo -H -u pkgmk fakeroot pkgmk
+makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
 addcommand       sudo pkgadd
 removecommand    sudo pkgrm
 runscriptcommand sudo sh
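Review bot: The added `-g pkgmk` on `makecommand` has no comment explaining why the group must be forced, and whether sudo accepts it depends on the sudoers entry: depending on the sudo version, a Runas spec that names only the user may reject `-g`, which would make every prt-get build fail. If pkgmk's primary group is already pkgmk the flag is a no-op; if not, the matching sudoers line (a run-as spec that includes the group) should ship with this change or be named in a comment above `makecommand`. The sudoers file is not part of this diff, so this cannot be confirmed from here.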
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 8800148..86910bc 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -15,7 +15,6 @@ PID_WIFI=/var/run/wpa_supplicant.pid
 OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
 
-
 print_status() {
 	$SSD --status --pidfile $2
 	case $? in
@@ -35,7 +34,13 @@ case $1 in
 	stop)
 		( $SSD --stop --retry 10 --pidfile $PID_DHCP 
 		  $SSD --stop --retry 10 --pidfile $PID_WIFI )
+
 		RETVAL=$?
+		  /sbin/ip route del default dev ${DEV}
+                  /sbin/ip route flush dev ${DEV}
+                  /sbin/ip link set ${DEV} down
+                  /sbin/ip addr flush dev ${DEV}
+
 		;;
 	restart)
 		$0 stop
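Review bot: The four added `/sbin/ip` calls expand `${DEV}` unquoted and run even when it is empty, in which case the device argument is simply missing from each command; quote it and skip the teardown when unset, e.g. `[ -n "$DEV" ] && /sbin/ip link set "$DEV" down`. `RETVAL=$?` is taken before these lines, so a failed teardown never reaches the script's exit status, and `ip route del default dev` will print an error whenever the interface holds no default route. The new lines also mix tabs and spaces against the tab-indented block around them. The `case` statement starts and ends outside the hunk.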
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index b419628..b60d3e6 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -3,20 +3,420 @@
 #
 
 kernel.printk = 15 1 1 4
+kernel.randomize_va_space = 1
+kernel.shmmax = 500000000
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+
+#
+# Memory Protections
+#
+
+#  If you say Y here, all ioperm and iopl calls will return an error.
+#  Ioperm and iopl can be used to modify the running kernel.
+#  Unfortunately, some programs need this access to operate properly,
+#  the most notable of which are XFree86 and hwclock.  hwclock can be
+#  remedied by having RTC support in the kernel, so real-time 
+#  clock support is enabled if this option is enabled, to ensure 
+#  that hwclock operates correctly.
+#  
+#  If you're using XFree86 or a version of Xorg from 2012 or earlier,
+#  you may not be able to boot into a graphical environment with this
+#  option enabled.  In this case, you should use the RBAC system instead.
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.disable_priv_io = 0
+
+#  If you say Y here, attempts to bruteforce exploits against forking
+#  daemons such as apache or sshd, as well as against suid/sgid binaries
+#  will be deterred.  When a child of a forking daemon is killed by PaX
+#  or crashes due to an illegal instruction or other suspicious signal,
+#  the parent process will be delayed 30 seconds upon every subsequent
+#  fork until the administrator is able to assess the situation and
+#  restart the daemon.
+#  In the suid/sgid case, the attempt is logged, the user has all their
+#  existing instances of the suid/sgid binary terminated and will
+#  be unable to execute any suid/sgid binaries for 15 minutes.
+#  
+#  It is recommended that you also enable signal logging in the auditing
+#  section so that logs are generated when a process triggers a suspicious
+#  signal.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "deter_bruteforce" is created.
+#kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Filesystem Protections
+#
+
+# Optimization for port usefor LBs
+# Increase system file descriptor limit
+fs.file-max = 65535
+
+#  If you say Y here, /tmp race exploits will be prevented, since users
+#  will no longer be able to follow symlinks owned by other users in
+#  world-writable +t directories (e.g. /tmp), unless the owner of the
+#  symlink is the owner of the directory. users will also not be
+#  able to hardlink to files they do not own.  If the sysctl option is
+#  enabled, a sysctl option with name "linking_restrictions" is created.
+kernel.grsecurity.linking_restrictions = 1
+
+
+#  Apache's SymlinksIfOwnerMatch option has an inherent race condition
+#  that prevents it from being used as a security feature.  As Apache
+#  verifies the symlink by performing a stat() against the target of
+#  the symlink before it is followed, an attacker can setup a symlink
+#  to point to a same-owned file, then replace the symlink with one
+#  that targets another user's file just after Apache "validates" the
+#  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+#  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+#  will be in place for the group you specify. If the sysctl option
+#  is enabled, a sysctl option with name "enforce_symlinksifowner" is
+#  created.
+#kernel.grsecurity.enforce_symlinksifowner = 1
+#kernel.grsecurity.symlinkown_gid = 33
+
+#  if you say Y here, users will not be able to write to FIFOs they don't
+#  own in world-writable +t directories (e.g. /tmp), unless the owner of
+#  the FIFO is the same owner of the directory it's held in.  If the sysctl
+#  option is enabled, a sysctl option with name "fifo_restrictions" is
+#  created.
+#kernel.grsecurity.fifo_restrictions = 1
+
+#  If you say Y here, a sysctl option with name "romount_protect" will
+#  be created.  By setting this option to 1 at runtime, filesystems
+#  will be protected in the following ways:
+#  * No new writable mounts will be allowed
+#  * Existing read-only mounts won't be able to be remounted read/write
+#  * Write operations will be denied on all block devices
+#  This option acts independently of grsec_lock: once it is set to 1,
+#  it cannot be turned off.  Therefore, please be mindful of the resulting
+#  behavior if this option is enabled in an init script on a read-only
+#  filesystem.
+#  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
+#  and GRKERNSEC_IO should be enabled and module loading disabled via
+#  config or at runtime.
+#  This feature is mainly intended for secure embedded systems.
+#kernel.grsecurity.romount_protect = 0
+
+#  if you say Y here, the capabilities on all processes within a
+#  chroot jail will be lowered to stop module insertion, raw i/o,
+#  system and net admin tasks, rebooting the system, modifying immutable
+#  files, modifying IPC owned by another, and changing the system time.
+#  This is left an option because it can break some apps.  Disable this
+#  if your chrooted apps are having problems performing those kinds of
+#  tasks.  If the sysctl option is enabled, a sysctl option with
+#  name "chroot_caps" is created.
+kernel.grsecurity.chroot_caps = 1
+
+#kernel.grsecurity.chroot_deny_bad_rename = 1
+
+#  If you say Y here, processes inside a chroot will not be able to chmod
+#  or fchmod files to make them have suid or sgid bits.  This protects
+#  against another published method of breaking a chroot.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+#  created.
+kernel.grsecurity.chroot_deny_chmod     = 1
+
+#  If you say Y here, processes inside a chroot will not be able to chroot
+#  again outside the chroot.  This is a widely used method of breaking
+#  out of a chroot jail and should not be allowed.  If the sysctl 
+#  option is enabled, a sysctl option with name 
+#  "chroot_deny_chroot" is created.
+kernel.grsecurity.chroot_deny_chroot    = 1
+
+#  If you say Y here, a well-known method of breaking chroots by fchdir'ing
+#  to a file descriptor of the chrooting process that points to a directory
+#  outside the filesystem will be stopped.  If the sysctl option
+#  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
+kernel.grsecurity.chroot_deny_fchdir = 1
+
+#  If you say Y here, processes inside a chroot will not be allowed to
+#  mknod.  The problem with using mknod inside a chroot is that it
+#  would allow an attacker to create a device entry that is the same
+#  as one on the physical root of your system, which could range from
+#  anything from the console device to a device for your harddrive (which
+#  they could then use to wipe the drive or steal data).  It is recommended
+#  that you say Y here, unless you run into software incompatibilities.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "chroot_deny_mknod" is created.
+kernel.grsecurity.chroot_deny_mknod = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  mount or remount filesystems.  If the sysctl option is enabled, a
+#  sysctl option with name "chroot_deny_mount" is created.
+kernel.grsecurity.chroot_deny_mount = 1
+
+#  If you say Y here, processes inside a chroot will not be able to use
+#  a function called pivot_root() that was introduced in Linux 2.3.41.  It
+#  works similar to chroot in that it changes the root filesystem.  This
+#  function could be misused in a chrooted process to attempt to break out
+#  of the chroot, and therefore should not be allowed.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_deny_pivot" is
+#  created.
+kernel.grsecurity.chroot_deny_pivot     = 1
+
+#  If you say Y here, processes inside a chroot will not be able to attach
+#  to shared memory segments that were created outside of the chroot jail.
+#  It is recommended that you say Y here.  If the sysctl option is enabled,
+#  a sysctl option with name "chroot_deny_shmat" is created.
+kernel.grsecurity.chroot_deny_shmat = 1
+
+#  If you say Y here, an attacker in a chroot will not be able to
+#  write to sysctl entries, either by sysctl(2) or through a /proc
+#  interface.  It is strongly recommended that you say Y here. If the
+#  sysctl option is enabled, a sysctl option with name
+#  "chroot_deny_sysctl" is created.
+kernel.grsecurity.chroot_deny_sysctl = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  connect to abstract (meaning not belonging to a filesystem) Unix
+#  domain sockets that were bound outside of a chroot.  It is recommended
+#  that you say Y here.  If the sysctl option is enabled, a sysctl option
+#  with name "chroot_deny_unix" is created.
+kernel.grsecurity.chroot_deny_unix = 1
+
+#  If you say Y here, the current working directory of all newly-chrooted
+#  applications will be set to the the root directory of the chroot.
+#  The man page on chroot(2) states:
+#  Note that usually chhroot does not change  the  current  working
+#  directory,  so  that `.' can be outside the tree rooted at
+#  `/'.  In particular, the  super-user  can  escape  from  a
+#  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
+#  
+#  It is recommended that you say Y here, since it's not known to break
+#  any software.  If the sysctl option is enabled, a sysctl option with
+#  name "chroot_enforce_chdir" is created.
+kernel.grsecurity.chroot_enforce_chdir  = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
+#  getsid, or view any process outside of the chroot.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_findtask" is
+#  created.
+kernel.grsecurity.chroot_findtask = 1
+
+#  If you say Y here, processes inside a chroot will not be able to raise
+#  the priority of processes in the chroot, or alter the priority of
+#  processes outside the chroot.  This provides more security than simply
+#  removing CAP_SYS_NICE from the process' capability set.  If the
+#  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+#  is created.
+kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel Auditing
+#
+
+#  If you say Y here, the exec and chdir logging features will only operate
+#  on a group you specify.  This option is recommended if you only want to
+#  watch certain users instead of having a large amount of logs from the
+#  entire system.  If the sysctl option is enabled, a sysctl option with
+#  name "audit_group" is created.
+kernel.grsecurity.audit_group = 0		
+
+#  If you say Y here, the exec and chdir logging features will only operate
+#  on a group you specify.  This option is recommended if you only want to
+#  watch certain users instead of having a large amount of logs from the
+#  entire system.  If the sysctl option is enabled, a sysctl option with
+#  name "audit_group" is created.
+#kernel.grsecurity.audit_gid = 201
+
+#  If you say Y here, all execve() calls will be logged (since the
+#  other exec*() calls are frontends to execve(), all execution
+#  will be logged).  Useful for shell-servers that like to keep track
+#  of their users.  If the sysctl option is enabled, a sysctl option with
+#  name "exec_logging" is created.
+#  WARNING: This option when enabled will produce a LOT of logs, especially
+#  on an active system.
+kernel.grsecurity.exec_logging = 0				
+
+#  If you say Y here, all attempts to overstep resource limits will
+#  be logged with the resource name, the requested size, and the current
+#  limit.  It is highly recommended that you say Y here.  If the sysctl
+#  option is enabled, a sysctl option with name "resource_logging" is
+#  created.  If the RBAC system is enabled, the sysctl value is ignored.
+#kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.resource_logging = 0
+
+#  If you say Y here, all executions inside a chroot jail will be logged
+#  to syslog.  This can cause a large amount of logs if certain
+#  applications (eg. djb's daemontools) are installed on the system, and
+#  is therefore left as an option.  If the sysctl option is enabled, a
+#  sysctl option with name "chroot_execlog" is created.
+kernel.grsecurity.chroot_execlog = 0	
+
+#  If you say Y here, all attempts to attach to a process via ptrace
+#  will be logged.  If the sysctl option is enabled, a sysctl option
+#  with name "audit_ptrace" is created.
+#kernel.grsecurity.audit_ptrace = 1
+kernel.grsecurity.audit_ptrace = 0
+
+#  If you say Y here, all attempts to attach to a process via ptrace
+#  will be logged.  If the sysctl option is enabled, a sysctl option
+#  with name "audit_ptrace" is created.
+kernel.grsecurity.audit_chdir = 0				
+
+#  If you say Y here, all mounts and unmounts will be logged.  If the
+#  sysctl option is enabled, a sysctl option with name "audit_mount" is
+#  created.
+#kernel.grsecurity.audit_mount = 1
+kernel.grsecurity.audit_mount = 0
+
+#  If you say Y here, certain important signals will be logged, such as
+#  SIGSEGV, which will as a result inform you of when a error in a program
+#  occurred, which in some cases could mean a possible exploit attempt.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "signal_logging" is created.
+kernel.grsecurity.signal_logging = 0
+
+#  If you say Y here, all failed fork() attempts will be logged.
+#  This could suggest a fork bomb, or someone attempting to overstep
+#  their process limit.  If the sysctl option is enabled, a sysctl option
+#  with name "forkfail_logging" is created.
+#kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.forkfail_logging = 0
+
+#  If you say Y here, any changes of the system clock will be logged.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "timechange_logging" is created.
+#kernel.grsecurity.timechange_logging = 1
+
+#  if you say Y here, calls to mmap() and mprotect() with explicit
+#  usage of PROT_WRITE and PROT_EXEC together will be logged when
+#  denied by the PAX_MPROTECT feature.  This feature will also
+#  log other problematic scenarios that can occur when PAX_MPROTECT
+#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
+#  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
+#  is created.
+#kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable Protections
+#
+
 
+#  if you say Y here, non-root users will not be able to use dmesg(8)
+#  to view the contents of the kernel's circular log buffer.
+#  The kernel's log buffer often contains kernel addresses and other
+#  identifying information useful to an attacker in fingerprinting a
+#  system for a targeted exploit.
+#  If the sysctl option is enabled, a sysctl option with name "dmesg" is
+#  created.
+kernel.grsecurity.dmesg = 1
+
+# Hide symbol addresses in /proc/kallsyms
+kernel.kptr_restrict = 1
+
+#  If you say Y here, TTY sniffers and other malicious monitoring
+#  programs implemented through ptrace will be defeated.  If you
+#  have been using the RBAC system, this option has already been
+#  enabled for several years for all users, with the ability to make
+#  fine-grained exceptions.
+#  
+#  This option only affects the ability of non-root users to ptrace
+#  processes that are not a descendent of the ptracing process.
+#  This means that strace ./binary and gdb ./binary will still work,
+#  but attaching to arbitrary processes will not.  If the sysctl
+#  option is enabled, a sysctl option with name "harden_ptrace" is
+#  created.
+kernel.grsecurity.harden_ptrace = 1
+
+#  If you say Y here, unprivileged users will not be able to ptrace unreadable
+#  binaries.  This option is useful in environments that
+#  remove the read bits (e.g. file mode 4711) from suid binaries to
+#  prevent infoleaking of their contents.  This option adds
+#  consistency to the use of that file mode, as the binary could normally
+#  be read out when run without privileges while ptracing.
+#  
+#  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
+#  is created.
+kernel.grsecurity.ptrace_readexec = 1
+
+#  If you say Y here, a change from a root uid to a non-root uid
+#  in a multithreaded application will cause the resulting uids,
+#  gids, supplementary groups, and capabilities in that thread
+#  to be propagated to the other threads of the process.  In most
+#  cases this is unnecessary, as glibc will emulate this behavior
+#  on behalf of the application.  Other libcs do not act in the
+#  same way, allowing the other threads of the process to continue
+#  running with root privileges.  If the sysctl option is enabled,
+#  a sysctl option with name "consistent_setxid" is created.
+#kernel.grsecurity.consistent_setxid = 1
+
+#  If you say Y here, access to overly-permissive IPC objects (shared
+#  memory, message queues, and semaphores) will be denied for processes
+#  given the following criteria beyond normal permission checks:
+#  1) If the IPC object is world-accessible and the euid doesn't match
+#     that of the creator or current uid for the IPC object
+#  2) If the IPC object is group-accessible and the egid doesn't
+#     match that of the creator or current gid for the IPC object
+#  It's a common error to grant too much permission to these objects,
+#  with impact ranging from denial of service and information leaking to
+#  privilege escalation.  This feature was developed in response to
+#  research by Tim Brown:
+#  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+#  who found hundreds of such insecure usages.  Processes with
+#  CAP_IPC_OWNER are still permitted to access these IPC objects.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "harden_ipc" is created.
+kernel.grsecurity.harden_ipc = 1
+
+#  If you say Y here, you will be able to choose a gid to add to the
+#  supplementary groups of users you want to mark as "untrusted."
+#  These users will not be able to execute any files that are not in
+#  root-owned directories writable only by root.  If the sysctl option
+#  is enabled, a sysctl option with name "tpe" is created.
+kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 101
+
+#  If you say Y here, the group you specify in the TPE configuration will
+#  decide what group TPE restrictions will be *disabled* for.  This
+#  option is useful if you want TPE restrictions to be applied to most
+#  users on the system.  If the sysctl option is enabled, a sysctl option
+#  with name "tpe_invert" is created.  Unlike other sysctl options, this
+#  entry will default to on for backward-compatibility.
+kernel.grsecurity.tpe_invert = 1
+
+#  If you say Y here, all non-root users will be covered under
+#  a weaker TPE restriction.  This is separate from, and in addition to,
+#  the main TPE options that you have selected elsewhere.  Thus, if a
+#  "trusted" GID is chosen, this restriction applies to even that GID.
+#  Under this restriction, all non-root users will only be allowed to
+#  execute files in directories they own that are not group or
+#  world-writable, or in directories owned by root and writable only by
+#  root.  If the sysctl option is enabled, a sysctl option with name
+#  "tpe_restrict_all" is created.
+kernel.grsecurity.tpe_restrict_all = 0
+
+
+#kernel.grsecurity.harden_tty = 1
+#
+# Network Protections
+#
+
+# Increase Linux auto tuning TCP buffer limits
+# min, default, and max number of bytes to use
+# set max to at least 4MB, or higher if you use very high BDP paths
+# Tcp Windows etc
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1
+
+# Both ports linux-blob and linux-libre don't build with ipv6
 # Disable ipv6
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 
 # Tuen IPv6
-net.ipv6.conf.default.router_solicitations = 0
-net.ipv6.conf.default.accept_ra_rtr_pref = 0
-net.ipv6.conf.default.accept_ra_pinfo = 0
-net.ipv6.conf.default.accept_ra_defrtr = 0
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.default.dad_transmits = 0
-net.ipv6.conf.default.max_addresses = 0
+#net.ipv6.conf.default.router_solicitations = 0
+#net.ipv6.conf.default.accept_ra_rtr_pref = 0
+#net.ipv6.conf.default.accept_ra_pinfo = 0
+#net.ipv6.conf.default.accept_ra_defrtr = 0
+#net.ipv6.conf.default.autoconf = 0
+#net.ipv6.conf.default.dad_transmits = 0
+#net.ipv6.conf.default.max_addresses = 0
 
 # Avoid a smurf attack
 net.ipv4.icmp_echo_ignore_broadcasts = 1
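Review bot: In the Kernel Auditing block every active toggle is written as 0 (`resource_logging`, `audit_ptrace`, `audit_mount`, `forkfail_logging`, `signal_logging`) directly under help text that recommends enabling them, with the `= 1` form left commented out above, so the file reads as hardened while logging nothing. If that is deliberate, say so in one comment at the top of the block; otherwise `kernel.grsecurity.signal_logging = 1` and `kernel.grsecurity.resource_logging = 1` are the two the quoted text itself singles out. The descriptions above `audit_gid` and `audit_chdir` are copies of the `audit_group` and `audit_ptrace` text and should describe their own keys. `kernel.randomize_va_space = 1` is carried over unchanged; mainline documents 2 as the value that also randomizes the heap, so it is worth checking which value is intended alongside PaX here.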
@@ -56,8 +456,8 @@ net.ipv4.conf.default.accept_source_route = 0
 ## protects from attackers that are using ip spoofing methods to do harm
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
-net.ipv6.conf.default.rp_filter = 1
-net.ipv6.conf.all.rp_filter = 1
+#net.ipv6.conf.default.rp_filter = 1
+#net.ipv6.conf.all.rp_filter = 1
 
 # Make sure no one can alter the routing tables
 net.ipv4.conf.all.accept_redirects = 0
@@ -70,18 +470,6 @@ net.ipv4.ip_forward = 1
 net.ipv4.conf.all.send_redirects = 1
 net.ipv4.conf.default.send_redirects = 1
 
-kernel.shmmax = 500000000
-# Turn on execshild
-kernel.exec-shield = 1
-kernel.randomize_va_space = 1
-
-# Optimization for port usefor LBs
-# Increase system file descriptor limit
-fs.file-max = 65535
-
-# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
-kernel.pid_max = 65536
-
 # Increase system IP port limits
 net.ipv4.ip_local_port_range = 2000 65000
 
@@ -89,25 +477,99 @@ net.ipv4.ip_local_port_range = 2000 65000
 net.ipv4.tcp_rmem = 4096 87380 8388608
 net.ipv4.tcp_wmem = 4096 87380 8388608
 
-# Increase Linux auto tuning TCP buffer limits
-# min, default, and max number of bytes to use
-# set max to at least 4MB, or higher if you use very high BDP paths
-# Tcp Windows etc
-net.core.rmem_max = 8388608
-net.core.wmem_max = 8388608
-net.core.netdev_max_backlog = 5000
-net.ipv4.tcp_window_scaling = 1
 
-# Grsecurity stuff
+#  If you say Y here, neither TCP resets nor ICMP
+#  destination-unreachable packets will be sent in response to packets
+#  sent to ports for which no associated listening process exists.
+#  This feature supports both IPV4 and IPV6 and exempts the 
+#  loopback interface from blackholing.  Enabling this feature 
+#  makes a host more resilient to DoS attacks and reduces network
+#  visibility against scanners.
+#  
+#  The blackhole feature as-implemented is equivalent to the FreeBSD
+#  blackhole feature, as it prevents RST responses to all packets, not
+#  just SYNs.  Under most application behavior this causes no
+#  problems, but applications (like haproxy) may not close certain
+#  connections in a way that cleanly terminates them on the remote
+#  end, leaving the remote host in LAST_ACK state.  Because of this
+#  side-effect and to prevent intentional LAST_ACK DoSes, this
+#  feature also adds automatic mitigation against such attacks.
+#  The mitigation drastically reduces the amount of time a socket
+#  can spend in LAST_ACK state.  If you're using haproxy and not
+#  all servers it connects to have this option enabled, consider
+#  disabling this feature on the haproxy host.
+#  
+#  If the sysctl option is enabled, two sysctl options with names
+#  "ip_blackhole" and "lastack_retries" will be created.
+#  While "ip_blackhole" takes the standard zero/non-zero on/off
+#  toggle, "lastack_retries" uses the same kinds of values as
+#  "tcp_retries1" and "tcp_retries2".  The default value of 4
+#  prevents a socket from lasting more than 45 seconds in LAST_ACK
+#  state.
+#kernel.grsecurity.ip_blackhole = 1
+#kernel.grsecurity.lastack_retries = 4
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine or run server
+#  applications from your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_all" is created.
+#kernel.grsecurity.socket_all = 1
+
+#  Here you can choose the GID to disable socket access for. Remember to
+#  add the users you want socket access disabled for to the GID
+#  specified here.  If the sysctl option is enabled, a sysctl option
+#  with name "socket_all_gid" is created.
+#kernel.grsecurity.socket_all_gid = 202
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine, but will be
+#  able to run servers.  If this option is enabled, all users in the group
+#  you specify will have to use passive mode when initiating ftp transfers
+#  from the shell on your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_client" is created.
+#kernel.grsecurity.socket_client = 1
+
+#  Here you can choose the GID to disable client socket access for.
+#  Remember to add the users you want client socket access disabled for to
+#  the GID specified here.  If the sysctl option is enabled, a sysctl
+#  option with name "socket_client_gid" is created.
+#kernel.grsecurity.socket_client_gid = 203
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine, but will be
+#  able to run servers.  If this option is enabled, all users in the group
+#  you specify will have to use passive mode when initiating ftp transfers
+#  from the shell on your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_client" is created.
+#kernel.grsecurity.socket_server = 1
+
+#  Here you can choose the GID to disable server socket access for.
+#  Remember to add the users you want server socket access disabled for to
+#  the GID specified here.  If the sysctl option is enabled, a sysctl
+#  option with name "socket_server_gid" is created.
+#kernel.grsecurity.socket_server_gid = 204
+
+#
+# Physical Protections
+#
+
+#  If you say Y here, a new sysctl option with name "deny_new_usb"
+#  will be created.  Setting its value to 1 will prevent any new
+#  USB devices from being recognized by the OS.  Any attempted USB
+#  device insertion will be logged.  This option is intended to be
+#  used against custom USB devices designed to exploit vulnerabilities
+#  in various USB device drivers.
+#  
+#  For greatest effectiveness, this sysctl should be set after any
+#  relevant init scripts.  This option is safe to enable in distros
+#  as each user can choose whether or not to toggle the sysctl.
+#kernel.grsecurity.deny_new_usb = 0
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+#kernel.grsecurity.grsec_lock = 1
 
-# cant chroot to outside chroot used to break chroot
-kernel.grsecurity.chroot_deny_chroot    = 1
-# function related to filesystems used to exploit
-kernel.grsecurity.chroot_deny_pivot     = 1
-# enforce current directory to chroot
-kernel.grsecurity.chroot_enforce_chdir  = 1
-# cant chmod inside chroot used to break chroot
-kernel.grsecurity.chroot_deny_chmod     = 0
 
 
 # End of file
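Review bot: `#kernel.grsecurity.grsec_lock = 1` is left commented out at the end of the file, so every grsecurity toggle enabled earlier in this file (the chroot_* restrictions, harden_ptrace, tpe) stays writable at runtime and a root process can switch them back off. If the lock is applied later by an init script, as the deny_new_usb text suggests for late settings, say so in a comment here; otherwise make `kernel.grsecurity.grsec_lock = 1` the last active line. The description above `socket_server` is a copy of the `socket_client` text and still names `socket_client`.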
diff --git a/core/configure.html b/core/configure.html
index ffcb0f7..1ca655f 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -215,7 +215,7 @@
         <a href="install.html#step2">target partition</a>,
         blkid list all while vol_id --uuid /dev/sdb1 returns
         only uuid. Add all block ids to the end of file
-        /etc/fstab
+        /etc/fstab;
         </p>
 
         <pre>
@@ -223,27 +223,40 @@
         </pre>
 
         <p>Read <a href="http://linux-audit.com/securing-mount-points-on-linux/" title="Securing mount points">Securing mount points</a>,
-        and edit /etc/fstab according to your disk layout.</p>
+        and edit /etc/fstab according to your disk layout. Blocks with uuid will later be created at lvm</p>
 
         <pre>
         #
         # /etc/fstab: static file system information
         #
         # &lt;file system&gt;        &lt;dir&gt;     &lt;type&gt;    &lt;options&gt;                        &lt;dump&gt; &lt;pass&gt;
-        /dev/sda4 on / type ext4 (rw,relatime,data=ordered)
-        /dev/sda3 on /boot type ext4 (rw,relatime,data=ordered)
-        /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
-        /dev/sda5 on /var type ext4 (rw,relatime,data=ordered)
-        /dev/sda6 on /usr type ext4 (rw,relatime,data=ordered)
-        /dev/sda8 on /home type ext4 (rw,relatime,data=ordered)
-
-        devtmpfs on /dev type devtmpfs (rw,nosuid,noatime,size=8192k,nr_inodes=16384,mode=755)
-        devpts on /dev/pts type devpts (rw,relatime,mode=600)
-        shm on /dev/shm type tmpfs (rw,relatime)
-        proc on /proc type proc (rw,relatime)
-        sysfs on /sys type sysfs (rw,relatime)
-
-        pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0    0
+
+        #/dev/#EXT4FS_ROOT#    /         ext4      defaults                         0      1
+        #/dev/#BTRFS_ROOT#     /         btrfs     defaults                         0      0
+        #/dev/#XFS_ROOT#       /         xfs       defaults                         0      0
+        #/dev/#SWAP#           swap      swap      defaults                         0      0
+        #/dev/#EXT4FS_HOME#    /home     ext4      defaults                         0      2
+        #/dev/#BTRFS_HOME#     /home     btrfs     defaults                         0      0
+        #/dev/#XFS_HOME#       /home     xfs       defaults                         0      0
+        #/dev/cdrom            /cdrom    iso9660   ro,user,noauto,unhide            0      0
+        #/dev/dvd              /dvd      udf       ro,user,noauto,unhide            0      0
+        #/dev/floppy/0         /floppy   vfat      user,noauto,unhide               0      0
+        #tmp                   /tmp      tmpfs     defaults                         0      0
+        #shm                   /dev/shm  tmpfs     defaults                         0      0
+        #usb                   /proc/bus/usb usbfs defaults                         0      0
+
+        /dev/sda3               / 		ext4	defaults,noatime,ro				0	1
+        devpts                  /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
+        /dev/sda2               /boot	ext4	defaults,ro,noatime     		  		0	0
+        /dev/sda1               /boot/efi	vfat	ro,noauto,umask=0077      			0	0
+        /dev/sda4               /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	0
+        /dev/sda5               /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	0
+
+        UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	        defaults,ro,nodev,errors=remount-ro     0	0
+        pkgmk                                      /usr/ports/work tmpfs        size=30G,gid=101,uid=100,defaults       0       0
+        UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	        defaults,nodev,errors=remount-ro	0	0
+        UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4            defaults,nodev,nosuid,errors=remount-ro	0	0
+
         # End of file
         </pre>
 
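Review bot: The `pkgmk` tmpfs entry for /usr/ports/work uses `defaults` with no `mode=`, so the mount root gets tmpfs's default 1777 permissions and honours setuid bits and device nodes. That leaves the package build area writable by every local account, unless something outside this listing tightens it. I would write the options as `size=30G,uid=100,gid=101,mode=0750,nodev,nosuid`. A comment should also say that uid/gid must match the local pkgmk account, since this change moves them from `gid=102,uid=101` to `gid=101,uid=100`. In the same listing /srv gets `nodev` but not `nosuid`, unlike /home and /var; if that is deliberate, a one-line comment saying why would help readers who copy the example.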
diff --git a/core/dash.html b/core/dash.html
index 18045e5..ed6dbab 100644
--- a/core/dash.html
+++ b/core/dash.html
@@ -20,7 +20,7 @@
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9 Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/exim.html b/core/exim.html
index c4b3c95..c1fd494 100644
--- a/core/exim.html
+++ b/core/exim.html
@@ -216,7 +216,7 @@
         <a href="index.html">Core OS Index</a>
         <p>
         This is part of the c9 Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/index.html b/core/index.html
index bc8dad5..abff93d 100644
--- a/core/index.html
+++ b/core/index.html
@@ -59,8 +59,7 @@
 
             <li><a href="reboot.html">1.4. Prepare for reboot</a>
                 <ul>
-                    <li><a href="reboot.html#linux">1.4.1. Linux Kernel</a></li>
-                    <li><a href="reboot.html#dracut">1.4.2. Dracut - Initramfs</a></li>
+                    <li><a href="reboot.html#linux">1.4.1. Kernel Ports</a></li>
                     <li><a href="reboot.html#grub">1.4.3. Configuring Grub</a></li>
                     <li><a href="reboot.html#checkup">1.4.4. Checkup</a></li>
                 </ul>
@@ -70,32 +69,33 @@
         <h2>2. System Administration</h2>
 
         <ul>
-            <li><a href="network.html">2.1. Network</a>
+
+            <li><a href="linux.html">2.1. Linux Kernel</a>
                 <ul>
-                    <li><a href="network.html#resolv">2.1.1. Resolver</a></li>
-                    <li><a href="network.html#static">2.1.2. Static ip</a></li>
-                    <li><a href="network.html#iptables">2.1.3. Iptables</a></li>
-                    <li><a href="network.html#wpa">2.1.4. Wpa and dhcpd</a></li>
-                    <li><a href="network.html#sysctl">2.1.5. Sysctl</a></li>
+                    <li><a href="linux.html#linuxlibre">2.1.1. Port Linux libre</a></li>
+                    <li><a href="linux.html#kinstall">2.1.2. Manual install</a></li>
+                    <li><a href="linux.html#kuninstall">2.1.3. Manual remove</a></li>
+                    <li><a href="linux.html#sysctl">2.1.4. Sysctl</a></li>
                 </ul>
             </li>
 
-            <li><a href="package.html">2.2. Package Management</a>
+            <li><a href="network.html">2.2. Network</a>
                 <ul>
-                    <li><a href="package.html#sysup">2.2.1. Update system</a></li>
-                    <li><a href="package.html#depinst">2.2.2. Install ports and dependencies</a></li>
-                    <li><a href="package.html#ports">2.2.3. Ports collections</a></li>
-                    <li><a href="package.html#info">2.2.3. Show port information</a></li>
-                    <li><a href="package.html#depends">2.2.4. Show port dependencies</a></li>
-                    <li><a href="package.html#printf">2.2.5. Print information</a></li>
+                    <li><a href="network.html#resolv">2.2.1. Resolver</a></li>
+                    <li><a href="network.html#static">2.2.2. Static ip</a></li>
+                    <li><a href="network.html#iptables">2.2.3. Iptables</a></li>
+                    <li><a href="network.html#wpa">2.2.4. Wpa and dhcpd</a></li>
                 </ul>
             </li>
 
-            <li><a href="linux.html">2.3. Linux Kernel</a>
+            <li><a href="package.html">2.3. Package Management</a>
                 <ul>
-                    <li><a href="linux.html#linuxlibre">2.3.1. Port Linux libre</a></li>
-                    <li><a href="linux.html#kinstall">2.3.2. Manual install</a></li>
-                    <li><a href="linux.html#kuninstall">2.3.3. Manual remove</a></li>
+                    <li><a href="package.html#sysup">2.3.1. Update system</a></li>
+                    <li><a href="package.html#depinst">2.3.2. Install ports and dependencies</a></li>
+                    <li><a href="package.html#ports">2.3.3. Ports collections</a></li>
+                    <li><a href="package.html#info">2.3.3. Show port information</a></li>
+                    <li><a href="package.html#depends">2.3.4. Show port dependencies</a></li>
+                    <li><a href="package.html#printf">2.3.5. Print information</a></li>
                 </ul>
             </li>
 
diff --git a/core/linux.html b/core/linux.html
index 53fc304..0304884 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -2,12 +2,12 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.3. Kernel Linux</title>
+        <title>2.1. Kernel Linux</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
-        <h1 id="kernel">2.3. Kernel Linux</h1>
+        <h1 id="kernel">2.1. Kernel Linux</h1>
 
         <p>Linux is a monolith kernel, a big one ! Visit
         <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
@@ -15,58 +15,41 @@
         <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
         and information.</p>
 
-        <h2 id="#linuxlibre">2.3.1. Port Linux Libre</h2>
+        <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2>
 
-        <p>Collection c9-ports have linux-libre port with default crux
-        configuration, this port depends on dracut and grub but is not
-        required to install them. To build and install this port using
-        prt-get;</p>
+        <p>Default crux configuration can be obtained from iso, this port depends
+        on dracut and grub but is not required to install them. To build and install
+        this port using prt-get;</p>
 
         <pre>
         $ prt-get depinst linux-libre
         </pre>
 
-        <h2 id="kinstall">2.3.2. Manual Install</h2>
+        <h2 id="kinstall">2.1.2. Manual Install</h2>
 
         <p>Download Linux Source from
         <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
         or using the port system;</p>
 
-        <pre>
-        $ cd /usr/ports/c9-ports/linux-libre
-        $ sudo -u pkgmk pkgmk -do
-        </pre>
-
-        <p>Crux iso comes with config that is used in this port, is
-        a good starting point to personalize according to your needs;</p>
+        <p>Crux iso comes with config that is more generic than used on linux-libre
+        port, crux default is a good starting point to personalize according to your
+        needs (build default, detect modules needed);</p>
 
         <pre>
         $ mkdir ~/kernel
         $ cd ~/kernel
-        $ cp /usr/ports/c9-ports/linux-libre/linux-4.1.32.defconfig .
-        $ cp /usr/ports/distfiles/linux-libre-4.1.32-gnu.tar.xz .
-        $ tar xf linux-libre-4.1.32-gnu.tar.xz
-        $ cp linux-4.1.32.defconfig linux-4.1.32/.config
+        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
+        $ tar xf linux-libre-4.9.11-gnu.tar.xz
+        $ cd linux-4.9.11/
         </pre>
 
-        <p>If you like <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">download master</a>) that adds more cpu options (FLAGS native)</p>
-
-        <pre>
-        $ cp /usr/ports/distfiles/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cpu_optimizations.patch
-        </pre>
-
-        <pre>
-        $ cd ~/linux-4.1.32/
-        $ patch -p1 &lt; ../cpu_optimizations.patch
-        patching file arch/x86/include/asm/module.h
-        patching file arch/x86/Kconfig.cpu
-        patching file arch/x86/Makefile
-        Hunk #1 succeeded at 85 with fuzz 1 (offset -9 lines).
-        patching file arch/x86/Makefile_32.cpu
-        $
-        </pre>
-
-        <p>Read <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">Gresecurity</a>.</p>
+        <p><a href="grsecurity.net">Grsecurity</a> patch for
+        <a href="https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch">4.9.11</a>.
+        Gcc <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
+        that adds more cpu options (FLAGS native).
+        Check <a href="ports/linux-libre/Pkgfile">Pkgfile</a> for instructions and
+        more patches used on linux-libre port. Read patching your kernel with
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">gresecurity</a>.</p>
 
         <p>Configure kernel according to your current kernel
         hardware support;</p>
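Review bot: The new paragraph labels the grsecurity link "4.9.11", but the href is `grsecurity-3.1-4.9.9-201702122044.patch`, while the steps above unpack `linux-libre-4.9.11-gnu.tar.xz`. Either the label or the link should be corrected so readers do not apply a patch cut for a different tree. `href="grsecurity.net"` has no scheme and resolves relative to this page; it should be `href="https://grsecurity.net/"`. The kernel_gcc_patch link points at `archive/master.zip`, which changes over time, and nothing in this hunk tells the reader to verify the tarball or patches after the `pkgmk -do` step was removed. I would add a sentence asking readers to fetch a fixed tag or commit and check the downloads against the port's checksums or the upstream signatures before building.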
@@ -77,11 +60,10 @@
 
         <p>This will disable all unloaded modules,
         you can use localyesconfig mark all loaded
-        to be built in the kernel.</p>
-
-        <p>To get information about your hardware,
-        for example information about which graphic
-        module (driver) is in use as root run;</p>
+        to be built in the kernel. To get information
+        about your hardware, for example information
+        about which graphic module (driver) is in use
+        as root run;</p>
 
         <pre>
         # lspci -nnk | grep -i vga -A3 | grep 'in use'
@@ -95,16 +77,16 @@
         </pre>
 
         <pre>
-        $ make -j $(nproc) all
+        $ make -j $(nproc) bzImage modules
         $ sudo make modules_install
-        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.1.32-gnu_crux
-        $ sudo cp System.map /boot/System.map-4.1.32-gnu_crux
+        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
+        $ sudo cp System.map /boot/System.map-4.9.11-gnu
         </pre>
 
         <p>Create dracut initramfs;</p>
 
         <pre>
-        $sudo dracut --fstab /boot/initramfs-4.1.32-gnu_crux.img 4.1.32-gnu_crux
+        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
         </pre>
 
         <p>Update grub;</p>
@@ -113,17 +95,609 @@
         # grub-mkconfig -o /boot/grub/grub.cfg
         </pre>
 
-        <h2 id="kuninstall">2.3.3. Manual Remove</h2>
+        <h2 id="kuninstall">2.1.3. Manual Remove</h2>
 
         <pre>
-        $ sudo rm -r /lib/modules/4.1.12-gnu_crux
-        $ sudo rm /boot/vmlinuz-4.1.12-gnu_crux
-        $ sudo rm /boot/System.map-4.1.12-gnu_crux
+        $ sudo rm -r /lib/modules/4.9.11-gnu
+        $ sudo rm /boot/vmlinuz-4.9.11-gnu
+        $ sudo rm /boot/System.map-4.9.11-gnu
         </pre>
 
+        <h2 id="sysctl">2.1.4. Sysctl</h2>
+
+        <p>Sysctl references
+        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
+        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
+        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p>
+
+        <p>Since kernels on c9-ports have <a href="pax.grsecurity.net">PaX</a>
+        and <a href="http://grsecurity.net/announce.php">grsecurity</a>,
+        <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow
+        values;</p>
+
+        <pre>
+        #
+        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
+        #
+
+        kernel.printk = 15 1 1 4
+        kernel.randomize_va_space = 1
+        kernel.shmmax = 500000000
+        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+        kernel.pid_max = 65536
+
+        #
+        # Memory Protections
+        #
+
+        #  If you say Y here, all ioperm and iopl calls will return an error.
+        #  Ioperm and iopl can be used to modify the running kernel.
+        #  Unfortunately, some programs need this access to operate properly,
+        #  the most notable of which are XFree86 and hwclock.  hwclock can be
+        #  remedied by having RTC support in the kernel, so real-time
+        #  clock support is enabled if this option is enabled, to ensure
+        #  that hwclock operates correctly.
+        #
+        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
+        #  you may not be able to boot into a graphical environment with this
+        #  option enabled.  In this case, you should use the RBAC system instead.
+        #kernel.grsecurity.disable_priv_io = 1
+        kernel.grsecurity.disable_priv_io = 0
+
+        #  If you say Y here, attempts to bruteforce exploits against forking
+        #  daemons such as apache or sshd, as well as against suid/sgid binaries
+        #  will be deterred.  When a child of a forking daemon is killed by PaX
+        #  or crashes due to an illegal instruction or other suspicious signal,
+        #  the parent process will be delayed 30 seconds upon every subsequent
+        #  fork until the administrator is able to assess the situation and
+        #  restart the daemon.
+        #  In the suid/sgid case, the attempt is logged, the user has all their
+        #  existing instances of the suid/sgid binary terminated and will
+        #  be unable to execute any suid/sgid binaries for 15 minutes.
+        #
+        #  It is recommended that you also enable signal logging in the auditing
+        #  section so that logs are generated when a process triggers a suspicious
+        #  signal.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "deter_bruteforce" is created.
+        #kernel.grsecurity.deter_bruteforce = 1
+
+        #
+        # Filesystem Protections
+        #
+
+        # Optimization for port usefor LBs
+        # Increase system file descriptor limit
+        fs.file-max = 65535
+
+        #  If you say Y here, /tmp race exploits will be prevented, since users
+        #  will no longer be able to follow symlinks owned by other users in
+        #  world-writable +t directories (e.g. /tmp), unless the owner of the
+        #  symlink is the owner of the directory. users will also not be
+        #  able to hardlink to files they do not own.  If the sysctl option is
+        #  enabled, a sysctl option with name "linking_restrictions" is created.
+        kernel.grsecurity.linking_restrictions = 1
+
+
+        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
+        #  that prevents it from being used as a security feature.  As Apache
+        #  verifies the symlink by performing a stat() against the target of
+        #  the symlink before it is followed, an attacker can setup a symlink
+        #  to point to a same-owned file, then replace the symlink with one
+        #  that targets another user's file just after Apache "validates" the
+        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+        #  will be in place for the group you specify. If the sysctl option
+        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
+        #  created.
+        #kernel.grsecurity.enforce_symlinksifowner = 1
+        #kernel.grsecurity.symlinkown_gid = 33
+
+        #  if you say Y here, users will not be able to write to FIFOs they don't
+        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
+        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
+        #  option is enabled, a sysctl option with name "fifo_restrictions" is
+        #  created.
+        #kernel.grsecurity.fifo_restrictions = 1
+
+        #  If you say Y here, a sysctl option with name "romount_protect" will
+        #  be created.  By setting this option to 1 at runtime, filesystems
+        #  will be protected in the following ways:
+        #  * No new writable mounts will be allowed
+        #  * Existing read-only mounts won't be able to be remounted read/write
+        #  * Write operations will be denied on all block devices
+        #  This option acts independently of grsec_lock: once it is set to 1,
+        #  it cannot be turned off.  Therefore, please be mindful of the resulting
+        #  behavior if this option is enabled in an init script on a read-only
+        #  filesystem.
+        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
+        #  and GRKERNSEC_IO should be enabled and module loading disabled via
+        #  config or at runtime.
+        #  This feature is mainly intended for secure embedded systems.
+        #kernel.grsecurity.romount_protect = 0
+
+        #  if you say Y here, the capabilities on all processes within a
+        #  chroot jail will be lowered to stop module insertion, raw i/o,
+        #  system and net admin tasks, rebooting the system, modifying immutable
+        #  files, modifying IPC owned by another, and changing the system time.
+        #  This is left an option because it can break some apps.  Disable this
+        #  if your chrooted apps are having problems performing those kinds of
+        #  tasks.  If the sysctl option is enabled, a sysctl option with
+        #  name "chroot_caps" is created.
+        kernel.grsecurity.chroot_caps = 1
+
+        #kernel.grsecurity.chroot_deny_bad_rename = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to chmod
+        #  or fchmod files to make them have suid or sgid bits.  This protects
+        #  against another published method of breaking a chroot.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+        #  created.
+        kernel.grsecurity.chroot_deny_chmod     = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to chroot
+        #  again outside the chroot.  This is a widely used method of breaking
+        #  out of a chroot jail and should not be allowed.  If the sysctl
+        #  option is enabled, a sysctl option with name
+        #  "chroot_deny_chroot" is created.
+        kernel.grsecurity.chroot_deny_chroot    = 1
+
+        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
+        #  to a file descriptor of the chrooting process that points to a directory
+        #  outside the filesystem will be stopped.  If the sysctl option
+        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
+        kernel.grsecurity.chroot_deny_fchdir = 1
+
+        #  If you say Y here, processes inside a chroot will not be allowed to
+        #  mknod.  The problem with using mknod inside a chroot is that it
+        #  would allow an attacker to create a device entry that is the same
+        #  as one on the physical root of your system, which could range from
+        #  anything from the console device to a device for your harddrive (which
+        #  they could then use to wipe the drive or steal data).  It is recommended
+        #  that you say Y here, unless you run into software incompatibilities.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "chroot_deny_mknod" is created.
+        kernel.grsecurity.chroot_deny_mknod = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  mount or remount filesystems.  If the sysctl option is enabled, a
+        #  sysctl option with name "chroot_deny_mount" is created.
+        kernel.grsecurity.chroot_deny_mount = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to use
+        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
+        #  works similar to chroot in that it changes the root filesystem.  This
+        #  function could be misused in a chrooted process to attempt to break out
+        #  of the chroot, and therefore should not be allowed.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
+        #  created.
+        kernel.grsecurity.chroot_deny_pivot     = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to attach
+        #  to shared memory segments that were created outside of the chroot jail.
+        #  It is recommended that you say Y here.  If the sysctl option is enabled,
+        #  a sysctl option with name "chroot_deny_shmat" is created.
+        kernel.grsecurity.chroot_deny_shmat = 1
+
+        #  If you say Y here, an attacker in a chroot will not be able to
+        #  write to sysctl entries, either by sysctl(2) or through a /proc
+        #  interface.  It is strongly recommended that you say Y here. If the
+        #  sysctl option is enabled, a sysctl option with name
+        #  "chroot_deny_sysctl" is created.
+        kernel.grsecurity.chroot_deny_sysctl = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  connect to abstract (meaning not belonging to a filesystem) Unix
+        #  domain sockets that were bound outside of a chroot.  It is recommended
+        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
+        #  with name "chroot_deny_unix" is created.
+        kernel.grsecurity.chroot_deny_unix = 1
+
+        #  If you say Y here, the current working directory of all newly-chrooted
+        #  applications will be set to the the root directory of the chroot.
+        #  The man page on chroot(2) states:
+        #  Note that usually chhroot does not change  the  current  working
+        #  directory,  so  that `.' can be outside the tree rooted at
+        #  `/'.  In particular, the  super-user  can  escape  from  a
+        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
+        #
+        #  It is recommended that you say Y here, since it's not known to break
+        #  any software.  If the sysctl option is enabled, a sysctl option with
+        #  name "chroot_enforce_chdir" is created.
+        kernel.grsecurity.chroot_enforce_chdir  = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
+        #  getsid, or view any process outside of the chroot.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_findtask" is
+        #  created.
+        kernel.grsecurity.chroot_findtask = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to raise
+        #  the priority of processes in the chroot, or alter the priority of
+        #  processes outside the chroot.  This provides more security than simply
+        #  removing CAP_SYS_NICE from the process' capability set.  If the
+        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+        #  is created.
+        kernel.grsecurity.chroot_restrict_nice = 1
+
+        #
+        # Kernel Auditing
+        #
+
+        #  If you say Y here, the exec and chdir logging features will only operate
+        #  on a group you specify.  This option is recommended if you only want to
+        #  watch certain users instead of having a large amount of logs from the
+        #  entire system.  If the sysctl option is enabled, a sysctl option with
+        #  name "audit_group" is created.
+        kernel.grsecurity.audit_group = 0
+
+        #  If you say Y here, the exec and chdir logging features will only operate
+        #  on a group you specify.  This option is recommended if you only want to
+        #  watch certain users instead of having a large amount of logs from the
+        #  entire system.  If the sysctl option is enabled, a sysctl option with
+        #  name "audit_group" is created.
+        #kernel.grsecurity.audit_gid = 201
+
+        #  If you say Y here, all execve() calls will be logged (since the
+        #  other exec*() calls are frontends to execve(), all execution
+        #  will be logged).  Useful for shell-servers that like to keep track
+        #  of their users.  If the sysctl option is enabled, a sysctl option with
+        #  name "exec_logging" is created.
+        #  WARNING: This option when enabled will produce a LOT of logs, especially
+        #  on an active system.
+        kernel.grsecurity.exec_logging = 0
+
+        #  If you say Y here, all attempts to overstep resource limits will
+        #  be logged with the resource name, the requested size, and the current
+        #  limit.  It is highly recommended that you say Y here.  If the sysctl
+        #  option is enabled, a sysctl option with name "resource_logging" is
+        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
+        #kernel.grsecurity.resource_logging = 1
+        kernel.grsecurity.resource_logging = 0
+
+        #  If you say Y here, all executions inside a chroot jail will be logged
+        #  to syslog.  This can cause a large amount of logs if certain
+        #  applications (eg. djb's daemontools) are installed on the system, and
+        #  is therefore left as an option.  If the sysctl option is enabled, a
+        #  sysctl option with name "chroot_execlog" is created.
+        kernel.grsecurity.chroot_execlog = 0
+
+        #  If you say Y here, all attempts to attach to a process via ptrace
+        #  will be logged.  If the sysctl option is enabled, a sysctl option
+        #  with name "audit_ptrace" is created.
+        #kernel.grsecurity.audit_ptrace = 1
+        kernel.grsecurity.audit_ptrace = 0
+
+        #  If you say Y here, all attempts to attach to a process via ptrace
+        #  will be logged.  If the sysctl option is enabled, a sysctl option
+        #  with name "audit_ptrace" is created.
+        kernel.grsecurity.audit_chdir = 0
+
+        #  If you say Y here, all mounts and unmounts will be logged.  If the
+        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
+        #  created.
+        #kernel.grsecurity.audit_mount = 1
+        kernel.grsecurity.audit_mount = 0
+
+        #  If you say Y here, certain important signals will be logged, such as
+        #  SIGSEGV, which will as a result inform you of when a error in a program
+        #  occurred, which in some cases could mean a possible exploit attempt.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "signal_logging" is created.
+        kernel.grsecurity.signal_logging = 0
+
+        #  If you say Y here, all failed fork() attempts will be logged.
+        #  This could suggest a fork bomb, or someone attempting to overstep
+        #  their process limit.  If the sysctl option is enabled, a sysctl option
+        #  with name "forkfail_logging" is created.
+        #kernel.grsecurity.forkfail_logging = 1
+        kernel.grsecurity.forkfail_logging = 0
+
+        #  If you say Y here, any changes of the system clock will be logged.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "timechange_logging" is created.
+        #kernel.grsecurity.timechange_logging = 1
+
+        #  if you say Y here, calls to mmap() and mprotect() with explicit
+        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
+        #  denied by the PAX_MPROTECT feature.  This feature will also
+        #  log other problematic scenarios that can occur when PAX_MPROTECT
+        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
+        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
+        #  is created.
+        #kernel.grsecurity.rwxmap_logging = 1
+
+        #
+        # Executable Protections
+        #
+
+
+        #  if you say Y here, non-root users will not be able to use dmesg(8)
+        #  to view the contents of the kernel's circular log buffer.
+        #  The kernel's log buffer often contains kernel addresses and other
+        #  identifying information useful to an attacker in fingerprinting a
+        #  system for a targeted exploit.
+        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
+        #  created.
+        kernel.grsecurity.dmesg = 1
+
+        # Hide symbol addresses in /proc/kallsyms
+        kernel.kptr_restrict = 1
+
+        #  If you say Y here, TTY sniffers and other malicious monitoring
+        #  programs implemented through ptrace will be defeated.  If you
+        #  have been using the RBAC system, this option has already been
+        #  enabled for several years for all users, with the ability to make
+        #  fine-grained exceptions.
+        #
+        #  This option only affects the ability of non-root users to ptrace
+        #  processes that are not a descendent of the ptracing process.
+        #  This means that strace ./binary and gdb ./binary will still work,
+        #  but attaching to arbitrary processes will not.  If the sysctl
+        #  option is enabled, a sysctl option with name "harden_ptrace" is
+        #  created.
+        kernel.grsecurity.harden_ptrace = 1
+
+        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
+        #  binaries.  This option is useful in environments that
+        #  remove the read bits (e.g. file mode 4711) from suid binaries to
+        #  prevent infoleaking of their contents.  This option adds
+        #  consistency to the use of that file mode, as the binary could normally
+        #  be read out when run without privileges while ptracing.
+        #
+        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
+        #  is created.
+        kernel.grsecurity.ptrace_readexec = 1
+
+        #  If you say Y here, a change from a root uid to a non-root uid
+        #  in a multithreaded application will cause the resulting uids,
+        #  gids, supplementary groups, and capabilities in that thread
+        #  to be propagated to the other threads of the process.  In most
+        #  cases this is unnecessary, as glibc will emulate this behavior
+        #  on behalf of the application.  Other libcs do not act in the
+        #  same way, allowing the other threads of the process to continue
+        #  running with root privileges.  If the sysctl option is enabled,
+        #  a sysctl option with name "consistent_setxid" is created.
+        #kernel.grsecurity.consistent_setxid = 1
+
+        #  If you say Y here, access to overly-permissive IPC objects (shared
+        #  memory, message queues, and semaphores) will be denied for processes
+        #  given the following criteria beyond normal permission checks:
+        #  1) If the IPC object is world-accessible and the euid doesn't match
+        #     that of the creator or current uid for the IPC object
+        #  2) If the IPC object is group-accessible and the egid doesn't
+        #     match that of the creator or current gid for the IPC object
+        #  It's a common error to grant too much permission to these objects,
+        #  with impact ranging from denial of service and information leaking to
+        #  privilege escalation.  This feature was developed in response to
+        #  research by Tim Brown:
+        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+        #  who found hundreds of such insecure usages.  Processes with
+        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "harden_ipc" is created.
+        kernel.grsecurity.harden_ipc = 1
+
+        #  If you say Y here, you will be able to choose a gid to add to the
+        #  supplementary groups of users you want to mark as "untrusted."
+        #  These users will not be able to execute any files that are not in
+        #  root-owned directories writable only by root.  If the sysctl option
+        #  is enabled, a sysctl option with name "tpe" is created.
+        kernel.grsecurity.tpe = 1
+        kernel.grsecurity.tpe_gid = 101
+
+        #  If you say Y here, the group you specify in the TPE configuration will
+        #  decide what group TPE restrictions will be *disabled* for.  This
+        #  option is useful if you want TPE restrictions to be applied to most
+        #  users on the system.  If the sysctl option is enabled, a sysctl option
+        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
+        #  entry will default to on for backward-compatibility.
+        kernel.grsecurity.tpe_invert = 1
+
+        #  If you say Y here, all non-root users will be covered under
+        #  a weaker TPE restriction.  This is separate from, and in addition to,
+        #  the main TPE options that you have selected elsewhere.  Thus, if a
+        #  "trusted" GID is chosen, this restriction applies to even that GID.
+        #  Under this restriction, all non-root users will only be allowed to
+        #  execute files in directories they own that are not group or
+        #  world-writable, or in directories owned by root and writable only by
+        #  root.  If the sysctl option is enabled, a sysctl option with name
+        #  "tpe_restrict_all" is created.
+        kernel.grsecurity.tpe_restrict_all = 0
+
+
+        #kernel.grsecurity.harden_tty = 1
+        #
+        # Network Protections
+        #
+
+        # Increase Linux auto tuning TCP buffer limits
+        # min, default, and max number of bytes to use
+        # set max to at least 4MB, or higher if you use very high BDP paths
+        # Tcp Windows etc
+        net.core.rmem_max = 8388608
+        net.core.wmem_max = 8388608
+        net.core.netdev_max_backlog = 5000
+        net.ipv4.tcp_window_scaling = 1
+
+        # Both ports linux-blob and linux-libre don't build with ipv6
+        # Disable ipv6
+        net.ipv6.conf.all.disable_ipv6 = 1
+        net.ipv6.conf.default.disable_ipv6 = 1
+        net.ipv6.conf.lo.disable_ipv6 = 1
+
+        # Tuen IPv6
+        #net.ipv6.conf.default.router_solicitations = 0
+        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
+        #net.ipv6.conf.default.accept_ra_pinfo = 0
+        #net.ipv6.conf.default.accept_ra_defrtr = 0
+        #net.ipv6.conf.default.autoconf = 0
+        #net.ipv6.conf.default.dad_transmits = 0
+        #net.ipv6.conf.default.max_addresses = 0
+
+        # Avoid a smurf attack
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        # Turn on protection for bad icmp error messages
+        net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+        # Turn on syncookies for SYN flood attack protection
+        net.ipv4.tcp_syncookies = 1
+
+        ## protect against tcp time-wait assassination hazards
+        ## drop RST packets for sockets in the time-wait state
+        ## (not widely supported outside of linux, but conforms to RFC)
+        net.ipv4.tcp_rfc1337 = 1
+
+        ## tcp timestamps
+        ## + protect against wrapping sequence numbers (at gigabit speeds)
+        ## + round trip time calculation implemented in TCP
+        ## - causes extra overhead and allows uptime detection by scanners like nmap
+        ## enable @ gigabit speeds
+        net.ipv4.tcp_timestamps = 0
+        #net.ipv4.tcp_timestamps = 1
+
+        # Turn on and log spoofed, source routed, and redirect packets
+        net.ipv4.conf.all.log_martians = 1
+        net.ipv4.conf.default.log_martians = 1
+
+        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        # No source routed packets here
+        net.ipv4.conf.all.accept_source_route = 0
+        net.ipv4.conf.default.accept_source_route = 0
+
+        ## sets the kernels reverse path filtering mechanism to value 1(on)
+        ## will do source validation of the packet's recieved from all the interfaces on the machine
+        ## protects from attackers that are using ip spoofing methods to do harm
+        net.ipv4.conf.all.rp_filter = 1
+        net.ipv4.conf.default.rp_filter = 1
+        #net.ipv6.conf.default.rp_filter = 1
+        #net.ipv6.conf.all.rp_filter = 1
+
+        # Make sure no one can alter the routing tables
+        net.ipv4.conf.all.accept_redirects = 0
+        net.ipv4.conf.default.accept_redirects = 0
+        net.ipv4.conf.all.secure_redirects = 0
+        net.ipv4.conf.default.secure_redirects = 0
+
+        # Act as a router, necessary for Access Point
+        net.ipv4.ip_forward = 1
+        net.ipv4.conf.all.send_redirects = 1
+        net.ipv4.conf.default.send_redirects = 1
+
+        # Increase system IP port limits
+        net.ipv4.ip_local_port_range = 2000 65000
+
+        # Increase TCP max buffer size setable using setsockopt()
+        net.ipv4.tcp_rmem = 4096 87380 8388608
+        net.ipv4.tcp_wmem = 4096 87380 8388608
+
+
+        #  If you say Y here, neither TCP resets nor ICMP
+        #  destination-unreachable packets will be sent in response to packets
+        #  sent to ports for which no associated listening process exists.
+        #  This feature supports both IPV4 and IPV6 and exempts the
+        #  loopback interface from blackholing.  Enabling this feature
+        #  makes a host more resilient to DoS attacks and reduces network
+        #  visibility against scanners.
+        #
+        #  The blackhole feature as-implemented is equivalent to the FreeBSD
+        #  blackhole feature, as it prevents RST responses to all packets, not
+        #  just SYNs.  Under most application behavior this causes no
+        #  problems, but applications (like haproxy) may not close certain
+        #  connections in a way that cleanly terminates them on the remote
+        #  end, leaving the remote host in LAST_ACK state.  Because of this
+        #  side-effect and to prevent intentional LAST_ACK DoSes, this
+        #  feature also adds automatic mitigation against such attacks.
+        #  The mitigation drastically reduces the amount of time a socket
+        #  can spend in LAST_ACK state.  If you're using haproxy and not
+        #  all servers it connects to have this option enabled, consider
+        #  disabling this feature on the haproxy host.
+        #
+        #  If the sysctl option is enabled, two sysctl options with names
+        #  "ip_blackhole" and "lastack_retries" will be created.
+        #  While "ip_blackhole" takes the standard zero/non-zero on/off
+        #  toggle, "lastack_retries" uses the same kinds of values as
+        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
+        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
+        #  state.
+        #kernel.grsecurity.ip_blackhole = 1
+        #kernel.grsecurity.lastack_retries = 4
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine or run server
+        #  applications from your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_all" is created.
+        #kernel.grsecurity.socket_all = 1
+
+        #  Here you can choose the GID to disable socket access for. Remember to
+        #  add the users you want socket access disabled for to the GID
+        #  specified here.  If the sysctl option is enabled, a sysctl option
+        #  with name "socket_all_gid" is created.
+        #kernel.grsecurity.socket_all_gid = 202
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine, but will be
+        #  able to run servers.  If this option is enabled, all users in the group
+        #  you specify will have to use passive mode when initiating ftp transfers
+        #  from the shell on your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_client" is created.
+        #kernel.grsecurity.socket_client = 1
+
+        #  Here you can choose the GID to disable client socket access for.
+        #  Remember to add the users you want client socket access disabled for to
+        #  the GID specified here.  If the sysctl option is enabled, a sysctl
+        #  option with name "socket_client_gid" is created.
+        #kernel.grsecurity.socket_client_gid = 203
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine, but will be
+        #  able to run servers.  If this option is enabled, all users in the group
+        #  you specify will have to use passive mode when initiating ftp transfers
+        #  from the shell on your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_client" is created.
+        #kernel.grsecurity.socket_server = 1
+
+        #  Here you can choose the GID to disable server socket access for.
+        #  Remember to add the users you want server socket access disabled for to
+        #  the GID specified here.  If the sysctl option is enabled, a sysctl
+        #  option with name "socket_server_gid" is created.
+        #kernel.grsecurity.socket_server_gid = 204
+
+        #
+        # Physical Protections
+        #
+
+        #  If you say Y here, a new sysctl option with name "deny_new_usb"
+        #  will be created.  Setting its value to 1 will prevent any new
+        #  USB devices from being recognized by the OS.  Any attempted USB
+        #  device insertion will be logged.  This option is intended to be
+        #  used against custom USB devices designed to exploit vulnerabilities
+        #  in various USB device drivers.
+        #
+        #  For greatest effectiveness, this sysctl should be set after any
+        #  relevant init scripts.  This option is safe to enable in distros
+        #  as each user can choose whether or not to toggle the sysctl.
+        #kernel.grsecurity.deny_new_usb = 0
+
+        #
+        # Restrict grsec sysctl changes after this was set
+        #
+        #kernel.grsecurity.grsec_lock = 1
+
+
+
+        # End of file
+        </pre>
+
+
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-Copyright (C) 2016
+Copyright (C) 2017
 c9 team.
 See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
 for copying conditions.</p>
diff --git a/core/network.html b/core/network.html
index c14f3db..ebea495 100644
--- a/core/network.html
+++ b/core/network.html
@@ -49,7 +49,7 @@
         described scripts then proceed to
         <a href="package.html#sysup">update system.</a></p>
 
-        <h2 id="resolv">2.1.1. Resolver</h2>
+        <h2 id="resolv">2.2.1. Resolver</h2>
 
         <p>This example will use
         <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
@@ -65,7 +65,7 @@
         # chattr +i /etc/resolv.conf
         </pre>
 
-        <h2 id="static">2.1.2. Static IP</h2>
+        <h2 id="static">2.2.2. Static IP</h2>
 
         <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p>
 
@@ -112,7 +112,7 @@
         # ip route add default via ${GW}
         </pre>
 
-        <h2 id="iptables">2.1.3. Iptables</h2>
+        <h2 id="iptables">2.2.3. Iptables</h2>
 
         <p>For more information about iptables read
         <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
@@ -147,7 +147,7 @@
 
         <p>
 
-        <h2 id="wpa">2.1.4. Wpa and dhcpd</h2>
+        <h2 id="wpa">2.2.4. Wpa and dhcpd</h2>
 
         <p>There is more information on
         <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
@@ -165,7 +165,7 @@
         # iwconfig wlp2s0 essid NAME key s:ABCDE12345
         </pre>
 
-        <h3>2.1.4.1. Wpa Supplicant</h3>
+        <h3>2.2.4.1. Wpa Supplicant</h3>
 
         <p>Configure wpa supplicant edit;</p>
 
@@ -195,7 +195,7 @@
         init script to auto load wpa configuration and dhcp
         client.</p>
 
-        <h3>2.1.4.2. Wpa Cli</h3>
+        <h3>2.2.4.2. Wpa Cli</h3>
 
         <pre>
         # wpa_cli
@@ -235,137 +235,10 @@
         </pre>
 
 
-        <h2 id="sysctl">2.1.5. Sysctl</h2>
-
-        <p>Sysctl references
-        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
-        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
-        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
-        edit /etc/sysctl.conf;</p>
-
-        <pre>
-        #
-        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
-        #
-
-        kernel.printk = 1 4 1 7
-
-        # Disable ipv6
-        net.ipv6.conf.all.disable_ipv6 = 1
-        net.ipv6.conf.default.disable_ipv6 = 1
-        net.ipv6.conf.lo.disable_ipv6 = 1
-
-        # Tuen IPv6
-        # net.ipv6.conf.default.router_solicitations = 0
-        # net.ipv6.conf.default.accept_ra_rtr_pref = 0
-        # net.ipv6.conf.default.accept_ra_pinfo = 0
-        # net.ipv6.conf.default.accept_ra_defrtr = 0
-        # net.ipv6.conf.default.autoconf = 0
-        # net.ipv6.conf.default.dad_transmits = 0
-        # net.ipv6.conf.default.max_addresses = 0
-
-        # Avoid a smurf attack
-        net.ipv4.icmp_echo_ignore_broadcasts = 1
-
-        # Turn on protection for bad icmp error messages
-        net.ipv4.icmp_ignore_bogus_error_responses = 1
-
-        # Turn on syncookies for SYN flood attack protection
-        net.ipv4.tcp_syncookies = 1
-
-        ## protect against tcp time-wait assassination hazards
-        ## drop RST packets for sockets in the time-wait state
-        ## (not widely supported outside of linux, but conforms to RFC)
-        net.ipv4.tcp_rfc1337 = 1
-
-        ## tcp timestamps
-        ## + protect against wrapping sequence numbers (at gigabit speeds)
-        ## + round trip time calculation implemented in TCP
-        ## - causes extra overhead and allows uptime detection by scanners like nmap
-        ## enable @ gigabit speeds
-        net.ipv4.tcp_timestamps = 0
-        #net.ipv4.tcp_timestamps = 1
-
-        # Turn on and log spoofed, source routed, and redirect packets
-        net.ipv4.conf.all.log_martians = 1
-        net.ipv4.conf.default.log_martians = 1
-
-        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
-        net.ipv4.icmp_echo_ignore_broadcasts = 1
-
-        # No source routed packets here
-        net.ipv4.conf.all.accept_source_route = 0
-        net.ipv4.conf.default.accept_source_route = 0
-
-        ## sets the kernels reverse path filtering mechanism to value 1(on)
-        ## will do source validation of the packet's recieved from all the interfaces on the machine
-        ## protects from attackers that are using ip spoofing methods to do harm
-        net.ipv4.conf.all.rp_filter = 1
-        net.ipv4.conf.default.rp_filter = 1
-        net.ipv6.conf.default.rp_filter = 1
-        net.ipv6.conf.all.rp_filter = 1
-
-        # Make sure no one can alter the routing tables
-        net.ipv4.conf.all.accept_redirects = 0
-        net.ipv4.conf.default.accept_redirects = 0
-        net.ipv4.conf.all.secure_redirects = 0
-        net.ipv4.conf.default.secure_redirects = 0
-
-        # Don't act as a router
-        net.ipv4.ip_forward = 0
-        net.ipv4.conf.all.send_redirects = 0
-        net.ipv4.conf.default.send_redirects = 0
-
-        kernel.shmmax = 500000000
-        # Turn on execshild
-        kernel.exec-shield = 1
-        kernel.randomize_va_space = 1
-
-        # Optimization for port usefor LBs
-        # Increase system file descriptor limit
-        fs.file-max = 65535
-
-        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
-        kernel.pid_max = 65536
-
-        # Increase system IP port limits
-        net.ipv4.ip_local_port_range = 2000 65000
-
-        # Increase TCP max buffer size setable using setsockopt()
-        net.ipv4.tcp_rmem = 4096 87380 8388608
-        net.ipv4.tcp_wmem = 4096 87380 8388608
-
-        # Increase Linux auto tuning TCP buffer limits
-        # min, default, and max number of bytes to use
-        # set max to at least 4MB, or higher if you use very high BDP paths
-        # Tcp Windows etc
-        net.core.rmem_max = 8388608
-        net.core.wmem_max = 8388608
-        net.core.netdev_max_backlog = 5000
-        net.ipv4.tcp_window_scaling = 1
-
-        # End of file
-        </pre>
-
-        <p>Change to act as a router (default of conf/sysctl.conf);</p>
-
-        <pre>
-        # Act as a router, necessary for Access Point
-        net.ipv4.ip_forward = 1
-        net.ipv4.conf.all.send_redirects = 1
-        net.ipv4.conf.default.send_redirects = 1
-        </pre>
-
-        <p>Load new settings;</p>
-
-        <pre>
-        # sysctl -p
-        </pre>
-
         <a href="index.html">Core OS Index</a>
         <p>
         This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/package.html b/core/package.html
index 475d94b..3c59669 100644
--- a/core/package.html
+++ b/core/package.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2. Package Management</title>
+        <title>2.3. Package Management</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.2. Package Management</h1>
+        <h1>2.3. Package Management</h1>
 
         <p>For more information read crux handbook Package management
         front-end:
@@ -57,7 +57,7 @@
         $ prt-get depinst prt-utils prt-get-bashcompletion
         </pre>
 
-        <h2 id="sysup">2.2.1. Update System</h2>
+        <h2 id="sysup">2.3.1. Update System</h2>
 
         <p>Before build software get latest version of port collections;</p>
 
@@ -87,7 +87,7 @@
         $ prt-get update -fr $(revdep)
         </pre>
 
-        <h2 id="depinst">2.2.2. Install port and dependencies</h2>
+        <h2 id="depinst">2.3.2. Install port and dependencies</h2>
 
         <p>Installing using prt-get tool;</p>
 
@@ -111,7 +111,7 @@
         <p>If you user pkgmk and pkgadd allways check if README, pre and post 
         instal files exist.</p>
 
-        <h3 id="ports">2.2.3. Ports collections</h3>
+        <h3 id="ports">2.3.3. Ports collections</h3>
 
         <p>Clone this documentation;</p>
 
@@ -146,7 +146,7 @@
         $ sudo ports -u 6c37
         </pre>
 
-        <h2 id="info">2.2.4. Show port information</h2>
+        <h2 id="info">2.3.4. Show port information</h2>
 
         <pre>
         $ prt-get info port_name
@@ -164,13 +164,13 @@
         $ pkginfo -o filename
         </pre>
 
-        <h2 id="depends">2.2.5. Show port dependencies</h2>
+        <h2 id="depends">2.3.5. Show port dependencies</h2>
 
         <pre>
         $ prt-get depends port_name
         </pre>
 
-        <h2 id="printf">2.2.6. Print information</h2>
+        <h2 id="printf">2.3.6. Print information</h2>
 
         <p>Example how to get ports installed from contrib. Maybe there is
         a "cleaner" way to this, for now is ok;</p>
@@ -181,7 +181,7 @@
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/ports.html b/core/ports.html
index 489e728..98ccbba 100644
--- a/core/ports.html
+++ b/core/ports.html
@@ -23,7 +23,8 @@
         # useradd -U -M -d /usr/ports -s /bin/false pkgmk
         </pre>
 
-        <p>You can add your self to group pkgmk,</p>
+        <p>You can add your self to group pkgmk, Members of this group will
+        not be under <a href="linux.html#sysctl">tpe</a> protection.</p>
 
         <pre>
         # usermod -a -G pkgmk c9admin
@@ -85,6 +86,8 @@
         export CFLAGS="-O2 -march=native -mtune=native"
         </pre>
 
+        <p>"-protector-strong" which only insert stack canaries in fuctions where overflow might actually happen</p>
+
         <p>Discover number of cores/cpus to hard code -j option.</p>
 
         <pre>
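Review bot: The added paragraph names the option as "-protector-strong", but GCC's flag is `-fstack-protector-strong`, and the `CFLAGS` example directly above it does not contain that flag. The pkgmk.conf listing changed further down in this file omits it too, so a reader who copies either example builds without stack canaries. Either add it to the example, `export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong"`, or reword the paragraph to say the flag is optional and give its full name. "fuctions" should read "functions".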
@@ -107,7 +110,7 @@
         # /etc/pkgmk.conf: pkgmk(8) configuration
         #
 
-        export CFLAGS="-O2 -march=x86-64"
+        export CFLAGS="-O2 -march=native -mtune=native"
         export CXXFLAGS="${CFLAGS}"
 
         export MAKEFLAGS="-j4"
@@ -127,7 +130,7 @@
                         ;;
         esac
 
-        PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
+        #PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
         PKGMK_SOURCE_DIR="/usr/ports/distfiles"
         PKGMK_PACKAGE_DIR="/usr/ports/packages"
         PKGMK_WORK_DIR="/usr/ports/work/$name"
@@ -163,6 +166,9 @@
         # the following line enables the user maintained contrib collection
         prtdir /usr/ports/contrib
 
+        # ports described on this documentation
+        #prtdir /usr/ports/c9-ports
+
         # 6c37 team provides a collection with freetype-iu, fontconfig-iu
         # and cairo-iu ports.
         #prtdir /usr/ports/6c37
@@ -185,7 +191,7 @@
         readme verbose           # (verbose|compact|disabled)
 
         ### prefer higher versions in sysup / diff
-        preferhigher no      # (yes|no)
+        preferhigher yes      # (yes|no)
 
         ### use regexp search
         # useregex no        # (yes|no)
@@ -198,7 +204,7 @@
         ### EXPERT SECTION ###
 
         ### alternative commands
-        makecommand      sudo -H -u pkgmk fakeroot pkgmk
+        makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
         addcommand       sudo pkgadd
         removecommand    sudo pkgrm
         runscriptcommand sudo sh
diff --git a/core/ports/linux-blob/.footprint b/core/ports/linux-blob/.footprint
index f00d7fc..02c767e 100644
--- a/core/ports/linux-blob/.footprint
+++ b/core/ports/linux-blob/.footprint
@@ -1,61 +1,56 @@
 drwxr-xr-x	root/root	boot/
--rw-r--r--	root/root	boot/System.map-4.9.10-blob
--rw-r--r--	root/root	boot/config-4.9.10-blob
--rw-r--r--	root/root	boot/vmlinuz-4.9.10-blob
+-rw-r--r--	root/root	boot/System.map-4.9.11-blob
+-rw-r--r--	root/root	boot/config-4.9.11-blob
+-rw-r--r--	root/root	boot/vmlinuz-4.9.11-blob
 drwxr-xr-x	root/root	lib/
 drwxr-xr-x	root/root	lib/modules/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/
-lrwxrwxrwx	root/root	lib/modules/<kernel-version>/build -> /usr/src/linux-4.9.10
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/soc_camera.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/gspca/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/gspca/gspca_main.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/uvc/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/uvc/uvcvideo.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf-core.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-core.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/misc/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/misc/eeprom/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/misc/eeprom/eeprom_93cx6.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/fs/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/fs/ntfs/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/fs/ntfs/ntfs.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/lib/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/lib/crc-ccitt.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.alias
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.alias.bin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.builtin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.builtin.bin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.dep
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.dep.bin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.devname (EMPTY)
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.order
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.softdep
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.symbols
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.symbols.bin
-lrwxrwxrwx	root/root	lib/modules/<kernel-version>/source -> /usr/src/linux-4.9.10
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/
+lrwxrwxrwx	root/root	lib/modules/4.9.11-blob/build -> /usr/src/linux-4.9.11
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/gspca_main.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/fs/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/fs/ntfs/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/fs/ntfs/ntfs.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.alias
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.alias.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.builtin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.builtin.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.dep
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.dep.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.devname (EMPTY)
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.order
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.softdep
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.symbols
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.symbols.bin
+lrwxrwxrwx	root/root	lib/modules/4.9.11-blob/source -> /usr/src/linux-4.9.11
 drwxr-xr-x	root/root	usr/
 drwxr-xr-x	root/root	usr/src/
--rw-r--r--	root/root	usr/src/4.9.10-blob-config
--rw-r--r--	root/root	usr/src/4.9.10-cpu_optimizations.patch
--rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.9-201702122044.patch
+-rw-r--r--	root/root	usr/src/4.9.11-blob-config
+-rw-r--r--	root/root	usr/src/4.9.11-cpu_optimizations.patch
+-rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.11-201702181444.patch
diff --git a/core/ports/linux-blob/.md5sum b/core/ports/linux-blob/.md5sum
index 614a350..8516def 100644
--- a/core/ports/linux-blob/.md5sum
+++ b/core/ports/linux-blob/.md5sum
@@ -1,7 +1,7 @@
-7140b24a6e9e13286515e807c2fd4572  config-c9
+dc71c8f55df123437c468dad7be88757  config-c9
 00bc0d70f200c2673fe7dd6f02053fa4  enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-85155985089acdb7c77e8e30fa135c86  grsecurity-3.1-4.9.9-201702122044.patch
-ce5ab2a86c9b880617e36e84aa2deb6c  linux-4.9.10.tar.xz
+e4eb7eab3a40968c3bd4a0a19339a6a1  grsecurity-3.1-4.9.11-201702181444.patch
+98761ce71c603199fe6fcce600c60772  linux-4.9.11.tar.xz
 bcf38b0fbf7bd83323f3202ec082b15a  port-blob-cpu.patch
-8f47b022540141ceb6a3ac5bc2a3531e  port-blob-grsecurity.patch
-712ea2454ba5181e999661c94d12c629  port-blob-make.patch
+48908f447c73e31c2428cb68b00d1e9c  port-blob-grsecurity.patch
+4a443bf320ede9f5cb183843e85b3b62  port-blob-make.patch
diff --git a/core/ports/linux-blob/Pkgfile b/core/ports/linux-blob/Pkgfile
index ecb228d..b312361 100644
--- a/core/ports/linux-blob/Pkgfile
+++ b/core/ports/linux-blob/Pkgfile
@@ -4,11 +4,11 @@
 # Depends on:   grub2 dracut
 
 name=linux-blob
-version=4.9.10
-release=1
+version=4.9.11
+release=3
 source=(https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$version.tar.xz \
     https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \
-    https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch \
+    http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \
     port-blob-grsecurity.patch \
     port-blob-make.patch \
     port-blob-cpu.patch \
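Review bot: The grsecurity entry in `source=(...)` drops from `https://grsecurity.net/test/...` to `http://`, so the patch that build() later applies to the kernel tree with `patch -p1` is fetched in cleartext. Its integrity then rests only on the MD5 line in `.md5sum`, and MD5 is not collision-resistant. Unless the host stopped serving this path over TLS (not visible here), keep `https://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \`; if the downgrade is deliberate, a comment above `source=` should say why. core/ports/linux-libre/Pkgfile makes the same change, and there the kernel tarball is also fetched over `http://`.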
@@ -18,12 +18,11 @@ build() {
 
     mkdir -p $PKG/usr/src
 
-
     # /usr/src/version-cpu_optimizations.patch
     install -m 0644  $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch
 
     # /usr/src/grsecurity-version.patch
-    install -m 0644  $SRC/grsecurity-3.1-4.9.9-201702122044.patch $PKG/usr/src/
+    install -m 0644  $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/
 
     patch < port-blob-grsecurity.patch
     patch < port-blob-cpu.patch
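Review bot: The grsecurity file name is spelled out literally in `source=`, in this `install` line and again in the `patch -p1` line of the next hunk, so every bump has to edit three places and a missed one would only surface at build time. Defining it once next to `version=`, for example `_grsec=grsecurity-3.1-$version-201702181444.patch`, and using `install -m 0644 "$SRC/$_grsec" "$PKG/usr/src/"` and `patch -p1 < "$SRC/$_grsec"` keeps them in step and quotes the paths. The same applies to core/ports/linux-libre/Pkgfile. build() starts and ends outside this hunk.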
@@ -34,7 +33,7 @@ build() {
 
     make distclean
 
-    patch -p1 < $SRC/grsecurity-3.1-4.9.9-201702122044.patch
+    patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch
     patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
 
     cp $SRC/config-c9 .config
diff --git a/core/ports/linux-blob/config-c9 b/core/ports/linux-blob/config-c9
index b6750ec..2b0bb4b 100644
--- a/core/ports/linux-blob/config-c9
+++ b/core/ports/linux-blob/config-c9
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.10-blob Kernel Configuration
+# Linux/x86 4.9.11-blob Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -215,7 +215,7 @@ CONFIG_EVENTFD=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
-CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_QUIRKS is not set
 CONFIG_MEMBARRIER=y
 # CONFIG_EMBEDDED is not set
 CONFIG_HAVE_PERF_EVENTS=y
@@ -329,7 +329,7 @@ CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_SHA512 is not set
 CONFIG_MODULE_SIG_HASH="sha256"
 # CONFIG_MODULE_COMPRESS is not set
-# CONFIG_TRIM_UNUSED_KSYMS is not set
+CONFIG_TRIM_UNUSED_KSYMS=y
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@@ -455,7 +455,7 @@ CONFIG_SWIOTLB=y
 CONFIG_IOMMU_HELPER=y
 # CONFIG_MAXSMP is not set
 CONFIG_NR_CPUS=4
-# CONFIG_SCHED_SMT is not set
+CONFIG_SCHED_SMT=y
 CONFIG_SCHED_MC=y
 CONFIG_PREEMPT_NONE=y
 # CONFIG_PREEMPT_VOLUNTARY is not set
@@ -1357,7 +1357,7 @@ CONFIG_SRAM=y
 # CONFIG_EEPROM_AT25 is not set
 # CONFIG_EEPROM_LEGACY is not set
 # CONFIG_EEPROM_MAX6875 is not set
-CONFIG_EEPROM_93CX6=m
+# CONFIG_EEPROM_93CX6 is not set
 # CONFIG_EEPROM_93XX46 is not set
 # CONFIG_CB710_CORE is not set
 
@@ -4209,8 +4209,8 @@ CONFIG_TASK_SIZE_MAX_SHIFT=42
 CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CONFIG_AUTO=y
 # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
-CONFIG_GRKERNSEC_CONFIG_SERVER=y
-# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
+# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
+CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
 # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
 # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
 CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
@@ -4228,7 +4228,7 @@ CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
 # Default Special Groups
 #
 CONFIG_GRKERNSEC_PROC_GID=1001
-CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
+CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
 CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
 
 #
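Review bot: `CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005` reuses the number that was `CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID` until this commit, so the meaning of group 1005 flips from restricted to trusted. Combined with `CONFIG_GRKERNSEC_TPE_INVERT=y` in the later TPE hunk, any account that was put in gid 1005 to restrict it is now in the group that Trusted Path Execution exempts. Whether such members exist cannot be seen from this diff. A previously unused GID for the trusted group (`CONFIG_GRKERNSEC_TPE_TRUSTED_GID=<unused gid>` and the matching `CONFIG_GRKERNSEC_TPE_GID`), or a documented step to empty group 1005 before upgrading, would avoid promoting those accounts silently. core/ports/linux-libre/config-c9 carries the identical change.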
@@ -4328,7 +4328,7 @@ CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_SYMLINKOWN=y
 CONFIG_GRKERNSEC_FIFO=y
 CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
-# CONFIG_GRKERNSEC_ROFS is not set
+CONFIG_GRKERNSEC_ROFS=y
 CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
 CONFIG_GRKERNSEC_CHROOT=y
 CONFIG_GRKERNSEC_CHROOT_MOUNT=y
@@ -4350,15 +4350,16 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y
 #
 # Kernel Auditing
 #
-# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
-# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_AUDIT_GROUP=y
+CONFIG_GRKERNSEC_AUDIT_GID=1007
+CONFIG_GRKERNSEC_EXECLOG=y
 CONFIG_GRKERNSEC_RESLOG=y
-# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
-# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
-# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
-# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
 CONFIG_GRKERNSEC_SIGNAL=y
-# CONFIG_GRKERNSEC_FORKFAIL is not set
+CONFIG_GRKERNSEC_FORKFAIL=y
 CONFIG_GRKERNSEC_TIME=y
 CONFIG_GRKERNSEC_PROC_IPADDR=y
 CONFIG_GRKERNSEC_RWXMAP_LOG=y
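Review bot: `CONFIG_GRKERNSEC_AUDIT_GROUP=y` with `CONFIG_GRKERNSEC_AUDIT_GID=1007` appears to scope the newly enabled exec, chdir and mount logging to members of one group, so those options would record nothing if gid 1007 is missing or empty. Nothing in the visible part of the commit creates that group or says who belongs in it. Because config-c9 is generated and cannot carry comments, a short comment in the Pkgfile or the port documentation should list the group and its purpose, e.g. `# gid 1007: accounts whose exec/chdir/mount activity is audited`. Exec logging for that group can be high-volume, so log rotation is worth checking. The same hunk appears in core/ports/linux-libre/config-c9.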
@@ -4373,8 +4374,8 @@ CONFIG_GRKERNSEC_SETXID=y
 CONFIG_GRKERNSEC_HARDEN_IPC=y
 CONFIG_GRKERNSEC_HARDEN_TTY=y
 CONFIG_GRKERNSEC_TPE=y
-# CONFIG_GRKERNSEC_TPE_ALL is not set
-# CONFIG_GRKERNSEC_TPE_INVERT is not set
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_INVERT=y
 CONFIG_GRKERNSEC_TPE_GID=1005
 
 #
@@ -4382,13 +4383,19 @@ CONFIG_GRKERNSEC_TPE_GID=1005
 #
 CONFIG_GRKERNSEC_BLACKHOLE=y
 CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
-# CONFIG_GRKERNSEC_SOCKET is not set
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
 
 #
 # Physical Protections
 #
 CONFIG_GRKERNSEC_DENYUSB=y
-# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+CONFIG_GRKERNSEC_DENYUSB_FORCE=y
 
 #
 # Sysctl Support
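Review bot: `CONFIG_GRKERNSEC_DENYUSB_FORCE=y` makes the USB lockout unconditional, which is hard to square with the `CONFIG_GRKERNSEC_CONFIG_DESKTOP=y` profile chosen in the same commit. As I read the option, there is no sysctl to relax it, so USB devices not attached at boot are never accepted. If that is intended, the install documentation should warn about it. The socket groups added above (`CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004`, client `1003`, server `1002`) deny socket use to their members and need matching /etc/group entries, which this diff does not show being created. A comment in the Pkgfile listing GIDs 1001–1007 and their roles would cover both, and the same hunk appears in core/ports/linux-libre/config-c9.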
@@ -4649,7 +4656,7 @@ CONFIG_GENERIC_IOMAP=y
 CONFIG_GENERIC_IO=y
 CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
 CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
-CONFIG_CRC_CCITT=m
+CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
 CONFIG_CRC_ITU_T=y
diff --git a/core/ports/linux-blob/port-blob-grsecurity.patch b/core/ports/linux-blob/port-blob-grsecurity.patch
index 6d27cb4..22d4580 100644
--- a/core/ports/linux-blob/port-blob-grsecurity.patch
+++ b/core/ports/linux-blob/port-blob-grsecurity.patch
@@ -1,5 +1,5 @@
---- grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:14:08.682388834 +0000
-+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:15:45.579051680 +0000
+--- grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:14:08.682388834 +0000
++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:15:45.579051680 +0000
 -diff --git a/localversion-grsec b/localversion-grsec
 -new file mode 100644
 -index 0000000..7cd6065
@@ -10,8 +10,8 @@
  diff --git a/mm/Kconfig b/mm/Kconfig
  index 86e3e0e..ab679cf 100644
  --- a/mm/Kconfig
---- grsecurity-3.1-4.9.9-201702122044.patch.orig	2017-02-18 09:07:57.220274062 +0000
-+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 09:08:16.380274647 +0000
+--- grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 09:07:57.220274062 +0000
++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 09:08:16.380274647 +0000
 @@ -156547,13 +156547,6 @@
   			break;
   		}
diff --git a/core/ports/linux-blob/port-blob-make.patch b/core/ports/linux-blob/port-blob-make.patch
index 9184cb5..368d592 100644
--- a/core/ports/linux-blob/port-blob-make.patch
+++ b/core/ports/linux-blob/port-blob-make.patch
@@ -3,7 +3,7 @@
 @@ -1,7 +1,7 @@
  VERSION = 4
  PATCHLEVEL = 9
- SUBLEVEL = 10
+ SUBLEVEL = 11
 -EXTRAVERSION =
 +EXTRAVERSION = -blob
  NAME = Roaring Lionus
diff --git a/core/ports/linux-libre/.footprint b/core/ports/linux-libre/.footprint
index 5d223e7..1279a5d 100644
--- a/core/ports/linux-libre/.footprint
+++ b/core/ports/linux-libre/.footprint
@@ -1,64 +1,59 @@
 drwxr-xr-x	root/root	boot/
--rw-r--r--	root/root	boot/System.map-4.9.10-grsec
--rw-r--r--	root/root	boot/config-4.9.10-grsec
--rw-r--r--	root/root	boot/vmlinuz-4.9.10-grsec
+-rw-r--r--	root/root	boot/System.map-4.9.11-grsec
+-rw-r--r--	root/root	boot/config-4.9.11-grsec
+-rw-r--r--	root/root	boot/vmlinuz-4.9.11-grsec
 drwxr-xr-x	root/root	lib/
 drwxr-xr-x	root/root	lib/modules/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/
-lrwxrwxrwx	root/root	lib/modules/4.9.10-grsec/build -> /usr/src/linux-4.9.10
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/gspca/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/uvc/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/eeprom/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/eeprom/eeprom_93cx6.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/fs/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/fs/ntfs/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/fs/ntfs/ntfs.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/lib/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/lib/crc-ccitt.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.alias
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.alias.bin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.builtin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.builtin.bin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.dep
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.dep.bin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.devname (EMPTY)
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.order
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.softdep
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.symbols
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.symbols.bin
-lrwxrwxrwx	root/root	lib/modules/4.9.10-grsec/source -> /usr/src/linux-4.9.10
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/
+lrwxrwxrwx	root/root	lib/modules/4.9.11-grsec/build -> /usr/src/linux-4.9.11
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/fs/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/fs/ntfs/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/fs/ntfs/ntfs.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.alias
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.alias.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.builtin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.builtin.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.dep
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.dep.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.devname (EMPTY)
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.order
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.softdep
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.symbols
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.symbols.bin
+lrwxrwxrwx	root/root	lib/modules/4.9.11-grsec/source -> /usr/src/linux-4.9.11
 drwxr-xr-x	root/root	usr/
 drwxr-xr-x	root/root	usr/src/
--rw-r--r--	root/root	usr/src/4.9.10-cpu_optimizations.patch
--rw-r--r--	root/root	usr/src/4.9.10-libre-config
--rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.9-201702122044.patch
+-rw-r--r--	root/root	usr/src/4.9.11-cpu_optimizations.patch
+-rw-r--r--	root/root	usr/src/4.9.11-libre-config
+-rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.11-201702181444.patch
 -rw-r--r--	root/root	usr/src/port-libre-cpu.patch
 -rw-r--r--	root/root	usr/src/port-libre-grsecurity.patch
 -rw-r--r--	root/root	usr/src/port-libre-make.patch
diff --git a/core/ports/linux-libre/.md5sum b/core/ports/linux-libre/.md5sum
index b481c10..ddd1878 100644
--- a/core/ports/linux-libre/.md5sum
+++ b/core/ports/linux-libre/.md5sum
@@ -1,7 +1,7 @@
-7140b24a6e9e13286515e807c2fd4572  config-c9
+bf30b0af56c2621e317cab5e44d4235e  config-c9
 00bc0d70f200c2673fe7dd6f02053fa4  enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-85155985089acdb7c77e8e30fa135c86  grsecurity-3.1-4.9.9-201702122044.patch
-d68753b73b7c87d53424146eceb291f8  linux-libre-4.9.10-gnu.tar.xz
+e4eb7eab3a40968c3bd4a0a19339a6a1  grsecurity-3.1-4.9.11-201702181444.patch
+2af743d6b73201d5db83c1ccb175ed30  linux-libre-4.9.11-gnu.tar.xz
 bcf38b0fbf7bd83323f3202ec082b15a  port-libre-cpu.patch
-470face301667e4a88a7664f69c1ae29  port-libre-grsecurity.patch
-f8ba546153f4cdcd47b97bd2f8785af1  port-libre-make.patch
+f9b2f7572adec2c46c1f1be2b784490e  port-libre-grsecurity.patch
+ce88c28573de7b41ef686f4201d0abfa  port-libre-make.patch
diff --git a/core/ports/linux-libre/Pkgfile b/core/ports/linux-libre/Pkgfile
index 9f7a3d0..154435f 100644
--- a/core/ports/linux-libre/Pkgfile
+++ b/core/ports/linux-libre/Pkgfile
@@ -4,11 +4,11 @@
 # Depends on:   grub2 dracut
 
 name=linux-libre
-version=4.9.10
-release=3
+version=4.9.11
+release=2
 source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/$name-$version-gnu.tar.xz \
     https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \
-    https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch \
+    http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \
     port-libre-grsecurity.patch \
     port-libre-cpu.patch \
     port-libre-make.patch \
@@ -24,7 +24,7 @@ build() {
     install -m 0644  $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch
 
     # /usr/src/grsecurity-version.patch
-    install -m 0644  $SRC/grsecurity-3.1-4.9.9-201702122044.patch $PKG/usr/src/
+    install -m 0644  $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/
     install -m 0644  $SRC/port-libre-grsecurity.patch $PKG/usr/src/
     install -m 0644  $SRC/port-libre-cpu.patch $PKG/usr/src/
     install -m 0644  $SRC/port-libre-make.patch $PKG/usr/src/
@@ -38,7 +38,7 @@ build() {
 
     make distclean
 
-    patch -p1 < $SRC/grsecurity-3.1-4.9.9-201702122044.patch
+    patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch
     patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
 
     cp $SRC/config-c9 .config
diff --git a/core/ports/linux-libre/config-c9 b/core/ports/linux-libre/config-c9
index b6750ec..236d79e 100644
--- a/core/ports/linux-libre/config-c9
+++ b/core/ports/linux-libre/config-c9
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.10-blob Kernel Configuration
+# Linux/x86 4.9.11-grsec Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -215,7 +215,7 @@ CONFIG_EVENTFD=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
-CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_QUIRKS is not set
 CONFIG_MEMBARRIER=y
 # CONFIG_EMBEDDED is not set
 CONFIG_HAVE_PERF_EVENTS=y
@@ -329,7 +329,7 @@ CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_SHA512 is not set
 CONFIG_MODULE_SIG_HASH="sha256"
 # CONFIG_MODULE_COMPRESS is not set
-# CONFIG_TRIM_UNUSED_KSYMS is not set
+CONFIG_TRIM_UNUSED_KSYMS=y
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@@ -455,7 +455,7 @@ CONFIG_SWIOTLB=y
 CONFIG_IOMMU_HELPER=y
 # CONFIG_MAXSMP is not set
 CONFIG_NR_CPUS=4
-# CONFIG_SCHED_SMT is not set
+CONFIG_SCHED_SMT=y
 CONFIG_SCHED_MC=y
 CONFIG_PREEMPT_NONE=y
 # CONFIG_PREEMPT_VOLUNTARY is not set
@@ -1357,7 +1357,7 @@ CONFIG_SRAM=y
 # CONFIG_EEPROM_AT25 is not set
 # CONFIG_EEPROM_LEGACY is not set
 # CONFIG_EEPROM_MAX6875 is not set
-CONFIG_EEPROM_93CX6=m
+# CONFIG_EEPROM_93CX6 is not set
 # CONFIG_EEPROM_93XX46 is not set
 # CONFIG_CB710_CORE is not set
 
@@ -4209,8 +4209,8 @@ CONFIG_TASK_SIZE_MAX_SHIFT=42
 CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CONFIG_AUTO=y
 # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
-CONFIG_GRKERNSEC_CONFIG_SERVER=y
-# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
+# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
+CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
 # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
 # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
 CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
@@ -4228,7 +4228,7 @@ CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
 # Default Special Groups
 #
 CONFIG_GRKERNSEC_PROC_GID=1001
-CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
+CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
 CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
 
 #
@@ -4328,7 +4328,7 @@ CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_SYMLINKOWN=y
 CONFIG_GRKERNSEC_FIFO=y
 CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
-# CONFIG_GRKERNSEC_ROFS is not set
+CONFIG_GRKERNSEC_ROFS=y
 CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
 CONFIG_GRKERNSEC_CHROOT=y
 CONFIG_GRKERNSEC_CHROOT_MOUNT=y
@@ -4350,15 +4350,16 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y
 #
 # Kernel Auditing
 #
-# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
-# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_AUDIT_GROUP=y
+CONFIG_GRKERNSEC_AUDIT_GID=1007
+CONFIG_GRKERNSEC_EXECLOG=y
 CONFIG_GRKERNSEC_RESLOG=y
-# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
-# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
-# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
-# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
 CONFIG_GRKERNSEC_SIGNAL=y
-# CONFIG_GRKERNSEC_FORKFAIL is not set
+CONFIG_GRKERNSEC_FORKFAIL=y
 CONFIG_GRKERNSEC_TIME=y
 CONFIG_GRKERNSEC_PROC_IPADDR=y
 CONFIG_GRKERNSEC_RWXMAP_LOG=y
@@ -4373,8 +4374,8 @@ CONFIG_GRKERNSEC_SETXID=y
 CONFIG_GRKERNSEC_HARDEN_IPC=y
 CONFIG_GRKERNSEC_HARDEN_TTY=y
 CONFIG_GRKERNSEC_TPE=y
-# CONFIG_GRKERNSEC_TPE_ALL is not set
-# CONFIG_GRKERNSEC_TPE_INVERT is not set
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_INVERT=y
 CONFIG_GRKERNSEC_TPE_GID=1005
 
 #
@@ -4382,13 +4383,19 @@ CONFIG_GRKERNSEC_TPE_GID=1005
 #
 CONFIG_GRKERNSEC_BLACKHOLE=y
 CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
-# CONFIG_GRKERNSEC_SOCKET is not set
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
 
 #
 # Physical Protections
 #
 CONFIG_GRKERNSEC_DENYUSB=y
-# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+CONFIG_GRKERNSEC_DENYUSB_FORCE=y
 
 #
 # Sysctl Support
@@ -4649,7 +4656,7 @@ CONFIG_GENERIC_IOMAP=y
 CONFIG_GENERIC_IO=y
 CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
 CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
-CONFIG_CRC_CCITT=m
+CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
 CONFIG_CRC_ITU_T=y
diff --git a/core/ports/linux-libre/port-libre-grsecurity.patch b/core/ports/linux-libre/port-libre-grsecurity.patch
index d437421..cecd956 100644
--- a/core/ports/linux-libre/port-libre-grsecurity.patch
+++ b/core/ports/linux-libre/port-libre-grsecurity.patch
@@ -1,5 +1,5 @@
---- grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:14:08.682388834 +0000
-+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:15:45.579051680 +0000
+--- grsecurity-3.1-4.9.11-201702181444.patch 	2017-02-18 05:14:08.682388834 +0000
++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:15:45.579051680 +0000
 @@ -90805,59 +90805,6 @@
   	if (!file->private_data)
   		return -ENOMEM;
diff --git a/core/ports/linux-libre/port-libre-make.patch b/core/ports/linux-libre/port-libre-make.patch
index 6a32ba8..dfbd8af 100644
--- a/core/ports/linux-libre/port-libre-make.patch
+++ b/core/ports/linux-libre/port-libre-make.patch
@@ -3,7 +3,7 @@
 @@ -1,7 +1,7 @@
  VERSION = 4
  PATCHLEVEL = 9
- SUBLEVEL = 10
+ SUBLEVEL = 11
 -EXTRAVERSION = -gnu
 +EXTRAVERSION = -grsec
  NAME = Roaring Lionus
diff --git a/core/reboot.html b/core/reboot.html
index c63f9bc..7bc22ea 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -33,109 +33,17 @@
 
         <h2 id="linux">1.4.1. Linux Kernel</h2>
 
-        <p>c9-ports have two kernels, linux libre and linux blob.
+        <p>Core ports have two kernels, linux-libre and linux-blob.
         Port linux-libre kernel is a true source based kernel that
         respects your freedoms, is x86_64 but not generic configured,
-        with all drivers as modules or correct graphic driver.
-        Port linux-blob contain blobs and loads firmware.</p>
+        select modules (drivers) for your hardware, for example
+        correct graphic driver and disk. Port linux-blob is dangerous,
+        contain blobs (from bad corporations).</p>
 
         <pre>
         # cd /usr/ports/c9-ports/linux-libre
         # pkgmk -d
-        # pkgadd /usr/ports/packages/linux-libre#4.9.9-3.pkg.tar.gz
-        </pre>
-
-        <h2 id="dracut">1.4.2. Dracut - Initramfs</h2>
-
-        <p>Install dracut;</p>
-
-        <pre>
-        # cd /usr/ports/c9-ports/dracut
-        # pkgmk -d
-        # pkgadd /usr/ports/packages/dracut#044-2.pkg.tar.gz
-        </pre>
-
-        <p>Review configuration file;</p>
-
-        <pre>
-        # PUT YOUR CONFIG IN separate files
-        # in /etc/dracut.conf.d named "<name>.conf"
-
-        # Equivalent to -H
-        hostonly="yes"
-
-        # Mount / and /usr read-only by default.
-        ro_mnt="no"
-
-        # Equivalent to -m "module module module"
-        dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown"
-
-        # Equivalent to -a "module"
-        add_dracutmodules+="caps debug"
-
-        # Equivalent to -o "module"
-        #omit_dracutmodules+="systemd systemd-bootchart systemd-networkd systemd-initrd"
-
-        # SEE man dracut.conf(5) for options
-        </pre>
-
-        <p>Run dracut to create init ram filesystem for
-        port linux-blob kernel;</p>
-
-        <pre>
-        # dracut -v /boot/initramfs-4.9.9-blob.img 4.9.9-blob
-        </pre>
-
-        <h2 id="grub">1.4.3. Configuring Grub2</h2>
-
-        <p>Create grub file in /etc/default/grub with values;</p>
-
-        <pre>
-        GRUB_DISABLE_LINUX_UUID=false
-        GRUB_ENABLE_LINUX_LABEL=false
-        </pre>
-
-        <p><a href="http://www.gnu.org/software/grub/manual/grub.html">Grub Manual</a>,
-        install grub on MBR of disk sdb;</p>
-
-        <pre>
-        # grub-install /dev/sdb
-        Installation finished. No error reported.
-        </pre>
-
-        <p>If you are installing on removable media;</p>
-
-        <pre>
-        # grub-install --removable /dev/sdb
-        Installation finished. No error reported.
-        </pre>
-
-        <p>grub-mkconfig generates grub.cfg, it will try to discover
-        available kernels and attempt to generate menu entries for
-        them;</p>
-
-        <pre>
-        # grub-mkconfig -o /boot/grub/grub.cfg
-        Generating grub.cfg ...
-        Found linux image: /boot/vmlinuz-4.9.9-grsec
-        done
-        #
-        </pre>
-
-        <p>Check /boot/grub/grub.cfg, if is wrong add menu to
-        /etc/grub.d/40_custom, replace correct msdos partition
-        from grub-prob output and correct UUID from fstab or blkid</p>
-
-        <pre>
-        # grub-probe --target=hints_string /
-        </pre>
-
-        <p>To add rw as default edit /etc/grub.d/10_linux file, current
-        version change line 138 to;</p>
-
-        <pre>
-        echo    '$message'
-        linux   ${rel_dirname}/${basename} root=${linux_root_device_thisversion} rw ${args}
+        # pkgadd /usr/ports/packages/linux-libre#4.9.11-2.pkg.tar.gz
         </pre>
 
         <h2 id="checkup">1.4.4. Checkup</h2>
@@ -152,13 +60,13 @@
         <h3>Debug initram</h3>
 
         <pre>
-        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.9-blob.img | gunzip -c | cpio -i -d
+        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.11-blob.img | gunzip -c | cpio -i -d
         36875 blocks
         </pre>
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>