[packages/kernel.git] / kernel-grsec+pax.config

#
# PaX
#  
CONFIG_PAX=y
       
#
# PaX Control
#      
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#      
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
	             
#
# Address Space Layout Randomization
#      
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=17
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=65500

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=65501
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=65502
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=65503

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=10

#
# Some Netfilter stuff
#
CONFIG_IP_NF_MATCH_STEALTH=m
Commit	Line	Data
7383e370	1	#
	2	# PaX
	3	#
	4	CONFIG_PAX=y
	5
	6	#
	7	# PaX Control
	8	#
	9	CONFIG_PAX_SOFTMODE=y
	10	# CONFIG_PAX_EI_PAX is not set
	11	CONFIG_PAX_PT_PAX_FLAGS=y
	12	# CONFIG_PAX_NO_ACL_FLAGS is not set
	13	CONFIG_PAX_HAVE_ACL_FLAGS=y
	14	# CONFIG_PAX_HOOK_ACL_FLAGS is not set
	15
	16	#
	17	# Non-executable pages
	18	#
	19	CONFIG_PAX_NOEXEC=y
	20	CONFIG_PAX_PAGEEXEC=y
	21	CONFIG_PAX_SEGMEXEC=y
	22	# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
	23	CONFIG_PAX_DEFAULT_SEGMEXEC=y
	24	CONFIG_PAX_EMUTRAMP=y
	25	CONFIG_PAX_MPROTECT=y
	26	# CONFIG_PAX_NOELFRELOCS is not set
	27
	28	#
	29	# Address Space Layout Randomization
	30	#
	31	CONFIG_PAX_ASLR=y
	32	# CONFIG_PAX_RANDKSTACK is not set
	33	CONFIG_PAX_RANDUSTACK=y
	34	CONFIG_PAX_RANDMMAP=y
	35	CONFIG_PAX_NOVSYSCALL=y
	36
	37	#
	38	# Grsecurity
	39	#
	40	CONFIG_GRKERNSEC=y
	41	# CONFIG_GRKERNSEC_LOW is not set
	42	# CONFIG_GRKERNSEC_MEDIUM is not set
	43	# CONFIG_GRKERNSEC_HIGH is not set
	44	CONFIG_GRKERNSEC_CUSTOM=y
	45
	46	#
	47	# Address Space Protection
	48	#
	49	CONFIG_GRKERNSEC_KMEM=y
	50	# CONFIG_GRKERNSEC_IO is not set
	51	CONFIG_GRKERNSEC_PROC_MEMMAP=y
	52	CONFIG_GRKERNSEC_BRUTE=y
	53	CONFIG_GRKERNSEC_MODSTOP=y
	54	# CONFIG_GRKERNSEC_HIDESYM is not set
	55
	56	#
	57	# Role Based Access Control Options
	58	#
	59	CONFIG_GRKERNSEC_ACL_HIDEKERN=y
	60	CONFIG_GRKERNSEC_ACL_MAXTRIES=3
	61	CONFIG_GRKERNSEC_ACL_TIMEOUT=30
	62
	63	#
	64	# Filesystem Protections
65	#
66	CONFIG_GRKERNSEC_PROC=y
67	# CONFIG_GRKERNSEC_PROC_USER is not set
68	CONFIG_GRKERNSEC_PROC_USERGROUP=y
69	CONFIG_GRKERNSEC_PROC_GID=17
70	CONFIG_GRKERNSEC_PROC_ADD=y
71	CONFIG_GRKERNSEC_LINK=y
72	CONFIG_GRKERNSEC_FIFO=y
73	CONFIG_GRKERNSEC_CHROOT=y
74	CONFIG_GRKERNSEC_CHROOT_MOUNT=y
75	CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
76	CONFIG_GRKERNSEC_CHROOT_PIVOT=y
77	CONFIG_GRKERNSEC_CHROOT_CHDIR=y
78	CONFIG_GRKERNSEC_CHROOT_CHMOD=y
79	CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
80	CONFIG_GRKERNSEC_CHROOT_MKNOD=y
81	CONFIG_GRKERNSEC_CHROOT_SHMAT=y
82	CONFIG_GRKERNSEC_CHROOT_UNIX=y
83	CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
84	CONFIG_GRKERNSEC_CHROOT_NICE=y
85	CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
86	CONFIG_GRKERNSEC_CHROOT_CAPS=y
87
88	#
89	# Kernel Auditing
90	#
91	CONFIG_GRKERNSEC_AUDIT_GROUP=y
92	CONFIG_GRKERNSEC_AUDIT_GID=1007
93	CONFIG_GRKERNSEC_EXECLOG=y
94	CONFIG_GRKERNSEC_RESLOG=y
95	CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
96	CONFIG_GRKERNSEC_AUDIT_CHDIR=y
97	CONFIG_GRKERNSEC_AUDIT_MOUNT=y
98	CONFIG_GRKERNSEC_AUDIT_IPC=y
99	CONFIG_GRKERNSEC_SIGNAL=y
100	CONFIG_GRKERNSEC_FORKFAIL=y
101	CONFIG_GRKERNSEC_TIME=y
102	CONFIG_GRKERNSEC_PROC_IPADDR=y
103	# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
104
105	#
106	# Executable Protections
107	#
108	CONFIG_GRKERNSEC_EXECVE=y
109	CONFIG_GRKERNSEC_SHM=y
110	CONFIG_GRKERNSEC_DMESG=y
111	CONFIG_GRKERNSEC_RANDPID=y
112	CONFIG_GRKERNSEC_TPE=y
113	CONFIG_GRKERNSEC_TPE_ALL=y
114	# CONFIG_GRKERNSEC_TPE_INVERT is not set
115	CONFIG_GRKERNSEC_TPE_GID=65500
116
117	#
118	# Network Protections
119	#
120	CONFIG_GRKERNSEC_RANDNET=y
121	CONFIG_GRKERNSEC_SOCKET=y
122	CONFIG_GRKERNSEC_SOCKET_ALL=y
123	CONFIG_GRKERNSEC_SOCKET_ALL_GID=65501
124	CONFIG_GRKERNSEC_SOCKET_CLIENT=y
125	CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=65502
126	CONFIG_GRKERNSEC_SOCKET_SERVER=y
127	CONFIG_GRKERNSEC_SOCKET_SERVER_GID=65503
128
129	#
130	# Sysctl support
131	#
132	CONFIG_GRKERNSEC_SYSCTL=y
133	# CONFIG_GRKERNSEC_SYSCTL_ON is not set
134
135	#
136	# Logging Options
137	#
138	CONFIG_GRKERNSEC_FLOODTIME=10
139	CONFIG_GRKERNSEC_FLOODBURST=10
140
141	#
142	# Some Netfilter stuff
143	#
144	CONFIG_IP_NF_MATCH_STEALTH=m
145