authorV3n3RiX <venerix@redcorelinux.org>2020-03-07 22:47:44 +0000
committerV3n3RiX <venerix@redcorelinux.org>2020-03-07 22:47:44 +0000
commit82c955a2272cee67c30ba142697ad8870ce0edda (patch)
tree17d59e7037f103f7c730cc3a746aae108667ca99 /sys-kernel/linux-image-redcore-lts-legacy/files
parent313f638adcc80d1c03e79a350a56f8901b64bc41 (diff)
Revert "sys-kernel/linux-{image,sources}-redcore-lts-legacy : drop/disable GRSECURITY stealth networking, breaks IPv6"
This reverts commit 313f638adcc80d1c03e79a350a56f8901b64bc41.
Diffstat (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files')
-rw-r--r--sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config1
-rw-r--r--sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch426
2 files changed, 1 insertions, 426 deletions
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
index a04d18cc..7dbc8f7a 100644
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
+++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
@@ -8749,6 +8749,7 @@ CONFIG_DEFAULT_SECURITY="apparmor"
# Hardened Enhancements
#
CONFIG_HARDENED_RANDOM=y
+CONFIG_HARDENED_STEALTH_NETWORKING=y
CONFIG_HARDENED_NO_SIMULT_CONNECT=y
CONFIG_HARDENED_SYSFS_RESTRICT=y
CONFIG_HARDENED_FIFO=y
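Review bot: `CONFIG_HARDENED_STEALTH_NETWORKING=y` is switched back on here although the commit being reverted (313f638a, per the description) was made because the feature breaks IPv6, and nothing on this page records what changed to make that breakage acceptable. Per the Kconfig help and the sysctl_net_core.c hunk in the patch file deleted below, the feature is on at boot (`sysctl_stealth_blackhole = 1`), suppresses TCP RST and ICMP port-unreachable replies for non-loopback traffic and also short-circuits ICMP echo handling, and the ip.h hunk raises IPDEFTTL from 64 to 128 for all IPv4 traffic, so this is a host-wide behaviour change rather than a scan-visibility tweak. The runtime switch is registered with procname `ip_blackhole` in the core sysctl table (presumably reachable as net.core.ip_blackhole; verify on a built kernel). Since a .config line cannot carry a note, suggest recording in the commit message or the ebuild which IPv6 workload regressed and that `ip_blackhole=0` is the runtime escape hatch, so the next person hitting the symptom does not have to rediscover it.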
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
deleted file mode 100644
index d290f937..00000000
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
+++ /dev/null
@@ -1,426 +0,0 @@
-diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
---- a/include/uapi/linux/ip.h 2020-03-07 21:59:46.833570272 +0000
-+++ b/include/uapi/linux/ip.h 2020-03-07 22:06:28.909470648 +0000
-@@ -66,9 +66,6 @@
-
- #define IPVERSION 4
- #define MAXTTL 255
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--#define IPDEFTTL 128
--#else
- #define IPDEFTTL 64
- #endif
-
-diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
---- a/net/core/sysctl_net_core.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/core/sysctl_net_core.c 2020-03-07 22:07:10.190076177 +0000
-@@ -36,10 +36,6 @@
- int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0;
- EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net);
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--int sysctl_stealth_blackhole __read_mostly = 1;
--#endif
--
- #ifdef CONFIG_RPS
- static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
- void __user *buffer, size_t *lenp, loff_t *ppos)
-@@ -509,17 +505,6 @@
- .proc_handler = set_default_qdisc
- },
- #endif
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- {
-- .procname = "ip_blackhole",
-- .data = &sysctl_stealth_blackhole,
-- .maxlen = sizeof(int),
-- .mode = 0644,
-- .proc_handler = proc_dointvec_minmax,
-- .extra1 = &zero,
-- .extra2 = &one,
-- },
--#endif
- #endif /* CONFIG_NET */
- {
- .procname = "netdev_budget",
-diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c
---- a/net/ipv4/icmp.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/icmp.c 2020-03-07 22:08:25.271177396 +0000
-@@ -195,10 +195,6 @@
- short error; /* This ICMP is classed as an error message */
- };
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
-
- /*
-@@ -938,11 +934,6 @@
- {
- struct net *net;
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
-- return true;
--#endif
--
- net = dev_net(skb_dst(skb)->dev);
- if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
- struct icmp_bxm icmp_param;
-@@ -970,11 +961,6 @@
- {
- struct icmp_bxm icmp_param;
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
-- return true;
--#endif
--
- /*
- * Too short.
- */
-diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c
---- a/net/ipv4/igmp.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/igmp.c 2020-03-07 22:09:13.161879736 +0000
-@@ -136,10 +136,6 @@
- ((in_dev)->mr_v2_seen && \
- time_before(jiffies, (in_dev)->mr_v2_seen)))
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static int unsolicited_report_interval(struct in_device *in_dev)
- {
- int interval_ms, interval_jiffies;
-@@ -741,11 +737,6 @@
- __be32 dst;
- int hlen, tlen;
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (likely(sysctl_stealth_blackhole))
-- return -1;
--#endif
--
- if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
- return igmpv3_send_report(in_dev, pmc);
-
-diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
---- a/net/ipv4/tcp_ipv4.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/tcp_ipv4.c 2020-03-07 22:12:16.564568875 +0000
-@@ -95,10 +95,6 @@
- struct inet_hashinfo tcp_hashinfo;
- EXPORT_SYMBOL(tcp_hashinfo);
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static u32 tcp_v4_init_seq(const struct sk_buff *skb)
- {
- return secure_tcp_seq(ip_hdr(skb)->daddr,
-@@ -1565,9 +1561,6 @@
- return 0;
-
- reset:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!likely(sysctl_stealth_blackhole))
--#endif
- tcp_v4_send_reset(rsk, skb);
- discard:
- kfree_skb(skb);
-@@ -1716,27 +1709,6 @@
- if (!pskb_may_pull(skb, th->doff * 4))
- goto discard_it;
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (likely(sysctl_stealth_blackhole) &&
-- (
-- th->res1 || !tcp_flag_word(th) ||
-- tcp_flag_word(th) == TCP_FLAG_PSH ||
-- tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
-- (
-- tcp_flag_word(th) &
-- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
-- tcp_flag_word(th) & TCP_FLAG_URG
-- ) ||
-- (
-- tcp_flag_word(th) &
-- (TCP_FLAG_FIN | TCP_FLAG_RST) &&
-- tcp_flag_word(th) & TCP_FLAG_SYN
-- )
-- )
-- )
-- goto discard_it;
--#endif
--
- /* An explanation is required here, I think.
- * Packet length and doff are validated by header prediction,
- * provided case of th->doff==0 is eliminated.
-@@ -1750,22 +1722,12 @@
- lookup:
- sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
- th->dest, sdif, &refcounted);
-- if (!sk) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- ret = 1;
--#endif
--
-+ if (!sk)
- goto no_tcp_socket;
-- }
-
- process:
-- if (sk->sk_state == TCP_TIME_WAIT) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- ret = 2;
--#endif
--
-+ if (sk->sk_state == TCP_TIME_WAIT)
- goto do_time_wait;
-- }
-
- if (sk->sk_state == TCP_NEW_SYN_RECV) {
- struct request_sock *req = inet_reqsk(sk);
-@@ -1879,10 +1841,6 @@
- bad_packet:
- __TCP_INC_STATS(net, TCP_MIB_INERRS);
- } else {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!sysctl_stealth_blackhole || (ret == 1 &&
-- (skb->dev->flags & IFF_LOOPBACK)))
--#endif
-
- tcp_v4_send_reset(NULL, skb);
- }
-diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
---- a/net/ipv4/tcp_minisocks.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/tcp_minisocks.c 2020-03-07 22:12:39.754908842 +0000
-@@ -29,10 +29,6 @@
- #include <net/xfrm.h>
- #include <net/busy_poll.h>
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
- {
- if (seq == s_win)
-@@ -813,10 +809,6 @@
- * avoid becoming vulnerable to outside attack aiming at
- * resetting legit local connections.
- */
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
--#endif
--
- req->rsk_ops->send_reset(sk, skb);
- } else if (fastopen) { /* received a valid RST pkt */
- reqsk_fastopen_remove(sk, req, true);
-diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c
---- a/net/ipv4/udp.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/udp.c 2020-03-07 22:13:06.595302301 +0000
-@@ -128,10 +128,6 @@
- #define MAX_UDP_PORTS 65536
- #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN)
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- /* IPCB reference means this can not be used from early demux */
- static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
- {
-@@ -2266,9 +2262,6 @@
- goto csum_error;
-
- __UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK))
--#endif
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
-
- /*
-diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c
---- a/net/ipv6/icmp.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/icmp.c 2020-03-07 22:16:58.198696714 +0000
-@@ -72,10 +72,6 @@
-
- #include <linux/uaccess.h>
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- /*
- * The ICMP socket(s). This is the most convenient way to flow control
- * our ICMP output as well as maintain a clean interface throughout
-@@ -852,9 +848,6 @@
-
- switch (type) {
- case ICMPV6_ECHO_REQUEST:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
--#endif
- if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
- icmpv6_echo_reply(skb);
- break;
-diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
---- a/net/ipv6/tcp_ipv6.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/tcp_ipv6.c 2020-03-07 22:20:43.832029273 +0000
-@@ -71,10 +71,6 @@
-
- #include <trace/events/tcp.h>
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
- static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
- struct request_sock *req);
-@@ -1360,10 +1356,6 @@
- return 0;
-
- reset:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!likely(sysctl_stealth_blackhole))
--#endif
--
- tcp_v6_send_reset(sk, skb);
- discard:
- if (opt_skb)
-@@ -1461,27 +1453,6 @@
- if (!pskb_may_pull(skb, th->doff*4))
- goto discard_it;
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (likely(sysctl_stealth_blackhole) &&
-- (
-- th->res1 || !tcp_flag_word(th) ||
-- tcp_flag_word(th) == TCP_FLAG_PSH ||
-- tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
-- (
-- tcp_flag_word(th) &
-- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
-- tcp_flag_word(th) & TCP_FLAG_URG
-- ) ||
-- (
-- tcp_flag_word(th) &
-- (TCP_FLAG_FIN | TCP_FLAG_RST) &&
-- tcp_flag_word(th) & TCP_FLAG_SYN
-- )
-- )
-- )
-- goto discard_it;
--#endif
--
- if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
- goto csum_error;
-
-@@ -1492,22 +1463,12 @@
- sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th),
- th->source, th->dest, inet6_iif(skb), sdif,
- &refcounted);
-- if (!sk) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- ret = 1;
--#endif
--
-+ if (!sk)
- goto no_tcp_socket;
-- }
-
- process:
-- if (sk->sk_state == TCP_TIME_WAIT) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- ret = 2;
--#endif
--
-+ if (sk->sk_state == TCP_TIME_WAIT)
- goto do_time_wait;
-- }
-
- if (sk->sk_state == TCP_NEW_SYN_RECV) {
- struct request_sock *req = inet_reqsk(sk);
-@@ -1615,11 +1576,6 @@
- bad_packet:
- __TCP_INC_STATS(net, TCP_MIB_INERRS);
- } else {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!sysctl_stealth_blackhole || (ret == 1 &&
-- (skb->dev->flags & IFF_LOOPBACK)))
--#endif
--
- tcp_v6_send_reset(NULL, skb);
- }
-
-diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c
---- a/net/ipv6/udp.c 2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/udp.c 2020-03-07 22:21:22.692605157 +0000
-@@ -56,10 +56,6 @@
- #include <trace/events/skb.h>
- #include "udp_impl.h"
-
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
- {
- #if defined(CONFIG_NET_L3_MASTER_DEV)
-@@ -867,9 +863,6 @@
- goto csum_error;
-
- __UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
-- if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK)
--#endif
- icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
-
- kfree_skb(skb);
-diff -Nur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig 2020-03-07 21:59:46.853570565 +0000
-+++ b/security/Kconfig 2020-03-07 22:21:47.792977092 +0000
-@@ -345,38 +345,6 @@
- enhances the random number generator.
-
-
--config HARDENED_STEALTH_NETWORKING
-- bool "Enable stealth networking [GRSECURITY]"
-- default n
-- depends on NET
-- help
-- If you say Y here, neither TCP resets nor ICMP
-- destination-unreachable packets will be sent in response to packets
-- sent to ports for which no associated listening process exists.
-- This feature supports both IPV4 and IPV6 and exempts the
-- loopback interface from blackholing. Enabling this feature
-- makes a host more resilient to DoS attacks and reduces network
-- visibility against scanners.
--
-- The blackhole feature as-implemented is equivalent to the FreeBSD
-- blackhole feature, as it prevents RST responses to all packets, not
-- just SYNs. Under most application behavior this causes no
-- problems, but applications (like haproxy) may not close certain
-- connections in a way that cleanly terminates them on the remote
-- end, leaving the remote host in LAST_ACK state. Because of this
-- side-effect and to prevent intentional LAST_ACK DoSes, this
-- feature also adds automatic mitigation against such attacks.
-- The mitigation drastically reduces the amount of time a socket
-- can spend in LAST_ACK state. If you're using haproxy and not
-- all servers it connects to have this option enabled, consider
-- disabling this feature on the haproxy host.
--
-- If the sysctl option is enabled, a sysctl option with names
-- "ip_blackhole" will be created.
-- This sysctl, "ip_blackhole" takes the standard zero/non-zero
-- on/off toggle to enable or disable this feature.
--
--
- config HARDENED_NO_SIMULT_CONNECT
- bool "Disable simultaneous TCP connections [GRSECURITY]"
- default n