From 82c955a2272cee67c30ba142697ad8870ce0edda Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sat, 7 Mar 2020 22:47:44 +0000 Subject: Revert "sys-kernel/linux-{image,sources}-redcore-lts-legacy : drop/disable GRSECURITY stealth networking, breaks IPv6" This reverts commit 313f638adcc80d1c03e79a350a56f8901b64bc41. --- .../files/4.19-amd64.config | 1 + ...linux-hardened-disable-stealth-networking.patch | 426 --------------------- 2 files changed, 1 insertion(+), 426 deletions(-) delete mode 100644 sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files') diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config index a04d18cc..7dbc8f7a 100644 --- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config +++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config @@ -8749,6 +8749,7 @@ CONFIG_DEFAULT_SECURITY="apparmor" # Hardened Enhancements # CONFIG_HARDENED_RANDOM=y +CONFIG_HARDENED_STEALTH_NETWORKING=y CONFIG_HARDENED_NO_SIMULT_CONNECT=y CONFIG_HARDENED_SYSFS_RESTRICT=y CONFIG_HARDENED_FIFO=y diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch deleted file mode 100644 index d290f937..00000000 --- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch +++ /dev/null @@ -1,426 +0,0 @@ -diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h ---- a/include/uapi/linux/ip.h 2020-03-07 21:59:46.833570272 +0000 -+++ b/include/uapi/linux/ip.h 2020-03-07 22:06:28.909470648 +0000 -@@ -66,9 +66,6 @@ - - #define IPVERSION 4 - #define MAXTTL 255 --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --#define IPDEFTTL 128 --#else - #define IPDEFTTL 64 - #endif - -diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c ---- a/net/core/sysctl_net_core.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/core/sysctl_net_core.c 2020-03-07 22:07:10.190076177 +0000 -@@ -36,10 +36,6 @@ - int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0; - EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net); - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --int sysctl_stealth_blackhole __read_mostly = 1; --#endif -- - #ifdef CONFIG_RPS - static int rps_sock_flow_sysctl(struct ctl_table *table, int write, - void __user *buffer, size_t *lenp, loff_t *ppos) -@@ -509,17 +505,6 @@ - .proc_handler = set_default_qdisc - }, - #endif --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- { -- .procname = "ip_blackhole", -- .data = &sysctl_stealth_blackhole, -- .maxlen = sizeof(int), -- .mode = 0644, -- .proc_handler = proc_dointvec_minmax, -- .extra1 = &zero, -- .extra2 = &one, -- }, --#endif - #endif /* CONFIG_NET */ - { - .procname = "netdev_budget", -diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c ---- a/net/ipv4/icmp.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv4/icmp.c 2020-03-07 22:08:25.271177396 +0000 -@@ -195,10 +195,6 @@ - short error; /* This ICMP is classed as an error message */ - }; - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1]; - - /* -@@ -938,11 +934,6 @@ - { - struct net *net; - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK)) -- return true; --#endif -- - net = dev_net(skb_dst(skb)->dev); - if (!net->ipv4.sysctl_icmp_echo_ignore_all) { - struct icmp_bxm icmp_param; -@@ -970,11 +961,6 @@ - { - struct icmp_bxm icmp_param; - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK)) -- return true; --#endif -- - /* - * Too short. - */ -diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c ---- a/net/ipv4/igmp.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv4/igmp.c 2020-03-07 22:09:13.161879736 +0000 -@@ -136,10 +136,6 @@ - ((in_dev)->mr_v2_seen && \ - time_before(jiffies, (in_dev)->mr_v2_seen))) - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - static int unsolicited_report_interval(struct in_device *in_dev) - { - int interval_ms, interval_jiffies; -@@ -741,11 +737,6 @@ - __be32 dst; - int hlen, tlen; - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (likely(sysctl_stealth_blackhole)) -- return -1; --#endif -- - if (type == IGMPV3_HOST_MEMBERSHIP_REPORT) - return igmpv3_send_report(in_dev, pmc); - -diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c ---- a/net/ipv4/tcp_ipv4.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv4/tcp_ipv4.c 2020-03-07 22:12:16.564568875 +0000 -@@ -95,10 +95,6 @@ - struct inet_hashinfo tcp_hashinfo; - EXPORT_SYMBOL(tcp_hashinfo); - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - static u32 tcp_v4_init_seq(const struct sk_buff *skb) - { - return secure_tcp_seq(ip_hdr(skb)->daddr, -@@ -1565,9 +1561,6 @@ - return 0; - - reset: --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!likely(sysctl_stealth_blackhole)) --#endif - tcp_v4_send_reset(rsk, skb); - discard: - kfree_skb(skb); -@@ -1716,27 +1709,6 @@ - if (!pskb_may_pull(skb, th->doff * 4)) - goto discard_it; - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (likely(sysctl_stealth_blackhole) && -- ( -- th->res1 || !tcp_flag_word(th) || -- tcp_flag_word(th) == TCP_FLAG_PSH || -- tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) || -- ( -- tcp_flag_word(th) & -- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) && -- tcp_flag_word(th) & TCP_FLAG_URG -- ) || -- ( -- tcp_flag_word(th) & -- (TCP_FLAG_FIN | TCP_FLAG_RST) && -- tcp_flag_word(th) & TCP_FLAG_SYN -- ) -- ) -- ) -- goto discard_it; --#endif -- - /* An explanation is required here, I think. - * Packet length and doff are validated by header prediction, - * provided case of th->doff==0 is eliminated. -@@ -1750,22 +1722,12 @@ - lookup: - sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source, - th->dest, sdif, &refcounted); -- if (!sk) { --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- ret = 1; --#endif -- -+ if (!sk) - goto no_tcp_socket; -- } - - process: -- if (sk->sk_state == TCP_TIME_WAIT) { --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- ret = 2; --#endif -- -+ if (sk->sk_state == TCP_TIME_WAIT) - goto do_time_wait; -- } - - if (sk->sk_state == TCP_NEW_SYN_RECV) { - struct request_sock *req = inet_reqsk(sk); -@@ -1879,10 +1841,6 @@ - bad_packet: - __TCP_INC_STATS(net, TCP_MIB_INERRS); - } else { --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!sysctl_stealth_blackhole || (ret == 1 && -- (skb->dev->flags & IFF_LOOPBACK))) --#endif - - tcp_v4_send_reset(NULL, skb); - } -diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c ---- a/net/ipv4/tcp_minisocks.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv4/tcp_minisocks.c 2020-03-07 22:12:39.754908842 +0000 -@@ -29,10 +29,6 @@ - #include - #include - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win) - { - if (seq == s_win) -@@ -813,10 +809,6 @@ - * avoid becoming vulnerable to outside attack aiming at - * resetting legit local connections. - */ --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK) --#endif -- - req->rsk_ops->send_reset(sk, skb); - } else if (fastopen) { /* received a valid RST pkt */ - reqsk_fastopen_remove(sk, req, true); -diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c ---- a/net/ipv4/udp.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv4/udp.c 2020-03-07 22:13:06.595302301 +0000 -@@ -128,10 +128,6 @@ - #define MAX_UDP_PORTS 65536 - #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN) - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - /* IPCB reference means this can not be used from early demux */ - static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb) - { -@@ -2266,9 +2262,6 @@ - goto csum_error; - - __UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK)) --#endif - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); - - /* -diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c ---- a/net/ipv6/icmp.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv6/icmp.c 2020-03-07 22:16:58.198696714 +0000 -@@ -72,10 +72,6 @@ - - #include - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - /* - * The ICMP socket(s). This is the most convenient way to flow control - * our ICMP output as well as maintain a clean interface throughout -@@ -852,9 +848,6 @@ - - switch (type) { - case ICMPV6_ECHO_REQUEST: --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK) --#endif - if (!net->ipv6.sysctl.icmpv6_echo_ignore_all) - icmpv6_echo_reply(skb); - break; -diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c ---- a/net/ipv6/tcp_ipv6.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv6/tcp_ipv6.c 2020-03-07 22:20:43.832029273 +0000 -@@ -71,10 +71,6 @@ - - #include - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb); - static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, - struct request_sock *req); -@@ -1360,10 +1356,6 @@ - return 0; - - reset: --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!likely(sysctl_stealth_blackhole)) --#endif -- - tcp_v6_send_reset(sk, skb); - discard: - if (opt_skb) -@@ -1461,27 +1453,6 @@ - if (!pskb_may_pull(skb, th->doff*4)) - goto discard_it; - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (likely(sysctl_stealth_blackhole) && -- ( -- th->res1 || !tcp_flag_word(th) || -- tcp_flag_word(th) == TCP_FLAG_PSH || -- tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) || -- ( -- tcp_flag_word(th) & -- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) && -- tcp_flag_word(th) & TCP_FLAG_URG -- ) || -- ( -- tcp_flag_word(th) & -- (TCP_FLAG_FIN | TCP_FLAG_RST) && -- tcp_flag_word(th) & TCP_FLAG_SYN -- ) -- ) -- ) -- goto discard_it; --#endif -- - if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo)) - goto csum_error; - -@@ -1492,22 +1463,12 @@ - sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), - th->source, th->dest, inet6_iif(skb), sdif, - &refcounted); -- if (!sk) { --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- ret = 1; --#endif -- -+ if (!sk) - goto no_tcp_socket; -- } - - process: -- if (sk->sk_state == TCP_TIME_WAIT) { --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- ret = 2; --#endif -- -+ if (sk->sk_state == TCP_TIME_WAIT) - goto do_time_wait; -- } - - if (sk->sk_state == TCP_NEW_SYN_RECV) { - struct request_sock *req = inet_reqsk(sk); -@@ -1615,11 +1576,6 @@ - bad_packet: - __TCP_INC_STATS(net, TCP_MIB_INERRS); - } else { --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!sysctl_stealth_blackhole || (ret == 1 && -- (skb->dev->flags & IFF_LOOPBACK))) --#endif -- - tcp_v6_send_reset(NULL, skb); - } - -diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c ---- a/net/ipv6/udp.c 2020-03-07 21:59:46.853570565 +0000 -+++ b/net/ipv6/udp.c 2020-03-07 22:21:22.692605157 +0000 -@@ -56,10 +56,6 @@ - #include - #include "udp_impl.h" - --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING --extern int sysctl_stealth_blackhole; --#endif -- - static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb) - { - #if defined(CONFIG_NET_L3_MASTER_DEV) -@@ -867,9 +863,6 @@ - goto csum_error; - - __UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); --#ifdef CONFIG_HARDENED_STEALTH_NETWORKING -- if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK) --#endif - icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); - - kfree_skb(skb); -diff -Nur a/security/Kconfig b/security/Kconfig ---- a/security/Kconfig 2020-03-07 21:59:46.853570565 +0000 -+++ b/security/Kconfig 2020-03-07 22:21:47.792977092 +0000 -@@ -345,38 +345,6 @@ - enhances the random number generator. - - --config HARDENED_STEALTH_NETWORKING -- bool "Enable stealth networking [GRSECURITY]" -- default n -- depends on NET -- help -- If you say Y here, neither TCP resets nor ICMP -- destination-unreachable packets will be sent in response to packets -- sent to ports for which no associated listening process exists. -- This feature supports both IPV4 and IPV6 and exempts the -- loopback interface from blackholing. Enabling this feature -- makes a host more resilient to DoS attacks and reduces network -- visibility against scanners. -- -- The blackhole feature as-implemented is equivalent to the FreeBSD -- blackhole feature, as it prevents RST responses to all packets, not -- just SYNs. Under most application behavior this causes no -- problems, but applications (like haproxy) may not close certain -- connections in a way that cleanly terminates them on the remote -- end, leaving the remote host in LAST_ACK state. Because of this -- side-effect and to prevent intentional LAST_ACK DoSes, this -- feature also adds automatic mitigation against such attacks. -- The mitigation drastically reduces the amount of time a socket -- can spend in LAST_ACK state. If you're using haproxy and not -- all servers it connects to have this option enabled, consider -- disabling this feature on the haproxy host. -- -- If the sysctl option is enabled, a sysctl option with names -- "ip_blackhole" will be created. -- This sysctl, "ip_blackhole" takes the standard zero/non-zero -- on/off toggle to enable or disable this feature. -- -- - config HARDENED_NO_SIMULT_CONNECT - bool "Disable simultaneous TCP connections [GRSECURITY]" - default n -- cgit v1.2.3