Revert "sys-kernel/linux-{image,sources}-redcore-lts-legacy : drop/disable GRSECURITY stealth networking, breaks IPv6"

This reverts commit 313f638adcc80d1c03e79a350a56f8901b64bc41.
author: V3n3RiX <venerix@redcorelinux.org> 2020-03-07 22:47:44 +0000
committer: V3n3RiX <venerix@redcorelinux.org> 2020-03-07 22:47:44 +0000
commit: 82c955a2272cee67c30ba142697ad8870ce0edda (patch)
tree: 17d59e7037f103f7c730cc3a746aae108667ca99 /sys-kernel
parent: 313f638adcc80d1c03e79a350a56f8901b64bc41 (diff)
6 files changed, 2 insertions, 854 deletions
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
index a04d18cc..7dbc8f7a 100644
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
+++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
@@ -8749,6 +8749,7 @@ CONFIG_DEFAULT_SECURITY="apparmor"
 # Hardened Enhancements
 #
 CONFIG_HARDENED_RANDOM=y
+CONFIG_HARDENED_STEALTH_NETWORKING=y
 CONFIG_HARDENED_NO_SIMULT_CONNECT=y
 CONFIG_HARDENED_SYSFS_RESTRICT=y
 CONFIG_HARDENED_FIFO=y
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
deleted file mode 100644
index d290f937..00000000
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
+++ /dev/null
@@ -1,426 +0,0 @@
-diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
---- a/include/uapi/linux/ip.h	2020-03-07 21:59:46.833570272 +0000
-+++ b/include/uapi/linux/ip.h	2020-03-07 22:06:28.909470648 +0000
-@@ -66,9 +66,6 @@
- 
- #define IPVERSION	4
- #define MAXTTL		255
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--#define IPDEFTTL	128
--#else
- #define IPDEFTTL	64
- #endif
- 
-diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
---- a/net/core/sysctl_net_core.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/core/sysctl_net_core.c	2020-03-07 22:07:10.190076177 +0000
-@@ -36,10 +36,6 @@
- int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0;
- EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net);
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--int sysctl_stealth_blackhole __read_mostly = 1;
--#endif
--
- #ifdef CONFIG_RPS
- static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
- 				void __user *buffer, size_t *lenp, loff_t *ppos)
-@@ -509,17 +505,6 @@
- 		.proc_handler	= set_default_qdisc
- 	},
- #endif
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	{
--		.procname	= "ip_blackhole",
--		.data		= &sysctl_stealth_blackhole,
--		.maxlen		= sizeof(int),
--		.mode		= 0644,
--		.proc_handler   = proc_dointvec_minmax,
--		.extra1		= &zero,
--		.extra2		= &one,
--	},
--#endif
- #endif /* CONFIG_NET */
- 	{
- 		.procname	= "netdev_budget",
-diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c
---- a/net/ipv4/icmp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/icmp.c	2020-03-07 22:08:25.271177396 +0000
-@@ -195,10 +195,6 @@
- 	short   error;		/* This ICMP is classed as an error message */
- };
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
- 
- /*
-@@ -938,11 +934,6 @@
- {
- 	struct net *net;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
--		return true;
--#endif
--
- 	net = dev_net(skb_dst(skb)->dev);
- 	if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
- 		struct icmp_bxm icmp_param;
-@@ -970,11 +961,6 @@
- {
- 	struct icmp_bxm icmp_param;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
--		return true;
--#endif
--
- 	/*
- 	 *	Too short.
- 	 */
-diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c
---- a/net/ipv4/igmp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/igmp.c	2020-03-07 22:09:13.161879736 +0000
-@@ -136,10 +136,6 @@
- 	 ((in_dev)->mr_v2_seen && \
- 	  time_before(jiffies, (in_dev)->mr_v2_seen)))
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static int unsolicited_report_interval(struct in_device *in_dev)
- {
- 	int interval_ms, interval_jiffies;
-@@ -741,11 +737,6 @@
- 	__be32	dst;
- 	int hlen, tlen;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole))
--		return -1;
--#endif
--
- 	if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
- 		return igmpv3_send_report(in_dev, pmc);
- 
-diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
---- a/net/ipv4/tcp_ipv4.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/tcp_ipv4.c	2020-03-07 22:12:16.564568875 +0000
-@@ -95,10 +95,6 @@
- struct inet_hashinfo tcp_hashinfo;
- EXPORT_SYMBOL(tcp_hashinfo);
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static u32 tcp_v4_init_seq(const struct sk_buff *skb)
- {
- 	return secure_tcp_seq(ip_hdr(skb)->daddr,
-@@ -1565,9 +1561,6 @@
- 	return 0;
- 
- reset:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole))
--#endif
- 	tcp_v4_send_reset(rsk, skb);
- discard:
- 	kfree_skb(skb);
-@@ -1716,27 +1709,6 @@
- 	if (!pskb_may_pull(skb, th->doff * 4))
- 		goto discard_it;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) &&
--	    (
--			th->res1 || !tcp_flag_word(th) ||
--			tcp_flag_word(th) == TCP_FLAG_PSH ||
--			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_URG
--			) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_SYN
--			)
--		)
--	)
--		goto discard_it;
--#endif
--
- 	/* An explanation is required here, I think.
- 	 * Packet length and doff are validated by header prediction,
- 	 * provided case of th->doff==0 is eliminated.
-@@ -1750,22 +1722,12 @@
- lookup:
- 	sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
- 			       th->dest, sdif, &refcounted);
--	if (!sk) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 1;
--#endif
--
-+	if (!sk)
- 		goto no_tcp_socket;
--	}
- 
- process:
--	if (sk->sk_state == TCP_TIME_WAIT) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 2;
--#endif
--
-+	if (sk->sk_state == TCP_TIME_WAIT)
- 		goto do_time_wait;
--	}
- 
- 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
- 		struct request_sock *req = inet_reqsk(sk);
-@@ -1879,10 +1841,6 @@
- bad_packet:
- 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
- 	} else {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || (ret == 1 &&
--						  (skb->dev->flags & IFF_LOOPBACK)))
--#endif
- 
- 		tcp_v4_send_reset(NULL, skb);
- 	}
-diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
---- a/net/ipv4/tcp_minisocks.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/tcp_minisocks.c	2020-03-07 22:12:39.754908842 +0000
-@@ -29,10 +29,6 @@
- #include <net/xfrm.h>
- #include <net/busy_poll.h>
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
- {
- 	if (seq == s_win)
-@@ -813,10 +809,6 @@
- 		 * avoid becoming vulnerable to outside attack aiming at
- 		 * resetting legit local connections.
- 		 */
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
--#endif
--
- 		req->rsk_ops->send_reset(sk, skb);
- 	} else if (fastopen) { /* received a valid RST pkt */
- 		reqsk_fastopen_remove(sk, req, true);
-diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c
---- a/net/ipv4/udp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/udp.c	2020-03-07 22:13:06.595302301 +0000
-@@ -128,10 +128,6 @@
- #define MAX_UDP_PORTS 65536
- #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN)
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- /* IPCB reference means this can not be used from early demux */
- static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
- {
-@@ -2266,9 +2262,6 @@
- 		goto csum_error;
- 
- 	__UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK))
--#endif
- 	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
- 
- 	/*
-diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c
---- a/net/ipv6/icmp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/icmp.c	2020-03-07 22:16:58.198696714 +0000
-@@ -72,10 +72,6 @@
- 
- #include <linux/uaccess.h>
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- /*
-  *	The ICMP socket(s). This is the most convenient way to flow control
-  *	our ICMP output as well as maintain a clean interface throughout
-@@ -852,9 +848,6 @@
- 
- 	switch (type) {
- 	case ICMPV6_ECHO_REQUEST:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
--#endif
- 		if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
- 			icmpv6_echo_reply(skb);
- 		break;
-diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
---- a/net/ipv6/tcp_ipv6.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/tcp_ipv6.c	2020-03-07 22:20:43.832029273 +0000
-@@ -71,10 +71,6 @@
- 
- #include <trace/events/tcp.h>
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static void	tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
- static void	tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
- 				      struct request_sock *req);
-@@ -1360,10 +1356,6 @@
- 	return 0;
- 
- reset:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole))
--#endif
--
- 	tcp_v6_send_reset(sk, skb);
- discard:
- 	if (opt_skb)
-@@ -1461,27 +1453,6 @@
- 	if (!pskb_may_pull(skb, th->doff*4))
- 		goto discard_it;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) &&
--	    (
--			th->res1 || !tcp_flag_word(th) ||
--			tcp_flag_word(th) == TCP_FLAG_PSH ||
--			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_URG
--			) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_SYN
--			)
--		)
--	)
--		goto discard_it;
--#endif
--
- 	if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
- 		goto csum_error;
- 
-@@ -1492,22 +1463,12 @@
- 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th),
- 				th->source, th->dest, inet6_iif(skb), sdif,
- 				&refcounted);
--	if (!sk) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 1;
--#endif
--
-+	if (!sk)
- 		goto no_tcp_socket;
--	}
- 
- process:
--	if (sk->sk_state == TCP_TIME_WAIT) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 2;
--#endif
--
-+	if (sk->sk_state == TCP_TIME_WAIT)
- 		goto do_time_wait;
--	}
- 
- 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
- 		struct request_sock *req = inet_reqsk(sk);
-@@ -1615,11 +1576,6 @@
- bad_packet:
- 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
- 	} else {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || (ret == 1 &&
--						  (skb->dev->flags & IFF_LOOPBACK)))
--#endif
--
- 		tcp_v6_send_reset(NULL, skb);
- 	}
- 
-diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c
---- a/net/ipv6/udp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/udp.c	2020-03-07 22:21:22.692605157 +0000
-@@ -56,10 +56,6 @@
- #include <trace/events/skb.h>
- #include "udp_impl.h"
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
- {
- #if defined(CONFIG_NET_L3_MASTER_DEV)
-@@ -867,9 +863,6 @@
- 		goto csum_error;
- 
- 	__UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK)
--#endif
- 	icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
- 
- 	kfree_skb(skb);
-diff -Nur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2020-03-07 21:59:46.853570565 +0000
-+++ b/security/Kconfig	2020-03-07 22:21:47.792977092 +0000
-@@ -345,38 +345,6 @@
- 		enhances the random number generator.
- 
- 
--config HARDENED_STEALTH_NETWORKING
--	bool "Enable stealth networking [GRSECURITY]"
--	default n
--	depends on NET
--	help
--		If you say Y here, neither TCP resets nor ICMP
--		destination-unreachable packets will be sent in response to packets
--		sent to ports for which no associated listening process exists.
--		This feature supports both IPV4 and IPV6 and exempts the
--		loopback interface from blackholing.  Enabling this feature
--		makes a host more resilient to DoS attacks and reduces network
--		visibility against scanners.
--
--		The blackhole feature as-implemented is equivalent to the FreeBSD
--		blackhole feature, as it prevents RST responses to all packets, not
--		just SYNs.  Under most application behavior this causes no
--		problems, but applications (like haproxy) may not close certain
--		connections in a way that cleanly terminates them on the remote
--		end, leaving the remote host in LAST_ACK state.  Because of this
--		side-effect and to prevent intentional LAST_ACK DoSes, this
--		feature also adds automatic mitigation against such attacks.
--		The mitigation drastically reduces the amount of time a socket
--		can spend in LAST_ACK state.  If you're using haproxy and not
--		all servers it connects to have this option enabled, consider
--		disabling this feature on the haproxy host.
--
--		If the sysctl option is enabled, a sysctl option with names
--		"ip_blackhole" will be created.
--		This sysctl, "ip_blackhole" takes the standard zero/non-zero
--		on/off toggle to enable or disable this feature.
--
--
- config HARDENED_NO_SIMULT_CONNECT
- 	bool "Disable simultaneous TCP connections [GRSECURITY]"
- 	default n
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild b/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild
index 73ab24bc..f7975ac8 100644
--- a/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild
+++ b/sys-kernel/linux-image-redcore-lts-legacy/linux-image-redcore-lts-legacy-4.19.108.ebuild
@@ -41,7 +41,6 @@ PATCHES=(
 	"${FILESDIR}"/"${KV_MAJOR}"-nouveau-pascal-backlight.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-radeon_dp_aux_transfer_native-no-ratelimited_debug.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened.patch
-	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened-disable-stealth-networking.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-uksm-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0001-MultiQueue-Skiplist-Scheduler-version-v0.180-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0002-Fix-Werror-build-failure-in-tools.patch
diff --git a/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config
index a04d18cc..7dbc8f7a 100644
--- a/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config
+++ b/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-amd64.config
@@ -8749,6 +8749,7 @@ CONFIG_DEFAULT_SECURITY="apparmor"
 # Hardened Enhancements
 #
 CONFIG_HARDENED_RANDOM=y
+CONFIG_HARDENED_STEALTH_NETWORKING=y
 CONFIG_HARDENED_NO_SIMULT_CONNECT=y
 CONFIG_HARDENED_SYSFS_RESTRICT=y
 CONFIG_HARDENED_FIFO=y
diff --git a/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
deleted file mode 100644
index d290f937..00000000
--- a/sys-kernel/linux-sources-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
+++ /dev/null
@@ -1,426 +0,0 @@
-diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
---- a/include/uapi/linux/ip.h	2020-03-07 21:59:46.833570272 +0000
-+++ b/include/uapi/linux/ip.h	2020-03-07 22:06:28.909470648 +0000
-@@ -66,9 +66,6 @@
- 
- #define IPVERSION	4
- #define MAXTTL		255
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--#define IPDEFTTL	128
--#else
- #define IPDEFTTL	64
- #endif
- 
-diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
---- a/net/core/sysctl_net_core.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/core/sysctl_net_core.c	2020-03-07 22:07:10.190076177 +0000
-@@ -36,10 +36,6 @@
- int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0;
- EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net);
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--int sysctl_stealth_blackhole __read_mostly = 1;
--#endif
--
- #ifdef CONFIG_RPS
- static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
- 				void __user *buffer, size_t *lenp, loff_t *ppos)
-@@ -509,17 +505,6 @@
- 		.proc_handler	= set_default_qdisc
- 	},
- #endif
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	{
--		.procname	= "ip_blackhole",
--		.data		= &sysctl_stealth_blackhole,
--		.maxlen		= sizeof(int),
--		.mode		= 0644,
--		.proc_handler   = proc_dointvec_minmax,
--		.extra1		= &zero,
--		.extra2		= &one,
--	},
--#endif
- #endif /* CONFIG_NET */
- 	{
- 		.procname	= "netdev_budget",
-diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c
---- a/net/ipv4/icmp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/icmp.c	2020-03-07 22:08:25.271177396 +0000
-@@ -195,10 +195,6 @@
- 	short   error;		/* This ICMP is classed as an error message */
- };
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
- 
- /*
-@@ -938,11 +934,6 @@
- {
- 	struct net *net;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
--		return true;
--#endif
--
- 	net = dev_net(skb_dst(skb)->dev);
- 	if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
- 		struct icmp_bxm icmp_param;
-@@ -970,11 +961,6 @@
- {
- 	struct icmp_bxm icmp_param;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
--		return true;
--#endif
--
- 	/*
- 	 *	Too short.
- 	 */
-diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c
---- a/net/ipv4/igmp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/igmp.c	2020-03-07 22:09:13.161879736 +0000
-@@ -136,10 +136,6 @@
- 	 ((in_dev)->mr_v2_seen && \
- 	  time_before(jiffies, (in_dev)->mr_v2_seen)))
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static int unsolicited_report_interval(struct in_device *in_dev)
- {
- 	int interval_ms, interval_jiffies;
-@@ -741,11 +737,6 @@
- 	__be32	dst;
- 	int hlen, tlen;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole))
--		return -1;
--#endif
--
- 	if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
- 		return igmpv3_send_report(in_dev, pmc);
- 
-diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
---- a/net/ipv4/tcp_ipv4.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/tcp_ipv4.c	2020-03-07 22:12:16.564568875 +0000
-@@ -95,10 +95,6 @@
- struct inet_hashinfo tcp_hashinfo;
- EXPORT_SYMBOL(tcp_hashinfo);
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static u32 tcp_v4_init_seq(const struct sk_buff *skb)
- {
- 	return secure_tcp_seq(ip_hdr(skb)->daddr,
-@@ -1565,9 +1561,6 @@
- 	return 0;
- 
- reset:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole))
--#endif
- 	tcp_v4_send_reset(rsk, skb);
- discard:
- 	kfree_skb(skb);
-@@ -1716,27 +1709,6 @@
- 	if (!pskb_may_pull(skb, th->doff * 4))
- 		goto discard_it;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) &&
--	    (
--			th->res1 || !tcp_flag_word(th) ||
--			tcp_flag_word(th) == TCP_FLAG_PSH ||
--			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_URG
--			) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_SYN
--			)
--		)
--	)
--		goto discard_it;
--#endif
--
- 	/* An explanation is required here, I think.
- 	 * Packet length and doff are validated by header prediction,
- 	 * provided case of th->doff==0 is eliminated.
-@@ -1750,22 +1722,12 @@
- lookup:
- 	sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
- 			       th->dest, sdif, &refcounted);
--	if (!sk) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 1;
--#endif
--
-+	if (!sk)
- 		goto no_tcp_socket;
--	}
- 
- process:
--	if (sk->sk_state == TCP_TIME_WAIT) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 2;
--#endif
--
-+	if (sk->sk_state == TCP_TIME_WAIT)
- 		goto do_time_wait;
--	}
- 
- 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
- 		struct request_sock *req = inet_reqsk(sk);
-@@ -1879,10 +1841,6 @@
- bad_packet:
- 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
- 	} else {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || (ret == 1 &&
--						  (skb->dev->flags & IFF_LOOPBACK)))
--#endif
- 
- 		tcp_v4_send_reset(NULL, skb);
- 	}
-diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
---- a/net/ipv4/tcp_minisocks.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/tcp_minisocks.c	2020-03-07 22:12:39.754908842 +0000
-@@ -29,10 +29,6 @@
- #include <net/xfrm.h>
- #include <net/busy_poll.h>
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
- {
- 	if (seq == s_win)
-@@ -813,10 +809,6 @@
- 		 * avoid becoming vulnerable to outside attack aiming at
- 		 * resetting legit local connections.
- 		 */
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
--#endif
--
- 		req->rsk_ops->send_reset(sk, skb);
- 	} else if (fastopen) { /* received a valid RST pkt */
- 		reqsk_fastopen_remove(sk, req, true);
-diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c
---- a/net/ipv4/udp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv4/udp.c	2020-03-07 22:13:06.595302301 +0000
-@@ -128,10 +128,6 @@
- #define MAX_UDP_PORTS 65536
- #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN)
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- /* IPCB reference means this can not be used from early demux */
- static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
- {
-@@ -2266,9 +2262,6 @@
- 		goto csum_error;
- 
- 	__UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK))
--#endif
- 	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
- 
- 	/*
-diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c
---- a/net/ipv6/icmp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/icmp.c	2020-03-07 22:16:58.198696714 +0000
-@@ -72,10 +72,6 @@
- 
- #include <linux/uaccess.h>
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- /*
-  *	The ICMP socket(s). This is the most convenient way to flow control
-  *	our ICMP output as well as maintain a clean interface throughout
-@@ -852,9 +848,6 @@
- 
- 	switch (type) {
- 	case ICMPV6_ECHO_REQUEST:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
--#endif
- 		if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
- 			icmpv6_echo_reply(skb);
- 		break;
-diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
---- a/net/ipv6/tcp_ipv6.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/tcp_ipv6.c	2020-03-07 22:20:43.832029273 +0000
-@@ -71,10 +71,6 @@
- 
- #include <trace/events/tcp.h>
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static void	tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
- static void	tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
- 				      struct request_sock *req);
-@@ -1360,10 +1356,6 @@
- 	return 0;
- 
- reset:
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole))
--#endif
--
- 	tcp_v6_send_reset(sk, skb);
- discard:
- 	if (opt_skb)
-@@ -1461,27 +1453,6 @@
- 	if (!pskb_may_pull(skb, th->doff*4))
- 		goto discard_it;
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (likely(sysctl_stealth_blackhole) &&
--	    (
--			th->res1 || !tcp_flag_word(th) ||
--			tcp_flag_word(th) == TCP_FLAG_PSH ||
--			tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_URG
--			) ||
--			(
--				tcp_flag_word(th) &
--					(TCP_FLAG_FIN | TCP_FLAG_RST) &&
--				tcp_flag_word(th) & TCP_FLAG_SYN
--			)
--		)
--	)
--		goto discard_it;
--#endif
--
- 	if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
- 		goto csum_error;
- 
-@@ -1492,22 +1463,12 @@
- 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th),
- 				th->source, th->dest, inet6_iif(skb), sdif,
- 				&refcounted);
--	if (!sk) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 1;
--#endif
--
-+	if (!sk)
- 		goto no_tcp_socket;
--	}
- 
- process:
--	if (sk->sk_state == TCP_TIME_WAIT) {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		ret = 2;
--#endif
--
-+	if (sk->sk_state == TCP_TIME_WAIT)
- 		goto do_time_wait;
--	}
- 
- 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
- 		struct request_sock *req = inet_reqsk(sk);
-@@ -1615,11 +1576,6 @@
- bad_packet:
- 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
- 	} else {
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--		if (!sysctl_stealth_blackhole || (ret == 1 &&
--						  (skb->dev->flags & IFF_LOOPBACK)))
--#endif
--
- 		tcp_v6_send_reset(NULL, skb);
- 	}
- 
-diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c
---- a/net/ipv6/udp.c	2020-03-07 21:59:46.853570565 +0000
-+++ b/net/ipv6/udp.c	2020-03-07 22:21:22.692605157 +0000
-@@ -56,10 +56,6 @@
- #include <trace/events/skb.h>
- #include "udp_impl.h"
- 
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--extern int sysctl_stealth_blackhole;
--#endif
--
- static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
- {
- #if defined(CONFIG_NET_L3_MASTER_DEV)
-@@ -867,9 +863,6 @@
- 		goto csum_error;
- 
- 	__UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
--#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
--	if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK)
--#endif
- 	icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
- 
- 	kfree_skb(skb);
-diff -Nur a/security/Kconfig b/security/Kconfig
---- a/security/Kconfig	2020-03-07 21:59:46.853570565 +0000
-+++ b/security/Kconfig	2020-03-07 22:21:47.792977092 +0000
-@@ -345,38 +345,6 @@
- 		enhances the random number generator.
- 
- 
--config HARDENED_STEALTH_NETWORKING
--	bool "Enable stealth networking [GRSECURITY]"
--	default n
--	depends on NET
--	help
--		If you say Y here, neither TCP resets nor ICMP
--		destination-unreachable packets will be sent in response to packets
--		sent to ports for which no associated listening process exists.
--		This feature supports both IPV4 and IPV6 and exempts the
--		loopback interface from blackholing.  Enabling this feature
--		makes a host more resilient to DoS attacks and reduces network
--		visibility against scanners.
--
--		The blackhole feature as-implemented is equivalent to the FreeBSD
--		blackhole feature, as it prevents RST responses to all packets, not
--		just SYNs.  Under most application behavior this causes no
--		problems, but applications (like haproxy) may not close certain
--		connections in a way that cleanly terminates them on the remote
--		end, leaving the remote host in LAST_ACK state.  Because of this
--		side-effect and to prevent intentional LAST_ACK DoSes, this
--		feature also adds automatic mitigation against such attacks.
--		The mitigation drastically reduces the amount of time a socket
--		can spend in LAST_ACK state.  If you're using haproxy and not
--		all servers it connects to have this option enabled, consider
--		disabling this feature on the haproxy host.
--
--		If the sysctl option is enabled, a sysctl option with names
--		"ip_blackhole" will be created.
--		This sysctl, "ip_blackhole" takes the standard zero/non-zero
--		on/off toggle to enable or disable this feature.
--
--
- config HARDENED_NO_SIMULT_CONNECT
- 	bool "Disable simultaneous TCP connections [GRSECURITY]"
- 	default n
diff --git a/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild b/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild
index b50fa254..2f7dc850 100644
--- a/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild
+++ b/sys-kernel/linux-sources-redcore-lts-legacy/linux-sources-redcore-lts-legacy-4.19.108.ebuild
@@ -35,7 +35,6 @@ PATCHES=(
 	"${FILESDIR}"/"${KV_MAJOR}"-nouveau-pascal-backlight.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-radeon_dp_aux_transfer_native-no-ratelimited_debug.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened.patch
-	"${FILESDIR}"/"${KV_MAJOR}"-linux-hardened-disable-stealth-networking.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-uksm-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0001-MultiQueue-Skiplist-Scheduler-version-v0.180-linux-hardened.patch
 	"${FILESDIR}"/"${KV_MAJOR}"-0002-Fix-Werror-build-failure-in-tools.patch
author	V3n3RiX <venerix@redcorelinux.org>	2020-03-07 22:47:44 +0000
committer	V3n3RiX <venerix@redcorelinux.org>	2020-03-07 22:47:44 +0000
commit	82c955a2272cee67c30ba142697ad8870ce0edda (patch)
tree	17d59e7037f103f7c730cc3a746aae108667ca99 /sys-kernel
parent	313f638adcc80d1c03e79a350a56f8901b64bc41 (diff)