Diffstat (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files')
-rw-r--r--sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config1
-rw-r--r--sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch426
2 files changed, 426 insertions, 1 deletions
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
index 7dbc8f7a..a04d18cc 100644
--- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
+++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config
@@ -8749,7 +8749,6 @@ CONFIG_DEFAULT_SECURITY="apparmor"
# Hardened Enhancements
#
CONFIG_HARDENED_RANDOM=y
-CONFIG_HARDENED_STEALTH_NETWORKING=y
CONFIG_HARDENED_NO_SIMULT_CONNECT=y
CONFIG_HARDENED_SYSFS_RESTRICT=y
CONFIG_HARDENED_FIFO=y
diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
new file mode 100644
index 00000000..d290f937
--- /dev/null
+++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch
@@ -0,0 +1,426 @@
+diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
+--- a/include/uapi/linux/ip.h 2020-03-07 21:59:46.833570272 +0000
++++ b/include/uapi/linux/ip.h 2020-03-07 22:06:28.909470648 +0000
+@@ -66,9 +66,6 @@
+
+ #define IPVERSION 4
+ #define MAXTTL 255
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-#define IPDEFTTL 128
+-#else
+ #define IPDEFTTL 64
+ #endif
+
+diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
+--- a/net/core/sysctl_net_core.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/core/sysctl_net_core.c 2020-03-07 22:07:10.190076177 +0000
+@@ -36,10 +36,6 @@
+ int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0;
+ EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net);
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-int sysctl_stealth_blackhole __read_mostly = 1;
+-#endif
+-
+ #ifdef CONFIG_RPS
+ static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+@@ -509,17 +505,6 @@
+ .proc_handler = set_default_qdisc
+ },
+ #endif
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- {
+- .procname = "ip_blackhole",
+- .data = &sysctl_stealth_blackhole,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax,
+- .extra1 = &zero,
+- .extra2 = &one,
+- },
+-#endif
+ #endif /* CONFIG_NET */
+ {
+ .procname = "netdev_budget",
+diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+--- a/net/ipv4/icmp.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/icmp.c 2020-03-07 22:08:25.271177396 +0000
+@@ -195,10 +195,6 @@
+ short error; /* This ICMP is classed as an error message */
+ };
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1];
+
+ /*
+@@ -938,11 +934,6 @@
+ {
+ struct net *net;
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
+- return true;
+-#endif
+-
+ net = dev_net(skb_dst(skb)->dev);
+ if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
+ struct icmp_bxm icmp_param;
+@@ -970,11 +961,6 @@
+ {
+ struct icmp_bxm icmp_param;
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK))
+- return true;
+-#endif
+-
+ /*
+ * Too short.
+ */
+diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+--- a/net/ipv4/igmp.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/igmp.c 2020-03-07 22:09:13.161879736 +0000
+@@ -136,10 +136,6 @@
+ ((in_dev)->mr_v2_seen && \
+ time_before(jiffies, (in_dev)->mr_v2_seen)))
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static int unsolicited_report_interval(struct in_device *in_dev)
+ {
+ int interval_ms, interval_jiffies;
+@@ -741,11 +737,6 @@
+ __be32 dst;
+ int hlen, tlen;
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (likely(sysctl_stealth_blackhole))
+- return -1;
+-#endif
+-
+ if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
+ return igmpv3_send_report(in_dev, pmc);
+
+diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+--- a/net/ipv4/tcp_ipv4.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/tcp_ipv4.c 2020-03-07 22:12:16.564568875 +0000
+@@ -95,10 +95,6 @@
+ struct inet_hashinfo tcp_hashinfo;
+ EXPORT_SYMBOL(tcp_hashinfo);
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static u32 tcp_v4_init_seq(const struct sk_buff *skb)
+ {
+ return secure_tcp_seq(ip_hdr(skb)->daddr,
+@@ -1565,9 +1561,6 @@
+ return 0;
+
+ reset:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!likely(sysctl_stealth_blackhole))
+-#endif
+ tcp_v4_send_reset(rsk, skb);
+ discard:
+ kfree_skb(skb);
+@@ -1716,27 +1709,6 @@
+ if (!pskb_may_pull(skb, th->doff * 4))
+ goto discard_it;
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (likely(sysctl_stealth_blackhole) &&
+- (
+- th->res1 || !tcp_flag_word(th) ||
+- tcp_flag_word(th) == TCP_FLAG_PSH ||
+- tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
+- (
+- tcp_flag_word(th) &
+- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
+- tcp_flag_word(th) & TCP_FLAG_URG
+- ) ||
+- (
+- tcp_flag_word(th) &
+- (TCP_FLAG_FIN | TCP_FLAG_RST) &&
+- tcp_flag_word(th) & TCP_FLAG_SYN
+- )
+- )
+- )
+- goto discard_it;
+-#endif
+-
+ /* An explanation is required here, I think.
+ * Packet length and doff are validated by header prediction,
+ * provided case of th->doff==0 is eliminated.
+@@ -1750,22 +1722,12 @@
+ lookup:
+ sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
+ th->dest, sdif, &refcounted);
+- if (!sk) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- ret = 1;
+-#endif
+-
++ if (!sk)
+ goto no_tcp_socket;
+- }
+
+ process:
+- if (sk->sk_state == TCP_TIME_WAIT) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- ret = 2;
+-#endif
+-
++ if (sk->sk_state == TCP_TIME_WAIT)
+ goto do_time_wait;
+- }
+
+ if (sk->sk_state == TCP_NEW_SYN_RECV) {
+ struct request_sock *req = inet_reqsk(sk);
+@@ -1879,10 +1841,6 @@
+ bad_packet:
+ __TCP_INC_STATS(net, TCP_MIB_INERRS);
+ } else {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!sysctl_stealth_blackhole || (ret == 1 &&
+- (skb->dev->flags & IFF_LOOPBACK)))
+-#endif
+
+ tcp_v4_send_reset(NULL, skb);
+ }
+diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+--- a/net/ipv4/tcp_minisocks.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/tcp_minisocks.c 2020-03-07 22:12:39.754908842 +0000
+@@ -29,10 +29,6 @@
+ #include <net/xfrm.h>
+ #include <net/busy_poll.h>
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win)
+ {
+ if (seq == s_win)
+@@ -813,10 +809,6 @@
+ * avoid becoming vulnerable to outside attack aiming at
+ * resetting legit local connections.
+ */
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+-
+ req->rsk_ops->send_reset(sk, skb);
+ } else if (fastopen) { /* received a valid RST pkt */
+ reqsk_fastopen_remove(sk, req, true);
+diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c
+--- a/net/ipv4/udp.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv4/udp.c 2020-03-07 22:13:06.595302301 +0000
+@@ -128,10 +128,6 @@
+ #define MAX_UDP_PORTS 65536
+ #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN)
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ /* IPCB reference means this can not be used from early demux */
+ static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
+ {
+@@ -2266,9 +2262,6 @@
+ goto csum_error;
+
+ __UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK))
+-#endif
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+
+ /*
+diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+--- a/net/ipv6/icmp.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/icmp.c 2020-03-07 22:16:58.198696714 +0000
+@@ -72,10 +72,6 @@
+
+ #include <linux/uaccess.h>
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ /*
+ * The ICMP socket(s). This is the most convenient way to flow control
+ * our ICMP output as well as maintain a clean interface throughout
+@@ -852,9 +848,6 @@
+
+ switch (type) {
+ case ICMPV6_ECHO_REQUEST:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+ if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
+ icmpv6_echo_reply(skb);
+ break;
+diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+--- a/net/ipv6/tcp_ipv6.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/tcp_ipv6.c 2020-03-07 22:20:43.832029273 +0000
+@@ -71,10 +71,6 @@
+
+ #include <trace/events/tcp.h>
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
+ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req);
+@@ -1360,10 +1356,6 @@
+ return 0;
+
+ reset:
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!likely(sysctl_stealth_blackhole))
+-#endif
+-
+ tcp_v6_send_reset(sk, skb);
+ discard:
+ if (opt_skb)
+@@ -1461,27 +1453,6 @@
+ if (!pskb_may_pull(skb, th->doff*4))
+ goto discard_it;
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (likely(sysctl_stealth_blackhole) &&
+- (
+- th->res1 || !tcp_flag_word(th) ||
+- tcp_flag_word(th) == TCP_FLAG_PSH ||
+- tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) ||
+- (
+- tcp_flag_word(th) &
+- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) &&
+- tcp_flag_word(th) & TCP_FLAG_URG
+- ) ||
+- (
+- tcp_flag_word(th) &
+- (TCP_FLAG_FIN | TCP_FLAG_RST) &&
+- tcp_flag_word(th) & TCP_FLAG_SYN
+- )
+- )
+- )
+- goto discard_it;
+-#endif
+-
+ if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
+ goto csum_error;
+
+@@ -1492,22 +1463,12 @@
+ sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th),
+ th->source, th->dest, inet6_iif(skb), sdif,
+ &refcounted);
+- if (!sk) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- ret = 1;
+-#endif
+-
++ if (!sk)
+ goto no_tcp_socket;
+- }
+
+ process:
+- if (sk->sk_state == TCP_TIME_WAIT) {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- ret = 2;
+-#endif
+-
++ if (sk->sk_state == TCP_TIME_WAIT)
+ goto do_time_wait;
+- }
+
+ if (sk->sk_state == TCP_NEW_SYN_RECV) {
+ struct request_sock *req = inet_reqsk(sk);
+@@ -1615,11 +1576,6 @@
+ bad_packet:
+ __TCP_INC_STATS(net, TCP_MIB_INERRS);
+ } else {
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!sysctl_stealth_blackhole || (ret == 1 &&
+- (skb->dev->flags & IFF_LOOPBACK)))
+-#endif
+-
+ tcp_v6_send_reset(NULL, skb);
+ }
+
+diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c
+--- a/net/ipv6/udp.c 2020-03-07 21:59:46.853570565 +0000
++++ b/net/ipv6/udp.c 2020-03-07 22:21:22.692605157 +0000
+@@ -56,10 +56,6 @@
+ #include <trace/events/skb.h>
+ #include "udp_impl.h"
+
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+-extern int sysctl_stealth_blackhole;
+-#endif
+-
+ static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb)
+ {
+ #if defined(CONFIG_NET_L3_MASTER_DEV)
+@@ -867,9 +863,6 @@
+ goto csum_error;
+
+ __UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
+-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING
+- if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK)
+-#endif
+ icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
+
+ kfree_skb(skb);
+diff -Nur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2020-03-07 21:59:46.853570565 +0000
++++ b/security/Kconfig 2020-03-07 22:21:47.792977092 +0000
+@@ -345,38 +345,6 @@
+ enhances the random number generator.
+
+
+-config HARDENED_STEALTH_NETWORKING
+- bool "Enable stealth networking [GRSECURITY]"
+- default n
+- depends on NET
+- help
+- If you say Y here, neither TCP resets nor ICMP
+- destination-unreachable packets will be sent in response to packets
+- sent to ports for which no associated listening process exists.
+- This feature supports both IPV4 and IPV6 and exempts the
+- loopback interface from blackholing. Enabling this feature
+- makes a host more resilient to DoS attacks and reduces network
+- visibility against scanners.
+-
+- The blackhole feature as-implemented is equivalent to the FreeBSD
+- blackhole feature, as it prevents RST responses to all packets, not
+- just SYNs. Under most application behavior this causes no
+- problems, but applications (like haproxy) may not close certain
+- connections in a way that cleanly terminates them on the remote
+- end, leaving the remote host in LAST_ACK state. Because of this
+- side-effect and to prevent intentional LAST_ACK DoSes, this
+- feature also adds automatic mitigation against such attacks.
+- The mitigation drastically reduces the amount of time a socket
+- can spend in LAST_ACK state. If you're using haproxy and not
+- all servers it connects to have this option enabled, consider
+- disabling this feature on the haproxy host.
+-
+- If the sysctl option is enabled, a sysctl option with names
+- "ip_blackhole" will be created.
+- This sysctl, "ip_blackhole" takes the standard zero/non-zero
+- on/off toggle to enable or disable this feature.
+-
+-
+ config HARDENED_NO_SIMULT_CONNECT
+ bool "Disable simultaneous TCP connections [GRSECURITY]"
+ default n
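Review bot: The first hunk inside the new patch (`include/uapi/linux/ip.h`, `@@ -66,9 +66,6 @@`) deletes the `#ifdef CONFIG_HARDENED_STEALTH_NETWORKING`, `#define IPDEFTTL 128` and `#else` lines but keeps the closing `#endif` as a context line, so the patched header is left with an unmatched `#endif` and the preprocessor will reject it as soon as that uapi header is included. The `#endif` must go with the rest of the block: change ` #endif` to `-#endif` and the hunk header to `@@ -66,9 +66,5 @@`. The remaining hunks remove the `sysctl_stealth_blackhole` checks consistently, but the `ip_blackhole` entry in the net.core sysctl table (`net/core/sysctl_net_core.c`) disappears with them, so any sysctl configuration still setting it will fail to apply after this kernel is installed and hosts will again answer closed ports with TCP RST and ICMP port-unreachable; that behavioural change deserves a line in the commit message or ebuild notes.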