From 313f638adcc80d1c03e79a350a56f8901b64bc41 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sat, 7 Mar 2020 22:35:28 +0000 Subject: sys-kernel/linux-{image,sources}-redcore-lts-legacy : drop/disable GRSECURITY stealth networking, breaks IPv6 --- .../files/4.19-amd64.config | 1 - ...linux-hardened-disable-stealth-networking.patch | 426 +++++++++++++++++++++ 2 files changed, 426 insertions(+), 1 deletion(-) create mode 100644 sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch (limited to 'sys-kernel/linux-image-redcore-lts-legacy/files') diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config index 7dbc8f7a..a04d18cc 100644 --- a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config +++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-amd64.config @@ -8749,7 +8749,6 @@ CONFIG_DEFAULT_SECURITY="apparmor" # Hardened Enhancements # CONFIG_HARDENED_RANDOM=y -CONFIG_HARDENED_STEALTH_NETWORKING=y CONFIG_HARDENED_NO_SIMULT_CONNECT=y CONFIG_HARDENED_SYSFS_RESTRICT=y CONFIG_HARDENED_FIFO=y diff --git a/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch new file mode 100644 index 00000000..d290f937 --- /dev/null +++ b/sys-kernel/linux-image-redcore-lts-legacy/files/4.19-linux-hardened-disable-stealth-networking.patch 
@@ -0,0 +1,426 @@ +diff -Nur a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h +--- a/include/uapi/linux/ip.h 2020-03-07 21:59:46.833570272 +0000 ++++ b/include/uapi/linux/ip.h 2020-03-07 22:06:28.909470648 +0000 +@@ -66,9 +66,6 @@ + + #define IPVERSION 4 + #define MAXTTL 255 +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-#define IPDEFTTL 128 +-#else + #define IPDEFTTL 64 + #endif + +diff -Nur a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +--- a/net/core/sysctl_net_core.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/core/sysctl_net_core.c 2020-03-07 22:07:10.190076177 +0000 +@@ -36,10 +36,6 @@ + int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0; + EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net); + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-int sysctl_stealth_blackhole __read_mostly = 1; +-#endif +- + #ifdef CONFIG_RPS + static int rps_sock_flow_sysctl(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) +@@ -509,17 +505,6 @@ + .proc_handler = set_default_qdisc + }, + #endif +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- { +- .procname = "ip_blackhole", +- .data = &sysctl_stealth_blackhole, +- .maxlen = sizeof(int), +- .mode = 0644, +- .proc_handler = proc_dointvec_minmax, +- .extra1 = &zero, +- .extra2 = &one, +- }, +-#endif + #endif /* CONFIG_NET */ + { + .procname = "netdev_budget", +diff -Nur a/net/ipv4/icmp.c b/net/ipv4/icmp.c +--- a/net/ipv4/icmp.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv4/icmp.c 2020-03-07 22:08:25.271177396 +0000 +@@ -195,10 +195,6 @@ + short error; /* This ICMP is classed as an error message */ + }; + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + static const struct icmp_control icmp_pointers[NR_ICMP_TYPES+1]; + + /* +@@ -938,11 +934,6 @@ + { + struct net *net; + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK)) +- return true; +-#endif +- + net = 
dev_net(skb_dst(skb)->dev); + if (!net->ipv4.sysctl_icmp_echo_ignore_all) { + struct icmp_bxm icmp_param; +@@ -970,11 +961,6 @@ + { + struct icmp_bxm icmp_param; + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (likely(sysctl_stealth_blackhole) && !(skb->dev->flags & IFF_LOOPBACK)) +- return true; +-#endif +- + /* + * Too short. + */ +diff -Nur a/net/ipv4/igmp.c b/net/ipv4/igmp.c +--- a/net/ipv4/igmp.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv4/igmp.c 2020-03-07 22:09:13.161879736 +0000 +@@ -136,10 +136,6 @@ + ((in_dev)->mr_v2_seen && \ + time_before(jiffies, (in_dev)->mr_v2_seen))) + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + static int unsolicited_report_interval(struct in_device *in_dev) + { + int interval_ms, interval_jiffies; +@@ -741,11 +737,6 @@ + __be32 dst; + int hlen, tlen; + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (likely(sysctl_stealth_blackhole)) +- return -1; +-#endif +- + if (type == IGMPV3_HOST_MEMBERSHIP_REPORT) + return igmpv3_send_report(in_dev, pmc); + +diff -Nur a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +--- a/net/ipv4/tcp_ipv4.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv4/tcp_ipv4.c 2020-03-07 22:12:16.564568875 +0000 +@@ -95,10 +95,6 @@ + struct inet_hashinfo tcp_hashinfo; + EXPORT_SYMBOL(tcp_hashinfo); + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + static u32 tcp_v4_init_seq(const struct sk_buff *skb) + { + return secure_tcp_seq(ip_hdr(skb)->daddr, +@@ -1565,9 +1561,6 @@ + return 0; + + reset: +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!likely(sysctl_stealth_blackhole)) +-#endif + tcp_v4_send_reset(rsk, skb); + discard: + kfree_skb(skb); +@@ -1716,27 +1709,6 @@ + if (!pskb_may_pull(skb, th->doff * 4)) + goto discard_it; + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (likely(sysctl_stealth_blackhole) && +- ( +- th->res1 || !tcp_flag_word(th) || +- tcp_flag_word(th) == TCP_FLAG_PSH || +- 
tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) || +- ( +- tcp_flag_word(th) & +- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) && +- tcp_flag_word(th) & TCP_FLAG_URG +- ) || +- ( +- tcp_flag_word(th) & +- (TCP_FLAG_FIN | TCP_FLAG_RST) && +- tcp_flag_word(th) & TCP_FLAG_SYN +- ) +- ) +- ) +- goto discard_it; +-#endif +- + /* An explanation is required here, I think. + * Packet length and doff are validated by header prediction, + * provided case of th->doff==0 is eliminated. +@@ -1750,22 +1722,12 @@ + lookup: + sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source, + th->dest, sdif, &refcounted); +- if (!sk) { +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- ret = 1; +-#endif +- ++ if (!sk) + goto no_tcp_socket; +- } + + process: +- if (sk->sk_state == TCP_TIME_WAIT) { +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- ret = 2; +-#endif +- ++ if (sk->sk_state == TCP_TIME_WAIT) + goto do_time_wait; +- } + + if (sk->sk_state == TCP_NEW_SYN_RECV) { + struct request_sock *req = inet_reqsk(sk); +@@ -1879,10 +1841,6 @@ + bad_packet: + __TCP_INC_STATS(net, TCP_MIB_INERRS); + } else { +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!sysctl_stealth_blackhole || (ret == 1 && +- (skb->dev->flags & IFF_LOOPBACK))) +-#endif + + tcp_v4_send_reset(NULL, skb); + } +diff -Nur a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +--- a/net/ipv4/tcp_minisocks.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv4/tcp_minisocks.c 2020-03-07 22:12:39.754908842 +0000 +@@ -29,10 +29,6 @@ + #include + #include + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + static bool tcp_in_window(u32 seq, u32 end_seq, u32 s_win, u32 e_win) + { + if (seq == s_win) +@@ -813,10 +809,6 @@ + * avoid becoming vulnerable to outside attack aiming at + * resetting legit local connections. 
+ */ +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK) +-#endif +- + req->rsk_ops->send_reset(sk, skb); + } else if (fastopen) { /* received a valid RST pkt */ + reqsk_fastopen_remove(sk, req, true); +diff -Nur a/net/ipv4/udp.c b/net/ipv4/udp.c +--- a/net/ipv4/udp.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv4/udp.c 2020-03-07 22:13:06.595302301 +0000 +@@ -128,10 +128,6 @@ + #define MAX_UDP_PORTS 65536 + #define PORTS_PER_CHAIN (MAX_UDP_PORTS / UDP_HTABLE_SIZE_MIN) + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + /* IPCB reference means this can not be used from early demux */ + static bool udp_lib_exact_dif_match(struct net *net, struct sk_buff *skb) + { +@@ -2266,9 +2262,6 @@ + goto csum_error; + + __UDP_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!likely(sysctl_stealth_blackhole) || (skb->dev->flags & IFF_LOOPBACK)) +-#endif + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); + + /* +diff -Nur a/net/ipv6/icmp.c b/net/ipv6/icmp.c +--- a/net/ipv6/icmp.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv6/icmp.c 2020-03-07 22:16:58.198696714 +0000 +@@ -72,10 +72,6 @@ + + #include + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + /* + * The ICMP socket(s). 
This is the most convenient way to flow control + * our ICMP output as well as maintain a clean interface throughout +@@ -852,9 +848,6 @@ + + switch (type) { + case ICMPV6_ECHO_REQUEST: +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!sysctl_stealth_blackhole || skb->dev->flags & IFF_LOOPBACK) +-#endif + if (!net->ipv6.sysctl.icmpv6_echo_ignore_all) + icmpv6_echo_reply(skb); + break; +diff -Nur a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +--- a/net/ipv6/tcp_ipv6.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv6/tcp_ipv6.c 2020-03-07 22:20:43.832029273 +0000 +@@ -71,10 +71,6 @@ + + #include + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb); + static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + struct request_sock *req); +@@ -1360,10 +1356,6 @@ + return 0; + + reset: +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!likely(sysctl_stealth_blackhole)) +-#endif +- + tcp_v6_send_reset(sk, skb); + discard: + if (opt_skb) +@@ -1461,27 +1453,6 @@ + if (!pskb_may_pull(skb, th->doff*4)) + goto discard_it; + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (likely(sysctl_stealth_blackhole) && +- ( +- th->res1 || !tcp_flag_word(th) || +- tcp_flag_word(th) == TCP_FLAG_PSH || +- tcp_flag_word(th) & (TCP_FLAG_CWR | TCP_FLAG_ECE) || +- ( +- tcp_flag_word(th) & +- (TCP_FLAG_SYN | TCP_FLAG_FIN | TCP_FLAG_RST) && +- tcp_flag_word(th) & TCP_FLAG_URG +- ) || +- ( +- tcp_flag_word(th) & +- (TCP_FLAG_FIN | TCP_FLAG_RST) && +- tcp_flag_word(th) & TCP_FLAG_SYN +- ) +- ) +- ) +- goto discard_it; +-#endif +- + if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo)) + goto csum_error; + +@@ -1492,22 +1463,12 @@ + sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), + th->source, th->dest, inet6_iif(skb), sdif, + &refcounted); +- if (!sk) { +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- ret = 1; +-#endif +- ++ if (!sk) + 
goto no_tcp_socket; +- } + + process: +- if (sk->sk_state == TCP_TIME_WAIT) { +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- ret = 2; +-#endif +- ++ if (sk->sk_state == TCP_TIME_WAIT) + goto do_time_wait; +- } + + if (sk->sk_state == TCP_NEW_SYN_RECV) { + struct request_sock *req = inet_reqsk(sk); +@@ -1615,11 +1576,6 @@ + bad_packet: + __TCP_INC_STATS(net, TCP_MIB_INERRS); + } else { +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!sysctl_stealth_blackhole || (ret == 1 && +- (skb->dev->flags & IFF_LOOPBACK))) +-#endif +- + tcp_v6_send_reset(NULL, skb); + } + +diff -Nur a/net/ipv6/udp.c b/net/ipv6/udp.c +--- a/net/ipv6/udp.c 2020-03-07 21:59:46.853570565 +0000 ++++ b/net/ipv6/udp.c 2020-03-07 22:21:22.692605157 +0000 +@@ -56,10 +56,6 @@ + #include + #include "udp_impl.h" + +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +-extern int sysctl_stealth_blackhole; +-#endif +- + static bool udp6_lib_exact_dif_match(struct net *net, struct sk_buff *skb) + { + #if defined(CONFIG_NET_L3_MASTER_DEV) +@@ -867,9 +863,6 @@ + goto csum_error; + + __UDP6_INC_STATS(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); +-#ifdef CONFIG_HARDENED_STEALTH_NETWORKING +- if (!likely(sysctl_stealth_blackhole) || skb->dev->flags & IFF_LOOPBACK) +-#endif + icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); + + kfree_skb(skb); +diff -Nur a/security/Kconfig b/security/Kconfig +--- a/security/Kconfig 2020-03-07 21:59:46.853570565 +0000 ++++ b/security/Kconfig 2020-03-07 22:21:47.792977092 +0000 +@@ -345,38 +345,6 @@ + enhances the random number generator. + + +-config HARDENED_STEALTH_NETWORKING +- bool "Enable stealth networking [GRSECURITY]" +- default n +- depends on NET +- help +- If you say Y here, neither TCP resets nor ICMP +- destination-unreachable packets will be sent in response to packets +- sent to ports for which no associated listening process exists. +- This feature supports both IPV4 and IPV6 and exempts the +- loopback interface from blackholing. 
Enabling this feature +- makes a host more resilient to DoS attacks and reduces network +- visibility against scanners. +- +- The blackhole feature as-implemented is equivalent to the FreeBSD +- blackhole feature, as it prevents RST responses to all packets, not +- just SYNs. Under most application behavior this causes no +- problems, but applications (like haproxy) may not close certain +- connections in a way that cleanly terminates them on the remote +- end, leaving the remote host in LAST_ACK state. Because of this +- side-effect and to prevent intentional LAST_ACK DoSes, this +- feature also adds automatic mitigation against such attacks. +- The mitigation drastically reduces the amount of time a socket +- can spend in LAST_ACK state. If you're using haproxy and not +- all servers it connects to have this option enabled, consider +- disabling this feature on the haproxy host. +- +- If the sysctl option is enabled, a sysctl option with names +- "ip_blackhole" will be created. +- This sysctl, "ip_blackhole" takes the standard zero/non-zero +- on/off toggle to enable or disable this feature. +- +- + config HARDENED_NO_SIMULT_CONNECT + bool "Disable simultaneous TCP connections [GRSECURITY]" + default n -- cgit v1.2.3
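Review bot: The include/uapi/linux/ip.h hunk at the top of this patch removes the `#ifdef CONFIG_HARDENED_STEALTH_NETWORKING`, `#define IPDEFTTL 128` and `#else` lines but keeps `#endif` as an unchanged context line, so after the patch is applied ip.h carries an `#endif` with no matching `#if` and will not preprocess, unless the hardened tree wraps IPDEFTTL in a further conditional not visible here. That line needs to go as well, i.e. the context line ` #endif` should become `-#endif` and the hunk header `@@ -66,9 +66,5 @@`. It is also worth spelling out in the commit message what posture is being given up: TCP RSTs, ICMP/ICMPv6 port-unreachable and echo replies are re-enabled on non-loopback interfaces and the default TTL drops from 128 to 64, so closed ports become visible to scanners again. Since the removed Kconfig entry is `default n` and the feature had a runtime toggle (`ip_blackhole`, registered in sysctl_net_core.c so presumably `net.core.ip_blackhole`, range 0/1), dropping the `=y` from 4.19-amd64.config alone, or setting that sysctl to 0, would have disabled it without carrying a 426-line reverse patch; that is the lighter option if the IPv6 breakage is expected to be fixed later.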