Diffstat (limited to 'libre/linux-libre-grsec')
-rw-r--r-- | libre/linux-libre-grsec/0013-efistub-fix.patch | 177 | ||||
-rw-r--r-- | libre/linux-libre-grsec/PKGBUILD | 32 | ||||
-rw-r--r-- | libre/linux-libre-grsec/config.i686 | 9 | ||||
-rw-r--r-- | libre/linux-libre-grsec/config.x86_64 | 10 | ||||
-rw-r--r-- | libre/linux-libre-grsec/linux-libre-grsec.install | 45 | ||||
-rw-r--r-- | libre/linux-libre-grsec/sysctl.conf | 131 |
6 files changed, 23 insertions, 381 deletions
diff --git a/libre/linux-libre-grsec/0013-efistub-fix.patch b/libre/linux-libre-grsec/0013-efistub-fix.patch
deleted file mode 100644
index a2da3b63a..000000000
--- a/libre/linux-libre-grsec/0013-efistub-fix.patch
+++ /dev/null
@@ -1,177 +0,0 @@ -From c7fb93ec51d462ec3540a729ba446663c26a0505 Mon Sep 17 00:00:00 2001 -From: Michael Brown <mbrown@fensystems.co.uk> -Date: Thu, 10 Jul 2014 12:26:20 +0100 -Subject: x86/efi: Include a .bss section within the PE/COFF headers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The PE/COFF headers currently describe only the initialised-data -portions of the image, and result in no space being allocated for the -uninitialised-data portions. Consequently, the EFI boot stub will end -up overwriting unexpected areas of memory, with unpredictable results. - -Fix by including a .bss section in the PE/COFF headers (functionally -equivalent to the init_size field in the bzImage header). - -Signed-off-by: Michael Brown <mbrown@fensystems.co.uk> -Cc: Thomas Bächler <thomas@archlinux.org> -Cc: Josh Boyer <jwboyer@fedoraproject.org> -Cc: <stable@vger.kernel.org> -Signed-off-by: Matt Fleming <matt.fleming@intel.com> - -diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S -index 84c2234..7a6d43a 100644 ---- a/arch/x86/boot/header.S -+++ b/arch/x86/boot/header.S -@@ -91,10 +91,9 @@ bs_die: - - .section ".bsdata", "a" - bugger_off_msg: -- .ascii "Direct floppy boot is not supported. " -- .ascii "Use a boot loader program instead.\r\n" -+ .ascii "Use a boot loader.\r\n" - .ascii "\n" -- .ascii "Remove disk and press any key to reboot ...\r\n" -+ .ascii "Remove disk and press any key to reboot...\r\n" - .byte 0 - - #ifdef CONFIG_EFI_STUB -@@ -108,7 +107,7 @@ coff_header: - #else - .word 0x8664 # x86-64 - #endif -- .word 3 # nr_sections -+ .word 4 # nr_sections - .long 0 # TimeDateStamp - .long 0 # PointerToSymbolTable - .long 1 # NumberOfSymbols -@@ -250,6 +249,25 @@ section_table: - .word 0 # NumberOfLineNumbers - .long 0x60500020 # Characteristics (section flags) - -+ # -+ # The offset & size fields are filled in by build.c. 
-+ # -+ .ascii ".bss" -+ .byte 0 -+ .byte 0 -+ .byte 0 -+ .byte 0 -+ .long 0 -+ .long 0x0 -+ .long 0 # Size of initialized data -+ # on disk -+ .long 0x0 -+ .long 0 # PointerToRelocations -+ .long 0 # PointerToLineNumbers -+ .word 0 # NumberOfRelocations -+ .word 0 # NumberOfLineNumbers -+ .long 0xc8000080 # Characteristics (section flags) -+ - #endif /* CONFIG_EFI_STUB */ - - # Kernel attributes; used by setup. This is part 1 of the -diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c -index 1a2f212..a7661c4 100644 ---- a/arch/x86/boot/tools/build.c -+++ b/arch/x86/boot/tools/build.c -@@ -143,7 +143,7 @@ static void usage(void) - - #ifdef CONFIG_EFI_STUB - --static void update_pecoff_section_header(char *section_name, u32 offset, u32 size) -+static void update_pecoff_section_header_fields(char *section_name, u32 vma, u32 size, u32 datasz, u32 offset) - { - unsigned int pe_header; - unsigned short num_sections; -@@ -164,10 +164,10 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz - put_unaligned_le32(size, section + 0x8); - - /* section header vma field */ -- put_unaligned_le32(offset, section + 0xc); -+ put_unaligned_le32(vma, section + 0xc); - - /* section header 'size of initialised data' field */ -- put_unaligned_le32(size, section + 0x10); -+ put_unaligned_le32(datasz, section + 0x10); - - /* section header 'file offset' field */ - put_unaligned_le32(offset, section + 0x14); -@@ -179,6 +179,11 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz - } - } - -+static void update_pecoff_section_header(char *section_name, u32 offset, u32 size) -+{ -+ update_pecoff_section_header_fields(section_name, offset, size, size, offset); -+} -+ - static void update_pecoff_setup_and_reloc(unsigned int size) - { - u32 setup_offset = 0x200; -@@ -203,9 +208,6 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz) - - pe_header = get_unaligned_le32(&buf[0x3c]); - -- /* 
Size of image */ -- put_unaligned_le32(file_sz, &buf[pe_header + 0x50]); -- - /* - * Size of code: Subtract the size of the first sector (512 bytes) - * which includes the header. -@@ -220,6 +222,22 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz) - update_pecoff_section_header(".text", text_start, text_sz); - } - -+static void update_pecoff_bss(unsigned int file_sz, unsigned int init_sz) -+{ -+ unsigned int pe_header; -+ unsigned int bss_sz = init_sz - file_sz; -+ -+ pe_header = get_unaligned_le32(&buf[0x3c]); -+ -+ /* Size of uninitialized data */ -+ put_unaligned_le32(bss_sz, &buf[pe_header + 0x24]); -+ -+ /* Size of image */ -+ put_unaligned_le32(init_sz, &buf[pe_header + 0x50]); -+ -+ update_pecoff_section_header_fields(".bss", file_sz, bss_sz, 0, 0); -+} -+ - static int reserve_pecoff_reloc_section(int c) - { - /* Reserve 0x20 bytes for .reloc section */ -@@ -259,6 +277,8 @@ static void efi_stub_entry_update(void) - static inline void update_pecoff_setup_and_reloc(unsigned int size) {} - static inline void update_pecoff_text(unsigned int text_start, - unsigned int file_sz) {} -+static inline void update_pecoff_bss(unsigned int file_sz, -+ unsigned int init_sz) {} - static inline void efi_stub_defaults(void) {} - static inline void efi_stub_entry_update(void) {} - -@@ -310,7 +330,7 @@ static void parse_zoffset(char *fname) - - int main(int argc, char ** argv) - { -- unsigned int i, sz, setup_sectors; -+ unsigned int i, sz, setup_sectors, init_sz; - int c; - u32 sys_size; - struct stat sb; -@@ -376,7 +396,9 @@ int main(int argc, char ** argv) - buf[0x1f1] = setup_sectors-1; - put_unaligned_le32(sys_size, &buf[0x1f4]); - -- update_pecoff_text(setup_sectors * 512, sz + i + ((sys_size * 16) - sz)); -+ update_pecoff_text(setup_sectors * 512, i + (sys_size * 16)); -+ init_sz = get_unaligned_le32(&buf[0x260]); -+ update_pecoff_bss(i + (sys_size * 16), init_sz); - - efi_stub_entry_update(); - --- -cgit v0.10.1 - 
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index 9d404588d..872a8cdbd 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -1,3 +1,4 @@
+# $Id: PKGBUILD 117382 2014-08-14 07:07:04Z thestinger $
 # Maintainer (Arch): Daniel Micay <danielmicay@gmail.com>
 # Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
 # Contributor (Arch): Thomas Baechler <thomas@archlinux.org>
@@ -13,13 +14,13 @@
 pkgbase=linux-libre-grsec # Build stock -libre-grsec kernel
 #pkgbase=linux-libre-custom # Build kernel with a different name
 _basekernel=3.15
-_sublevel=6
+_sublevel=10
 _grsecver=3.0
-_timestamp=201407280729
+_timestamp=201408140023
 _pkgver=${_basekernel}.${_sublevel}
 pkgver=${_basekernel}.${_sublevel}.${_timestamp}
 pkgrel=1
-_lxopkgver=${_basekernel}.6 # nearly always the same as pkgver
+_lxopkgver=${_basekernel}.9 # nearly always the same as pkgver
 arch=('i686' 'x86_64' 'mips64el')
 url="https://grsecurity.net/"
 license=('GPL2')
@@ -37,23 +38,19 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
 'Kbuild.platforms'
 'boot-logo.patch'
 'change-default-console-loglevel.patch'
- '0013-efistub-fix.patch'
- 'sysctl.conf'
 "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
 sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
- '1966964395bd9331843c8d6dacbf661c9061e90c81bf8609d995ed458d57e358'
- '28f31111afab6e7d23c1bf486537c68ef0bb72f90e8504ef7202d6cb85b27cfd'
+ 'c58b09c71666a79f5dcf83d05aaa5d64ab3fb83782a7dadabdc1a4e29c5b09ab'
+ 'b4072cb368bba37ff8d538068016f60891d5d0c1206bb9821090b08a44bf3d11'
 'SKIP'
- '9d926dcaf6ae07359619337ba2e17e36e8b23837b9e423e391f304f21c95de75'
- '5037a8058ee020195d99b7c127d8634e77a281e31fa56c656b7d8661cac63665'
+ 'd47cc4487a687782d4010c81002a48ee0171981863ab38b9f656d6e780d4a297'
+ 'b4e55b41c014df808daad8105e4cbbf684df94641c213d2d9e6fc87e2a4ea59f'
 '9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486'
 'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b'
 '55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9'
 'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6'
 'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
- '937dc895b4f5948381775a75bd198ed2f157a9f356da0ab5a5006f9f1dacde5c'
- 'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31'
- '38beb22b3d9f548fff897c0690dad330443ef24e48d414cf8dbc682f40501fab')
+ '1a0c1d5e3c46306766304663e9d4503ca452c4f93d5154a4ca43a03588e20d00')
 if [ "$CARCH" != "mips64el" ]; then
 # don't use the Loongson-specific patches on non-mips64el arches.
 unset source[${#source[@]}-1]
@@ -85,10 +82,6 @@ prepare() { # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227) patch -p1 -i "${srcdir}/change-default-console-loglevel.patch" - # fix efistub hang #33745 - # https://git.kernel.org/cgit/linux/kernel/git/mfleming/efi.git/patch/?id=c7fb93ec51d462ec3540a729ba446663c26a0505 - patch -Np1 -i "${srcdir}/0013-efistub-fix.patch" - if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \ @@ -155,14 +148,14 @@ build() { _package() { pkgdesc="The ${pkgbase^} kernel and modules with grsecurity/PaX patches" [ "${pkgbase}" = "linux-libre" ] && groups=('base') - depends=('coreutils' 'linux-libre-firmware' 'kmod') + depends=('coreutils' 'linux-libre-firmware' 'kmod' 'grsec-common') optdepends=('crda: to set the correct wireless channels of your country' 'gradm: to configure and enable Role Based Access Control (RBAC)' 'paxd: to enable PaX exploit mitigations and apply exceptions automatically') provides=("kernel26${_kernelname}=${pkgver}" "linux${_kernelname}=${pkgver}") conflicts=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}") replaces=("kernel26${_kernelname}" "kernel26-libre${_kernelname}" "linux${_kernelname}") - backup=("etc/mkinitcpio.d/${pkgbase}.preset" 'etc/sysctl.d/05-grsecurity.conf') + backup=("etc/mkinitcpio.d/${pkgbase}.preset") install=${pkgbase}.install if [ "$CARCH" = "mips64el" ]; then optdepends+=('mkinitcpio: to make the initramfs (needs reinstall of this package)') 
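Review bot: In the `_package()` hunk, `depends` gains 'grsec-common' and the `backup` entry for etc/sysctl.d/05-grsecurity.conf goes away, but nothing in the PKGBUILD says that the grsecurity sysctl defaults now come from that package; the sysctl.conf deleted further down in this commit states that every kernel.grsecurity.* feature is off in the kernel until a sysctl file turns it on, so if grsec-common does not ship an equivalent file an upgrade silently drops the hardening. A one-line comment would make the dependency self-explaining: `# grsec-common now owns the grsecurity sysctl defaults (formerly etc/sysctl.d/05-grsecurity.conf from this package)`. Users who locally edited the old file presumably end up with a .pacsave rather than a migrated configuration, which the commit message could mention. _package() continues outside the hunk.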
@@ -244,9 +237,6 @@ _package() { mkdir -p "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin" install -m644 tools/gcc/size_overflow_plugin/Makefile tools/gcc/size_overflow_plugin/*.so \ "$pkgdir/usr/lib/modules/${_kernver}/build/tools/gcc/size_overflow_plugin" - - # install sysctl configuration for grsecurity switches - install -Dm600 "${srcdir}/sysctl.conf" "${pkgdir}/etc/sysctl.d/05-grsecurity.conf" } _package-headers() { diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686 index d0db896c0..170ee212b 100644 --- a/libre/linux-libre-grsec/config.i686 +++ b/libre/linux-libre-grsec/config.i686 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.15.6.201407232200-2 Kernel Configuration +# Linux/x86 3.15.10.201408140023-1 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -157,7 +157,7 @@ CONFIG_BLK_CGROUP=y CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y -# CONFIG_USER_NS is not set +CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_SCHED_AUTOGROUP=y @@ -326,6 +326,7 @@ CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y CONFIG_ASN1=m CONFIG_UNINLINE_SPIN_UNLOCK=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y CONFIG_MUTEX_SPIN_ON_OWNER=y CONFIG_FREEZER=y @@ -413,6 +414,8 @@ CONFIG_X86_MCE_THRESHOLD=y # CONFIG_X86_MCE_INJECT is not set CONFIG_X86_THERMAL_VECTOR=y CONFIG_VM86=y +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX32=y CONFIG_TOSHIBA=m CONFIG_I8K=m CONFIG_X86_REBOOTFIXUPS=y @@ -1643,8 +1646,8 @@ CONFIG_OF_MDIO=m CONFIG_OF_PCI=y CONFIG_OF_PCI_IRQ=y CONFIG_OF_MTD=y -CONFIG_PARPORT=m CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +CONFIG_PARPORT=m CONFIG_PARPORT_PC=m CONFIG_PARPORT_SERIAL=m # CONFIG_PARPORT_PC_FIFO is not set diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64 index d42ce144f..121a42e4d 100644 --- a/libre/linux-libre-grsec/config.x86_64 +++ b/libre/linux-libre-grsec/config.x86_64 
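Review bot: Flipping `# CONFIG_USER_NS is not set` to `CONFIG_USER_NS=y` in the `@@ -157,7 +157,7 @@` hunk of config.i686 opens user-namespace creation to unprivileged processes, which exposes far more reachable kernel code than the other option additions in this config refresh, and the commit gives no rationale for it; config.x86_64 makes the same flip in its `@@ -164,7 +164,7 @@` hunk. Whether the grsecurity side of this kernel constrains unprivileged namespace creation is not visible on this page, so the reason for enabling it (presumably container support) and what restricts it belongs in the commit message, since a regenerated .config would not keep an inline comment. The `CONFIG_X86_16BIT=y` and `CONFIG_X86_ESPFIX32=y` lines presumably accompany the 3.15.10 sublevel bump and need nothing further.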
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.15.6.201407232200-2 Kernel Configuration +# Linux/x86 3.15.10.201408140023-1 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -164,7 +164,7 @@ CONFIG_BLK_CGROUP=y CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y -# CONFIG_USER_NS is not set +CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_SCHED_AUTOGROUP=y @@ -339,6 +339,7 @@ CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y CONFIG_ASN1=m CONFIG_UNINLINE_SPIN_UNLOCK=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y CONFIG_MUTEX_SPIN_ON_OWNER=y CONFIG_FREEZER=y @@ -404,6 +405,8 @@ CONFIG_X86_MCE_AMD=y CONFIG_X86_MCE_THRESHOLD=y # CONFIG_X86_MCE_INJECT is not set CONFIG_X86_THERMAL_VECTOR=y +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y CONFIG_I8K=m CONFIG_MICROCODE=m # CONFIG_MICROCODE_INTEL is not set @@ -1602,8 +1605,8 @@ CONFIG_MTD_UBI_BEB_LIMIT=20 # CONFIG_MTD_UBI_FASTMAP is not set # CONFIG_MTD_UBI_GLUEBI is not set # CONFIG_MTD_UBI_BLOCK is not set -CONFIG_PARPORT=m CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +CONFIG_PARPORT=m CONFIG_PARPORT_PC=m CONFIG_PARPORT_SERIAL=m # CONFIG_PARPORT_PC_FIFO is not set @@ -2990,7 +2993,6 @@ CONFIG_INPUT_ADXL34X_SPI=m # CONFIG_INPUT_IMS_PCU is not set CONFIG_INPUT_CMA3000=m CONFIG_INPUT_CMA3000_I2C=m -CONFIG_INPUT_XEN_KBDDEV_FRONTEND=m CONFIG_INPUT_IDEAPAD_SLIDEBAR=m # diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install index 22a798dfa..572c893d1 100644 --- a/libre/linux-libre-grsec/linux-libre-grsec.install +++ b/libre/linux-libre-grsec/linux-libre-grsec.install 
@@ -15,46 +15,6 @@ EOF fi } -_add_groups() { - if getent group tpe-trusted >/dev/null; then - groupmod -g 200 -n tpe tpe-trusted - fi - - if ! getent group tpe >/dev/null; then - groupadd -g 200 -r tpe - fi - - if ! getent group audit >/dev/null; then - groupadd -g 201 -r audit - fi - - if getent group socket-deny-all >/dev/null; then - groupmod -g 202 socket-deny-all - else - groupadd -g 202 -r socket-deny-all - fi - - if getent group socket-deny-client >/dev/null; then - groupmod -g 203 socket-deny-client - else - groupadd -g 203 -r socket-deny-client - fi - - if getent group socket-deny-server >/dev/null; then - groupmod -g 204 socket-deny-server - else - groupadd -g 204 -r socket-deny-server - fi -} - -_remove_groups() { - for group in tpe socket-deny-server socket-deny-client socket-deny-all; do - if getent group $group >/dev/null; then - groupdel $group - fi - done -} - post_install () { # updating module dependencies echo ">>> Updating module dependencies. Please wait ..." @@ -64,7 +24,6 @@ post_install () { mkinitcpio -p linux-libre${KERNEL_NAME} fi - _add_groups _uderef_warning } @@ -91,8 +50,6 @@ post_upgrade() { echo ">>> include the 'keyboard' hook in your mkinitcpio.conf." fi - _add_groups - if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then _uderef_warning fi @@ -102,6 +59,4 @@ post_remove() { # also remove the compat symlinks rm -f boot/initramfs-linux-libre${KERNEL_NAME}.img rm -f boot/initramfs-linux-libre${KERNEL_NAME}-fallback.img - - _remove_groups } diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf deleted file mode 100644 index a5f6bf83e..000000000 --- a/libre/linux-libre-grsec/sysctl.conf +++ /dev/null 
@@ -1,131 +0,0 @@ -# All features in the kernel.grsecurity namespace are disabled by default in -# the kernel and must be enabled here. - -# -# Disable PaX enforcement by default. -# -# The `paxd` package sets softmode back to 0 in a configuration file loaded -# after this one. It automatically handles setting exceptions from the PaX -# exploit mitigations after Pacman operations. Altering the setting here rather -# than using `paxd` is not recommended. -# - -kernel.pax.softmode = 1 - -# -# Memory protections -# - -#kernel.grsecurity.disable_priv_io = 1 -kernel.grsecurity.deter_bruteforce = 1 - -# -# Race free SymLinksIfOwnerMatch for web servers -# -# symlinkown_gid: http group -# - -kernel.grsecurity.enforce_symlinksifowner = 1 -kernel.grsecurity.symlinkown_gid = 33 - -# -# FIFO restrictions -# -# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp), -# unless the owner of the FIFO is the same owner of the directory it's held in. -# - -kernel.grsecurity.fifo_restrictions = 1 - -# -# Deny any further rw mounts -# - -#kernel.grsecurity.romount_protect = 1 - -# -# chroot restrictions (the commented options will break containers) -# - -#kernel.grsecurity.chroot_caps = 1 -#kernel.grsecurity.chroot_deny_chmod = 1 -#kernel.grsecurity.chroot_deny_chroot = 1 -kernel.grsecurity.chroot_deny_fchdir = 1 -#kernel.grsecurity.chroot_deny_mknod = 1 -#kernel.grsecurity.chroot_deny_mount = 1 -#kernel.grsecurity.chroot_deny_pivot = 1 -kernel.grsecurity.chroot_deny_shmat = 1 -kernel.grsecurity.chroot_deny_sysctl = 1 -kernel.grsecurity.chroot_deny_unix = 1 -kernel.grsecurity.chroot_enforce_chdir = 1 -kernel.grsecurity.chroot_findtask = 1 -#kernel.grsecurity.chroot_restrict_nice = 1 - -# -# Kernel auditing -# -# audit_group: Restrict exec/chdir logging to a group. 
-# audit_gid: audit group -# - -#kernel.grsecurity.audit_group = 1 -kernel.grsecurity.audit_gid = 201 -#kernel.grsecurity.exec_logging = 1 -#kernel.grsecurity.resource_logging = 1 -#kernel.grsecurity.chroot_execlog = 1 -#kernel.grsecurity.audit_ptrace = 1 -#kernel.grsecurity.audit_chdir = 1 -#kernel.grsecurity.audit_mount = 1 -#kernel.grsecurity.signal_logging = 1 -#kernel.grsecurity.forkfail_logging = 1 -#kernel.grsecurity.timechange_logging = 1 -kernel.grsecurity.rwxmap_logging = 1 - -# -# Executable protections -# - -kernel.grsecurity.harden_ptrace = 1 -kernel.grsecurity.ptrace_readexec = 1 -kernel.grsecurity.consistent_setxid = 1 -kernel.grsecurity.harden_ipc = 1 - -# -# Trusted Path Execution -# -# tpe_gid: tpe group -# - -#kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 200 -#kernel.grsecurity.tpe_invert = 1 -#kernel.grsecurity.tpe_restrict_all = 1 - -# -# Network protections -# -# socket_all_gid: socket-deny-all group -# socket_client_gid: socket-deny-client group -# socket_server_gid: socket-deny-server group -# - -#kernel.grsecurity.ip_blackhole = 1 -kernel.grsecurity.lastack_retries = 4 -kernel.grsecurity.socket_all = 1 -kernel.grsecurity.socket_all_gid = 202 -kernel.grsecurity.socket_client = 1 -kernel.grsecurity.socket_client_gid = 203 -kernel.grsecurity.socket_server = 1 -kernel.grsecurity.socket_server_gid = 204 - -# -# Prevent any new USB devices from being recognized by the OS. -# - -#kernel.grsecurity.deny_new_usb = 1 - -# -# Restrict grsec sysctl changes after this was set -# - -kernel.grsecurity.grsec_lock = 0 |