config GRKERNSEC_RAND_THREADSTACK
        bool "Insert random gaps between thread stacks"
        default y if GRKERNSEC_CONFIG_AUTO
        depends on PAX_RANDMMAP && !PPC
        help
          If you say Y here, a random-sized gap will be enforced between allocated
          thread stacks.  Glibc's NPTL and other threading libraries that
          pass MAP_STACK to the kernel for thread stack allocation are supported.
          The implementation currently provides 8 bits of entropy for the gap.

          Many distributions do not compile threaded remote services with the
          -fstack-check argument to GCC, causing the variable-sized stack-based
          allocator, alloca(), to not probe the stack on allocation.  This
          permits an unbounded alloca() to skip over any guard page and potentially
          modify another thread's stack reliably.  An enforced random gap
          reduces the reliability of such an attack and increases the chance
          that such a read/write to another thread's stack instead lands in
          an unmapped area, causing a crash and triggering grsecurity's
          anti-bruteforcing logic.


config GRKERNSEC_DEVICE_SIDECHANNEL
        bool "Eliminate stat/notify-based device sidechannels"
        default y if GRKERNSEC_CONFIG_AUTO
        help
          If you say Y here, timing analyses on block or character
          devices like /dev/ptmx using stat or inotify/dnotify/fanotify
          will be thwarted for unprivileged users.  If a process without
          CAP_MKNOD stats such a device, the last access and last modify times
          will match the device's create time.  No access or modify events
          will be triggered through inotify/dnotify/fanotify for such devices.
          This feature will prevent attacks that may at a minimum
          allow an attacker to determine the administrator's password length.

config GRKERNSEC_NO_SIMULT_CONNECT
        bool "Disable TCP Simultaneous Connect"
        default y if GRKERNSEC_CONFIG_AUTO
        depends on NET
        help
          If you say Y here, a feature by Willy Tarreau will be enabled that
          removes a weakness in Linux's strict implementation of TCP that
          allows two clients to connect to each other without either entering
          a listening state.  The weakness allows an attacker to easily prevent
          a client from connecting to a known server provided the source port
          for the connection is guessed correctly.

          As the weakness could be used to prevent an antivirus or IPS from
          fetching updates, or prevent an SSL gateway from fetching a CRL,
          it should be eliminated by enabling this option.  Though Linux is
          one of few operating systems supporting simultaneous connect, it
          has no legitimate use in practice and is rarely supported by firewalls.