commit: 65c697fdf79d5963e55e40a17b1f148164143416 |
Author: Anthony G. Basile <basile <AT> opensource <DOT> dyc <DOT> edu> |
AuthorDate: Sun Feb 13 17:03:56 2011 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 13 17:03:56 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=65c697fd |
|
Update Grsec/PaX |
2.2.1-2.6.32.28-201102121148 |
2.2.1-2.6.37-201102121148 |
|
--- |
2.6.32/0000_README | 2 +- |
..._grsecurity-2.2.1-2.6.32.28-201102121148.patch} | 290 +++++++++++---- |
2.6.37/0000_README | 2 +- |
...420_grsecurity-2.2.1-2.6.37-201102121148.patch} | 392 +++++++++++++++----- |
4 files changed, 523 insertions(+), 163 deletions(-) |
|
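--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
 
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch
+Patch: 4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 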
diff --git a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch b/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch |
34 |
similarity index 99% |
35 |
rename from 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch |
36 |
rename to 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch |
37 |
index 578be36..b1b6990 100644 |
38 |
--- a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch |
39 |
+++ b/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch |
40 |
@@ -8043,7 +8043,7 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mman.h linux-2.6.32.28/arch/x86/ |
41 |
#endif /* _ASM_X86_MMAN_H */ |
42 |
diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/arch/x86/include/asm/mmu_context.h |
43 |
--- linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-08-13 16:24:37.000000000 -0400 |
44 |
-+++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-12-31 14:46:53.000000000 -0500 |
45 |
++++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2011-02-12 11:05:01.000000000 -0500 |
46 |
@@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m |
47 |
|
48 |
static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) |
49 |
@@ -8075,8 +8075,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/ar |
50 |
+#endif |
51 |
|
52 |
if (likely(prev != next)) { |
53 |
- /* stop flush ipis for the previous mm */ |
54 |
- cpumask_clear_cpu(cpu, mm_cpumask(prev)); |
55 |
+- /* stop flush ipis for the previous mm */ |
56 |
+- cpumask_clear_cpu(cpu, mm_cpumask(prev)); |
57 |
#ifdef CONFIG_SMP |
58 |
+#ifdef CONFIG_X86_32 |
59 |
+ tlbstate = percpu_read(cpu_tlbstate.state); |
60 |
@@ -8096,6 +8096,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/ar |
61 |
+#else |
62 |
load_cr3(next->pgd); |
63 |
+#endif |
64 |
++ /* stop flush ipis for the previous mm */ |
65 |
++ cpumask_clear_cpu(cpu, mm_cpumask(prev)); |
66 |
|
67 |
/* |
68 |
* load the LDT, if the LDT is different: |
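Review bot: The relocated comment `/* stop flush ipis for the previous mm */` says what `cpumask_clear_cpu(cpu, mm_cpumask(prev))` does but not why it now has to follow `load_cr3(next->pgd)`, and that ordering is the whole point of this hunk and of the matching removal in the hunk above. Presumably the CPU has to stay in prev's cpumask until it has stopped using prev's page tables, so that a concurrent TLB flush request still reaches it; I would spell that out, e.g. `/* Stop flush IPIs for prev only after CR3 has been switched: until then this CPU can still cache translations from prev. */`. The arm of the conditional that precedes `#else` lies outside the hunk, so it is worth confirming that every arm has finished its page-table switch before this line is reached.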
69 |
@@ -32254,7 +32256,7 @@ diff -urNp linux-2.6.32.28/fs/ecryptfs/inode.c linux-2.6.32.28/fs/ecryptfs/inode |
70 |
goto out_free; |
71 |
diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32.28/fs/exec.c |
72 |
--- linux-2.6.32.28/fs/exec.c 2011-01-11 23:55:35.000000000 -0500 |
73 |
-+++ linux-2.6.32.28/fs/exec.c 2011-01-11 23:56:03.000000000 -0500 |
74 |
++++ linux-2.6.32.28/fs/exec.c 2011-02-12 11:21:23.000000000 -0500 |
75 |
@@ -56,12 +56,24 @@ |
76 |
#include <linux/fsnotify.h> |
77 |
#include <linux/fs_struct.h> |
78 |
@@ -32839,7 +32841,7 @@ diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32.28/fs/exec.c |
79 |
*/ |
80 |
clear_thread_flag(TIF_SIGPENDING); |
81 |
|
82 |
-+ if (signr == SIGKILL || signr == SIGILL) |
83 |
++ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL) |
84 |
+ gr_handle_brute_attach(current); |
85 |
+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1); |
86 |
+ |
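Review bot: The signal list in `if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)` carries no comment saying why these four are treated as input to `gr_handle_brute_attach()`, which makes the set hard to audit as it grows. A one-line comment such as `/* signals a crashing process is typically terminated with; feeds the brute-force deterrent */` would document the intent. It is also worth confirming that leaving out SIGABRT is deliberate, since userland hardening checks usually terminate the process through abort(). The call appears to sit in the core-dump path (it is followed by `gr_learn_resource(current, RLIMIT_CORE, ...)`), and the enclosing function starts and ends outside the hunk.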
87 |
@@ -51234,7 +51236,24 @@ diff -urNp linux-2.6.32.28/kernel/cpu.c linux-2.6.32.28/kernel/cpu.c |
88 |
* Should always be manipulated under cpu_add_remove_lock |
89 |
diff -urNp linux-2.6.32.28/kernel/cred.c linux-2.6.32.28/kernel/cred.c |
90 |
--- linux-2.6.32.28/kernel/cred.c 2010-08-13 16:24:37.000000000 -0400 |
91 |
-+++ linux-2.6.32.28/kernel/cred.c 2010-12-31 14:46:53.000000000 -0500 |
92 |
++++ linux-2.6.32.28/kernel/cred.c 2011-02-12 10:44:11.000000000 -0500 |
93 |
+@@ -231,13 +231,13 @@ struct cred *cred_alloc_blank(void) |
94 |
+ #endif |
95 |
+ |
96 |
+ atomic_set(&new->usage, 1); |
97 |
++#ifdef CONFIG_DEBUG_CREDENTIALS |
98 |
++ new->magic = CRED_MAGIC; |
99 |
++#endif |
100 |
+ |
101 |
+ if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) |
102 |
+ goto error; |
103 |
+ |
104 |
+-#ifdef CONFIG_DEBUG_CREDENTIALS |
105 |
+- new->magic = CRED_MAGIC; |
106 |
+-#endif |
107 |
+ return new; |
108 |
+ |
109 |
+ error: |
110 |
@@ -520,6 +520,8 @@ int commit_creds(struct cred *new) |
111 |
|
112 |
get_cred(new); /* we will require a ref for the subj creds too */ |
113 |
@@ -51244,6 +51263,37 @@ diff -urNp linux-2.6.32.28/kernel/cred.c linux-2.6.32.28/kernel/cred.c |
114 |
/* dumpability changes */ |
115 |
if (old->euid != new->euid || |
116 |
old->egid != new->egid || |
117 |
+@@ -696,6 +698,8 @@ struct cred *prepare_kernel_cred(struct |
118 |
+ validate_creds(old); |
119 |
+ |
120 |
+ *new = *old; |
121 |
++ atomic_set(&new->usage, 1); |
122 |
++ set_cred_subscribers(new, 0); |
123 |
+ get_uid(new->user); |
124 |
+ get_group_info(new->group_info); |
125 |
+ |
126 |
+@@ -713,8 +717,6 @@ struct cred *prepare_kernel_cred(struct |
127 |
+ if (security_prepare_creds(new, old, GFP_KERNEL) < 0) |
128 |
+ goto error; |
129 |
+ |
130 |
+- atomic_set(&new->usage, 1); |
131 |
+- set_cred_subscribers(new, 0); |
132 |
+ put_cred(old); |
133 |
+ validate_creds(new); |
134 |
+ return new; |
135 |
+@@ -787,7 +789,11 @@ bool creds_are_invalid(const struct cred |
136 |
+ if (cred->magic != CRED_MAGIC) |
137 |
+ return true; |
138 |
+ #ifdef CONFIG_SECURITY_SELINUX |
139 |
+- if (selinux_is_enabled()) { |
140 |
++ /* |
141 |
++ * cred->security == NULL if security_cred_alloc_blank() or |
142 |
++ * security_prepare_creds() returned an error. |
143 |
++ */ |
144 |
++ if (selinux_is_enabled() && cred->security) { |
145 |
+ if ((unsigned long) cred->security < PAGE_SIZE) |
146 |
+ return true; |
147 |
+ if ((*(u32 *)cred->security & 0xffffff00) == |
148 |
diff -urNp linux-2.6.32.28/kernel/exit.c linux-2.6.32.28/kernel/exit.c |
149 |
--- linux-2.6.32.28/kernel/exit.c 2011-01-11 23:55:35.000000000 -0500 |
150 |
+++ linux-2.6.32.28/kernel/exit.c 2010-12-31 14:46:53.000000000 -0500 |
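Review bot: With `if (selinux_is_enabled() && cred->security)` in creds_are_invalid(), a NULL `->security` now skips the whole SELinux sanity block for every caller, not only on the two error paths the new comment names. Before this change the `(unsigned long) cred->security < PAGE_SIZE` test reported a NULL pointer as invalid, so a cred in normal use whose `->security` is unexpectedly NULL is no longer caught by this block (the `cred->magic` test just above still applies). I would extend the comment to record that trade-off, e.g. `* NULL is therefore accepted here; a live cred with a NULL ->security is not detected by this check.` The rest of creds_are_invalid() is outside the hunk.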
151 |
@@ -51816,8 +51866,8 @@ diff -urNp linux-2.6.32.28/kernel/kgdb.c linux-2.6.32.28/kernel/kgdb.c |
152 |
|
153 |
diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2.6.32.28/kernel/kmod.c |
154 |
--- linux-2.6.32.28/kernel/kmod.c 2010-08-13 16:24:37.000000000 -0400 |
155 |
-+++ linux-2.6.32.28/kernel/kmod.c 2010-12-31 14:46:53.000000000 -0500 |
156 |
-@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch |
157 |
++++ linux-2.6.32.28/kernel/kmod.c 2011-02-12 10:58:19.000000000 -0500 |
158 |
+@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch |
159 |
if (ret >= MODULE_NAME_LEN) |
160 |
return -ENAMETOOLONG; |
161 |
|
162 |
@@ -51828,7 +51878,17 @@ diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2.6.32.28/kernel/kmod.c |
163 |
+ auto-loaded |
164 |
+ */ |
165 |
+ if (current_uid()) { |
166 |
-+ gr_log_nonroot_mod_load(module_name); |
167 |
++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE) |
168 |
++ /* There are known knowns. These are things we know |
169 |
++ that we know. There are known unknowns. That is to say, |
170 |
++ there are things that we know we don't know. But there are |
171 |
++ also unknown unknowns. There are things we don't know |
172 |
++ we don't know. |
173 |
++ This here is a known unknown. |
174 |
++ */ |
175 |
++ if (strcmp(module_name, "net-pf-10")) |
176 |
++#endif |
177 |
++ gr_log_nonroot_mod_load(module_name); |
178 |
+ return -EPERM; |
179 |
+ } |
180 |
+#endif |
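Review bot: The comment added above `if (strcmp(module_name, "net-pf-10"))` is a quotation and does not tell a maintainer what is special about that alias, nor that only the log line is skipped while the request is still refused with `-EPERM`. Presumably `net-pf-10` is the alias requested when an unprivileged process opens an IPv6 socket on a kernel built without IPv6, which would otherwise flood the log; a comment such as `/* net-pf-10 (IPv6) is requested routinely by non-root programs; with IPv6 compiled out, deny it without logging */` says so directly. The unbraced `if` that straddles `#endif` also makes it easy to misread which statement is conditional, so I would write the test as `if (strcmp(module_name, "net-pf-10") != 0)` and keep the `gr_log_nonroot_mod_load(module_name);` call visibly tied to it. __request_module() continues outside the hunk.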
181 |
@@ -52015,7 +52075,7 @@ diff -urNp linux-2.6.32.28/kernel/lockdep_proc.c linux-2.6.32.28/kernel/lockdep_ |
182 |
if (!name) { |
183 |
diff -urNp linux-2.6.32.28/kernel/module.c linux-2.6.32.28/kernel/module.c |
184 |
--- linux-2.6.32.28/kernel/module.c 2010-08-13 16:24:37.000000000 -0400 |
185 |
-+++ linux-2.6.32.28/kernel/module.c 2010-12-31 14:46:53.000000000 -0500 |
186 |
++++ linux-2.6.32.28/kernel/module.c 2011-02-02 20:27:32.000000000 -0500 |
187 |
@@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq |
188 |
static BLOCKING_NOTIFIER_HEAD(module_notify_list); |
189 |
|
190 |
@@ -52053,6 +52113,15 @@ diff -urNp linux-2.6.32.28/kernel/module.c linux-2.6.32.28/kernel/module.c |
191 |
printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n", |
192 |
name, align, PAGE_SIZE); |
193 |
align = PAGE_SIZE; |
194 |
+@@ -1158,7 +1159,7 @@ static const struct kernel_symbol *resol |
195 |
+ * /sys/module/foo/sections stuff |
196 |
+ * J. Corbet <corbet@×××.net> |
197 |
+ */ |
198 |
+-#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) |
199 |
++#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM) |
200 |
+ |
201 |
+ static inline bool sect_empty(const Elf_Shdr *sect) |
202 |
+ { |
203 |
@@ -1545,7 +1546,8 @@ static void free_module(struct module *m |
204 |
destroy_params(mod->kp, mod->num_kp); |
205 |
|
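Review bot: The extra `!defined(CONFIG_GRKERNSEC_HIDESYM)` in the guard compiles out the `/sys/module/foo/sections` support, but nothing at the `#if` says why. A short comment such as `/* section attributes expose module load addresses; not built when HIDESYM is set */` would keep the condition from being simplified away later (the stated reason is my reading of the option name, so confirm it). The matching `#else`/`#endif` and whatever else shares this conditional block are outside the hunk and should be checked for code that has to stay available when HIDESYM is enabled.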
206 |
@@ -52784,7 +52853,7 @@ diff -urNp linux-2.6.32.28/kernel/printk.c linux-2.6.32.28/kernel/printk.c |
207 |
return error; |
208 |
diff -urNp linux-2.6.32.28/kernel/ptrace.c linux-2.6.32.28/kernel/ptrace.c |
209 |
--- linux-2.6.32.28/kernel/ptrace.c 2010-08-13 16:24:37.000000000 -0400 |
210 |
-+++ linux-2.6.32.28/kernel/ptrace.c 2011-01-01 00:19:08.000000000 -0500 |
211 |
++++ linux-2.6.32.28/kernel/ptrace.c 2011-02-12 10:37:47.000000000 -0500 |
212 |
@@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru |
213 |
cred->gid != tcred->egid || |
214 |
cred->gid != tcred->sgid || |
215 |
@@ -52812,6 +52881,15 @@ diff -urNp linux-2.6.32.28/kernel/ptrace.c linux-2.6.32.28/kernel/ptrace.c |
216 |
task->ptrace |= PT_PTRACE_CAP; |
217 |
|
218 |
__ptrace_link(task, current); |
219 |
+@@ -314,7 +314,7 @@ int ptrace_detach(struct task_struct *ch |
220 |
+ child->exit_code = data; |
221 |
+ dead = __ptrace_detach(current, child); |
222 |
+ if (!child->exit_state) |
223 |
+- wake_up_process(child); |
224 |
++ wake_up_state(child, TASK_TRACED | TASK_STOPPED); |
225 |
+ } |
226 |
+ write_unlock_irq(&tasklist_lock); |
227 |
+ |
228 |
@@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c |
229 |
ret = ptrace_setoptions(child, data); |
230 |
break; |
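Review bot: The new `wake_up_state(child, TASK_TRACED | TASK_STOPPED)` call in ptrace_detach() gives no reason for the state mask, and the mask is the entire change. A comment like `/* only wake a tracee that is stopped for ptrace; do not disturb a sleep it entered for another reason */` would record the intent (inferred from the mask, not stated in the hunk). ptrace_detach() begins and ends outside the hunk.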
231 |
@@ -53036,7 +53114,7 @@ diff -urNp linux-2.6.32.28/kernel/sched.c linux-2.6.32.28/kernel/sched.c |
232 |
return; |
233 |
diff -urNp linux-2.6.32.28/kernel/signal.c linux-2.6.32.28/kernel/signal.c |
234 |
--- linux-2.6.32.28/kernel/signal.c 2010-08-13 16:24:37.000000000 -0400 |
235 |
-+++ linux-2.6.32.28/kernel/signal.c 2010-12-31 14:46:53.000000000 -0500 |
236 |
++++ linux-2.6.32.28/kernel/signal.c 2011-02-12 11:22:46.000000000 -0500 |
237 |
@@ -41,12 +41,12 @@ |
238 |
|
239 |
static struct kmem_cache *sigqueue_cachep; |
240 |
@@ -53099,17 +53177,34 @@ diff -urNp linux-2.6.32.28/kernel/signal.c linux-2.6.32.28/kernel/signal.c |
241 |
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) |
242 |
{ |
243 |
return send_signal(sig, info, t, 0); |
244 |
-@@ -1022,6 +1028,9 @@ force_sig_info(int sig, struct siginfo * |
245 |
+@@ -1005,6 +1011,7 @@ force_sig_info(int sig, struct siginfo * |
246 |
+ unsigned long int flags; |
247 |
+ int ret, blocked, ignored; |
248 |
+ struct k_sigaction *action; |
249 |
++ int is_unhandled = 0; |
250 |
+ |
251 |
+ spin_lock_irqsave(&t->sighand->siglock, flags); |
252 |
+ action = &t->sighand->action[sig-1]; |
253 |
+@@ -1019,9 +1026,18 @@ force_sig_info(int sig, struct siginfo * |
254 |
+ } |
255 |
+ if (action->sa.sa_handler == SIG_DFL) |
256 |
+ t->signal->flags &= ~SIGNAL_UNKILLABLE; |
257 |
++ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL) |
258 |
++ is_unhandled = 1; |
259 |
ret = specific_send_sig_info(sig, info, t); |
260 |
spin_unlock_irqrestore(&t->sighand->siglock, flags); |
261 |
|
262 |
-+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); |
263 |
-+ gr_handle_crash(t, sig); |
264 |
++ /* only deal with unhandled signals, java etc trigger SIGSEGV during |
265 |
++ normal operation */ |
266 |
++ if (is_unhandled) { |
267 |
++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); |
268 |
++ gr_handle_crash(t, sig); |
269 |
++ } |
270 |
+ |
271 |
return ret; |
272 |
} |
273 |
|
274 |
-@@ -1081,8 +1090,11 @@ int group_send_sig_info(int sig, struct |
275 |
+@@ -1081,8 +1097,11 @@ int group_send_sig_info(int sig, struct |
276 |
{ |
277 |
int ret = check_kill_permission(sig, info, p); |
278 |
|
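Review bot: The `action->sa.sa_handler == SIG_IGN` half of the new `is_unhandled` test looks unreachable: the `ignored` local and the block that closes just above suggest, as in mainline force_sig_info(), that an ignored or blocked signal has already had its handler reset to SIG_DFL by this point (that code is outside the hunk, so confirm). If so, the flag can be set in the existing branch, `if (action->sa.sa_handler == SIG_DFL) { t->signal->flags &= ~SIGNAL_UNKILLABLE; is_unhandled = 1; }`, which avoids a second comparison under the siglock. The new comment is also worth tightening to say that handled signals are neither logged by `gr_log_signal()` nor passed to `gr_handle_crash()`, since that is a change in audit coverage and not only a noise fix.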
279 |
@@ -55257,7 +55352,7 @@ diff -urNp linux-2.6.32.28/mm/mlock.c linux-2.6.32.28/mm/mlock.c |
280 |
ret = do_mlockall(flags); |
281 |
diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
282 |
--- linux-2.6.32.28/mm/mmap.c 2011-01-11 23:55:35.000000000 -0500 |
283 |
-+++ linux-2.6.32.28/mm/mmap.c 2010-12-31 14:46:53.000000000 -0500 |
284 |
++++ linux-2.6.32.28/mm/mmap.c 2011-02-12 11:38:46.000000000 -0500 |
285 |
@@ -45,6 +45,16 @@ |
286 |
#define arch_rebalance_pgtables(addr, len) (addr) |
287 |
#endif |
288 |
@@ -55479,12 +55574,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
289 |
if (addr & ~PAGE_MASK) |
290 |
return addr; |
291 |
|
292 |
-@@ -969,6 +1046,31 @@ unsigned long do_mmap_pgoff(struct file |
293 |
+@@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file |
294 |
vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | |
295 |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; |
296 |
|
297 |
+#ifdef CONFIG_PAX_MPROTECT |
298 |
+ if (mm->pax_flags & MF_PAX_MPROTECT) { |
299 |
++#ifndef CONFIG_PAX_MPROTECT_COMPAT |
300 |
+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) { |
301 |
+ gr_log_rwxmmap(file); |
302 |
+ |
303 |
@@ -55498,6 +55594,10 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
304 |
+ |
305 |
+ if (!(vm_flags & VM_EXEC)) |
306 |
+ vm_flags &= ~VM_MAYEXEC; |
307 |
++#else |
308 |
++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) |
309 |
++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); |
310 |
++#endif |
311 |
+ else |
312 |
+ vm_flags &= ~VM_MAYWRITE; |
313 |
+ } |
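Review bot: The `else` that follows `#endif` binds to a different `if` in each preprocessor arm (`if (!(vm_flags & VM_EXEC))` without CONFIG_PAX_MPROTECT_COMPAT, `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` with it), which is easy to break on the next edit; giving each arm its own braced `if`/`else` would make the pairing explicit. The compat arm also drops VM_EXEC from a writable-and-executable request silently, whereas the arm opened by `#ifndef CONFIG_PAX_MPROTECT_COMPAT` in the previous hunk calls `gr_log_rwxmmap(file)`, so such requests leave no audit record in compat mode. If that is intended, a comment such as `/* compat: strip exec from W|X requests instead of logging them */` should say so. Part of the non-compat arm lies between the two hunks and is not visible here.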
314 |
@@ -55511,7 +55611,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
315 |
if (flags & MAP_LOCKED) |
316 |
if (!can_do_mlock()) |
317 |
return -EPERM; |
318 |
-@@ -980,6 +1082,7 @@ unsigned long do_mmap_pgoff(struct file |
319 |
+@@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file |
320 |
locked += mm->locked_vm; |
321 |
lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; |
322 |
lock_limit >>= PAGE_SHIFT; |
323 |
@@ -55519,7 +55619,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
324 |
if (locked > lock_limit && !capable(CAP_IPC_LOCK)) |
325 |
return -EAGAIN; |
326 |
} |
327 |
-@@ -1053,6 +1156,9 @@ unsigned long do_mmap_pgoff(struct file |
328 |
+@@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file |
329 |
if (error) |
330 |
return error; |
331 |
|
332 |
@@ -55529,7 +55629,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
333 |
return mmap_region(file, addr, len, flags, vm_flags, pgoff); |
334 |
} |
335 |
EXPORT_SYMBOL(do_mmap_pgoff); |
336 |
-@@ -1065,10 +1171,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); |
337 |
+@@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); |
338 |
*/ |
339 |
int vma_wants_writenotify(struct vm_area_struct *vma) |
340 |
{ |
341 |
@@ -55542,7 +55642,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
342 |
return 0; |
343 |
|
344 |
/* The backer wishes to know when pages are first written to? */ |
345 |
-@@ -1117,14 +1223,24 @@ unsigned long mmap_region(struct file *f |
346 |
+@@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f |
347 |
unsigned long charged = 0; |
348 |
struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; |
349 |
|
350 |
@@ -55569,7 +55669,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
351 |
} |
352 |
|
353 |
/* Check against address space limit. */ |
354 |
-@@ -1173,6 +1289,16 @@ munmap_back: |
355 |
+@@ -1173,6 +1294,16 @@ munmap_back: |
356 |
goto unacct_error; |
357 |
} |
358 |
|
359 |
@@ -55586,7 +55686,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
360 |
vma->vm_mm = mm; |
361 |
vma->vm_start = addr; |
362 |
vma->vm_end = addr + len; |
363 |
-@@ -1195,6 +1321,19 @@ munmap_back: |
364 |
+@@ -1195,6 +1326,19 @@ munmap_back: |
365 |
error = file->f_op->mmap(file, vma); |
366 |
if (error) |
367 |
goto unmap_and_free_vma; |
368 |
@@ -55606,7 +55706,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
369 |
if (vm_flags & VM_EXECUTABLE) |
370 |
added_exe_file_vma(mm); |
371 |
|
372 |
-@@ -1218,6 +1357,11 @@ munmap_back: |
373 |
+@@ -1218,6 +1362,11 @@ munmap_back: |
374 |
vma_link(mm, vma, prev, rb_link, rb_parent); |
375 |
file = vma->vm_file; |
376 |
|
377 |
@@ -55618,7 +55718,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
378 |
/* Once vma denies write, undo our temporary denial count */ |
379 |
if (correct_wcount) |
380 |
atomic_inc(&inode->i_writecount); |
381 |
-@@ -1226,6 +1370,7 @@ out: |
382 |
+@@ -1226,6 +1375,7 @@ out: |
383 |
|
384 |
mm->total_vm += len >> PAGE_SHIFT; |
385 |
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); |
386 |
@@ -55626,7 +55726,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
387 |
if (vm_flags & VM_LOCKED) { |
388 |
/* |
389 |
* makes pages present; downgrades, drops, reacquires mmap_sem |
390 |
-@@ -1248,6 +1393,12 @@ unmap_and_free_vma: |
391 |
+@@ -1248,6 +1398,12 @@ unmap_and_free_vma: |
392 |
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); |
393 |
charged = 0; |
394 |
free_vma: |
395 |
@@ -55639,7 +55739,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
396 |
kmem_cache_free(vm_area_cachep, vma); |
397 |
unacct_error: |
398 |
if (charged) |
399 |
-@@ -1255,6 +1406,33 @@ unacct_error: |
400 |
+@@ -1255,6 +1411,33 @@ unacct_error: |
401 |
return error; |
402 |
} |
403 |
|
404 |
@@ -55673,7 +55773,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
405 |
/* Get an address range which is currently unmapped. |
406 |
* For shmat() with addr=0. |
407 |
* |
408 |
-@@ -1281,18 +1459,23 @@ arch_get_unmapped_area(struct file *filp |
409 |
+@@ -1281,18 +1464,23 @@ arch_get_unmapped_area(struct file *filp |
410 |
if (flags & MAP_FIXED) |
411 |
return addr; |
412 |
|
413 |
@@ -55704,7 +55804,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
414 |
} |
415 |
|
416 |
full_search: |
417 |
-@@ -1303,34 +1486,40 @@ full_search: |
418 |
+@@ -1303,34 +1491,40 @@ full_search: |
419 |
* Start a new search - just in case we missed |
420 |
* some holes. |
421 |
*/ |
422 |
@@ -55756,7 +55856,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
423 |
mm->free_area_cache = addr; |
424 |
mm->cached_hole_size = ~0UL; |
425 |
} |
426 |
-@@ -1348,7 +1537,7 @@ arch_get_unmapped_area_topdown(struct fi |
427 |
+@@ -1348,7 +1542,7 @@ arch_get_unmapped_area_topdown(struct fi |
428 |
{ |
429 |
struct vm_area_struct *vma; |
430 |
struct mm_struct *mm = current->mm; |
431 |
@@ -55765,7 +55865,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
432 |
|
433 |
/* requested length too big for entire address space */ |
434 |
if (len > TASK_SIZE) |
435 |
-@@ -1357,13 +1546,18 @@ arch_get_unmapped_area_topdown(struct fi |
436 |
+@@ -1357,13 +1551,18 @@ arch_get_unmapped_area_topdown(struct fi |
437 |
if (flags & MAP_FIXED) |
438 |
return addr; |
439 |
|
440 |
@@ -55788,7 +55888,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
441 |
} |
442 |
|
443 |
/* check if free_area_cache is useful for us */ |
444 |
-@@ -1378,7 +1572,7 @@ arch_get_unmapped_area_topdown(struct fi |
445 |
+@@ -1378,7 +1577,7 @@ arch_get_unmapped_area_topdown(struct fi |
446 |
/* make sure it can fit in the remaining address space */ |
447 |
if (addr > len) { |
448 |
vma = find_vma(mm, addr-len); |
449 |
@@ -55797,7 +55897,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
450 |
/* remember the address as a hint for next time */ |
451 |
return (mm->free_area_cache = addr-len); |
452 |
} |
453 |
-@@ -1395,7 +1589,7 @@ arch_get_unmapped_area_topdown(struct fi |
454 |
+@@ -1395,7 +1594,7 @@ arch_get_unmapped_area_topdown(struct fi |
455 |
* return with success: |
456 |
*/ |
457 |
vma = find_vma(mm, addr); |
458 |
@@ -55806,7 +55906,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
459 |
/* remember the address as a hint for next time */ |
460 |
return (mm->free_area_cache = addr); |
461 |
|
462 |
-@@ -1414,13 +1608,21 @@ bottomup: |
463 |
+@@ -1414,13 +1613,21 @@ bottomup: |
464 |
* can happen with large stack limits and large mmap() |
465 |
* allocations. |
466 |
*/ |
467 |
@@ -55830,7 +55930,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
468 |
mm->cached_hole_size = ~0UL; |
469 |
|
470 |
return addr; |
471 |
-@@ -1429,6 +1631,12 @@ bottomup: |
472 |
+@@ -1429,6 +1636,12 @@ bottomup: |
473 |
|
474 |
void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) |
475 |
{ |
476 |
@@ -55843,7 +55943,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
477 |
/* |
478 |
* Is this a new hole at the highest possible address? |
479 |
*/ |
480 |
-@@ -1436,8 +1644,10 @@ void arch_unmap_area_topdown(struct mm_s |
481 |
+@@ -1436,8 +1649,10 @@ void arch_unmap_area_topdown(struct mm_s |
482 |
mm->free_area_cache = addr; |
483 |
|
484 |
/* dont allow allocations above current base */ |
485 |
@@ -55855,7 +55955,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
486 |
} |
487 |
|
488 |
unsigned long |
489 |
-@@ -1545,6 +1755,27 @@ out: |
490 |
+@@ -1545,6 +1760,27 @@ out: |
491 |
return prev ? prev->vm_next : vma; |
492 |
} |
493 |
|
494 |
@@ -55883,7 +55983,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
495 |
/* |
496 |
* Verify that the stack growth is acceptable and |
497 |
* update accounting. This is shared with both the |
498 |
-@@ -1561,6 +1792,7 @@ static int acct_stack_growth(struct vm_a |
499 |
+@@ -1561,6 +1797,7 @@ static int acct_stack_growth(struct vm_a |
500 |
return -ENOMEM; |
501 |
|
502 |
/* Stack limit test */ |
503 |
@@ -55891,7 +55991,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
504 |
if (size > rlim[RLIMIT_STACK].rlim_cur) |
505 |
return -ENOMEM; |
506 |
|
507 |
-@@ -1570,6 +1802,7 @@ static int acct_stack_growth(struct vm_a |
508 |
+@@ -1570,6 +1807,7 @@ static int acct_stack_growth(struct vm_a |
509 |
unsigned long limit; |
510 |
locked = mm->locked_vm + grow; |
511 |
limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT; |
512 |
@@ -55899,7 +55999,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
513 |
if (locked > limit && !capable(CAP_IPC_LOCK)) |
514 |
return -ENOMEM; |
515 |
} |
516 |
-@@ -1600,37 +1833,48 @@ static int acct_stack_growth(struct vm_a |
517 |
+@@ -1600,37 +1838,48 @@ static int acct_stack_growth(struct vm_a |
518 |
* PA-RISC uses this for its stack; IA64 for its Register Backing Store. |
519 |
* vma is the last one with address > vma->vm_end. Have to extend vma. |
520 |
*/ |
521 |
@@ -55957,7 +56057,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
522 |
unsigned long size, grow; |
523 |
|
524 |
size = address - vma->vm_start; |
525 |
-@@ -1640,6 +1884,8 @@ int expand_upwards(struct vm_area_struct |
526 |
+@@ -1640,6 +1889,8 @@ int expand_upwards(struct vm_area_struct |
527 |
if (!error) |
528 |
vma->vm_end = address; |
529 |
} |
530 |
@@ -55966,7 +56066,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
531 |
anon_vma_unlock(vma); |
532 |
return error; |
533 |
} |
534 |
-@@ -1652,6 +1898,8 @@ static int expand_downwards(struct vm_ar |
535 |
+@@ -1652,6 +1903,8 @@ static int expand_downwards(struct vm_ar |
536 |
unsigned long address) |
537 |
{ |
538 |
int error; |
539 |
@@ -55975,7 +56075,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
540 |
|
541 |
/* |
542 |
* We must make sure the anon_vma is allocated |
543 |
-@@ -1665,6 +1913,15 @@ static int expand_downwards(struct vm_ar |
544 |
+@@ -1665,6 +1918,15 @@ static int expand_downwards(struct vm_ar |
545 |
if (error) |
546 |
return error; |
547 |
|
548 |
@@ -55991,7 +56091,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
549 |
anon_vma_lock(vma); |
550 |
|
551 |
/* |
552 |
-@@ -1674,9 +1931,17 @@ static int expand_downwards(struct vm_ar |
553 |
+@@ -1674,9 +1936,17 @@ static int expand_downwards(struct vm_ar |
554 |
*/ |
555 |
|
556 |
/* Somebody else might have raced and expanded it already */ |
557 |
@@ -56010,7 +56110,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
558 |
size = vma->vm_end - address; |
559 |
grow = (vma->vm_start - address) >> PAGE_SHIFT; |
560 |
|
561 |
-@@ -1684,9 +1949,20 @@ static int expand_downwards(struct vm_ar |
562 |
+@@ -1684,9 +1954,20 @@ static int expand_downwards(struct vm_ar |
563 |
if (!error) { |
564 |
vma->vm_start = address; |
565 |
vma->vm_pgoff -= grow; |
566 |
@@ -56031,7 +56131,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
567 |
return error; |
568 |
} |
569 |
|
570 |
-@@ -1762,6 +2038,13 @@ static void remove_vma_list(struct mm_st |
571 |
+@@ -1762,6 +2043,13 @@ static void remove_vma_list(struct mm_st |
572 |
do { |
573 |
long nrpages = vma_pages(vma); |
574 |
|
575 |
@@ -56045,7 +56145,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
576 |
mm->total_vm -= nrpages; |
577 |
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); |
578 |
vma = remove_vma(vma); |
579 |
-@@ -1807,6 +2090,16 @@ detach_vmas_to_be_unmapped(struct mm_str |
580 |
+@@ -1807,6 +2095,16 @@ detach_vmas_to_be_unmapped(struct mm_str |
581 |
insertion_point = (prev ? &prev->vm_next : &mm->mmap); |
582 |
vma->vm_prev = NULL; |
583 |
do { |
584 |
@@ -56062,7 +56162,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
585 |
rb_erase(&vma->vm_rb, &mm->mm_rb); |
586 |
mm->map_count--; |
587 |
tail_vma = vma; |
588 |
-@@ -1834,10 +2127,25 @@ int split_vma(struct mm_struct * mm, str |
589 |
+@@ -1834,10 +2132,25 @@ int split_vma(struct mm_struct * mm, str |
590 |
struct mempolicy *pol; |
591 |
struct vm_area_struct *new; |
592 |
|
593 |
@@ -56088,7 +56188,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
594 |
if (mm->map_count >= sysctl_max_map_count) |
595 |
return -ENOMEM; |
596 |
|
597 |
-@@ -1845,6 +2153,16 @@ int split_vma(struct mm_struct * mm, str |
598 |
+@@ -1845,6 +2158,16 @@ int split_vma(struct mm_struct * mm, str |
599 |
if (!new) |
600 |
return -ENOMEM; |
601 |
|
602 |
@@ -56105,7 +56205,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
603 |
/* most fields are the same, copy all, and then fixup */ |
604 |
*new = *vma; |
605 |
|
606 |
-@@ -1855,8 +2173,29 @@ int split_vma(struct mm_struct * mm, str |
607 |
+@@ -1855,8 +2178,29 @@ int split_vma(struct mm_struct * mm, str |
608 |
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); |
609 |
} |
610 |
|
611 |
@@ -56135,7 +56235,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
612 |
kmem_cache_free(vm_area_cachep, new); |
613 |
return PTR_ERR(pol); |
614 |
} |
615 |
-@@ -1877,6 +2216,28 @@ int split_vma(struct mm_struct * mm, str |
616 |
+@@ -1877,6 +2221,28 @@ int split_vma(struct mm_struct * mm, str |
617 |
else |
618 |
vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); |
619 |
|
620 |
@@ -56164,13 +56264,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
621 |
return 0; |
622 |
} |
623 |
|
624 |
-@@ -1885,11 +2246,30 @@ int split_vma(struct mm_struct * mm, str |
625 |
+@@ -1885,11 +2251,30 @@ int split_vma(struct mm_struct * mm, str |
626 |
* work. This now handles partial unmappings. |
627 |
* Jeremy Fitzhardinge <jeremy@××××.org> |
628 |
*/ |
629 |
+#ifdef CONFIG_PAX_SEGMEXEC |
630 |
- int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
631 |
- { |
632 |
++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
633 |
++{ |
634 |
+ int ret = __do_munmap(mm, start, len); |
635 |
+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC)) |
636 |
+ return ret; |
637 |
@@ -56180,9 +56280,9 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
638 |
+ |
639 |
+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
640 |
+#else |
641 |
-+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
642 |
+ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) |
643 |
+#endif |
644 |
-+{ |
645 |
+ { |
646 |
unsigned long end; |
647 |
struct vm_area_struct *vma, *prev, *last; |
648 |
|
649 |
@@ -56195,7 +56295,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
650 |
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) |
651 |
return -EINVAL; |
652 |
|
653 |
-@@ -1953,6 +2333,8 @@ int do_munmap(struct mm_struct *mm, unsi |
654 |
+@@ -1953,6 +2338,8 @@ int do_munmap(struct mm_struct *mm, unsi |
655 |
/* Fix up all other VM information */ |
656 |
remove_vma_list(mm, vma); |
657 |
|
658 |
@@ -56204,7 +56304,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
659 |
return 0; |
660 |
} |
661 |
|
662 |
-@@ -1965,22 +2347,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a |
663 |
+@@ -1965,22 +2352,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a |
664 |
|
665 |
profile_munmap(addr); |
666 |
|
667 |
@@ -56233,7 +56333,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
668 |
/* |
669 |
* this is really a simplified "do_mmap". it only handles |
670 |
* anonymous maps. eventually we may be able to do some |
671 |
-@@ -1994,6 +2372,7 @@ unsigned long do_brk(unsigned long addr, |
672 |
+@@ -1994,6 +2377,7 @@ unsigned long do_brk(unsigned long addr, |
673 |
struct rb_node ** rb_link, * rb_parent; |
674 |
pgoff_t pgoff = addr >> PAGE_SHIFT; |
675 |
int error; |
676 |
@@ -56241,7 +56341,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
677 |
|
678 |
len = PAGE_ALIGN(len); |
679 |
if (!len) |
680 |
-@@ -2005,16 +2384,30 @@ unsigned long do_brk(unsigned long addr, |
681 |
+@@ -2005,16 +2389,30 @@ unsigned long do_brk(unsigned long addr, |
682 |
|
683 |
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; |
684 |
|
685 |
@@ -56273,7 +56373,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
686 |
locked += mm->locked_vm; |
687 |
lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; |
688 |
lock_limit >>= PAGE_SHIFT; |
689 |
-@@ -2031,22 +2424,22 @@ unsigned long do_brk(unsigned long addr, |
690 |
+@@ -2031,22 +2429,22 @@ unsigned long do_brk(unsigned long addr, |
691 |
/* |
692 |
* Clear old maps. this also does some error checking for us |
693 |
*/ |
694 |
@@ -56300,7 +56400,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
695 |
return -ENOMEM; |
696 |
|
697 |
/* Can we just expand an old private anonymous mapping? */ |
698 |
-@@ -2060,7 +2453,7 @@ unsigned long do_brk(unsigned long addr, |
699 |
+@@ -2060,7 +2458,7 @@ unsigned long do_brk(unsigned long addr, |
700 |
*/ |
701 |
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); |
702 |
if (!vma) { |
703 |
@@ -56309,7 +56409,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
704 |
return -ENOMEM; |
705 |
} |
706 |
|
707 |
-@@ -2072,11 +2465,12 @@ unsigned long do_brk(unsigned long addr, |
708 |
+@@ -2072,11 +2470,12 @@ unsigned long do_brk(unsigned long addr, |
709 |
vma->vm_page_prot = vm_get_page_prot(flags); |
710 |
vma_link(mm, vma, prev, rb_link, rb_parent); |
711 |
out: |
712 |
@@ -56324,7 +56424,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
713 |
return addr; |
714 |
} |
715 |
|
716 |
-@@ -2123,8 +2517,10 @@ void exit_mmap(struct mm_struct *mm) |
717 |
+@@ -2123,8 +2522,10 @@ void exit_mmap(struct mm_struct *mm) |
718 |
* Walk the list again, actually closing and freeing it, |
719 |
* with preemption enabled, without holding any MM locks. |
720 |
*/ |
721 |
@@ -56336,7 +56436,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
722 |
|
723 |
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); |
724 |
} |
725 |
-@@ -2138,6 +2534,10 @@ int insert_vm_struct(struct mm_struct * |
726 |
+@@ -2138,6 +2539,10 @@ int insert_vm_struct(struct mm_struct * |
727 |
struct vm_area_struct * __vma, * prev; |
728 |
struct rb_node ** rb_link, * rb_parent; |
729 |
|
730 |
@@ -56347,7 +56447,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
731 |
/* |
732 |
* The vm_pgoff of a purely anonymous vma should be irrelevant |
733 |
* until its first write fault, when page's anon_vma and index |
734 |
-@@ -2160,7 +2560,22 @@ int insert_vm_struct(struct mm_struct * |
735 |
+@@ -2160,7 +2565,22 @@ int insert_vm_struct(struct mm_struct * |
736 |
if ((vma->vm_flags & VM_ACCOUNT) && |
737 |
security_vm_enough_memory_mm(mm, vma_pages(vma))) |
738 |
return -ENOMEM; |
739 |
@@ -56370,7 +56470,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
740 |
return 0; |
741 |
} |
742 |
|
743 |
-@@ -2178,6 +2593,8 @@ struct vm_area_struct *copy_vma(struct v |
744 |
+@@ -2178,6 +2598,8 @@ struct vm_area_struct *copy_vma(struct v |
745 |
struct rb_node **rb_link, *rb_parent; |
746 |
struct mempolicy *pol; |
747 |
|
748 |
@@ -56379,7 +56479,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
749 |
/* |
750 |
* If anonymous vma has not yet been faulted, update new pgoff |
751 |
* to match new location, to increase its chance of merging. |
752 |
-@@ -2221,6 +2638,35 @@ struct vm_area_struct *copy_vma(struct v |
753 |
+@@ -2221,6 +2643,35 @@ struct vm_area_struct *copy_vma(struct v |
754 |
return new_vma; |
755 |
} |
756 |
|
757 |
@@ -56415,7 +56515,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
758 |
/* |
759 |
* Return true if the calling process may expand its vm space by the passed |
760 |
* number of pages |
761 |
-@@ -2231,7 +2677,7 @@ int may_expand_vm(struct mm_struct *mm, |
762 |
+@@ -2231,7 +2682,7 @@ int may_expand_vm(struct mm_struct *mm, |
763 |
unsigned long lim; |
764 |
|
765 |
lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; |
766 |
@@ -56424,16 +56524,21 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c |
767 |
if (cur + npages > lim) |
768 |
return 0; |
769 |
return 1; |
770 |
-@@ -2301,6 +2747,17 @@ int install_special_mapping(struct mm_st |
771 |
+@@ -2301,6 +2752,22 @@ int install_special_mapping(struct mm_st |
772 |
vma->vm_start = addr; |
773 |
vma->vm_end = addr + len; |
774 |
|
775 |
+#ifdef CONFIG_PAX_MPROTECT |
776 |
+ if (mm->pax_flags & MF_PAX_MPROTECT) { |
777 |
++#ifndef CONFIG_PAX_MPROTECT_COMPAT |
778 |
+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) |
779 |
+ return -EPERM; |
780 |
+ if (!(vm_flags & VM_EXEC)) |
781 |
+ vm_flags &= ~VM_MAYEXEC; |
782 |
++#else |
783 |
++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) |
784 |
++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); |
785 |
++#endif |
786 |
+ else |
787 |
+ vm_flags &= ~VM_MAYWRITE; |
788 |
+ } |
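Review bot: The trailing `else` in this PAX_MPROTECT block binds to a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT, and neither branch is braced. Without COMPAT it pairs with `if (!(vm_flags & VM_EXEC))`, and with COMPAT it pairs with `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)`. Both outcomes look intended, but an edit to either arm can silently re-pair the `else` and change which mappings lose VM_MAYWRITE. Closing the if/else inside each preprocessor arm keeps the behaviour and makes the pairing explicit; the do_mmap_pgoff hunks for 2.6.37 further down use the same construct. install_special_mapping starts and ends outside this hunk.

```c
#ifndef CONFIG_PAX_MPROTECT_COMPAT
	/* … unchanged: W+X request returns -EPERM … */
	if (!(vm_flags & VM_EXEC)) {
		vm_flags &= ~VM_MAYEXEC;
	} else {
		vm_flags &= ~VM_MAYWRITE;
	}
#else
	if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) {
		vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
	} else {
		vm_flags &= ~VM_MAYWRITE;
	}
#endif
```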
789 |
@@ -60064,8 +60169,8 @@ diff -urNp linux-2.6.32.28/security/integrity/ima/ima_queue.c linux-2.6.32.28/se |
790 |
return 0; |
791 |
diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig |
792 |
--- linux-2.6.32.28/security/Kconfig 2010-08-13 16:24:37.000000000 -0400 |
793 |
-+++ linux-2.6.32.28/security/Kconfig 2011-01-04 17:43:17.000000000 -0500 |
794 |
-@@ -4,6 +4,509 @@ |
795 |
++++ linux-2.6.32.28/security/Kconfig 2011-02-12 11:33:55.000000000 -0500 |
796 |
+@@ -4,6 +4,527 @@ |
797 |
|
798 |
menu "Security options" |
799 |
|
800 |
@@ -60311,6 +60416,24 @@ diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig |
801 |
+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control |
802 |
+ this feature on a per file basis. |
803 |
+ |
804 |
++config PAX_MPROTECT_COMPAT |
805 |
++ bool "Use legacy/compat protection demoting (read help)" |
806 |
++ depends on PAX_MPROTECT |
807 |
++ default n |
808 |
++ help |
809 |
++ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects |
810 |
++ by sending the proper error code to the application. For some broken |
811 |
++ userland, this can cause problems with Python or other applications. The |
812 |
++ current implementation however allows for applications like clamav to |
813 |
++ detect if JIT compilation/execution is allowed and to fall back gracefully |
814 |
++ to an interpreter-based mode if it does not. While we encourage everyone |
815 |
++ to use the current implementation as-is and push upstream to fix broken |
816 |
++ userland (note that the RWX logging option can assist with this), in some |
817 |
++ environments this may not be possible. Having to disable MPROTECT |
818 |
++ completely on certain binaries reduces the security benefit of PaX, |
819 |
++ so this option is provided for those environments to revert to the old |
820 |
++ behavior. |
821 |
++ |
822 |
+config PAX_ELFRELOCS |
823 |
+ bool "Allow ELF text relocations (read help)" |
824 |
+ depends on PAX_MPROTECT |
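Review bot: The PAX_MPROTECT_COMPAT help text says the option reverts "to the old behavior" but never states what that behaviour is, so an administrator cannot judge the trade-off from the help alone. Going by the mmap.c hunks on this page, the compat branch does not refuse a writable and executable mapping; it clears VM_EXEC and VM_MAYEXEC and lets the call succeed. I would add a sentence such as `With this option a request for a writable and executable mapping is not refused; execute permission is silently removed from it instead.` Whether mprotect is demoted the same way is not visible here and should be confirmed before wording that part.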
825 |
@@ -60575,7 +60698,7 @@ diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig |
826 |
config KEYS |
827 |
bool "Enable access key retention support" |
828 |
help |
829 |
-@@ -146,7 +649,7 @@ config INTEL_TXT |
830 |
+@@ -146,7 +667,7 @@ config INTEL_TXT |
831 |
config LSM_MMAP_MIN_ADDR |
832 |
int "Low address space for LSM to protect from user allocation" |
833 |
depends on SECURITY && SECURITY_SELINUX |
834 |
@@ -60638,7 +60761,7 @@ diff -urNp linux-2.6.32.28/security/security.c linux-2.6.32.28/security/security |
835 |
printk(KERN_DEBUG "%s could not verify " |
836 |
diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/selinux/hooks.c |
837 |
--- linux-2.6.32.28/security/selinux/hooks.c 2010-08-13 16:24:37.000000000 -0400 |
838 |
-+++ linux-2.6.32.28/security/selinux/hooks.c 2010-12-31 14:46:53.000000000 -0500 |
839 |
++++ linux-2.6.32.28/security/selinux/hooks.c 2011-02-12 11:03:00.000000000 -0500 |
840 |
@@ -131,7 +131,7 @@ int selinux_enabled = 1; |
841 |
* Minimal support for a secondary security module, |
842 |
* just to allow the use of the capability module. |
843 |
@@ -60648,7 +60771,20 @@ diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/sel |
844 |
|
845 |
/* Lists of inode and superblock security structures initialized |
846 |
before the policy was loaded. */ |
847 |
-@@ -5450,7 +5450,7 @@ static int selinux_key_getsecurity(struc |
848 |
+@@ -3259,7 +3259,11 @@ static void selinux_cred_free(struct cre |
849 |
+ { |
850 |
+ struct task_security_struct *tsec = cred->security; |
851 |
+ |
852 |
+- BUG_ON((unsigned long) cred->security < PAGE_SIZE); |
853 |
++ /* |
854 |
++ * cred->security == NULL if security_cred_alloc_blank() or |
855 |
++ * security_prepare_creds() returned an error. |
856 |
++ */ |
857 |
++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); |
858 |
+ cred->security = (void *) 0x7UL; |
859 |
+ kfree(tsec); |
860 |
+ } |
861 |
+@@ -5450,7 +5454,7 @@ static int selinux_key_getsecurity(struc |
862 |
|
863 |
#endif |
864 |
|
865 |
@@ -60657,7 +60793,7 @@ diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/sel |
866 |
.name = "selinux", |
867 |
|
868 |
.ptrace_access_check = selinux_ptrace_access_check, |
869 |
-@@ -5834,7 +5834,9 @@ int selinux_disable(void) |
870 |
+@@ -5834,7 +5838,9 @@ int selinux_disable(void) |
871 |
avc_disable(); |
872 |
|
873 |
/* Reset security_ops to the secondary module, dummy or capability. */ |
874 |
|
875 |
diff --git a/2.6.37/0000_README b/2.6.37/0000_README |
876 |
index 2c6b512..16e7e24 100644 |
877 |
--- a/2.6.37/0000_README |
878 |
+++ b/2.6.37/0000_README |
879 |
@@ -3,7 +3,7 @@ README |
880 |
|
881 |
Individual Patch Descriptions: |
882 |
----------------------------------------------------------------------------- |
883 |
-Patch 4420_grsecurity-2.2.1-2.6.37-201101272240.patch |
884 |
+Patch: 4420_grsecurity-2.2.1-2.6.37-201102121148.patch |
885 |
From: http://www.grsecurity.net |
886 |
Desc: hardened-sources base patch from upstream grsecurity |
887 |
|
888 |
|
889 |
diff --git a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch b/2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch |
890 |
similarity index 99% |
891 |
rename from 2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch |
892 |
rename to 2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch |
893 |
index 053126a..e66397d 100644 |
894 |
--- a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch |
895 |
+++ b/2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch |
896 |
@@ -8049,7 +8049,7 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mman.h linux-2.6.37/arch/x86/includ |
897 |
#endif /* _ASM_X86_MMAN_H */ |
898 |
diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86/include/asm/mmu_context.h |
899 |
--- linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-04 19:50:19.000000000 -0500 |
900 |
-+++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-17 02:41:00.000000000 -0500 |
901 |
++++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-02-12 11:04:35.000000000 -0500 |
902 |
@@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m |
903 |
|
904 |
static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) |
905 |
@@ -8081,8 +8081,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86 |
906 |
+#endif |
907 |
|
908 |
if (likely(prev != next)) { |
909 |
- /* stop flush ipis for the previous mm */ |
910 |
- cpumask_clear_cpu(cpu, mm_cpumask(prev)); |
911 |
+- /* stop flush ipis for the previous mm */ |
912 |
+- cpumask_clear_cpu(cpu, mm_cpumask(prev)); |
913 |
#ifdef CONFIG_SMP |
914 |
+#ifdef CONFIG_X86_32 |
915 |
+ tlbstate = percpu_read(cpu_tlbstate.state); |
916 |
@@ -8102,6 +8102,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86 |
917 |
+#else |
918 |
load_cr3(next->pgd); |
919 |
+#endif |
920 |
++ /* stop flush ipis for the previous mm */ |
921 |
++ cpumask_clear_cpu(cpu, mm_cpumask(prev)); |
922 |
|
923 |
/* |
924 |
* load the LDT, if the LDT is different: |
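Review bot: The moved comment still reads only `/* stop flush ipis for the previous mm */`, so nothing records why `cpumask_clear_cpu()` now has to sit after the `load_cr3()` path. The ordering is the whole content of this change. Presumably the CPU must keep receiving flush IPIs for `prev` until it has stopped using `prev`'s page tables, and that should be confirmed and written down. Something like `/* stop flush ipis for the previous mm; only after cr3 no longer points at prev's page tables */` would stop the two lines being "tidied" back to the top of the block. The enclosing function starts and ends outside the hunk.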
925 |
@@ -27044,6 +27046,26 @@ diff -urNp linux-2.6.37/drivers/pci/pcie/portdrv_pci.c linux-2.6.37/drivers/pci/ |
926 |
}; |
927 |
MODULE_DEVICE_TABLE(pci, port_pci_ids); |
928 |
|
929 |
+diff -urNp linux-2.6.37/drivers/pci/pci-sysfs.c linux-2.6.37/drivers/pci/pci-sysfs.c |
930 |
+--- linux-2.6.37/drivers/pci/pci-sysfs.c 2011-01-04 19:50:19.000000000 -0500 |
931 |
++++ linux-2.6.37/drivers/pci/pci-sysfs.c 2011-02-12 10:32:55.000000000 -0500 |
932 |
+@@ -23,6 +23,7 @@ |
933 |
+ #include <linux/mm.h> |
934 |
+ #include <linux/fs.h> |
935 |
+ #include <linux/capability.h> |
936 |
++#include <linux/security.h> |
937 |
+ #include <linux/pci-aspm.h> |
938 |
+ #include <linux/slab.h> |
939 |
+ #include "pci.h" |
940 |
+@@ -368,7 +369,7 @@ pci_read_config(struct file *filp, struc |
941 |
+ u8 *data = (u8*) buf; |
942 |
+ |
943 |
+ /* Several chips lock up trying to read undefined config space */ |
944 |
+- if (cap_raised(filp->f_cred->cap_effective, CAP_SYS_ADMIN)) { |
945 |
++ if (security_capable(filp->f_cred, CAP_SYS_ADMIN)) { |
946 |
+ size = dev->cfg_size; |
947 |
+ } else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS) { |
948 |
+ size = 128; |
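Review bot: The new condition in pci_read_config looks inverted. The security.h hunk on this page has security_capable() return cap_capable()'s result, and the kernel/capability.c hunks treat `security_capable(current_cred(), cap) == 0` as "capability held". The replaced `cap_raised()` test was non-zero when the capability was held. As written, an opener holding CAP_SYS_ADMIN falls through to the restricted sizes, while one without it gets `size = dev->cfg_size`, the full config space that the comment above warns can lock up some chips. The test should compare against zero: `if (security_capable(filp->f_cred, CAP_SYS_ADMIN) == 0) {`. pci_read_config continues outside the hunk.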
949 |
diff -urNp linux-2.6.37/drivers/pci/probe.c linux-2.6.37/drivers/pci/probe.c |
950 |
--- linux-2.6.37/drivers/pci/probe.c 2011-01-04 19:50:19.000000000 -0500 |
951 |
+++ linux-2.6.37/drivers/pci/probe.c 2011-01-17 02:41:01.000000000 -0500 |
952 |
@@ -30248,6 +30270,40 @@ diff -urNp linux-2.6.37/fs/btrfs/inode.c linux-2.6.37/fs/btrfs/inode.c |
953 |
.fill_delalloc = run_delalloc_range, |
954 |
.submit_bio_hook = btrfs_submit_bio_hook, |
955 |
.merge_bio_hook = btrfs_merge_bio_hook, |
956 |
+diff -urNp linux-2.6.37/fs/btrfs/ioctl.c linux-2.6.37/fs/btrfs/ioctl.c |
957 |
+--- linux-2.6.37/fs/btrfs/ioctl.c 2011-01-04 19:50:19.000000000 -0500 |
958 |
++++ linux-2.6.37/fs/btrfs/ioctl.c 2011-02-12 10:29:31.000000000 -0500 |
959 |
+@@ -2087,7 +2087,7 @@ long btrfs_ioctl_space_info(struct btrfs |
960 |
+ int num_types = 4; |
961 |
+ int alloc_size; |
962 |
+ int ret = 0; |
963 |
+- int slot_count = 0; |
964 |
++ u64 slot_count = 0; |
965 |
+ int i, c; |
966 |
+ |
967 |
+ if (copy_from_user(&space_args, |
968 |
+@@ -2126,7 +2126,7 @@ long btrfs_ioctl_space_info(struct btrfs |
969 |
+ goto out; |
970 |
+ } |
971 |
+ |
972 |
+- slot_count = min_t(int, space_args.space_slots, slot_count); |
973 |
++ slot_count = min_t(u64, space_args.space_slots, slot_count); |
974 |
+ |
975 |
+ alloc_size = sizeof(*dest) * slot_count; |
976 |
+ |
977 |
+@@ -2146,6 +2146,12 @@ long btrfs_ioctl_space_info(struct btrfs |
978 |
+ for (i = 0; i < num_types; i++) { |
979 |
+ struct btrfs_space_info *tmp; |
980 |
+ |
981 |
++ /* Don't copy in more than we allocated */ |
982 |
++ if (!slot_count) |
983 |
++ break; |
984 |
++ |
985 |
++ slot_count--; |
986 |
++ |
987 |
+ info = NULL; |
988 |
+ rcu_read_lock(); |
989 |
+ list_for_each_entry_rcu(tmp, &root->fs_info->space_info, |
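Review bot: `slot_count--` runs once per pass of the outer `for (i = 0; i < num_types; i++)` loop, so the new guard limits how many space types are visited, not how many entries are written to `dest`. The rest of the loop body is outside this hunk. If it can copy more than one entry per type, the copies can still run past the `sizeof(*dest) * slot_count` allocation that this change is meant to protect. In that case the `if (!slot_count) break;` test and the `slot_count--;` should sit next to the statement that copies each entry. Separately, `alloc_size` stays `int` while `slot_count` becomes `u64`; that is safe only as long as `min_t()` keeps the count small.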
990 |
diff -urNp linux-2.6.37/fs/btrfs/relocation.c linux-2.6.37/fs/btrfs/relocation.c |
991 |
--- linux-2.6.37/fs/btrfs/relocation.c 2011-01-04 19:50:19.000000000 -0500 |
992 |
+++ linux-2.6.37/fs/btrfs/relocation.c 2011-01-17 02:41:01.000000000 -0500 |
993 |
@@ -30668,7 +30724,7 @@ diff -urNp linux-2.6.37/fs/ecryptfs/miscdev.c linux-2.6.37/fs/ecryptfs/miscdev.c |
994 |
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) |
995 |
diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c |
996 |
--- linux-2.6.37/fs/exec.c 2011-01-04 19:50:19.000000000 -0500 |
997 |
-+++ linux-2.6.37/fs/exec.c 2011-01-17 02:41:01.000000000 -0500 |
998 |
++++ linux-2.6.37/fs/exec.c 2011-02-12 11:21:04.000000000 -0500 |
999 |
@@ -55,12 +55,24 @@ |
1000 |
#include <linux/fs_struct.h> |
1001 |
#include <linux/pipe_fs_i.h> |
1002 |
@@ -31194,7 +31250,7 @@ diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c |
1003 |
goto fail_corename; |
1004 |
} |
1005 |
|
1006 |
-+ if (signr == SIGKILL || signr == SIGILL) |
1007 |
++ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL) |
1008 |
+ gr_handle_brute_attach(current); |
1009 |
+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1); |
1010 |
+ |
1011 |
@@ -47851,7 +47907,7 @@ diff -urNp linux-2.6.37/include/linux/screen_info.h linux-2.6.37/include/linux/s |
1012 |
#define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */ |
1013 |
diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/security.h |
1014 |
--- linux-2.6.37/include/linux/security.h 2011-01-04 19:50:19.000000000 -0500 |
1015 |
-+++ linux-2.6.37/include/linux/security.h 2011-01-17 02:41:02.000000000 -0500 |
1016 |
++++ linux-2.6.37/include/linux/security.h 2011-02-12 10:34:03.000000000 -0500 |
1017 |
@@ -35,6 +35,7 @@ |
1018 |
#include <linux/key.h> |
1019 |
#include <linux/xfrm.h> |
1020 |
@@ -47860,6 +47916,27 @@ diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/secu |
1021 |
#include <net/flow.h> |
1022 |
|
1023 |
/* Maximum number of letters for an LSM name string */ |
1024 |
+@@ -1664,7 +1665,7 @@ int security_capset(struct cred *new, co |
1025 |
+ const kernel_cap_t *effective, |
1026 |
+ const kernel_cap_t *inheritable, |
1027 |
+ const kernel_cap_t *permitted); |
1028 |
+-int security_capable(int cap); |
1029 |
++int security_capable(const struct cred *cred, int cap); |
1030 |
+ int security_real_capable(struct task_struct *tsk, int cap); |
1031 |
+ int security_real_capable_noaudit(struct task_struct *tsk, int cap); |
1032 |
+ int security_sysctl(struct ctl_table *table, int op); |
1033 |
+@@ -1857,9 +1858,9 @@ static inline int security_capset(struct |
1034 |
+ return cap_capset(new, old, effective, inheritable, permitted); |
1035 |
+ } |
1036 |
+ |
1037 |
+-static inline int security_capable(int cap) |
1038 |
++static inline int security_capable(const struct cred *cred, int cap) |
1039 |
+ { |
1040 |
+- return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT); |
1041 |
++ return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT); |
1042 |
+ } |
1043 |
+ |
1044 |
+ static inline int security_real_capable(struct task_struct *tsk, int cap) |
1045 |
diff -urNp linux-2.6.37/include/linux/shm.h linux-2.6.37/include/linux/shm.h |
1046 |
--- linux-2.6.37/include/linux/shm.h 2011-01-04 19:50:19.000000000 -0500 |
1047 |
+++ linux-2.6.37/include/linux/shm.h 2011-01-17 02:41:02.000000000 -0500 |
1048 |
@@ -49247,7 +49324,7 @@ diff -urNp linux-2.6.37/kernel/acct.c linux-2.6.37/kernel/acct.c |
1049 |
set_fs(fs); |
1050 |
diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c |
1051 |
--- linux-2.6.37/kernel/capability.c 2011-01-04 19:50:19.000000000 -0500 |
1052 |
-+++ linux-2.6.37/kernel/capability.c 2011-01-17 02:41:02.000000000 -0500 |
1053 |
++++ linux-2.6.37/kernel/capability.c 2011-02-12 11:48:20.000000000 -0500 |
1054 |
@@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_ |
1055 |
* before modification is attempted and the application |
1056 |
* fails. |
1057 |
@@ -49263,7 +49340,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c |
1058 |
} |
1059 |
|
1060 |
- if (security_capable(cap) == 0) { |
1061 |
-+ if (security_capable(cap) == 0 && gr_is_capable(cap)) { |
1062 |
++ if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) { |
1063 |
current->flags |= PF_SUPERPRIV; |
1064 |
return 1; |
1065 |
} |
1066 |
@@ -49277,7 +49354,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c |
1067 |
+ BUG(); |
1068 |
+ } |
1069 |
+ |
1070 |
-+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) { |
1071 |
++ if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) { |
1072 |
+ current->flags |= PF_SUPERPRIV; |
1073 |
+ return 1; |
1074 |
+ } |
1075 |
@@ -49322,7 +49399,24 @@ diff -urNp linux-2.6.37/kernel/configs.c linux-2.6.37/kernel/configs.c |
1076 |
|
1077 |
diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c |
1078 |
--- linux-2.6.37/kernel/cred.c 2011-01-04 19:50:19.000000000 -0500 |
1079 |
-+++ linux-2.6.37/kernel/cred.c 2011-01-17 02:41:02.000000000 -0500 |
1080 |
++++ linux-2.6.37/kernel/cred.c 2011-02-12 11:03:34.000000000 -0500 |
1081 |
+@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void) |
1082 |
+ #endif |
1083 |
+ |
1084 |
+ atomic_set(&new->usage, 1); |
1085 |
++#ifdef CONFIG_DEBUG_CREDENTIALS |
1086 |
++ new->magic = CRED_MAGIC; |
1087 |
++#endif |
1088 |
+ |
1089 |
+ if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) |
1090 |
+ goto error; |
1091 |
+ |
1092 |
+-#ifdef CONFIG_DEBUG_CREDENTIALS |
1093 |
+- new->magic = CRED_MAGIC; |
1094 |
+-#endif |
1095 |
+ return new; |
1096 |
+ |
1097 |
+ error: |
1098 |
@@ -483,6 +483,8 @@ int commit_creds(struct cred *new) |
1099 |
|
1100 |
get_cred(new); /* we will require a ref for the subj creds too */ |
1101 |
@@ -49332,6 +49426,37 @@ diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c |
1102 |
/* dumpability changes */ |
1103 |
if (old->euid != new->euid || |
1104 |
old->egid != new->egid || |
1105 |
+@@ -657,6 +659,8 @@ struct cred *prepare_kernel_cred(struct |
1106 |
+ validate_creds(old); |
1107 |
+ |
1108 |
+ *new = *old; |
1109 |
++ atomic_set(&new->usage, 1); |
1110 |
++ set_cred_subscribers(new, 0); |
1111 |
+ get_uid(new->user); |
1112 |
+ get_group_info(new->group_info); |
1113 |
+ |
1114 |
+@@ -674,8 +678,6 @@ struct cred *prepare_kernel_cred(struct |
1115 |
+ if (security_prepare_creds(new, old, GFP_KERNEL) < 0) |
1116 |
+ goto error; |
1117 |
+ |
1118 |
+- atomic_set(&new->usage, 1); |
1119 |
+- set_cred_subscribers(new, 0); |
1120 |
+ put_cred(old); |
1121 |
+ validate_creds(new); |
1122 |
+ return new; |
1123 |
+@@ -748,7 +750,11 @@ bool creds_are_invalid(const struct cred |
1124 |
+ if (cred->magic != CRED_MAGIC) |
1125 |
+ return true; |
1126 |
+ #ifdef CONFIG_SECURITY_SELINUX |
1127 |
+- if (selinux_is_enabled()) { |
1128 |
++ /* |
1129 |
++ * cred->security == NULL if security_cred_alloc_blank() or |
1130 |
++ * security_prepare_creds() returned an error. |
1131 |
++ */ |
1132 |
++ if (selinux_is_enabled() && cred->security) { |
1133 |
+ if ((unsigned long) cred->security < PAGE_SIZE) |
1134 |
+ return true; |
1135 |
+ if ((*(u32 *)cred->security & 0xffffff00) == |
1136 |
diff -urNp linux-2.6.37/kernel/debug/debug_core.c linux-2.6.37/kernel/debug/debug_core.c |
1137 |
--- linux-2.6.37/kernel/debug/debug_core.c 2011-01-04 19:50:19.000000000 -0500 |
1138 |
+++ linux-2.6.37/kernel/debug/debug_core.c 2011-01-17 02:41:02.000000000 -0500 |
1139 |
@@ -50099,8 +50224,8 @@ diff -urNp linux-2.6.37/kernel/kallsyms.c linux-2.6.37/kernel/kallsyms.c |
1140 |
reset_iter(iter, 0); |
1141 |
diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c |
1142 |
--- linux-2.6.37/kernel/kmod.c 2011-01-04 19:50:19.000000000 -0500 |
1143 |
-+++ linux-2.6.37/kernel/kmod.c 2011-01-17 02:41:02.000000000 -0500 |
1144 |
-@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch |
1145 |
++++ linux-2.6.37/kernel/kmod.c 2011-02-12 10:56:18.000000000 -0500 |
1146 |
+@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch |
1147 |
if (ret) |
1148 |
return ret; |
1149 |
|
1150 |
@@ -50111,7 +50236,17 @@ diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c |
1151 |
+ auto-loaded |
1152 |
+ */ |
1153 |
+ if (current_uid()) { |
1154 |
-+ gr_log_nonroot_mod_load(module_name); |
1155 |
++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE) |
1156 |
++ /* There are known knowns. These are things we know |
1157 |
++ that we know. There are known unknowns. That is to say, |
1158 |
++ there are things that we know we don't know. But there are |
1159 |
++ also unknown unknowns. There are things we don't know |
1160 |
++ we don't know. |
1161 |
++ This here is a known unknown. |
1162 |
++ */ |
1163 |
++ if (strcmp(module_name, "net-pf-10")) |
1164 |
++#endif |
1165 |
++ gr_log_nonroot_mod_load(module_name); |
1166 |
+ return -EPERM; |
1167 |
+ } |
1168 |
+#endif |
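Review bot: The comment added inside `if (current_uid())` is a quotation and does not say what the code does. A reader has to infer that, on kernels built without IPv6, non-root requests for `net-pf-10` are still denied with -EPERM but are no longer logged. The unbraced `if (strcmp(module_name, "net-pf-10"))` also has its body on the far side of `#endif`, so an extra statement added there later would change what the condition guards. I would replace the comment with `/* IPv6 is not built: non-root net-pf-10 requests are expected, deny them without logging */` and brace the call, `if (strcmp(module_name, "net-pf-10")) {` … `}`, with the closing brace inside its own `#if`. __request_module continues outside the hunk.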
1169 |
@@ -50203,7 +50338,7 @@ diff -urNp linux-2.6.37/kernel/lockdep_proc.c linux-2.6.37/kernel/lockdep_proc.c |
1170 |
if (!name) { |
1171 |
diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c |
1172 |
--- linux-2.6.37/kernel/module.c 2011-01-04 19:50:19.000000000 -0500 |
1173 |
-+++ linux-2.6.37/kernel/module.c 2011-01-17 02:41:02.000000000 -0500 |
1174 |
++++ linux-2.6.37/kernel/module.c 2011-02-02 20:28:40.000000000 -0500 |
1175 |
@@ -97,7 +97,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not |
1176 |
|
1177 |
/* Bounds of module allocation, for speeding __module_address. |
1178 |
@@ -50241,6 +50376,15 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c |
1179 |
printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n", |
1180 |
mod->name, align, PAGE_SIZE); |
1181 |
align = PAGE_SIZE; |
1182 |
+@@ -1122,7 +1123,7 @@ resolve_symbol_wait(struct module *mod, |
1183 |
+ */ |
1184 |
+ #ifdef CONFIG_SYSFS |
1185 |
+ |
1186 |
+-#ifdef CONFIG_KALLSYMS |
1187 |
++#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM) |
1188 |
+ static inline bool sect_empty(const Elf_Shdr *sect) |
1189 |
+ { |
1190 |
+ return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0; |
1191 |
@@ -1566,15 +1567,18 @@ static void free_module(struct module *m |
1192 |
destroy_params(mod->kp, mod->num_kp); |
1193 |
|
1194 |
@@ -50461,10 +50605,8 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c |
1195 |
+ if (!ptr) { |
1196 |
+ module_free(mod, mod->module_init_rw); |
1197 |
+ module_free(mod, mod->module_core_rw); |
1198 |
- return -ENOMEM; |
1199 |
- } |
1200 |
-- memset(ptr, 0, mod->init_size); |
1201 |
-- mod->module_init = ptr; |
1202 |
++ return -ENOMEM; |
1203 |
++ } |
1204 |
+ |
1205 |
+ pax_open_kernel(); |
1206 |
+ memset(ptr, 0, mod->core_size_rx); |
1207 |
@@ -50477,8 +50619,10 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c |
1208 |
+ module_free_exec(mod, mod->module_core_rx); |
1209 |
+ module_free(mod, mod->module_init_rw); |
1210 |
+ module_free(mod, mod->module_core_rw); |
1211 |
-+ return -ENOMEM; |
1212 |
-+ } |
1213 |
+ return -ENOMEM; |
1214 |
+ } |
1215 |
+- memset(ptr, 0, mod->init_size); |
1216 |
+- mod->module_init = ptr; |
1217 |
+ |
1218 |
+ pax_open_kernel(); |
1219 |
+ memset(ptr, 0, mod->init_size_rx); |
1220 |
@@ -50893,7 +51037,7 @@ diff -urNp linux-2.6.37/kernel/printk.c linux-2.6.37/kernel/printk.c |
1221 |
* at open time. |
1222 |
diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c |
1223 |
--- linux-2.6.37/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500 |
1224 |
-+++ linux-2.6.37/kernel/ptrace.c 2011-01-17 02:41:02.000000000 -0500 |
1225 |
++++ linux-2.6.37/kernel/ptrace.c 2011-02-12 10:37:18.000000000 -0500 |
1226 |
@@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru |
1227 |
cred->gid != tcred->egid || |
1228 |
cred->gid != tcred->sgid || |
1229 |
@@ -50921,6 +51065,15 @@ diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c |
1230 |
task->ptrace |= PT_PTRACE_CAP; |
1231 |
|
1232 |
__ptrace_link(task, current); |
1233 |
+@@ -313,7 +313,7 @@ int ptrace_detach(struct task_struct *ch |
1234 |
+ child->exit_code = data; |
1235 |
+ dead = __ptrace_detach(current, child); |
1236 |
+ if (!child->exit_state) |
1237 |
+- wake_up_process(child); |
1238 |
++ wake_up_state(child, TASK_TRACED | TASK_STOPPED); |
1239 |
+ } |
1240 |
+ write_unlock_irq(&tasklist_lock); |
1241 |
+ |
1242 |
@@ -369,7 +369,7 @@ int ptrace_readdata(struct task_struct * |
1243 |
break; |
1244 |
return -EIO; |
1245 |
@@ -51105,7 +51258,7 @@ diff -urNp linux-2.6.37/kernel/sched_fair.c linux-2.6.37/kernel/sched_fair.c |
1246 |
struct rq *this_rq = cpu_rq(this_cpu); |
1247 |
diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c |
1248 |
--- linux-2.6.37/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500 |
1249 |
-+++ linux-2.6.37/kernel/signal.c 2011-01-17 02:41:02.000000000 -0500 |
1250 |
++++ linux-2.6.37/kernel/signal.c 2011-02-12 11:22:39.000000000 -0500 |
1251 |
@@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache |
1252 |
|
1253 |
int print_fatal_signals __read_mostly; |
1254 |
@@ -51168,17 +51321,34 @@ diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c |
1255 |
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) |
1256 |
{ |
1257 |
return send_signal(sig, info, t, 0); |
1258 |
-@@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo * |
1259 |
+@@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo * |
1260 |
+ unsigned long int flags; |
1261 |
+ int ret, blocked, ignored; |
1262 |
+ struct k_sigaction *action; |
1263 |
++ int is_unhandled = 0; |
1264 |
+ |
1265 |
+ spin_lock_irqsave(&t->sighand->siglock, flags); |
1266 |
+ action = &t->sighand->action[sig-1]; |
1267 |
+@@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo * |
1268 |
+ } |
1269 |
+ if (action->sa.sa_handler == SIG_DFL) |
1270 |
+ t->signal->flags &= ~SIGNAL_UNKILLABLE; |
1271 |
++ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL) |
1272 |
++ is_unhandled = 1; |
1273 |
ret = specific_send_sig_info(sig, info, t); |
1274 |
spin_unlock_irqrestore(&t->sighand->siglock, flags); |
1275 |
|
1276 |
-+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); |
1277 |
-+ gr_handle_crash(t, sig); |
1278 |
++ /* only deal with unhandled signals, java etc trigger SIGSEGV during |
1279 |
++ normal operation */ |
1280 |
++ if (is_unhandled) { |
1281 |
++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); |
1282 |
++ gr_handle_crash(t, sig); |
1283 |
++ } |
1284 |
+ |
1285 |
return ret; |
1286 |
} |
1287 |
|
1288 |
-@@ -1137,8 +1146,11 @@ int group_send_sig_info(int sig, struct |
1289 |
+@@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct |
1290 |
ret = check_kill_permission(sig, info, p); |
1291 |
rcu_read_unlock(); |
1292 |
|
1293 |
@@ -53219,7 +53389,7 @@ diff -urNp linux-2.6.37/mm/mlock.c linux-2.6.37/mm/mlock.c |
1294 |
ret = do_mlockall(flags); |
1295 |
diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1296 |
--- linux-2.6.37/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500 |
1297 |
-+++ linux-2.6.37/mm/mmap.c 2011-01-17 02:41:02.000000000 -0500 |
1298 |
++++ linux-2.6.37/mm/mmap.c 2011-02-12 11:36:29.000000000 -0500 |
1299 |
@@ -45,6 +45,16 @@ |
1300 |
#define arch_rebalance_pgtables(addr, len) (addr) |
1301 |
#endif |
1302 |
@@ -53442,12 +53612,13 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1303 |
if (addr & ~PAGE_MASK) |
1304 |
return addr; |
1305 |
|
1306 |
-@@ -1016,6 +1093,31 @@ unsigned long do_mmap_pgoff(struct file |
1307 |
+@@ -1016,6 +1093,36 @@ unsigned long do_mmap_pgoff(struct file |
1308 |
vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | |
1309 |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; |
1310 |
|
1311 |
+#ifdef CONFIG_PAX_MPROTECT |
1312 |
+ if (mm->pax_flags & MF_PAX_MPROTECT) { |
1313 |
++#ifndef CONFIG_PAX_MPROTECT_COMPAT |
1314 |
+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) { |
1315 |
+ gr_log_rwxmmap(file); |
1316 |
+ |
1317 |
@@ -53461,6 +53632,10 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1318 |
+ |
1319 |
+ if (!(vm_flags & VM_EXEC)) |
1320 |
+ vm_flags &= ~VM_MAYEXEC; |
1321 |
++#else |
1322 |
++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) |
1323 |
++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); |
1324 |
++#endif |
1325 |
+ else |
1326 |
+ vm_flags &= ~VM_MAYWRITE; |
1327 |
+ } |
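Review bot: The CONFIG_PAX_MPROTECT_COMPAT branch added here demotes a writable and executable request without any log call, while the non-compat branch in the preceding hunk calls `gr_log_rwxmmap(file)` before it refuses. The Kconfig help on this page points to the RWX logging option as the way to find userland that needs fixing. With compat enabled, those requests succeed with execute stripped and leave no trace. Consider logging before the demotion, e.g. `if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) gr_log_rwxmmap(file);`, so administrators keep visibility of which binaries rely on the compat path. do_mmap_pgoff starts and ends outside the hunk.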
1328 |
@@ -53474,7 +53649,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1329 |
if (flags & MAP_LOCKED) |
1330 |
if (!can_do_mlock()) |
1331 |
return -EPERM; |
1332 |
-@@ -1027,6 +1129,7 @@ unsigned long do_mmap_pgoff(struct file |
1333 |
+@@ -1027,6 +1134,7 @@ unsigned long do_mmap_pgoff(struct file |
1334 |
locked += mm->locked_vm; |
1335 |
lock_limit = rlimit(RLIMIT_MEMLOCK); |
1336 |
lock_limit >>= PAGE_SHIFT; |
1337 |
@@ -53482,7 +53657,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1338 |
if (locked > lock_limit && !capable(CAP_IPC_LOCK)) |
1339 |
return -EAGAIN; |
1340 |
} |
1341 |
-@@ -1097,6 +1200,9 @@ unsigned long do_mmap_pgoff(struct file |
1342 |
+@@ -1097,6 +1205,9 @@ unsigned long do_mmap_pgoff(struct file |
1343 |
if (error) |
1344 |
return error; |
1345 |
|
1346 |
@@ -53492,7 +53667,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1347 |
return mmap_region(file, addr, len, flags, vm_flags, pgoff); |
1348 |
} |
1349 |
EXPORT_SYMBOL(do_mmap_pgoff); |
1350 |
-@@ -1174,10 +1280,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar |
1351 |
+@@ -1174,10 +1285,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar |
1352 |
*/ |
1353 |
int vma_wants_writenotify(struct vm_area_struct *vma) |
1354 |
{ |
1355 |
@@ -53505,7 +53680,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1356 |
return 0; |
1357 |
|
1358 |
/* The backer wishes to know when pages are first written to? */ |
1359 |
-@@ -1226,14 +1332,24 @@ unsigned long mmap_region(struct file *f |
1360 |
+@@ -1226,14 +1337,24 @@ unsigned long mmap_region(struct file *f |
1361 |
unsigned long charged = 0; |
1362 |
struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; |
1363 |
|
1364 |
@@ -53532,7 +53707,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1365 |
} |
1366 |
|
1367 |
/* Check against address space limit. */ |
1368 |
-@@ -1282,6 +1398,16 @@ munmap_back: |
1369 |
+@@ -1282,6 +1403,16 @@ munmap_back: |
1370 |
goto unacct_error; |
1371 |
} |
1372 |
|
1373 |
@@ -53549,7 +53724,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1374 |
vma->vm_mm = mm; |
1375 |
vma->vm_start = addr; |
1376 |
vma->vm_end = addr + len; |
1377 |
-@@ -1305,6 +1431,19 @@ munmap_back: |
1378 |
+@@ -1305,6 +1436,19 @@ munmap_back: |
1379 |
error = file->f_op->mmap(file, vma); |
1380 |
if (error) |
1381 |
goto unmap_and_free_vma; |
1382 |
@@ -53569,7 +53744,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1383 |
if (vm_flags & VM_EXECUTABLE) |
1384 |
added_exe_file_vma(mm); |
1385 |
|
1386 |
-@@ -1340,6 +1479,11 @@ munmap_back: |
1387 |
+@@ -1340,6 +1484,11 @@ munmap_back: |
1388 |
vma_link(mm, vma, prev, rb_link, rb_parent); |
1389 |
file = vma->vm_file; |
1390 |
|
1391 |
@@ -53581,7 +53756,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1392 |
/* Once vma denies write, undo our temporary denial count */ |
1393 |
if (correct_wcount) |
1394 |
atomic_inc(&inode->i_writecount); |
1395 |
-@@ -1348,6 +1492,7 @@ out: |
1396 |
+@@ -1348,6 +1497,7 @@ out: |
1397 |
|
1398 |
mm->total_vm += len >> PAGE_SHIFT; |
1399 |
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); |
1400 |
@@ -53589,7 +53764,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1401 |
if (vm_flags & VM_LOCKED) { |
1402 |
if (!mlock_vma_pages_range(vma, addr, addr + len)) |
1403 |
mm->locked_vm += (len >> PAGE_SHIFT); |
1404 |
-@@ -1365,6 +1510,12 @@ unmap_and_free_vma: |
1405 |
+@@ -1365,6 +1515,12 @@ unmap_and_free_vma: |
1406 |
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); |
1407 |
charged = 0; |
1408 |
free_vma: |
1409 |
@@ -53602,7 +53777,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1410 |
kmem_cache_free(vm_area_cachep, vma); |
1411 |
unacct_error: |
1412 |
if (charged) |
1413 |
-@@ -1372,6 +1523,33 @@ unacct_error: |
1414 |
+@@ -1372,6 +1528,33 @@ unacct_error: |
1415 |
return error; |
1416 |
} |
1417 |
|
1418 |
@@ -53636,7 +53811,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1419 |
/* Get an address range which is currently unmapped. |
1420 |
* For shmat() with addr=0. |
1421 |
* |
1422 |
-@@ -1398,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp |
1423 |
+@@ -1398,18 +1581,23 @@ arch_get_unmapped_area(struct file *filp |
1424 |
if (flags & MAP_FIXED) |
1425 |
return addr; |
1426 |
|
1427 |
@@ -53667,7 +53842,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1428 |
} |
1429 |
|
1430 |
full_search: |
1431 |
-@@ -1420,34 +1603,40 @@ full_search: |
1432 |
+@@ -1420,34 +1608,40 @@ full_search: |
1433 |
* Start a new search - just in case we missed |
1434 |
* some holes. |
1435 |
*/ |
1436 |
@@ -53719,7 +53894,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1437 |
mm->free_area_cache = addr; |
1438 |
mm->cached_hole_size = ~0UL; |
1439 |
} |
1440 |
-@@ -1465,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi |
1441 |
+@@ -1465,7 +1659,7 @@ arch_get_unmapped_area_topdown(struct fi |
1442 |
{ |
1443 |
struct vm_area_struct *vma; |
1444 |
struct mm_struct *mm = current->mm; |
1445 |
@@ -53728,7 +53903,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1446 |
|
1447 |
/* requested length too big for entire address space */ |
1448 |
if (len > TASK_SIZE) |
1449 |
-@@ -1474,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi |
1450 |
+@@ -1474,13 +1668,18 @@ arch_get_unmapped_area_topdown(struct fi |
1451 |
if (flags & MAP_FIXED) |
1452 |
return addr; |
1453 |
|
1454 |
@@ -53751,7 +53926,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1455 |
} |
1456 |
|
1457 |
/* check if free_area_cache is useful for us */ |
1458 |
-@@ -1495,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi |
1459 |
+@@ -1495,7 +1694,7 @@ arch_get_unmapped_area_topdown(struct fi |
1460 |
/* make sure it can fit in the remaining address space */ |
1461 |
if (addr > len) { |
1462 |
vma = find_vma(mm, addr-len); |
1463 |
@@ -53760,7 +53935,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1464 |
/* remember the address as a hint for next time */ |
1465 |
return (mm->free_area_cache = addr-len); |
1466 |
} |
1467 |
-@@ -1512,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi |
1468 |
+@@ -1512,7 +1711,7 @@ arch_get_unmapped_area_topdown(struct fi |
1469 |
* return with success: |
1470 |
*/ |
1471 |
vma = find_vma(mm, addr); |
1472 |
@@ -53769,7 +53944,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1473 |
/* remember the address as a hint for next time */ |
1474 |
return (mm->free_area_cache = addr); |
1475 |
|
1476 |
-@@ -1531,13 +1725,21 @@ bottomup: |
1477 |
+@@ -1531,13 +1730,21 @@ bottomup: |
1478 |
* can happen with large stack limits and large mmap() |
1479 |
* allocations. |
1480 |
*/ |
1481 |
@@ -53793,7 +53968,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1482 |
mm->cached_hole_size = ~0UL; |
1483 |
|
1484 |
return addr; |
1485 |
-@@ -1546,6 +1748,12 @@ bottomup: |
1486 |
+@@ -1546,6 +1753,12 @@ bottomup: |
1487 |
|
1488 |
void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) |
1489 |
{ |
1490 |
@@ -53806,7 +53981,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1491 |
/* |
1492 |
* Is this a new hole at the highest possible address? |
1493 |
*/ |
1494 |
-@@ -1553,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s |
1495 |
+@@ -1553,8 +1766,10 @@ void arch_unmap_area_topdown(struct mm_s |
1496 |
mm->free_area_cache = addr; |
1497 |
|
1498 |
/* dont allow allocations above current base */ |
1499 |
@@ -53818,7 +53993,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1500 |
} |
1501 |
|
1502 |
unsigned long |
1503 |
-@@ -1662,6 +1872,28 @@ out: |
1504 |
+@@ -1662,6 +1877,28 @@ out: |
1505 |
return prev ? prev->vm_next : vma; |
1506 |
} |
1507 |
|
1508 |
@@ -53847,7 +54022,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1509 |
/* |
1510 |
* Verify that the stack growth is acceptable and |
1511 |
* update accounting. This is shared with both the |
1512 |
-@@ -1678,6 +1910,7 @@ static int acct_stack_growth(struct vm_a |
1513 |
+@@ -1678,6 +1915,7 @@ static int acct_stack_growth(struct vm_a |
1514 |
return -ENOMEM; |
1515 |
|
1516 |
/* Stack limit test */ |
1517 |
@@ -53855,7 +54030,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1518 |
if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) |
1519 |
return -ENOMEM; |
1520 |
|
1521 |
-@@ -1688,6 +1921,7 @@ static int acct_stack_growth(struct vm_a |
1522 |
+@@ -1688,6 +1926,7 @@ static int acct_stack_growth(struct vm_a |
1523 |
locked = mm->locked_vm + grow; |
1524 |
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); |
1525 |
limit >>= PAGE_SHIFT; |
1526 |
@@ -53863,7 +54038,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1527 |
if (locked > limit && !capable(CAP_IPC_LOCK)) |
1528 |
return -ENOMEM; |
1529 |
} |
1530 |
-@@ -1718,37 +1952,48 @@ static int acct_stack_growth(struct vm_a |
1531 |
+@@ -1718,37 +1957,48 @@ static int acct_stack_growth(struct vm_a |
1532 |
* PA-RISC uses this for its stack; IA64 for its Register Backing Store. |
1533 |
* vma is the last one with address > vma->vm_end. Have to extend vma. |
1534 |
*/ |
1535 |
@@ -53921,7 +54096,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1536 |
unsigned long size, grow; |
1537 |
|
1538 |
size = address - vma->vm_start; |
1539 |
-@@ -1760,6 +2005,8 @@ int expand_upwards(struct vm_area_struct |
1540 |
+@@ -1760,6 +2010,8 @@ int expand_upwards(struct vm_area_struct |
1541 |
perf_event_mmap(vma); |
1542 |
} |
1543 |
} |
1544 |
@@ -53930,7 +54105,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1545 |
vma_unlock_anon_vma(vma); |
1546 |
return error; |
1547 |
} |
1548 |
-@@ -1772,6 +2019,8 @@ static int expand_downwards(struct vm_ar |
1549 |
+@@ -1772,6 +2024,8 @@ static int expand_downwards(struct vm_ar |
1550 |
unsigned long address) |
1551 |
{ |
1552 |
int error; |
1553 |
@@ -53939,7 +54114,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1554 |
|
1555 |
/* |
1556 |
* We must make sure the anon_vma is allocated |
1557 |
-@@ -1785,6 +2034,15 @@ static int expand_downwards(struct vm_ar |
1558 |
+@@ -1785,6 +2039,15 @@ static int expand_downwards(struct vm_ar |
1559 |
if (error) |
1560 |
return error; |
1561 |
|
1562 |
@@ -53955,7 +54130,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1563 |
vma_lock_anon_vma(vma); |
1564 |
|
1565 |
/* |
1566 |
-@@ -1794,9 +2052,17 @@ static int expand_downwards(struct vm_ar |
1567 |
+@@ -1794,9 +2057,17 @@ static int expand_downwards(struct vm_ar |
1568 |
*/ |
1569 |
|
1570 |
/* Somebody else might have raced and expanded it already */ |
1571 |
@@ -53974,7 +54149,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1572 |
size = vma->vm_end - address; |
1573 |
grow = (vma->vm_start - address) >> PAGE_SHIFT; |
1574 |
|
1575 |
-@@ -1804,10 +2070,21 @@ static int expand_downwards(struct vm_ar |
1576 |
+@@ -1804,10 +2075,21 @@ static int expand_downwards(struct vm_ar |
1577 |
if (!error) { |
1578 |
vma->vm_start = address; |
1579 |
vma->vm_pgoff -= grow; |
1580 |
@@ -53996,7 +54171,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1581 |
return error; |
1582 |
} |
1583 |
|
1584 |
-@@ -1881,6 +2158,13 @@ static void remove_vma_list(struct mm_st |
1585 |
+@@ -1881,6 +2163,13 @@ static void remove_vma_list(struct mm_st |
1586 |
do { |
1587 |
long nrpages = vma_pages(vma); |
1588 |
|
1589 |
@@ -54010,7 +54185,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1590 |
mm->total_vm -= nrpages; |
1591 |
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); |
1592 |
vma = remove_vma(vma); |
1593 |
-@@ -1926,6 +2210,16 @@ detach_vmas_to_be_unmapped(struct mm_str |
1594 |
+@@ -1926,6 +2215,16 @@ detach_vmas_to_be_unmapped(struct mm_str |
1595 |
insertion_point = (prev ? &prev->vm_next : &mm->mmap); |
1596 |
vma->vm_prev = NULL; |
1597 |
do { |
1598 |
@@ -54027,7 +54202,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1599 |
rb_erase(&vma->vm_rb, &mm->mm_rb); |
1600 |
mm->map_count--; |
1601 |
tail_vma = vma; |
1602 |
-@@ -1954,14 +2248,33 @@ static int __split_vma(struct mm_struct |
1603 |
+@@ -1954,14 +2253,33 @@ static int __split_vma(struct mm_struct |
1604 |
struct vm_area_struct *new; |
1605 |
int err = -ENOMEM; |
1606 |
|
1607 |
@@ -54061,7 +54236,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1608 |
/* most fields are the same, copy all, and then fixup */ |
1609 |
*new = *vma; |
1610 |
|
1611 |
-@@ -1974,6 +2287,22 @@ static int __split_vma(struct mm_struct |
1612 |
+@@ -1974,6 +2292,22 @@ static int __split_vma(struct mm_struct |
1613 |
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); |
1614 |
} |
1615 |
|
1616 |
@@ -54084,7 +54259,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1617 |
pol = mpol_dup(vma_policy(vma)); |
1618 |
if (IS_ERR(pol)) { |
1619 |
err = PTR_ERR(pol); |
1620 |
-@@ -1999,6 +2328,42 @@ static int __split_vma(struct mm_struct |
1621 |
+@@ -1999,6 +2333,42 @@ static int __split_vma(struct mm_struct |
1622 |
else |
1623 |
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); |
1624 |
|
1625 |
@@ -54127,7 +54302,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1626 |
/* Success. */ |
1627 |
if (!err) |
1628 |
return 0; |
1629 |
-@@ -2011,10 +2376,18 @@ static int __split_vma(struct mm_struct |
1630 |
+@@ -2011,10 +2381,18 @@ static int __split_vma(struct mm_struct |
1631 |
removed_exe_file_vma(mm); |
1632 |
fput(new->vm_file); |
1633 |
} |
1634 |
@@ -54147,7 +54322,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1635 |
kmem_cache_free(vm_area_cachep, new); |
1636 |
out_err: |
1637 |
return err; |
1638 |
-@@ -2027,6 +2400,15 @@ static int __split_vma(struct mm_struct |
1639 |
+@@ -2027,6 +2405,15 @@ static int __split_vma(struct mm_struct |
1640 |
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, |
1641 |
unsigned long addr, int new_below) |
1642 |
{ |
1643 |
@@ -54163,7 +54338,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1644 |
if (mm->map_count >= sysctl_max_map_count) |
1645 |
return -ENOMEM; |
1646 |
|
1647 |
-@@ -2038,11 +2420,30 @@ int split_vma(struct mm_struct *mm, stru |
1648 |
+@@ -2038,11 +2425,30 @@ int split_vma(struct mm_struct *mm, stru |
1649 |
* work. This now handles partial unmappings. |
1650 |
* Jeremy Fitzhardinge <jeremy@××××.org> |
1651 |
*/ |
1652 |
@@ -54194,7 +54369,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1653 |
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) |
1654 |
return -EINVAL; |
1655 |
|
1656 |
-@@ -2116,6 +2517,8 @@ int do_munmap(struct mm_struct *mm, unsi |
1657 |
+@@ -2116,6 +2522,8 @@ int do_munmap(struct mm_struct *mm, unsi |
1658 |
/* Fix up all other VM information */ |
1659 |
remove_vma_list(mm, vma); |
1660 |
|
1661 |
@@ -54203,7 +54378,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1662 |
return 0; |
1663 |
} |
1664 |
|
1665 |
-@@ -2128,22 +2531,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a |
1666 |
+@@ -2128,22 +2536,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a |
1667 |
|
1668 |
profile_munmap(addr); |
1669 |
|
1670 |
@@ -54232,7 +54407,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1671 |
/* |
1672 |
* this is really a simplified "do_mmap". it only handles |
1673 |
* anonymous maps. eventually we may be able to do some |
1674 |
-@@ -2157,6 +2556,7 @@ unsigned long do_brk(unsigned long addr, |
1675 |
+@@ -2157,6 +2561,7 @@ unsigned long do_brk(unsigned long addr, |
1676 |
struct rb_node ** rb_link, * rb_parent; |
1677 |
pgoff_t pgoff = addr >> PAGE_SHIFT; |
1678 |
int error; |
1679 |
@@ -54240,7 +54415,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1680 |
|
1681 |
len = PAGE_ALIGN(len); |
1682 |
if (!len) |
1683 |
-@@ -2168,16 +2568,30 @@ unsigned long do_brk(unsigned long addr, |
1684 |
+@@ -2168,16 +2573,30 @@ unsigned long do_brk(unsigned long addr, |
1685 |
|
1686 |
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; |
1687 |
|
1688 |
@@ -54272,7 +54447,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1689 |
locked += mm->locked_vm; |
1690 |
lock_limit = rlimit(RLIMIT_MEMLOCK); |
1691 |
lock_limit >>= PAGE_SHIFT; |
1692 |
-@@ -2194,22 +2608,22 @@ unsigned long do_brk(unsigned long addr, |
1693 |
+@@ -2194,22 +2613,22 @@ unsigned long do_brk(unsigned long addr, |
1694 |
/* |
1695 |
* Clear old maps. this also does some error checking for us |
1696 |
*/ |
1697 |
@@ -54299,7 +54474,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1698 |
return -ENOMEM; |
1699 |
|
1700 |
/* Can we just expand an old private anonymous mapping? */ |
1701 |
-@@ -2223,7 +2637,7 @@ unsigned long do_brk(unsigned long addr, |
1702 |
+@@ -2223,7 +2642,7 @@ unsigned long do_brk(unsigned long addr, |
1703 |
*/ |
1704 |
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); |
1705 |
if (!vma) { |
1706 |
@@ -54308,7 +54483,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1707 |
return -ENOMEM; |
1708 |
} |
1709 |
|
1710 |
-@@ -2237,11 +2651,12 @@ unsigned long do_brk(unsigned long addr, |
1711 |
+@@ -2237,11 +2656,12 @@ unsigned long do_brk(unsigned long addr, |
1712 |
vma_link(mm, vma, prev, rb_link, rb_parent); |
1713 |
out: |
1714 |
perf_event_mmap(vma); |
1715 |
@@ -54323,7 +54498,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1716 |
return addr; |
1717 |
} |
1718 |
|
1719 |
-@@ -2288,8 +2703,10 @@ void exit_mmap(struct mm_struct *mm) |
1720 |
+@@ -2288,8 +2708,10 @@ void exit_mmap(struct mm_struct *mm) |
1721 |
* Walk the list again, actually closing and freeing it, |
1722 |
* with preemption enabled, without holding any MM locks. |
1723 |
*/ |
1724 |
@@ -54335,7 +54510,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1725 |
|
1726 |
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); |
1727 |
} |
1728 |
-@@ -2303,6 +2720,13 @@ int insert_vm_struct(struct mm_struct * |
1729 |
+@@ -2303,6 +2725,13 @@ int insert_vm_struct(struct mm_struct * |
1730 |
struct vm_area_struct * __vma, * prev; |
1731 |
struct rb_node ** rb_link, * rb_parent; |
1732 |
|
1733 |
@@ -54349,7 +54524,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1734 |
/* |
1735 |
* The vm_pgoff of a purely anonymous vma should be irrelevant |
1736 |
* until its first write fault, when page's anon_vma and index |
1737 |
-@@ -2325,7 +2749,22 @@ int insert_vm_struct(struct mm_struct * |
1738 |
+@@ -2325,7 +2754,22 @@ int insert_vm_struct(struct mm_struct * |
1739 |
if ((vma->vm_flags & VM_ACCOUNT) && |
1740 |
security_vm_enough_memory_mm(mm, vma_pages(vma))) |
1741 |
return -ENOMEM; |
1742 |
@@ -54372,7 +54547,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1743 |
return 0; |
1744 |
} |
1745 |
|
1746 |
-@@ -2343,6 +2782,8 @@ struct vm_area_struct *copy_vma(struct v |
1747 |
+@@ -2343,6 +2787,8 @@ struct vm_area_struct *copy_vma(struct v |
1748 |
struct rb_node **rb_link, *rb_parent; |
1749 |
struct mempolicy *pol; |
1750 |
|
1751 |
@@ -54381,7 +54556,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1752 |
/* |
1753 |
* If anonymous vma has not yet been faulted, update new pgoff |
1754 |
* to match new location, to increase its chance of merging. |
1755 |
-@@ -2392,6 +2833,39 @@ struct vm_area_struct *copy_vma(struct v |
1756 |
+@@ -2392,6 +2838,39 @@ struct vm_area_struct *copy_vma(struct v |
1757 |
kmem_cache_free(vm_area_cachep, new_vma); |
1758 |
return NULL; |
1759 |
} |
1760 |
@@ -54421,7 +54596,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1761 |
|
1762 |
/* |
1763 |
* Return true if the calling process may expand its vm space by the passed |
1764 |
-@@ -2403,7 +2877,7 @@ int may_expand_vm(struct mm_struct *mm, |
1765 |
+@@ -2403,7 +2882,7 @@ int may_expand_vm(struct mm_struct *mm, |
1766 |
unsigned long lim; |
1767 |
|
1768 |
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; |
1769 |
@@ -54430,16 +54605,21 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c |
1770 |
if (cur + npages > lim) |
1771 |
return 0; |
1772 |
return 1; |
1773 |
-@@ -2474,6 +2948,17 @@ int install_special_mapping(struct mm_st |
1774 |
+@@ -2474,6 +2953,22 @@ int install_special_mapping(struct mm_st |
1775 |
vma->vm_start = addr; |
1776 |
vma->vm_end = addr + len; |
1777 |
|
1778 |
+#ifdef CONFIG_PAX_MPROTECT |
1779 |
+ if (mm->pax_flags & MF_PAX_MPROTECT) { |
1780 |
++#ifndef CONFIG_PAX_MPROTECT_COMPAT |
1781 |
+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) |
1782 |
+ return -EPERM; |
1783 |
+ if (!(vm_flags & VM_EXEC)) |
1784 |
+ vm_flags &= ~VM_MAYEXEC; |
1785 |
++#else |
1786 |
++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) |
1787 |
++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); |
1788 |
++#endif |
1789 |
+ else |
1790 |
+ vm_flags &= ~VM_MAYWRITE; |
1791 |
+ } |
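Review bot: The `return -EPERM;` in the non-compat branch, which this update keeps as context, leaves install_special_mapping after `vma->vm_start` and `vma->vm_end` have already been written. If `vma` was allocated earlier in the function (outside this hunk), that object is not released on this path. Sending the rejection through the function's existing error exit, or doing the writable+executable check before the allocation, would avoid that. Neither the allocation nor the error exit is visible here, so this needs checking against the full function.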
1792 |
@@ -57966,8 +58146,8 @@ diff -urNp linux-2.6.37/security/integrity/ima/ima_queue.c linux-2.6.37/security |
1793 |
return 0; |
1794 |
diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig |
1795 |
--- linux-2.6.37/security/Kconfig 2011-01-04 19:50:19.000000000 -0500 |
1796 |
-+++ linux-2.6.37/security/Kconfig 2011-01-17 02:41:02.000000000 -0500 |
1797 |
-@@ -4,6 +4,509 @@ |
1798 |
++++ linux-2.6.37/security/Kconfig 2011-02-12 11:32:56.000000000 -0500 |
1799 |
+@@ -4,6 +4,527 @@ |
1800 |
|
1801 |
menu "Security options" |
1802 |
|
1803 |
@@ -58213,6 +58393,24 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig |
1804 |
+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control |
1805 |
+ this feature on a per file basis. |
1806 |
+ |
1807 |
++config PAX_MPROTECT_COMPAT |
1808 |
++ bool "Use legacy/compat protection demoting (read help)" |
1809 |
++ depends on PAX_MPROTECT |
1810 |
++ default n |
1811 |
++ help |
1812 |
++ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects |
1813 |
++ by sending the proper error code to the application. For some broken |
1814 |
++ userland, this can cause problems with Python or other applications. The |
1815 |
++ current implementation however allows for applications like clamav to |
1816 |
++ detect if JIT compilation/execution is allowed and to fall back gracefully |
1817 |
++ to an interpreter-based mode if it does not. While we encourage everyone |
1818 |
++ to use the current implementation as-is and push upstream to fix broken |
1819 |
++ userland (note that the RWX logging option can assist with this), in some |
1820 |
++ environments this may not be possible. Having to disable MPROTECT |
1821 |
++ completely on certain binaries reduces the security benefit of PaX, |
1822 |
++ so this option is provided for those environments to revert to the old |
1823 |
++ behavior. |
1824 |
++ |
1825 |
+config PAX_ELFRELOCS |
1826 |
+ bool "Allow ELF text relocations (read help)" |
1827 |
+ depends on PAX_MPROTECT |
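Review bot: The help text for PAX_MPROTECT_COMPAT never states what "the old behavior" is, so someone enabling the option cannot tell what they are trading away. Going by the mm/mmap.c changes in this patch, it should say something like `With this option a writable+executable request is not refused; it succeeds with the executable permission silently removed.` The phrase "to fall back gracefully to an interpreter-based mode if it does not" also has no clear subject for "it"; "if it is not" reads correctly.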
1828 |
@@ -58477,7 +58675,7 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig |
1829 |
config KEYS |
1830 |
bool "Enable access key retention support" |
1831 |
help |
1832 |
-@@ -136,7 +639,7 @@ config INTEL_TXT |
1833 |
+@@ -136,7 +657,7 @@ config INTEL_TXT |
1834 |
config LSM_MMAP_MIN_ADDR |
1835 |
int "Low address space for LSM to protect from user allocation" |
1836 |
depends on SECURITY && SECURITY_SELINUX |
1837 |
@@ -58507,7 +58705,7 @@ diff -urNp linux-2.6.37/security/min_addr.c linux-2.6.37/security/min_addr.c |
1838 |
/* |
1839 |
diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c |
1840 |
--- linux-2.6.37/security/security.c 2011-01-04 19:50:19.000000000 -0500 |
1841 |
-+++ linux-2.6.37/security/security.c 2011-01-17 02:41:02.000000000 -0500 |
1842 |
++++ linux-2.6.37/security/security.c 2011-02-12 10:36:34.000000000 -0500 |
1843 |
@@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI |
1844 |
/* things that live in capability.c */ |
1845 |
extern void __init security_fixup_ops(struct security_operations *ops); |
1846 |
@@ -58529,9 +58727,22 @@ diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c |
1847 |
} |
1848 |
|
1849 |
/* Save user chosen LSM */ |
1850 |
+@@ -154,10 +156,9 @@ int security_capset(struct cred *new, co |
1851 |
+ effective, inheritable, permitted); |
1852 |
+ } |
1853 |
+ |
1854 |
+-int security_capable(int cap) |
1855 |
++int security_capable(const struct cred *cred, int cap) |
1856 |
+ { |
1857 |
+- return security_ops->capable(current, current_cred(), cap, |
1858 |
+- SECURITY_CAP_AUDIT); |
1859 |
++ return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT); |
1860 |
+ } |
1861 |
+ |
1862 |
+ int security_real_capable(struct task_struct *tsk, int cap) |
1863 |
diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/hooks.c |
1864 |
--- linux-2.6.37/security/selinux/hooks.c 2011-01-04 19:50:19.000000000 -0500 |
1865 |
-+++ linux-2.6.37/security/selinux/hooks.c 2011-01-17 02:41:02.000000000 -0500 |
1866 |
++++ linux-2.6.37/security/selinux/hooks.c 2011-02-12 11:02:14.000000000 -0500 |
1867 |
@@ -90,7 +90,6 @@ |
1868 |
#define NUM_SEL_MNT_OPTS 5 |
1869 |
|
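Review bot: security_capable() now accepts any `cred` but still hands `current` to `security_ops->capable()`, and nothing in the hunk says whether the two are expected to belong together. A short comment above the function would settle it, e.g. `/* cred is the credential set being checked; the task passed to the hook is always current */`. Every caller of the old one-argument form has to be converted in the same patch, and those call sites are outside this hunk.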
1870 |
@@ -58540,7 +58751,20 @@ diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/h |
1871 |
|
1872 |
/* SECMARK reference count */ |
1873 |
atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); |
1874 |
-@@ -5388,7 +5387,7 @@ static int selinux_key_getsecurity(struc |
1875 |
+@@ -3195,7 +3194,11 @@ static void selinux_cred_free(struct cre |
1876 |
+ { |
1877 |
+ struct task_security_struct *tsec = cred->security; |
1878 |
+ |
1879 |
+- BUG_ON((unsigned long) cred->security < PAGE_SIZE); |
1880 |
++ /* |
1881 |
++ * cred->security == NULL if security_cred_alloc_blank() or |
1882 |
++ * security_prepare_creds() returned an error. |
1883 |
++ */ |
1884 |
++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); |
1885 |
+ cred->security = (void *) 0x7UL; |
1886 |
+ kfree(tsec); |
1887 |
+ } |
1888 |
+@@ -5388,7 +5391,7 @@ static int selinux_key_getsecurity(struc |
1889 |
|
1890 |
#endif |