
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.37/, 2.6.32/
Date: Sun, 13 Feb 2011 17:04:45
Message-Id: 65c697fdf79d5963e55e40a17b1f148164143416.blueness@gentoo
1 commit: 65c697fdf79d5963e55e40a17b1f148164143416
2 Author: Anthony G. Basile <basile <AT> opensource <DOT> dyc <DOT> edu>
3 AuthorDate: Sun Feb 13 17:03:56 2011 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sun Feb 13 17:03:56 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=65c697fd
7
8 Update Grsec/PaX
9 2.2.1-2.6.32.28-201102121148
10 2.2.1-2.6.37-201102121148
11
12 ---
13 2.6.32/0000_README | 2 +-
14 ..._grsecurity-2.2.1-2.6.32.28-201102121148.patch} | 290 +++++++++++----
15 2.6.37/0000_README | 2 +-
16 ...420_grsecurity-2.2.1-2.6.37-201102121148.patch} | 392 +++++++++++++++-----
17 4 files changed, 523 insertions(+), 163 deletions(-)
18
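diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index d19cb36..c1feb8d 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
 
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch
+Patch: 4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 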
33 diff --git a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch b/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch
34 similarity index 99%
35 rename from 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch
36 rename to 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch
37 index 578be36..b1b6990 100644
38 --- a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch
39 +++ b/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch
40 @@ -8043,7 +8043,7 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mman.h linux-2.6.32.28/arch/x86/
41 #endif /* _ASM_X86_MMAN_H */
42 diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/arch/x86/include/asm/mmu_context.h
43 --- linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-08-13 16:24:37.000000000 -0400
44 -+++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-12-31 14:46:53.000000000 -0500
45 ++++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2011-02-12 11:05:01.000000000 -0500
46 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
47
48 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
49 @@ -8075,8 +8075,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/ar
50 +#endif
51
52 if (likely(prev != next)) {
53 - /* stop flush ipis for the previous mm */
54 - cpumask_clear_cpu(cpu, mm_cpumask(prev));
55 +- /* stop flush ipis for the previous mm */
56 +- cpumask_clear_cpu(cpu, mm_cpumask(prev));
57 #ifdef CONFIG_SMP
58 +#ifdef CONFIG_X86_32
59 + tlbstate = percpu_read(cpu_tlbstate.state);
60 @@ -8096,6 +8096,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/ar
61 +#else
62 load_cr3(next->pgd);
63 +#endif
64 ++ /* stop flush ipis for the previous mm */
65 ++ cpumask_clear_cpu(cpu, mm_cpumask(prev));
66
67 /*
68 * load the LDT, if the LDT is different:
69 @@ -32254,7 +32256,7 @@ diff -urNp linux-2.6.32.28/fs/ecryptfs/inode.c linux-2.6.32.28/fs/ecryptfs/inode
70 goto out_free;
71 diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32.28/fs/exec.c
72 --- linux-2.6.32.28/fs/exec.c 2011-01-11 23:55:35.000000000 -0500
73 -+++ linux-2.6.32.28/fs/exec.c 2011-01-11 23:56:03.000000000 -0500
74 ++++ linux-2.6.32.28/fs/exec.c 2011-02-12 11:21:23.000000000 -0500
75 @@ -56,12 +56,24 @@
76 #include <linux/fsnotify.h>
77 #include <linux/fs_struct.h>
78 @@ -32839,7 +32841,7 @@ diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32.28/fs/exec.c
79 */
80 clear_thread_flag(TIF_SIGPENDING);
81
82 -+ if (signr == SIGKILL || signr == SIGILL)
83 ++ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
84 + gr_handle_brute_attach(current);
85 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
86 +
87 @@ -51234,7 +51236,24 @@ diff -urNp linux-2.6.32.28/kernel/cpu.c linux-2.6.32.28/kernel/cpu.c
88 * Should always be manipulated under cpu_add_remove_lock
89 diff -urNp linux-2.6.32.28/kernel/cred.c linux-2.6.32.28/kernel/cred.c
90 --- linux-2.6.32.28/kernel/cred.c 2010-08-13 16:24:37.000000000 -0400
91 -+++ linux-2.6.32.28/kernel/cred.c 2010-12-31 14:46:53.000000000 -0500
92 ++++ linux-2.6.32.28/kernel/cred.c 2011-02-12 10:44:11.000000000 -0500
93 +@@ -231,13 +231,13 @@ struct cred *cred_alloc_blank(void)
94 + #endif
95 +
96 + atomic_set(&new->usage, 1);
97 ++#ifdef CONFIG_DEBUG_CREDENTIALS
98 ++ new->magic = CRED_MAGIC;
99 ++#endif
100 +
101 + if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
102 + goto error;
103 +
104 +-#ifdef CONFIG_DEBUG_CREDENTIALS
105 +- new->magic = CRED_MAGIC;
106 +-#endif
107 + return new;
108 +
109 + error:
110 @@ -520,6 +520,8 @@ int commit_creds(struct cred *new)
111
112 get_cred(new); /* we will require a ref for the subj creds too */
113 @@ -51244,6 +51263,37 @@ diff -urNp linux-2.6.32.28/kernel/cred.c linux-2.6.32.28/kernel/cred.c
114 /* dumpability changes */
115 if (old->euid != new->euid ||
116 old->egid != new->egid ||
117 +@@ -696,6 +698,8 @@ struct cred *prepare_kernel_cred(struct
118 + validate_creds(old);
119 +
120 + *new = *old;
121 ++ atomic_set(&new->usage, 1);
122 ++ set_cred_subscribers(new, 0);
123 + get_uid(new->user);
124 + get_group_info(new->group_info);
125 +
126 +@@ -713,8 +717,6 @@ struct cred *prepare_kernel_cred(struct
127 + if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
128 + goto error;
129 +
130 +- atomic_set(&new->usage, 1);
131 +- set_cred_subscribers(new, 0);
132 + put_cred(old);
133 + validate_creds(new);
134 + return new;
135 +@@ -787,7 +789,11 @@ bool creds_are_invalid(const struct cred
136 + if (cred->magic != CRED_MAGIC)
137 + return true;
138 + #ifdef CONFIG_SECURITY_SELINUX
139 +- if (selinux_is_enabled()) {
140 ++ /*
141 ++ * cred->security == NULL if security_cred_alloc_blank() or
142 ++ * security_prepare_creds() returned an error.
143 ++ */
144 ++ if (selinux_is_enabled() && cred->security) {
145 + if ((unsigned long) cred->security < PAGE_SIZE)
146 + return true;
147 + if ((*(u32 *)cred->security & 0xffffff00) ==
148 diff -urNp linux-2.6.32.28/kernel/exit.c linux-2.6.32.28/kernel/exit.c
149 --- linux-2.6.32.28/kernel/exit.c 2011-01-11 23:55:35.000000000 -0500
150 +++ linux-2.6.32.28/kernel/exit.c 2010-12-31 14:46:53.000000000 -0500
151 @@ -51816,8 +51866,8 @@ diff -urNp linux-2.6.32.28/kernel/kgdb.c linux-2.6.32.28/kernel/kgdb.c
152
153 diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2.6.32.28/kernel/kmod.c
154 --- linux-2.6.32.28/kernel/kmod.c 2010-08-13 16:24:37.000000000 -0400
155 -+++ linux-2.6.32.28/kernel/kmod.c 2010-12-31 14:46:53.000000000 -0500
156 -@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
157 ++++ linux-2.6.32.28/kernel/kmod.c 2011-02-12 10:58:19.000000000 -0500
158 +@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch
159 if (ret >= MODULE_NAME_LEN)
160 return -ENAMETOOLONG;
161
162 @@ -51828,7 +51878,17 @@ diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2.6.32.28/kernel/kmod.c
163 + auto-loaded
164 + */
165 + if (current_uid()) {
166 -+ gr_log_nonroot_mod_load(module_name);
167 ++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE)
168 ++ /* There are known knowns. These are things we know
169 ++ that we know. There are known unknowns. That is to say,
170 ++ there are things that we know we don't know. But there are
171 ++ also unknown unknowns. There are things we don't know
172 ++ we don't know.
173 ++ This here is a known unknown.
174 ++ */
175 ++ if (strcmp(module_name, "net-pf-10"))
176 ++#endif
177 ++ gr_log_nonroot_mod_load(module_name);
178 + return -EPERM;
179 + }
180 +#endif
181 @@ -52015,7 +52075,7 @@ diff -urNp linux-2.6.32.28/kernel/lockdep_proc.c linux-2.6.32.28/kernel/lockdep_
182 if (!name) {
183 diff -urNp linux-2.6.32.28/kernel/module.c linux-2.6.32.28/kernel/module.c
184 --- linux-2.6.32.28/kernel/module.c 2010-08-13 16:24:37.000000000 -0400
185 -+++ linux-2.6.32.28/kernel/module.c 2010-12-31 14:46:53.000000000 -0500
186 ++++ linux-2.6.32.28/kernel/module.c 2011-02-02 20:27:32.000000000 -0500
187 @@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
188 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
189
190 @@ -52053,6 +52113,15 @@ diff -urNp linux-2.6.32.28/kernel/module.c linux-2.6.32.28/kernel/module.c
191 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
192 name, align, PAGE_SIZE);
193 align = PAGE_SIZE;
194 +@@ -1158,7 +1159,7 @@ static const struct kernel_symbol *resol
195 + * /sys/module/foo/sections stuff
196 + * J. Corbet <corbet@×××.net>
197 + */
198 +-#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
199 ++#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
200 +
201 + static inline bool sect_empty(const Elf_Shdr *sect)
202 + {
203 @@ -1545,7 +1546,8 @@ static void free_module(struct module *m
204 destroy_params(mod->kp, mod->num_kp);
205
206 @@ -52784,7 +52853,7 @@ diff -urNp linux-2.6.32.28/kernel/printk.c linux-2.6.32.28/kernel/printk.c
207 return error;
208 diff -urNp linux-2.6.32.28/kernel/ptrace.c linux-2.6.32.28/kernel/ptrace.c
209 --- linux-2.6.32.28/kernel/ptrace.c 2010-08-13 16:24:37.000000000 -0400
210 -+++ linux-2.6.32.28/kernel/ptrace.c 2011-01-01 00:19:08.000000000 -0500
211 ++++ linux-2.6.32.28/kernel/ptrace.c 2011-02-12 10:37:47.000000000 -0500
212 @@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru
213 cred->gid != tcred->egid ||
214 cred->gid != tcred->sgid ||
215 @@ -52812,6 +52881,15 @@ diff -urNp linux-2.6.32.28/kernel/ptrace.c linux-2.6.32.28/kernel/ptrace.c
216 task->ptrace |= PT_PTRACE_CAP;
217
218 __ptrace_link(task, current);
219 +@@ -314,7 +314,7 @@ int ptrace_detach(struct task_struct *ch
220 + child->exit_code = data;
221 + dead = __ptrace_detach(current, child);
222 + if (!child->exit_state)
223 +- wake_up_process(child);
224 ++ wake_up_state(child, TASK_TRACED | TASK_STOPPED);
225 + }
226 + write_unlock_irq(&tasklist_lock);
227 +
228 @@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c
229 ret = ptrace_setoptions(child, data);
230 break;
231 @@ -53036,7 +53114,7 @@ diff -urNp linux-2.6.32.28/kernel/sched.c linux-2.6.32.28/kernel/sched.c
232 return;
233 diff -urNp linux-2.6.32.28/kernel/signal.c linux-2.6.32.28/kernel/signal.c
234 --- linux-2.6.32.28/kernel/signal.c 2010-08-13 16:24:37.000000000 -0400
235 -+++ linux-2.6.32.28/kernel/signal.c 2010-12-31 14:46:53.000000000 -0500
236 ++++ linux-2.6.32.28/kernel/signal.c 2011-02-12 11:22:46.000000000 -0500
237 @@ -41,12 +41,12 @@
238
239 static struct kmem_cache *sigqueue_cachep;
240 @@ -53099,17 +53177,34 @@ diff -urNp linux-2.6.32.28/kernel/signal.c linux-2.6.32.28/kernel/signal.c
241 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
242 {
243 return send_signal(sig, info, t, 0);
244 -@@ -1022,6 +1028,9 @@ force_sig_info(int sig, struct siginfo *
245 +@@ -1005,6 +1011,7 @@ force_sig_info(int sig, struct siginfo *
246 + unsigned long int flags;
247 + int ret, blocked, ignored;
248 + struct k_sigaction *action;
249 ++ int is_unhandled = 0;
250 +
251 + spin_lock_irqsave(&t->sighand->siglock, flags);
252 + action = &t->sighand->action[sig-1];
253 +@@ -1019,9 +1026,18 @@ force_sig_info(int sig, struct siginfo *
254 + }
255 + if (action->sa.sa_handler == SIG_DFL)
256 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
257 ++ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
258 ++ is_unhandled = 1;
259 ret = specific_send_sig_info(sig, info, t);
260 spin_unlock_irqrestore(&t->sighand->siglock, flags);
261
262 -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
263 -+ gr_handle_crash(t, sig);
264 ++ /* only deal with unhandled signals, java etc trigger SIGSEGV during
265 ++ normal operation */
266 ++ if (is_unhandled) {
267 ++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
268 ++ gr_handle_crash(t, sig);
269 ++ }
270 +
271 return ret;
272 }
273
274 -@@ -1081,8 +1090,11 @@ int group_send_sig_info(int sig, struct
275 +@@ -1081,8 +1097,11 @@ int group_send_sig_info(int sig, struct
276 {
277 int ret = check_kill_permission(sig, info, p);
278
279 @@ -55257,7 +55352,7 @@ diff -urNp linux-2.6.32.28/mm/mlock.c linux-2.6.32.28/mm/mlock.c
280 ret = do_mlockall(flags);
281 diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
282 --- linux-2.6.32.28/mm/mmap.c 2011-01-11 23:55:35.000000000 -0500
283 -+++ linux-2.6.32.28/mm/mmap.c 2010-12-31 14:46:53.000000000 -0500
284 ++++ linux-2.6.32.28/mm/mmap.c 2011-02-12 11:38:46.000000000 -0500
285 @@ -45,6 +45,16 @@
286 #define arch_rebalance_pgtables(addr, len) (addr)
287 #endif
288 @@ -55479,12 +55574,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
289 if (addr & ~PAGE_MASK)
290 return addr;
291
292 -@@ -969,6 +1046,31 @@ unsigned long do_mmap_pgoff(struct file
293 +@@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
294 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
295 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
296
297 +#ifdef CONFIG_PAX_MPROTECT
298 + if (mm->pax_flags & MF_PAX_MPROTECT) {
299 ++#ifndef CONFIG_PAX_MPROTECT_COMPAT
300 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
301 + gr_log_rwxmmap(file);
302 +
303 @@ -55498,6 +55594,10 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
304 +
305 + if (!(vm_flags & VM_EXEC))
306 + vm_flags &= ~VM_MAYEXEC;
307 ++#else
308 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
309 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
310 ++#endif
311 + else
312 + vm_flags &= ~VM_MAYWRITE;
313 + }
314 @@ -55511,7 +55611,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
315 if (flags & MAP_LOCKED)
316 if (!can_do_mlock())
317 return -EPERM;
318 -@@ -980,6 +1082,7 @@ unsigned long do_mmap_pgoff(struct file
319 +@@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
320 locked += mm->locked_vm;
321 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
322 lock_limit >>= PAGE_SHIFT;
323 @@ -55519,7 +55619,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
324 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
325 return -EAGAIN;
326 }
327 -@@ -1053,6 +1156,9 @@ unsigned long do_mmap_pgoff(struct file
328 +@@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
329 if (error)
330 return error;
331
332 @@ -55529,7 +55629,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
333 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
334 }
335 EXPORT_SYMBOL(do_mmap_pgoff);
336 -@@ -1065,10 +1171,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
337 +@@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
338 */
339 int vma_wants_writenotify(struct vm_area_struct *vma)
340 {
341 @@ -55542,7 +55642,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
342 return 0;
343
344 /* The backer wishes to know when pages are first written to? */
345 -@@ -1117,14 +1223,24 @@ unsigned long mmap_region(struct file *f
346 +@@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
347 unsigned long charged = 0;
348 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
349
350 @@ -55569,7 +55669,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
351 }
352
353 /* Check against address space limit. */
354 -@@ -1173,6 +1289,16 @@ munmap_back:
355 +@@ -1173,6 +1294,16 @@ munmap_back:
356 goto unacct_error;
357 }
358
359 @@ -55586,7 +55686,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
360 vma->vm_mm = mm;
361 vma->vm_start = addr;
362 vma->vm_end = addr + len;
363 -@@ -1195,6 +1321,19 @@ munmap_back:
364 +@@ -1195,6 +1326,19 @@ munmap_back:
365 error = file->f_op->mmap(file, vma);
366 if (error)
367 goto unmap_and_free_vma;
368 @@ -55606,7 +55706,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
369 if (vm_flags & VM_EXECUTABLE)
370 added_exe_file_vma(mm);
371
372 -@@ -1218,6 +1357,11 @@ munmap_back:
373 +@@ -1218,6 +1362,11 @@ munmap_back:
374 vma_link(mm, vma, prev, rb_link, rb_parent);
375 file = vma->vm_file;
376
377 @@ -55618,7 +55718,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
378 /* Once vma denies write, undo our temporary denial count */
379 if (correct_wcount)
380 atomic_inc(&inode->i_writecount);
381 -@@ -1226,6 +1370,7 @@ out:
382 +@@ -1226,6 +1375,7 @@ out:
383
384 mm->total_vm += len >> PAGE_SHIFT;
385 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
386 @@ -55626,7 +55726,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
387 if (vm_flags & VM_LOCKED) {
388 /*
389 * makes pages present; downgrades, drops, reacquires mmap_sem
390 -@@ -1248,6 +1393,12 @@ unmap_and_free_vma:
391 +@@ -1248,6 +1398,12 @@ unmap_and_free_vma:
392 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
393 charged = 0;
394 free_vma:
395 @@ -55639,7 +55739,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
396 kmem_cache_free(vm_area_cachep, vma);
397 unacct_error:
398 if (charged)
399 -@@ -1255,6 +1406,33 @@ unacct_error:
400 +@@ -1255,6 +1411,33 @@ unacct_error:
401 return error;
402 }
403
404 @@ -55673,7 +55773,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
405 /* Get an address range which is currently unmapped.
406 * For shmat() with addr=0.
407 *
408 -@@ -1281,18 +1459,23 @@ arch_get_unmapped_area(struct file *filp
409 +@@ -1281,18 +1464,23 @@ arch_get_unmapped_area(struct file *filp
410 if (flags & MAP_FIXED)
411 return addr;
412
413 @@ -55704,7 +55804,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
414 }
415
416 full_search:
417 -@@ -1303,34 +1486,40 @@ full_search:
418 +@@ -1303,34 +1491,40 @@ full_search:
419 * Start a new search - just in case we missed
420 * some holes.
421 */
422 @@ -55756,7 +55856,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
423 mm->free_area_cache = addr;
424 mm->cached_hole_size = ~0UL;
425 }
426 -@@ -1348,7 +1537,7 @@ arch_get_unmapped_area_topdown(struct fi
427 +@@ -1348,7 +1542,7 @@ arch_get_unmapped_area_topdown(struct fi
428 {
429 struct vm_area_struct *vma;
430 struct mm_struct *mm = current->mm;
431 @@ -55765,7 +55865,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
432
433 /* requested length too big for entire address space */
434 if (len > TASK_SIZE)
435 -@@ -1357,13 +1546,18 @@ arch_get_unmapped_area_topdown(struct fi
436 +@@ -1357,13 +1551,18 @@ arch_get_unmapped_area_topdown(struct fi
437 if (flags & MAP_FIXED)
438 return addr;
439
440 @@ -55788,7 +55888,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
441 }
442
443 /* check if free_area_cache is useful for us */
444 -@@ -1378,7 +1572,7 @@ arch_get_unmapped_area_topdown(struct fi
445 +@@ -1378,7 +1577,7 @@ arch_get_unmapped_area_topdown(struct fi
446 /* make sure it can fit in the remaining address space */
447 if (addr > len) {
448 vma = find_vma(mm, addr-len);
449 @@ -55797,7 +55897,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
450 /* remember the address as a hint for next time */
451 return (mm->free_area_cache = addr-len);
452 }
453 -@@ -1395,7 +1589,7 @@ arch_get_unmapped_area_topdown(struct fi
454 +@@ -1395,7 +1594,7 @@ arch_get_unmapped_area_topdown(struct fi
455 * return with success:
456 */
457 vma = find_vma(mm, addr);
458 @@ -55806,7 +55906,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
459 /* remember the address as a hint for next time */
460 return (mm->free_area_cache = addr);
461
462 -@@ -1414,13 +1608,21 @@ bottomup:
463 +@@ -1414,13 +1613,21 @@ bottomup:
464 * can happen with large stack limits and large mmap()
465 * allocations.
466 */
467 @@ -55830,7 +55930,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
468 mm->cached_hole_size = ~0UL;
469
470 return addr;
471 -@@ -1429,6 +1631,12 @@ bottomup:
472 +@@ -1429,6 +1636,12 @@ bottomup:
473
474 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
475 {
476 @@ -55843,7 +55943,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
477 /*
478 * Is this a new hole at the highest possible address?
479 */
480 -@@ -1436,8 +1644,10 @@ void arch_unmap_area_topdown(struct mm_s
481 +@@ -1436,8 +1649,10 @@ void arch_unmap_area_topdown(struct mm_s
482 mm->free_area_cache = addr;
483
484 /* dont allow allocations above current base */
485 @@ -55855,7 +55955,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
486 }
487
488 unsigned long
489 -@@ -1545,6 +1755,27 @@ out:
490 +@@ -1545,6 +1760,27 @@ out:
491 return prev ? prev->vm_next : vma;
492 }
493
494 @@ -55883,7 +55983,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
495 /*
496 * Verify that the stack growth is acceptable and
497 * update accounting. This is shared with both the
498 -@@ -1561,6 +1792,7 @@ static int acct_stack_growth(struct vm_a
499 +@@ -1561,6 +1797,7 @@ static int acct_stack_growth(struct vm_a
500 return -ENOMEM;
501
502 /* Stack limit test */
503 @@ -55891,7 +55991,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
504 if (size > rlim[RLIMIT_STACK].rlim_cur)
505 return -ENOMEM;
506
507 -@@ -1570,6 +1802,7 @@ static int acct_stack_growth(struct vm_a
508 +@@ -1570,6 +1807,7 @@ static int acct_stack_growth(struct vm_a
509 unsigned long limit;
510 locked = mm->locked_vm + grow;
511 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
512 @@ -55899,7 +55999,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
513 if (locked > limit && !capable(CAP_IPC_LOCK))
514 return -ENOMEM;
515 }
516 -@@ -1600,37 +1833,48 @@ static int acct_stack_growth(struct vm_a
517 +@@ -1600,37 +1838,48 @@ static int acct_stack_growth(struct vm_a
518 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
519 * vma is the last one with address > vma->vm_end. Have to extend vma.
520 */
521 @@ -55957,7 +56057,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
522 unsigned long size, grow;
523
524 size = address - vma->vm_start;
525 -@@ -1640,6 +1884,8 @@ int expand_upwards(struct vm_area_struct
526 +@@ -1640,6 +1889,8 @@ int expand_upwards(struct vm_area_struct
527 if (!error)
528 vma->vm_end = address;
529 }
530 @@ -55966,7 +56066,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
531 anon_vma_unlock(vma);
532 return error;
533 }
534 -@@ -1652,6 +1898,8 @@ static int expand_downwards(struct vm_ar
535 +@@ -1652,6 +1903,8 @@ static int expand_downwards(struct vm_ar
536 unsigned long address)
537 {
538 int error;
539 @@ -55975,7 +56075,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
540
541 /*
542 * We must make sure the anon_vma is allocated
543 -@@ -1665,6 +1913,15 @@ static int expand_downwards(struct vm_ar
544 +@@ -1665,6 +1918,15 @@ static int expand_downwards(struct vm_ar
545 if (error)
546 return error;
547
548 @@ -55991,7 +56091,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
549 anon_vma_lock(vma);
550
551 /*
552 -@@ -1674,9 +1931,17 @@ static int expand_downwards(struct vm_ar
553 +@@ -1674,9 +1936,17 @@ static int expand_downwards(struct vm_ar
554 */
555
556 /* Somebody else might have raced and expanded it already */
557 @@ -56010,7 +56110,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
558 size = vma->vm_end - address;
559 grow = (vma->vm_start - address) >> PAGE_SHIFT;
560
561 -@@ -1684,9 +1949,20 @@ static int expand_downwards(struct vm_ar
562 +@@ -1684,9 +1954,20 @@ static int expand_downwards(struct vm_ar
563 if (!error) {
564 vma->vm_start = address;
565 vma->vm_pgoff -= grow;
566 @@ -56031,7 +56131,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
567 return error;
568 }
569
570 -@@ -1762,6 +2038,13 @@ static void remove_vma_list(struct mm_st
571 +@@ -1762,6 +2043,13 @@ static void remove_vma_list(struct mm_st
572 do {
573 long nrpages = vma_pages(vma);
574
575 @@ -56045,7 +56145,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
576 mm->total_vm -= nrpages;
577 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
578 vma = remove_vma(vma);
579 -@@ -1807,6 +2090,16 @@ detach_vmas_to_be_unmapped(struct mm_str
580 +@@ -1807,6 +2095,16 @@ detach_vmas_to_be_unmapped(struct mm_str
581 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
582 vma->vm_prev = NULL;
583 do {
584 @@ -56062,7 +56162,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
585 rb_erase(&vma->vm_rb, &mm->mm_rb);
586 mm->map_count--;
587 tail_vma = vma;
588 -@@ -1834,10 +2127,25 @@ int split_vma(struct mm_struct * mm, str
589 +@@ -1834,10 +2132,25 @@ int split_vma(struct mm_struct * mm, str
590 struct mempolicy *pol;
591 struct vm_area_struct *new;
592
593 @@ -56088,7 +56188,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
594 if (mm->map_count >= sysctl_max_map_count)
595 return -ENOMEM;
596
597 -@@ -1845,6 +2153,16 @@ int split_vma(struct mm_struct * mm, str
598 +@@ -1845,6 +2158,16 @@ int split_vma(struct mm_struct * mm, str
599 if (!new)
600 return -ENOMEM;
601
602 @@ -56105,7 +56205,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
603 /* most fields are the same, copy all, and then fixup */
604 *new = *vma;
605
606 -@@ -1855,8 +2173,29 @@ int split_vma(struct mm_struct * mm, str
607 +@@ -1855,8 +2178,29 @@ int split_vma(struct mm_struct * mm, str
608 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
609 }
610
611 @@ -56135,7 +56235,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
612 kmem_cache_free(vm_area_cachep, new);
613 return PTR_ERR(pol);
614 }
615 -@@ -1877,6 +2216,28 @@ int split_vma(struct mm_struct * mm, str
616 +@@ -1877,6 +2221,28 @@ int split_vma(struct mm_struct * mm, str
617 else
618 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
619
620 @@ -56164,13 +56264,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
621 return 0;
622 }
623
624 -@@ -1885,11 +2246,30 @@ int split_vma(struct mm_struct * mm, str
625 +@@ -1885,11 +2251,30 @@ int split_vma(struct mm_struct * mm, str
626 * work. This now handles partial unmappings.
627 * Jeremy Fitzhardinge <jeremy@××××.org>
628 */
629 +#ifdef CONFIG_PAX_SEGMEXEC
630 - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
631 - {
632 ++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
633 ++{
634 + int ret = __do_munmap(mm, start, len);
635 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
636 + return ret;
637 @@ -56180,9 +56280,9 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
638 +
639 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
640 +#else
641 -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
642 + int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
643 +#endif
644 -+{
645 + {
646 unsigned long end;
647 struct vm_area_struct *vma, *prev, *last;
648
649 @@ -56195,7 +56295,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
650 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
651 return -EINVAL;
652
653 -@@ -1953,6 +2333,8 @@ int do_munmap(struct mm_struct *mm, unsi
654 +@@ -1953,6 +2338,8 @@ int do_munmap(struct mm_struct *mm, unsi
655 /* Fix up all other VM information */
656 remove_vma_list(mm, vma);
657
658 @@ -56204,7 +56304,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
659 return 0;
660 }
661
662 -@@ -1965,22 +2347,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
663 +@@ -1965,22 +2352,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
664
665 profile_munmap(addr);
666
667 @@ -56233,7 +56333,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
668 /*
669 * this is really a simplified "do_mmap". it only handles
670 * anonymous maps. eventually we may be able to do some
671 -@@ -1994,6 +2372,7 @@ unsigned long do_brk(unsigned long addr,
672 +@@ -1994,6 +2377,7 @@ unsigned long do_brk(unsigned long addr,
673 struct rb_node ** rb_link, * rb_parent;
674 pgoff_t pgoff = addr >> PAGE_SHIFT;
675 int error;
676 @@ -56241,7 +56341,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
677
678 len = PAGE_ALIGN(len);
679 if (!len)
680 -@@ -2005,16 +2384,30 @@ unsigned long do_brk(unsigned long addr,
681 +@@ -2005,16 +2389,30 @@ unsigned long do_brk(unsigned long addr,
682
683 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
684
685 @@ -56273,7 +56373,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
686 locked += mm->locked_vm;
687 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
688 lock_limit >>= PAGE_SHIFT;
689 -@@ -2031,22 +2424,22 @@ unsigned long do_brk(unsigned long addr,
690 +@@ -2031,22 +2429,22 @@ unsigned long do_brk(unsigned long addr,
691 /*
692 * Clear old maps. this also does some error checking for us
693 */
694 @@ -56300,7 +56400,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
695 return -ENOMEM;
696
697 /* Can we just expand an old private anonymous mapping? */
698 -@@ -2060,7 +2453,7 @@ unsigned long do_brk(unsigned long addr,
699 +@@ -2060,7 +2458,7 @@ unsigned long do_brk(unsigned long addr,
700 */
701 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
702 if (!vma) {
703 @@ -56309,7 +56409,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
704 return -ENOMEM;
705 }
706
707 -@@ -2072,11 +2465,12 @@ unsigned long do_brk(unsigned long addr,
708 +@@ -2072,11 +2470,12 @@ unsigned long do_brk(unsigned long addr,
709 vma->vm_page_prot = vm_get_page_prot(flags);
710 vma_link(mm, vma, prev, rb_link, rb_parent);
711 out:
712 @@ -56324,7 +56424,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
713 return addr;
714 }
715
716 -@@ -2123,8 +2517,10 @@ void exit_mmap(struct mm_struct *mm)
717 +@@ -2123,8 +2522,10 @@ void exit_mmap(struct mm_struct *mm)
718 * Walk the list again, actually closing and freeing it,
719 * with preemption enabled, without holding any MM locks.
720 */
721 @@ -56336,7 +56436,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
722
723 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
724 }
725 -@@ -2138,6 +2534,10 @@ int insert_vm_struct(struct mm_struct *
726 +@@ -2138,6 +2539,10 @@ int insert_vm_struct(struct mm_struct *
727 struct vm_area_struct * __vma, * prev;
728 struct rb_node ** rb_link, * rb_parent;
729
730 @@ -56347,7 +56447,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
731 /*
732 * The vm_pgoff of a purely anonymous vma should be irrelevant
733 * until its first write fault, when page's anon_vma and index
734 -@@ -2160,7 +2560,22 @@ int insert_vm_struct(struct mm_struct *
735 +@@ -2160,7 +2565,22 @@ int insert_vm_struct(struct mm_struct *
736 if ((vma->vm_flags & VM_ACCOUNT) &&
737 security_vm_enough_memory_mm(mm, vma_pages(vma)))
738 return -ENOMEM;
739 @@ -56370,7 +56470,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
740 return 0;
741 }
742
743 -@@ -2178,6 +2593,8 @@ struct vm_area_struct *copy_vma(struct v
744 +@@ -2178,6 +2598,8 @@ struct vm_area_struct *copy_vma(struct v
745 struct rb_node **rb_link, *rb_parent;
746 struct mempolicy *pol;
747
748 @@ -56379,7 +56479,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
749 /*
750 * If anonymous vma has not yet been faulted, update new pgoff
751 * to match new location, to increase its chance of merging.
752 -@@ -2221,6 +2638,35 @@ struct vm_area_struct *copy_vma(struct v
753 +@@ -2221,6 +2643,35 @@ struct vm_area_struct *copy_vma(struct v
754 return new_vma;
755 }
756
757 @@ -56415,7 +56515,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
758 /*
759 * Return true if the calling process may expand its vm space by the passed
760 * number of pages
761 -@@ -2231,7 +2677,7 @@ int may_expand_vm(struct mm_struct *mm,
762 +@@ -2231,7 +2682,7 @@ int may_expand_vm(struct mm_struct *mm,
763 unsigned long lim;
764
765 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
766 @@ -56424,16 +56524,21 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c
767 if (cur + npages > lim)
768 return 0;
769 return 1;
770 -@@ -2301,6 +2747,17 @@ int install_special_mapping(struct mm_st
771 +@@ -2301,6 +2752,22 @@ int install_special_mapping(struct mm_st
772 vma->vm_start = addr;
773 vma->vm_end = addr + len;
774
775 +#ifdef CONFIG_PAX_MPROTECT
776 + if (mm->pax_flags & MF_PAX_MPROTECT) {
777 ++#ifndef CONFIG_PAX_MPROTECT_COMPAT
778 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
779 + return -EPERM;
780 + if (!(vm_flags & VM_EXEC))
781 + vm_flags &= ~VM_MAYEXEC;
782 ++#else
783 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
784 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
785 ++#endif
786 + else
787 + vm_flags &= ~VM_MAYWRITE;
788 + }
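Review bot: In the compat arm added at `++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` / `++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);` a writable+executable request is quietly turned into a non-executable mapping, with neither the -EPERM of the non-compat arm nor any log record. The same arm is added to do_mmap_pgoff in the 2.6.37 mm/mmap.c hunk `@@ -53461,6 +53632,10 @@`, where the non-compat arm in the hunk just before it calls gr_log_rwxmmap(file) but the compat arm stays silent, while the new PAX_MPROTECT_COMPAT help text in the security/Kconfig hunk tells admins that the RWX logging option will help them find broken userland. Consider logging in the compat arm of do_mmap_pgoff as well (install_special_mapping has no file to pass), or at least a comment such as `/* compat: W+X is demoted to non-exec; no -EPERM and no RWX log entry */` at both sites plus a sentence in the help text saying that compat-mode demotion is not logged. install_special_mapping's body continues outside the hunk.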
789 @@ -60064,8 +60169,8 @@ diff -urNp linux-2.6.32.28/security/integrity/ima/ima_queue.c linux-2.6.32.28/se
790 return 0;
791 diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig
792 --- linux-2.6.32.28/security/Kconfig 2010-08-13 16:24:37.000000000 -0400
793 -+++ linux-2.6.32.28/security/Kconfig 2011-01-04 17:43:17.000000000 -0500
794 -@@ -4,6 +4,509 @@
795 ++++ linux-2.6.32.28/security/Kconfig 2011-02-12 11:33:55.000000000 -0500
796 +@@ -4,6 +4,527 @@
797
798 menu "Security options"
799
800 @@ -60311,6 +60416,24 @@ diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig
801 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
802 + this feature on a per file basis.
803 +
804 ++config PAX_MPROTECT_COMPAT
805 ++ bool "Use legacy/compat protection demoting (read help)"
806 ++ depends on PAX_MPROTECT
807 ++ default n
808 ++ help
809 ++ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
810 ++ by sending the proper error code to the application. For some broken
811 ++ userland, this can cause problems with Python or other applications. The
812 ++ current implementation however allows for applications like clamav to
813 ++ detect if JIT compilation/execution is allowed and to fall back gracefully
814 ++ to an interpreter-based mode if it does not. While we encourage everyone
815 ++ to use the current implementation as-is and push upstream to fix broken
816 ++ userland (note that the RWX logging option can assist with this), in some
817 ++ environments this may not be possible. Having to disable MPROTECT
818 ++ completely on certain binaries reduces the security benefit of PaX,
819 ++ so this option is provided for those environments to revert to the old
820 ++ behavior.
821 ++
822 +config PAX_ELFRELOCS
823 + bool "Allow ELF text relocations (read help)"
824 + depends on PAX_MPROTECT
825 @@ -60575,7 +60698,7 @@ diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig
826 config KEYS
827 bool "Enable access key retention support"
828 help
829 -@@ -146,7 +649,7 @@ config INTEL_TXT
830 +@@ -146,7 +667,7 @@ config INTEL_TXT
831 config LSM_MMAP_MIN_ADDR
832 int "Low address space for LSM to protect from user allocation"
833 depends on SECURITY && SECURITY_SELINUX
834 @@ -60638,7 +60761,7 @@ diff -urNp linux-2.6.32.28/security/security.c linux-2.6.32.28/security/security
835 printk(KERN_DEBUG "%s could not verify "
836 diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/selinux/hooks.c
837 --- linux-2.6.32.28/security/selinux/hooks.c 2010-08-13 16:24:37.000000000 -0400
838 -+++ linux-2.6.32.28/security/selinux/hooks.c 2010-12-31 14:46:53.000000000 -0500
839 ++++ linux-2.6.32.28/security/selinux/hooks.c 2011-02-12 11:03:00.000000000 -0500
840 @@ -131,7 +131,7 @@ int selinux_enabled = 1;
841 * Minimal support for a secondary security module,
842 * just to allow the use of the capability module.
843 @@ -60648,7 +60771,20 @@ diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/sel
844
845 /* Lists of inode and superblock security structures initialized
846 before the policy was loaded. */
847 -@@ -5450,7 +5450,7 @@ static int selinux_key_getsecurity(struc
848 +@@ -3259,7 +3259,11 @@ static void selinux_cred_free(struct cre
849 + {
850 + struct task_security_struct *tsec = cred->security;
851 +
852 +- BUG_ON((unsigned long) cred->security < PAGE_SIZE);
853 ++ /*
854 ++ * cred->security == NULL if security_cred_alloc_blank() or
855 ++ * security_prepare_creds() returned an error.
856 ++ */
857 ++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
858 + cred->security = (void *) 0x7UL;
859 + kfree(tsec);
860 + }
861 +@@ -5450,7 +5454,7 @@ static int selinux_key_getsecurity(struc
862
863 #endif
864
865 @@ -60657,7 +60793,7 @@ diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/sel
866 .name = "selinux",
867
868 .ptrace_access_check = selinux_ptrace_access_check,
869 -@@ -5834,7 +5834,9 @@ int selinux_disable(void)
870 +@@ -5834,7 +5838,9 @@ int selinux_disable(void)
871 avc_disable();
872
873 /* Reset security_ops to the secondary module, dummy or capability. */
874
875 diff --git a/2.6.37/0000_README b/2.6.37/0000_README
876 index 2c6b512..16e7e24 100644
877 --- a/2.6.37/0000_README
878 +++ b/2.6.37/0000_README
879 @@ -3,7 +3,7 @@ README
880
881 Individual Patch Descriptions:
882 -----------------------------------------------------------------------------
883 -Patch 4420_grsecurity-2.2.1-2.6.37-201101272240.patch
884 +Patch: 4420_grsecurity-2.2.1-2.6.37-201102121148.patch
885 From: http://www.grsecurity.net
886 Desc: hardened-sources base patch from upstream grsecurity
887
888
889 diff --git a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch b/2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch
890 similarity index 99%
891 rename from 2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch
892 rename to 2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch
893 index 053126a..e66397d 100644
894 --- a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch
895 +++ b/2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch
896 @@ -8049,7 +8049,7 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mman.h linux-2.6.37/arch/x86/includ
897 #endif /* _ASM_X86_MMAN_H */
898 diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86/include/asm/mmu_context.h
899 --- linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-04 19:50:19.000000000 -0500
900 -+++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-17 02:41:00.000000000 -0500
901 ++++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-02-12 11:04:35.000000000 -0500
902 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
903
904 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
905 @@ -8081,8 +8081,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86
906 +#endif
907
908 if (likely(prev != next)) {
909 - /* stop flush ipis for the previous mm */
910 - cpumask_clear_cpu(cpu, mm_cpumask(prev));
911 +- /* stop flush ipis for the previous mm */
912 +- cpumask_clear_cpu(cpu, mm_cpumask(prev));
913 #ifdef CONFIG_SMP
914 +#ifdef CONFIG_X86_32
915 + tlbstate = percpu_read(cpu_tlbstate.state);
916 @@ -8102,6 +8102,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86
917 +#else
918 load_cr3(next->pgd);
919 +#endif
920 ++ /* stop flush ipis for the previous mm */
921 ++ cpumask_clear_cpu(cpu, mm_cpumask(prev));
922
923 /*
924 * load the LDT, if the LDT is different:
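Review bot: The re-added lines `++ /* stop flush ipis for the previous mm */` / `++ cpumask_clear_cpu(cpu, mm_cpumask(prev));` now sit after the `#endif` that closes the load_cr3() alternatives (the old placement before `#ifdef CONFIG_SMP` is removed in the preceding hunk), but the carried-over comment only says what the line does, not why its position matters. A why-comment would keep a later merge from hoisting it back, e.g. `/* clear this CPU from prev's mask only once the new page tables are live, so a TLB flush IPI for prev cannot be skipped while its entries are still loaded here */`; that reason is inferred from the ordering and should be checked against the upstream change this mirrors. The enclosing function starts and ends outside the hunk.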
925 @@ -27044,6 +27046,26 @@ diff -urNp linux-2.6.37/drivers/pci/pcie/portdrv_pci.c linux-2.6.37/drivers/pci/
926 };
927 MODULE_DEVICE_TABLE(pci, port_pci_ids);
928
929 +diff -urNp linux-2.6.37/drivers/pci/pci-sysfs.c linux-2.6.37/drivers/pci/pci-sysfs.c
930 +--- linux-2.6.37/drivers/pci/pci-sysfs.c 2011-01-04 19:50:19.000000000 -0500
931 ++++ linux-2.6.37/drivers/pci/pci-sysfs.c 2011-02-12 10:32:55.000000000 -0500
932 +@@ -23,6 +23,7 @@
933 + #include <linux/mm.h>
934 + #include <linux/fs.h>
935 + #include <linux/capability.h>
936 ++#include <linux/security.h>
937 + #include <linux/pci-aspm.h>
938 + #include <linux/slab.h>
939 + #include "pci.h"
940 +@@ -368,7 +369,7 @@ pci_read_config(struct file *filp, struc
941 + u8 *data = (u8*) buf;
942 +
943 + /* Several chips lock up trying to read undefined config space */
944 +- if (cap_raised(filp->f_cred->cap_effective, CAP_SYS_ADMIN)) {
945 ++ if (security_capable(filp->f_cred, CAP_SYS_ADMIN)) {
946 + size = dev->cfg_size;
947 + } else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS) {
948 + size = 128;
949 diff -urNp linux-2.6.37/drivers/pci/probe.c linux-2.6.37/drivers/pci/probe.c
950 --- linux-2.6.37/drivers/pci/probe.c 2011-01-04 19:50:19.000000000 -0500
951 +++ linux-2.6.37/drivers/pci/probe.c 2011-01-17 02:41:01.000000000 -0500
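Review bot: The replacement check `++ if (security_capable(filp->f_cred, CAP_SYS_ADMIN)) {` routes the CAP_SYS_ADMIN decision through the LSM layer (the include/linux/security.h hunk below shows the non-CONFIG_SECURITY inline ending in cap_capable(current, cred, cap, SECURITY_CAP_AUDIT); the CONFIG_SECURITY implementation is not in view), whereas the old cap_raised() only tested the bitmask; the added `++#include <linux/security.h>` is what makes the symbol visible here. Nothing in the hunk records why the opener's f_cred rather than current_cred() is the subject, so add `/* checked against the credentials that opened the file, through the LSM, so policy and audit see this config-space read */` above the if. pci_read_config continues outside the hunk.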
952 @@ -30248,6 +30270,40 @@ diff -urNp linux-2.6.37/fs/btrfs/inode.c linux-2.6.37/fs/btrfs/inode.c
953 .fill_delalloc = run_delalloc_range,
954 .submit_bio_hook = btrfs_submit_bio_hook,
955 .merge_bio_hook = btrfs_merge_bio_hook,
956 +diff -urNp linux-2.6.37/fs/btrfs/ioctl.c linux-2.6.37/fs/btrfs/ioctl.c
957 +--- linux-2.6.37/fs/btrfs/ioctl.c 2011-01-04 19:50:19.000000000 -0500
958 ++++ linux-2.6.37/fs/btrfs/ioctl.c 2011-02-12 10:29:31.000000000 -0500
959 +@@ -2087,7 +2087,7 @@ long btrfs_ioctl_space_info(struct btrfs
960 + int num_types = 4;
961 + int alloc_size;
962 + int ret = 0;
963 +- int slot_count = 0;
964 ++ u64 slot_count = 0;
965 + int i, c;
966 +
967 + if (copy_from_user(&space_args,
968 +@@ -2126,7 +2126,7 @@ long btrfs_ioctl_space_info(struct btrfs
969 + goto out;
970 + }
971 +
972 +- slot_count = min_t(int, space_args.space_slots, slot_count);
973 ++ slot_count = min_t(u64, space_args.space_slots, slot_count);
974 +
975 + alloc_size = sizeof(*dest) * slot_count;
976 +
977 +@@ -2146,6 +2146,12 @@ long btrfs_ioctl_space_info(struct btrfs
978 + for (i = 0; i < num_types; i++) {
979 + struct btrfs_space_info *tmp;
980 +
981 ++ /* Don't copy in more than we allocated */
982 ++ if (!slot_count)
983 ++ break;
984 ++
985 ++ slot_count--;
986 ++
987 + info = NULL;
988 + rcu_read_lock();
989 + list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
990 diff -urNp linux-2.6.37/fs/btrfs/relocation.c linux-2.6.37/fs/btrfs/relocation.c
991 --- linux-2.6.37/fs/btrfs/relocation.c 2011-01-04 19:50:19.000000000 -0500
992 +++ linux-2.6.37/fs/btrfs/relocation.c 2011-01-17 02:41:01.000000000 -0500
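Review bot: The new bound `++ if (!slot_count)` / `++ break;` / `++ slot_count--;` is tested and decremented once per iteration of `for (i = 0; i < num_types; i++)`, not once per entry written to dest; the part of the loop that copies into dest is outside the hunk, but if it can write more than one entry per type, the buffer of `alloc_size = sizeof(*dest) * slot_count;` bytes can still be overrun when a caller asks for fewer slots than exist. Placing the `if (!slot_count) break;` test and the `slot_count--` next to each write into dest makes the bound exact. The widening at `++ u64 slot_count = 0;` with `min_t(u64, ...)` removes the signed truncation of the user-supplied space_slots, but `int alloc_size` is still computed from it; that is only safe because the pre-counted slot_count (computed outside the hunk) is small, which a comment should state. btrfs_ioctl_space_info starts and ends outside the hunk.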
993 @@ -30668,7 +30724,7 @@ diff -urNp linux-2.6.37/fs/ecryptfs/miscdev.c linux-2.6.37/fs/ecryptfs/miscdev.c
994 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
995 diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c
996 --- linux-2.6.37/fs/exec.c 2011-01-04 19:50:19.000000000 -0500
997 -+++ linux-2.6.37/fs/exec.c 2011-01-17 02:41:01.000000000 -0500
998 ++++ linux-2.6.37/fs/exec.c 2011-02-12 11:21:04.000000000 -0500
999 @@ -55,12 +55,24 @@
1000 #include <linux/fs_struct.h>
1001 #include <linux/pipe_fs_i.h>
1002 @@ -31194,7 +31250,7 @@ diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c
1003 goto fail_corename;
1004 }
1005
1006 -+ if (signr == SIGKILL || signr == SIGILL)
1007 ++ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
1008 + gr_handle_brute_attach(current);
1009 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
1010 +
1011 @@ -47851,7 +47907,7 @@ diff -urNp linux-2.6.37/include/linux/screen_info.h linux-2.6.37/include/linux/s
1012 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
1013 diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/security.h
1014 --- linux-2.6.37/include/linux/security.h 2011-01-04 19:50:19.000000000 -0500
1015 -+++ linux-2.6.37/include/linux/security.h 2011-01-17 02:41:02.000000000 -0500
1016 ++++ linux-2.6.37/include/linux/security.h 2011-02-12 10:34:03.000000000 -0500
1017 @@ -35,6 +35,7 @@
1018 #include <linux/key.h>
1019 #include <linux/xfrm.h>
1020 @@ -47860,6 +47916,27 @@ diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/secu
1021 #include <net/flow.h>
1022
1023 /* Maximum number of letters for an LSM name string */
1024 +@@ -1664,7 +1665,7 @@ int security_capset(struct cred *new, co
1025 + const kernel_cap_t *effective,
1026 + const kernel_cap_t *inheritable,
1027 + const kernel_cap_t *permitted);
1028 +-int security_capable(int cap);
1029 ++int security_capable(const struct cred *cred, int cap);
1030 + int security_real_capable(struct task_struct *tsk, int cap);
1031 + int security_real_capable_noaudit(struct task_struct *tsk, int cap);
1032 + int security_sysctl(struct ctl_table *table, int op);
1033 +@@ -1857,9 +1858,9 @@ static inline int security_capset(struct
1034 + return cap_capset(new, old, effective, inheritable, permitted);
1035 + }
1036 +
1037 +-static inline int security_capable(int cap)
1038 ++static inline int security_capable(const struct cred *cred, int cap)
1039 + {
1040 +- return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
1041 ++ return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT);
1042 + }
1043 +
1044 + static inline int security_real_capable(struct task_struct *tsk, int cap)
1045 diff -urNp linux-2.6.37/include/linux/shm.h linux-2.6.37/include/linux/shm.h
1046 --- linux-2.6.37/include/linux/shm.h 2011-01-04 19:50:19.000000000 -0500
1047 +++ linux-2.6.37/include/linux/shm.h 2011-01-17 02:41:02.000000000 -0500
1048 @@ -49247,7 +49324,7 @@ diff -urNp linux-2.6.37/kernel/acct.c linux-2.6.37/kernel/acct.c
1049 set_fs(fs);
1050 diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c
1051 --- linux-2.6.37/kernel/capability.c 2011-01-04 19:50:19.000000000 -0500
1052 -+++ linux-2.6.37/kernel/capability.c 2011-01-17 02:41:02.000000000 -0500
1053 ++++ linux-2.6.37/kernel/capability.c 2011-02-12 11:48:20.000000000 -0500
1054 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
1055 * before modification is attempted and the application
1056 * fails.
1057 @@ -49263,7 +49340,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c
1058 }
1059
1060 - if (security_capable(cap) == 0) {
1061 -+ if (security_capable(cap) == 0 && gr_is_capable(cap)) {
1062 ++ if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) {
1063 current->flags |= PF_SUPERPRIV;
1064 return 1;
1065 }
1066 @@ -49277,7 +49354,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c
1067 + BUG();
1068 + }
1069 +
1070 -+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
1071 ++ if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
1072 + current->flags |= PF_SUPERPRIV;
1073 + return 1;
1074 + }
1075 @@ -49322,7 +49399,24 @@ diff -urNp linux-2.6.37/kernel/configs.c linux-2.6.37/kernel/configs.c
1076
1077 diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c
1078 --- linux-2.6.37/kernel/cred.c 2011-01-04 19:50:19.000000000 -0500
1079 -+++ linux-2.6.37/kernel/cred.c 2011-01-17 02:41:02.000000000 -0500
1080 ++++ linux-2.6.37/kernel/cred.c 2011-02-12 11:03:34.000000000 -0500
1081 +@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void)
1082 + #endif
1083 +
1084 + atomic_set(&new->usage, 1);
1085 ++#ifdef CONFIG_DEBUG_CREDENTIALS
1086 ++ new->magic = CRED_MAGIC;
1087 ++#endif
1088 +
1089 + if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
1090 + goto error;
1091 +
1092 +-#ifdef CONFIG_DEBUG_CREDENTIALS
1093 +- new->magic = CRED_MAGIC;
1094 +-#endif
1095 + return new;
1096 +
1097 + error:
1098 @@ -483,6 +483,8 @@ int commit_creds(struct cred *new)
1099
1100 get_cred(new); /* we will require a ref for the subj creds too */
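Review bot: The reorder in cred_alloc_blank() sets `++ new->magic = CRED_MAGIC;` before `if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) goto error;`, so a failing LSM hook now hands the error path a cred whose magic is already valid, but the hunk carries no comment to that effect and the error label's body is outside the hunk. A comment at the moved block, `/* set magic before the LSM hook: the error path validates the cred */` (wording to confirm against what the error label does), would keep the ordering from being tidied back. The prepare_kernel_cred hunk below moves `atomic_set(&new->usage, 1)` / `set_cred_subscribers(new, 0)` ahead of get_uid()/get_group_info() for what looks like the same reason, that `*new = *old` copies old's counters and the goto error path needs new's own; the same kind of comment applies there.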
1101 @@ -49332,6 +49426,37 @@ diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c
1102 /* dumpability changes */
1103 if (old->euid != new->euid ||
1104 old->egid != new->egid ||
1105 +@@ -657,6 +659,8 @@ struct cred *prepare_kernel_cred(struct
1106 + validate_creds(old);
1107 +
1108 + *new = *old;
1109 ++ atomic_set(&new->usage, 1);
1110 ++ set_cred_subscribers(new, 0);
1111 + get_uid(new->user);
1112 + get_group_info(new->group_info);
1113 +
1114 +@@ -674,8 +678,6 @@ struct cred *prepare_kernel_cred(struct
1115 + if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
1116 + goto error;
1117 +
1118 +- atomic_set(&new->usage, 1);
1119 +- set_cred_subscribers(new, 0);
1120 + put_cred(old);
1121 + validate_creds(new);
1122 + return new;
1123 +@@ -748,7 +750,11 @@ bool creds_are_invalid(const struct cred
1124 + if (cred->magic != CRED_MAGIC)
1125 + return true;
1126 + #ifdef CONFIG_SECURITY_SELINUX
1127 +- if (selinux_is_enabled()) {
1128 ++ /*
1129 ++ * cred->security == NULL if security_cred_alloc_blank() or
1130 ++ * security_prepare_creds() returned an error.
1131 ++ */
1132 ++ if (selinux_is_enabled() && cred->security) {
1133 + if ((unsigned long) cred->security < PAGE_SIZE)
1134 + return true;
1135 + if ((*(u32 *)cred->security & 0xffffff00) ==
1136 diff -urNp linux-2.6.37/kernel/debug/debug_core.c linux-2.6.37/kernel/debug/debug_core.c
1137 --- linux-2.6.37/kernel/debug/debug_core.c 2011-01-04 19:50:19.000000000 -0500
1138 +++ linux-2.6.37/kernel/debug/debug_core.c 2011-01-17 02:41:02.000000000 -0500
1139 @@ -50099,8 +50224,8 @@ diff -urNp linux-2.6.37/kernel/kallsyms.c linux-2.6.37/kernel/kallsyms.c
1140 reset_iter(iter, 0);
1141 diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c
1142 --- linux-2.6.37/kernel/kmod.c 2011-01-04 19:50:19.000000000 -0500
1143 -+++ linux-2.6.37/kernel/kmod.c 2011-01-17 02:41:02.000000000 -0500
1144 -@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
1145 ++++ linux-2.6.37/kernel/kmod.c 2011-02-12 10:56:18.000000000 -0500
1146 +@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch
1147 if (ret)
1148 return ret;
1149
1150 @@ -50111,7 +50236,17 @@ diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c
1151 + auto-loaded
1152 + */
1153 + if (current_uid()) {
1154 -+ gr_log_nonroot_mod_load(module_name);
1155 ++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE)
1156 ++ /* There are known knowns. These are things we know
1157 ++ that we know. There are known unknowns. That is to say,
1158 ++ there are things that we know we don't know. But there are
1159 ++ also unknown unknowns. There are things we don't know
1160 ++ we don't know.
1161 ++ This here is a known unknown.
1162 ++ */
1163 ++ if (strcmp(module_name, "net-pf-10"))
1164 ++#endif
1165 ++ gr_log_nonroot_mod_load(module_name);
1166 + return -EPERM;
1167 + }
1168 +#endif
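Review bot: The `++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE)` block ends with `++ if (strcmp(module_name, "net-pf-10"))` whose controlled statement, `++ gr_log_nonroot_mod_load(module_name);`, lies after the `++#endif`, so whether that call is conditional depends on preprocessor state while the C around it reads as a plain statement, and the truthiness of strcmp is left implicit. A small static helper that holds the whole `#if` and returns whether to log, or at least `if (strcmp(module_name, "net-pf-10") != 0)` with braces, would make the intent visible; the -EPERM return is unaffected, only the log line is suppressed for IPv6 autoload attempts on kernels without IPv6. __request_module starts outside the hunk.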
1169 @@ -50203,7 +50338,7 @@ diff -urNp linux-2.6.37/kernel/lockdep_proc.c linux-2.6.37/kernel/lockdep_proc.c
1170 if (!name) {
1171 diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c
1172 --- linux-2.6.37/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
1173 -+++ linux-2.6.37/kernel/module.c 2011-01-17 02:41:02.000000000 -0500
1174 ++++ linux-2.6.37/kernel/module.c 2011-02-02 20:28:40.000000000 -0500
1175 @@ -97,7 +97,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
1176
1177 /* Bounds of module allocation, for speeding __module_address.
1178 @@ -50241,6 +50376,15 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c
1179 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
1180 mod->name, align, PAGE_SIZE);
1181 align = PAGE_SIZE;
1182 +@@ -1122,7 +1123,7 @@ resolve_symbol_wait(struct module *mod,
1183 + */
1184 + #ifdef CONFIG_SYSFS
1185 +
1186 +-#ifdef CONFIG_KALLSYMS
1187 ++#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
1188 + static inline bool sect_empty(const Elf_Shdr *sect)
1189 + {
1190 + return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
1191 @@ -1566,15 +1567,18 @@ static void free_module(struct module *m
1192 destroy_params(mod->kp, mod->num_kp);
1193
1194 @@ -50461,10 +50605,8 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c
1195 + if (!ptr) {
1196 + module_free(mod, mod->module_init_rw);
1197 + module_free(mod, mod->module_core_rw);
1198 - return -ENOMEM;
1199 - }
1200 -- memset(ptr, 0, mod->init_size);
1201 -- mod->module_init = ptr;
1202 ++ return -ENOMEM;
1203 ++ }
1204 +
1205 + pax_open_kernel();
1206 + memset(ptr, 0, mod->core_size_rx);
1207 @@ -50477,8 +50619,10 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c
1208 + module_free_exec(mod, mod->module_core_rx);
1209 + module_free(mod, mod->module_init_rw);
1210 + module_free(mod, mod->module_core_rw);
1211 -+ return -ENOMEM;
1212 -+ }
1213 + return -ENOMEM;
1214 + }
1215 +- memset(ptr, 0, mod->init_size);
1216 +- mod->module_init = ptr;
1217 +
1218 + pax_open_kernel();
1219 + memset(ptr, 0, mod->init_size_rx);
1220 @@ -50893,7 +51037,7 @@ diff -urNp linux-2.6.37/kernel/printk.c linux-2.6.37/kernel/printk.c
1221 * at open time.
1222 diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c
1223 --- linux-2.6.37/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500
1224 -+++ linux-2.6.37/kernel/ptrace.c 2011-01-17 02:41:02.000000000 -0500
1225 ++++ linux-2.6.37/kernel/ptrace.c 2011-02-12 10:37:18.000000000 -0500
1226 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
1227 cred->gid != tcred->egid ||
1228 cred->gid != tcred->sgid ||
1229 @@ -50921,6 +51065,15 @@ diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c
1230 task->ptrace |= PT_PTRACE_CAP;
1231
1232 __ptrace_link(task, current);
1233 +@@ -313,7 +313,7 @@ int ptrace_detach(struct task_struct *ch
1234 + child->exit_code = data;
1235 + dead = __ptrace_detach(current, child);
1236 + if (!child->exit_state)
1237 +- wake_up_process(child);
1238 ++ wake_up_state(child, TASK_TRACED | TASK_STOPPED);
1239 + }
1240 + write_unlock_irq(&tasklist_lock);
1241 +
1242 @@ -369,7 +369,7 @@ int ptrace_readdata(struct task_struct *
1243 break;
1244 return -EIO;
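Review bot: The change to `++ wake_up_state(child, TASK_TRACED | TASK_STOPPED);` narrows the detach-time wakeup to a child actually sitting in a traced or stopped state, where the old wake_up_process() would wake it from any sleep, but nothing in the hunk says so. Add `/* only wake a child in TASK_TRACED/TASK_STOPPED; do not disturb an unrelated sleep */` above the call; the reason is inferred from the state mask and should be confirmed against the upstream change this mirrors. ptrace_detach starts and ends outside the hunk.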
1245 @@ -51105,7 +51258,7 @@ diff -urNp linux-2.6.37/kernel/sched_fair.c linux-2.6.37/kernel/sched_fair.c
1246 struct rq *this_rq = cpu_rq(this_cpu);
1247 diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c
1248 --- linux-2.6.37/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500
1249 -+++ linux-2.6.37/kernel/signal.c 2011-01-17 02:41:02.000000000 -0500
1250 ++++ linux-2.6.37/kernel/signal.c 2011-02-12 11:22:39.000000000 -0500
1251 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
1252
1253 int print_fatal_signals __read_mostly;
1254 @@ -51168,17 +51321,34 @@ diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c
1255 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
1256 {
1257 return send_signal(sig, info, t, 0);
1258 -@@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
1259 +@@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo *
1260 + unsigned long int flags;
1261 + int ret, blocked, ignored;
1262 + struct k_sigaction *action;
1263 ++ int is_unhandled = 0;
1264 +
1265 + spin_lock_irqsave(&t->sighand->siglock, flags);
1266 + action = &t->sighand->action[sig-1];
1267 +@@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo *
1268 + }
1269 + if (action->sa.sa_handler == SIG_DFL)
1270 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
1271 ++ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
1272 ++ is_unhandled = 1;
1273 ret = specific_send_sig_info(sig, info, t);
1274 spin_unlock_irqrestore(&t->sighand->siglock, flags);
1275
1276 -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
1277 -+ gr_handle_crash(t, sig);
1278 ++ /* only deal with unhandled signals, java etc trigger SIGSEGV during
1279 ++ normal operation */
1280 ++ if (is_unhandled) {
1281 ++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
1282 ++ gr_handle_crash(t, sig);
1283 ++ }
1284 +
1285 return ret;
1286 }
1287
1288 -@@ -1137,8 +1146,11 @@ int group_send_sig_info(int sig, struct
1289 +@@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct
1290 ret = check_kill_permission(sig, info, p);
1291 rcu_read_unlock();
1292
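Review bot: The new test `++ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)` runs after the block in force_sig_info() that resets an ignored or blocked handler to SIG_DFL (only its closing `+ }` is visible; the body is outside the hunk), so if that reset is in place the SIG_IGN half of the test can never be true and `is_unhandled` reduces to a SIG_DFL check. Either drop the SIG_IGN comparison or add a comment saying it is kept deliberately. The gating itself is a sensible tightening: gr_log_signal()/gr_handle_crash() now run only when the signal will really take the default action, which the added comment about java explains. force_sig_info starts outside the hunk.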
1293 @@ -53219,7 +53389,7 @@ diff -urNp linux-2.6.37/mm/mlock.c linux-2.6.37/mm/mlock.c
1294 ret = do_mlockall(flags);
1295 diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1296 --- linux-2.6.37/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
1297 -+++ linux-2.6.37/mm/mmap.c 2011-01-17 02:41:02.000000000 -0500
1298 ++++ linux-2.6.37/mm/mmap.c 2011-02-12 11:36:29.000000000 -0500
1299 @@ -45,6 +45,16 @@
1300 #define arch_rebalance_pgtables(addr, len) (addr)
1301 #endif
1302 @@ -53442,12 +53612,13 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1303 if (addr & ~PAGE_MASK)
1304 return addr;
1305
1306 -@@ -1016,6 +1093,31 @@ unsigned long do_mmap_pgoff(struct file
1307 +@@ -1016,6 +1093,36 @@ unsigned long do_mmap_pgoff(struct file
1308 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
1309 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
1310
1311 +#ifdef CONFIG_PAX_MPROTECT
1312 + if (mm->pax_flags & MF_PAX_MPROTECT) {
1313 ++#ifndef CONFIG_PAX_MPROTECT_COMPAT
1314 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
1315 + gr_log_rwxmmap(file);
1316 +
1317 @@ -53461,6 +53632,10 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1318 +
1319 + if (!(vm_flags & VM_EXEC))
1320 + vm_flags &= ~VM_MAYEXEC;
1321 ++#else
1322 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
1323 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
1324 ++#endif
1325 + else
1326 + vm_flags &= ~VM_MAYWRITE;
1327 + }
1328 @@ -53474,7 +53649,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1329 if (flags & MAP_LOCKED)
1330 if (!can_do_mlock())
1331 return -EPERM;
1332 -@@ -1027,6 +1129,7 @@ unsigned long do_mmap_pgoff(struct file
1333 +@@ -1027,6 +1134,7 @@ unsigned long do_mmap_pgoff(struct file
1334 locked += mm->locked_vm;
1335 lock_limit = rlimit(RLIMIT_MEMLOCK);
1336 lock_limit >>= PAGE_SHIFT;
1337 @@ -53482,7 +53657,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1338 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
1339 return -EAGAIN;
1340 }
1341 -@@ -1097,6 +1200,9 @@ unsigned long do_mmap_pgoff(struct file
1342 +@@ -1097,6 +1205,9 @@ unsigned long do_mmap_pgoff(struct file
1343 if (error)
1344 return error;
1345
1346 @@ -53492,7 +53667,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1347 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
1348 }
1349 EXPORT_SYMBOL(do_mmap_pgoff);
1350 -@@ -1174,10 +1280,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
1351 +@@ -1174,10 +1285,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
1352 */
1353 int vma_wants_writenotify(struct vm_area_struct *vma)
1354 {
1355 @@ -53505,7 +53680,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1356 return 0;
1357
1358 /* The backer wishes to know when pages are first written to? */
1359 -@@ -1226,14 +1332,24 @@ unsigned long mmap_region(struct file *f
1360 +@@ -1226,14 +1337,24 @@ unsigned long mmap_region(struct file *f
1361 unsigned long charged = 0;
1362 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
1363
1364 @@ -53532,7 +53707,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1365 }
1366
1367 /* Check against address space limit. */
1368 -@@ -1282,6 +1398,16 @@ munmap_back:
1369 +@@ -1282,6 +1403,16 @@ munmap_back:
1370 goto unacct_error;
1371 }
1372
1373 @@ -53549,7 +53724,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1374 vma->vm_mm = mm;
1375 vma->vm_start = addr;
1376 vma->vm_end = addr + len;
1377 -@@ -1305,6 +1431,19 @@ munmap_back:
1378 +@@ -1305,6 +1436,19 @@ munmap_back:
1379 error = file->f_op->mmap(file, vma);
1380 if (error)
1381 goto unmap_and_free_vma;
1382 @@ -53569,7 +53744,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1383 if (vm_flags & VM_EXECUTABLE)
1384 added_exe_file_vma(mm);
1385
1386 -@@ -1340,6 +1479,11 @@ munmap_back:
1387 +@@ -1340,6 +1484,11 @@ munmap_back:
1388 vma_link(mm, vma, prev, rb_link, rb_parent);
1389 file = vma->vm_file;
1390
1391 @@ -53581,7 +53756,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1392 /* Once vma denies write, undo our temporary denial count */
1393 if (correct_wcount)
1394 atomic_inc(&inode->i_writecount);
1395 -@@ -1348,6 +1492,7 @@ out:
1396 +@@ -1348,6 +1497,7 @@ out:
1397
1398 mm->total_vm += len >> PAGE_SHIFT;
1399 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
1400 @@ -53589,7 +53764,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1401 if (vm_flags & VM_LOCKED) {
1402 if (!mlock_vma_pages_range(vma, addr, addr + len))
1403 mm->locked_vm += (len >> PAGE_SHIFT);
1404 -@@ -1365,6 +1510,12 @@ unmap_and_free_vma:
1405 +@@ -1365,6 +1515,12 @@ unmap_and_free_vma:
1406 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
1407 charged = 0;
1408 free_vma:
1409 @@ -53602,7 +53777,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1410 kmem_cache_free(vm_area_cachep, vma);
1411 unacct_error:
1412 if (charged)
1413 -@@ -1372,6 +1523,33 @@ unacct_error:
1414 +@@ -1372,6 +1528,33 @@ unacct_error:
1415 return error;
1416 }
1417
1418 @@ -53636,7 +53811,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1419 /* Get an address range which is currently unmapped.
1420 * For shmat() with addr=0.
1421 *
1422 -@@ -1398,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp
1423 +@@ -1398,18 +1581,23 @@ arch_get_unmapped_area(struct file *filp
1424 if (flags & MAP_FIXED)
1425 return addr;
1426
1427 @@ -53667,7 +53842,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1428 }
1429
1430 full_search:
1431 -@@ -1420,34 +1603,40 @@ full_search:
1432 +@@ -1420,34 +1608,40 @@ full_search:
1433 * Start a new search - just in case we missed
1434 * some holes.
1435 */
1436 @@ -53719,7 +53894,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1437 mm->free_area_cache = addr;
1438 mm->cached_hole_size = ~0UL;
1439 }
1440 -@@ -1465,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi
1441 +@@ -1465,7 +1659,7 @@ arch_get_unmapped_area_topdown(struct fi
1442 {
1443 struct vm_area_struct *vma;
1444 struct mm_struct *mm = current->mm;
1445 @@ -53728,7 +53903,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1446
1447 /* requested length too big for entire address space */
1448 if (len > TASK_SIZE)
1449 -@@ -1474,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi
1450 +@@ -1474,13 +1668,18 @@ arch_get_unmapped_area_topdown(struct fi
1451 if (flags & MAP_FIXED)
1452 return addr;
1453
1454 @@ -53751,7 +53926,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1455 }
1456
1457 /* check if free_area_cache is useful for us */
1458 -@@ -1495,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
1459 +@@ -1495,7 +1694,7 @@ arch_get_unmapped_area_topdown(struct fi
1460 /* make sure it can fit in the remaining address space */
1461 if (addr > len) {
1462 vma = find_vma(mm, addr-len);
1463 @@ -53760,7 +53935,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1464 /* remember the address as a hint for next time */
1465 return (mm->free_area_cache = addr-len);
1466 }
1467 -@@ -1512,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi
1468 +@@ -1512,7 +1711,7 @@ arch_get_unmapped_area_topdown(struct fi
1469 * return with success:
1470 */
1471 vma = find_vma(mm, addr);
1472 @@ -53769,7 +53944,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1473 /* remember the address as a hint for next time */
1474 return (mm->free_area_cache = addr);
1475
1476 -@@ -1531,13 +1725,21 @@ bottomup:
1477 +@@ -1531,13 +1730,21 @@ bottomup:
1478 * can happen with large stack limits and large mmap()
1479 * allocations.
1480 */
1481 @@ -53793,7 +53968,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1482 mm->cached_hole_size = ~0UL;
1483
1484 return addr;
1485 -@@ -1546,6 +1748,12 @@ bottomup:
1486 +@@ -1546,6 +1753,12 @@ bottomup:
1487
1488 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
1489 {
1490 @@ -53806,7 +53981,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1491 /*
1492 * Is this a new hole at the highest possible address?
1493 */
1494 -@@ -1553,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s
1495 +@@ -1553,8 +1766,10 @@ void arch_unmap_area_topdown(struct mm_s
1496 mm->free_area_cache = addr;
1497
1498 /* dont allow allocations above current base */
1499 @@ -53818,7 +53993,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1500 }
1501
1502 unsigned long
1503 -@@ -1662,6 +1872,28 @@ out:
1504 +@@ -1662,6 +1877,28 @@ out:
1505 return prev ? prev->vm_next : vma;
1506 }
1507
1508 @@ -53847,7 +54022,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1509 /*
1510 * Verify that the stack growth is acceptable and
1511 * update accounting. This is shared with both the
1512 -@@ -1678,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
1513 +@@ -1678,6 +1915,7 @@ static int acct_stack_growth(struct vm_a
1514 return -ENOMEM;
1515
1516 /* Stack limit test */
1517 @@ -53855,7 +54030,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1518 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
1519 return -ENOMEM;
1520
1521 -@@ -1688,6 +1921,7 @@ static int acct_stack_growth(struct vm_a
1522 +@@ -1688,6 +1926,7 @@ static int acct_stack_growth(struct vm_a
1523 locked = mm->locked_vm + grow;
1524 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
1525 limit >>= PAGE_SHIFT;
1526 @@ -53863,7 +54038,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1527 if (locked > limit && !capable(CAP_IPC_LOCK))
1528 return -ENOMEM;
1529 }
1530 -@@ -1718,37 +1952,48 @@ static int acct_stack_growth(struct vm_a
1531 +@@ -1718,37 +1957,48 @@ static int acct_stack_growth(struct vm_a
1532 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
1533 * vma is the last one with address > vma->vm_end. Have to extend vma.
1534 */
1535 @@ -53921,7 +54096,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1536 unsigned long size, grow;
1537
1538 size = address - vma->vm_start;
1539 -@@ -1760,6 +2005,8 @@ int expand_upwards(struct vm_area_struct
1540 +@@ -1760,6 +2010,8 @@ int expand_upwards(struct vm_area_struct
1541 perf_event_mmap(vma);
1542 }
1543 }
1544 @@ -53930,7 +54105,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1545 vma_unlock_anon_vma(vma);
1546 return error;
1547 }
1548 -@@ -1772,6 +2019,8 @@ static int expand_downwards(struct vm_ar
1549 +@@ -1772,6 +2024,8 @@ static int expand_downwards(struct vm_ar
1550 unsigned long address)
1551 {
1552 int error;
1553 @@ -53939,7 +54114,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1554
1555 /*
1556 * We must make sure the anon_vma is allocated
1557 -@@ -1785,6 +2034,15 @@ static int expand_downwards(struct vm_ar
1558 +@@ -1785,6 +2039,15 @@ static int expand_downwards(struct vm_ar
1559 if (error)
1560 return error;
1561
1562 @@ -53955,7 +54130,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1563 vma_lock_anon_vma(vma);
1564
1565 /*
1566 -@@ -1794,9 +2052,17 @@ static int expand_downwards(struct vm_ar
1567 +@@ -1794,9 +2057,17 @@ static int expand_downwards(struct vm_ar
1568 */
1569
1570 /* Somebody else might have raced and expanded it already */
1571 @@ -53974,7 +54149,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1572 size = vma->vm_end - address;
1573 grow = (vma->vm_start - address) >> PAGE_SHIFT;
1574
1575 -@@ -1804,10 +2070,21 @@ static int expand_downwards(struct vm_ar
1576 +@@ -1804,10 +2075,21 @@ static int expand_downwards(struct vm_ar
1577 if (!error) {
1578 vma->vm_start = address;
1579 vma->vm_pgoff -= grow;
1580 @@ -53996,7 +54171,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1581 return error;
1582 }
1583
1584 -@@ -1881,6 +2158,13 @@ static void remove_vma_list(struct mm_st
1585 +@@ -1881,6 +2163,13 @@ static void remove_vma_list(struct mm_st
1586 do {
1587 long nrpages = vma_pages(vma);
1588
1589 @@ -54010,7 +54185,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1590 mm->total_vm -= nrpages;
1591 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
1592 vma = remove_vma(vma);
1593 -@@ -1926,6 +2210,16 @@ detach_vmas_to_be_unmapped(struct mm_str
1594 +@@ -1926,6 +2215,16 @@ detach_vmas_to_be_unmapped(struct mm_str
1595 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
1596 vma->vm_prev = NULL;
1597 do {
1598 @@ -54027,7 +54202,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1599 rb_erase(&vma->vm_rb, &mm->mm_rb);
1600 mm->map_count--;
1601 tail_vma = vma;
1602 -@@ -1954,14 +2248,33 @@ static int __split_vma(struct mm_struct
1603 +@@ -1954,14 +2253,33 @@ static int __split_vma(struct mm_struct
1604 struct vm_area_struct *new;
1605 int err = -ENOMEM;
1606
1607 @@ -54061,7 +54236,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1608 /* most fields are the same, copy all, and then fixup */
1609 *new = *vma;
1610
1611 -@@ -1974,6 +2287,22 @@ static int __split_vma(struct mm_struct
1612 +@@ -1974,6 +2292,22 @@ static int __split_vma(struct mm_struct
1613 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
1614 }
1615
1616 @@ -54084,7 +54259,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1617 pol = mpol_dup(vma_policy(vma));
1618 if (IS_ERR(pol)) {
1619 err = PTR_ERR(pol);
1620 -@@ -1999,6 +2328,42 @@ static int __split_vma(struct mm_struct
1621 +@@ -1999,6 +2333,42 @@ static int __split_vma(struct mm_struct
1622 else
1623 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
1624
1625 @@ -54127,7 +54302,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1626 /* Success. */
1627 if (!err)
1628 return 0;
1629 -@@ -2011,10 +2376,18 @@ static int __split_vma(struct mm_struct
1630 +@@ -2011,10 +2381,18 @@ static int __split_vma(struct mm_struct
1631 removed_exe_file_vma(mm);
1632 fput(new->vm_file);
1633 }
1634 @@ -54147,7 +54322,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1635 kmem_cache_free(vm_area_cachep, new);
1636 out_err:
1637 return err;
1638 -@@ -2027,6 +2400,15 @@ static int __split_vma(struct mm_struct
1639 +@@ -2027,6 +2405,15 @@ static int __split_vma(struct mm_struct
1640 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
1641 unsigned long addr, int new_below)
1642 {
1643 @@ -54163,7 +54338,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1644 if (mm->map_count >= sysctl_max_map_count)
1645 return -ENOMEM;
1646
1647 -@@ -2038,11 +2420,30 @@ int split_vma(struct mm_struct *mm, stru
1648 +@@ -2038,11 +2425,30 @@ int split_vma(struct mm_struct *mm, stru
1649 * work. This now handles partial unmappings.
1650 * Jeremy Fitzhardinge <jeremy@××××.org>
1651 */
1652 @@ -54194,7 +54369,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1653 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
1654 return -EINVAL;
1655
1656 -@@ -2116,6 +2517,8 @@ int do_munmap(struct mm_struct *mm, unsi
1657 +@@ -2116,6 +2522,8 @@ int do_munmap(struct mm_struct *mm, unsi
1658 /* Fix up all other VM information */
1659 remove_vma_list(mm, vma);
1660
1661 @@ -54203,7 +54378,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1662 return 0;
1663 }
1664
1665 -@@ -2128,22 +2531,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
1666 +@@ -2128,22 +2536,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
1667
1668 profile_munmap(addr);
1669
1670 @@ -54232,7 +54407,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1671 /*
1672 * this is really a simplified "do_mmap". it only handles
1673 * anonymous maps. eventually we may be able to do some
1674 -@@ -2157,6 +2556,7 @@ unsigned long do_brk(unsigned long addr,
1675 +@@ -2157,6 +2561,7 @@ unsigned long do_brk(unsigned long addr,
1676 struct rb_node ** rb_link, * rb_parent;
1677 pgoff_t pgoff = addr >> PAGE_SHIFT;
1678 int error;
1679 @@ -54240,7 +54415,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1680
1681 len = PAGE_ALIGN(len);
1682 if (!len)
1683 -@@ -2168,16 +2568,30 @@ unsigned long do_brk(unsigned long addr,
1684 +@@ -2168,16 +2573,30 @@ unsigned long do_brk(unsigned long addr,
1685
1686 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
1687
1688 @@ -54272,7 +54447,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1689 locked += mm->locked_vm;
1690 lock_limit = rlimit(RLIMIT_MEMLOCK);
1691 lock_limit >>= PAGE_SHIFT;
1692 -@@ -2194,22 +2608,22 @@ unsigned long do_brk(unsigned long addr,
1693 +@@ -2194,22 +2613,22 @@ unsigned long do_brk(unsigned long addr,
1694 /*
1695 * Clear old maps. this also does some error checking for us
1696 */
1697 @@ -54299,7 +54474,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1698 return -ENOMEM;
1699
1700 /* Can we just expand an old private anonymous mapping? */
1701 -@@ -2223,7 +2637,7 @@ unsigned long do_brk(unsigned long addr,
1702 +@@ -2223,7 +2642,7 @@ unsigned long do_brk(unsigned long addr,
1703 */
1704 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
1705 if (!vma) {
1706 @@ -54308,7 +54483,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1707 return -ENOMEM;
1708 }
1709
1710 -@@ -2237,11 +2651,12 @@ unsigned long do_brk(unsigned long addr,
1711 +@@ -2237,11 +2656,12 @@ unsigned long do_brk(unsigned long addr,
1712 vma_link(mm, vma, prev, rb_link, rb_parent);
1713 out:
1714 perf_event_mmap(vma);
1715 @@ -54323,7 +54498,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1716 return addr;
1717 }
1718
1719 -@@ -2288,8 +2703,10 @@ void exit_mmap(struct mm_struct *mm)
1720 +@@ -2288,8 +2708,10 @@ void exit_mmap(struct mm_struct *mm)
1721 * Walk the list again, actually closing and freeing it,
1722 * with preemption enabled, without holding any MM locks.
1723 */
1724 @@ -54335,7 +54510,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1725
1726 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
1727 }
1728 -@@ -2303,6 +2720,13 @@ int insert_vm_struct(struct mm_struct *
1729 +@@ -2303,6 +2725,13 @@ int insert_vm_struct(struct mm_struct *
1730 struct vm_area_struct * __vma, * prev;
1731 struct rb_node ** rb_link, * rb_parent;
1732
1733 @@ -54349,7 +54524,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1734 /*
1735 * The vm_pgoff of a purely anonymous vma should be irrelevant
1736 * until its first write fault, when page's anon_vma and index
1737 -@@ -2325,7 +2749,22 @@ int insert_vm_struct(struct mm_struct *
1738 +@@ -2325,7 +2754,22 @@ int insert_vm_struct(struct mm_struct *
1739 if ((vma->vm_flags & VM_ACCOUNT) &&
1740 security_vm_enough_memory_mm(mm, vma_pages(vma)))
1741 return -ENOMEM;
1742 @@ -54372,7 +54547,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1743 return 0;
1744 }
1745
1746 -@@ -2343,6 +2782,8 @@ struct vm_area_struct *copy_vma(struct v
1747 +@@ -2343,6 +2787,8 @@ struct vm_area_struct *copy_vma(struct v
1748 struct rb_node **rb_link, *rb_parent;
1749 struct mempolicy *pol;
1750
1751 @@ -54381,7 +54556,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1752 /*
1753 * If anonymous vma has not yet been faulted, update new pgoff
1754 * to match new location, to increase its chance of merging.
1755 -@@ -2392,6 +2833,39 @@ struct vm_area_struct *copy_vma(struct v
1756 +@@ -2392,6 +2838,39 @@ struct vm_area_struct *copy_vma(struct v
1757 kmem_cache_free(vm_area_cachep, new_vma);
1758 return NULL;
1759 }
1760 @@ -54421,7 +54596,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1761
1762 /*
1763 * Return true if the calling process may expand its vm space by the passed
1764 -@@ -2403,7 +2877,7 @@ int may_expand_vm(struct mm_struct *mm,
1765 +@@ -2403,7 +2882,7 @@ int may_expand_vm(struct mm_struct *mm,
1766 unsigned long lim;
1767
1768 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
1769 @@ -54430,16 +54605,21 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
1770 if (cur + npages > lim)
1771 return 0;
1772 return 1;
1773 -@@ -2474,6 +2948,17 @@ int install_special_mapping(struct mm_st
1774 +@@ -2474,6 +2953,22 @@ int install_special_mapping(struct mm_st
1775 vma->vm_start = addr;
1776 vma->vm_end = addr + len;
1777
1778 +#ifdef CONFIG_PAX_MPROTECT
1779 + if (mm->pax_flags & MF_PAX_MPROTECT) {
1780 ++#ifndef CONFIG_PAX_MPROTECT_COMPAT
1781 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
1782 + return -EPERM;
1783 + if (!(vm_flags & VM_EXEC))
1784 + vm_flags &= ~VM_MAYEXEC;
1785 ++#else
1786 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
1787 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
1788 ++#endif
1789 + else
1790 + vm_flags &= ~VM_MAYWRITE;
1791 + }
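Review bot: The trailing `else` binds to a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT: without it, to `if (!(vm_flags & VM_EXEC))`, so a non-exec mapping loses VM_MAYEXEC and an exec mapping loses VM_MAYWRITE; with it, to `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)`, so anything that is not exec-only is demoted to non-executable and only exec-only mappings lose VM_MAYWRITE. That matches the option's intent but is easy to misread because the `else` sits outside the `#ifndef`/`#else` that owns its `if`; a comment above it such as `/* else pairs with the if of the active #if branch: non-exec (or, in COMPAT mode, non-exec-only) handled above, exec-only loses VM_MAYWRITE */` would make the pairing explicit. In the compat branch the caller gets no error for a writable+executable request and simply receives a non-executable mapping, which the same comment should state since callers of this function are not in the hunk. The enclosing install_special_mapping() starts and ends outside this hunk.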
1792 @@ -57966,8 +58146,8 @@ diff -urNp linux-2.6.37/security/integrity/ima/ima_queue.c linux-2.6.37/security
1793 return 0;
1794 diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig
1795 --- linux-2.6.37/security/Kconfig 2011-01-04 19:50:19.000000000 -0500
1796 -+++ linux-2.6.37/security/Kconfig 2011-01-17 02:41:02.000000000 -0500
1797 -@@ -4,6 +4,509 @@
1798 ++++ linux-2.6.37/security/Kconfig 2011-02-12 11:32:56.000000000 -0500
1799 +@@ -4,6 +4,527 @@
1800
1801 menu "Security options"
1802
1803 @@ -58213,6 +58393,24 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig
1804 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
1805 + this feature on a per file basis.
1806 +
1807 ++config PAX_MPROTECT_COMPAT
1808 ++ bool "Use legacy/compat protection demoting (read help)"
1809 ++ depends on PAX_MPROTECT
1810 ++ default n
1811 ++ help
1812 ++ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
1813 ++ by sending the proper error code to the application. For some broken
1814 ++ userland, this can cause problems with Python or other applications. The
1815 ++ current implementation however allows for applications like clamav to
1816 ++ detect if JIT compilation/execution is allowed and to fall back gracefully
1817 ++ to an interpreter-based mode if it does not. While we encourage everyone
1818 ++ to use the current implementation as-is and push upstream to fix broken
1819 ++ userland (note that the RWX logging option can assist with this), in some
1820 ++ environments this may not be possible. Having to disable MPROTECT
1821 ++ completely on certain binaries reduces the security benefit of PaX,
1822 ++ so this option is provided for those environments to revert to the old
1823 ++ behavior.
1824 ++
1825 +config PAX_ELFRELOCS
1826 + bool "Allow ELF text relocations (read help)"
1827 + depends on PAX_MPROTECT
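Review bot: The help text says the option reverts to "the old behavior" but never states what that behavior is; as far as the mm/mmap.c hunk above shows, it strips VM_EXEC and VM_MAYEXEC from any request that is not exec-only instead of failing it with -EPERM, so the application cannot tell that execution was denied. Adding a sentence after "revert to the old behavior" such as `With this option, RWX requests are silently demoted to non-executable instead of being refused, so applications cannot detect that JIT execution was denied.` would let users judge the trade-off the text otherwise only alludes to.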
1828 @@ -58477,7 +58675,7 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig
1829 config KEYS
1830 bool "Enable access key retention support"
1831 help
1832 -@@ -136,7 +639,7 @@ config INTEL_TXT
1833 +@@ -136,7 +657,7 @@ config INTEL_TXT
1834 config LSM_MMAP_MIN_ADDR
1835 int "Low address space for LSM to protect from user allocation"
1836 depends on SECURITY && SECURITY_SELINUX
1837 @@ -58507,7 +58705,7 @@ diff -urNp linux-2.6.37/security/min_addr.c linux-2.6.37/security/min_addr.c
1838 /*
1839 diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c
1840 --- linux-2.6.37/security/security.c 2011-01-04 19:50:19.000000000 -0500
1841 -+++ linux-2.6.37/security/security.c 2011-01-17 02:41:02.000000000 -0500
1842 ++++ linux-2.6.37/security/security.c 2011-02-12 10:36:34.000000000 -0500
1843 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
1844 /* things that live in capability.c */
1845 extern void __init security_fixup_ops(struct security_operations *ops);
1846 @@ -58529,9 +58727,22 @@ diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c
1847 }
1848
1849 /* Save user chosen LSM */
1850 +@@ -154,10 +156,9 @@ int security_capset(struct cred *new, co
1851 + effective, inheritable, permitted);
1852 + }
1853 +
1854 +-int security_capable(int cap)
1855 ++int security_capable(const struct cred *cred, int cap)
1856 + {
1857 +- return security_ops->capable(current, current_cred(), cap,
1858 +- SECURITY_CAP_AUDIT);
1859 ++ return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT);
1860 + }
1861 +
1862 + int security_real_capable(struct task_struct *tsk, int cap)
1863 diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/hooks.c
1864 --- linux-2.6.37/security/selinux/hooks.c 2011-01-04 19:50:19.000000000 -0500
1865 -+++ linux-2.6.37/security/selinux/hooks.c 2011-01-17 02:41:02.000000000 -0500
1866 ++++ linux-2.6.37/security/selinux/hooks.c 2011-02-12 11:02:14.000000000 -0500
1867 @@ -90,7 +90,6 @@
1868 #define NUM_SEL_MNT_OPTS 5
1869
1870 @@ -58540,7 +58751,20 @@ diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/h
1871
1872 /* SECMARK reference count */
1873 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
1874 -@@ -5388,7 +5387,7 @@ static int selinux_key_getsecurity(struc
1875 +@@ -3195,7 +3194,11 @@ static void selinux_cred_free(struct cre
1876 + {
1877 + struct task_security_struct *tsec = cred->security;
1878 +
1879 +- BUG_ON((unsigned long) cred->security < PAGE_SIZE);
1880 ++ /*
1881 ++ * cred->security == NULL if security_cred_alloc_blank() or
1882 ++ * security_prepare_creds() returned an error.
1883 ++ */
1884 ++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
1885 + cred->security = (void *) 0x7UL;
1886 + kfree(tsec);
1887 + }
1888 +@@ -5388,7 +5391,7 @@ static int selinux_key_getsecurity(struc
1889
1890 #endif