commit: b7b6c63d4ed778e1e1588005c377e93c69eb0283 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Sat Jan 4 15:08:35 2014 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sat Jan 4 15:08:35 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=b7b6c63d |
|
Grsec/PaX: 3.0-3.12.6-201401021726 |
|
--- |
3.12.6/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.12.6-201401021726.patch} | 184 ++++++++++++--------- |
2 files changed, 110 insertions(+), 76 deletions(-) |
|
diff --git a/3.12.6/0000_README b/3.12.6/0000_README |
16 |
index 9a0fb55..0c79077 100644 |
17 |
--- a/3.12.6/0000_README |
18 |
+++ b/3.12.6/0000_README |
19 |
@@ -2,7 +2,7 @@ README |
20 |
----------------------------------------------------------------------------- |
21 |
Individual Patch Descriptions: |
22 |
----------------------------------------------------------------------------- |
23 |
-Patch: 4420_grsecurity-3.0-3.12.6-201312301223.patch |
24 |
+Patch: 4420_grsecurity-3.0-3.12.6-201401021726.patch |
25 |
From: http://www.grsecurity.net |
26 |
Desc: hardened-sources base patch from upstream grsecurity |
27 |
|
28 |
|
29 |
diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch |
30 |
similarity index 99% |
31 |
rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch |
32 |
rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch |
33 |
index a396411..e1b8944 100644 |
34 |
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch |
35 |
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch |
36 |
@@ -45673,43 +45673,40 @@ index f4a18f5..ff2463c 100644 |
37 |
int retval = -ENOMEM; |
38 |
|
39 |
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c |
40 |
-index 7128cfd..db7c65b 100644 |
41 |
+index 7128cfd..6fdc261 100644 |
42 |
--- a/drivers/pci/pci-sysfs.c |
43 |
+++ b/drivers/pci/pci-sysfs.c |
44 |
-@@ -634,6 +634,10 @@ pci_write_config(struct file* filp, struct kobject *kobj, |
45 |
+@@ -634,6 +634,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, |
46 |
loff_t init_off = off; |
47 |
u8 *data = (u8*) buf; |
48 |
|
49 |
-+#ifdef CONFIG_GRKERNSEC_KMEM |
50 |
-+ return -EPERM; |
51 |
-+#endif |
52 |
++ if (!capable(CAP_SYS_RAWIO)) |
53 |
++ return -EPERM; |
54 |
+ |
55 |
if (off > dev->cfg_size) |
56 |
return 0; |
57 |
if (off + count > dev->cfg_size) { |
58 |
-@@ -940,6 +944,10 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, |
59 |
+@@ -940,6 +943,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, |
60 |
resource_size_t start, end; |
61 |
int i; |
62 |
|
63 |
-+#ifdef CONFIG_GRKERNSEC_KMEM |
64 |
-+ return -EPERM; |
65 |
-+#endif |
66 |
++ if (!capable(CAP_SYS_RAWIO)) |
67 |
++ return -EPERM; |
68 |
+ |
69 |
for (i = 0; i < PCI_ROM_RESOURCE; i++) |
70 |
if (res == &pdev->resource[i]) |
71 |
break; |
72 |
-@@ -1047,6 +1055,10 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, |
73 |
- struct bin_attribute *attr, char *buf, |
74 |
- loff_t off, size_t count) |
75 |
- { |
76 |
-+#ifdef CONFIG_GRKERNSEC_KMEM |
77 |
-+ return -EPERM; |
78 |
-+#endif |
79 |
-+ |
80 |
- return pci_resource_io(filp, kobj, attr, buf, off, count, true); |
81 |
- } |
82 |
+@@ -997,6 +1003,9 @@ pci_resource_io(struct file *filp, struct kobject *kobj, |
83 |
+ unsigned long port = off; |
84 |
+ int i; |
85 |
|
86 |
-@@ -1083,7 +1095,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) |
87 |
++ if (!capable(CAP_SYS_RAWIO)) |
88 |
++ return -EPERM; |
89 |
++ |
90 |
+ for (i = 0; i < PCI_ROM_RESOURCE; i++) |
91 |
+ if (res == &pdev->resource[i]) |
92 |
+ break; |
93 |
+@@ -1083,7 +1092,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) |
94 |
{ |
95 |
/* allocate attribute structure, piggyback attribute name */ |
96 |
int name_len = write_combine ? 13 : 10; |
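Review bot: The new `if (!capable(CAP_SYS_RAWIO))` checks in pci_write_config, pci_mmap_resource and pci_resource_io carry no `#ifdef CONFIG_GRKERNSEC_KMEM` and no comment, so a reader cannot tell whether they are meant as the hard deny the old unconditional `return -EPERM` gave under that option, or as a deliberate relaxation that lets CAP_SYS_RAWIO holders write config space and map BARs again; they only stay a hardening measure if CAP_SYS_RAWIO is withheld elsewhere when KMEM is enabled, which nothing in this hunk shows. I would put a comment above each check, e.g. `/* CONFIG_GRKERNSEC_KMEM relies on CAP_SYS_RAWIO being unavailable here; do not relax to CAP_SYS_ADMIN */`, and confirm that dependency in the rest of the patch. Moving the check from pci_write_resource_io into pci_resource_io also makes reads of the I/O-port resourceN files fail with -EPERM for callers without CAP_SYS_RAWIO, a wider effect than the old write-only hunk that deserves a line in the patch description. All three enclosing functions start and end outside the hunk.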
97 |
@@ -45718,7 +45715,7 @@ index 7128cfd..db7c65b 100644 |
98 |
int retval; |
99 |
|
100 |
res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC); |
101 |
-@@ -1268,7 +1280,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor |
102 |
+@@ -1268,7 +1277,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor |
103 |
static int pci_create_capabilities_sysfs(struct pci_dev *dev) |
104 |
{ |
105 |
int retval; |
106 |
@@ -45727,7 +45724,7 @@ index 7128cfd..db7c65b 100644 |
107 |
|
108 |
/* If the device has VPD, try to expose it in sysfs. */ |
109 |
if (dev->vpd) { |
110 |
-@@ -1315,7 +1327,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev) |
111 |
+@@ -1315,7 +1324,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev) |
112 |
{ |
113 |
int retval; |
114 |
int rom_size = 0; |
115 |
@@ -45780,43 +45777,20 @@ index 7ef0f86..17b710f 100644 |
116 |
/* No printks while decoding is disabled! */ |
117 |
if (!dev->mmio_always_on) { |
118 |
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c |
119 |
-index cdc7836..2e0eb94 100644 |
120 |
+index cdc7836..0c964c9 100644 |
121 |
--- a/drivers/pci/proc.c |
122 |
+++ b/drivers/pci/proc.c |
123 |
-@@ -117,6 +117,10 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof |
124 |
+@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof |
125 |
int size = dev->cfg_size; |
126 |
int cnt; |
127 |
|
128 |
-+#ifdef CONFIG_GRKERNSEC_KMEM |
129 |
-+ return -EPERM; |
130 |
-+#endif |
131 |
++ if (!capable(CAP_SYS_RAWIO)) |
132 |
++ return -EPERM; |
133 |
+ |
134 |
if (pos >= size) |
135 |
return 0; |
136 |
if (nbytes >= size) |
137 |
-@@ -196,6 +200,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, |
138 |
- #endif /* HAVE_PCI_MMAP */ |
139 |
- int ret = 0; |
140 |
- |
141 |
-+#ifdef CONFIG_GRKERNSEC_KMEM |
142 |
-+ return -EPERM; |
143 |
-+#endif |
144 |
-+ |
145 |
- switch (cmd) { |
146 |
- case PCIIOC_CONTROLLER: |
147 |
- ret = pci_domain_nr(dev->bus); |
148 |
-@@ -234,6 +242,10 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) |
149 |
- struct pci_filp_private *fpriv = file->private_data; |
150 |
- int i, ret; |
151 |
- |
152 |
-+#ifdef CONFIG_GRKERNSEC_KMEM |
153 |
-+ return -EPERM; |
154 |
-+#endif |
155 |
-+ |
156 |
- if (!capable(CAP_SYS_RAWIO)) |
157 |
- return -EPERM; |
158 |
- |
159 |
-@@ -434,7 +446,16 @@ static const struct file_operations proc_bus_pci_dev_operations = { |
160 |
+@@ -434,7 +437,16 @@ static const struct file_operations proc_bus_pci_dev_operations = { |
161 |
static int __init pci_proc_init(void) |
162 |
{ |
163 |
struct pci_dev *dev = NULL; |
164 |
@@ -45833,21 +45807,6 @@ index cdc7836..2e0eb94 100644 |
165 |
proc_create("devices", 0, proc_bus_pci_dir, |
166 |
&proc_bus_pci_dev_operations); |
167 |
proc_initialized = 1; |
168 |
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c |
169 |
-index e1c1ec5..bef4210 100644 |
170 |
---- a/drivers/pci/syscall.c |
171 |
-+++ b/drivers/pci/syscall.c |
172 |
-@@ -92,6 +92,10 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, |
173 |
- u32 dword; |
174 |
- int err = 0; |
175 |
- |
176 |
-+#ifdef CONFIG_GRKERNSEC_KMEM |
177 |
-+ return -EPERM |
178 |
-+#endif |
179 |
-+ |
180 |
- if (!capable(CAP_SYS_ADMIN)) |
181 |
- return -EPERM; |
182 |
- |
183 |
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c |
184 |
index 19c313b..ed28b38 100644 |
185 |
--- a/drivers/platform/x86/asus-wmi.c |
186 |
@@ -61309,21 +61268,96 @@ index 6b6a993..807cccc 100644 |
187 |
kfree(s); |
188 |
} |
189 |
diff --git a/fs/proc/stat.c b/fs/proc/stat.c |
190 |
-index 1cf86c0..5668e11 100644 |
191 |
+index 1cf86c0..f61473c 100644 |
192 |
--- a/fs/proc/stat.c |
193 |
+++ b/fs/proc/stat.c |
194 |
-@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = { |
195 |
+@@ -11,6 +11,7 @@ |
196 |
+ #include <linux/irqnr.h> |
197 |
+ #include <asm/cputime.h> |
198 |
+ #include <linux/tick.h> |
199 |
++#include <linux/grsecurity.h> |
200 |
|
201 |
- static int __init proc_stat_init(void) |
202 |
- { |
203 |
+ #ifndef arch_irq_stat_cpu |
204 |
+ #define arch_irq_stat_cpu(cpu) 0 |
205 |
+@@ -87,13 +88,28 @@ static int show_stat(struct seq_file *p, void *v) |
206 |
+ u64 sum_softirq = 0; |
207 |
+ unsigned int per_softirq_sums[NR_SOFTIRQS] = {0}; |
208 |
+ struct timespec boottime; |
209 |
++ int unrestricted = 1; |
210 |
++ |
211 |
+#ifdef CONFIG_GRKERNSEC_PROC_ADD |
212 |
-+ proc_create_grsec("stat", 0, NULL, &proc_stat_operations); |
213 |
-+#else |
214 |
- proc_create("stat", 0, NULL, &proc_stat_operations); |
215 |
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
216 |
++ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) |
217 |
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP |
218 |
++ && !in_group_p(grsec_proc_gid) |
219 |
+#endif |
220 |
- return 0; |
221 |
- } |
222 |
- module_init(proc_stat_init); |
223 |
++ ) |
224 |
++ unrestricted = 0; |
225 |
++#endif |
226 |
++#endif |
227 |
+ |
228 |
+ user = nice = system = idle = iowait = |
229 |
+ irq = softirq = steal = 0; |
230 |
+ guest = guest_nice = 0; |
231 |
+ getboottime(&boottime); |
232 |
+ jif = boottime.tv_sec; |
233 |
++ if (!unrestricted) |
234 |
++ jif = 0; |
235 |
+ |
236 |
++ if (unrestricted) { |
237 |
+ for_each_possible_cpu(i) { |
238 |
+ user += kcpustat_cpu(i).cpustat[CPUTIME_USER]; |
239 |
+ nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE]; |
240 |
+@@ -116,6 +132,7 @@ static int show_stat(struct seq_file *p, void *v) |
241 |
+ } |
242 |
+ } |
243 |
+ sum += arch_irq_stat(); |
244 |
++ } |
245 |
+ |
246 |
+ seq_puts(p, "cpu "); |
247 |
+ seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user)); |
248 |
+@@ -131,6 +148,7 @@ static int show_stat(struct seq_file *p, void *v) |
249 |
+ seq_putc(p, '\n'); |
250 |
+ |
251 |
+ for_each_online_cpu(i) { |
252 |
++ if (unrestricted) { |
253 |
+ /* Copy values here to work around gcc-2.95.3, gcc-2.96 */ |
254 |
+ user = kcpustat_cpu(i).cpustat[CPUTIME_USER]; |
255 |
+ nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE]; |
256 |
+@@ -142,6 +160,7 @@ static int show_stat(struct seq_file *p, void *v) |
257 |
+ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL]; |
258 |
+ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST]; |
259 |
+ guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE]; |
260 |
++ } |
261 |
+ seq_printf(p, "cpu%d", i); |
262 |
+ seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user)); |
263 |
+ seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(nice)); |
264 |
+@@ -159,7 +178,7 @@ static int show_stat(struct seq_file *p, void *v) |
265 |
+ |
266 |
+ /* sum again ? it could be updated? */ |
267 |
+ for_each_irq_nr(j) |
268 |
+- seq_put_decimal_ull(p, ' ', kstat_irqs(j)); |
269 |
++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL); |
270 |
+ |
271 |
+ seq_printf(p, |
272 |
+ "\nctxt %llu\n" |
273 |
+@@ -167,11 +186,11 @@ static int show_stat(struct seq_file *p, void *v) |
274 |
+ "processes %lu\n" |
275 |
+ "procs_running %lu\n" |
276 |
+ "procs_blocked %lu\n", |
277 |
+- nr_context_switches(), |
278 |
+- (unsigned long)jif, |
279 |
+- total_forks, |
280 |
+- nr_running(), |
281 |
+- nr_iowait()); |
282 |
++ unrestricted ? nr_context_switches() : 0ULL, |
283 |
++ unrestricted ? (unsigned long)jif : 0UL, |
284 |
++ unrestricted ? total_forks : 0UL, |
285 |
++ unrestricted ? nr_running() : 0UL, |
286 |
++ unrestricted ? nr_iowait() : 0UL); |
287 |
+ |
288 |
+ seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq); |
289 |
+ |
290 |
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c |
291 |
index 390bdab..83c1e8a 100644 |
292 |
--- a/fs/proc/task_mmu.c |
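Review bot: The boot time is masked twice for restricted readers in show_stat — `if (!unrestricted) jif = 0;` right after getboottime() and again as `unrestricted ? (unsigned long)jif : 0UL` in the final seq_printf; keep one, and the earlier statement is the clearer choice since the other counters are also masked at their source. The `unrestricted` computation is three nested `#if` levels with no explanation of why the read succeeds with zeros instead of failing with -EPERM; a comment above it such as `/* Non-root readers (outside grsec_proc_gid when PROC_USERGROUP is set) get a structurally valid /proc/stat with every counter zeroed, presumably so parsers keep working — confirm intent */` would spare the next maintainer a guess. The gate compares the real uid via current_uid(), so a setuid-root helper run by an ordinary user is treated as restricted; if that is intended it belongs in the same comment. show_stat starts before this hunk and continues past its end.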