
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.12.6/
Date: Sat, 04 Jan 2014 15:18:44
Message-Id: 1388848115.b7b6c63d4ed778e1e1588005c377e93c69eb0283.blueness@gentoo
1 commit: b7b6c63d4ed778e1e1588005c377e93c69eb0283
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sat Jan 4 15:08:35 2014 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sat Jan 4 15:08:35 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=b7b6c63d
7
8 Grsec/PaX: 3.0-3.12.6-201401021726
9
10 ---
11 3.12.6/0000_README | 2 +-
12 ... 4420_grsecurity-3.0-3.12.6-201401021726.patch} | 184 ++++++++++++---------
13 2 files changed, 110 insertions(+), 76 deletions(-)
14
15 diff --git a/3.12.6/0000_README b/3.12.6/0000_README
16 index 9a0fb55..0c79077 100644
17 --- a/3.12.6/0000_README
18 +++ b/3.12.6/0000_README
19 @@ -2,7 +2,7 @@ README
20 -----------------------------------------------------------------------------
21 Individual Patch Descriptions:
22 -----------------------------------------------------------------------------
23 -Patch: 4420_grsecurity-3.0-3.12.6-201312301223.patch
24 +Patch: 4420_grsecurity-3.0-3.12.6-201401021726.patch
25 From: http://www.grsecurity.net
26 Desc: hardened-sources base patch from upstream grsecurity
27
28
29 diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
30 similarity index 99%
31 rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
32 rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
33 index a396411..e1b8944 100644
34 --- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
35 +++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
36 @@ -45673,43 +45673,40 @@ index f4a18f5..ff2463c 100644
37 int retval = -ENOMEM;
38
39 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
40 -index 7128cfd..db7c65b 100644
41 +index 7128cfd..6fdc261 100644
42 --- a/drivers/pci/pci-sysfs.c
43 +++ b/drivers/pci/pci-sysfs.c
44 -@@ -634,6 +634,10 @@ pci_write_config(struct file* filp, struct kobject *kobj,
45 +@@ -634,6 +634,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
46 loff_t init_off = off;
47 u8 *data = (u8*) buf;
48
49 -+#ifdef CONFIG_GRKERNSEC_KMEM
50 -+ return -EPERM;
51 -+#endif
52 ++ if (!capable(CAP_SYS_RAWIO))
53 ++ return -EPERM;
54 +
55 if (off > dev->cfg_size)
56 return 0;
57 if (off + count > dev->cfg_size) {
58 -@@ -940,6 +944,10 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
59 +@@ -940,6 +943,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
60 resource_size_t start, end;
61 int i;
62
63 -+#ifdef CONFIG_GRKERNSEC_KMEM
64 -+ return -EPERM;
65 -+#endif
66 ++ if (!capable(CAP_SYS_RAWIO))
67 ++ return -EPERM;
68 +
69 for (i = 0; i < PCI_ROM_RESOURCE; i++)
70 if (res == &pdev->resource[i])
71 break;
72 -@@ -1047,6 +1055,10 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
73 - struct bin_attribute *attr, char *buf,
74 - loff_t off, size_t count)
75 - {
76 -+#ifdef CONFIG_GRKERNSEC_KMEM
77 -+ return -EPERM;
78 -+#endif
79 -+
80 - return pci_resource_io(filp, kobj, attr, buf, off, count, true);
81 - }
82 +@@ -997,6 +1003,9 @@ pci_resource_io(struct file *filp, struct kobject *kobj,
83 + unsigned long port = off;
84 + int i;
85
86 -@@ -1083,7 +1095,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
87 ++ if (!capable(CAP_SYS_RAWIO))
88 ++ return -EPERM;
89 ++
90 + for (i = 0; i < PCI_ROM_RESOURCE; i++)
91 + if (res == &pdev->resource[i])
92 + break;
93 +@@ -1083,7 +1092,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
94 {
95 /* allocate attribute structure, piggyback attribute name */
96 int name_len = write_combine ? 13 : 10;
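Review bot: The CAP_SYS_RAWIO guard that the old patch placed in pci_write_resource_io is now inserted into the shared helper pci_resource_io (inner hunk `+@@ -997,6 +1003,9 @@`), and since the removed call `pci_resource_io(filp, kobj, attr, buf, off, count, true)` passes a write flag, the helper is presumably also reached from the read path, so unprivileged reads of I/O-port resources are now refused as well; if that is intended, a one-line comment at the check would keep a later cleanup from "narrowing" it back. Unlike the replaced `#ifdef CONFIG_GRKERNSEC_KMEM` gate, the three new checks (pci_write_config, pci_mmap_resource, pci_resource_io) are unconditional, which deserves a sentence in the commit description. In all three places the capability is evaluated for the task performing the write or mmap rather than for the opener, which matches the proc_bus_pci_mmap check visible elsewhere in this patch. Suggested comment above each check: `/* Raw PCI config/IO/memory access: require CAP_SYS_RAWIO, as /proc/bus/pci mmap already does. */`. The enclosing functions of the inner hunks begin and end outside this hunk.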
97 @@ -45718,7 +45715,7 @@ index 7128cfd..db7c65b 100644
98 int retval;
99
100 res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC);
101 -@@ -1268,7 +1280,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
102 +@@ -1268,7 +1277,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
103 static int pci_create_capabilities_sysfs(struct pci_dev *dev)
104 {
105 int retval;
106 @@ -45727,7 +45724,7 @@ index 7128cfd..db7c65b 100644
107
108 /* If the device has VPD, try to expose it in sysfs. */
109 if (dev->vpd) {
110 -@@ -1315,7 +1327,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev)
111 +@@ -1315,7 +1324,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev)
112 {
113 int retval;
114 int rom_size = 0;
115 @@ -45780,43 +45777,20 @@ index 7ef0f86..17b710f 100644
116 /* No printks while decoding is disabled! */
117 if (!dev->mmio_always_on) {
118 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
119 -index cdc7836..2e0eb94 100644
120 +index cdc7836..0c964c9 100644
121 --- a/drivers/pci/proc.c
122 +++ b/drivers/pci/proc.c
123 -@@ -117,6 +117,10 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
124 +@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
125 int size = dev->cfg_size;
126 int cnt;
127
128 -+#ifdef CONFIG_GRKERNSEC_KMEM
129 -+ return -EPERM;
130 -+#endif
131 ++ if (!capable(CAP_SYS_RAWIO))
132 ++ return -EPERM;
133 +
134 if (pos >= size)
135 return 0;
136 if (nbytes >= size)
137 -@@ -196,6 +200,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
138 - #endif /* HAVE_PCI_MMAP */
139 - int ret = 0;
140 -
141 -+#ifdef CONFIG_GRKERNSEC_KMEM
142 -+ return -EPERM;
143 -+#endif
144 -+
145 - switch (cmd) {
146 - case PCIIOC_CONTROLLER:
147 - ret = pci_domain_nr(dev->bus);
148 -@@ -234,6 +242,10 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
149 - struct pci_filp_private *fpriv = file->private_data;
150 - int i, ret;
151 -
152 -+#ifdef CONFIG_GRKERNSEC_KMEM
153 -+ return -EPERM;
154 -+#endif
155 -+
156 - if (!capable(CAP_SYS_RAWIO))
157 - return -EPERM;
158 -
159 -@@ -434,7 +446,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
160 +@@ -434,7 +437,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
161 static int __init pci_proc_init(void)
162 {
163 struct pci_dev *dev = NULL;
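Review bot: On the new side proc_bus_pci_ioctl is left with no permission check at all — the removed inner hunk `-@@ -196,6 +200,10 @@` drops the `CONFIG_GRKERNSEC_KMEM` gate without a replacement, while proc_bus_pci_write gains `if (!capable(CAP_SYS_RAWIO)) return -EPERM;` and proc_bus_pci_mmap keeps its existing CAP_SYS_RAWIO check. From what is visible (`PCIIOC_CONTROLLER` only reports `pci_domain_nr(dev->bus)`, and the remaining cases presumably only set mmap-mode flags that the still-guarded mmap handler consumes) this looks deliberate, but nothing on the page records that reasoning. A short comment at the top of the ioctl's switch, `/* No capability check: cases only report the domain or set mmap flags; mmap itself requires CAP_SYS_RAWIO. */`, would turn the dropped gate into an explicit decision rather than an apparent omission. The bodies of proc_bus_pci_write and proc_bus_pci_ioctl extend beyond this hunk.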
164 @@ -45833,21 +45807,6 @@ index cdc7836..2e0eb94 100644
165 proc_create("devices", 0, proc_bus_pci_dir,
166 &proc_bus_pci_dev_operations);
167 proc_initialized = 1;
168 -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
169 -index e1c1ec5..bef4210 100644
170 ---- a/drivers/pci/syscall.c
171 -+++ b/drivers/pci/syscall.c
172 -@@ -92,6 +92,10 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
173 - u32 dword;
174 - int err = 0;
175 -
176 -+#ifdef CONFIG_GRKERNSEC_KMEM
177 -+ return -EPERM
178 -+#endif
179 -+
180 - if (!capable(CAP_SYS_ADMIN))
181 - return -EPERM;
182 -
183 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
184 index 19c313b..ed28b38 100644
185 --- a/drivers/platform/x86/asus-wmi.c
186 @@ -61309,21 +61268,96 @@ index 6b6a993..807cccc 100644
187 kfree(s);
188 }
189 diff --git a/fs/proc/stat.c b/fs/proc/stat.c
190 -index 1cf86c0..5668e11 100644
191 +index 1cf86c0..f61473c 100644
192 --- a/fs/proc/stat.c
193 +++ b/fs/proc/stat.c
194 -@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = {
195 +@@ -11,6 +11,7 @@
196 + #include <linux/irqnr.h>
197 + #include <asm/cputime.h>
198 + #include <linux/tick.h>
199 ++#include <linux/grsecurity.h>
200
201 - static int __init proc_stat_init(void)
202 - {
203 + #ifndef arch_irq_stat_cpu
204 + #define arch_irq_stat_cpu(cpu) 0
205 +@@ -87,13 +88,28 @@ static int show_stat(struct seq_file *p, void *v)
206 + u64 sum_softirq = 0;
207 + unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
208 + struct timespec boottime;
209 ++ int unrestricted = 1;
210 ++
211 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
212 -+ proc_create_grsec("stat", 0, NULL, &proc_stat_operations);
213 -+#else
214 - proc_create("stat", 0, NULL, &proc_stat_operations);
215 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
216 ++ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
217 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
218 ++ && !in_group_p(grsec_proc_gid)
219 +#endif
220 - return 0;
221 - }
222 - module_init(proc_stat_init);
223 ++ )
224 ++ unrestricted = 0;
225 ++#endif
226 ++#endif
227 +
228 + user = nice = system = idle = iowait =
229 + irq = softirq = steal = 0;
230 + guest = guest_nice = 0;
231 + getboottime(&boottime);
232 + jif = boottime.tv_sec;
233 ++ if (!unrestricted)
234 ++ jif = 0;
235 +
236 ++ if (unrestricted) {
237 + for_each_possible_cpu(i) {
238 + user += kcpustat_cpu(i).cpustat[CPUTIME_USER];
239 + nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
240 +@@ -116,6 +132,7 @@ static int show_stat(struct seq_file *p, void *v)
241 + }
242 + }
243 + sum += arch_irq_stat();
244 ++ }
245 +
246 + seq_puts(p, "cpu ");
247 + seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
248 +@@ -131,6 +148,7 @@ static int show_stat(struct seq_file *p, void *v)
249 + seq_putc(p, '\n');
250 +
251 + for_each_online_cpu(i) {
252 ++ if (unrestricted) {
253 + /* Copy values here to work around gcc-2.95.3, gcc-2.96 */
254 + user = kcpustat_cpu(i).cpustat[CPUTIME_USER];
255 + nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
256 +@@ -142,6 +160,7 @@ static int show_stat(struct seq_file *p, void *v)
257 + steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
258 + guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
259 + guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
260 ++ }
261 + seq_printf(p, "cpu%d", i);
262 + seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
263 + seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(nice));
264 +@@ -159,7 +178,7 @@ static int show_stat(struct seq_file *p, void *v)
265 +
266 + /* sum again ? it could be updated? */
267 + for_each_irq_nr(j)
268 +- seq_put_decimal_ull(p, ' ', kstat_irqs(j));
269 ++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL);
270 +
271 + seq_printf(p,
272 + "\nctxt %llu\n"
273 +@@ -167,11 +186,11 @@ static int show_stat(struct seq_file *p, void *v)
274 + "processes %lu\n"
275 + "procs_running %lu\n"
276 + "procs_blocked %lu\n",
277 +- nr_context_switches(),
278 +- (unsigned long)jif,
279 +- total_forks,
280 +- nr_running(),
281 +- nr_iowait());
282 ++ unrestricted ? nr_context_switches() : 0ULL,
283 ++ unrestricted ? (unsigned long)jif : 0UL,
284 ++ unrestricted ? total_forks : 0UL,
285 ++ unrestricted ? nr_running() : 0UL,
286 ++ unrestricted ? nr_iowait() : 0UL);
287 +
288 + seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
289 +
290 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
291 index 390bdab..83c1e8a 100644
292 --- a/fs/proc/task_mmu.c