commit: 9a41f2d531a27a9cbbf7071595929f89f79ab809 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Wed May 28 16:28:07 2014 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Wed May 28 16:28:07 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=9a41f2d5 |
|
Grsec/PaX: 3.0-3.14.4-201405271114 |
|
--- |
3.14.4/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.14.4-201405271114.patch} | 283 ++++++++++++++++----- |
3.14.4/4450_grsec-kconfig-default-gids.patch | 12 +- |
3.14.4/4465_selinux-avc_audit-log-curr_ip.patch | 2 +- |
4 files changed, 228 insertions(+), 71 deletions(-) |
|
17 |
diff --git a/3.14.4/0000_README b/3.14.4/0000_README |
18 |
index 1ddd194..4203555 100644 |
19 |
--- a/3.14.4/0000_README |
20 |
+++ b/3.14.4/0000_README |
21 |
@@ -2,7 +2,7 @@ README |
22 |
----------------------------------------------------------------------------- |
23 |
Individual Patch Descriptions: |
24 |
----------------------------------------------------------------------------- |
25 |
-Patch: 4420_grsecurity-3.0-3.14.4-201405252047.patch |
26 |
+Patch: 4420_grsecurity-3.0-3.14.4-201405271114.patch |
27 |
From: http://www.grsecurity.net |
28 |
Desc: hardened-sources base patch from upstream grsecurity |
29 |
|
30 |
|
31 |
diff --git a/3.14.4/4420_grsecurity-3.0-3.14.4-201405252047.patch b/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch |
32 |
similarity index 99% |
33 |
rename from 3.14.4/4420_grsecurity-3.0-3.14.4-201405252047.patch |
34 |
rename to 3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch |
35 |
index f294dbc..3537db8 100644 |
36 |
--- a/3.14.4/4420_grsecurity-3.0-3.14.4-201405252047.patch |
37 |
+++ b/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch |
38 |
@@ -27813,7 +27813,7 @@ index 1c113db..287b42e 100644 |
39 |
static int trace_irq_vector_refcount; |
40 |
static DEFINE_MUTEX(irq_vector_mutex); |
41 |
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c |
42 |
-index 57409f6..e2c17e1 100644 |
43 |
+index 57409f6..b505597 100644 |
44 |
--- a/arch/x86/kernel/traps.c |
45 |
+++ b/arch/x86/kernel/traps.c |
46 |
@@ -66,7 +66,7 @@ |
47 |
@@ -27892,7 +27892,19 @@ index 57409f6..e2c17e1 100644 |
48 |
regs->ip, regs->sp, error_code); |
49 |
print_vma_addr(" in ", regs->ip); |
50 |
pr_cont("\n"); |
51 |
-@@ -273,7 +285,7 @@ do_general_protection(struct pt_regs *regs, long error_code) |
52 |
+@@ -251,6 +263,11 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) |
53 |
+ tsk->thread.error_code = error_code; |
54 |
+ tsk->thread.trap_nr = X86_TRAP_DF; |
55 |
+ |
56 |
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW |
57 |
++ if ((unsigned long)tsk->stack - regs->sp <= PAGE_SIZE) |
58 |
++ die("grsec: kernel stack overflow detected", regs, error_code); |
59 |
++#endif |
60 |
++ |
61 |
+ #ifdef CONFIG_DOUBLEFAULT |
62 |
+ df_debug(regs, error_code); |
63 |
+ #endif |
64 |
+@@ -273,7 +290,7 @@ do_general_protection(struct pt_regs *regs, long error_code) |
65 |
conditional_sti(regs); |
66 |
|
67 |
#ifdef CONFIG_X86_32 |
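Review bot: The new test in do_double_fault, `(unsigned long)tsk->stack - regs->sp <= PAGE_SIZE`, depends on unsigned wraparound to ignore any `regs->sp` that lies above the stack base, and fires only when the faulting stack pointer is at the base or up to one page below it; nothing in the hunk says so. I would add a comment such as `/* sp at or within one page below the stack base (presumably the guard page); unsigned wrap excludes sp inside the stack */`. A fault whose sp is already more than PAGE_SIZE below the base is not matched and falls through to the existing `df_debug()` path, which looks consistent with the Kconfig help leaving large single-step allocations to the STACKLEAK alloca checking, but that limit is worth stating next to the check. The function body starts and ends outside this hunk.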
68 |
@@ -27901,7 +27913,7 @@ index 57409f6..e2c17e1 100644 |
69 |
local_irq_enable(); |
70 |
handle_vm86_fault((struct kernel_vm86_regs *) regs, error_code); |
71 |
goto exit; |
72 |
-@@ -281,18 +293,42 @@ do_general_protection(struct pt_regs *regs, long error_code) |
73 |
+@@ -281,18 +298,42 @@ do_general_protection(struct pt_regs *regs, long error_code) |
74 |
#endif |
75 |
|
76 |
tsk = current; |
77 |
@@ -27946,7 +27958,7 @@ index 57409f6..e2c17e1 100644 |
78 |
tsk->thread.error_code = error_code; |
79 |
tsk->thread.trap_nr = X86_TRAP_GP; |
80 |
|
81 |
-@@ -453,7 +489,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) |
82 |
+@@ -453,7 +494,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) |
83 |
/* It's safe to allow irq's after DR6 has been saved */ |
84 |
preempt_conditional_sti(regs); |
85 |
|
86 |
@@ -27955,7 +27967,7 @@ index 57409f6..e2c17e1 100644 |
87 |
handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code, |
88 |
X86_TRAP_DB); |
89 |
preempt_conditional_cli(regs); |
90 |
-@@ -468,7 +504,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) |
91 |
+@@ -468,7 +509,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code) |
92 |
* We already checked v86 mode above, so we can check for kernel mode |
93 |
* by just checking the CPL of CS. |
94 |
*/ |
95 |
@@ -27964,7 +27976,7 @@ index 57409f6..e2c17e1 100644 |
96 |
tsk->thread.debugreg6 &= ~DR_STEP; |
97 |
set_tsk_thread_flag(tsk, TIF_SINGLESTEP); |
98 |
regs->flags &= ~X86_EFLAGS_TF; |
99 |
-@@ -500,7 +536,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) |
100 |
+@@ -500,7 +541,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr) |
101 |
return; |
102 |
conditional_sti(regs); |
103 |
|
104 |
@@ -58826,7 +58838,7 @@ index e4141f2..d8263e8 100644 |
105 |
i += packet_length_size; |
106 |
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) |
107 |
diff --git a/fs/exec.c b/fs/exec.c |
108 |
-index 3d78fcc..460e2a0 100644 |
109 |
+index 3d78fcc..cd4f983 100644 |
110 |
--- a/fs/exec.c |
111 |
+++ b/fs/exec.c |
112 |
@@ -55,8 +55,20 @@ |
113 |
@@ -59135,7 +59147,15 @@ index 3d78fcc..460e2a0 100644 |
114 |
set_fs(old_fs); |
115 |
return result; |
116 |
} |
117 |
-@@ -1258,7 +1336,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) |
118 |
+@@ -846,6 +924,7 @@ static int exec_mmap(struct mm_struct *mm) |
119 |
+ tsk->mm = mm; |
120 |
+ tsk->active_mm = mm; |
121 |
+ activate_mm(active_mm, mm); |
122 |
++ populate_stack(); |
123 |
+ task_unlock(tsk); |
124 |
+ if (old_mm) { |
125 |
+ up_read(&old_mm->mmap_sem); |
126 |
+@@ -1258,7 +1337,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) |
127 |
} |
128 |
rcu_read_unlock(); |
129 |
|
130 |
@@ -59144,7 +59164,7 @@ index 3d78fcc..460e2a0 100644 |
131 |
bprm->unsafe |= LSM_UNSAFE_SHARE; |
132 |
else |
133 |
p->fs->in_exec = 1; |
134 |
-@@ -1434,6 +1512,31 @@ static int exec_binprm(struct linux_binprm *bprm) |
135 |
+@@ -1434,6 +1513,31 @@ static int exec_binprm(struct linux_binprm *bprm) |
136 |
return ret; |
137 |
} |
138 |
|
139 |
@@ -59176,7 +59196,7 @@ index 3d78fcc..460e2a0 100644 |
140 |
/* |
141 |
* sys_execve() executes a new program. |
142 |
*/ |
143 |
-@@ -1441,6 +1544,11 @@ static int do_execve_common(struct filename *filename, |
144 |
+@@ -1441,6 +1545,11 @@ static int do_execve_common(struct filename *filename, |
145 |
struct user_arg_ptr argv, |
146 |
struct user_arg_ptr envp) |
147 |
{ |
148 |
@@ -59188,7 +59208,7 @@ index 3d78fcc..460e2a0 100644 |
149 |
struct linux_binprm *bprm; |
150 |
struct file *file; |
151 |
struct files_struct *displaced; |
152 |
-@@ -1449,6 +1557,8 @@ static int do_execve_common(struct filename *filename, |
153 |
+@@ -1449,6 +1558,8 @@ static int do_execve_common(struct filename *filename, |
154 |
if (IS_ERR(filename)) |
155 |
return PTR_ERR(filename); |
156 |
|
157 |
@@ -59197,7 +59217,7 @@ index 3d78fcc..460e2a0 100644 |
158 |
/* |
159 |
* We move the actual failure in case of RLIMIT_NPROC excess from |
160 |
* set*uid() to execve() because too many poorly written programs |
161 |
-@@ -1486,11 +1596,21 @@ static int do_execve_common(struct filename *filename, |
162 |
+@@ -1486,11 +1597,21 @@ static int do_execve_common(struct filename *filename, |
163 |
if (IS_ERR(file)) |
164 |
goto out_unmark; |
165 |
|
166 |
@@ -59219,7 +59239,7 @@ index 3d78fcc..460e2a0 100644 |
167 |
retval = bprm_mm_init(bprm); |
168 |
if (retval) |
169 |
goto out_unmark; |
170 |
-@@ -1507,24 +1627,70 @@ static int do_execve_common(struct filename *filename, |
171 |
+@@ -1507,24 +1628,70 @@ static int do_execve_common(struct filename *filename, |
172 |
if (retval < 0) |
173 |
goto out; |
174 |
|
175 |
@@ -59294,7 +59314,7 @@ index 3d78fcc..460e2a0 100644 |
176 |
current->fs->in_exec = 0; |
177 |
current->in_execve = 0; |
178 |
acct_update_integrals(current); |
179 |
-@@ -1535,6 +1701,14 @@ static int do_execve_common(struct filename *filename, |
180 |
+@@ -1535,6 +1702,14 @@ static int do_execve_common(struct filename *filename, |
181 |
put_files_struct(displaced); |
182 |
return retval; |
183 |
|
184 |
@@ -59309,7 +59329,7 @@ index 3d78fcc..460e2a0 100644 |
185 |
out: |
186 |
if (bprm->mm) { |
187 |
acct_arg_size(bprm, 0); |
188 |
-@@ -1626,3 +1800,296 @@ asmlinkage long compat_sys_execve(const char __user * filename, |
189 |
+@@ -1626,3 +1801,296 @@ asmlinkage long compat_sys_execve(const char __user * filename, |
190 |
return compat_do_execve(getname(filename), argv, envp); |
191 |
} |
192 |
#endif |
193 |
@@ -65953,10 +65973,10 @@ index bcfe612..aa399c0 100644 |
194 |
|
195 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
196 |
new file mode 100644 |
197 |
-index 0000000..3abaf02 |
198 |
+index 0000000..a14eb52 |
199 |
--- /dev/null |
200 |
+++ b/grsecurity/Kconfig |
201 |
-@@ -0,0 +1,1161 @@ |
202 |
+@@ -0,0 +1,1174 @@ |
203 |
+# |
204 |
+# grecurity configuration |
205 |
+# |
206 |
@@ -66095,6 +66115,19 @@ index 0000000..3abaf02 |
207 |
+ If you use PaX it is essential that you say Y here as it closes up |
208 |
+ several holes that make full ASLR useless locally. |
209 |
+ |
210 |
++ |
211 |
++config GRKERNSEC_KSTACKOVERFLOW |
212 |
++ bool "Prevent kernel stack overflows" |
213 |
++ default y if GRKERNSEC_CONFIG_AUTO |
214 |
++ depends on !IA64 && 64BIT |
215 |
++ help |
216 |
++ If you say Y here, the kernel's process stacks will be allocated |
217 |
++ with vmalloc instead of the kernel's default allocator. This |
218 |
++ introduces guard pages that in combination with the alloca checking |
219 |
++ of the STACKLEAK feature prevents all forms of kernel process stack |
220 |
++ overflow abuse. Note that this is different from kernel stack |
221 |
++ buffer overflows. |
222 |
++ |
223 |
+config GRKERNSEC_BRUTE |
224 |
+ bool "Deter exploit bruteforcing" |
225 |
+ default y if GRKERNSEC_CONFIG_AUTO |
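Review bot: The help text for GRKERNSEC_KSTACKOVERFLOW promises protection against "all forms of kernel process stack overflow abuse" only "in combination with the alloca checking of the STACKLEAK feature", yet the entry carries just `depends on !IA64 && 64BIT`, so the option can apparently be enabled without STACKLEAK. The help should state what is left uncovered in that configuration, for example `Without STACKLEAK, a single stack allocation larger than the guard page is not caught by this option alone.` It would also help to mention that task stacks then live in vmalloc space rather than the linear mapping (the kernel/fork.c part of this patch drops the `virt_to_page()`-based accounting, presumably for that reason), since that is the compatibility cost an administrator is accepting.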
226 |
@@ -82073,7 +82106,7 @@ index b66c211..13d2915 100644 |
227 |
static inline void anon_vma_merge(struct vm_area_struct *vma, |
228 |
struct vm_area_struct *next) |
229 |
diff --git a/include/linux/sched.h b/include/linux/sched.h |
230 |
-index a781dec..be1d2a3 100644 |
231 |
+index a781dec..2c03225 100644 |
232 |
--- a/include/linux/sched.h |
233 |
+++ b/include/linux/sched.h |
234 |
@@ -129,6 +129,7 @@ struct fs_struct; |
235 |
@@ -82309,7 +82342,33 @@ index a781dec..be1d2a3 100644 |
236 |
{ |
237 |
return tsk->pid; |
238 |
} |
239 |
-@@ -2112,7 +2223,9 @@ void yield(void); |
240 |
+@@ -1988,6 +2099,25 @@ extern u64 sched_clock_cpu(int cpu); |
241 |
+ |
242 |
+ extern void sched_clock_init(void); |
243 |
+ |
244 |
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW |
245 |
++static inline void populate_stack(void) |
246 |
++{ |
247 |
++ struct task_struct *curtask = current; |
248 |
++ int c; |
249 |
++ int *ptr = curtask->stack; |
250 |
++ int *end = curtask->stack + THREAD_SIZE; |
251 |
++ |
252 |
++ while (ptr < end) { |
253 |
++ c = *(volatile int *)ptr; |
254 |
++ ptr += PAGE_SIZE/sizeof(int); |
255 |
++ } |
256 |
++} |
257 |
++#else |
258 |
++static inline void populate_stack(void) |
259 |
++{ |
260 |
++} |
261 |
++#endif |
262 |
++ |
263 |
+ #ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK |
264 |
+ static inline void sched_clock_tick(void) |
265 |
+ { |
266 |
+@@ -2112,7 +2242,9 @@ void yield(void); |
267 |
extern struct exec_domain default_exec_domain; |
268 |
|
269 |
union thread_union { |
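Review bot: populate_stack() carries no comment explaining why one word per page of `current->stack` is read, and the local `c` is assigned but never read. I would drop `c` and write the access as `(void)*(volatile int *)ptr;`, and put a short comment above the function stating its purpose and which task's stack is meant. The purpose is presumably to ensure the vmalloc-backed stack is mapped in the page tables that were just switched to; the call sites added in exec_mmap, context_switch and idle_task_exit all follow an mm switch, and `current` at those points may not be the task a reader first assumes. The empty `#else` stub is fine as it is.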
270 |
@@ -82319,7 +82378,7 @@ index a781dec..be1d2a3 100644 |
271 |
unsigned long stack[THREAD_SIZE/sizeof(long)]; |
272 |
}; |
273 |
|
274 |
-@@ -2145,6 +2258,7 @@ extern struct pid_namespace init_pid_ns; |
275 |
+@@ -2145,6 +2277,7 @@ extern struct pid_namespace init_pid_ns; |
276 |
*/ |
277 |
|
278 |
extern struct task_struct *find_task_by_vpid(pid_t nr); |
279 |
@@ -82327,7 +82386,7 @@ index a781dec..be1d2a3 100644 |
280 |
extern struct task_struct *find_task_by_pid_ns(pid_t nr, |
281 |
struct pid_namespace *ns); |
282 |
|
283 |
-@@ -2307,7 +2421,7 @@ extern void __cleanup_sighand(struct sighand_struct *); |
284 |
+@@ -2307,7 +2440,7 @@ extern void __cleanup_sighand(struct sighand_struct *); |
285 |
extern void exit_itimers(struct signal_struct *); |
286 |
extern void flush_itimer_signals(void); |
287 |
|
288 |
@@ -82336,7 +82395,7 @@ index a781dec..be1d2a3 100644 |
289 |
|
290 |
extern int allow_signal(int); |
291 |
extern int disallow_signal(int); |
292 |
-@@ -2508,9 +2622,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) |
293 |
+@@ -2508,9 +2641,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) |
294 |
|
295 |
#endif |
296 |
|
297 |
@@ -83302,7 +83361,7 @@ index 502073a..a7de024 100644 |
298 |
#endif |
299 |
#endif /* _LINUX_VGA_SWITCHEROO_H_ */ |
300 |
diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h |
301 |
-index 4b8a891..cb8df6e 100644 |
302 |
+index 4b8a891..05f2361 100644 |
303 |
--- a/include/linux/vmalloc.h |
304 |
+++ b/include/linux/vmalloc.h |
305 |
@@ -16,6 +16,11 @@ struct vm_area_struct; /* vma defining user mapping in mm_types.h */ |
306 |
@@ -83317,7 +83376,15 @@ index 4b8a891..cb8df6e 100644 |
307 |
/* bits [20..32] reserved for arch specific ioremap internals */ |
308 |
|
309 |
/* |
310 |
-@@ -142,7 +147,7 @@ extern void free_vm_area(struct vm_struct *area); |
311 |
+@@ -72,6 +77,7 @@ extern void *vzalloc_node(unsigned long size, int node); |
312 |
+ extern void *vmalloc_exec(unsigned long size); |
313 |
+ extern void *vmalloc_32(unsigned long size); |
314 |
+ extern void *vmalloc_32_user(unsigned long size); |
315 |
++extern void *vmalloc_stack(int node); |
316 |
+ extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot); |
317 |
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align, |
318 |
+ unsigned long start, unsigned long end, gfp_t gfp_mask, |
319 |
+@@ -142,7 +148,7 @@ extern void free_vm_area(struct vm_struct *area); |
320 |
|
321 |
/* for /dev/kmem */ |
322 |
extern long vread(char *buf, char *addr, unsigned long count); |
323 |
@@ -86418,10 +86485,49 @@ index 81b3d67..ef189a4 100644 |
324 |
{ |
325 |
struct signal_struct *sig = current->signal; |
326 |
diff --git a/kernel/fork.c b/kernel/fork.c |
327 |
-index a17621c..b77fef8 100644 |
328 |
+index a17621c..d9e4b37 100644 |
329 |
--- a/kernel/fork.c |
330 |
+++ b/kernel/fork.c |
331 |
-@@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) |
332 |
+@@ -137,6 +137,18 @@ void __weak arch_release_thread_info(struct thread_info *ti) |
333 |
+ { |
334 |
+ } |
335 |
+ |
336 |
++#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW |
337 |
++static struct thread_info *alloc_thread_info_node(struct task_struct *tsk, |
338 |
++ int node) |
339 |
++{ |
340 |
++ return vmalloc_stack(node); |
341 |
++} |
342 |
++ |
343 |
++static inline void free_thread_info(struct thread_info *ti) |
344 |
++{ |
345 |
++ vfree(ti); |
346 |
++} |
347 |
++#else |
348 |
+ #ifndef CONFIG_ARCH_THREAD_INFO_ALLOCATOR |
349 |
+ |
350 |
+ /* |
351 |
+@@ -179,6 +191,7 @@ void thread_info_cache_init(void) |
352 |
+ } |
353 |
+ # endif |
354 |
+ #endif |
355 |
++#endif |
356 |
+ |
357 |
+ /* SLAB cache for signal_struct structures (tsk->signal) */ |
358 |
+ static struct kmem_cache *signal_cachep; |
359 |
+@@ -200,9 +213,11 @@ static struct kmem_cache *mm_cachep; |
360 |
+ |
361 |
+ static void account_kernel_stack(struct thread_info *ti, int account) |
362 |
+ { |
363 |
++#ifndef CONFIG_GRKERNSEC_KSTACKOVERFLOW |
364 |
+ struct zone *zone = page_zone(virt_to_page(ti)); |
365 |
+ |
366 |
+ mod_zone_page_state(zone, NR_KERNEL_STACK, account); |
367 |
++#endif |
368 |
+ } |
369 |
+ |
370 |
+ void free_task(struct task_struct *tsk) |
371 |
+@@ -319,7 +334,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) |
372 |
*stackend = STACK_END_MAGIC; /* for overflow detection */ |
373 |
|
374 |
#ifdef CONFIG_CC_STACKPROTECTOR |
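Review bot: With CONFIG_GRKERNSEC_KSTACKOVERFLOW set, account_kernel_stack() compiles to an empty body, so NR_KERNEL_STACK is never adjusted and anything that reports that counter stops reflecting kernel stack usage; the hunk gives no comment saying this is intended. If the accounting is dropped only because `virt_to_page(ti)` is not valid for a vmalloc address, `page_zone(vmalloc_to_page(ti))` would keep it, at least for the first page of the stack; otherwise a one-line comment inside the `#ifndef` noting that stacks are unaccounted under this option would do. Separately, free_thread_info() now calls `vfree(ti)`, and whether every path into free_task runs in a context where vfree is permitted cannot be seen from this hunk and is worth confirming.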
375 |
@@ -86430,7 +86536,7 @@ index a17621c..b77fef8 100644 |
376 |
#endif |
377 |
|
378 |
/* |
379 |
-@@ -345,12 +345,80 @@ free_tsk: |
380 |
+@@ -345,12 +360,80 @@ free_tsk: |
381 |
} |
382 |
|
383 |
#ifdef CONFIG_MMU |
384 |
@@ -86513,7 +86619,7 @@ index a17621c..b77fef8 100644 |
385 |
|
386 |
uprobe_start_dup_mmap(); |
387 |
down_write(&oldmm->mmap_sem); |
388 |
-@@ -379,55 +447,15 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) |
389 |
+@@ -379,55 +462,15 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) |
390 |
|
391 |
prev = NULL; |
392 |
for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) { |
393 |
@@ -86573,7 +86679,7 @@ index a17621c..b77fef8 100644 |
394 |
} |
395 |
|
396 |
/* |
397 |
-@@ -459,6 +487,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) |
398 |
+@@ -459,6 +502,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) |
399 |
if (retval) |
400 |
goto out; |
401 |
} |
402 |
@@ -86605,7 +86711,7 @@ index a17621c..b77fef8 100644 |
403 |
/* a new mm has just been created */ |
404 |
arch_dup_mmap(oldmm, mm); |
405 |
retval = 0; |
406 |
-@@ -468,14 +521,6 @@ out: |
407 |
+@@ -468,14 +536,6 @@ out: |
408 |
up_write(&oldmm->mmap_sem); |
409 |
uprobe_end_dup_mmap(); |
410 |
return retval; |
411 |
@@ -86620,7 +86726,7 @@ index a17621c..b77fef8 100644 |
412 |
} |
413 |
|
414 |
static inline int mm_alloc_pgd(struct mm_struct *mm) |
415 |
-@@ -689,8 +734,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) |
416 |
+@@ -689,8 +749,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) |
417 |
return ERR_PTR(err); |
418 |
|
419 |
mm = get_task_mm(task); |
420 |
@@ -86631,7 +86737,7 @@ index a17621c..b77fef8 100644 |
421 |
mmput(mm); |
422 |
mm = ERR_PTR(-EACCES); |
423 |
} |
424 |
-@@ -906,13 +951,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) |
425 |
+@@ -906,13 +966,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) |
426 |
spin_unlock(&fs->lock); |
427 |
return -EAGAIN; |
428 |
} |
429 |
@@ -86653,7 +86759,7 @@ index a17621c..b77fef8 100644 |
430 |
return 0; |
431 |
} |
432 |
|
433 |
-@@ -1130,7 +1182,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid) |
434 |
+@@ -1130,7 +1197,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid) |
435 |
* parts of the process environment (as per the clone |
436 |
* flags). The actual kick-off is left to the caller. |
437 |
*/ |
438 |
@@ -86662,7 +86768,7 @@ index a17621c..b77fef8 100644 |
439 |
unsigned long stack_start, |
440 |
unsigned long stack_size, |
441 |
int __user *child_tidptr, |
442 |
-@@ -1202,6 +1254,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, |
443 |
+@@ -1202,6 +1269,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, |
444 |
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); |
445 |
#endif |
446 |
retval = -EAGAIN; |
447 |
@@ -86672,7 +86778,7 @@ index a17621c..b77fef8 100644 |
448 |
if (atomic_read(&p->real_cred->user->processes) >= |
449 |
task_rlimit(p, RLIMIT_NPROC)) { |
450 |
if (p->real_cred->user != INIT_USER && |
451 |
-@@ -1449,6 +1504,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, |
452 |
+@@ -1449,6 +1519,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, |
453 |
goto bad_fork_free_pid; |
454 |
} |
455 |
|
456 |
@@ -86684,7 +86790,7 @@ index a17621c..b77fef8 100644 |
457 |
if (likely(p->pid)) { |
458 |
ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); |
459 |
|
460 |
-@@ -1537,6 +1597,8 @@ bad_fork_cleanup_count: |
461 |
+@@ -1537,6 +1612,8 @@ bad_fork_cleanup_count: |
462 |
bad_fork_free: |
463 |
free_task(p); |
464 |
fork_out: |
465 |
@@ -86693,7 +86799,7 @@ index a17621c..b77fef8 100644 |
466 |
return ERR_PTR(retval); |
467 |
} |
468 |
|
469 |
-@@ -1598,6 +1660,7 @@ long do_fork(unsigned long clone_flags, |
470 |
+@@ -1598,6 +1675,7 @@ long do_fork(unsigned long clone_flags, |
471 |
|
472 |
p = copy_process(clone_flags, stack_start, stack_size, |
473 |
child_tidptr, NULL, trace); |
474 |
@@ -86701,7 +86807,7 @@ index a17621c..b77fef8 100644 |
475 |
/* |
476 |
* Do this prior waking up the new thread - the thread pointer |
477 |
* might get invalid after that point, if the thread exits quickly. |
478 |
-@@ -1612,6 +1675,8 @@ long do_fork(unsigned long clone_flags, |
479 |
+@@ -1612,6 +1690,8 @@ long do_fork(unsigned long clone_flags, |
480 |
if (clone_flags & CLONE_PARENT_SETTID) |
481 |
put_user(nr, parent_tidptr); |
482 |
|
483 |
@@ -86710,7 +86816,7 @@ index a17621c..b77fef8 100644 |
484 |
if (clone_flags & CLONE_VFORK) { |
485 |
p->vfork_done = &vfork; |
486 |
init_completion(&vfork); |
487 |
-@@ -1728,7 +1793,7 @@ void __init proc_caches_init(void) |
488 |
+@@ -1728,7 +1808,7 @@ void __init proc_caches_init(void) |
489 |
mm_cachep = kmem_cache_create("mm_struct", |
490 |
sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, |
491 |
SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); |
492 |
@@ -86719,7 +86825,7 @@ index a17621c..b77fef8 100644 |
493 |
mmap_init(); |
494 |
nsproxy_cache_init(); |
495 |
} |
496 |
-@@ -1768,7 +1833,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) |
497 |
+@@ -1768,7 +1848,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) |
498 |
return 0; |
499 |
|
500 |
/* don't need lock here; in the worst case we'll do useless copy */ |
501 |
@@ -86728,7 +86834,7 @@ index a17621c..b77fef8 100644 |
502 |
return 0; |
503 |
|
504 |
*new_fsp = copy_fs_struct(fs); |
505 |
-@@ -1875,7 +1940,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) |
506 |
+@@ -1875,7 +1955,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) |
507 |
fs = current->fs; |
508 |
spin_lock(&fs->lock); |
509 |
current->fs = new_fs; |
510 |
@@ -89806,7 +89912,7 @@ index a63f4dc..349bbb0 100644 |
511 |
unsigned long timeout) |
512 |
{ |
513 |
diff --git a/kernel/sched/core.c b/kernel/sched/core.c |
514 |
-index f5c6635..ab9f223 100644 |
515 |
+index f5c6635..7133356 100644 |
516 |
--- a/kernel/sched/core.c |
517 |
+++ b/kernel/sched/core.c |
518 |
@@ -1775,7 +1775,7 @@ void set_numabalancing_state(bool enabled) |
519 |
@@ -89818,7 +89924,19 @@ index f5c6635..ab9f223 100644 |
520 |
int err; |
521 |
int state = numabalancing_enabled; |
522 |
|
523 |
-@@ -3049,6 +3049,8 @@ int can_nice(const struct task_struct *p, const int nice) |
524 |
+@@ -2251,8 +2251,10 @@ context_switch(struct rq *rq, struct task_struct *prev, |
525 |
+ next->active_mm = oldmm; |
526 |
+ atomic_inc(&oldmm->mm_count); |
527 |
+ enter_lazy_tlb(oldmm, next); |
528 |
+- } else |
529 |
++ } else { |
530 |
+ switch_mm(oldmm, mm, next); |
531 |
++ populate_stack(); |
532 |
++ } |
533 |
+ |
534 |
+ if (!prev->mm) { |
535 |
+ prev->active_mm = NULL; |
536 |
+@@ -3049,6 +3051,8 @@ int can_nice(const struct task_struct *p, const int nice) |
537 |
/* convert nice value [19,-20] to rlimit style value [1,40] */ |
538 |
int nice_rlim = 20 - nice; |
539 |
|
540 |
@@ -89827,7 +89945,7 @@ index f5c6635..ab9f223 100644 |
541 |
return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) || |
542 |
capable(CAP_SYS_NICE)); |
543 |
} |
544 |
-@@ -3082,7 +3084,8 @@ SYSCALL_DEFINE1(nice, int, increment) |
545 |
+@@ -3082,7 +3086,8 @@ SYSCALL_DEFINE1(nice, int, increment) |
546 |
if (nice > 19) |
547 |
nice = 19; |
548 |
|
549 |
@@ -89837,7 +89955,7 @@ index f5c6635..ab9f223 100644 |
550 |
return -EPERM; |
551 |
|
552 |
retval = security_task_setnice(current, nice); |
553 |
-@@ -3332,6 +3335,7 @@ recheck: |
554 |
+@@ -3332,6 +3337,7 @@ recheck: |
555 |
if (policy != p->policy && !rlim_rtprio) |
556 |
return -EPERM; |
557 |
|
558 |
@@ -89845,7 +89963,19 @@ index f5c6635..ab9f223 100644 |
559 |
/* can't increase priority */ |
560 |
if (attr->sched_priority > p->rt_priority && |
561 |
attr->sched_priority > rlim_rtprio) |
562 |
-@@ -4781,7 +4785,7 @@ static void migrate_tasks(unsigned int dead_cpu) |
563 |
+@@ -4702,8 +4708,10 @@ void idle_task_exit(void) |
564 |
+ |
565 |
+ BUG_ON(cpu_online(smp_processor_id())); |
566 |
+ |
567 |
+- if (mm != &init_mm) |
568 |
++ if (mm != &init_mm) { |
569 |
+ switch_mm(mm, &init_mm, current); |
570 |
++ populate_stack(); |
571 |
++ } |
572 |
+ mmdrop(mm); |
573 |
+ } |
574 |
+ |
575 |
+@@ -4781,7 +4789,7 @@ static void migrate_tasks(unsigned int dead_cpu) |
576 |
|
577 |
#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL) |
578 |
|
579 |
@@ -89854,7 +89984,7 @@ index f5c6635..ab9f223 100644 |
580 |
{ |
581 |
.procname = "sched_domain", |
582 |
.mode = 0555, |
583 |
-@@ -4798,17 +4802,17 @@ static struct ctl_table sd_ctl_root[] = { |
584 |
+@@ -4798,17 +4806,17 @@ static struct ctl_table sd_ctl_root[] = { |
585 |
{} |
586 |
}; |
587 |
|
588 |
@@ -89876,7 +90006,7 @@ index f5c6635..ab9f223 100644 |
589 |
|
590 |
/* |
591 |
* In the intermediate directories, both the child directory and |
592 |
-@@ -4816,22 +4820,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) |
593 |
+@@ -4816,22 +4824,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep) |
594 |
* will always be set. In the lowest directory the names are |
595 |
* static strings and all have proc handlers. |
596 |
*/ |
597 |
@@ -89908,7 +90038,7 @@ index f5c6635..ab9f223 100644 |
598 |
const char *procname, void *data, int maxlen, |
599 |
umode_t mode, proc_handler *proc_handler, |
600 |
bool load_idx) |
601 |
-@@ -4851,7 +4858,7 @@ set_table_entry(struct ctl_table *entry, |
602 |
+@@ -4851,7 +4862,7 @@ set_table_entry(struct ctl_table *entry, |
603 |
static struct ctl_table * |
604 |
sd_alloc_ctl_domain_table(struct sched_domain *sd) |
605 |
{ |
606 |
@@ -89917,7 +90047,7 @@ index f5c6635..ab9f223 100644 |
607 |
|
608 |
if (table == NULL) |
609 |
return NULL; |
610 |
-@@ -4886,9 +4893,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) |
611 |
+@@ -4886,9 +4897,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) |
612 |
return table; |
613 |
} |
614 |
|
615 |
@@ -89929,7 +90059,7 @@ index f5c6635..ab9f223 100644 |
616 |
struct sched_domain *sd; |
617 |
int domain_num = 0, i; |
618 |
char buf[32]; |
619 |
-@@ -4915,11 +4922,13 @@ static struct ctl_table_header *sd_sysctl_header; |
620 |
+@@ -4915,11 +4926,13 @@ static struct ctl_table_header *sd_sysctl_header; |
621 |
static void register_sched_domain_sysctl(void) |
622 |
{ |
623 |
int i, cpu_num = num_possible_cpus(); |
624 |
@@ -89944,7 +90074,7 @@ index f5c6635..ab9f223 100644 |
625 |
|
626 |
if (entry == NULL) |
627 |
return; |
628 |
-@@ -4942,8 +4951,12 @@ static void unregister_sched_domain_sysctl(void) |
629 |
+@@ -4942,8 +4955,12 @@ static void unregister_sched_domain_sysctl(void) |
630 |
if (sd_sysctl_header) |
631 |
unregister_sysctl_table(sd_sysctl_header); |
632 |
sd_sysctl_header = NULL; |
633 |
@@ -92241,10 +92371,24 @@ index 09d9591..165bb75 100644 |
634 |
bdi_destroy(bdi); |
635 |
return err; |
636 |
diff --git a/mm/filemap.c b/mm/filemap.c |
637 |
-index 7a13f6a..e52e841 100644 |
638 |
+index 7a13f6a..e31738b 100644 |
639 |
--- a/mm/filemap.c |
640 |
+++ b/mm/filemap.c |
641 |
-@@ -1766,7 +1766,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma) |
642 |
+@@ -192,9 +192,11 @@ static int filemap_check_errors(struct address_space *mapping) |
643 |
+ { |
644 |
+ int ret = 0; |
645 |
+ /* Check for outstanding write errors */ |
646 |
+- if (test_and_clear_bit(AS_ENOSPC, &mapping->flags)) |
647 |
++ if (test_bit(AS_ENOSPC, &mapping->flags) && |
648 |
++ test_and_clear_bit(AS_ENOSPC, &mapping->flags)) |
649 |
+ ret = -ENOSPC; |
650 |
+- if (test_and_clear_bit(AS_EIO, &mapping->flags)) |
651 |
++ if (test_bit(AS_EIO, &mapping->flags) && |
652 |
++ test_and_clear_bit(AS_EIO, &mapping->flags)) |
653 |
+ ret = -EIO; |
654 |
+ return ret; |
655 |
+ } |
656 |
+@@ -1766,7 +1768,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma) |
657 |
struct address_space *mapping = file->f_mapping; |
658 |
|
659 |
if (!mapping->a_ops->readpage) |
660 |
@@ -92253,7 +92397,7 @@ index 7a13f6a..e52e841 100644 |
661 |
file_accessed(file); |
662 |
vma->vm_ops = &generic_file_vm_ops; |
663 |
return 0; |
664 |
-@@ -1948,7 +1948,7 @@ static size_t __iovec_copy_from_user_inatomic(char *vaddr, |
665 |
+@@ -1948,7 +1950,7 @@ static size_t __iovec_copy_from_user_inatomic(char *vaddr, |
666 |
|
667 |
while (bytes) { |
668 |
char __user *buf = iov->iov_base + base; |
669 |
@@ -92262,7 +92406,7 @@ index 7a13f6a..e52e841 100644 |
670 |
|
671 |
base = 0; |
672 |
left = __copy_from_user_inatomic(vaddr, buf, copy); |
673 |
-@@ -1977,7 +1977,7 @@ size_t iov_iter_copy_from_user_atomic(struct page *page, |
674 |
+@@ -1977,7 +1979,7 @@ size_t iov_iter_copy_from_user_atomic(struct page *page, |
675 |
BUG_ON(!in_atomic()); |
676 |
kaddr = kmap_atomic(page); |
677 |
if (likely(i->nr_segs == 1)) { |
678 |
@@ -92271,7 +92415,7 @@ index 7a13f6a..e52e841 100644 |
679 |
char __user *buf = i->iov->iov_base + i->iov_offset; |
680 |
left = __copy_from_user_inatomic(kaddr + offset, buf, bytes); |
681 |
copied = bytes - left; |
682 |
-@@ -2005,7 +2005,7 @@ size_t iov_iter_copy_from_user(struct page *page, |
683 |
+@@ -2005,7 +2007,7 @@ size_t iov_iter_copy_from_user(struct page *page, |
684 |
|
685 |
kaddr = kmap(page); |
686 |
if (likely(i->nr_segs == 1)) { |
687 |
@@ -92280,7 +92424,7 @@ index 7a13f6a..e52e841 100644 |
688 |
char __user *buf = i->iov->iov_base + i->iov_offset; |
689 |
left = __copy_from_user(kaddr + offset, buf, bytes); |
690 |
copied = bytes - left; |
691 |
-@@ -2035,7 +2035,7 @@ void iov_iter_advance(struct iov_iter *i, size_t bytes) |
692 |
+@@ -2035,7 +2037,7 @@ void iov_iter_advance(struct iov_iter *i, size_t bytes) |
693 |
* zero-length segments (without overruning the iovec). |
694 |
*/ |
695 |
while (bytes || unlikely(i->count && !iov->iov_len)) { |
696 |
@@ -92289,7 +92433,7 @@ index 7a13f6a..e52e841 100644 |
697 |
|
698 |
copy = min(bytes, iov->iov_len - base); |
699 |
BUG_ON(!i->count || i->count < copy); |
700 |
-@@ -2106,6 +2106,7 @@ inline int generic_write_checks(struct file *file, loff_t *pos, size_t *count, i |
701 |
+@@ -2106,6 +2108,7 @@ inline int generic_write_checks(struct file *file, loff_t *pos, size_t *count, i |
702 |
*pos = i_size_read(inode); |
703 |
|
704 |
if (limit != RLIM_INFINITY) { |
705 |
@@ -96786,7 +96930,7 @@ index a24aa22..a0d41ae 100644 |
706 |
} |
707 |
#endif |
708 |
diff --git a/mm/vmalloc.c b/mm/vmalloc.c |
709 |
-index 0fdf968..d6686e8 100644 |
710 |
+index 0fdf968..2183ba3 100644 |
711 |
--- a/mm/vmalloc.c |
712 |
+++ b/mm/vmalloc.c |
713 |
@@ -59,8 +59,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end) |
714 |
@@ -96932,7 +97076,20 @@ index 0fdf968..d6686e8 100644 |
715 |
area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNINITIALIZED, |
716 |
start, end, node, gfp_mask, caller); |
717 |
if (!area) |
718 |
-@@ -1810,10 +1868,9 @@ EXPORT_SYMBOL(vzalloc_node); |
719 |
+@@ -1701,6 +1759,12 @@ static inline void *__vmalloc_node_flags(unsigned long size, |
720 |
+ node, __builtin_return_address(0)); |
721 |
+ } |
722 |
+ |
723 |
++void *vmalloc_stack(int node) |
724 |
++{ |
725 |
++ return __vmalloc_node(THREAD_SIZE, THREAD_SIZE, THREADINFO_GFP, PAGE_KERNEL, |
726 |
++ node, __builtin_return_address(0)); |
727 |
++} |
728 |
++ |
729 |
+ /** |
730 |
+ * vmalloc - allocate virtually contiguous memory |
731 |
+ * @size: allocation size |
732 |
+@@ -1810,10 +1874,9 @@ EXPORT_SYMBOL(vzalloc_node); |
733 |
* For tight control over page level allocator and protection flags |
734 |
* use __vmalloc() instead. |
735 |
*/ |
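Review bot: vmalloc_stack() has no kernel-doc block, unlike vmalloc() directly below it, and the reason THREAD_SIZE is passed as both size and alignment is not stated. I would add a short kernel-doc comment covering `@node`, the fact that it returns a THREAD_SIZE-sized, THREAD_SIZE-aligned PAGE_KERNEL mapping or NULL on failure, and that the caller releases it with vfree(). The definition (and its declaration in include/linux/vmalloc.h) is also built unconditionally, although the only caller visible in this patch sits under `#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW` in kernel/fork.c; wrapping both in the same `#ifdef` would keep the symbol out of kernels that do not use it.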
736 |
@@ -96944,7 +97101,7 @@ index 0fdf968..d6686e8 100644 |
737 |
NUMA_NO_NODE, __builtin_return_address(0)); |
738 |
} |
739 |
|
740 |
-@@ -2120,6 +2177,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr, |
741 |
+@@ -2120,6 +2183,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr, |
742 |
{ |
743 |
struct vm_struct *area; |
744 |
|
745 |
@@ -96953,7 +97110,7 @@ index 0fdf968..d6686e8 100644 |
746 |
size = PAGE_ALIGN(size); |
747 |
|
748 |
if (!PAGE_ALIGNED(uaddr) || !PAGE_ALIGNED(kaddr)) |
749 |
-@@ -2602,7 +2661,11 @@ static int s_show(struct seq_file *m, void *p) |
750 |
+@@ -2602,7 +2667,11 @@ static int s_show(struct seq_file *m, void *p) |
751 |
v->addr, v->addr + v->size, v->size); |
752 |
|
753 |
if (v->caller) |
754 |
|
755 |
diff --git a/3.14.4/4450_grsec-kconfig-default-gids.patch b/3.14.4/4450_grsec-kconfig-default-gids.patch |
756 |
index ed2968f..a965a27 100644 |
757 |
--- a/3.14.4/4450_grsec-kconfig-default-gids.patch |
758 |
+++ b/3.14.4/4450_grsec-kconfig-default-gids.patch |
759 |
@@ -16,7 +16,7 @@ from shooting themselves in the foot. |
760 |
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
761 |
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 |
762 |
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 |
763 |
-@@ -665,7 +665,7 @@ |
764 |
+@@ -678,7 +678,7 @@ |
765 |
config GRKERNSEC_AUDIT_GID |
766 |
int "GID for auditing" |
767 |
depends on GRKERNSEC_AUDIT_GROUP |
768 |
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
769 |
|
770 |
config GRKERNSEC_EXECLOG |
771 |
bool "Exec logging" |
772 |
-@@ -896,7 +896,7 @@ |
773 |
+@@ -909,7 +909,7 @@ |
774 |
config GRKERNSEC_TPE_UNTRUSTED_GID |
775 |
int "GID for TPE-untrusted users" |
776 |
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT |
777 |
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
778 |
help |
779 |
Setting this GID determines what group TPE restrictions will be |
780 |
*enabled* for. If the sysctl option is enabled, a sysctl option |
781 |
-@@ -905,7 +905,7 @@ |
782 |
+@@ -918,7 +918,7 @@ |
783 |
config GRKERNSEC_TPE_TRUSTED_GID |
784 |
int "GID for TPE-trusted users" |
785 |
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT |
786 |
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
787 |
help |
788 |
Setting this GID determines what group TPE restrictions will be |
789 |
*disabled* for. If the sysctl option is enabled, a sysctl option |
790 |
-@@ -998,7 +998,7 @@ |
791 |
+@@ -1011,7 +1011,7 @@ |
792 |
config GRKERNSEC_SOCKET_ALL_GID |
793 |
int "GID to deny all sockets for" |
794 |
depends on GRKERNSEC_SOCKET_ALL |
795 |
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
796 |
help |
797 |
Here you can choose the GID to disable socket access for. Remember to |
798 |
add the users you want socket access disabled for to the GID |
799 |
-@@ -1019,7 +1019,7 @@ |
800 |
+@@ -1032,7 +1032,7 @@ |
801 |
config GRKERNSEC_SOCKET_CLIENT_GID |
802 |
int "GID to deny client sockets for" |
803 |
depends on GRKERNSEC_SOCKET_CLIENT |
804 |
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
805 |
help |
806 |
Here you can choose the GID to disable client socket access for. |
807 |
Remember to add the users you want client socket access disabled for to |
808 |
-@@ -1037,7 +1037,7 @@ |
809 |
+@@ -1050,7 +1050,7 @@ |
810 |
config GRKERNSEC_SOCKET_SERVER_GID |
811 |
int "GID to deny server sockets for" |
812 |
depends on GRKERNSEC_SOCKET_SERVER |
813 |
|
814 |
diff --git a/3.14.4/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.4/4465_selinux-avc_audit-log-curr_ip.patch |
815 |
index aa90a6f..2765cdc 100644 |
816 |
--- a/3.14.4/4465_selinux-avc_audit-log-curr_ip.patch |
817 |
+++ b/3.14.4/4465_selinux-avc_audit-log-curr_ip.patch |
818 |
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org> |
819 |
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
820 |
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 |
821 |
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 |
822 |
-@@ -1132,6 +1132,27 @@ |
823 |
+@@ -1145,6 +1145,27 @@ |
824 |
menu "Logging Options" |
825 |
depends on GRKERNSEC |