
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.4/
Date: Tue, 07 Feb 2012 23:41:33
Message-Id: 857b85562ea0d3b6d3011f743cfa70fcd2a73ebc.blueness@gentoo
1 commit: 857b85562ea0d3b6d3011f743cfa70fcd2a73ebc
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Mon Feb 6 23:14:55 2012 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 6 23:14:55 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=857b8556
7
8 Grsec/PaX: 2.2.2-2.6.32.56-201202051926 + 2.2.2-3.2.4-201202051927
9
10 ---
11 2.6.32/0000_README | 2 +-
12 ..._grsecurity-2.2.2-2.6.32.56-201202051926.patch} | 56 +++++++++++++++----
13 3.2.4/0000_README | 2 +-
14 ...4420_grsecurity-2.2.2-3.2.4-201202051927.patch} | 56 +++++++++++++++----
15 4 files changed, 90 insertions(+), 26 deletions(-)
16
17 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
18 index cb858f1..6a881db 100644
19 --- a/2.6.32/0000_README
20 +++ b/2.6.32/0000_README
21 @@ -18,7 +18,7 @@ Patch: 1055_linux-2.6.32.56.patch
22 From: http://www.kernel.org
23 Desc: Linux 2.6.32.56
24
25 -Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
26 +Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
27 From: http://www.grsecurity.net
28 Desc: hardened-sources base patch from upstream grsecurity
29
30
31 diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
32 similarity index 99%
33 rename from 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
34 rename to 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
35 index c0e9b3a..b3de8e3 100644
36 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
37 +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
38 @@ -64705,7 +64705,7 @@ index 0000000..0dc13c3
39 +EXPORT_SYMBOL(gr_log_timechange);
40 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
41 new file mode 100644
42 -index 0000000..a35ba33
43 +index 0000000..07e0dc0
44 --- /dev/null
45 +++ b/grsecurity/grsec_tpe.c
46 @@ -0,0 +1,73 @@
47 @@ -64756,7 +64756,7 @@ index 0000000..a35ba33
48 + msg2 = "file in group-writable directory";
49 +
50 + if (msg && msg2) {
51 -+ char fullmsg[64] = {0};
52 ++ char fullmsg[70] = {0};
53 + snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
54 + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
55 + return 0;
56 @@ -67139,7 +67139,7 @@ index 0000000..3826b91
57 +#endif
58 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
59 new file mode 100644
60 -index 0000000..b3347e2
61 +index 0000000..7f62b30
62 --- /dev/null
63 +++ b/include/linux/grmsg.h
64 @@ -0,0 +1,109 @@
65 @@ -67177,7 +67177,7 @@ index 0000000..b3347e2
66 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
67 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
68 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
69 -+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
70 ++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
71 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
72 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
73 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
74 @@ -67254,10 +67254,10 @@ index 0000000..b3347e2
75 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
76 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
77 new file mode 100644
78 -index 0000000..ebba836
79 +index 0000000..c597c46
80 --- /dev/null
81 +++ b/include/linux/grsecurity.h
82 -@@ -0,0 +1,223 @@
83 +@@ -0,0 +1,217 @@
84 +#ifndef GR_SECURITY_H
85 +#define GR_SECURITY_H
86 +#include <linux/fs.h>
87 @@ -67273,12 +67273,6 @@ index 0000000..ebba836
88 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
89 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
90 +#endif
91 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
92 -+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
93 -+#endif
94 -+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
95 -+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
96 -+#endif
97 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
98 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
99 +#endif
100 @@ -69462,6 +69456,44 @@ index a8cc4e1..98d3b85 100644
101 u32 val;
102 u32 flags;
103 u32 bitset;
104 +diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h
105 +index 1eb44a9..f582df3 100644
106 +--- a/include/linux/tracehook.h
107 ++++ b/include/linux/tracehook.h
108 +@@ -69,12 +69,12 @@ static inline int tracehook_expect_breakpoints(struct task_struct *task)
109 + /*
110 + * ptrace report for syscall entry and exit looks identical.
111 + */
112 +-static inline void ptrace_report_syscall(struct pt_regs *regs)
113 ++static inline int ptrace_report_syscall(struct pt_regs *regs)
114 + {
115 + int ptrace = task_ptrace(current);
116 +
117 + if (!(ptrace & PT_PTRACED))
118 +- return;
119 ++ return 0;
120 +
121 + ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0));
122 +
123 +@@ -87,6 +87,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
124 + send_sig(current->exit_code, current, 1);
125 + current->exit_code = 0;
126 + }
127 ++
128 ++ return fatal_signal_pending(current);
129 + }
130 +
131 + /**
132 +@@ -111,8 +113,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
133 + static inline __must_check int tracehook_report_syscall_entry(
134 + struct pt_regs *regs)
135 + {
136 +- ptrace_report_syscall(regs);
137 +- return 0;
138 ++ return ptrace_report_syscall(regs);
139 + }
140 +
141 + /**
142 diff --git a/include/linux/tty.h b/include/linux/tty.h
143 index e9c57e9..ee6d489 100644
144 --- a/include/linux/tty.h
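Review bot: The snprintf in the `char fullmsg[70]` hunk still drops one character, because it passes `sizeof(fullmsg)-1` as the size: snprintf already reserves the last byte for the NUL, so a 70-byte buffer called with size 69 emits at most 68 characters, and a combined "<msg> and <msg2>" that needs the full 69 (msg2 alone, `"file in group-writable directory"`, is 32 characters, plus 5 for `" and "`) loses its final character in the logged reason. Use the whole buffer, `snprintf(fullmsg, sizeof(fullmsg), "%s and %s", msg, msg2);`, which also lines up with the `%.70s` width now given to GR_EXEC_TPE_MSG in the grmsg.h hunk. The enclosing function in grsec_tpe.c starts and ends outside the hunk, so the longest value `msg` can take is not visible here; if it is also 32 characters the buffer is exactly filled and the off-by-one is hit on every denial that sets both messages. The same two lines recur in the 3.2.4 copy of the patch (the `-+ char fullmsg[64]` hunk under 4420_grsecurity-2.2.2-3.2.4-201202051927.patch), so the fix applies there too.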
145
146 diff --git a/3.2.4/0000_README b/3.2.4/0000_README
147 index 39e914d..285da06 100644
148 --- a/3.2.4/0000_README
149 +++ b/3.2.4/0000_README
150 @@ -10,7 +10,7 @@ Patch: 1003_linux-3.2.4.patch
151 From: http://www.kernel.org
152 Desc: Linux 3.2.4
153
154 -Patch: 4420_grsecurity-2.2.2-3.2.4-201202032052.patch
155 +Patch: 4420_grsecurity-2.2.2-3.2.4-201202051927.patch
156 From: http://www.grsecurity.net
157 Desc: hardened-sources base patch from upstream grsecurity
158
159
160 diff --git a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
161 similarity index 99%
162 rename from 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
163 rename to 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
164 index 9b95205..b2dcf41 100644
165 --- a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
166 +++ b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
167 @@ -56770,7 +56770,7 @@ index 0000000..0dc13c3
168 +EXPORT_SYMBOL(gr_log_timechange);
169 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
170 new file mode 100644
171 -index 0000000..a35ba33
172 +index 0000000..07e0dc0
173 --- /dev/null
174 +++ b/grsecurity/grsec_tpe.c
175 @@ -0,0 +1,73 @@
176 @@ -56821,7 +56821,7 @@ index 0000000..a35ba33
177 + msg2 = "file in group-writable directory";
178 +
179 + if (msg && msg2) {
180 -+ char fullmsg[64] = {0};
181 ++ char fullmsg[70] = {0};
182 + snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
183 + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
184 + return 0;
185 @@ -58870,7 +58870,7 @@ index 0000000..da390f1
186 +#endif
187 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
188 new file mode 100644
189 -index 0000000..b3347e2
190 +index 0000000..7f62b30
191 --- /dev/null
192 +++ b/include/linux/grmsg.h
193 @@ -0,0 +1,109 @@
194 @@ -58908,7 +58908,7 @@ index 0000000..b3347e2
195 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
196 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
197 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
198 -+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
199 ++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
200 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
201 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
202 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
203 @@ -58985,10 +58985,10 @@ index 0000000..b3347e2
204 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
205 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
206 new file mode 100644
207 -index 0000000..eb4885f
208 +index 0000000..cb9f1c1
209 --- /dev/null
210 +++ b/include/linux/grsecurity.h
211 -@@ -0,0 +1,233 @@
212 +@@ -0,0 +1,227 @@
213 +#ifndef GR_SECURITY_H
214 +#define GR_SECURITY_H
215 +#include <linux/fs.h>
216 @@ -59003,12 +59003,6 @@ index 0000000..eb4885f
217 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
218 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
219 +#endif
220 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
221 -+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
222 -+#endif
223 -+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
224 -+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
225 -+#endif
226 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
227 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
228 +#endif
229 @@ -60895,6 +60889,44 @@ index 703cfa3..0b8ca72ac 100644
230 extern int proc_dointvec(struct ctl_table *, int,
231 void __user *, size_t *, loff_t *);
232 extern int proc_dointvec_minmax(struct ctl_table *, int,
233 +diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h
234 +index a71a292..51bd91d 100644
235 +--- a/include/linux/tracehook.h
236 ++++ b/include/linux/tracehook.h
237 +@@ -54,12 +54,12 @@ struct linux_binprm;
238 + /*
239 + * ptrace report for syscall entry and exit looks identical.
240 + */
241 +-static inline void ptrace_report_syscall(struct pt_regs *regs)
242 ++static inline int ptrace_report_syscall(struct pt_regs *regs)
243 + {
244 + int ptrace = current->ptrace;
245 +
246 + if (!(ptrace & PT_PTRACED))
247 +- return;
248 ++ return 0;
249 +
250 + ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0));
251 +
252 +@@ -72,6 +72,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
253 + send_sig(current->exit_code, current, 1);
254 + current->exit_code = 0;
255 + }
256 ++
257 ++ return fatal_signal_pending(current);
258 + }
259 +
260 + /**
261 +@@ -96,8 +98,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
262 + static inline __must_check int tracehook_report_syscall_entry(
263 + struct pt_regs *regs)
264 + {
265 +- ptrace_report_syscall(regs);
266 +- return 0;
267 ++ return ptrace_report_syscall(regs);
268 + }
269 +
270 + /**
271 diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h
272 index ff7dc08..893e1bd 100644
273 --- a/include/linux/tty_ldisc.h
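Review bot: `ptrace_report_syscall` in the tracehook.h hunk now returns an int, but the comment above it (`ptrace report for syscall entry and exit looks identical.`) still reads as for a void helper and says nothing about the new return value. I would extend it with `Returns non-zero when a fatal signal is pending after the ptrace stop, so tracehook_report_syscall_entry can tell the arch entry code to skip the syscall.` — the second half is an inference from `tracehook_report_syscall_entry` now returning the value under its `__must_check` annotation, so confirm it against the arch callers before wording it as fact. The exit-side caller that the comment alludes to is outside the hunk, so whether it handles (or deliberately ignores) the new return cannot be checked here. The same hunk appears in the 2.6.32 copy of the patch (the tracehook.h hunk at index 1eb44a9..f582df3), which needs the same comment.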