commit: 857b85562ea0d3b6d3011f743cfa70fcd2a73ebc |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Mon Feb 6 23:14:55 2012 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 6 23:14:55 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=857b8556 |
|
Grsec/PaX: 2.2.2-2.6.32.56-201202051926 + 2.2.2-3.2.4-201202051927 |
|
--- |
2.6.32/0000_README | 2 +- |
..._grsecurity-2.2.2-2.6.32.56-201202051926.patch} | 56 +++++++++++++++---- |
3.2.4/0000_README | 2 +- |
...4420_grsecurity-2.2.2-3.2.4-201202051927.patch} | 56 +++++++++++++++---- |
4 files changed, 90 insertions(+), 26 deletions(-) |
|
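diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index cb858f1..6a881db 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -18,7 +18,7 @@ Patch: 1055_linux-2.6.32.56.patch
 From: http://www.kernel.org
 Desc: Linux 2.6.32.56
 
-Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 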
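diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
rename to 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
index c0e9b3a..b3de8e3 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
@@ -64705,7 +64705,7 @@ index 0000000..0dc13c3
 +EXPORT_SYMBOL(gr_log_timechange);
 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
 new file mode 100644
-index 0000000..a35ba33
+index 0000000..07e0dc0
 --- /dev/null
 +++ b/grsecurity/grsec_tpe.c
 @@ -0,0 +1,73 @@
@@ -64756,7 +64756,7 @@ index 0000000..a35ba33
 + msg2 = "file in group-writable directory";
 +
 + if (msg && msg2) {
-+ char fullmsg[64] = {0};
++ char fullmsg[70] = {0};
 + snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
 + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
 + return 0;
@@ -67139,7 +67139,7 @@ index 0000000..3826b91
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..b3347e2
+index 0000000..7f62b30
 --- /dev/null
 +++ b/include/linux/grmsg.h
 @@ -0,0 +1,109 @@
@@ -67177,7 +67177,7 @@ index 0000000..b3347e2
 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
-+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
@@ -67254,10 +67254,10 @@ index 0000000..b3347e2
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..ebba836
+index 0000000..c597c46
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,217 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -67273,12 +67273,6 @@ index 0000000..ebba836
 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
 +#endif
-+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
-+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
 +#endif
@@ -69462,6 +69456,44 @@ index a8cc4e1..98d3b85 100644
 u32 val;
 u32 flags;
 u32 bitset;
+diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h
+index 1eb44a9..f582df3 100644
+--- a/include/linux/tracehook.h
++++ b/include/linux/tracehook.h
+@@ -69,12 +69,12 @@ static inline int tracehook_expect_breakpoints(struct task_struct *task)
+ /*
+ * ptrace report for syscall entry and exit looks identical.
+ */
+-static inline void ptrace_report_syscall(struct pt_regs *regs)
++static inline int ptrace_report_syscall(struct pt_regs *regs)
+ {
+ int ptrace = task_ptrace(current);
+
+ if (!(ptrace & PT_PTRACED))
+- return;
++ return 0;
+
+ ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0));
+
+@@ -87,6 +87,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ send_sig(current->exit_code, current, 1);
+ current->exit_code = 0;
+ }
++
++ return fatal_signal_pending(current);
+ }
+
+ /**
+@@ -111,8 +113,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ static inline __must_check int tracehook_report_syscall_entry(
+ struct pt_regs *regs)
+ {
+- ptrace_report_syscall(regs);
+- return 0;
++ return ptrace_report_syscall(regs);
+ }
+
+ /**
 diff --git a/include/linux/tty.h b/include/linux/tty.h
 index e9c57e9..ee6d489 100644
 --- a/include/linux/tty.h
 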
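Review bot: The new contract of `ptrace_report_syscall` in the tracehook.h hunk is undocumented: it now returns `fatal_signal_pending(current)` and `tracehook_report_syscall_entry` passes that straight through, but the only comment above it still says just that the entry and exit reports look identical, so a reader has no statement of what a nonzero return means. I would add above the function `/* Returns nonzero if a fatal signal is pending after the ptrace stop; the caller must then skip the syscall rather than run it. */`. Whether the arch-level callers of `tracehook_report_syscall_entry` act on the nonzero value is outside this hunk, and `__must_check` only warns when the value is dropped, so that is worth confirming, as is any other caller of `ptrace_report_syscall` (the exit-side report, if it exists) that now silently discards an int. The same tracehook.h change is applied again in the 3.2.4 patch below, where this note applies equally.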
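diff --git a/3.2.4/0000_README b/3.2.4/0000_README
index 39e914d..285da06 100644
--- a/3.2.4/0000_README
+++ b/3.2.4/0000_README
@@ -10,7 +10,7 @@ Patch: 1003_linux-3.2.4.patch
 From: http://www.kernel.org
 Desc: Linux 3.2.4
 
-Patch: 4420_grsecurity-2.2.2-3.2.4-201202032052.patch
+Patch: 4420_grsecurity-2.2.2-3.2.4-201202051927.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 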
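diff --git a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
similarity index 99%
rename from 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
rename to 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
index 9b95205..b2dcf41 100644
--- a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
+++ b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
@@ -56770,7 +56770,7 @@ index 0000000..0dc13c3
 +EXPORT_SYMBOL(gr_log_timechange);
 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
 new file mode 100644
-index 0000000..a35ba33
+index 0000000..07e0dc0
 --- /dev/null
 +++ b/grsecurity/grsec_tpe.c
 @@ -0,0 +1,73 @@
@@ -56821,7 +56821,7 @@ index 0000000..a35ba33
 + msg2 = "file in group-writable directory";
 +
 + if (msg && msg2) {
-+ char fullmsg[64] = {0};
++ char fullmsg[70] = {0};
 + snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
 + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
 + return 0;
@@ -58870,7 +58870,7 @@ index 0000000..da390f1
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..b3347e2
+index 0000000..7f62b30
 --- /dev/null
 +++ b/include/linux/grmsg.h
 @@ -0,0 +1,109 @@
@@ -58908,7 +58908,7 @@ index 0000000..b3347e2
 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
-+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
@@ -58985,10 +58985,10 @@ index 0000000..b3347e2
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..eb4885f
+index 0000000..cb9f1c1
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,233 @@
+@@ -0,0 +1,227 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -59003,12 +59003,6 @@ index 0000000..eb4885f
 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
 +#endif
-+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
-+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
 +#endif
@@ -60895,6 +60889,44 @@ index 703cfa3..0b8ca72ac 100644
 extern int proc_dointvec(struct ctl_table *, int,
 void __user *, size_t *, loff_t *);
 extern int proc_dointvec_minmax(struct ctl_table *, int,
+diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h
+index a71a292..51bd91d 100644
+--- a/include/linux/tracehook.h
++++ b/include/linux/tracehook.h
+@@ -54,12 +54,12 @@ struct linux_binprm;
+ /*
+ * ptrace report for syscall entry and exit looks identical.
+ */
+-static inline void ptrace_report_syscall(struct pt_regs *regs)
++static inline int ptrace_report_syscall(struct pt_regs *regs)
+ {
+ int ptrace = current->ptrace;
+
+ if (!(ptrace & PT_PTRACED))
+- return;
++ return 0;
+
+ ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0));
+
+@@ -72,6 +72,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ send_sig(current->exit_code, current, 1);
+ current->exit_code = 0;
+ }
++
++ return fatal_signal_pending(current);
+ }
+
+ /**
+@@ -96,8 +98,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ static inline __must_check int tracehook_report_syscall_entry(
+ struct pt_regs *regs)
+ {
+- ptrace_report_syscall(regs);
+- return 0;
++ return ptrace_report_syscall(regs);
+ }
+
+ /**
 diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h
 index ff7dc08..893e1bd 100644
 --- a/include/linux/tty_ldisc.h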
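Review bot: The grsec_tpe.c hunk bumps `char fullmsg[70]` and the grmsg.h hunk bumps `%.70s` in GR_EXEC_TPE_MSG as two hand-kept copies of the same limit; the old 64 presumably truncated `"<msg> and file in group-writable directory"`, and the next time a reason string is lengthened the log line will silently truncate again rather than fail at build time. A single named constant used for both the array size and the format precision, e.g. `#define GR_TPE_REASON_LEN 70` (constructed name), would keep them in step, and `snprintf(fullmsg, sizeof(fullmsg), "%s and %s", msg, msg2);` can drop the `-1` since snprintf always NUL-terminates, recovering the byte the `{0}` initializer currently reserves. The hunk shows only the tail of the `if (msg && msg2)` block; the enclosing function and the definition of `msg` are outside it. The identical change is made in the 2.6.32 patch above.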