commit: 42f2ed22cb151c6a136a4d39d9e973d36ec5d99b |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Thu May 29 21:54:31 2014 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Thu May 29 21:54:31 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=42f2ed22 |
|
Grsec/PaX: 3.0-{3.2.59,3.14.4}-201405281922 |
|
--- |
3.14.4/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.14.4-201405281922.patch} | 13 ++--- |
3.14.4/4425_grsec_remove_EI_PAX.patch | 2 +- |
3.14.4/4450_grsec-kconfig-default-gids.patch | 8 ++-- |
3.14.4/4475_emutramp_default_on.patch | 2 +- |
3.2.59/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.2.59-201405281920.patch} | 55 +++++++++++++--------- |
7 files changed, 47 insertions(+), 37 deletions(-) |
|
diff --git a/3.14.4/0000_README b/3.14.4/0000_README |
21 |
index 4203555..275b0d1 100644 |
22 |
--- a/3.14.4/0000_README |
23 |
+++ b/3.14.4/0000_README |
24 |
@@ -2,7 +2,7 @@ README |
25 |
----------------------------------------------------------------------------- |
26 |
Individual Patch Descriptions: |
27 |
----------------------------------------------------------------------------- |
28 |
-Patch: 4420_grsecurity-3.0-3.14.4-201405271114.patch |
29 |
+Patch: 4420_grsecurity-3.0-3.14.4-201405281922.patch |
30 |
From: http://www.grsecurity.net |
31 |
Desc: hardened-sources base patch from upstream grsecurity |
32 |
|
33 |
|
34 |
diff --git a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch |
35 |
similarity index 99% |
36 |
rename from 3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch |
37 |
rename to 3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch |
38 |
index 3537db8..c9100d1 100644 |
39 |
--- a/3.14.4/4420_grsecurity-3.0-3.14.4-201405271114.patch |
40 |
+++ b/3.14.4/4420_grsecurity-3.0-3.14.4-201405281922.patch |
41 |
@@ -58838,7 +58838,7 @@ index e4141f2..d8263e8 100644 |
42 |
i += packet_length_size; |
43 |
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) |
44 |
diff --git a/fs/exec.c b/fs/exec.c |
45 |
-index 3d78fcc..cd4f983 100644 |
46 |
+index 3d78fcc..122929d 100644 |
47 |
--- a/fs/exec.c |
48 |
+++ b/fs/exec.c |
49 |
@@ -55,8 +55,20 @@ |
50 |
@@ -59329,7 +59329,7 @@ index 3d78fcc..cd4f983 100644 |
51 |
out: |
52 |
if (bprm->mm) { |
53 |
acct_arg_size(bprm, 0); |
54 |
-@@ -1626,3 +1801,296 @@ asmlinkage long compat_sys_execve(const char __user * filename, |
55 |
+@@ -1626,3 +1801,298 @@ asmlinkage long compat_sys_execve(const char __user * filename, |
56 |
return compat_do_execve(getname(filename), argv, envp); |
57 |
} |
58 |
#endif |
59 |
@@ -59613,6 +59613,8 @@ index 3d78fcc..cd4f983 100644 |
60 |
+ if (sp < current_thread_info()->lowest_stack && |
61 |
+ sp > (unsigned long)task_stack_page(current)) |
62 |
+ current_thread_info()->lowest_stack = sp; |
63 |
++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16))) |
64 |
++ BUG(); |
65 |
+} |
66 |
+EXPORT_SYMBOL(pax_track_stack); |
67 |
+#endif |
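Review bot: The new guard `if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))` compares the THREAD_SIZE-aligned base of the stack rather than the stack pointer's offset within it, and since that base is a kernel virtual address it is never below THREAD_SIZE/16, so the BUG() on the next line looks unreachable as written. If the intent is to trap once sp has sunk into the bottom sixteenth of the thread stack, the mask should keep the low bits instead: `if (unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE/16)))`, which relies on thread stacks being THREAD_SIZE-aligned. Whichever form is intended, the threshold needs a one-line comment such as `/* sp in the lowest THREAD_SIZE/16 of the stack: overflow imminent, stop here */`, because nothing in the hunk explains why 1/16 was chosen or why BUG() rather than a warning is the right response. The body of pax_track_stack starts above this hunk.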
68 |
@@ -104215,10 +104217,10 @@ index 8fac3fd..32ff38d 100644 |
69 |
unsigned int secindex_strings; |
70 |
|
71 |
diff --git a/security/Kconfig b/security/Kconfig |
72 |
-index beb86b5..55198cd 100644 |
73 |
+index beb86b5..1ea5a01 100644 |
74 |
--- a/security/Kconfig |
75 |
+++ b/security/Kconfig |
76 |
-@@ -4,6 +4,961 @@ |
77 |
+@@ -4,6 +4,960 @@ |
78 |
|
79 |
menu "Security options" |
80 |
|
81 |
@@ -104255,7 +104257,6 @@ index beb86b5..55198cd 100644 |
82 |
+ select TTY |
83 |
+ select DEBUG_KERNEL |
84 |
+ select DEBUG_LIST |
85 |
-+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW |
86 |
+ help |
87 |
+ If you say Y here, you will be able to configure many features |
88 |
+ that will enhance the security of your system. It is highly |
89 |
@@ -105180,7 +105181,7 @@ index beb86b5..55198cd 100644 |
90 |
source security/keys/Kconfig |
91 |
|
92 |
config SECURITY_DMESG_RESTRICT |
93 |
-@@ -103,7 +1058,7 @@ config INTEL_TXT |
94 |
+@@ -103,7 +1057,7 @@ config INTEL_TXT |
95 |
config LSM_MMAP_MIN_ADDR |
96 |
int "Low address space for LSM to protect from user allocation" |
97 |
depends on SECURITY && SECURITY_SELINUX |
98 |
|
99 |
diff --git a/3.14.4/4425_grsec_remove_EI_PAX.patch b/3.14.4/4425_grsec_remove_EI_PAX.patch |
100 |
index 23631d1..fc51f79 100644 |
101 |
--- a/3.14.4/4425_grsec_remove_EI_PAX.patch |
102 |
+++ b/3.14.4/4425_grsec_remove_EI_PAX.patch |
103 |
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600 |
104 |
diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig |
105 |
--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500 |
106 |
+++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500 |
107 |
-@@ -269,7 +269,7 @@ |
108 |
+@@ -268,7 +268,7 @@ |
109 |
|
110 |
config PAX_EI_PAX |
111 |
bool 'Use legacy ELF header marking' |
112 |
|
113 |
diff --git a/3.14.4/4450_grsec-kconfig-default-gids.patch b/3.14.4/4450_grsec-kconfig-default-gids.patch |
114 |
index a965a27..19a4285 100644 |
115 |
--- a/3.14.4/4450_grsec-kconfig-default-gids.patch |
116 |
+++ b/3.14.4/4450_grsec-kconfig-default-gids.patch |
117 |
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
118 |
diff -Nuar a/security/Kconfig b/security/Kconfig |
119 |
--- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400 |
120 |
+++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400 |
121 |
-@@ -197,7 +197,7 @@ |
122 |
+@@ -196,7 +196,7 @@ |
123 |
|
124 |
config GRKERNSEC_PROC_GID |
125 |
int "GID exempted from /proc restrictions" |
126 |
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig |
127 |
help |
128 |
Setting this GID determines which group will be exempted from |
129 |
grsecurity's /proc restrictions, allowing users of the specified |
130 |
-@@ -208,7 +208,7 @@ |
131 |
+@@ -207,7 +207,7 @@ |
132 |
config GRKERNSEC_TPE_UNTRUSTED_GID |
133 |
int "GID for TPE-untrusted users" |
134 |
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT |
135 |
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig |
136 |
help |
137 |
Setting this GID determines which group untrusted users should |
138 |
be added to. These users will be placed under grsecurity's Trusted Path |
139 |
-@@ -220,7 +220,7 @@ |
140 |
+@@ -219,7 +219,7 @@ |
141 |
config GRKERNSEC_TPE_TRUSTED_GID |
142 |
int "GID for TPE-trusted users" |
143 |
depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT |
144 |
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig |
145 |
help |
146 |
Setting this GID determines what group TPE restrictions will be |
147 |
*disabled* for. If the sysctl option is enabled, a sysctl option |
148 |
-@@ -229,7 +229,7 @@ |
149 |
+@@ -228,7 +228,7 @@ |
150 |
config GRKERNSEC_SYMLINKOWN_GID |
151 |
int "GID for users with kernel-enforced SymlinksIfOwnerMatch" |
152 |
depends on GRKERNSEC_CONFIG_SERVER |
153 |
|
154 |
diff --git a/3.14.4/4475_emutramp_default_on.patch b/3.14.4/4475_emutramp_default_on.patch |
155 |
index 2c704b9..a453a5b 100644 |
156 |
--- a/3.14.4/4475_emutramp_default_on.patch |
157 |
+++ b/3.14.4/4475_emutramp_default_on.patch |
158 |
@@ -10,7 +10,7 @@ See bug: |
159 |
diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig |
160 |
--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 |
161 |
+++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 |
162 |
-@@ -429,7 +429,7 @@ |
163 |
+@@ -428,7 +428,7 @@ |
164 |
|
165 |
config PAX_EMUTRAMP |
166 |
bool "Emulate trampolines" |
167 |
|
168 |
diff --git a/3.2.59/0000_README b/3.2.59/0000_README |
169 |
index e328e8d..4d1e516 100644 |
170 |
--- a/3.2.59/0000_README |
171 |
+++ b/3.2.59/0000_README |
172 |
@@ -154,7 +154,7 @@ Patch: 1058_linux-3.2.59.patch |
173 |
From: http://www.kernel.org |
174 |
Desc: Linux 3.2.59 |
175 |
|
176 |
-Patch: 4420_grsecurity-3.0-3.2.59-201405252042.patch |
177 |
+Patch: 4420_grsecurity-3.0-3.2.59-201405281920.patch |
178 |
From: http://www.grsecurity.net |
179 |
Desc: hardened-sources base patch from upstream grsecurity |
180 |
|
181 |
|
182 |
diff --git a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch |
183 |
similarity index 99% |
184 |
rename from 3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch |
185 |
rename to 3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch |
186 |
index a27bb43..ae61f08 100644 |
187 |
--- a/3.2.59/4420_grsecurity-3.0-3.2.59-201405252042.patch |
188 |
+++ b/3.2.59/4420_grsecurity-3.0-3.2.59-201405281920.patch |
189 |
@@ -21377,7 +21377,7 @@ index 7209070..ada4d63 100644 |
190 |
* Shouldn't happen, we returned above if in_interrupt(): |
191 |
*/ |
192 |
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c |
193 |
-index 69bca46..fe78277 100644 |
194 |
+index 69bca46..1ac9a15 100644 |
195 |
--- a/arch/x86/kernel/irq_64.c |
196 |
+++ b/arch/x86/kernel/irq_64.c |
197 |
@@ -26,6 +26,8 @@ EXPORT_PER_CPU_SYMBOL(irq_stat); |
198 |
@@ -21389,7 +21389,7 @@ index 69bca46..fe78277 100644 |
199 |
/* |
200 |
* Probabilistic stack overflow check: |
201 |
* |
202 |
-@@ -38,7 +40,7 @@ static inline void stack_overflow_check(struct pt_regs *regs) |
203 |
+@@ -38,16 +40,16 @@ static inline void stack_overflow_check(struct pt_regs *regs) |
204 |
#ifdef CONFIG_DEBUG_STACKOVERFLOW |
205 |
u64 curbase = (u64)task_stack_page(current); |
206 |
|
207 |
@@ -21397,11 +21397,19 @@ index 69bca46..fe78277 100644 |
208 |
+ if (user_mode(regs)) |
209 |
return; |
210 |
|
211 |
- WARN_ONCE(regs->sp >= curbase && |
212 |
-@@ -48,6 +50,7 @@ static inline void stack_overflow_check(struct pt_regs *regs) |
213 |
- |
214 |
- "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n", |
215 |
- current->comm, curbase, regs->sp); |
216 |
+- WARN_ONCE(regs->sp >= curbase && |
217 |
+- regs->sp <= curbase + THREAD_SIZE && |
218 |
+- regs->sp < curbase + sizeof(struct thread_info) + |
219 |
+- sizeof(struct pt_regs) + 128, |
220 |
+- |
221 |
+- "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n", |
222 |
+- current->comm, curbase, regs->sp); |
223 |
++ if (regs->sp >= curbase + sizeof(struct thread_info) + |
224 |
++ sizeof(struct pt_regs) + 128 && |
225 |
++ regs->sp <= curbase + THREAD_SIZE) |
226 |
++ return; |
227 |
++ WARN_ONCE(1, "do_IRQ: %s near stack overflow (cur:%Lx,sp:%lx)\n", |
228 |
++ current->comm, curbase, regs->sp); |
229 |
+ gr_handle_kernel_exploit(); |
230 |
#endif |
231 |
} |
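Review bot: The rewritten guard drops the `regs->sp >= curbase` lower bound that the removed WARN_ONCE condition carried, so an interrupted context whose sp lies outside the current thread's stack entirely — which I would expect for a hard interrupt taken while the CPU is on the per-cpu IRQ stack running softirqs, or on an exception stack — now falls through to WARN_ONCE and then to `gr_handle_kernel_exploit()`, and the latter, unlike WARN_ONCE, is not one-shot and would act on the current task on every such interrupt. The old shape only flagged an sp that was inside [curbase, curbase + THREAD_SIZE] yet below the margin; to keep that meaning while retaining the early-return style, add `if (regs->sp < curbase || regs->sp > curbase + THREAD_SIZE) return;` ahead of the new range check, or whitelist the IRQ and exception stack ranges explicitly as later upstream versions of this function do, if I recall correctly. A short comment on the margin, e.g. `/* room for thread_info, one pt_regs frame and 128 bytes of slack */`, would also help since the constant is otherwise unexplained. stack_overflow_check's definition begins above this hunk.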
232 |
@@ -56716,7 +56724,7 @@ index 451b9b8..12e5a03 100644 |
233 |
|
234 |
out_free_fd: |
235 |
diff --git a/fs/exec.c b/fs/exec.c |
236 |
-index 78199eb..80dac79 100644 |
237 |
+index 78199eb..125722f 100644 |
238 |
--- a/fs/exec.c |
239 |
+++ b/fs/exec.c |
240 |
@@ -55,12 +55,35 @@ |
241 |
@@ -57329,7 +57337,7 @@ index 78199eb..80dac79 100644 |
242 |
cn->corename = kmalloc(cn->size, GFP_KERNEL); |
243 |
cn->used = 0; |
244 |
|
245 |
-@@ -1833,6 +2016,293 @@ out: |
246 |
+@@ -1833,6 +2016,295 @@ out: |
247 |
return ispipe; |
248 |
} |
249 |
|
250 |
@@ -57606,6 +57614,8 @@ index 78199eb..80dac79 100644 |
251 |
+ if (sp < current_thread_info()->lowest_stack && |
252 |
+ sp > (unsigned long)task_stack_page(current)) |
253 |
+ current_thread_info()->lowest_stack = sp; |
254 |
++ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16))) |
255 |
++ BUG(); |
256 |
+} |
257 |
+EXPORT_SYMBOL(pax_track_stack); |
258 |
+#endif |
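Review bot: The added check `if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))` masks sp down to the THREAD_SIZE-aligned stack base, which as a kernel virtual address can never be smaller than THREAD_SIZE/16, so the BUG() it guards appears dead as written. Keeping the low bits, `if (unlikely((sp & (THREAD_SIZE - 1)) < (THREAD_SIZE/16)))`, would test the offset of sp within the (THREAD_SIZE-aligned) stack, which is presumably what a near-overflow trap wants. Please also add a comment stating the intent and the choice of 1/16, e.g. `/* sp has descended into the lowest THREAD_SIZE/16 of the stack: treat as an overflow in progress */`, since the hunk gives no rationale for the threshold or for BUG() over a warning. pax_track_stack's definition starts above this hunk.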
259 |
@@ -57623,7 +57633,7 @@ index 78199eb..80dac79 100644 |
260 |
static int zap_process(struct task_struct *start, int exit_code) |
261 |
{ |
262 |
struct task_struct *t; |
263 |
-@@ -2006,17 +2476,17 @@ static void coredump_finish(struct mm_struct *mm) |
264 |
+@@ -2006,17 +2478,17 @@ static void coredump_finish(struct mm_struct *mm) |
265 |
void set_dumpable(struct mm_struct *mm, int value) |
266 |
{ |
267 |
switch (value) { |
268 |
@@ -57644,7 +57654,7 @@ index 78199eb..80dac79 100644 |
269 |
set_bit(MMF_DUMP_SECURELY, &mm->flags); |
270 |
smp_wmb(); |
271 |
set_bit(MMF_DUMPABLE, &mm->flags); |
272 |
-@@ -2029,7 +2499,7 @@ static int __get_dumpable(unsigned long mm_flags) |
273 |
+@@ -2029,7 +2501,7 @@ static int __get_dumpable(unsigned long mm_flags) |
274 |
int ret; |
275 |
|
276 |
ret = mm_flags & MMF_DUMPABLE_MASK; |
277 |
@@ -57653,7 +57663,7 @@ index 78199eb..80dac79 100644 |
278 |
} |
279 |
|
280 |
/* |
281 |
-@@ -2050,17 +2520,17 @@ static void wait_for_dump_helpers(struct file *file) |
282 |
+@@ -2050,17 +2522,17 @@ static void wait_for_dump_helpers(struct file *file) |
283 |
pipe = file->f_path.dentry->d_inode->i_pipe; |
284 |
|
285 |
pipe_lock(pipe); |
286 |
@@ -57676,7 +57686,7 @@ index 78199eb..80dac79 100644 |
287 |
pipe_unlock(pipe); |
288 |
|
289 |
} |
290 |
-@@ -2121,7 +2591,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
291 |
+@@ -2121,7 +2593,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
292 |
int retval = 0; |
293 |
int flag = 0; |
294 |
int ispipe; |
295 |
@@ -57686,7 +57696,7 @@ index 78199eb..80dac79 100644 |
296 |
struct coredump_params cprm = { |
297 |
.signr = signr, |
298 |
.regs = regs, |
299 |
-@@ -2136,6 +2607,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
300 |
+@@ -2136,6 +2609,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
301 |
|
302 |
audit_core_dumps(signr); |
303 |
|
304 |
@@ -57696,7 +57706,7 @@ index 78199eb..80dac79 100644 |
305 |
binfmt = mm->binfmt; |
306 |
if (!binfmt || !binfmt->core_dump) |
307 |
goto fail; |
308 |
-@@ -2146,14 +2620,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
309 |
+@@ -2146,14 +2622,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
310 |
if (!cred) |
311 |
goto fail; |
312 |
/* |
313 |
@@ -57717,7 +57727,7 @@ index 78199eb..80dac79 100644 |
314 |
} |
315 |
|
316 |
retval = coredump_wait(exit_code, &core_state); |
317 |
-@@ -2203,7 +2679,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
318 |
+@@ -2203,7 +2681,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
319 |
} |
320 |
cprm.limit = RLIM_INFINITY; |
321 |
|
322 |
@@ -57726,7 +57736,7 @@ index 78199eb..80dac79 100644 |
323 |
if (core_pipe_limit && (core_pipe_limit < dump_count)) { |
324 |
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", |
325 |
task_tgid_vnr(current), current->comm); |
326 |
-@@ -2230,9 +2706,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
327 |
+@@ -2230,9 +2708,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) |
328 |
} else { |
329 |
struct inode *inode; |
330 |
|
331 |
@@ -57746,7 +57756,7 @@ index 78199eb..80dac79 100644 |
332 |
cprm.file = filp_open(cn.corename, |
333 |
O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, |
334 |
0600); |
335 |
-@@ -2273,7 +2759,7 @@ close_fail: |
336 |
+@@ -2273,7 +2761,7 @@ close_fail: |
337 |
filp_close(cprm.file, NULL); |
338 |
fail_dropcount: |
339 |
if (ispipe) |
340 |
@@ -57755,7 +57765,7 @@ index 78199eb..80dac79 100644 |
341 |
fail_unlock: |
342 |
kfree(cn.corename); |
343 |
fail_corename: |
344 |
-@@ -2292,7 +2778,7 @@ fail: |
345 |
+@@ -2292,7 +2780,7 @@ fail: |
346 |
*/ |
347 |
int dump_write(struct file *file, const void *addr, int nr) |
348 |
{ |
349 |
@@ -106824,10 +106834,10 @@ index 38f6617..e70b72b 100755 |
350 |
|
351 |
exuberant() |
352 |
diff --git a/security/Kconfig b/security/Kconfig |
353 |
-index 51bd5a0..f75fbf0 100644 |
354 |
+index 51bd5a0..d4191c5 100644 |
355 |
--- a/security/Kconfig |
356 |
+++ b/security/Kconfig |
357 |
-@@ -4,6 +4,956 @@ |
358 |
+@@ -4,6 +4,955 @@ |
359 |
|
360 |
menu "Security options" |
361 |
|
362 |
@@ -106863,7 +106873,6 @@ index 51bd5a0..f75fbf0 100644 |
363 |
+ select STOP_MACHINE |
364 |
+ select DEBUG_KERNEL |
365 |
+ select DEBUG_LIST |
366 |
-+ select DEBUG_STACKOVERFLOW if HAVE_DEBUG_STACKOVERFLOW |
367 |
+ help |
368 |
+ If you say Y here, you will be able to configure many features |
369 |
+ that will enhance the security of your system. It is highly |
370 |
@@ -107784,7 +107793,7 @@ index 51bd5a0..f75fbf0 100644 |
371 |
config KEYS |
372 |
bool "Enable access key retention support" |
373 |
help |
374 |
-@@ -169,7 +1119,7 @@ config INTEL_TXT |
375 |
+@@ -169,7 +1118,7 @@ config INTEL_TXT |
376 |
config LSM_MMAP_MIN_ADDR |
377 |
int "Low address space for LSM to protect from user allocation" |
378 |
depends on SECURITY && SECURITY_SELINUX |