Gentoo Archives: gentoo-commits

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.53/, 3.12.6/
Date: Fri, 27 Dec 2013 14:52:55
Message-Id: 1388155965.c21d30c5844b0da4014a5bc2619aff7f87106fd2.blueness@gentoo
1 commit: c21d30c5844b0da4014a5bc2619aff7f87106fd2
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Fri Dec 27 14:52:45 2013 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Fri Dec 27 14:52:45 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=c21d30c5
7
8 Grsec/PaX: 3.0-{2.6.32,3.2.53,3.12.6}-201312262020
9
10 ---
11 2.6.32/0000_README | 2 +-
12 ..._grsecurity-2.9.1-2.6.32.61-201312262018.patch} | 139 ++++++++++-----------
13 3.12.6/0000_README | 2 +-
14 ... 4420_grsecurity-3.0-3.12.6-201312262020.patch} | 134 +++++++++-----------
15 3.2.53/0000_README | 2 +-
16 ... 4420_grsecurity-3.0-3.2.53-201312262018.patch} | 37 +++---
17 6 files changed, 147 insertions(+), 169 deletions(-)
18
19 diff --git a/2.6.32/0000_README b/2.6.32/0000_README
20 index 92be49f..88db1be 100644
21 --- a/2.6.32/0000_README
22 +++ b/2.6.32/0000_README
23 @@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
24 From: http://www.kernel.org
25 Desc: Linux 2.6.32.61
26
27 -Patch: 4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch
28 +Patch: 4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
29 From: http://www.grsecurity.net
30 Desc: hardened-sources base patch from upstream grsecurity
31
32
33 diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
34 similarity index 99%
35 rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch
36 rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
37 index 01a0f17..46790bb 100644
38 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch
39 +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
40 @@ -1,16 +1,3 @@
41 - .|,
42 - -*-
43 - '/'\`
44 - /`'o\
45 - /#,o'`\
46 - o/`"#,`\o
47 - /`o``"#,\
48 - o/#,`'o'`\o
49 - /o`"#,`',o\
50 - o`-._`"#_.-'o
51 - _|"|_
52 - \=%=/ hjw
53 - """
54 diff --git a/Documentation/dontdiff b/Documentation/dontdiff
55 index e1efc40..3569a2f 100644
56 --- a/Documentation/dontdiff
57 @@ -62459,57 +62446,57 @@ index 0000000..c7ed692
58 --- /dev/null
59 +++ b/drivers/net/benet/version.h
60 @@ -0,0 +1,51 @@
61 -+#define STR_BE_BRANCH "0"
62 -+#define STR_BE_BUILD "479"
63 -+#define STR_BE_DOT "0"
64 -+#define STR_BE_MINOR "0"
65 -+#define STR_BE_MAJOR "4"
66 -+
67 -+#define BE_BRANCH 0
68 -+#define BE_BUILD 479
69 -+#define BE_DOT 0
70 -+#define BE_MINOR 0
71 -+#define BE_MAJOR 4
72 -+
73 -+#define MGMT_BRANCH 0
74 -+#define MGMT_BUILDNUM 479
75 -+#define MGMT_MINOR 0
76 -+#define MGMT_MAJOR 4
77 -+
78 -+#define BE_REDBOOT_VERSION "2.0.5.0"
79 -+
80 -+//start-auto
81 -+#define BUILD_MONTH "12"
82 -+#define BUILD_MONTH_NAME "December"
83 -+#define BUILD_DAY "6"
84 -+#define BUILD_YEAR "2011"
85 -+#define BUILD_24HOUR "21"
86 -+#define BUILD_12HOUR "9"
87 -+#define BUILD_AM_PM "PM"
88 -+#define BUILD_MIN "48"
89 -+#define BUILD_SEC "05"
90 -+#define BUILD_MONTH_NUMBER 12
91 -+#define BUILD_DAY_NUMBER 6
92 -+#define BUILD_YEAR_NUMBER 2011
93 -+#define BUILD_24HOUR_NUMBER 21
94 -+#define BUILD_12HOUR_NUMBER 9
95 -+#define BUILD_MIN_NUMBER 48
96 -+#define BUILD_SEC_NUMBER 5
97 -+#undef MAJOR_BUILD
98 -+#undef MINOR_BUILD
99 -+#undef DOT_BUILD
100 -+#define NUMBERED_BUILD
101 -+#undef BRANCH_BUILD
102 -+//end-auto
103 -+
104 -+#define ELX_FCOE_XROM_BIOS_VER "7.03a1"
105 -+#define ELX_FCoE_X86_VER "4.02a1"
106 -+#define ELX_FCoE_EFI_VER "5.01a1"
107 -+#define ELX_FCoE_FCODE_VER "4.01a0"
108 -+#define ELX_PXE_BIOS_VER "3.00a5"
109 -+#define ELX_UEFI_NIC_VER "2.10A10"
110 -+#define ELX_UEFI_FCODE_VER "1.10A0"
111 -+#define ELX_ISCSI_BIOS_VER "1.00A8"
112 ++#define STR_BE_BRANCH "0"
113 ++#define STR_BE_BUILD "479"
114 ++#define STR_BE_DOT "0"
115 ++#define STR_BE_MINOR "0"
116 ++#define STR_BE_MAJOR "4"
117 ++
118 ++#define BE_BRANCH 0
119 ++#define BE_BUILD 479
120 ++#define BE_DOT 0
121 ++#define BE_MINOR 0
122 ++#define BE_MAJOR 4
123 ++
124 ++#define MGMT_BRANCH 0
125 ++#define MGMT_BUILDNUM 479
126 ++#define MGMT_MINOR 0
127 ++#define MGMT_MAJOR 4
128 ++
129 ++#define BE_REDBOOT_VERSION "2.0.5.0"
130 ++
131 ++//start-auto
132 ++#define BUILD_MONTH "12"
133 ++#define BUILD_MONTH_NAME "December"
134 ++#define BUILD_DAY "6"
135 ++#define BUILD_YEAR "2011"
136 ++#define BUILD_24HOUR "21"
137 ++#define BUILD_12HOUR "9"
138 ++#define BUILD_AM_PM "PM"
139 ++#define BUILD_MIN "48"
140 ++#define BUILD_SEC "05"
141 ++#define BUILD_MONTH_NUMBER 12
142 ++#define BUILD_DAY_NUMBER 6
143 ++#define BUILD_YEAR_NUMBER 2011
144 ++#define BUILD_24HOUR_NUMBER 21
145 ++#define BUILD_12HOUR_NUMBER 9
146 ++#define BUILD_MIN_NUMBER 48
147 ++#define BUILD_SEC_NUMBER 5
148 ++#undef MAJOR_BUILD
149 ++#undef MINOR_BUILD
150 ++#undef DOT_BUILD
151 ++#define NUMBERED_BUILD
152 ++#undef BRANCH_BUILD
153 ++//end-auto
154 ++
155 ++#define ELX_FCOE_XROM_BIOS_VER "7.03a1"
156 ++#define ELX_FCoE_X86_VER "4.02a1"
157 ++#define ELX_FCoE_EFI_VER "5.01a1"
158 ++#define ELX_FCoE_FCODE_VER "4.01a0"
159 ++#define ELX_PXE_BIOS_VER "3.00a5"
160 ++#define ELX_UEFI_NIC_VER "2.10A10"
161 ++#define ELX_UEFI_FCODE_VER "1.10A0"
162 ++#define ELX_ISCSI_BIOS_VER "1.00A8"
163 diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
164 index 4874b2b..67f8526 100644
165 --- a/drivers/net/bnx2.c
166 @@ -85982,10 +85969,10 @@ index e89734e..5e84d8d 100644
167 return 0;
168 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
169 new file mode 100644
170 -index 0000000..105b285
171 +index 0000000..9712ce3
172 --- /dev/null
173 +++ b/grsecurity/Kconfig
174 -@@ -0,0 +1,1050 @@
175 +@@ -0,0 +1,1055 @@
176 +#
177 +# grecurity configuration
178 +#
179 @@ -86355,7 +86342,12 @@ index 0000000..105b285
180 + This option acts independently of grsec_lock: once it is set to 1,
181 + it cannot be turned off. Therefore, please be mindful of the resulting
182 + behavior if this option is enabled in an init script on a read-only
183 -+ filesystem. This feature is mainly intended for secure embedded systems.
184 ++ filesystem.
185 ++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
186 ++ and GRKERNSEC_IO should be enabled and module loading disabled via
187 ++ config or at runtime.
188 ++ This feature is mainly intended for secure embedded systems.
189 ++
190 +
191 +config GRKERNSEC_DEVICE_SIDECHANNEL
192 + bool "Eliminate stat/notify-based device sidechannels"
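Review bot: The requirement added to this help text is advisory only, because nothing visible in the hunk makes the option select or depend on GRKERNSEC_KMEM and GRKERNSEC_IO. A kernel can therefore be configured with this option on and the protections the text calls for off. If the symbols allow it on every architecture, `select GRKERNSEC_KMEM` and `select GRKERNSEC_IO` under the config entry would enforce the config-time part; module loading can be restricted at runtime, so that part reasonably stays in prose. The added `++` line followed by the existing `+` line also leaves two blank lines before the next `config` entry. The config entry's header is outside the hunk, so its existing depends/select lines cannot be checked here; the same text is added in the Kconfig hunks of the 3.12.6 and 3.2.53 patches.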
193 @@ -87087,7 +87079,7 @@ index 0000000..b0b77d5
194 +endif
195 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
196 new file mode 100644
197 -index 0000000..1276b13
198 +index 0000000..a24562a
199 --- /dev/null
200 +++ b/grsecurity/gracl.c
201 @@ -0,0 +1,4309 @@
202 @@ -87390,7 +87382,7 @@ index 0000000..1276b13
203 +gr_handle_rawio(const struct inode *inode)
204 +{
205 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
206 -+ if (inode && S_ISBLK(inode->i_mode) &&
207 ++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
208 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
209 + !capable(CAP_SYS_RAWIO))
210 + return 1;
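Review bot: The raw-device test added to the `if` in gr_handle_rawio() is spelled out inline and repeated verbatim in gr_handle_rofs_blockwrite() (grsec_mount.c), so the two checks can drift apart when the set of covered devices next changes. A shared helper in a grsecurity header, for example `static inline int gr_is_raw_dev(const struct inode *inode)` returning `S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)`, would keep them in step and shorten the line. RAW_MAJOR comes from linux/major.h, which the grsec_mount.c hunk includes explicitly; no such include is visible for gracl.c, so it presumably arrives through another header and is worth confirming. The function starts and ends outside the hunk, and the same line is changed in the gracl.c hunks of the 3.12.6 and 3.2.53 patches.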
211 @@ -95245,13 +95237,14 @@ index 0000000..f536303
212 +}
213 diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
214 new file mode 100644
215 -index 0000000..2131422
216 +index 0000000..cd9e124
217 --- /dev/null
218 +++ b/grsecurity/grsec_mount.c
219 -@@ -0,0 +1,62 @@
220 +@@ -0,0 +1,65 @@
221 +#include <linux/kernel.h>
222 +#include <linux/sched.h>
223 +#include <linux/mount.h>
224 ++#include <linux/major.h>
225 +#include <linux/grsecurity.h>
226 +#include <linux/grinternal.h>
227 +
228 @@ -95302,8 +95295,10 @@ index 0000000..2131422
229 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
230 +{
231 +#ifdef CONFIG_GRKERNSEC_ROFS
232 ++ struct inode *inode = dentry->d_inode;
233 ++
234 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
235 -+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
236 ++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
237 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
238 + return -EPERM;
239 + } else
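Review bot: Writes to raw character devices are now denied through the same branch as block devices, so they are logged with GR_ROFS_BLOCKWRITE_MSG; if that message (defined outside this hunk) says "block device", the audit record will misdescribe what was opened. Either word the message neutrally or put a comment such as `/* also covers raw character devices (RAW_MAJOR) bound to block devices */` above the condition, so that readers of the log and of the code know both cases land here. The check is keyed to a single major number; whether other character devices that give direct access to storage need the same handling cannot be judged from these lines. The function's opening and its `else` branch lie outside the hunk, and the same change appears in the grsec_mount.c hunks of the 3.12.6 and 3.2.53 patches.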
240
241 diff --git a/3.12.6/0000_README b/3.12.6/0000_README
242 index 6c77b46..55926d8 100644
243 --- a/3.12.6/0000_README
244 +++ b/3.12.6/0000_README
245 @@ -2,7 +2,7 @@ README
246 -----------------------------------------------------------------------------
247 Individual Patch Descriptions:
248 -----------------------------------------------------------------------------
249 -Patch: 4420_grsecurity-3.0-3.12.6-201312251834.patch
250 +Patch: 4420_grsecurity-3.0-3.12.6-201312262020.patch
251 From: http://www.grsecurity.net
252 Desc: hardened-sources base patch from upstream grsecurity
253
254
255 diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
256 similarity index 99%
257 rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch
258 rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
259 index 8e02776..639a445 100644
260 --- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch
261 +++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
262 @@ -1,16 +1,3 @@
263 - .|,
264 - -*-
265 - '/'\`
266 - /`'o\
267 - /#,o'`\
268 - o/`"#,`\o
269 - /`o``"#,\
270 - o/#,`'o'`\o
271 - /o`"#,`',o\
272 - o`-._`"#_.-'o
273 - _|"|_
274 - \=%=/ hjw
275 - """
276 diff --git a/Documentation/dontdiff b/Documentation/dontdiff
277 index b89a739..79768fb 100644
278 --- a/Documentation/dontdiff
279 @@ -53580,7 +53567,7 @@ index 89dec7f..361b0d75 100644
280 fd_offset + ex.a_text);
281 if (error != N_DATADDR(ex)) {
282 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
283 -index 4c94a79..228e9da 100644
284 +index 4c94a79..2610454 100644
285 --- a/fs/binfmt_elf.c
286 +++ b/fs/binfmt_elf.c
287 @@ -34,6 +34,7 @@
288 @@ -53749,7 +53736,7 @@ index 4c94a79..228e9da 100644
289 }
290
291 error = load_addr;
292 -@@ -538,6 +569,322 @@ out:
293 +@@ -538,6 +569,315 @@ out:
294 return error;
295 }
296
297 @@ -53983,41 +53970,34 @@ index 4c94a79..228e9da 100644
298 + unsigned long pax_flags_hardmode = 0UL, pax_flags_softmode = 0UL;
299 +
300 + xattr_size = pax_getxattr(file->f_path.dentry, xattr_value, sizeof xattr_value);
301 -+ switch (xattr_size) {
302 -+ default:
303 ++ if (xattr_size <= 0 || xattr_size > sizeof xattr_value)
304 + return ~0UL;
305 +
306 -+ case -ENODATA:
307 -+ break;
308 -+
309 -+ case 0 ... sizeof xattr_value:
310 -+ for (i = 0; i < xattr_size; i++)
311 -+ switch (xattr_value[i]) {
312 -+ default:
313 -+ return ~0UL;
314 -+
315 -+#define parse_flag(option1, option2, flag) \
316 -+ case option1: \
317 -+ if (pax_flags_hardmode & MF_PAX_##flag) \
318 -+ return ~0UL; \
319 -+ pax_flags_hardmode |= MF_PAX_##flag; \
320 -+ break; \
321 -+ case option2: \
322 -+ if (pax_flags_softmode & MF_PAX_##flag) \
323 -+ return ~0UL; \
324 -+ pax_flags_softmode |= MF_PAX_##flag; \
325 -+ break;
326 ++ for (i = 0; i < xattr_size; i++)
327 ++ switch (xattr_value[i]) {
328 ++ default:
329 ++ return ~0UL;
330 ++
331 ++#define parse_flag(option1, option2, flag) \
332 ++ case option1: \
333 ++ if (pax_flags_hardmode & MF_PAX_##flag) \
334 ++ return ~0UL; \
335 ++ pax_flags_hardmode |= MF_PAX_##flag; \
336 ++ break; \
337 ++ case option2: \
338 ++ if (pax_flags_softmode & MF_PAX_##flag) \
339 ++ return ~0UL; \
340 ++ pax_flags_softmode |= MF_PAX_##flag; \
341 ++ break;
342 +
343 -+ parse_flag('p', 'P', PAGEEXEC);
344 -+ parse_flag('e', 'E', EMUTRAMP);
345 -+ parse_flag('m', 'M', MPROTECT);
346 -+ parse_flag('r', 'R', RANDMMAP);
347 -+ parse_flag('s', 'S', SEGMEXEC);
348 ++ parse_flag('p', 'P', PAGEEXEC);
349 ++ parse_flag('e', 'E', EMUTRAMP);
350 ++ parse_flag('m', 'M', MPROTECT);
351 ++ parse_flag('r', 'R', RANDMMAP);
352 ++ parse_flag('s', 'S', SEGMEXEC);
353 +
354 +#undef parse_flag
355 -+ }
356 -+ break;
357 -+ }
358 ++ }
359 +
360 + if (pax_flags_hardmode & pax_flags_softmode)
361 + return ~0UL;
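Review bot: The replacement `if (xattr_size <= 0 || xattr_size > sizeof xattr_value)` folds three different results of pax_getxattr() into the same `~0UL` return: attribute absent (-ENODATA, which previously fell through with no flags set), attribute empty, and any other error. Nothing on these lines says what `~0UL` means to the caller. A comment above the check, such as `/* ~0UL: no usable PaX xattr (absent, empty, unreadable or oversized); caller falls back to its other flag sources */`, would record the intent, with the second half confirmed against the caller, which is outside the hunk. The unbraced `for` that wraps a multi-line `switch` containing the parse_flag macro definition would be safer to edit with braces around the loop body. xattr_size and i are declared outside the hunk, so their signedness in the comparison with `sizeof xattr_value` cannot be checked here.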
362 @@ -54072,7 +54052,7 @@ index 4c94a79..228e9da 100644
363 /*
364 * These are the functions used to load ELF style executables and shared
365 * libraries. There is no binary dependent code anywhere else.
366 -@@ -554,6 +901,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
367 +@@ -554,6 +894,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
368 {
369 unsigned int random_variable = 0;
370
371 @@ -54084,7 +54064,7 @@ index 4c94a79..228e9da 100644
372 if ((current->flags & PF_RANDOMIZE) &&
373 !(current->personality & ADDR_NO_RANDOMIZE)) {
374 random_variable = get_random_int() & STACK_RND_MASK;
375 -@@ -572,7 +924,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
376 +@@ -572,7 +917,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
377 unsigned long load_addr = 0, load_bias = 0;
378 int load_addr_set = 0;
379 char * elf_interpreter = NULL;
380 @@ -54093,7 +54073,7 @@ index 4c94a79..228e9da 100644
381 struct elf_phdr *elf_ppnt, *elf_phdata;
382 unsigned long elf_bss, elf_brk;
383 int retval, i;
384 -@@ -582,12 +934,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
385 +@@ -582,12 +927,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
386 unsigned long start_code, end_code, start_data, end_data;
387 unsigned long reloc_func_desc __maybe_unused = 0;
388 int executable_stack = EXSTACK_DEFAULT;
389 @@ -54107,7 +54087,7 @@ index 4c94a79..228e9da 100644
390
391 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
392 if (!loc) {
393 -@@ -723,11 +1075,82 @@ static int load_elf_binary(struct linux_binprm *bprm)
394 +@@ -723,11 +1068,82 @@ static int load_elf_binary(struct linux_binprm *bprm)
395 goto out_free_dentry;
396
397 /* OK, This is the point of no return */
398 @@ -54191,7 +54171,7 @@ index 4c94a79..228e9da 100644
399 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
400 current->personality |= READ_IMPLIES_EXEC;
401
402 -@@ -817,6 +1240,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
403 +@@ -817,6 +1233,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
404 #else
405 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
406 #endif
407 @@ -54212,7 +54192,7 @@ index 4c94a79..228e9da 100644
408 }
409
410 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
411 -@@ -849,9 +1286,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
412 +@@ -849,9 +1279,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
413 * allowed task size. Note that p_filesz must always be
414 * <= p_memsz so it is only necessary to check p_memsz.
415 */
416 @@ -54225,7 +54205,7 @@ index 4c94a79..228e9da 100644
417 /* set_brk can never work. Avoid overflows. */
418 send_sig(SIGKILL, current, 0);
419 retval = -EINVAL;
420 -@@ -890,17 +1327,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
421 +@@ -890,17 +1320,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
422 goto out_free_dentry;
423 }
424 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
425 @@ -54277,7 +54257,7 @@ index 4c94a79..228e9da 100644
426 load_bias);
427 if (!IS_ERR((void *)elf_entry)) {
428 /*
429 -@@ -1122,7 +1587,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
430 +@@ -1122,7 +1580,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
431 * Decide what to dump of a segment, part, all or none.
432 */
433 static unsigned long vma_dump_size(struct vm_area_struct *vma,
434 @@ -54286,7 +54266,7 @@ index 4c94a79..228e9da 100644
435 {
436 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
437
438 -@@ -1160,7 +1625,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
439 +@@ -1160,7 +1618,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
440 if (vma->vm_file == NULL)
441 return 0;
442
443 @@ -54295,7 +54275,7 @@ index 4c94a79..228e9da 100644
444 goto whole;
445
446 /*
447 -@@ -1385,9 +1850,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
448 +@@ -1385,9 +1843,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
449 {
450 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
451 int i = 0;
452 @@ -54307,7 +54287,7 @@ index 4c94a79..228e9da 100644
453 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
454 }
455
456 -@@ -1396,7 +1861,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
457 +@@ -1396,7 +1854,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
458 {
459 mm_segment_t old_fs = get_fs();
460 set_fs(KERNEL_DS);
461 @@ -54316,7 +54296,7 @@ index 4c94a79..228e9da 100644
462 set_fs(old_fs);
463 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
464 }
465 -@@ -2023,14 +2488,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
466 +@@ -2023,14 +2481,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
467 }
468
469 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
470 @@ -54333,7 +54313,7 @@ index 4c94a79..228e9da 100644
471 return size;
472 }
473
474 -@@ -2123,7 +2588,7 @@ static int elf_core_dump(struct coredump_params *cprm)
475 +@@ -2123,7 +2581,7 @@ static int elf_core_dump(struct coredump_params *cprm)
476
477 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
478
479 @@ -54342,7 +54322,7 @@ index 4c94a79..228e9da 100644
480 offset += elf_core_extra_data_size();
481 e_shoff = offset;
482
483 -@@ -2137,10 +2602,12 @@ static int elf_core_dump(struct coredump_params *cprm)
484 +@@ -2137,10 +2595,12 @@ static int elf_core_dump(struct coredump_params *cprm)
485 offset = dataoff;
486
487 size += sizeof(*elf);
488 @@ -54355,7 +54335,7 @@ index 4c94a79..228e9da 100644
489 if (size > cprm->limit
490 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
491 goto end_coredump;
492 -@@ -2154,7 +2621,7 @@ static int elf_core_dump(struct coredump_params *cprm)
493 +@@ -2154,7 +2614,7 @@ static int elf_core_dump(struct coredump_params *cprm)
494 phdr.p_offset = offset;
495 phdr.p_vaddr = vma->vm_start;
496 phdr.p_paddr = 0;
497 @@ -54364,7 +54344,7 @@ index 4c94a79..228e9da 100644
498 phdr.p_memsz = vma->vm_end - vma->vm_start;
499 offset += phdr.p_filesz;
500 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
501 -@@ -2165,6 +2632,7 @@ static int elf_core_dump(struct coredump_params *cprm)
502 +@@ -2165,6 +2625,7 @@ static int elf_core_dump(struct coredump_params *cprm)
503 phdr.p_align = ELF_EXEC_PAGESIZE;
504
505 size += sizeof(phdr);
506 @@ -54372,7 +54352,7 @@ index 4c94a79..228e9da 100644
507 if (size > cprm->limit
508 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
509 goto end_coredump;
510 -@@ -2189,7 +2657,7 @@ static int elf_core_dump(struct coredump_params *cprm)
511 +@@ -2189,7 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm)
512 unsigned long addr;
513 unsigned long end;
514
515 @@ -54381,7 +54361,7 @@ index 4c94a79..228e9da 100644
516
517 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
518 struct page *page;
519 -@@ -2198,6 +2666,7 @@ static int elf_core_dump(struct coredump_params *cprm)
520 +@@ -2198,6 +2659,7 @@ static int elf_core_dump(struct coredump_params *cprm)
521 page = get_dump_page(addr);
522 if (page) {
523 void *kaddr = kmap(page);
524 @@ -54389,7 +54369,7 @@ index 4c94a79..228e9da 100644
525 stop = ((size += PAGE_SIZE) > cprm->limit) ||
526 !dump_write(cprm->file, kaddr,
527 PAGE_SIZE);
528 -@@ -2215,6 +2684,7 @@ static int elf_core_dump(struct coredump_params *cprm)
529 +@@ -2215,6 +2677,7 @@ static int elf_core_dump(struct coredump_params *cprm)
530
531 if (e_phnum == PN_XNUM) {
532 size += sizeof(*shdr4extnum);
533 @@ -54397,7 +54377,7 @@ index 4c94a79..228e9da 100644
534 if (size > cprm->limit
535 || !dump_write(cprm->file, shdr4extnum,
536 sizeof(*shdr4extnum)))
537 -@@ -2235,6 +2705,167 @@ out:
538 +@@ -2235,6 +2698,167 @@ out:
539
540 #endif /* CONFIG_ELF_CORE */
541
542 @@ -62491,10 +62471,10 @@ index 2b8952d..a60c6be 100644
543 kfree(s);
544 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
545 new file mode 100644
546 -index 0000000..a78d810
547 +index 0000000..04e9889
548 --- /dev/null
549 +++ b/grsecurity/Kconfig
550 -@@ -0,0 +1,1107 @@
551 +@@ -0,0 +1,1112 @@
552 +#
553 +# grecurity configuration
554 +#
555 @@ -62913,7 +62893,12 @@ index 0000000..a78d810
556 + This option acts independently of grsec_lock: once it is set to 1,
557 + it cannot be turned off. Therefore, please be mindful of the resulting
558 + behavior if this option is enabled in an init script on a read-only
559 -+ filesystem. This feature is mainly intended for secure embedded systems.
560 ++ filesystem.
561 ++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
562 ++ and GRKERNSEC_IO should be enabled and module loading disabled via
563 ++ config or at runtime.
564 ++ This feature is mainly intended for secure embedded systems.
565 ++
566 +
567 +config GRKERNSEC_DEVICE_SIDECHANNEL
568 + bool "Eliminate stat/notify-based device sidechannels"
569 @@ -63653,7 +63638,7 @@ index 0000000..85beb79
570 +endif
571 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
572 new file mode 100644
573 -index 0000000..6affeea
574 +index 0000000..90f71ce
575 --- /dev/null
576 +++ b/grsecurity/gracl.c
577 @@ -0,0 +1,2679 @@
578 @@ -63808,7 +63793,7 @@ index 0000000..6affeea
579 +gr_handle_rawio(const struct inode *inode)
580 +{
581 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
582 -+ if (inode && S_ISBLK(inode->i_mode) &&
583 ++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
584 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
585 + !capable(CAP_SYS_RAWIO))
586 + return 1;
587 @@ -71971,13 +71956,14 @@ index 0000000..f536303
588 +}
589 diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
590 new file mode 100644
591 -index 0000000..2131422
592 +index 0000000..cd9e124
593 --- /dev/null
594 +++ b/grsecurity/grsec_mount.c
595 -@@ -0,0 +1,62 @@
596 +@@ -0,0 +1,65 @@
597 +#include <linux/kernel.h>
598 +#include <linux/sched.h>
599 +#include <linux/mount.h>
600 ++#include <linux/major.h>
601 +#include <linux/grsecurity.h>
602 +#include <linux/grinternal.h>
603 +
604 @@ -72028,8 +72014,10 @@ index 0000000..2131422
605 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
606 +{
607 +#ifdef CONFIG_GRKERNSEC_ROFS
608 ++ struct inode *inode = dentry->d_inode;
609 ++
610 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
611 -+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
612 ++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
613 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
614 + return -EPERM;
615 + } else
616
617 diff --git a/3.2.53/0000_README b/3.2.53/0000_README
618 index b20dfe9..62ff1d5 100644
619 --- a/3.2.53/0000_README
620 +++ b/3.2.53/0000_README
621 @@ -130,7 +130,7 @@ Patch: 1052_linux-3.2.53.patch
622 From: http://www.kernel.org
623 Desc: Linux 3.2.53
624
625 -Patch: 4420_grsecurity-3.0-3.2.53-201312251832.patch
626 +Patch: 4420_grsecurity-3.0-3.2.53-201312262018.patch
627 From: http://www.grsecurity.net
628 Desc: hardened-sources base patch from upstream grsecurity
629
630
631 diff --git a/3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch b/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch
632 similarity index 99%
633 rename from 3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch
634 rename to 3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch
635 index 818d6db..02cb583 100644
636 --- a/3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch
637 +++ b/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch
638 @@ -1,16 +1,3 @@
639 - .|,
640 - -*-
641 - '/'\`
642 - /`'o\
643 - /#,o'`\
644 - o/`"#,`\o
645 - /`o``"#,\
646 - o/#,`'o'`\o
647 - /o`"#,`',o\
648 - o`-._`"#_.-'o
649 - _|"|_
650 - \=%=/ hjw
651 - """
652 diff --git a/Documentation/dontdiff b/Documentation/dontdiff
653 index dfa6fc6..be27ac3 100644
654 --- a/Documentation/dontdiff
655 @@ -61913,10 +61900,10 @@ index 8a89949..6776861 100644
656 xfs_init_zones(void)
657 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
658 new file mode 100644
659 -index 0000000..7e54fd7
660 +index 0000000..c4717f9
661 --- /dev/null
662 +++ b/grsecurity/Kconfig
663 -@@ -0,0 +1,1080 @@
664 +@@ -0,0 +1,1085 @@
665 +#
666 +# grecurity configuration
667 +#
668 @@ -62326,7 +62313,12 @@ index 0000000..7e54fd7
669 + This option acts independently of grsec_lock: once it is set to 1,
670 + it cannot be turned off. Therefore, please be mindful of the resulting
671 + behavior if this option is enabled in an init script on a read-only
672 -+ filesystem. This feature is mainly intended for secure embedded systems.
673 ++ filesystem.
674 ++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
675 ++ and GRKERNSEC_IO should be enabled and module loading disabled via
676 ++ config or at runtime.
677 ++ This feature is mainly intended for secure embedded systems.
678 ++
679 +
680 +config GRKERNSEC_DEVICE_SIDECHANNEL
681 + bool "Eliminate stat/notify-based device sidechannels"
682 @@ -63048,7 +63040,7 @@ index 0000000..2f8793f
683 +endif
684 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
685 new file mode 100644
686 -index 0000000..9b1fbce
687 +index 0000000..180140a
688 --- /dev/null
689 +++ b/grsecurity/gracl.c
690 @@ -0,0 +1,2825 @@
691 @@ -63205,7 +63197,7 @@ index 0000000..9b1fbce
692 +gr_handle_rawio(const struct inode *inode)
693 +{
694 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
695 -+ if (inode && S_ISBLK(inode->i_mode) &&
696 ++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
697 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
698 + !capable(CAP_SYS_RAWIO))
699 + return 1;
700 @@ -71425,13 +71417,14 @@ index 0000000..f536303
701 +}
702 diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
703 new file mode 100644
704 -index 0000000..2131422
705 +index 0000000..cd9e124
706 --- /dev/null
707 +++ b/grsecurity/grsec_mount.c
708 -@@ -0,0 +1,62 @@
709 +@@ -0,0 +1,65 @@
710 +#include <linux/kernel.h>
711 +#include <linux/sched.h>
712 +#include <linux/mount.h>
713 ++#include <linux/major.h>
714 +#include <linux/grsecurity.h>
715 +#include <linux/grinternal.h>
716 +
717 @@ -71482,8 +71475,10 @@ index 0000000..2131422
718 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
719 +{
720 +#ifdef CONFIG_GRKERNSEC_ROFS
721 ++ struct inode *inode = dentry->d_inode;
722 ++
723 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
724 -+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
725 ++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
726 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
727 + return -EPERM;
728 + } else