commit: c21d30c5844b0da4014a5bc2619aff7f87106fd2 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Fri Dec 27 14:52:45 2013 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Fri Dec 27 14:52:45 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=c21d30c5 |
|
Grsec/PaX: 3.0-{2.6.32,3.2.53,3.12.6}-201312262020 |
|
--- |
2.6.32/0000_README | 2 +- |
..._grsecurity-2.9.1-2.6.32.61-201312262018.patch} | 139 ++++++++++----------- |
3.12.6/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.12.6-201312262020.patch} | 134 +++++++++----------- |
3.2.53/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.2.53-201312262018.patch} | 37 +++--- |
6 files changed, 147 insertions(+), 169 deletions(-) |
|
19 |
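--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
 From: http://www.kernel.org
 Desc: Linux 2.6.32.61
 
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 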
33 |
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch |
34 |
similarity index 99% |
35 |
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch |
36 |
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch |
37 |
index 01a0f17..46790bb 100644 |
38 |
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch |
39 |
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch |
40 |
@@ -1,16 +1,3 @@ |
41 |
- .|, |
42 |
- -*- |
43 |
- '/'\` |
44 |
- /`'o\ |
45 |
- /#,o'`\ |
46 |
- o/`"#,`\o |
47 |
- /`o``"#,\ |
48 |
- o/#,`'o'`\o |
49 |
- /o`"#,`',o\ |
50 |
- o`-._`"#_.-'o |
51 |
- _|"|_ |
52 |
- \=%=/ hjw |
53 |
- """ |
54 |
diff --git a/Documentation/dontdiff b/Documentation/dontdiff |
55 |
index e1efc40..3569a2f 100644 |
56 |
--- a/Documentation/dontdiff |
57 |
@@ -62459,57 +62446,57 @@ index 0000000..c7ed692 |
58 |
--- /dev/null |
59 |
+++ b/drivers/net/benet/version.h |
60 |
@@ -0,0 +1,51 @@ |
61 |
-+#define STR_BE_BRANCH "0" |
62 |
-+#define STR_BE_BUILD "479" |
63 |
-+#define STR_BE_DOT "0" |
64 |
-+#define STR_BE_MINOR "0" |
65 |
-+#define STR_BE_MAJOR "4" |
66 |
-+ |
67 |
-+#define BE_BRANCH 0 |
68 |
-+#define BE_BUILD 479 |
69 |
-+#define BE_DOT 0 |
70 |
-+#define BE_MINOR 0 |
71 |
-+#define BE_MAJOR 4 |
72 |
-+ |
73 |
-+#define MGMT_BRANCH 0 |
74 |
-+#define MGMT_BUILDNUM 479 |
75 |
-+#define MGMT_MINOR 0 |
76 |
-+#define MGMT_MAJOR 4 |
77 |
-+ |
78 |
-+#define BE_REDBOOT_VERSION "2.0.5.0" |
79 |
-+ |
80 |
-+//start-auto |
81 |
-+#define BUILD_MONTH "12" |
82 |
-+#define BUILD_MONTH_NAME "December" |
83 |
-+#define BUILD_DAY "6" |
84 |
-+#define BUILD_YEAR "2011" |
85 |
-+#define BUILD_24HOUR "21" |
86 |
-+#define BUILD_12HOUR "9" |
87 |
-+#define BUILD_AM_PM "PM" |
88 |
-+#define BUILD_MIN "48" |
89 |
-+#define BUILD_SEC "05" |
90 |
-+#define BUILD_MONTH_NUMBER 12 |
91 |
-+#define BUILD_DAY_NUMBER 6 |
92 |
-+#define BUILD_YEAR_NUMBER 2011 |
93 |
-+#define BUILD_24HOUR_NUMBER 21 |
94 |
-+#define BUILD_12HOUR_NUMBER 9 |
95 |
-+#define BUILD_MIN_NUMBER 48 |
96 |
-+#define BUILD_SEC_NUMBER 5 |
97 |
-+#undef MAJOR_BUILD |
98 |
-+#undef MINOR_BUILD |
99 |
-+#undef DOT_BUILD |
100 |
-+#define NUMBERED_BUILD |
101 |
-+#undef BRANCH_BUILD |
102 |
-+//end-auto |
103 |
-+ |
104 |
-+#define ELX_FCOE_XROM_BIOS_VER "7.03a1" |
105 |
-+#define ELX_FCoE_X86_VER "4.02a1" |
106 |
-+#define ELX_FCoE_EFI_VER "5.01a1" |
107 |
-+#define ELX_FCoE_FCODE_VER "4.01a0" |
108 |
-+#define ELX_PXE_BIOS_VER "3.00a5" |
109 |
-+#define ELX_UEFI_NIC_VER "2.10A10" |
110 |
-+#define ELX_UEFI_FCODE_VER "1.10A0" |
111 |
-+#define ELX_ISCSI_BIOS_VER "1.00A8" |
112 |
++#define STR_BE_BRANCH "0" |
113 |
++#define STR_BE_BUILD "479" |
114 |
++#define STR_BE_DOT "0" |
115 |
++#define STR_BE_MINOR "0" |
116 |
++#define STR_BE_MAJOR "4" |
117 |
++ |
118 |
++#define BE_BRANCH 0 |
119 |
++#define BE_BUILD 479 |
120 |
++#define BE_DOT 0 |
121 |
++#define BE_MINOR 0 |
122 |
++#define BE_MAJOR 4 |
123 |
++ |
124 |
++#define MGMT_BRANCH 0 |
125 |
++#define MGMT_BUILDNUM 479 |
126 |
++#define MGMT_MINOR 0 |
127 |
++#define MGMT_MAJOR 4 |
128 |
++ |
129 |
++#define BE_REDBOOT_VERSION "2.0.5.0" |
130 |
++ |
131 |
++//start-auto |
132 |
++#define BUILD_MONTH "12" |
133 |
++#define BUILD_MONTH_NAME "December" |
134 |
++#define BUILD_DAY "6" |
135 |
++#define BUILD_YEAR "2011" |
136 |
++#define BUILD_24HOUR "21" |
137 |
++#define BUILD_12HOUR "9" |
138 |
++#define BUILD_AM_PM "PM" |
139 |
++#define BUILD_MIN "48" |
140 |
++#define BUILD_SEC "05" |
141 |
++#define BUILD_MONTH_NUMBER 12 |
142 |
++#define BUILD_DAY_NUMBER 6 |
143 |
++#define BUILD_YEAR_NUMBER 2011 |
144 |
++#define BUILD_24HOUR_NUMBER 21 |
145 |
++#define BUILD_12HOUR_NUMBER 9 |
146 |
++#define BUILD_MIN_NUMBER 48 |
147 |
++#define BUILD_SEC_NUMBER 5 |
148 |
++#undef MAJOR_BUILD |
149 |
++#undef MINOR_BUILD |
150 |
++#undef DOT_BUILD |
151 |
++#define NUMBERED_BUILD |
152 |
++#undef BRANCH_BUILD |
153 |
++//end-auto |
154 |
++ |
155 |
++#define ELX_FCOE_XROM_BIOS_VER "7.03a1" |
156 |
++#define ELX_FCoE_X86_VER "4.02a1" |
157 |
++#define ELX_FCoE_EFI_VER "5.01a1" |
158 |
++#define ELX_FCoE_FCODE_VER "4.01a0" |
159 |
++#define ELX_PXE_BIOS_VER "3.00a5" |
160 |
++#define ELX_UEFI_NIC_VER "2.10A10" |
161 |
++#define ELX_UEFI_FCODE_VER "1.10A0" |
162 |
++#define ELX_ISCSI_BIOS_VER "1.00A8" |
163 |
diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c |
164 |
index 4874b2b..67f8526 100644 |
165 |
--- a/drivers/net/bnx2.c |
166 |
@@ -85982,10 +85969,10 @@ index e89734e..5e84d8d 100644 |
167 |
return 0; |
168 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
169 |
new file mode 100644 |
170 |
-index 0000000..105b285 |
171 |
+index 0000000..9712ce3 |
172 |
--- /dev/null |
173 |
+++ b/grsecurity/Kconfig |
174 |
-@@ -0,0 +1,1050 @@ |
175 |
+@@ -0,0 +1,1055 @@ |
176 |
+# |
177 |
+# grecurity configuration |
178 |
+# |
179 |
@@ -86355,7 +86342,12 @@ index 0000000..105b285 |
180 |
+ This option acts independently of grsec_lock: once it is set to 1, |
181 |
+ it cannot be turned off. Therefore, please be mindful of the resulting |
182 |
+ behavior if this option is enabled in an init script on a read-only |
183 |
-+ filesystem. This feature is mainly intended for secure embedded systems. |
184 |
++ filesystem. |
185 |
++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM |
186 |
++ and GRKERNSEC_IO should be enabled and module loading disabled via |
187 |
++ config or at runtime. |
188 |
++ This feature is mainly intended for secure embedded systems. |
189 |
++ |
190 |
+ |
191 |
+config GRKERNSEC_DEVICE_SIDECHANNEL |
192 |
+ bool "Eliminate stat/notify-based device sidechannels" |
193 |
@@ -87087,7 +87079,7 @@ index 0000000..b0b77d5 |
194 |
+endif |
195 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
196 |
new file mode 100644 |
197 |
-index 0000000..1276b13 |
198 |
+index 0000000..a24562a |
199 |
--- /dev/null |
200 |
+++ b/grsecurity/gracl.c |
201 |
@@ -0,0 +1,4309 @@ |
202 |
@@ -87390,7 +87382,7 @@ index 0000000..1276b13 |
203 |
+gr_handle_rawio(const struct inode *inode) |
204 |
+{ |
205 |
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS |
206 |
-+ if (inode && S_ISBLK(inode->i_mode) && |
207 |
++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) && |
208 |
+ grsec_enable_chroot_caps && proc_is_chrooted(current) && |
209 |
+ !capable(CAP_SYS_RAWIO)) |
210 |
+ return 1; |
211 |
@@ -95245,13 +95237,14 @@ index 0000000..f536303 |
212 |
+} |
213 |
diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c |
214 |
new file mode 100644 |
215 |
-index 0000000..2131422 |
216 |
+index 0000000..cd9e124 |
217 |
--- /dev/null |
218 |
+++ b/grsecurity/grsec_mount.c |
219 |
-@@ -0,0 +1,62 @@ |
220 |
+@@ -0,0 +1,65 @@ |
221 |
+#include <linux/kernel.h> |
222 |
+#include <linux/sched.h> |
223 |
+#include <linux/mount.h> |
224 |
++#include <linux/major.h> |
225 |
+#include <linux/grsecurity.h> |
226 |
+#include <linux/grinternal.h> |
227 |
+ |
228 |
@@ -95302,8 +95295,10 @@ index 0000000..2131422 |
229 |
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode) |
230 |
+{ |
231 |
+#ifdef CONFIG_GRKERNSEC_ROFS |
232 |
++ struct inode *inode = dentry->d_inode; |
233 |
++ |
234 |
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) && |
235 |
-+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) { |
236 |
++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) { |
237 |
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt); |
238 |
+ return -EPERM; |
239 |
+ } else |
240 |
|
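Review bot: The predicate `S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)` is now written out twice per patch set, in gr_handle_rawio (grsecurity/gracl.c) and gr_handle_rofs_blockwrite (grsecurity/grsec_mount.c), and the same duplication appears in the 3.12.6 and 3.2.53 sections; a shared static inline helper in a header both files already include (grsec_mount.c includes linux/grinternal.h) would keep the two checks from drifting apart and bring the overlong condition line back under 80 columns. grsec_mount.c gains `#include <linux/major.h>` for RAW_MAJOR, but no corresponding include hunk is visible for gracl.c in this section, so confirm gracl.c already reaches linux/major.h transitively, otherwise the new condition fails to compile under CONFIG_GRKERNSEC_CHROOT_CAPS. The raw driver exposes a block device through a character node, which is why a block-device-only check could be sidestepped; a one-line comment on the helper recording that reason would save the next reader from having to rediscover it. Both functions continue outside the hunks shown.
```c
/* Inodes through which a block device can be written directly: block
 * nodes, and the raw character-device aliases of them (major RAW_MAJOR). */
static inline int gr_is_rawio_inode(const struct inode *inode)
{
	return inode && (S_ISBLK(inode->i_mode) ||
			 (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR));
}

/* … gr_handle_rofs_blockwrite, unchanged apart from the condition … */
	if (grsec_enable_rofs && (acc_mode & MAY_WRITE) && gr_is_rawio_inode(inode)) {
```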
241 |
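--- a/3.12.6/0000_README
+++ b/3.12.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.12.6-201312251834.patch
+Patch: 4420_grsecurity-3.0-3.12.6-201312262020.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 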
255 |
diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch |
256 |
similarity index 99% |
257 |
rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch |
258 |
rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch |
259 |
index 8e02776..639a445 100644 |
260 |
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch |
261 |
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch |
262 |
@@ -1,16 +1,3 @@ |
263 |
- .|, |
264 |
- -*- |
265 |
- '/'\` |
266 |
- /`'o\ |
267 |
- /#,o'`\ |
268 |
- o/`"#,`\o |
269 |
- /`o``"#,\ |
270 |
- o/#,`'o'`\o |
271 |
- /o`"#,`',o\ |
272 |
- o`-._`"#_.-'o |
273 |
- _|"|_ |
274 |
- \=%=/ hjw |
275 |
- """ |
276 |
diff --git a/Documentation/dontdiff b/Documentation/dontdiff |
277 |
index b89a739..79768fb 100644 |
278 |
--- a/Documentation/dontdiff |
279 |
@@ -53580,7 +53567,7 @@ index 89dec7f..361b0d75 100644 |
280 |
fd_offset + ex.a_text); |
281 |
if (error != N_DATADDR(ex)) { |
282 |
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c |
283 |
-index 4c94a79..228e9da 100644 |
284 |
+index 4c94a79..2610454 100644 |
285 |
--- a/fs/binfmt_elf.c |
286 |
+++ b/fs/binfmt_elf.c |
287 |
@@ -34,6 +34,7 @@ |
288 |
@@ -53749,7 +53736,7 @@ index 4c94a79..228e9da 100644 |
289 |
} |
290 |
|
291 |
error = load_addr; |
292 |
-@@ -538,6 +569,322 @@ out: |
293 |
+@@ -538,6 +569,315 @@ out: |
294 |
return error; |
295 |
} |
296 |
|
297 |
@@ -53983,41 +53970,34 @@ index 4c94a79..228e9da 100644 |
298 |
+ unsigned long pax_flags_hardmode = 0UL, pax_flags_softmode = 0UL; |
299 |
+ |
300 |
+ xattr_size = pax_getxattr(file->f_path.dentry, xattr_value, sizeof xattr_value); |
301 |
-+ switch (xattr_size) { |
302 |
-+ default: |
303 |
++ if (xattr_size <= 0 || xattr_size > sizeof xattr_value) |
304 |
+ return ~0UL; |
305 |
+ |
306 |
-+ case -ENODATA: |
307 |
-+ break; |
308 |
-+ |
309 |
-+ case 0 ... sizeof xattr_value: |
310 |
-+ for (i = 0; i < xattr_size; i++) |
311 |
-+ switch (xattr_value[i]) { |
312 |
-+ default: |
313 |
-+ return ~0UL; |
314 |
-+ |
315 |
-+#define parse_flag(option1, option2, flag) \ |
316 |
-+ case option1: \ |
317 |
-+ if (pax_flags_hardmode & MF_PAX_##flag) \ |
318 |
-+ return ~0UL; \ |
319 |
-+ pax_flags_hardmode |= MF_PAX_##flag; \ |
320 |
-+ break; \ |
321 |
-+ case option2: \ |
322 |
-+ if (pax_flags_softmode & MF_PAX_##flag) \ |
323 |
-+ return ~0UL; \ |
324 |
-+ pax_flags_softmode |= MF_PAX_##flag; \ |
325 |
-+ break; |
326 |
++ for (i = 0; i < xattr_size; i++) |
327 |
++ switch (xattr_value[i]) { |
328 |
++ default: |
329 |
++ return ~0UL; |
330 |
++ |
331 |
++#define parse_flag(option1, option2, flag) \ |
332 |
++ case option1: \ |
333 |
++ if (pax_flags_hardmode & MF_PAX_##flag) \ |
334 |
++ return ~0UL; \ |
335 |
++ pax_flags_hardmode |= MF_PAX_##flag; \ |
336 |
++ break; \ |
337 |
++ case option2: \ |
338 |
++ if (pax_flags_softmode & MF_PAX_##flag) \ |
339 |
++ return ~0UL; \ |
340 |
++ pax_flags_softmode |= MF_PAX_##flag; \ |
341 |
++ break; |
342 |
+ |
343 |
-+ parse_flag('p', 'P', PAGEEXEC); |
344 |
-+ parse_flag('e', 'E', EMUTRAMP); |
345 |
-+ parse_flag('m', 'M', MPROTECT); |
346 |
-+ parse_flag('r', 'R', RANDMMAP); |
347 |
-+ parse_flag('s', 'S', SEGMEXEC); |
348 |
++ parse_flag('p', 'P', PAGEEXEC); |
349 |
++ parse_flag('e', 'E', EMUTRAMP); |
350 |
++ parse_flag('m', 'M', MPROTECT); |
351 |
++ parse_flag('r', 'R', RANDMMAP); |
352 |
++ parse_flag('s', 'S', SEGMEXEC); |
353 |
+ |
354 |
+#undef parse_flag |
355 |
-+ } |
356 |
-+ break; |
357 |
-+ } |
358 |
++ } |
359 |
+ |
360 |
+ if (pax_flags_hardmode & pax_flags_softmode) |
361 |
+ return ~0UL; |
362 |
@@ -54072,7 +54052,7 @@ index 4c94a79..228e9da 100644 |
363 |
/* |
364 |
* These are the functions used to load ELF style executables and shared |
365 |
* libraries. There is no binary dependent code anywhere else. |
366 |
-@@ -554,6 +901,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) |
367 |
+@@ -554,6 +894,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) |
368 |
{ |
369 |
unsigned int random_variable = 0; |
370 |
|
371 |
@@ -54084,7 +54064,7 @@ index 4c94a79..228e9da 100644 |
372 |
if ((current->flags & PF_RANDOMIZE) && |
373 |
!(current->personality & ADDR_NO_RANDOMIZE)) { |
374 |
random_variable = get_random_int() & STACK_RND_MASK; |
375 |
-@@ -572,7 +924,7 @@ static int load_elf_binary(struct linux_binprm *bprm) |
376 |
+@@ -572,7 +917,7 @@ static int load_elf_binary(struct linux_binprm *bprm) |
377 |
unsigned long load_addr = 0, load_bias = 0; |
378 |
int load_addr_set = 0; |
379 |
char * elf_interpreter = NULL; |
380 |
@@ -54093,7 +54073,7 @@ index 4c94a79..228e9da 100644 |
381 |
struct elf_phdr *elf_ppnt, *elf_phdata; |
382 |
unsigned long elf_bss, elf_brk; |
383 |
int retval, i; |
384 |
-@@ -582,12 +934,12 @@ static int load_elf_binary(struct linux_binprm *bprm) |
385 |
+@@ -582,12 +927,12 @@ static int load_elf_binary(struct linux_binprm *bprm) |
386 |
unsigned long start_code, end_code, start_data, end_data; |
387 |
unsigned long reloc_func_desc __maybe_unused = 0; |
388 |
int executable_stack = EXSTACK_DEFAULT; |
389 |
@@ -54107,7 +54087,7 @@ index 4c94a79..228e9da 100644 |
390 |
|
391 |
loc = kmalloc(sizeof(*loc), GFP_KERNEL); |
392 |
if (!loc) { |
393 |
-@@ -723,11 +1075,82 @@ static int load_elf_binary(struct linux_binprm *bprm) |
394 |
+@@ -723,11 +1068,82 @@ static int load_elf_binary(struct linux_binprm *bprm) |
395 |
goto out_free_dentry; |
396 |
|
397 |
/* OK, This is the point of no return */ |
398 |
@@ -54191,7 +54171,7 @@ index 4c94a79..228e9da 100644 |
399 |
if (elf_read_implies_exec(loc->elf_ex, executable_stack)) |
400 |
current->personality |= READ_IMPLIES_EXEC; |
401 |
|
402 |
-@@ -817,6 +1240,20 @@ static int load_elf_binary(struct linux_binprm *bprm) |
403 |
+@@ -817,6 +1233,20 @@ static int load_elf_binary(struct linux_binprm *bprm) |
404 |
#else |
405 |
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); |
406 |
#endif |
407 |
@@ -54212,7 +54192,7 @@ index 4c94a79..228e9da 100644 |
408 |
} |
409 |
|
410 |
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, |
411 |
-@@ -849,9 +1286,9 @@ static int load_elf_binary(struct linux_binprm *bprm) |
412 |
+@@ -849,9 +1279,9 @@ static int load_elf_binary(struct linux_binprm *bprm) |
413 |
* allowed task size. Note that p_filesz must always be |
414 |
* <= p_memsz so it is only necessary to check p_memsz. |
415 |
*/ |
416 |
@@ -54225,7 +54205,7 @@ index 4c94a79..228e9da 100644 |
417 |
/* set_brk can never work. Avoid overflows. */ |
418 |
send_sig(SIGKILL, current, 0); |
419 |
retval = -EINVAL; |
420 |
-@@ -890,17 +1327,45 @@ static int load_elf_binary(struct linux_binprm *bprm) |
421 |
+@@ -890,17 +1320,45 @@ static int load_elf_binary(struct linux_binprm *bprm) |
422 |
goto out_free_dentry; |
423 |
} |
424 |
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { |
425 |
@@ -54277,7 +54257,7 @@ index 4c94a79..228e9da 100644 |
426 |
load_bias); |
427 |
if (!IS_ERR((void *)elf_entry)) { |
428 |
/* |
429 |
-@@ -1122,7 +1587,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) |
430 |
+@@ -1122,7 +1580,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) |
431 |
* Decide what to dump of a segment, part, all or none. |
432 |
*/ |
433 |
static unsigned long vma_dump_size(struct vm_area_struct *vma, |
434 |
@@ -54286,7 +54266,7 @@ index 4c94a79..228e9da 100644 |
435 |
{ |
436 |
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) |
437 |
|
438 |
-@@ -1160,7 +1625,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, |
439 |
+@@ -1160,7 +1618,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, |
440 |
if (vma->vm_file == NULL) |
441 |
return 0; |
442 |
|
443 |
@@ -54295,7 +54275,7 @@ index 4c94a79..228e9da 100644 |
444 |
goto whole; |
445 |
|
446 |
/* |
447 |
-@@ -1385,9 +1850,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) |
448 |
+@@ -1385,9 +1843,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) |
449 |
{ |
450 |
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; |
451 |
int i = 0; |
452 |
@@ -54307,7 +54287,7 @@ index 4c94a79..228e9da 100644 |
453 |
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); |
454 |
} |
455 |
|
456 |
-@@ -1396,7 +1861,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, |
457 |
+@@ -1396,7 +1854,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata, |
458 |
{ |
459 |
mm_segment_t old_fs = get_fs(); |
460 |
set_fs(KERNEL_DS); |
461 |
@@ -54316,7 +54296,7 @@ index 4c94a79..228e9da 100644 |
462 |
set_fs(old_fs); |
463 |
fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata); |
464 |
} |
465 |
-@@ -2023,14 +2488,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, |
466 |
+@@ -2023,14 +2481,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, |
467 |
} |
468 |
|
469 |
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, |
470 |
@@ -54333,7 +54313,7 @@ index 4c94a79..228e9da 100644 |
471 |
return size; |
472 |
} |
473 |
|
474 |
-@@ -2123,7 +2588,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
475 |
+@@ -2123,7 +2581,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
476 |
|
477 |
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); |
478 |
|
479 |
@@ -54342,7 +54322,7 @@ index 4c94a79..228e9da 100644 |
480 |
offset += elf_core_extra_data_size(); |
481 |
e_shoff = offset; |
482 |
|
483 |
-@@ -2137,10 +2602,12 @@ static int elf_core_dump(struct coredump_params *cprm) |
484 |
+@@ -2137,10 +2595,12 @@ static int elf_core_dump(struct coredump_params *cprm) |
485 |
offset = dataoff; |
486 |
|
487 |
size += sizeof(*elf); |
488 |
@@ -54355,7 +54335,7 @@ index 4c94a79..228e9da 100644 |
489 |
if (size > cprm->limit |
490 |
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) |
491 |
goto end_coredump; |
492 |
-@@ -2154,7 +2621,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
493 |
+@@ -2154,7 +2614,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
494 |
phdr.p_offset = offset; |
495 |
phdr.p_vaddr = vma->vm_start; |
496 |
phdr.p_paddr = 0; |
497 |
@@ -54364,7 +54344,7 @@ index 4c94a79..228e9da 100644 |
498 |
phdr.p_memsz = vma->vm_end - vma->vm_start; |
499 |
offset += phdr.p_filesz; |
500 |
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; |
501 |
-@@ -2165,6 +2632,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
502 |
+@@ -2165,6 +2625,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
503 |
phdr.p_align = ELF_EXEC_PAGESIZE; |
504 |
|
505 |
size += sizeof(phdr); |
506 |
@@ -54372,7 +54352,7 @@ index 4c94a79..228e9da 100644 |
507 |
if (size > cprm->limit |
508 |
|| !dump_write(cprm->file, &phdr, sizeof(phdr))) |
509 |
goto end_coredump; |
510 |
-@@ -2189,7 +2657,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
511 |
+@@ -2189,7 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
512 |
unsigned long addr; |
513 |
unsigned long end; |
514 |
|
515 |
@@ -54381,7 +54361,7 @@ index 4c94a79..228e9da 100644 |
516 |
|
517 |
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { |
518 |
struct page *page; |
519 |
-@@ -2198,6 +2666,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
520 |
+@@ -2198,6 +2659,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
521 |
page = get_dump_page(addr); |
522 |
if (page) { |
523 |
void *kaddr = kmap(page); |
524 |
@@ -54389,7 +54369,7 @@ index 4c94a79..228e9da 100644 |
525 |
stop = ((size += PAGE_SIZE) > cprm->limit) || |
526 |
!dump_write(cprm->file, kaddr, |
527 |
PAGE_SIZE); |
528 |
-@@ -2215,6 +2684,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
529 |
+@@ -2215,6 +2677,7 @@ static int elf_core_dump(struct coredump_params *cprm) |
530 |
|
531 |
if (e_phnum == PN_XNUM) { |
532 |
size += sizeof(*shdr4extnum); |
533 |
@@ -54397,7 +54377,7 @@ index 4c94a79..228e9da 100644 |
534 |
if (size > cprm->limit |
535 |
|| !dump_write(cprm->file, shdr4extnum, |
536 |
sizeof(*shdr4extnum))) |
537 |
-@@ -2235,6 +2705,167 @@ out: |
538 |
+@@ -2235,6 +2698,167 @@ out: |
539 |
|
540 |
#endif /* CONFIG_ELF_CORE */ |
541 |
|
542 |
@@ -62491,10 +62471,10 @@ index 2b8952d..a60c6be 100644 |
543 |
kfree(s); |
544 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
545 |
new file mode 100644 |
546 |
-index 0000000..a78d810 |
547 |
+index 0000000..04e9889 |
548 |
--- /dev/null |
549 |
+++ b/grsecurity/Kconfig |
550 |
-@@ -0,0 +1,1107 @@ |
551 |
+@@ -0,0 +1,1112 @@ |
552 |
+# |
553 |
+# grecurity configuration |
554 |
+# |
555 |
@@ -62913,7 +62893,12 @@ index 0000000..a78d810 |
556 |
+ This option acts independently of grsec_lock: once it is set to 1, |
557 |
+ it cannot be turned off. Therefore, please be mindful of the resulting |
558 |
+ behavior if this option is enabled in an init script on a read-only |
559 |
-+ filesystem. This feature is mainly intended for secure embedded systems. |
560 |
++ filesystem. |
561 |
++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM |
562 |
++ and GRKERNSEC_IO should be enabled and module loading disabled via |
563 |
++ config or at runtime. |
564 |
++ This feature is mainly intended for secure embedded systems. |
565 |
++ |
566 |
+ |
567 |
+config GRKERNSEC_DEVICE_SIDECHANNEL |
568 |
+ bool "Eliminate stat/notify-based device sidechannels" |
569 |
@@ -63653,7 +63638,7 @@ index 0000000..85beb79 |
570 |
+endif |
571 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
572 |
new file mode 100644 |
573 |
-index 0000000..6affeea |
574 |
+index 0000000..90f71ce |
575 |
--- /dev/null |
576 |
+++ b/grsecurity/gracl.c |
577 |
@@ -0,0 +1,2679 @@ |
578 |
@@ -63808,7 +63793,7 @@ index 0000000..6affeea |
579 |
+gr_handle_rawio(const struct inode *inode) |
580 |
+{ |
581 |
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS |
582 |
-+ if (inode && S_ISBLK(inode->i_mode) && |
583 |
++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) && |
584 |
+ grsec_enable_chroot_caps && proc_is_chrooted(current) && |
585 |
+ !capable(CAP_SYS_RAWIO)) |
586 |
+ return 1; |
587 |
@@ -71971,13 +71956,14 @@ index 0000000..f536303 |
588 |
+} |
589 |
diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c |
590 |
new file mode 100644 |
591 |
-index 0000000..2131422 |
592 |
+index 0000000..cd9e124 |
593 |
--- /dev/null |
594 |
+++ b/grsecurity/grsec_mount.c |
595 |
-@@ -0,0 +1,62 @@ |
596 |
+@@ -0,0 +1,65 @@ |
597 |
+#include <linux/kernel.h> |
598 |
+#include <linux/sched.h> |
599 |
+#include <linux/mount.h> |
600 |
++#include <linux/major.h> |
601 |
+#include <linux/grsecurity.h> |
602 |
+#include <linux/grinternal.h> |
603 |
+ |
604 |
@@ -72028,8 +72014,10 @@ index 0000000..2131422 |
605 |
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode) |
606 |
+{ |
607 |
+#ifdef CONFIG_GRKERNSEC_ROFS |
608 |
++ struct inode *inode = dentry->d_inode; |
609 |
++ |
610 |
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) && |
611 |
-+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) { |
612 |
++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) { |
613 |
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt); |
614 |
+ return -EPERM; |
615 |
+ } else |
616 |
|
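Review bot: The rewritten guard `if (xattr_size <= 0 || xattr_size > sizeof xattr_value) return ~0UL;` in pax_parse_xattr_pax (fs/binfmt_elf.c) folds together two cases the old switch kept apart: -ENODATA used to `break` and continue to the flag-combination code with both flag words still zero, and a zero-length xattr used to enter the parse loop via `case 0 ... sizeof xattr_value`, whereas both now return ~0UL alongside genuine errors. If that is the intended meaning — no usable PaX xattr, presumably letting the caller fall back to the other flag sources — a comment should say so now that the case labels which documented it are gone, e.g. `/* absent (-ENODATA), empty or oversized xattr: no usable PaX flags, treat as not present */`. xattr_size is declared outside the hunk and is presumably signed while `sizeof` is unsigned, so the second comparison mixes signedness; the `<= 0` test short-circuits negative values first, which keeps it correct, but a `(size_t)` cast in the second comparison would quiet -Wsign-compare and make that ordering dependency explicit. The function begins and ends outside this hunk.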
617 |
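--- a/3.2.53/0000_README
+++ b/3.2.53/0000_README
@@ -130,7 +130,7 @@ Patch: 1052_linux-3.2.53.patch
 From: http://www.kernel.org
 Desc: Linux 3.2.53
 
-Patch: 4420_grsecurity-3.0-3.2.53-201312251832.patch
+Patch: 4420_grsecurity-3.0-3.2.53-201312262018.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 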
631 |
diff --git a/3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch b/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch |
632 |
similarity index 99% |
633 |
rename from 3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch |
634 |
rename to 3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch |
635 |
index 818d6db..02cb583 100644 |
636 |
--- a/3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch |
637 |
+++ b/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch |
638 |
@@ -1,16 +1,3 @@ |
639 |
- .|, |
640 |
- -*- |
641 |
- '/'\` |
642 |
- /`'o\ |
643 |
- /#,o'`\ |
644 |
- o/`"#,`\o |
645 |
- /`o``"#,\ |
646 |
- o/#,`'o'`\o |
647 |
- /o`"#,`',o\ |
648 |
- o`-._`"#_.-'o |
649 |
- _|"|_ |
650 |
- \=%=/ hjw |
651 |
- """ |
652 |
diff --git a/Documentation/dontdiff b/Documentation/dontdiff |
653 |
index dfa6fc6..be27ac3 100644 |
654 |
--- a/Documentation/dontdiff |
655 |
@@ -61913,10 +61900,10 @@ index 8a89949..6776861 100644 |
656 |
xfs_init_zones(void) |
657 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
658 |
new file mode 100644 |
659 |
-index 0000000..7e54fd7 |
660 |
+index 0000000..c4717f9 |
661 |
--- /dev/null |
662 |
+++ b/grsecurity/Kconfig |
663 |
-@@ -0,0 +1,1080 @@ |
664 |
+@@ -0,0 +1,1085 @@ |
665 |
+# |
666 |
+# grecurity configuration |
667 |
+# |
668 |
@@ -62326,7 +62313,12 @@ index 0000000..7e54fd7 |
669 |
+ This option acts independently of grsec_lock: once it is set to 1, |
670 |
+ it cannot be turned off. Therefore, please be mindful of the resulting |
671 |
+ behavior if this option is enabled in an init script on a read-only |
672 |
-+ filesystem. This feature is mainly intended for secure embedded systems. |
673 |
++ filesystem. |
674 |
++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM |
675 |
++ and GRKERNSEC_IO should be enabled and module loading disabled via |
676 |
++ config or at runtime. |
677 |
++ This feature is mainly intended for secure embedded systems. |
678 |
++ |
679 |
+ |
680 |
+config GRKERNSEC_DEVICE_SIDECHANNEL |
681 |
+ bool "Eliminate stat/notify-based device sidechannels" |
682 |
@@ -63048,7 +63040,7 @@ index 0000000..2f8793f |
683 |
+endif |
684 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
685 |
new file mode 100644 |
686 |
-index 0000000..9b1fbce |
687 |
+index 0000000..180140a |
688 |
--- /dev/null |
689 |
+++ b/grsecurity/gracl.c |
690 |
@@ -0,0 +1,2825 @@ |
691 |
@@ -63205,7 +63197,7 @@ index 0000000..9b1fbce |
692 |
+gr_handle_rawio(const struct inode *inode) |
693 |
+{ |
694 |
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS |
695 |
-+ if (inode && S_ISBLK(inode->i_mode) && |
696 |
++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) && |
697 |
+ grsec_enable_chroot_caps && proc_is_chrooted(current) && |
698 |
+ !capable(CAP_SYS_RAWIO)) |
699 |
+ return 1; |
700 |
@@ -71425,13 +71417,14 @@ index 0000000..f536303 |
701 |
+} |
702 |
diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c |
703 |
new file mode 100644 |
704 |
-index 0000000..2131422 |
705 |
+index 0000000..cd9e124 |
706 |
--- /dev/null |
707 |
+++ b/grsecurity/grsec_mount.c |
708 |
-@@ -0,0 +1,62 @@ |
709 |
+@@ -0,0 +1,65 @@ |
710 |
+#include <linux/kernel.h> |
711 |
+#include <linux/sched.h> |
712 |
+#include <linux/mount.h> |
713 |
++#include <linux/major.h> |
714 |
+#include <linux/grsecurity.h> |
715 |
+#include <linux/grinternal.h> |
716 |
+ |
717 |
@@ -71482,8 +71475,10 @@ index 0000000..2131422 |
718 |
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode) |
719 |
+{ |
720 |
+#ifdef CONFIG_GRKERNSEC_ROFS |
721 |
++ struct inode *inode = dentry->d_inode; |
722 |
++ |
723 |
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) && |
724 |
-+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) { |
725 |
++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) { |
726 |
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt); |
727 |
+ return -EPERM; |
728 |
+ } else |