commit: 8625ea5b47f8eb2b6e622750fc667ce13bd199b0 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Sun Sep 20 19:18:42 2015 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sun Sep 20 19:18:42 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=8625ea5b |
|
grsecurity-3.1-4.1.7-201509201149 |
|
4.1.7/0000_README | 2 +- |
...> 4420_grsecurity-3.1-4.1.7-201509201149.patch} | 33 ++++++++++++---------- |
2 files changed, 19 insertions(+), 16 deletions(-) |
|
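--- a/4.1.7/0000_README
+++ b/4.1.7/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.1.7-201509131604.patch
+Patch: 4420_grsecurity-3.1-4.1.7-201509201149.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
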
28 |
diff --git a/4.1.7/4420_grsecurity-3.1-4.1.7-201509131604.patch b/4.1.7/4420_grsecurity-3.1-4.1.7-201509201149.patch |
29 |
similarity index 99% |
30 |
rename from 4.1.7/4420_grsecurity-3.1-4.1.7-201509131604.patch |
31 |
rename to 4.1.7/4420_grsecurity-3.1-4.1.7-201509201149.patch |
32 |
index eb11268..4694239 100644 |
33 |
--- a/4.1.7/4420_grsecurity-3.1-4.1.7-201509131604.patch |
34 |
+++ b/4.1.7/4420_grsecurity-3.1-4.1.7-201509201149.patch |
35 |
@@ -72155,7 +72155,7 @@ index 4c55668..eeae150 100644 |
36 |
fd_offset + ex.a_text); |
37 |
if (error != N_DATADDR(ex)) |
38 |
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c |
39 |
-index cd46e41..244f778 100644 |
40 |
+index cd46e41..d67c3df 100644 |
41 |
--- a/fs/binfmt_elf.c |
42 |
+++ b/fs/binfmt_elf.c |
43 |
@@ -35,6 +35,7 @@ |
44 |
@@ -72998,7 +72998,7 @@ index cd46e41..244f778 100644 |
45 |
+ if (dyn.d_tag == DT_NULL) |
46 |
+ break; |
47 |
+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) { |
48 |
-+ gr_log_textrel(vma); |
49 |
++ gr_log_textrel(vma, is_textrel_rw); |
50 |
+ if (is_textrel_rw) |
51 |
+ vma->vm_flags |= VM_MAYWRITE; |
52 |
+ else |
53 |
@@ -91727,10 +91727,10 @@ index 0000000..8ef2b75 |
54 |
+} |
55 |
diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c |
56 |
new file mode 100644 |
57 |
-index 0000000..dbe0a6b |
58 |
+index 0000000..0eac5aa |
59 |
--- /dev/null |
60 |
+++ b/grsecurity/grsec_log.c |
61 |
-@@ -0,0 +1,341 @@ |
62 |
+@@ -0,0 +1,342 @@ |
63 |
+#include <linux/kernel.h> |
64 |
+#include <linux/sched.h> |
65 |
+#include <linux/file.h> |
66 |
@@ -91968,10 +91968,11 @@ index 0000000..dbe0a6b |
67 |
+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1); |
68 |
+ break; |
69 |
+ case GR_TEXTREL: |
70 |
++ str1 = va_arg(ap, char *); |
71 |
+ file = va_arg(ap, struct file *); |
72 |
+ ulong1 = va_arg(ap, unsigned long); |
73 |
+ ulong2 = va_arg(ap, unsigned long); |
74 |
-+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2); |
75 |
++ gr_log_middle_varargs(audit, msg, str1, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2); |
76 |
+ break; |
77 |
+ case GR_PTRACE: |
78 |
+ task = va_arg(ap, struct task_struct *); |
79 |
@@ -92199,10 +92200,10 @@ index 0000000..fe02bf4 |
80 |
+} |
81 |
diff --git a/grsecurity/grsec_pax.c b/grsecurity/grsec_pax.c |
82 |
new file mode 100644 |
83 |
-index 0000000..6ee9d50 |
84 |
+index 0000000..2ad7b96 |
85 |
--- /dev/null |
86 |
+++ b/grsecurity/grsec_pax.c |
87 |
-@@ -0,0 +1,45 @@ |
88 |
+@@ -0,0 +1,47 @@ |
89 |
+#include <linux/kernel.h> |
90 |
+#include <linux/sched.h> |
91 |
+#include <linux/mm.h> |
92 |
@@ -92211,11 +92212,13 @@ index 0000000..6ee9d50 |
93 |
+#include <linux/grsecurity.h> |
94 |
+ |
95 |
+void |
96 |
-+gr_log_textrel(struct vm_area_struct * vma) |
97 |
++gr_log_textrel(struct vm_area_struct * vma, bool is_textrel_rw) |
98 |
+{ |
99 |
+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG |
100 |
+ if (grsec_enable_log_rwxmaps) |
101 |
-+ gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff); |
102 |
++ gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG, |
103 |
++ is_textrel_rw ? "executable to writable" : "writable to executable", |
104 |
++ vma->vm_file, vma->vm_start, vma->vm_pgoff); |
105 |
+#endif |
106 |
+ return; |
107 |
+} |
108 |
@@ -96465,7 +96468,7 @@ index 0000000..be66033 |
109 |
+#endif |
110 |
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h |
111 |
new file mode 100644 |
112 |
-index 0000000..fb1de5d |
113 |
+index 0000000..6245f9e |
114 |
--- /dev/null |
115 |
+++ b/include/linux/grinternal.h |
116 |
@@ -0,0 +1,230 @@ |
117 |
@@ -96682,7 +96685,7 @@ index 0000000..fb1de5d |
118 |
+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str) |
119 |
+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2) |
120 |
+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str) |
121 |
-+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2) |
122 |
++#define gr_log_textrel_ulong_ulong(audit, msg, str, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, str, file, ulong1, ulong2) |
123 |
+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task) |
124 |
+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2) |
125 |
+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str) |
126 |
@@ -96701,7 +96704,7 @@ index 0000000..fb1de5d |
127 |
+#endif |
128 |
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h |
129 |
new file mode 100644 |
130 |
-index 0000000..26ef560 |
131 |
+index 0000000..3092b3c |
132 |
--- /dev/null |
133 |
+++ b/include/linux/grmsg.h |
134 |
@@ -0,0 +1,118 @@ |
135 |
@@ -96811,7 +96814,7 @@ index 0000000..26ef560 |
136 |
+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for " |
137 |
+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by " |
138 |
+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by " |
139 |
-+#define GR_TEXTREL_AUDIT_MSG "denied text relocation in %.950s, VMA:0x%08lx 0x%08lx by " |
140 |
++#define GR_TEXTREL_AUDIT_MSG "allowed %s text relocation transition in %.950s, VMA:0x%08lx 0x%08lx by " |
141 |
+#define GR_PTGNUSTACK_MSG "denied marking stack executable as requested by PT_GNU_STACK marking in %.950s by " |
142 |
+#define GR_VM86_MSG "denied use of vm86 by " |
143 |
+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by " |
144 |
@@ -96825,7 +96828,7 @@ index 0000000..26ef560 |
145 |
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by " |
146 |
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h |
147 |
new file mode 100644 |
148 |
-index 0000000..085a746 |
149 |
+index 0000000..ae28a25 |
150 |
--- /dev/null |
151 |
+++ b/include/linux/grsecurity.h |
152 |
@@ -0,0 +1,247 @@ |
153 |
@@ -96916,7 +96919,7 @@ index 0000000..085a746 |
154 |
+void gr_log_remount(const char *devname, const int retval); |
155 |
+void gr_log_unmount(const char *devname, const int retval); |
156 |
+void gr_log_mount(const char *from, struct path *to, const int retval); |
157 |
-+void gr_log_textrel(struct vm_area_struct *vma); |
158 |
++void gr_log_textrel(struct vm_area_struct *vma, bool is_textrel_rw); |
159 |
+void gr_log_ptgnustack(struct file *file); |
160 |
+void gr_log_rwxmmap(struct file *file); |
161 |
+void gr_log_rwxmprotect(struct vm_area_struct *vma); |
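Review bot: The GR_TEXTREL_AUDIT_MSG hunk in include/linux/grmsg.h turns the audit line from a denial ("denied text relocation in ...") into an allow-audit ("allowed %s text relocation transition in ..."), so any log rule or parser keyed on the old prefix stops matching and the event now records a permitted transition rather than a refusal, while the 0000_README entry only renames the patch and says nothing about this. A one-line note next to the define, `/* audited, not denied: RWXMAP_LOG records the vm_flags transition granted in binfmt_elf.c */`, would make the new meaning explicit to anyone tuning detections. The new `%s` is also the only unbounded string conversion in that header, safe only because gr_log_textrel in grsecurity/grsec_pax.c passes one of two literals; state that where the literals are chosen, e.g. `/* must stay a literal: GR_TEXTREL_AUDIT_MSG formats it with an unbounded %s */`, or bound it as `%.32s` to match the header's other conversions. The calling function in fs/binfmt_elf.c starts and ends outside the hunk, so the else branch following the VM_MAYWRITE assignment is not visible here.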