commit: d92b42aa041e4af32620d59d11a277a259ca74fd |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Wed Dec 26 16:12:15 2012 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Wed Dec 26 16:12:15 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=d92b42aa |
|
Grsec/PaX: 2.9.1-3.7.1-201212171734 |
|
--- |
{3.7.0 => 3.7.1}/0000_README | 2 +- |
.../4420_grsecurity-2.9.1-3.7.1-201212171734.patch | 133 ++++++++++---------- |
3.7.1/4425_grsec_remove_EI_PAX.patch | 19 +++ |
.../4430_grsec-remove-localversion-grsec.patch | 0 |
{3.7.0 => 3.7.1}/4435_grsec-mute-warnings.patch | 0 |
.../4440_grsec-remove-protected-paths.patch | 0 |
.../4450_grsec-kconfig-default-gids.patch | 0 |
.../4465_selinux-avc_audit-log-curr_ip.patch | 0 |
{3.7.0 => 3.7.1}/4470_disable-compat_vdso.patch | 0 |
9 files changed, 87 insertions(+), 67 deletions(-) |
|
diff --git a/3.7.0/0000_README b/3.7.1/0000_README |
23 |
similarity index 96% |
24 |
rename from 3.7.0/0000_README |
25 |
rename to 3.7.1/0000_README |
26 |
index c9d0060..84caa16 100644 |
27 |
--- a/3.7.0/0000_README |
28 |
+++ b/3.7.1/0000_README |
29 |
@@ -2,7 +2,7 @@ README |
30 |
----------------------------------------------------------------------------- |
31 |
Individual Patch Descriptions: |
32 |
----------------------------------------------------------------------------- |
33 |
-Patch: 4420_grsecurity-2.9.1-3.7.0-201212151422.patch |
34 |
+Patch: 4420_grsecurity-2.9.1-3.7.1-201212171734.patch |
35 |
From: http://www.grsecurity.net |
36 |
Desc: hardened-sources base patch from upstream grsecurity |
37 |
|
38 |
|
39 |
diff --git a/3.7.0/4420_grsecurity-2.9.1-3.7.0-201212151422.patch b/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch |
40 |
similarity index 99% |
41 |
rename from 3.7.0/4420_grsecurity-2.9.1-3.7.0-201212151422.patch |
42 |
rename to 3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch |
43 |
index aaefb83..18a4557 100644 |
44 |
--- a/3.7.0/4420_grsecurity-2.9.1-3.7.0-201212151422.patch |
45 |
+++ b/3.7.1/4420_grsecurity-2.9.1-3.7.1-201212171734.patch |
46 |
@@ -251,7 +251,7 @@ index 9776f06..18b1856 100644 |
47 |
|
48 |
pcd. [PARIDE] |
49 |
diff --git a/Makefile b/Makefile |
50 |
-index 540f7b2..c823fc5 100644 |
51 |
+index fbf84a4..339f6de 100644 |
52 |
--- a/Makefile |
53 |
+++ b/Makefile |
54 |
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
55 |
@@ -20650,7 +20650,7 @@ index d017df3..61ae42e 100644 |
56 |
|
57 |
local_irq_disable(); |
58 |
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
59 |
-index f858159..491d386 100644 |
60 |
+index f858159..4ab7dba 100644 |
61 |
--- a/arch/x86/kvm/vmx.c |
62 |
+++ b/arch/x86/kvm/vmx.c |
63 |
@@ -1332,7 +1332,11 @@ static void reload_tss(void) |
64 |
@@ -20701,15 +20701,16 @@ index f858159..491d386 100644 |
65 |
|
66 |
vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */ |
67 |
#ifdef CONFIG_X86_64 |
68 |
-@@ -3734,6 +3748,7 @@ static void vmx_set_constant_host_state(void) |
69 |
+@@ -3733,7 +3747,7 @@ static void vmx_set_constant_host_state(void) |
70 |
+ native_store_idt(&dt); |
71 |
vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */ |
72 |
|
73 |
- vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */ |
74 |
+- vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */ |
75 |
+ vmcs_writel(HOST_RIP, ktla_ktva(vmx_return)); /* 22.2.5 */ |
76 |
|
77 |
rdmsr(MSR_IA32_SYSENTER_CS, low32, high32); |
78 |
vmcs_write32(HOST_IA32_SYSENTER_CS, low32); |
79 |
-@@ -6279,6 +6294,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
80 |
+@@ -6279,6 +6293,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
81 |
"jmp 2f \n\t" |
82 |
"1: " __ex(ASM_VMX_VMRESUME) "\n\t" |
83 |
"2: " |
84 |
@@ -20722,7 +20723,7 @@ index f858159..491d386 100644 |
85 |
/* Save guest registers, load host registers, keep flags */ |
86 |
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t" |
87 |
"pop %0 \n\t" |
88 |
-@@ -6331,6 +6352,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
89 |
+@@ -6331,6 +6351,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
90 |
#endif |
91 |
[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)), |
92 |
[wordsize]"i"(sizeof(ulong)) |
93 |
@@ -20734,7 +20735,7 @@ index f858159..491d386 100644 |
94 |
: "cc", "memory" |
95 |
#ifdef CONFIG_X86_64 |
96 |
, "rax", "rbx", "rdi", "rsi" |
97 |
-@@ -6344,7 +6370,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
98 |
+@@ -6344,7 +6369,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
99 |
if (debugctlmsr) |
100 |
update_debugctlmsr(debugctlmsr); |
101 |
|
102 |
@@ -20743,7 +20744,7 @@ index f858159..491d386 100644 |
103 |
/* |
104 |
* The sysexit path does not restore ds/es, so we must set them to |
105 |
* a reasonable value ourselves. |
106 |
-@@ -6353,8 +6379,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
107 |
+@@ -6353,8 +6378,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) |
108 |
* may be executed in interrupt context, which saves and restore segments |
109 |
* around it, nullifying its effect. |
110 |
*/ |
111 |
@@ -51614,7 +51615,7 @@ index 0000000..1b9afa9 |
112 |
+endif |
113 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
114 |
new file mode 100644 |
115 |
-index 0000000..4428c82 |
116 |
+index 0000000..b1810d9 |
117 |
--- /dev/null |
118 |
+++ b/grsecurity/gracl.c |
119 |
@@ -0,0 +1,4056 @@ |
120 |
@@ -52007,7 +52008,7 @@ index 0000000..4428c82 |
121 |
+struct acl_subject_label * |
122 |
+lookup_subject_map(const struct acl_subject_label *userp) |
123 |
+{ |
124 |
-+ unsigned int index = shash(userp, subj_map_set.s_size); |
125 |
++ unsigned int index = gr_shash(userp, subj_map_set.s_size); |
126 |
+ struct subject_map *match; |
127 |
+ |
128 |
+ match = subj_map_set.s_hash[index]; |
129 |
@@ -52024,7 +52025,7 @@ index 0000000..4428c82 |
130 |
+static void |
131 |
+insert_subj_map_entry(struct subject_map *subjmap) |
132 |
+{ |
133 |
-+ unsigned int index = shash(subjmap->user, subj_map_set.s_size); |
134 |
++ unsigned int index = gr_shash(subjmap->user, subj_map_set.s_size); |
135 |
+ struct subject_map **curr; |
136 |
+ |
137 |
+ subjmap->prev = NULL; |
138 |
@@ -52043,7 +52044,7 @@ index 0000000..4428c82 |
139 |
+lookup_acl_role_label(const struct task_struct *task, const uid_t uid, |
140 |
+ const gid_t gid) |
141 |
+{ |
142 |
-+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size); |
143 |
++ unsigned int index = gr_rhash(uid, GR_ROLE_USER, acl_role_set.r_size); |
144 |
+ struct acl_role_label *match; |
145 |
+ struct role_allowed_ip *ipp; |
146 |
+ unsigned int x; |
147 |
@@ -52066,7 +52067,7 @@ index 0000000..4428c82 |
148 |
+found: |
149 |
+ if (match == NULL) { |
150 |
+ try_group: |
151 |
-+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size); |
152 |
++ index = gr_rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size); |
153 |
+ match = acl_role_set.r_hash[index]; |
154 |
+ |
155 |
+ while (match) { |
156 |
@@ -52112,7 +52113,7 @@ index 0000000..4428c82 |
157 |
+lookup_acl_subj_label(const ino_t ino, const dev_t dev, |
158 |
+ const struct acl_role_label *role) |
159 |
+{ |
160 |
-+ unsigned int index = fhash(ino, dev, role->subj_hash_size); |
161 |
++ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); |
162 |
+ struct acl_subject_label *match; |
163 |
+ |
164 |
+ match = role->subj_hash[index]; |
165 |
@@ -52132,7 +52133,7 @@ index 0000000..4428c82 |
166 |
+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, |
167 |
+ const struct acl_role_label *role) |
168 |
+{ |
169 |
-+ unsigned int index = fhash(ino, dev, role->subj_hash_size); |
170 |
++ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); |
171 |
+ struct acl_subject_label *match; |
172 |
+ |
173 |
+ match = role->subj_hash[index]; |
174 |
@@ -52152,7 +52153,7 @@ index 0000000..4428c82 |
175 |
+lookup_acl_obj_label(const ino_t ino, const dev_t dev, |
176 |
+ const struct acl_subject_label *subj) |
177 |
+{ |
178 |
-+ unsigned int index = fhash(ino, dev, subj->obj_hash_size); |
179 |
++ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); |
180 |
+ struct acl_object_label *match; |
181 |
+ |
182 |
+ match = subj->obj_hash[index]; |
183 |
@@ -52172,7 +52173,7 @@ index 0000000..4428c82 |
184 |
+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev, |
185 |
+ const struct acl_subject_label *subj) |
186 |
+{ |
187 |
-+ unsigned int index = fhash(ino, dev, subj->obj_hash_size); |
188 |
++ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); |
189 |
+ struct acl_object_label *match; |
190 |
+ |
191 |
+ match = subj->obj_hash[index]; |
192 |
@@ -52246,7 +52247,7 @@ index 0000000..4428c82 |
193 |
+static struct inodev_entry * |
194 |
+lookup_inodev_entry(const ino_t ino, const dev_t dev) |
195 |
+{ |
196 |
-+ unsigned int index = fhash(ino, dev, inodev_set.i_size); |
197 |
++ unsigned int index = gr_fhash(ino, dev, inodev_set.i_size); |
198 |
+ struct inodev_entry *match; |
199 |
+ |
200 |
+ match = inodev_set.i_hash[index]; |
201 |
@@ -52260,7 +52261,7 @@ index 0000000..4428c82 |
202 |
+static void |
203 |
+insert_inodev_entry(struct inodev_entry *entry) |
204 |
+{ |
205 |
-+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device, |
206 |
++ unsigned int index = gr_fhash(entry->nentry->inode, entry->nentry->device, |
207 |
+ inodev_set.i_size); |
208 |
+ struct inodev_entry **curr; |
209 |
+ |
210 |
@@ -52280,7 +52281,7 @@ index 0000000..4428c82 |
211 |
+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid) |
212 |
+{ |
213 |
+ unsigned int index = |
214 |
-+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); |
215 |
++ gr_rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); |
216 |
+ struct acl_role_label **curr; |
217 |
+ struct acl_role_label *tmp, *tmp2; |
218 |
+ |
219 |
@@ -52413,7 +52414,7 @@ index 0000000..4428c82 |
220 |
+ struct acl_subject_label *subj) |
221 |
+{ |
222 |
+ unsigned int index = |
223 |
-+ fhash(obj->inode, obj->device, subj->obj_hash_size); |
224 |
++ gr_fhash(obj->inode, obj->device, subj->obj_hash_size); |
225 |
+ struct acl_object_label **curr; |
226 |
+ |
227 |
+ |
228 |
@@ -52433,7 +52434,7 @@ index 0000000..4428c82 |
229 |
+insert_acl_subj_label(struct acl_subject_label *obj, |
230 |
+ struct acl_role_label *role) |
231 |
+{ |
232 |
-+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size); |
233 |
++ unsigned int index = gr_fhash(obj->inode, obj->device, role->subj_hash_size); |
234 |
+ struct acl_subject_label **curr; |
235 |
+ |
236 |
+ obj->prev = NULL; |
237 |
@@ -54297,7 +54298,7 @@ index 0000000..4428c82 |
238 |
+ const ino_t newinode, const dev_t newdevice, |
239 |
+ struct acl_subject_label *subj) |
240 |
+{ |
241 |
-+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size); |
242 |
++ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size); |
243 |
+ struct acl_object_label *match; |
244 |
+ |
245 |
+ match = subj->obj_hash[index]; |
246 |
@@ -54336,7 +54337,7 @@ index 0000000..4428c82 |
247 |
+ const ino_t newinode, const dev_t newdevice, |
248 |
+ struct acl_role_label *role) |
249 |
+{ |
250 |
-+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size); |
251 |
++ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size); |
252 |
+ struct acl_subject_label *match; |
253 |
+ |
254 |
+ match = role->subj_hash[index]; |
255 |
@@ -54374,7 +54375,7 @@ index 0000000..4428c82 |
256 |
+update_inodev_entry(const ino_t oldinode, const dev_t olddevice, |
257 |
+ const ino_t newinode, const dev_t newdevice) |
258 |
+{ |
259 |
-+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size); |
260 |
++ unsigned int index = gr_fhash(oldinode, olddevice, inodev_set.i_size); |
261 |
+ struct inodev_entry *match; |
262 |
+ |
263 |
+ match = inodev_set.i_hash[index]; |
264 |
@@ -61755,7 +61756,7 @@ index d0a7967..63c4c47 100644 |
265 |
{ |
266 |
diff --git a/include/linux/gracl.h b/include/linux/gracl.h |
267 |
new file mode 100644 |
268 |
-index 0000000..c938b1f |
269 |
+index 0000000..ebe6d72 |
270 |
--- /dev/null |
271 |
+++ b/include/linux/gracl.h |
272 |
@@ -0,0 +1,319 @@ |
273 |
@@ -62019,25 +62020,25 @@ index 0000000..c938b1f |
274 |
+ Shift/add algorithm with modulus of table size and an XOR*/ |
275 |
+ |
276 |
+static __inline__ unsigned int |
277 |
-+rhash(const uid_t uid, const __u16 type, const unsigned int sz) |
278 |
++gr_rhash(const uid_t uid, const __u16 type, const unsigned int sz) |
279 |
+{ |
280 |
+ return ((((uid + type) << (16 + type)) ^ uid) % sz); |
281 |
+} |
282 |
+ |
283 |
+ static __inline__ unsigned int |
284 |
-+shash(const struct acl_subject_label *userp, const unsigned int sz) |
285 |
++gr_shash(const struct acl_subject_label *userp, const unsigned int sz) |
286 |
+{ |
287 |
+ return ((const unsigned long)userp % sz); |
288 |
+} |
289 |
+ |
290 |
+static __inline__ unsigned int |
291 |
-+fhash(const ino_t ino, const dev_t dev, const unsigned int sz) |
292 |
++gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz) |
293 |
+{ |
294 |
+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); |
295 |
+} |
296 |
+ |
297 |
+static __inline__ unsigned int |
298 |
-+nhash(const char *name, const __u16 len, const unsigned int sz) |
299 |
++gr_nhash(const char *name, const __u16 len, const unsigned int sz) |
300 |
+{ |
301 |
+ return full_name_hash((const unsigned char *)name, len) % sz; |
302 |
+} |
303 |
@@ -69684,7 +69685,7 @@ index aaa7b9f..055ff1e 100644 |
304 |
for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) { |
305 |
per_cpu(rcu_torture_count, cpu)[i] = 0; |
306 |
diff --git a/kernel/rcutree.c b/kernel/rcutree.c |
307 |
-index 74df86b..e0702bb 100644 |
308 |
+index 2682295..0f2297e 100644 |
309 |
--- a/kernel/rcutree.c |
310 |
+++ b/kernel/rcutree.c |
311 |
@@ -348,9 +348,9 @@ static void rcu_eqs_enter_common(struct rcu_dynticks *rdtp, long long oldval, |
312 |
@@ -69791,7 +69792,7 @@ index 74df86b..e0702bb 100644 |
313 |
} |
314 |
|
315 |
/* |
316 |
-@@ -1830,7 +1830,7 @@ static void rcu_do_batch(struct rcu_state *rsp, struct rcu_data *rdp) |
317 |
+@@ -1831,7 +1831,7 @@ static void rcu_do_batch(struct rcu_state *rsp, struct rcu_data *rdp) |
318 |
} |
319 |
smp_mb(); /* List handling before counting for rcu_barrier(). */ |
320 |
rdp->qlen_lazy -= count_lazy; |
321 |
@@ -69800,7 +69801,7 @@ index 74df86b..e0702bb 100644 |
322 |
rdp->n_cbs_invoked += count; |
323 |
|
324 |
/* Reinstate batch limit if we have worked down the excess. */ |
325 |
-@@ -2023,7 +2023,7 @@ __rcu_process_callbacks(struct rcu_state *rsp) |
326 |
+@@ -2024,7 +2024,7 @@ __rcu_process_callbacks(struct rcu_state *rsp) |
327 |
/* |
328 |
* Do RCU core processing for the current CPU. |
329 |
*/ |
330 |
@@ -69809,7 +69810,7 @@ index 74df86b..e0702bb 100644 |
331 |
{ |
332 |
struct rcu_state *rsp; |
333 |
|
334 |
-@@ -2135,7 +2135,7 @@ __call_rcu(struct rcu_head *head, void (*func)(struct rcu_head *rcu), |
335 |
+@@ -2136,7 +2136,7 @@ __call_rcu(struct rcu_head *head, void (*func)(struct rcu_head *rcu), |
336 |
local_irq_restore(flags); |
337 |
return; |
338 |
} |
339 |
@@ -69818,7 +69819,7 @@ index 74df86b..e0702bb 100644 |
340 |
if (lazy) |
341 |
rdp->qlen_lazy++; |
342 |
else |
343 |
-@@ -2249,8 +2249,8 @@ void synchronize_rcu_bh(void) |
344 |
+@@ -2250,8 +2250,8 @@ void synchronize_rcu_bh(void) |
345 |
} |
346 |
EXPORT_SYMBOL_GPL(synchronize_rcu_bh); |
347 |
|
348 |
@@ -69829,7 +69830,7 @@ index 74df86b..e0702bb 100644 |
349 |
|
350 |
static int synchronize_sched_expedited_cpu_stop(void *data) |
351 |
{ |
352 |
-@@ -2311,7 +2311,7 @@ void synchronize_sched_expedited(void) |
353 |
+@@ -2312,7 +2312,7 @@ void synchronize_sched_expedited(void) |
354 |
int firstsnap, s, snap, trycount = 0; |
355 |
|
356 |
/* Note that atomic_inc_return() implies full memory barrier. */ |
357 |
@@ -69838,7 +69839,7 @@ index 74df86b..e0702bb 100644 |
358 |
get_online_cpus(); |
359 |
WARN_ON_ONCE(cpu_is_offline(raw_smp_processor_id())); |
360 |
|
361 |
-@@ -2333,7 +2333,7 @@ void synchronize_sched_expedited(void) |
362 |
+@@ -2334,7 +2334,7 @@ void synchronize_sched_expedited(void) |
363 |
} |
364 |
|
365 |
/* Check to see if someone else did our work for us. */ |
366 |
@@ -69847,7 +69848,7 @@ index 74df86b..e0702bb 100644 |
367 |
if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) { |
368 |
smp_mb(); /* ensure test happens before caller kfree */ |
369 |
return; |
370 |
-@@ -2348,7 +2348,7 @@ void synchronize_sched_expedited(void) |
371 |
+@@ -2349,7 +2349,7 @@ void synchronize_sched_expedited(void) |
372 |
* grace period works for us. |
373 |
*/ |
374 |
get_online_cpus(); |
375 |
@@ -69856,7 +69857,7 @@ index 74df86b..e0702bb 100644 |
376 |
smp_mb(); /* ensure read is before try_stop_cpus(). */ |
377 |
} |
378 |
|
379 |
-@@ -2359,12 +2359,12 @@ void synchronize_sched_expedited(void) |
380 |
+@@ -2360,12 +2360,12 @@ void synchronize_sched_expedited(void) |
381 |
* than we did beat us to the punch. |
382 |
*/ |
383 |
do { |
384 |
@@ -69871,7 +69872,7 @@ index 74df86b..e0702bb 100644 |
385 |
|
386 |
put_online_cpus(); |
387 |
} |
388 |
-@@ -2538,7 +2538,7 @@ static void _rcu_barrier(struct rcu_state *rsp) |
389 |
+@@ -2539,7 +2539,7 @@ static void _rcu_barrier(struct rcu_state *rsp) |
390 |
* ACCESS_ONCE() to prevent the compiler from speculating |
391 |
* the increment to precede the early-exit check. |
392 |
*/ |
393 |
@@ -69880,7 +69881,7 @@ index 74df86b..e0702bb 100644 |
394 |
WARN_ON_ONCE((rsp->n_barrier_done & 0x1) != 1); |
395 |
_rcu_barrier_trace(rsp, "Inc1", -1, rsp->n_barrier_done); |
396 |
smp_mb(); /* Order ->n_barrier_done increment with below mechanism. */ |
397 |
-@@ -2580,7 +2580,7 @@ static void _rcu_barrier(struct rcu_state *rsp) |
398 |
+@@ -2581,7 +2581,7 @@ static void _rcu_barrier(struct rcu_state *rsp) |
399 |
|
400 |
/* Increment ->n_barrier_done to prevent duplicate work. */ |
401 |
smp_mb(); /* Keep increment after above mechanism. */ |
402 |
@@ -69889,7 +69890,7 @@ index 74df86b..e0702bb 100644 |
403 |
WARN_ON_ONCE((rsp->n_barrier_done & 0x1) != 0); |
404 |
_rcu_barrier_trace(rsp, "Inc2", -1, rsp->n_barrier_done); |
405 |
smp_mb(); /* Keep increment before caller's subsequent code. */ |
406 |
-@@ -2625,10 +2625,10 @@ rcu_boot_init_percpu_data(int cpu, struct rcu_state *rsp) |
407 |
+@@ -2626,10 +2626,10 @@ rcu_boot_init_percpu_data(int cpu, struct rcu_state *rsp) |
408 |
rdp->grpmask = 1UL << (cpu - rdp->mynode->grplo); |
409 |
init_callback_list(rdp); |
410 |
rdp->qlen_lazy = 0; |
411 |
@@ -69902,7 +69903,7 @@ index 74df86b..e0702bb 100644 |
412 |
#ifdef CONFIG_RCU_USER_QS |
413 |
WARN_ON_ONCE(rdp->dynticks->in_user); |
414 |
#endif |
415 |
-@@ -2663,8 +2663,8 @@ rcu_init_percpu_data(int cpu, struct rcu_state *rsp, int preemptible) |
416 |
+@@ -2664,8 +2664,8 @@ rcu_init_percpu_data(int cpu, struct rcu_state *rsp, int preemptible) |
417 |
rdp->blimit = blimit; |
418 |
init_callback_list(rdp); /* Re-enable callbacks on this CPU. */ |
419 |
rdp->dynticks->dynticks_nesting = DYNTICK_TASK_EXIT_IDLE; |
420 |
@@ -71034,7 +71035,7 @@ index c0bd030..62a1927 100644 |
421 |
ret = -EIO; |
422 |
bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt, |
423 |
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c |
424 |
-index 9dcf15d..9bab704 100644 |
425 |
+index 51b7159..7f83cf8 100644 |
426 |
--- a/kernel/trace/ftrace.c |
427 |
+++ b/kernel/trace/ftrace.c |
428 |
@@ -1874,12 +1874,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec) |
429 |
@@ -71078,7 +71079,7 @@ index 9dcf15d..9bab704 100644 |
430 |
start_pg = ftrace_allocate_pages(count); |
431 |
if (!start_pg) |
432 |
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c |
433 |
-index b979426..c54ff13 100644 |
434 |
+index 4cb5e51..e7e05d9 100644 |
435 |
--- a/kernel/trace/ring_buffer.c |
436 |
+++ b/kernel/trace/ring_buffer.c |
437 |
@@ -346,9 +346,9 @@ struct buffer_data_page { |
438 |
@@ -71150,7 +71151,7 @@ index b979426..c54ff13 100644 |
439 |
local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); |
440 |
} |
441 |
|
442 |
-@@ -1903,7 +1903,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, |
443 |
+@@ -1905,7 +1905,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer, |
444 |
* it is our responsibility to update |
445 |
* the counters. |
446 |
*/ |
447 |
@@ -71159,7 +71160,7 @@ index b979426..c54ff13 100644 |
448 |
local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes); |
449 |
|
450 |
/* |
451 |
-@@ -2053,7 +2053,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, |
452 |
+@@ -2055,7 +2055,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, |
453 |
if (tail == BUF_PAGE_SIZE) |
454 |
tail_page->real_end = 0; |
455 |
|
456 |
@@ -71168,7 +71169,7 @@ index b979426..c54ff13 100644 |
457 |
return; |
458 |
} |
459 |
|
460 |
-@@ -2088,7 +2088,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, |
461 |
+@@ -2090,7 +2090,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, |
462 |
rb_event_set_padding(event); |
463 |
|
464 |
/* Set the write back to the previous setting */ |
465 |
@@ -71177,7 +71178,7 @@ index b979426..c54ff13 100644 |
466 |
return; |
467 |
} |
468 |
|
469 |
-@@ -2100,7 +2100,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, |
470 |
+@@ -2102,7 +2102,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer, |
471 |
|
472 |
/* Set write to end of buffer */ |
473 |
length = (tail + length) - BUF_PAGE_SIZE; |
474 |
@@ -71186,7 +71187,7 @@ index b979426..c54ff13 100644 |
475 |
} |
476 |
|
477 |
/* |
478 |
-@@ -2126,7 +2126,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, |
479 |
+@@ -2128,7 +2128,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, |
480 |
* about it. |
481 |
*/ |
482 |
if (unlikely(next_page == commit_page)) { |
483 |
@@ -71195,7 +71196,7 @@ index b979426..c54ff13 100644 |
484 |
goto out_reset; |
485 |
} |
486 |
|
487 |
-@@ -2180,7 +2180,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, |
488 |
+@@ -2182,7 +2182,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer, |
489 |
cpu_buffer->tail_page) && |
490 |
(cpu_buffer->commit_page == |
491 |
cpu_buffer->reader_page))) { |
492 |
@@ -71204,7 +71205,7 @@ index b979426..c54ff13 100644 |
493 |
goto out_reset; |
494 |
} |
495 |
} |
496 |
-@@ -2228,7 +2228,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, |
497 |
+@@ -2230,7 +2230,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, |
498 |
length += RB_LEN_TIME_EXTEND; |
499 |
|
500 |
tail_page = cpu_buffer->tail_page; |
501 |
@@ -71213,7 +71214,7 @@ index b979426..c54ff13 100644 |
502 |
|
503 |
/* set write to only the index of the write */ |
504 |
write &= RB_WRITE_MASK; |
505 |
-@@ -2245,7 +2245,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, |
506 |
+@@ -2247,7 +2247,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer, |
507 |
kmemcheck_annotate_bitfield(event, bitfield); |
508 |
rb_update_event(cpu_buffer, event, length, add_timestamp, delta); |
509 |
|
510 |
@@ -71222,7 +71223,7 @@ index b979426..c54ff13 100644 |
511 |
|
512 |
/* |
513 |
* If this is the first commit on the page, then update |
514 |
-@@ -2278,7 +2278,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, |
515 |
+@@ -2280,7 +2280,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, |
516 |
|
517 |
if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) { |
518 |
unsigned long write_mask = |
519 |
@@ -71231,7 +71232,7 @@ index b979426..c54ff13 100644 |
520 |
unsigned long event_length = rb_event_length(event); |
521 |
/* |
522 |
* This is on the tail page. It is possible that |
523 |
-@@ -2288,7 +2288,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, |
524 |
+@@ -2290,7 +2290,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer, |
525 |
*/ |
526 |
old_index += write_mask; |
527 |
new_index += write_mask; |
528 |
@@ -71240,7 +71241,7 @@ index b979426..c54ff13 100644 |
529 |
if (index == old_index) { |
530 |
/* update counters */ |
531 |
local_sub(event_length, &cpu_buffer->entries_bytes); |
532 |
-@@ -2627,7 +2627,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, |
533 |
+@@ -2629,7 +2629,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, |
534 |
|
535 |
/* Do the likely case first */ |
536 |
if (likely(bpage->page == (void *)addr)) { |
537 |
@@ -71249,7 +71250,7 @@ index b979426..c54ff13 100644 |
538 |
return; |
539 |
} |
540 |
|
541 |
-@@ -2639,7 +2639,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, |
542 |
+@@ -2641,7 +2641,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer, |
543 |
start = bpage; |
544 |
do { |
545 |
if (bpage->page == (void *)addr) { |
546 |
@@ -71258,7 +71259,7 @@ index b979426..c54ff13 100644 |
547 |
return; |
548 |
} |
549 |
rb_inc_page(cpu_buffer, &bpage); |
550 |
-@@ -2921,7 +2921,7 @@ static inline unsigned long |
551 |
+@@ -2923,7 +2923,7 @@ static inline unsigned long |
552 |
rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer) |
553 |
{ |
554 |
return local_read(&cpu_buffer->entries) - |
555 |
@@ -71267,7 +71268,7 @@ index b979426..c54ff13 100644 |
556 |
} |
557 |
|
558 |
/** |
559 |
-@@ -3008,7 +3008,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) |
560 |
+@@ -3011,7 +3011,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu) |
561 |
return 0; |
562 |
|
563 |
cpu_buffer = buffer->buffers[cpu]; |
564 |
@@ -71276,7 +71277,7 @@ index b979426..c54ff13 100644 |
565 |
|
566 |
return ret; |
567 |
} |
568 |
-@@ -3029,7 +3029,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) |
569 |
+@@ -3032,7 +3032,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu) |
570 |
return 0; |
571 |
|
572 |
cpu_buffer = buffer->buffers[cpu]; |
573 |
@@ -71285,7 +71286,7 @@ index b979426..c54ff13 100644 |
574 |
|
575 |
return ret; |
576 |
} |
577 |
-@@ -3074,7 +3074,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) |
578 |
+@@ -3077,7 +3077,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer) |
579 |
/* if you care about this being correct, lock the buffer */ |
580 |
for_each_buffer_cpu(buffer, cpu) { |
581 |
cpu_buffer = buffer->buffers[cpu]; |
582 |
@@ -71294,7 +71295,7 @@ index b979426..c54ff13 100644 |
583 |
} |
584 |
|
585 |
return overruns; |
586 |
-@@ -3250,8 +3250,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) |
587 |
+@@ -3253,8 +3253,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) |
588 |
/* |
589 |
* Reset the reader page to size zero. |
590 |
*/ |
591 |
@@ -71305,7 +71306,7 @@ index b979426..c54ff13 100644 |
592 |
local_set(&cpu_buffer->reader_page->page->commit, 0); |
593 |
cpu_buffer->reader_page->real_end = 0; |
594 |
|
595 |
-@@ -3283,7 +3283,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) |
596 |
+@@ -3288,7 +3288,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer) |
597 |
* want to compare with the last_overrun. |
598 |
*/ |
599 |
smp_mb(); |
600 |
@@ -71314,7 +71315,7 @@ index b979426..c54ff13 100644 |
601 |
|
602 |
/* |
603 |
* Here's the tricky part. |
604 |
-@@ -3848,8 +3848,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) |
605 |
+@@ -3858,8 +3858,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) |
606 |
|
607 |
cpu_buffer->head_page |
608 |
= list_entry(cpu_buffer->pages, struct buffer_page, list); |
609 |
@@ -71325,7 +71326,7 @@ index b979426..c54ff13 100644 |
610 |
local_set(&cpu_buffer->head_page->page->commit, 0); |
611 |
|
612 |
cpu_buffer->head_page->read = 0; |
613 |
-@@ -3859,14 +3859,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) |
614 |
+@@ -3869,14 +3869,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) |
615 |
|
616 |
INIT_LIST_HEAD(&cpu_buffer->reader_page->list); |
617 |
INIT_LIST_HEAD(&cpu_buffer->new_pages); |
618 |
@@ -71344,7 +71345,7 @@ index b979426..c54ff13 100644 |
619 |
local_set(&cpu_buffer->entries, 0); |
620 |
local_set(&cpu_buffer->committing, 0); |
621 |
local_set(&cpu_buffer->commits, 0); |
622 |
-@@ -4269,8 +4269,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, |
623 |
+@@ -4279,8 +4279,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer, |
624 |
rb_init_page(bpage); |
625 |
bpage = reader->page; |
626 |
reader->page = *data_page; |
627 |
|
628 |
diff --git a/3.7.1/4425_grsec_remove_EI_PAX.patch b/3.7.1/4425_grsec_remove_EI_PAX.patch |
629 |
new file mode 100644 |
630 |
index 0000000..97e6951 |
631 |
--- /dev/null |
632 |
+++ b/3.7.1/4425_grsec_remove_EI_PAX.patch |
633 |
@@ -0,0 +1,19 @@ |
634 |
+From: Anthony G. Basile <blueness@g.o> |
635 |
+ |
636 |
+Deprecate EI_PAX. |
637 |
+ |
638 |
+X-Gentoo-Bug: 445600 |
639 |
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600 |
640 |
+ |
641 |
+diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig |
642 |
+--- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500 |
643 |
++++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500 |
644 |
+@@ -263,7 +263,7 @@ |
645 |
+ |
646 |
+ config PAX_EI_PAX |
647 |
+ bool 'Use legacy ELF header marking' |
648 |
+- default y if GRKERNSEC_CONFIG_AUTO |
649 |
++ depends on BROKEN |
650 |
+ help |
651 |
+ Enabling this option will allow you to control PaX features on |
652 |
+ a per executable basis via the 'chpax' utility available at |
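Review bot: The new Kconfig hunk puts `PAX_EI_PAX` behind `depends on BROKEN`, but the patch header says only "Deprecate EI_PAX." and the retained help text still presents the option as the way to control PaX features per executable with `chpax`. With the option unselectable, binaries whose PaX exceptions live only in the legacy ELF header field will presumably run with the default flags, so the header should state that and name the supported replacements, for example `Binaries marked only via chpax must be re-marked using PAX_PT_PAX_FLAGS or PAX_XATTR_PAX_FLAGS.` The 0000_README hunk in this commit touches only the 4420 line, so unless an entry already exists outside the visible context, a `Patch: 4425_grsec_remove_EI_PAX.patch` description with From/Desc lines is missing there. The help text of the option continues past the end of the hunk.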
653 |
|
654 |
diff --git a/3.7.0/4430_grsec-remove-localversion-grsec.patch b/3.7.1/4430_grsec-remove-localversion-grsec.patch |
655 |
similarity index 100% |
656 |
rename from 3.7.0/4430_grsec-remove-localversion-grsec.patch |
657 |
rename to 3.7.1/4430_grsec-remove-localversion-grsec.patch |
658 |
|
659 |
diff --git a/3.7.0/4435_grsec-mute-warnings.patch b/3.7.1/4435_grsec-mute-warnings.patch |
660 |
similarity index 100% |
661 |
rename from 3.7.0/4435_grsec-mute-warnings.patch |
662 |
rename to 3.7.1/4435_grsec-mute-warnings.patch |
663 |
|
664 |
diff --git a/3.7.0/4440_grsec-remove-protected-paths.patch b/3.7.1/4440_grsec-remove-protected-paths.patch |
665 |
similarity index 100% |
666 |
rename from 3.7.0/4440_grsec-remove-protected-paths.patch |
667 |
rename to 3.7.1/4440_grsec-remove-protected-paths.patch |
668 |
|
669 |
diff --git a/3.7.0/4450_grsec-kconfig-default-gids.patch b/3.7.1/4450_grsec-kconfig-default-gids.patch |
670 |
similarity index 100% |
671 |
rename from 3.7.0/4450_grsec-kconfig-default-gids.patch |
672 |
rename to 3.7.1/4450_grsec-kconfig-default-gids.patch |
673 |
|
674 |
diff --git a/3.7.0/4465_selinux-avc_audit-log-curr_ip.patch b/3.7.1/4465_selinux-avc_audit-log-curr_ip.patch |
675 |
similarity index 100% |
676 |
rename from 3.7.0/4465_selinux-avc_audit-log-curr_ip.patch |
677 |
rename to 3.7.1/4465_selinux-avc_audit-log-curr_ip.patch |
678 |
|
679 |
diff --git a/3.7.0/4470_disable-compat_vdso.patch b/3.7.1/4470_disable-compat_vdso.patch |
680 |
similarity index 100% |
681 |
rename from 3.7.0/4470_disable-compat_vdso.patch |
682 |
rename to 3.7.1/4470_disable-compat_vdso.patch |