[gentoo-commits] proj/hardened-patchset:master commit in: 4.6.4/ - gentoo-commits

From:	"Anthony G. Basile" <blueness@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-patchset:master commit in: 4.6.4/
Date:	Tue, 26 Jul 2016 07:02:21
Message-Id:	`1469516148.626340b17d84dea8bf5f882750f594207fd5119c.blueness@gentoo`

1

commit:     626340b17d84dea8bf5f882750f594207fd5119c

2

Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>

3

AuthorDate: Tue Jul 26 06:55:48 2016 +0000

4

Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>

5

CommitDate: Tue Jul 26 06:55:48 2016 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=626340b1

7

8

grsecurity-3.1-4.6.4-201607242014

9

10

 4.6.4/0000_README                                  |  2 +-

11

 ...> 4420_grsecurity-3.1-4.6.4-201607242014.patch} | 81 ++++++++++++++--------

12

 2 files changed, 53 insertions(+), 30 deletions(-)

13

14

diff --git a/4.6.4/0000_README b/4.6.4/0000_README

15

index 0a9f680..81410da 100644

16

--- a/4.6.4/0000_README

17

+++ b/4.6.4/0000_README

18

@@ -2,7 +2,7 @@ README

19

 -----------------------------------------------------------------------------

20

 Individual Patch Descriptions:

21

 -----------------------------------------------------------------------------

22

-Patch:	4420_grsecurity-3.1-4.6.4-201607192040.patch

23

+Patch:	4420_grsecurity-3.1-4.6.4-201607242014.patch

24

 From:	http://www.grsecurity.net

25

 Desc:	hardened-sources base patch from upstream grsecurity

26

27

28

diff --git a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch

29

similarity index 99%

30

rename from 4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch

31

rename to 4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch

32

index 4b02b21..f7868ce 100644

33

--- a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch

34

+++ b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch

35

@@ -877,7 +877,7 @@ index a876743..fe2a193 100644

36

  	  Counts number of I and D TLB Misses and exports them via Debugfs

37

  	  The counters can be cleared via Debugfs as well

38

 diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig

39

-index cdfa6c2..aba8354 100644

40

+index cdfa6c2..f39881d 100644

41

 --- a/arch/arm/Kconfig

42

 +++ b/arch/arm/Kconfig

43

 @@ -53,6 +53,7 @@ config ARM

44

@@ -888,7 +888,15 @@ index cdfa6c2..aba8354 100644

45

  	select HAVE_GENERIC_DMA_COHERENT

46

  	select HAVE_HW_BREAKPOINT if (PERF_EVENTS && (CPU_V6 || CPU_V6K || CPU_V7))

47

  	select HAVE_IDE if PCI || ISA || PCMCIA

48

-@@ -1629,6 +1630,7 @@ config HIGHPTE

49

+@@ -1561,6 +1562,7 @@ config AEABI

50

+ config OABI_COMPAT

51

+ 	bool "Allow old ABI binaries to run with this kernel (EXPERIMENTAL)"

52

+ 	depends on AEABI && !THUMB2_KERNEL

53

++	depends on !GRKERNSEC

54

+ 	help

55

+ 	  This option preserves the old syscall interface along with the

56

+ 	  new (ARM EABI) one. It also provides a compatibility layer to

57

+@@ -1629,6 +1631,7 @@ config HIGHPTE

58

  config CPU_SW_DOMAIN_PAN

59

  	bool "Enable use of CPU domains to implement privileged no-access"

60

  	depends on MMU && !ARM_LPAE

61

@@ -896,7 +904,7 @@ index cdfa6c2..aba8354 100644

62

  	default y

63

  	help

64

  	  Increase kernel security by ensuring that normal kernel accesses

65

-@@ -1705,7 +1707,7 @@ config ALIGNMENT_TRAP

66

+@@ -1705,7 +1708,7 @@ config ALIGNMENT_TRAP

67

68

  config UACCESS_WITH_MEMCPY

69

  	bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"

70

@@ -905,7 +913,7 @@ index cdfa6c2..aba8354 100644

71

  	default y if CPU_FEROCEON

72

  	help

73

  	  Implement faster copy_to_user and clear_user methods for CPU

74

-@@ -1960,6 +1962,7 @@ config KEXEC

75

+@@ -1960,6 +1963,7 @@ config KEXEC

76

  	depends on (!SMP || PM_SLEEP_SMP)

77

  	depends on !CPU_V7M

78

  	select KEXEC_CORE

79

@@ -913,7 +921,7 @@ index cdfa6c2..aba8354 100644

80

  	help

81

  	  kexec is a system call that implements the ability to shutdown your

82

  	  current kernel, and to start another kernel.  It is like a reboot

83

-@@ -2004,7 +2007,7 @@ config EFI_STUB

84

+@@ -2004,7 +2008,7 @@ config EFI_STUB

85

86

  config EFI

87

  	bool "UEFI runtime support"

88

@@ -23850,7 +23858,7 @@ index c3496619..3f3a7dc 100644

89

  asmlinkage void smp_deferred_error_interrupt(void);

90

  #endif

91

 diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h

92

-index 2e7513d..73d9d20 100644

93

+index 2e7513d..792107f 100644

94

 --- a/arch/x86/include/asm/uaccess.h

95

 +++ b/arch/x86/include/asm/uaccess.h

96

 @@ -7,6 +7,7 @@

97

@@ -23887,7 +23895,7 @@ index 2e7513d..73d9d20 100644

98

 +	unsigned long __size = size;					\

99

 +	unsigned long __addr = (unsigned long)addr;			\

100

 +	bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\

101

-+	if (__ret_ao && __size) {					\

102

++	if (__ret_ao && __size < 256 * PAGE_SIZE) {			\

103

 +		unsigned long __addr_ao = __addr & PAGE_MASK;		\

104

 +		unsigned long __end_ao = __addr + __size - 1;		\

105

 +		if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) {	\

106

@@ -28460,7 +28468,7 @@ index e565e0e..fdfeb45 100644

107

}

108

  		memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);

109

 diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c

110

-index 2da6ee9..4cbe3af 100644

111

+index 2da6ee9..fc0ca78 100644

112

 --- a/arch/x86/kernel/kgdb.c

113

 +++ b/arch/x86/kernel/kgdb.c

114

 @@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)

115

@@ -28518,7 +28526,7 @@ index 2da6ee9..4cbe3af 100644

116

  	text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,

117

  		  BREAK_INSTR_SIZE);

118

 -	err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);

119

-+	err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);

120

++	err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);

121

  	if (err)

122

  		return err;

123

  	if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))

124

@@ -28527,7 +28535,7 @@ index 2da6ee9..4cbe3af 100644

125

  		goto knl_write;

126

  	text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);

127

 -	err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);

128

-+	err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);

129

++	err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);

130

  	if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))

131

  		goto knl_write;

132

  	return err;

133

@@ -124075,10 +124083,10 @@ index 0000000..696d76d

134

+}

135

 diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c

136

 new file mode 100644

137

-index 0000000..39645c9

138

+index 0000000..dfba8fd

139

 --- /dev/null

140

 +++ b/grsecurity/gracl_res.c

141

-@@ -0,0 +1,68 @@

142

+@@ -0,0 +1,74 @@

143

 +#include <linux/kernel.h>

144

 +#include <linux/sched.h>

145

 +#include <linux/gracl.h>

146

@@ -124118,6 +124126,14 @@ index 0000000..39645c9

147

 +	if (unlikely(!restab_log[res]))

148

 +		return;

149

+

150

++	/*

151

++	 * not really security relevant, too much userland code shared

152

++	 * from pulseaudio that blindly attempts to violate limits in a loop,

153

++	 * resulting in log spam

154

++	 */

155

++	if (res == RLIMIT_NICE)

156

++		return;

157

++

158

 +	if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)

159

 +		rlim = task_rlimit_max(task, res);

160

 +	else

161

@@ -124136,8 +124152,6 @@ index 0000000..39645c9

162

 +	else if (res == RLIMIT_MEMLOCK &&

163

 +		 cap_raised(cred->cap_effective, CAP_IPC_LOCK))

164

 +		goto out_rcu_unlock;

165

-+	else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))

166

-+		goto out_rcu_unlock;

167

 +	rcu_read_unlock();

168

+

169

 +	gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);

170

@@ -144283,7 +144297,7 @@ index 2c5e3a8..301fb1a 100644

171

  	return -ENOSYS;

172

}

173

 diff --git a/kernel/sysctl.c b/kernel/sysctl.c

174

-index 725587f..750f909 100644

175

+index 725587f..c7834cc 100644

176

 --- a/kernel/sysctl.c

177

 +++ b/kernel/sysctl.c

178

 @@ -95,7 +95,6 @@

179

@@ -144440,7 +144454,7 @@ index 725587f..750f909 100644

180

 -		.proc_handler	= proc_dointvec_minmax_sysadmin,

181

 +		.proc_handler	= proc_dointvec_minmax_secure_sysadmin,

182

 +#ifdef CONFIG_GRKERNSEC_HIDESYM

183

-+		.extra1		= &two,

184

++		.extra1		= &one,

185

 +#else

186

  		.extra1		= &zero,

187

 +#endif

188

@@ -146874,7 +146888,7 @@ index 4f5b1dd..7cab418 100644

189

+}

190

 +EXPORT_SYMBOL(copy_to_user_overflow);

191

 diff --git a/lib/vsprintf.c b/lib/vsprintf.c

192

-index ccb664b..058e2978 100644

193

+index ccb664b..be065a5 100644

194

 --- a/lib/vsprintf.c

195

 +++ b/lib/vsprintf.c

196

 @@ -16,6 +16,9 @@

197

@@ -146902,7 +146916,7 @@ index ccb664b..058e2978 100644

198

199

 -int kptr_restrict __read_mostly;

200

 +#ifdef CONFIG_GRKERNSEC_HIDESYM

201

-+int kptr_restrict __read_only = 2;

202

++int kptr_restrict __read_only = 1;

203

 +#else

204

 +int kptr_restrict __read_only;

205

 +#endif

206

@@ -146959,7 +146973,17 @@ index ccb664b..058e2978 100644

207

  	case 'K':

208

  		switch (kptr_restrict) {

209

  		case 0:

210

-@@ -1724,6 +1743,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,

211

+@@ -1691,6 +1710,9 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,

212

+ 			 */

213

+ 			cred = current_cred();

214

+ 			if (!has_capability_noaudit(current, CAP_SYSLOG) ||

215

++#ifdef CONFIG_GRKERNSEC_HIDESYM

216

++			    !has_capability_noaudit(current, CAP_SYS_ADMIN) ||

217

++#endif

218

+ 			    !uid_eq(cred->euid, cred->uid) ||

219

+ 			    !gid_eq(cred->egid, cred->gid))

220

+ 				ptr = NULL;

221

+@@ -1724,6 +1746,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,

222

  	case 'G':

223

  		return flags_string(buf, end, ptr, fmt);

224

}

225

@@ -146982,7 +147006,7 @@ index ccb664b..058e2978 100644

226

  	spec.flags |= SMALL;

227

  	if (spec.field_width == -1) {

228

  		spec.field_width = default_width;

229

-@@ -2424,11 +2459,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)

230

+@@ -2424,11 +2462,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)

231

  	typeof(type) value;						\

232

  	if (sizeof(type) == 8) {					\

233

  		args = PTR_ALIGN(args, sizeof(u32));			\

234

@@ -146997,7 +147021,7 @@ index ccb664b..058e2978 100644

235

  	}								\

236

  	args += sizeof(type);						\

237

  	value;								\

238

-@@ -2491,7 +2526,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)

239

+@@ -2491,7 +2529,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)

240

  		case FORMAT_TYPE_STR: {

241

  			const char *str_arg = args;

242

  			args += strlen(str_arg) + 1;

243

@@ -163915,10 +163939,10 @@ index 0000000..ffe60f6

244

+}

245

 diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c

246

 new file mode 100644

247

-index 0000000..1a56d17

248

+index 0000000..b769ccf

249

 --- /dev/null

250

 +++ b/scripts/gcc-plugins/constify_plugin.c

251

-@@ -0,0 +1,583 @@

252

+@@ -0,0 +1,582 @@

253

+/*

254

 + * Copyright 2011 by Emese Revfy <re.emese@×××××.com>

255

 + * Copyright 2011-2016 by PaX Team <pageexec@××××××××.hu>

256

@@ -163944,7 +163968,7 @@ index 0000000..1a56d17

257

 +static bool enabled = true;

258

+

259

 +static struct plugin_info const_plugin_info = {

260

-+	.version	= "201606280200",

261

++	.version	= "201607241840",

262

 +	.help		= "disable\tturn off constification\n",

263

+};

264

+

265

@@ -164069,10 +164093,8 @@ index 0000000..1a56d17

266

 +				continue;

267

 +			if (!constified(ptrtype))

268

 +				continue;

269

-+			if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type)) {

270

-+				TREE_TYPE(field) = copy_node(TREE_TYPE(field));

271

-+				TREE_TYPE(TREE_TYPE(field)) = build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST);

272

-+			}

273

++			if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type))

274

++				TREE_TYPE(field) = build_pointer_type(build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST));

275

 +			continue;

276

 +		}

277

 +		if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) != UNION_TYPE)

278

@@ -164190,6 +164212,7 @@ index 0000000..1a56d17

279

+

280

 +static void constify_type(tree type)

281

+{

282

++	gcc_assert(type == TYPE_MAIN_VARIANT(type));

283

 +	TYPE_READONLY(type) = 1;

284

 +	C_TYPE_FIELDS_READONLY(type) = 1;

285

 +	TYPE_CONSTIFY_VISITED(type) = 1;

286

@@ -214202,7 +214225,7 @@ index 3a9b66c..2b38b21 100644

287

  	unsigned long flags;

288

289

 diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c

290

-index 9106d8e..e7e2e3c 100644

291

+index 9106d8e..e7e2e3ca 100644

292

 --- a/sound/core/pcm_native.c

293

 +++ b/sound/core/pcm_native.c

294

 @@ -3014,11 +3014,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream,

1	commit: 626340b17d84dea8bf5f882750f594207fd5119c
2	Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3	AuthorDate: Tue Jul 26 06:55:48 2016 +0000
4	Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5	CommitDate: Tue Jul 26 06:55:48 2016 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=626340b1
7
8	grsecurity-3.1-4.6.4-201607242014
9
10	4.6.4/0000_README \| 2 +-
11	...> 4420_grsecurity-3.1-4.6.4-201607242014.patch} \| 81 ++++++++++++++--------
12	2 files changed, 53 insertions(+), 30 deletions(-)
13
14	diff --git a/4.6.4/0000_README b/4.6.4/0000_README
15	index 0a9f680..81410da 100644
16	--- a/4.6.4/0000_README
17	+++ b/4.6.4/0000_README
18	@@ -2,7 +2,7 @@ README
19	-----------------------------------------------------------------------------
20	Individual Patch Descriptions:
21	-----------------------------------------------------------------------------
22	-Patch: 4420_grsecurity-3.1-4.6.4-201607192040.patch
23	+Patch: 4420_grsecurity-3.1-4.6.4-201607242014.patch
24	From: http://www.grsecurity.net
25	Desc: hardened-sources base patch from upstream grsecurity
26
27
28	diff --git a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
29	similarity index 99%
30	rename from 4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch
31	rename to 4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
32	index 4b02b21..f7868ce 100644
33	--- a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch
34	+++ b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
35	@@ -877,7 +877,7 @@ index a876743..fe2a193 100644
36	Counts number of I and D TLB Misses and exports them via Debugfs
37	The counters can be cleared via Debugfs as well
38	diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
39	-index cdfa6c2..aba8354 100644
40	+index cdfa6c2..f39881d 100644
41	--- a/arch/arm/Kconfig
42	+++ b/arch/arm/Kconfig
43	@@ -53,6 +53,7 @@ config ARM
44	@@ -888,7 +888,15 @@ index cdfa6c2..aba8354 100644
45	select HAVE_GENERIC_DMA_COHERENT
46	select HAVE_HW_BREAKPOINT if (PERF_EVENTS && (CPU_V6 \|\| CPU_V6K \|\| CPU_V7))
47	select HAVE_IDE if PCI \|\| ISA \|\| PCMCIA
48	-@@ -1629,6 +1630,7 @@ config HIGHPTE
49	+@@ -1561,6 +1562,7 @@ config AEABI
50	+ config OABI_COMPAT
51	+ bool "Allow old ABI binaries to run with this kernel (EXPERIMENTAL)"
52	+ depends on AEABI && !THUMB2_KERNEL
53	++ depends on !GRKERNSEC
54	+ help
55	+ This option preserves the old syscall interface along with the
56	+ new (ARM EABI) one. It also provides a compatibility layer to
57	+@@ -1629,6 +1631,7 @@ config HIGHPTE
58	config CPU_SW_DOMAIN_PAN
59	bool "Enable use of CPU domains to implement privileged no-access"
60	depends on MMU && !ARM_LPAE
61	@@ -896,7 +904,7 @@ index cdfa6c2..aba8354 100644
62	default y
63	help
64	Increase kernel security by ensuring that normal kernel accesses
65	-@@ -1705,7 +1707,7 @@ config ALIGNMENT_TRAP
66	+@@ -1705,7 +1708,7 @@ config ALIGNMENT_TRAP
67
68	config UACCESS_WITH_MEMCPY
69	bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
70	@@ -905,7 +913,7 @@ index cdfa6c2..aba8354 100644
71	default y if CPU_FEROCEON
72	help
73	Implement faster copy_to_user and clear_user methods for CPU
74	-@@ -1960,6 +1962,7 @@ config KEXEC
75	+@@ -1960,6 +1963,7 @@ config KEXEC
76	depends on (!SMP \|\| PM_SLEEP_SMP)
77	depends on !CPU_V7M
78	select KEXEC_CORE
79	@@ -913,7 +921,7 @@ index cdfa6c2..aba8354 100644
80	help
81	kexec is a system call that implements the ability to shutdown your
82	current kernel, and to start another kernel. It is like a reboot
83	-@@ -2004,7 +2007,7 @@ config EFI_STUB
84	+@@ -2004,7 +2008,7 @@ config EFI_STUB
85
86	config EFI
87	bool "UEFI runtime support"
88	@@ -23850,7 +23858,7 @@ index c3496619..3f3a7dc 100644
89	asmlinkage void smp_deferred_error_interrupt(void);
90	#endif
91	diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
92	-index 2e7513d..73d9d20 100644
93	+index 2e7513d..792107f 100644
94	--- a/arch/x86/include/asm/uaccess.h
95	+++ b/arch/x86/include/asm/uaccess.h
96	@@ -7,6 +7,7 @@
97	@@ -23887,7 +23895,7 @@ index 2e7513d..73d9d20 100644
98	+ unsigned long __size = size; \
99	+ unsigned long __addr = (unsigned long)addr; \
100	+ bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
101	-+ if (__ret_ao && __size) { \
102	++ if (__ret_ao && __size < 256 * PAGE_SIZE) { \
103	+ unsigned long __addr_ao = __addr & PAGE_MASK; \
104	+ unsigned long __end_ao = __addr + __size - 1; \
105	+ if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
106	@@ -28460,7 +28468,7 @@ index e565e0e..fdfeb45 100644
107	}
108	memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);
109	diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
110	-index 2da6ee9..4cbe3af 100644
111	+index 2da6ee9..fc0ca78 100644
112	--- a/arch/x86/kernel/kgdb.c
113	+++ b/arch/x86/kernel/kgdb.c
114	@@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)
115	@@ -28518,7 +28526,7 @@ index 2da6ee9..4cbe3af 100644
116	text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
117	BREAK_INSTR_SIZE);
118	- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
119	-+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
120	++ err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);
121	if (err)
122	return err;
123	if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
124	@@ -28527,7 +28535,7 @@ index 2da6ee9..4cbe3af 100644
125	goto knl_write;
126	text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
127	- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
128	-+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
129	++ err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);
130	if (err \|\| memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
131	goto knl_write;
132	return err;
133	@@ -124075,10 +124083,10 @@ index 0000000..696d76d
134	+}
135	diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
136	new file mode 100644
137	-index 0000000..39645c9
138	+index 0000000..dfba8fd
139	--- /dev/null
140	+++ b/grsecurity/gracl_res.c
141	-@@ -0,0 +1,68 @@
142	+@@ -0,0 +1,74 @@
143	+#include <linux/kernel.h>
144	+#include <linux/sched.h>
145	+#include <linux/gracl.h>
146	@@ -124118,6 +124126,14 @@ index 0000000..39645c9
147	+ if (unlikely(!restab_log[res]))
148	+ return;
149	+
150	++ /*
151	++ * not really security relevant, too much userland code shared
152	++ * from pulseaudio that blindly attempts to violate limits in a loop,
153	++ * resulting in log spam
154	++ */
155	++ if (res == RLIMIT_NICE)
156	++ return;
157	++
158	+ if (res == RLIMIT_CPU \|\| res == RLIMIT_RTTIME)
159	+ rlim = task_rlimit_max(task, res);
160	+ else
161	@@ -124136,8 +124152,6 @@ index 0000000..39645c9
162	+ else if (res == RLIMIT_MEMLOCK &&
163	+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
164	+ goto out_rcu_unlock;
165	-+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
166	-+ goto out_rcu_unlock;
167	+ rcu_read_unlock();
168	+
169	+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
170	@@ -144283,7 +144297,7 @@ index 2c5e3a8..301fb1a 100644
171	return -ENOSYS;
172	}
173	diff --git a/kernel/sysctl.c b/kernel/sysctl.c
174	-index 725587f..750f909 100644
175	+index 725587f..c7834cc 100644
176	--- a/kernel/sysctl.c
177	+++ b/kernel/sysctl.c
178	@@ -95,7 +95,6 @@
179	@@ -144440,7 +144454,7 @@ index 725587f..750f909 100644
180	- .proc_handler = proc_dointvec_minmax_sysadmin,
181	+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
182	+#ifdef CONFIG_GRKERNSEC_HIDESYM
183	-+ .extra1 = &two,
184	++ .extra1 = &one,
185	+#else
186	.extra1 = &zero,
187	+#endif
188	@@ -146874,7 +146888,7 @@ index 4f5b1dd..7cab418 100644
189	+}
190	+EXPORT_SYMBOL(copy_to_user_overflow);
191	diff --git a/lib/vsprintf.c b/lib/vsprintf.c
192	-index ccb664b..058e2978 100644
193	+index ccb664b..be065a5 100644
194	--- a/lib/vsprintf.c
195	+++ b/lib/vsprintf.c
196	@@ -16,6 +16,9 @@
197	@@ -146902,7 +146916,7 @@ index ccb664b..058e2978 100644
198
199	-int kptr_restrict __read_mostly;
200	+#ifdef CONFIG_GRKERNSEC_HIDESYM
201	-+int kptr_restrict __read_only = 2;
202	++int kptr_restrict __read_only = 1;
203	+#else
204	+int kptr_restrict __read_only;
205	+#endif
206	@@ -146959,7 +146973,17 @@ index ccb664b..058e2978 100644
207	case 'K':
208	switch (kptr_restrict) {
209	case 0:
210	-@@ -1724,6 +1743,22 @@ char pointer(const char fmt, char buf, char end, void *ptr,
211	+@@ -1691,6 +1710,9 @@ char pointer(const char fmt, char buf, char end, void *ptr,
212	+ */
213	+ cred = current_cred();
214	+ if (!has_capability_noaudit(current, CAP_SYSLOG) \|\|
215	++#ifdef CONFIG_GRKERNSEC_HIDESYM
216	++ !has_capability_noaudit(current, CAP_SYS_ADMIN) \|\|
217	++#endif
218	+ !uid_eq(cred->euid, cred->uid) \|\|
219	+ !gid_eq(cred->egid, cred->gid))
220	+ ptr = NULL;
221	+@@ -1724,6 +1746,22 @@ char pointer(const char fmt, char buf, char end, void *ptr,
222	case 'G':
223	return flags_string(buf, end, ptr, fmt);
224	}
225	@@ -146982,7 +147006,7 @@ index ccb664b..058e2978 100644
226	spec.flags \|= SMALL;
227	if (spec.field_width == -1) {
228	spec.field_width = default_width;
229	-@@ -2424,11 +2459,11 @@ int bstr_printf(char buf, size_t size, const char fmt, const u32 *bin_buf)
230	+@@ -2424,11 +2462,11 @@ int bstr_printf(char buf, size_t size, const char fmt, const u32 *bin_buf)
231	typeof(type) value; \
232	if (sizeof(type) == 8) { \
233	args = PTR_ALIGN(args, sizeof(u32)); \
234	@@ -146997,7 +147021,7 @@ index ccb664b..058e2978 100644
235	} \
236	args += sizeof(type); \
237	value; \
238	-@@ -2491,7 +2526,7 @@ int bstr_printf(char buf, size_t size, const char fmt, const u32 *bin_buf)
239	+@@ -2491,7 +2529,7 @@ int bstr_printf(char buf, size_t size, const char fmt, const u32 *bin_buf)
240	case FORMAT_TYPE_STR: {
241	const char *str_arg = args;
242	args += strlen(str_arg) + 1;
243	@@ -163915,10 +163939,10 @@ index 0000000..ffe60f6
244	+}
245	diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c
246	new file mode 100644
247	-index 0000000..1a56d17
248	+index 0000000..b769ccf
249	--- /dev/null
250	+++ b/scripts/gcc-plugins/constify_plugin.c
251	-@@ -0,0 +1,583 @@
252	+@@ -0,0 +1,582 @@
253	+/*
254	+ * Copyright 2011 by Emese Revfy <re.emese@×××××.com>
255	+ * Copyright 2011-2016 by PaX Team <pageexec@××××××××.hu>
256	@@ -163944,7 +163968,7 @@ index 0000000..1a56d17
257	+static bool enabled = true;
258	+
259	+static struct plugin_info const_plugin_info = {
260	-+ .version = "201606280200",
261	++ .version = "201607241840",
262	+ .help = "disable\tturn off constification\n",
263	+};
264	+
265	@@ -164069,10 +164093,8 @@ index 0000000..1a56d17
266	+ continue;
267	+ if (!constified(ptrtype))
268	+ continue;
269	-+ if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type)) {
270	-+ TREE_TYPE(field) = copy_node(TREE_TYPE(field));
271	-+ TREE_TYPE(TREE_TYPE(field)) = build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST);
272	-+ }
273	++ if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type))
274	++ TREE_TYPE(field) = build_pointer_type(build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST));
275	+ continue;
276	+ }
277	+ if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) != UNION_TYPE)
278	@@ -164190,6 +164212,7 @@ index 0000000..1a56d17
279	+
280	+static void constify_type(tree type)
281	+{
282	++ gcc_assert(type == TYPE_MAIN_VARIANT(type));
283	+ TYPE_READONLY(type) = 1;
284	+ C_TYPE_FIELDS_READONLY(type) = 1;
285	+ TYPE_CONSTIFY_VISITED(type) = 1;
286	@@ -214202,7 +214225,7 @@ index 3a9b66c..2b38b21 100644
287	unsigned long flags;
288
289	diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
290	-index 9106d8e..e7e2e3c 100644
291	+index 9106d8e..e7e2e3ca 100644
292	--- a/sound/core/pcm_native.c
293	+++ b/sound/core/pcm_native.c
294	@@ -3014,11 +3014,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream,

Gentoo Archives: gentoo-commits