1 |
commit: 626340b17d84dea8bf5f882750f594207fd5119c |
2 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Jul 26 06:55:48 2016 +0000 |
4 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Jul 26 06:55:48 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=626340b1 |
7 |
|
8 |
grsecurity-3.1-4.6.4-201607242014 |
9 |
|
10 |
4.6.4/0000_README | 2 +- |
11 |
...> 4420_grsecurity-3.1-4.6.4-201607242014.patch} | 81 ++++++++++++++-------- |
12 |
2 files changed, 53 insertions(+), 30 deletions(-) |
13 |
|
14 |
diff --git a/4.6.4/0000_README b/4.6.4/0000_README |
15 |
index 0a9f680..81410da 100644 |
16 |
--- a/4.6.4/0000_README |
17 |
+++ b/4.6.4/0000_README |
18 |
@@ -2,7 +2,7 @@ README |
19 |
----------------------------------------------------------------------------- |
20 |
Individual Patch Descriptions: |
21 |
----------------------------------------------------------------------------- |
22 |
-Patch: 4420_grsecurity-3.1-4.6.4-201607192040.patch |
23 |
+Patch: 4420_grsecurity-3.1-4.6.4-201607242014.patch |
24 |
From: http://www.grsecurity.net |
25 |
Desc: hardened-sources base patch from upstream grsecurity |
26 |
|
27 |
|
28 |
diff --git a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch |
29 |
similarity index 99% |
30 |
rename from 4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch |
31 |
rename to 4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch |
32 |
index 4b02b21..f7868ce 100644 |
33 |
--- a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch |
34 |
+++ b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch |
35 |
@@ -877,7 +877,7 @@ index a876743..fe2a193 100644 |
36 |
Counts number of I and D TLB Misses and exports them via Debugfs |
37 |
The counters can be cleared via Debugfs as well |
38 |
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig |
39 |
-index cdfa6c2..aba8354 100644 |
40 |
+index cdfa6c2..f39881d 100644 |
41 |
--- a/arch/arm/Kconfig |
42 |
+++ b/arch/arm/Kconfig |
43 |
@@ -53,6 +53,7 @@ config ARM |
44 |
@@ -888,7 +888,15 @@ index cdfa6c2..aba8354 100644 |
45 |
select HAVE_GENERIC_DMA_COHERENT |
46 |
select HAVE_HW_BREAKPOINT if (PERF_EVENTS && (CPU_V6 || CPU_V6K || CPU_V7)) |
47 |
select HAVE_IDE if PCI || ISA || PCMCIA |
48 |
-@@ -1629,6 +1630,7 @@ config HIGHPTE |
49 |
+@@ -1561,6 +1562,7 @@ config AEABI |
50 |
+ config OABI_COMPAT |
51 |
+ bool "Allow old ABI binaries to run with this kernel (EXPERIMENTAL)" |
52 |
+ depends on AEABI && !THUMB2_KERNEL |
53 |
++ depends on !GRKERNSEC |
54 |
+ help |
55 |
+ This option preserves the old syscall interface along with the |
56 |
+ new (ARM EABI) one. It also provides a compatibility layer to |
57 |
+@@ -1629,6 +1631,7 @@ config HIGHPTE |
58 |
config CPU_SW_DOMAIN_PAN |
59 |
bool "Enable use of CPU domains to implement privileged no-access" |
60 |
depends on MMU && !ARM_LPAE |
61 |
@@ -896,7 +904,7 @@ index cdfa6c2..aba8354 100644 |
62 |
default y |
63 |
help |
64 |
Increase kernel security by ensuring that normal kernel accesses |
65 |
-@@ -1705,7 +1707,7 @@ config ALIGNMENT_TRAP |
66 |
+@@ -1705,7 +1708,7 @@ config ALIGNMENT_TRAP |
67 |
|
68 |
config UACCESS_WITH_MEMCPY |
69 |
bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()" |
70 |
@@ -905,7 +913,7 @@ index cdfa6c2..aba8354 100644 |
71 |
default y if CPU_FEROCEON |
72 |
help |
73 |
Implement faster copy_to_user and clear_user methods for CPU |
74 |
-@@ -1960,6 +1962,7 @@ config KEXEC |
75 |
+@@ -1960,6 +1963,7 @@ config KEXEC |
76 |
depends on (!SMP || PM_SLEEP_SMP) |
77 |
depends on !CPU_V7M |
78 |
select KEXEC_CORE |
79 |
@@ -913,7 +921,7 @@ index cdfa6c2..aba8354 100644 |
80 |
help |
81 |
kexec is a system call that implements the ability to shutdown your |
82 |
current kernel, and to start another kernel. It is like a reboot |
83 |
-@@ -2004,7 +2007,7 @@ config EFI_STUB |
84 |
+@@ -2004,7 +2008,7 @@ config EFI_STUB |
85 |
|
86 |
config EFI |
87 |
bool "UEFI runtime support" |
88 |
@@ -23850,7 +23858,7 @@ index c3496619..3f3a7dc 100644 |
89 |
asmlinkage void smp_deferred_error_interrupt(void); |
90 |
#endif |
91 |
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h |
92 |
-index 2e7513d..73d9d20 100644 |
93 |
+index 2e7513d..792107f 100644 |
94 |
--- a/arch/x86/include/asm/uaccess.h |
95 |
+++ b/arch/x86/include/asm/uaccess.h |
96 |
@@ -7,6 +7,7 @@ |
97 |
@@ -23887,7 +23895,7 @@ index 2e7513d..73d9d20 100644 |
98 |
+ unsigned long __size = size; \ |
99 |
+ unsigned long __addr = (unsigned long)addr; \ |
100 |
+ bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\ |
101 |
-+ if (__ret_ao && __size) { \ |
102 |
++ if (__ret_ao && __size < 256 * PAGE_SIZE) { \ |
103 |
+ unsigned long __addr_ao = __addr & PAGE_MASK; \ |
104 |
+ unsigned long __end_ao = __addr + __size - 1; \ |
105 |
+ if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \ |
106 |
@@ -28460,7 +28468,7 @@ index e565e0e..fdfeb45 100644 |
107 |
} |
108 |
memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE); |
109 |
diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c |
110 |
-index 2da6ee9..4cbe3af 100644 |
111 |
+index 2da6ee9..fc0ca78 100644 |
112 |
--- a/arch/x86/kernel/kgdb.c |
113 |
+++ b/arch/x86/kernel/kgdb.c |
114 |
@@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void) |
115 |
@@ -28518,7 +28526,7 @@ index 2da6ee9..4cbe3af 100644 |
116 |
text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr, |
117 |
BREAK_INSTR_SIZE); |
118 |
- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); |
119 |
-+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE); |
120 |
++ err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE); |
121 |
if (err) |
122 |
return err; |
123 |
if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE)) |
124 |
@@ -28527,7 +28535,7 @@ index 2da6ee9..4cbe3af 100644 |
125 |
goto knl_write; |
126 |
text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE); |
127 |
- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); |
128 |
-+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE); |
129 |
++ err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE); |
130 |
if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE)) |
131 |
goto knl_write; |
132 |
return err; |
133 |
@@ -124075,10 +124083,10 @@ index 0000000..696d76d |
134 |
+} |
135 |
diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c |
136 |
new file mode 100644 |
137 |
-index 0000000..39645c9 |
138 |
+index 0000000..dfba8fd |
139 |
--- /dev/null |
140 |
+++ b/grsecurity/gracl_res.c |
141 |
-@@ -0,0 +1,68 @@ |
142 |
+@@ -0,0 +1,74 @@ |
143 |
+#include <linux/kernel.h> |
144 |
+#include <linux/sched.h> |
145 |
+#include <linux/gracl.h> |
146 |
@@ -124118,6 +124126,14 @@ index 0000000..39645c9 |
147 |
+ if (unlikely(!restab_log[res])) |
148 |
+ return; |
149 |
+ |
150 |
++ /* |
151 |
++ * not really security relevant, too much userland code shared |
152 |
++ * from pulseaudio that blindly attempts to violate limits in a loop, |
153 |
++ * resulting in log spam |
154 |
++ */ |
155 |
++ if (res == RLIMIT_NICE) |
156 |
++ return; |
157 |
++ |
158 |
+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME) |
159 |
+ rlim = task_rlimit_max(task, res); |
160 |
+ else |
161 |
@@ -124136,8 +124152,6 @@ index 0000000..39645c9 |
162 |
+ else if (res == RLIMIT_MEMLOCK && |
163 |
+ cap_raised(cred->cap_effective, CAP_IPC_LOCK)) |
164 |
+ goto out_rcu_unlock; |
165 |
-+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE)) |
166 |
-+ goto out_rcu_unlock; |
167 |
+ rcu_read_unlock(); |
168 |
+ |
169 |
+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim); |
170 |
@@ -144283,7 +144297,7 @@ index 2c5e3a8..301fb1a 100644 |
171 |
return -ENOSYS; |
172 |
} |
173 |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c |
174 |
-index 725587f..750f909 100644 |
175 |
+index 725587f..c7834cc 100644 |
176 |
--- a/kernel/sysctl.c |
177 |
+++ b/kernel/sysctl.c |
178 |
@@ -95,7 +95,6 @@ |
179 |
@@ -144440,7 +144454,7 @@ index 725587f..750f909 100644 |
180 |
- .proc_handler = proc_dointvec_minmax_sysadmin, |
181 |
+ .proc_handler = proc_dointvec_minmax_secure_sysadmin, |
182 |
+#ifdef CONFIG_GRKERNSEC_HIDESYM |
183 |
-+ .extra1 = &two, |
184 |
++ .extra1 = &one, |
185 |
+#else |
186 |
.extra1 = &zero, |
187 |
+#endif |
188 |
@@ -146874,7 +146888,7 @@ index 4f5b1dd..7cab418 100644 |
189 |
+} |
190 |
+EXPORT_SYMBOL(copy_to_user_overflow); |
191 |
diff --git a/lib/vsprintf.c b/lib/vsprintf.c |
192 |
-index ccb664b..058e2978 100644 |
193 |
+index ccb664b..be065a5 100644 |
194 |
--- a/lib/vsprintf.c |
195 |
+++ b/lib/vsprintf.c |
196 |
@@ -16,6 +16,9 @@ |
197 |
@@ -146902,7 +146916,7 @@ index ccb664b..058e2978 100644 |
198 |
|
199 |
-int kptr_restrict __read_mostly; |
200 |
+#ifdef CONFIG_GRKERNSEC_HIDESYM |
201 |
-+int kptr_restrict __read_only = 2; |
202 |
++int kptr_restrict __read_only = 1; |
203 |
+#else |
204 |
+int kptr_restrict __read_only; |
205 |
+#endif |
206 |
@@ -146959,7 +146973,17 @@ index ccb664b..058e2978 100644 |
207 |
case 'K': |
208 |
switch (kptr_restrict) { |
209 |
case 0: |
210 |
-@@ -1724,6 +1743,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
211 |
+@@ -1691,6 +1710,9 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
212 |
+ */ |
213 |
+ cred = current_cred(); |
214 |
+ if (!has_capability_noaudit(current, CAP_SYSLOG) || |
215 |
++#ifdef CONFIG_GRKERNSEC_HIDESYM |
216 |
++ !has_capability_noaudit(current, CAP_SYS_ADMIN) || |
217 |
++#endif |
218 |
+ !uid_eq(cred->euid, cred->uid) || |
219 |
+ !gid_eq(cred->egid, cred->gid)) |
220 |
+ ptr = NULL; |
221 |
+@@ -1724,6 +1746,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, |
222 |
case 'G': |
223 |
return flags_string(buf, end, ptr, fmt); |
224 |
} |
225 |
@@ -146982,7 +147006,7 @@ index ccb664b..058e2978 100644 |
226 |
spec.flags |= SMALL; |
227 |
if (spec.field_width == -1) { |
228 |
spec.field_width = default_width; |
229 |
-@@ -2424,11 +2459,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
230 |
+@@ -2424,11 +2462,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
231 |
typeof(type) value; \ |
232 |
if (sizeof(type) == 8) { \ |
233 |
args = PTR_ALIGN(args, sizeof(u32)); \ |
234 |
@@ -146997,7 +147021,7 @@ index ccb664b..058e2978 100644 |
235 |
} \ |
236 |
args += sizeof(type); \ |
237 |
value; \ |
238 |
-@@ -2491,7 +2526,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
239 |
+@@ -2491,7 +2529,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf) |
240 |
case FORMAT_TYPE_STR: { |
241 |
const char *str_arg = args; |
242 |
args += strlen(str_arg) + 1; |
243 |
@@ -163915,10 +163939,10 @@ index 0000000..ffe60f6 |
244 |
+} |
245 |
diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c |
246 |
new file mode 100644 |
247 |
-index 0000000..1a56d17 |
248 |
+index 0000000..b769ccf |
249 |
--- /dev/null |
250 |
+++ b/scripts/gcc-plugins/constify_plugin.c |
251 |
-@@ -0,0 +1,583 @@ |
252 |
+@@ -0,0 +1,582 @@ |
253 |
+/* |
254 |
+ * Copyright 2011 by Emese Revfy <re.emese@×××××.com> |
255 |
+ * Copyright 2011-2016 by PaX Team <pageexec@××××××××.hu> |
256 |
@@ -163944,7 +163968,7 @@ index 0000000..1a56d17 |
257 |
+static bool enabled = true; |
258 |
+ |
259 |
+static struct plugin_info const_plugin_info = { |
260 |
-+ .version = "201606280200", |
261 |
++ .version = "201607241840", |
262 |
+ .help = "disable\tturn off constification\n", |
263 |
+}; |
264 |
+ |
265 |
@@ -164069,10 +164093,8 @@ index 0000000..1a56d17 |
266 |
+ continue; |
267 |
+ if (!constified(ptrtype)) |
268 |
+ continue; |
269 |
-+ if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type)) { |
270 |
-+ TREE_TYPE(field) = copy_node(TREE_TYPE(field)); |
271 |
-+ TREE_TYPE(TREE_TYPE(field)) = build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST); |
272 |
-+ } |
273 |
++ if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type)) |
274 |
++ TREE_TYPE(field) = build_pointer_type(build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST)); |
275 |
+ continue; |
276 |
+ } |
277 |
+ if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) != UNION_TYPE) |
278 |
@@ -164190,6 +164212,7 @@ index 0000000..1a56d17 |
279 |
+ |
280 |
+static void constify_type(tree type) |
281 |
+{ |
282 |
++ gcc_assert(type == TYPE_MAIN_VARIANT(type)); |
283 |
+ TYPE_READONLY(type) = 1; |
284 |
+ C_TYPE_FIELDS_READONLY(type) = 1; |
285 |
+ TYPE_CONSTIFY_VISITED(type) = 1; |
286 |
@@ -214202,7 +214225,7 @@ index 3a9b66c..2b38b21 100644 |
287 |
unsigned long flags; |
288 |
|
289 |
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c |
290 |
-index 9106d8e..e7e2e3c 100644 |
291 |
+index 9106d8e..e7e2e3ca 100644 |
292 |
--- a/sound/core/pcm_native.c |
293 |
+++ b/sound/core/pcm_native.c |
294 |
@@ -3014,11 +3014,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, |