
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:XT_PAX commit in: 3.1.1/
Date: Sun, 20 Nov 2011 23:53:23
Message-Id: db7feee5792d0b67a0754e213dd86c41eaa46466.blueness@gentoo
1 commit: db7feee5792d0b67a0754e213dd86c41eaa46466
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sun Nov 20 23:53:09 2011 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sun Nov 20 23:53:09 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=db7feee5
7
8 Cleanup patchset line numbers for XT_PAX 3.1.1
9
10 ---
11 3.1.1/4490_grsec-kconfig-default-gids.patch | 6 +++---
12 3.1.1/4500_grsec-kconfig-gentoo.patch | 16 ++++++++--------
13 3.1.1/4510-grsec-kconfig-proc-user.patch | 6 +++---
14 3.1.1/4520_selinux-avc_audit-log-curr_ip.patch | 14 +++++++-------
15 3.1.1/4530_disable-compat_vdso.patch | 2 +-
16 5 files changed, 22 insertions(+), 22 deletions(-)
17
18 diff --git a/3.1.1/4490_grsec-kconfig-default-gids.patch b/3.1.1/4490_grsec-kconfig-default-gids.patch
19 index 671636e..8efaa57 100644
20 --- a/3.1.1/4490_grsec-kconfig-default-gids.patch
21 +++ b/3.1.1/4490_grsec-kconfig-default-gids.patch
22 @@ -9,9 +9,9 @@ attention to the finer points of kernel configuration, it is probably
23 wise to specify some reasonable defaults so as to stop careless users
24 from shooting themselves in the foot.
25
26 -diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
27 ---- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
28 -+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
29 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
30 +--- a/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
31 ++++ b/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
32 @@ -430,7 +430,7 @@
33 config GRKERNSEC_PROC_GID
34 int "GID for special group"
35
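Review bot: The inner hunk header `@@ -430,7 +430,7 @@` and the 2011-04-17 timestamps in 4490_grsec-kconfig-default-gids.patch stay as unchanged context, while every other patch in this commit that touches grsecurity/Kconfig has its offsets moved (188, 660/668, 1259). If the aim is for the 3.1.1 set to apply with no offset or fuzz, this one looks missed, though that is inferred from the sibling patches and not from the tree itself. A `patch --dry-run` against the 3.1.1 sources would confirm it, and the header should be refreshed if it reports an offset. The hunk appears to set the default for GRKERNSEC_PROC_GID, so it should land on exactly that entry and not depend on patch(1) searching for a match. The inner hunk body continues beyond what this section shows.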
36 diff --git a/3.1.1/4500_grsec-kconfig-gentoo.patch b/3.1.1/4500_grsec-kconfig-gentoo.patch
37 index 6d94033..5fad5b9 100644
38 --- a/3.1.1/4500_grsec-kconfig-gentoo.patch
39 +++ b/3.1.1/4500_grsec-kconfig-gentoo.patch
40 @@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
41 Ned Ludd <solar@g.o>
42
43 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
44 ---- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
45 -+++ b/grsecurity/Kconfig 2011-04-17 19:27:46.000000000 -0400
46 +--- a/grsecurity/Kconfig 2011-11-20 18:21:40.000000000 -0500
47 ++++ b/grsecurity/Kconfig 2011-11-20 18:22:27.000000000 -0500
48 @@ -18,7 +18,7 @@
49 choice
50 prompt "Security Level"
51 @@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
52
53 config GRKERNSEC_LOW
54 bool "Low"
55 -@@ -191,6 +191,255 @@
56 +@@ -188,6 +188,255 @@
57 - Restricted sysfs/debugfs
58 - Active kernel exploit response
59
60 @@ -283,9 +283,10 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
61 config GRKERNSEC_CUSTOM
62 bool "Custom"
63 help
64 ---- a/security/Kconfig 2011-09-21 07:20:02.000000000 -0400
65 -+++ b/security/Kconfig 2011-09-21 07:25:50.000000000 -0400
66 -@@ -322,9 +322,10 @@
67 +diff -Naur a/security/Kconfig b/security/Kconfig
68 +--- a/security/Kconfig 2011-11-20 18:21:39.000000000 -0500
69 ++++ b/security/Kconfig 2011-11-20 18:22:27.000000000 -0500
70 +@@ -296,9 +296,10 @@
71
72 config PAX_KERNEXEC
73 bool "Enforce non-executable kernel pages"
74 @@ -297,7 +298,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
75 help
76 This is the kernel land equivalent of PAGEEXEC and MPROTECT,
77 that is, enabling this option will make it harder to inject
78 -@@ -487,8 +488,9 @@
79 +@@ -461,8 +462,9 @@
80
81 config PAX_MEMORY_UDEREF
82 bool "Prevent invalid userland pointer dereference"
83 @@ -308,4 +309,3 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
84 help
85 By saying Y here the kernel will be prevented from dereferencing
86 userland pointers in contexts where the kernel expects only kernel
87 -
88
89 diff --git a/3.1.1/4510-grsec-kconfig-proc-user.patch b/3.1.1/4510-grsec-kconfig-proc-user.patch
90 index c588683..3c09754 100644
91 --- a/3.1.1/4510-grsec-kconfig-proc-user.patch
92 +++ b/3.1.1/4510-grsec-kconfig-proc-user.patch
93 @@ -3,10 +3,10 @@ From: Anthony G. Basile <blueness@g.o>
94 Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
95 in a different way to avoid bug #366019. This patch should eventually go upstream.
96
97 -diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
98 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
99 --- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
100 +++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
101 -@@ -666,7 +666,7 @@
102 +@@ -660,7 +660,7 @@
103
104 config GRKERNSEC_PROC_USER
105 bool "Restrict /proc to user only"
106 @@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden
107 help
108 If you say Y here, non-root users will only be able to view their own
109 processes, and restricts them from viewing network-related information,
110 -@@ -674,7 +674,7 @@
111 +@@ -668,7 +668,7 @@
112
113 config GRKERNSEC_PROC_USERGROUP
114 bool "Allow special group"
115
116 diff --git a/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch b/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch
117 index 0fd5d2d..a96f6f2 100644
118 --- a/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch
119 +++ b/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch
120 @@ -25,10 +25,10 @@ provided by grSecurity patch to be applied before.
121 Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
122 ---
123
124 -diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
125 ---- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
126 -+++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
127 -@@ -1265,6 +1265,27 @@
128 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
129 +--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
130 ++++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
131 +@@ -1259,6 +1259,27 @@
132 menu "Logging Options"
133 depends on GRKERNSEC
134
135 @@ -56,9 +56,9 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
136 config GRKERNSEC_FLOODTIME
137 int "Seconds in between log messages (minimum)"
138 default 10
139 -diff -Naur linux-2.6.38-hardened-r1.orig/security/selinux/avc.c linux-2.6.38-hardened-r1/security/selinux/avc.c
140 ---- linux-2.6.38-hardened-r1.orig/security/selinux/avc.c 2011-04-17 19:04:47.000000000 -0400
141 -+++ linux-2.6.38-hardened-r1/security/selinux/avc.c 2011-04-17 19:32:53.000000000 -0400
142 +diff -Naur a/security/selinux/avc.c b/security/selinux/avc.c
143 +--- a/security/selinux/avc.c 2011-04-17 19:04:47.000000000 -0400
144 ++++ b/security/selinux/avc.c 2011-04-17 19:32:53.000000000 -0400
145 @@ -139,6 +139,11 @@
146 char *scontext;
147 u32 scontext_len;
148
149 diff --git a/3.1.1/4530_disable-compat_vdso.patch b/3.1.1/4530_disable-compat_vdso.patch
150 index 3b76b6c..737dcca 100644
151 --- a/3.1.1/4530_disable-compat_vdso.patch
152 +++ b/3.1.1/4530_disable-compat_vdso.patch
153 @@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
154 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
155 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
156 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
157 -@@ -1638,17 +1638,8 @@
158 +@@ -1639,17 +1639,8 @@
159
160 config COMPAT_VDSO
161 def_bool n