commit: db7feee5792d0b67a0754e213dd86c41eaa46466 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Sun Nov 20 23:53:09 2011 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sun Nov 20 23:53:09 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=db7feee5 |
|
Cleanup patchset line numbers for XT_PAX 3.1.1 |
|
--- |
3.1.1/4490_grsec-kconfig-default-gids.patch | 6 +++--- |
3.1.1/4500_grsec-kconfig-gentoo.patch | 16 ++++++++-------- |
3.1.1/4510-grsec-kconfig-proc-user.patch | 6 +++--- |
3.1.1/4520_selinux-avc_audit-log-curr_ip.patch | 14 +++++++------- |
3.1.1/4530_disable-compat_vdso.patch | 2 +- |
5 files changed, 22 insertions(+), 22 deletions(-) |
|
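diff --git a/3.1.1/4490_grsec-kconfig-default-gids.patch b/3.1.1/4490_grsec-kconfig-default-gids.patch
index 671636e..8efaa57 100644
--- a/3.1.1/4490_grsec-kconfig-default-gids.patch
+++ b/3.1.1/4490_grsec-kconfig-default-gids.patch
@@ -9,9 +9,9 @@ attention to the finer points of kernel configuration, it is probably
 wise to specify some reasonable defaults so as to stop careless users
 from shooting themselves in the foot.
 
-diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
---- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
-+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
++++ b/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
 @@ -430,7 +430,7 @@
 config GRKERNSEC_PROC_GID
 int "GID for special group"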
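diff --git a/3.1.1/4500_grsec-kconfig-gentoo.patch b/3.1.1/4500_grsec-kconfig-gentoo.patch
index 6d94033..5fad5b9 100644
--- a/3.1.1/4500_grsec-kconfig-gentoo.patch
+++ b/3.1.1/4500_grsec-kconfig-gentoo.patch
@@ -16,8 +16,8 @@ The original version of this patch was conceived and created by:
 Ned Ludd <solar@g.o>
 
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
---- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
-+++ b/grsecurity/Kconfig 2011-04-17 19:27:46.000000000 -0400
+--- a/grsecurity/Kconfig 2011-11-20 18:21:40.000000000 -0500
++++ b/grsecurity/Kconfig 2011-11-20 18:22:27.000000000 -0500
 @@ -18,7 +18,7 @@
 choice
 prompt "Security Level"
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 
 config GRKERNSEC_LOW
 bool "Low"
-@@ -191,6 +191,255 @@
+@@ -188,6 +188,255 @@
 - Restricted sysfs/debugfs
 - Active kernel exploit response
 
@@ -283,9 +283,10 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 config GRKERNSEC_CUSTOM
 bool "Custom"
 help
---- a/security/Kconfig 2011-09-21 07:20:02.000000000 -0400
-+++ b/security/Kconfig 2011-09-21 07:25:50.000000000 -0400
-@@ -322,9 +322,10 @@
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-11-20 18:21:39.000000000 -0500
++++ b/security/Kconfig 2011-11-20 18:22:27.000000000 -0500
+@@ -296,9 +296,10 @@
 
 config PAX_KERNEXEC
 bool "Enforce non-executable kernel pages"
@@ -297,7 +298,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 This is the kernel land equivalent of PAGEEXEC and MPROTECT,
 that is, enabling this option will make it harder to inject
-@@ -487,8 +488,9 @@
+@@ -461,8 +462,9 @@
 
 config PAX_MEMORY_UDEREF
 bool "Prevent invalid userland pointer dereference"
@@ -308,4 +309,3 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 By saying Y here the kernel will be prevented from dereferencing
 userland pointers in contexts where the kernel expects only kernel
-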
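diff --git a/3.1.1/4510-grsec-kconfig-proc-user.patch b/3.1.1/4510-grsec-kconfig-proc-user.patch
index c588683..3c09754 100644
--- a/3.1.1/4510-grsec-kconfig-proc-user.patch
+++ b/3.1.1/4510-grsec-kconfig-proc-user.patch
@@ -3,10 +3,10 @@ From: Anthony G. Basile <blueness@g.o>
 Address the mutually exclusive options GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP
 in a different way to avoid bug #366019. This patch should eventually go upstream.
 
-diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
 +++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
-@@ -666,7 +666,7 @@
+@@ -660,7 +660,7 @@
 
 config GRKERNSEC_PROC_USER
 bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden
 help
 If you say Y here, non-root users will only be able to view their own
 processes, and restricts them from viewing network-related information,
-@@ -674,7 +674,7 @@
+@@ -668,7 +668,7 @@
 
 config GRKERNSEC_PROC_USERGROUP
 bool "Allow special group"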
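Review bot: The inner hunk offsets in this patch change (666→660, 674→668) while the inner `--- a/grsecurity/Kconfig` and `+++ b/grsecurity/Kconfig` timestamp lines are left as context, so the numbers look hand-edited rather than regenerated from the target tree, as 4500_grsec-kconfig-gentoo.patch appears to have been. 4520 and 4530 likewise keep their old timestamps. GNU patch applies a hunk at a shifted offset or with fuzz without failing, so a stale number would not surface as an error. Here the three lines of context are all that pin the change to the GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP entries. I would confirm each refreshed file with `patch -p1 --dry-run -F0` against the 3.1.1 tree and record the base in the patch description, for example `Refreshed against <BASE_TREE_PLACEHOLDER>`.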
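diff --git a/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch b/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch
index 0fd5d2d..a96f6f2 100644
--- a/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch
+++ b/3.1.1/4520_selinux-avc_audit-log-curr_ip.patch
@@ -25,10 +25,10 @@ provided by grSecurity patch to be applied before.
 Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
 ---
 
-diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
---- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
-+++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1265,6 +1265,27 @@
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
++++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
+@@ -1259,6 +1259,27 @@
 menu "Logging Options"
 depends on GRKERNSEC
 
@@ -56,9 +56,9 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
 config GRKERNSEC_FLOODTIME
 int "Seconds in between log messages (minimum)"
 default 10
-diff -Naur linux-2.6.38-hardened-r1.orig/security/selinux/avc.c linux-2.6.38-hardened-r1/security/selinux/avc.c
---- linux-2.6.38-hardened-r1.orig/security/selinux/avc.c 2011-04-17 19:04:47.000000000 -0400
-+++ linux-2.6.38-hardened-r1/security/selinux/avc.c 2011-04-17 19:32:53.000000000 -0400
+diff -Naur a/security/selinux/avc.c b/security/selinux/avc.c
+--- a/security/selinux/avc.c 2011-04-17 19:04:47.000000000 -0400
++++ b/security/selinux/avc.c 2011-04-17 19:32:53.000000000 -0400
 @@ -139,6 +139,11 @@
 char *scontext;
 u32 scontext_len;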
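diff --git a/3.1.1/4530_disable-compat_vdso.patch b/3.1.1/4530_disable-compat_vdso.patch
index 3b76b6c..737dcca 100644
--- a/3.1.1/4530_disable-compat_vdso.patch
+++ b/3.1.1/4530_disable-compat_vdso.patch
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -1638,17 +1638,8 @@
+@@ -1639,17 +1639,8 @@
 
 config COMPAT_VDSO
 def_bool n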