commit: 713f3073603ed2b9ab0c16b36ad996bb8543cbef |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Mon Jun 6 14:22:25 2016 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Mon Jun 6 14:22:25 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=713f3073 |
|
grsecurity-3.1-4.5.6-201606051644 |
|
{4.5.5 => 4.5.6}/0000_README | 2 +- |
.../4420_grsecurity-3.1-4.5.6-201606051644.patch | 134 +++++++++++---------- |
{4.5.5 => 4.5.6}/4425_grsec_remove_EI_PAX.patch | 0 |
{4.5.5 => 4.5.6}/4427_force_XATTR_PAX_tmpfs.patch | 0 |
.../4430_grsec-remove-localversion-grsec.patch | 0 |
{4.5.5 => 4.5.6}/4435_grsec-mute-warnings.patch | 0 |
.../4440_grsec-remove-protected-paths.patch | 0 |
.../4450_grsec-kconfig-default-gids.patch | 0 |
.../4465_selinux-avc_audit-log-curr_ip.patch | 0 |
{4.5.5 => 4.5.6}/4470_disable-compat_vdso.patch | 0 |
{4.5.5 => 4.5.6}/4475_emutramp_default_on.patch | 0 |
11 files changed, 71 insertions(+), 65 deletions(-) |
|
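--- a/4.5.5/0000_README
+++ b/4.5.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.5.5-201605291201.patch
+Patch: 4420_grsecurity-3.1-4.5.6-201606051644.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
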
40 |
diff --git a/4.5.5/4420_grsecurity-3.1-4.5.5-201605291201.patch b/4.5.6/4420_grsecurity-3.1-4.5.6-201606051644.patch |
41 |
similarity index 99% |
42 |
rename from 4.5.5/4420_grsecurity-3.1-4.5.5-201605291201.patch |
43 |
rename to 4.5.6/4420_grsecurity-3.1-4.5.6-201606051644.patch |
44 |
index 1fb08ce..d2dfe90 100644 |
45 |
--- a/4.5.5/4420_grsecurity-3.1-4.5.5-201605291201.patch |
46 |
+++ b/4.5.6/4420_grsecurity-3.1-4.5.6-201606051644.patch |
47 |
@@ -408,7 +408,7 @@ index a93b414..f50a50b 100644 |
48 |
|
49 |
A toggle value indicating if modules are allowed to be loaded |
50 |
diff --git a/Makefile b/Makefile |
51 |
-index a23df41..db4f30b 100644 |
52 |
+index 07a1786..7f359da 100644 |
53 |
--- a/Makefile |
54 |
+++ b/Makefile |
55 |
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
56 |
@@ -456,7 +456,7 @@ index a23df41..db4f30b 100644 |
57 |
ifdef CONFIG_READABLE_ASM |
58 |
# Disable optimizations that make assembler listings hard to read. |
59 |
# reorder blocks reorders the control in the function |
60 |
-@@ -714,7 +727,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) |
61 |
+@@ -715,7 +728,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g) |
62 |
else |
63 |
KBUILD_CFLAGS += -g |
64 |
endif |
65 |
@@ -465,7 +465,7 @@ index a23df41..db4f30b 100644 |
66 |
endif |
67 |
ifdef CONFIG_DEBUG_INFO_DWARF4 |
68 |
KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,) |
69 |
-@@ -886,7 +899,7 @@ export mod_sign_cmd |
70 |
+@@ -887,7 +900,7 @@ export mod_sign_cmd |
71 |
|
72 |
|
73 |
ifeq ($(KBUILD_EXTMOD),) |
74 |
@@ -474,7 +474,7 @@ index a23df41..db4f30b 100644 |
75 |
|
76 |
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ |
77 |
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \ |
78 |
-@@ -989,7 +1002,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ |
79 |
+@@ -990,7 +1003,7 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ |
80 |
|
81 |
archprepare: archheaders archscripts prepare1 scripts_basic |
82 |
|
83 |
@@ -483,7 +483,7 @@ index a23df41..db4f30b 100644 |
84 |
$(Q)$(MAKE) $(build)=. |
85 |
|
86 |
# All the preparing.. |
87 |
-@@ -1184,7 +1197,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ |
88 |
+@@ -1185,7 +1198,11 @@ MRPROPER_FILES += .config .config.old .version .old_version \ |
89 |
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ |
90 |
signing_key.pem signing_key.priv signing_key.x509 \ |
91 |
x509.genkey extra_certificates signing_key.x509.keyid \ |
92 |
@@ -496,7 +496,7 @@ index a23df41..db4f30b 100644 |
93 |
|
94 |
# clean - Delete most, but leave enough to build external modules |
95 |
# |
96 |
-@@ -1223,7 +1240,7 @@ distclean: mrproper |
97 |
+@@ -1224,7 +1241,7 @@ distclean: mrproper |
98 |
@find $(srctree) $(RCS_FIND_IGNORE) \ |
99 |
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \ |
100 |
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ |
101 |
@@ -25822,7 +25822,7 @@ index 653f88d..11b6b78 100644 |
102 |
if (!insn.opcode.got) |
103 |
return X86_BR_ABORT; |
104 |
diff --git a/arch/x86/kernel/cpu/perf_event_intel_pt.c b/arch/x86/kernel/cpu/perf_event_intel_pt.c |
105 |
-index c0bbd10..53a5dc6 100644 |
106 |
+index a5286d0..79c220a 100644 |
107 |
--- a/arch/x86/kernel/cpu/perf_event_intel_pt.c |
108 |
+++ b/arch/x86/kernel/cpu/perf_event_intel_pt.c |
109 |
@@ -133,14 +133,10 @@ static const struct attribute_group *pt_attr_groups[] = { |
110 |
@@ -25890,7 +25890,7 @@ index c0bbd10..53a5dc6 100644 |
111 |
} |
112 |
|
113 |
#define RTIT_CTL_CYC_PSB (RTIT_CTL_CYCLEACC | \ |
114 |
-@@ -997,7 +979,7 @@ static void pt_event_start(struct perf_event *event, int mode) |
115 |
+@@ -999,7 +981,7 @@ static void pt_event_start(struct perf_event *event, int mode) |
116 |
return; |
117 |
} |
118 |
|
119 |
@@ -25899,7 +25899,7 @@ index c0bbd10..53a5dc6 100644 |
120 |
event->hw.state = 0; |
121 |
|
122 |
pt_config_buffer(buf->cur->table, buf->cur_idx, |
123 |
-@@ -1013,7 +995,7 @@ static void pt_event_stop(struct perf_event *event, int mode) |
124 |
+@@ -1015,7 +997,7 @@ static void pt_event_stop(struct perf_event *event, int mode) |
125 |
* Protect against the PMI racing with disabling wrmsr, |
126 |
* see comment in intel_pt_interrupt(). |
127 |
*/ |
128 |
@@ -31435,7 +31435,7 @@ index dad5fe9..ce5f4ba 100644 |
129 |
.disable = native_disable_io_apic, |
130 |
}; |
131 |
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c |
132 |
-index 6525e92..28559d2 100644 |
133 |
+index 2e1fd58..cc6d3d7 100644 |
134 |
--- a/arch/x86/kvm/cpuid.c |
135 |
+++ b/arch/x86/kvm/cpuid.c |
136 |
@@ -206,15 +206,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu, |
137 |
@@ -31701,7 +31701,7 @@ index c13a64b..2075a7c 100644 |
138 |
.disabled_by_bios = is_disabled, |
139 |
.hardware_setup = svm_hardware_setup, |
140 |
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c |
141 |
-index 539062e..0aa69ab 100644 |
142 |
+index 60946a5..0ac3003 100644 |
143 |
--- a/arch/x86/kvm/vmx.c |
144 |
+++ b/arch/x86/kvm/vmx.c |
145 |
@@ -1575,14 +1575,14 @@ static __always_inline void vmcs_writel(unsigned long field, unsigned long value |
146 |
@@ -39745,10 +39745,10 @@ index c68e724..e863008 100644 |
147 |
/* parse the table header to get the table length */ |
148 |
if (count <= sizeof(struct acpi_table_header)) |
149 |
diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c |
150 |
-index cd2c3d6..2031a4a 100644 |
151 |
+index 993fd31..cc15d14 100644 |
152 |
--- a/drivers/acpi/device_pm.c |
153 |
+++ b/drivers/acpi/device_pm.c |
154 |
-@@ -1025,6 +1025,8 @@ EXPORT_SYMBOL_GPL(acpi_subsys_freeze); |
155 |
+@@ -1026,6 +1026,8 @@ EXPORT_SYMBOL_GPL(acpi_subsys_freeze); |
156 |
|
157 |
#endif /* CONFIG_PM_SLEEP */ |
158 |
|
159 |
@@ -39757,7 +39757,7 @@ index cd2c3d6..2031a4a 100644 |
160 |
static struct dev_pm_domain acpi_general_pm_domain = { |
161 |
.ops = { |
162 |
.runtime_suspend = acpi_subsys_runtime_suspend, |
163 |
-@@ -1041,6 +1043,7 @@ static struct dev_pm_domain acpi_general_pm_domain = { |
164 |
+@@ -1042,6 +1044,7 @@ static struct dev_pm_domain acpi_general_pm_domain = { |
165 |
.restore_early = acpi_subsys_resume_early, |
166 |
#endif |
167 |
}, |
168 |
@@ -39765,7 +39765,7 @@ index cd2c3d6..2031a4a 100644 |
169 |
}; |
170 |
|
171 |
/** |
172 |
-@@ -1118,7 +1121,6 @@ int acpi_dev_pm_attach(struct device *dev, bool power_on) |
173 |
+@@ -1119,7 +1122,6 @@ int acpi_dev_pm_attach(struct device *dev, bool power_on) |
174 |
acpi_device_wakeup(adev, ACPI_STATE_S0, false); |
175 |
} |
176 |
|
177 |
@@ -51059,10 +51059,10 @@ index 8adaaea..99dab8e 100644 |
178 |
|
179 |
void ir_ack_apic_edge(struct irq_data *data) |
180 |
diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c |
181 |
-index 8f9ebf7..e614150 100644 |
182 |
+index eef9500..71f7183 100644 |
183 |
--- a/drivers/irqchip/irq-gic.c |
184 |
+++ b/drivers/irqchip/irq-gic.c |
185 |
-@@ -379,7 +379,7 @@ static void gic_handle_cascade_irq(struct irq_desc *desc) |
186 |
+@@ -387,7 +387,7 @@ static void gic_handle_cascade_irq(struct irq_desc *desc) |
187 |
chained_irq_exit(chip, desc); |
188 |
} |
189 |
|
190 |
@@ -58214,10 +58214,10 @@ index 1deb8ff..4e2b0c1 100644 |
191 |
struct bfin_can_priv *priv = netdev_priv(dev); |
192 |
struct bfin_can_regs __iomem *reg = priv->membase; |
193 |
diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c |
194 |
-index 141c2a4..ca734ed 100644 |
195 |
+index 910c12e..b9c005d 100644 |
196 |
--- a/drivers/net/can/dev.c |
197 |
+++ b/drivers/net/can/dev.c |
198 |
-@@ -961,7 +961,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, |
199 |
+@@ -1008,7 +1008,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev, |
200 |
return -EOPNOTSUPP; |
201 |
} |
202 |
|
203 |
@@ -71818,7 +71818,7 @@ index 8c6e318..1c58581 100644 |
204 |
/* check if the device is still usable */ |
205 |
if (unlikely(cmd->device->sdev_state == SDEV_DEL)) { |
206 |
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c |
207 |
-index 00bc721..7a16d8a 100644 |
208 |
+index 9e5f893..2bf2da8 100644 |
209 |
--- a/drivers/scsi/scsi_sysfs.c |
210 |
+++ b/drivers/scsi/scsi_sysfs.c |
211 |
@@ -818,7 +818,7 @@ show_iostat_##field(struct device *dev, struct device_attribute *attr, \ |
212 |
@@ -75713,7 +75713,7 @@ index 92982d7..758ecfe 100644 |
213 |
tty_port_tty_set(&ch->port, tty); |
214 |
mutex_lock(&ch->port.mutex); |
215 |
diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c |
216 |
-index c3fe026..66cd166 100644 |
217 |
+index 9aff371..2faef0d 100644 |
218 |
--- a/drivers/tty/n_gsm.c |
219 |
+++ b/drivers/tty/n_gsm.c |
220 |
@@ -1644,7 +1644,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr) |
221 |
@@ -75725,7 +75725,7 @@ index c3fe026..66cd166 100644 |
222 |
kfree(dlci); |
223 |
return NULL; |
224 |
} |
225 |
-@@ -2665,7 +2665,7 @@ static inline void muxnet_put(struct gsm_mux_net *mux_net) |
226 |
+@@ -2667,7 +2667,7 @@ static inline void muxnet_put(struct gsm_mux_net *mux_net) |
227 |
kref_put(&mux_net->ref, net_free); |
228 |
} |
229 |
|
230 |
@@ -75734,7 +75734,7 @@ index c3fe026..66cd166 100644 |
231 |
struct net_device *net) |
232 |
{ |
233 |
struct gsm_mux_net *mux_net = netdev_priv(net); |
234 |
-@@ -2957,7 +2957,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp) |
235 |
+@@ -2959,7 +2959,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp) |
236 |
struct gsm_dlci *dlci = tty->driver_data; |
237 |
struct tty_port *port = &dlci->port; |
238 |
|
239 |
@@ -75744,7 +75744,7 @@ index c3fe026..66cd166 100644 |
240 |
|
241 |
dlci->modem_rx = 0; |
242 |
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c |
243 |
-index b280abaa..3ccd7d1 100644 |
244 |
+index c12def7..4f1303d 100644 |
245 |
--- a/drivers/tty/n_tty.c |
246 |
+++ b/drivers/tty/n_tty.c |
247 |
@@ -1515,7 +1515,7 @@ n_tty_receive_char_lnext(struct tty_struct *tty, unsigned char c, char flag) |
248 |
@@ -75835,7 +75835,7 @@ index b280abaa..3ccd7d1 100644 |
249 |
|
250 |
n = min(count, room); |
251 |
if (!n) |
252 |
-@@ -2549,6 +2550,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) |
253 |
+@@ -2545,6 +2546,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops) |
254 |
{ |
255 |
*ops = tty_ldisc_N_TTY; |
256 |
ops->owner = NULL; |
257 |
@@ -75845,10 +75845,10 @@ index b280abaa..3ccd7d1 100644 |
258 |
} |
259 |
EXPORT_SYMBOL_GPL(n_tty_inherit_ops); |
260 |
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c |
261 |
-index 2348fa6..490e407 100644 |
262 |
+index 6427a39..4ee0796 100644 |
263 |
--- a/drivers/tty/pty.c |
264 |
+++ b/drivers/tty/pty.c |
265 |
-@@ -879,8 +879,10 @@ static void __init unix98_pty_init(void) |
266 |
+@@ -877,8 +877,10 @@ static void __init unix98_pty_init(void) |
267 |
panic("Couldn't register Unix98 pts driver"); |
268 |
|
269 |
/* Now create the /dev/ptmx special device */ |
270 |
@@ -75921,10 +75921,10 @@ index c9720a9..964f2d9 100644 |
271 |
if (share_irqs) |
272 |
irqflag = IRQF_SHARED; |
273 |
diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c |
274 |
-index 7cd6f9a..d13ac0a 100644 |
275 |
+index c1d4a8f..a8e7167 100644 |
276 |
--- a/drivers/tty/serial/8250/8250_pci.c |
277 |
+++ b/drivers/tty/serial/8250/8250_pci.c |
278 |
-@@ -5656,7 +5656,7 @@ static struct pci_device_id serial_pci_tbl[] = { |
279 |
+@@ -5659,7 +5659,7 @@ static struct pci_device_id serial_pci_tbl[] = { |
280 |
}; |
281 |
|
282 |
static pci_ers_result_t serial8250_io_error_detected(struct pci_dev *dev, |
283 |
@@ -76143,7 +76143,7 @@ index dcde955..920693f 100644 |
284 |
if (unlikely(line < 0 || line >= UART_NR)) |
285 |
return -ENXIO; |
286 |
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c |
287 |
-index d72cd73..aac0435 100644 |
288 |
+index 8320173..fd1160b 100644 |
289 |
--- a/drivers/tty/serial/samsung.c |
290 |
+++ b/drivers/tty/serial/samsung.c |
291 |
@@ -970,11 +970,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port) |
292 |
@@ -96727,7 +96727,7 @@ index 3525ed7..ac8afb7 100644 |
293 |
} |
294 |
|
295 |
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c |
296 |
-index 42e1f44..017e7f6 100644 |
297 |
+index 8f38e33..90f716a 100644 |
298 |
--- a/fs/cifs/smb2pdu.c |
299 |
+++ b/fs/cifs/smb2pdu.c |
300 |
@@ -2388,8 +2388,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon, |
301 |
@@ -122536,10 +122536,10 @@ index 0000000..39645c9 |
302 |
+} |
303 |
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c |
304 |
new file mode 100644 |
305 |
-index 0000000..10f1617 |
306 |
+index 0000000..02c5a2b |
307 |
--- /dev/null |
308 |
+++ b/grsecurity/gracl_segv.c |
309 |
-@@ -0,0 +1,304 @@ |
310 |
+@@ -0,0 +1,306 @@ |
311 |
+#include <linux/kernel.h> |
312 |
+#include <linux/mm.h> |
313 |
+#include <asm/uaccess.h> |
314 |
@@ -122752,9 +122752,11 @@ index 0000000..10f1617 |
315 |
+ |
316 |
+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) && |
317 |
+ time_after(curr->expires, get_seconds())) { |
318 |
++ int is_priv = is_privileged_binary(task->mm->exe_file->f_path.dentry); |
319 |
++ |
320 |
+ rcu_read_lock(); |
321 |
+ cred = __task_cred(task); |
322 |
-+ if (gr_is_global_nonroot(cred->uid) && is_privileged_binary(task->mm->exe_file->f_path.dentry)) { |
323 |
++ if (gr_is_global_nonroot(cred->uid) && is_priv) { |
324 |
+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max); |
325 |
+ spin_lock(&gr_uid_lock); |
326 |
+ gr_insert_uid(cred->uid, curr->expires); |
327 |
@@ -125147,10 +125149,10 @@ index 0000000..304c518 |
328 |
+} |
329 |
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c |
330 |
new file mode 100644 |
331 |
-index 0000000..a2b8b8f |
332 |
+index 0000000..f072c9d |
333 |
--- /dev/null |
334 |
+++ b/grsecurity/grsec_sig.c |
335 |
-@@ -0,0 +1,245 @@ |
336 |
+@@ -0,0 +1,248 @@ |
337 |
+#include <linux/kernel.h> |
338 |
+#include <linux/sched.h> |
339 |
+#include <linux/fs.h> |
340 |
@@ -125236,16 +125238,19 @@ index 0000000..a2b8b8f |
341 |
+#ifdef CONFIG_GRKERNSEC_BRUTE |
342 |
+ struct task_struct *p = current; |
343 |
+ kuid_t uid = GLOBAL_ROOT_UID; |
344 |
++ int is_priv = 0; |
345 |
+ int daemon = 0; |
346 |
+ |
347 |
+ if (!grsec_enable_brute) |
348 |
+ return; |
349 |
+ |
350 |
++ if (is_privileged_binary(p->mm->exe_file->f_path.dentry)) |
351 |
++ is_priv = 1; |
352 |
++ |
353 |
+ rcu_read_lock(); |
354 |
+ read_lock(&tasklist_lock); |
355 |
+ read_lock(&grsec_exec_file_lock); |
356 |
-+ if (p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file) && |
357 |
-+ !is_privileged_binary(p->mm->exe_file->f_path.dentry)) { |
358 |
++ if (!is_priv && p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file)) { |
359 |
+ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME; |
360 |
+ p->real_parent->brute = 1; |
361 |
+ daemon = 1; |
362 |
@@ -126173,7 +126178,7 @@ index 0000000..61b514e |
363 |
+EXPORT_SYMBOL_GPL(gr_log_timechange); |
364 |
diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c |
365 |
new file mode 100644 |
366 |
-index 0000000..9786671 |
367 |
+index 0000000..cbd2776 |
368 |
--- /dev/null |
369 |
+++ b/grsecurity/grsec_tpe.c |
370 |
@@ -0,0 +1,78 @@ |
371 |
@@ -126221,7 +126226,7 @@ index 0000000..9786671 |
372 |
+ msg2 = "file in non-root-owned directory"; |
373 |
+ else if (inode->i_mode & S_IWOTH) |
374 |
+ msg2 = "file in world-writable directory"; |
375 |
-+ else if (inode->i_mode & S_IWGRP) |
376 |
++ else if ((inode->i_mode & S_IWGRP) && gr_is_global_nonroot_gid(inode->i_gid)) |
377 |
+ msg2 = "file in group-writable directory"; |
378 |
+ else if (file_inode->i_mode & S_IWOTH) |
379 |
+ msg2 = "file is world-writable"; |
380 |
@@ -126242,7 +126247,7 @@ index 0000000..9786671 |
381 |
+ msg = "directory not owned by user"; |
382 |
+ else if (inode->i_mode & S_IWOTH) |
383 |
+ msg = "file in world-writable directory"; |
384 |
-+ else if (inode->i_mode & S_IWGRP) |
385 |
++ else if ((inode->i_mode & S_IWGRP) && gr_is_global_nonroot_gid(inode->i_gid)) |
386 |
+ msg = "file in group-writable directory"; |
387 |
+ else if (file_inode->i_mode & S_IWOTH) |
388 |
+ msg = "file is world-writable"; |
389 |
@@ -133221,10 +133226,10 @@ index 04e8818..af85805 100644 |
390 |
/* shm_mode upper byte flags */ |
391 |
#define SHM_DEST 01000 /* segment will be destroyed on last detach */ |
392 |
diff --git a/include/linux/signal.h b/include/linux/signal.h |
393 |
-index 92557bb..53fa513 100644 |
394 |
+index d80259a..41a639a 100644 |
395 |
--- a/include/linux/signal.h |
396 |
+++ b/include/linux/signal.h |
397 |
-@@ -288,7 +288,7 @@ static inline void allow_signal(int sig) |
398 |
+@@ -303,7 +303,7 @@ static inline void allow_signal(int sig) |
399 |
* know it'll be handled, so that they don't get converted to |
400 |
* SIGKILL or just silently dropped. |
401 |
*/ |
402 |
@@ -134184,7 +134189,7 @@ index b4c2a48..0a13f65 100644 |
403 |
|
404 |
#endif /* _LINUX_THREAD_INFO_H */ |
405 |
diff --git a/include/linux/tty.h b/include/linux/tty.h |
406 |
-index 19199c2..e16a361 100644 |
407 |
+index e5b996d..65cd286 100644 |
408 |
--- a/include/linux/tty.h |
409 |
+++ b/include/linux/tty.h |
410 |
@@ -225,7 +225,7 @@ struct tty_port { |
411 |
@@ -134294,10 +134299,10 @@ index 3495578..f479218 100644 |
412 |
#ifndef user_access_begin |
413 |
#define user_access_begin() do { } while (0) |
414 |
diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h |
415 |
-index 0383552..a0125dd 100644 |
416 |
+index 0383552..595969a 100644 |
417 |
--- a/include/linux/uidgid.h |
418 |
+++ b/include/linux/uidgid.h |
419 |
-@@ -187,4 +187,9 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid) |
420 |
+@@ -187,4 +187,10 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid) |
421 |
|
422 |
#endif /* CONFIG_USER_NS */ |
423 |
|
424 |
@@ -134305,6 +134310,7 @@ index 0383552..a0125dd 100644 |
425 |
+#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x)) |
426 |
+#define gr_is_global_root(x) uid_eq((x), GLOBAL_ROOT_UID) |
427 |
+#define gr_is_global_nonroot(x) (!uid_eq((x), GLOBAL_ROOT_UID)) |
428 |
++#define gr_is_global_nonroot_gid(x) (!gid_eq((x), GLOBAL_ROOT_GID)) |
429 |
+ |
430 |
#endif /* _LINUX_UIDGID_H */ |
431 |
diff --git a/include/linux/uio_driver.h b/include/linux/uio_driver.h |
432 |
@@ -134372,7 +134378,7 @@ index 99c1b4d..562e6f3 100644 |
433 |
|
434 |
static inline void put_unaligned_le16(u16 val, void *p) |
435 |
diff --git a/include/linux/usb.h b/include/linux/usb.h |
436 |
-index 89533ba..78c419a 100644 |
437 |
+index f3dbc21..a59a42a 100644 |
438 |
--- a/include/linux/usb.h |
439 |
+++ b/include/linux/usb.h |
440 |
@@ -367,7 +367,7 @@ struct usb_bus { |
441 |
@@ -135825,7 +135831,7 @@ index 93d14da..734b3d8 100644 |
442 |
u8 qfull; |
443 |
enum fc_lport_state state; |
444 |
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h |
445 |
-index ba93c0f..90acd4d 100644 |
446 |
+index a5d31f7..e5ee774 100644 |
447 |
--- a/include/scsi/scsi_device.h |
448 |
+++ b/include/scsi/scsi_device.h |
449 |
@@ -187,9 +187,9 @@ struct scsi_device { |
450 |
@@ -137969,7 +137975,7 @@ index 2a20c0d..3eb7d03 100644 |
451 |
#ifdef CONFIG_MODULE_UNLOAD |
452 |
{ |
453 |
diff --git a/kernel/events/core.c b/kernel/events/core.c |
454 |
-index a0ef98b..c60fa0a 100644 |
455 |
+index 477fb6b..dcd02b5 100644 |
456 |
--- a/kernel/events/core.c |
457 |
+++ b/kernel/events/core.c |
458 |
@@ -350,8 +350,15 @@ static struct srcu_struct pmus_srcu; |
459 |
@@ -138018,7 +138024,7 @@ index a0ef98b..c60fa0a 100644 |
460 |
struct hrtimer *timer = &cpuctx->hrtimer; |
461 |
struct pmu *pmu = cpuctx->ctx.pmu; |
462 |
unsigned long flags; |
463 |
-@@ -2893,7 +2901,7 @@ void __perf_event_task_sched_in(struct task_struct *prev, |
464 |
+@@ -2894,7 +2902,7 @@ void __perf_event_task_sched_in(struct task_struct *prev, |
465 |
perf_pmu_sched_task(prev, task, true); |
466 |
} |
467 |
|
468 |
@@ -138027,7 +138033,7 @@ index a0ef98b..c60fa0a 100644 |
469 |
{ |
470 |
u64 frequency = event->attr.sample_freq; |
471 |
u64 sec = NSEC_PER_SEC; |
472 |
-@@ -3944,9 +3952,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) |
473 |
+@@ -3935,9 +3943,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) |
474 |
total += perf_event_count(event); |
475 |
|
476 |
*enabled += event->total_time_enabled + |
477 |
@@ -138039,7 +138045,7 @@ index a0ef98b..c60fa0a 100644 |
478 |
|
479 |
list_for_each_entry(child, &event->child_list, child_list) { |
480 |
(void)perf_event_read(child, false); |
481 |
-@@ -3978,12 +3986,12 @@ static int __perf_read_group_add(struct perf_event *leader, |
482 |
+@@ -3969,12 +3977,12 @@ static int __perf_read_group_add(struct perf_event *leader, |
483 |
*/ |
484 |
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { |
485 |
values[n++] += leader->total_time_enabled + |
486 |
@@ -138054,7 +138060,7 @@ index a0ef98b..c60fa0a 100644 |
487 |
} |
488 |
|
489 |
/* |
490 |
-@@ -4485,10 +4493,10 @@ void perf_event_update_userpage(struct perf_event *event) |
491 |
+@@ -4476,10 +4484,10 @@ void perf_event_update_userpage(struct perf_event *event) |
492 |
userpg->offset -= local64_read(&event->hw.prev_count); |
493 |
|
494 |
userpg->time_enabled = enabled + |
495 |
@@ -138067,7 +138073,7 @@ index a0ef98b..c60fa0a 100644 |
496 |
|
497 |
arch_perf_update_userpage(event, userpg, now); |
498 |
|
499 |
-@@ -5163,7 +5171,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, |
500 |
+@@ -5154,7 +5162,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size, |
501 |
|
502 |
/* Data. */ |
503 |
sp = perf_user_stack_pointer(regs); |
504 |
@@ -138076,7 +138082,7 @@ index a0ef98b..c60fa0a 100644 |
505 |
dyn_size = dump_size - rem; |
506 |
|
507 |
perf_output_skip(handle, rem); |
508 |
-@@ -5254,11 +5262,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
509 |
+@@ -5245,11 +5253,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, |
510 |
values[n++] = perf_event_count(event); |
511 |
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { |
512 |
values[n++] = enabled + |
513 |
@@ -138090,7 +138096,7 @@ index a0ef98b..c60fa0a 100644 |
514 |
} |
515 |
if (read_format & PERF_FORMAT_ID) |
516 |
values[n++] = primary_event_id(event); |
517 |
-@@ -7568,8 +7576,7 @@ perf_event_mux_interval_ms_store(struct device *dev, |
518 |
+@@ -7559,8 +7567,7 @@ perf_event_mux_interval_ms_store(struct device *dev, |
519 |
cpuctx = per_cpu_ptr(pmu->pmu_cpu_context, cpu); |
520 |
cpuctx->hrtimer_interval = ns_to_ktime(NSEC_PER_MSEC * timer); |
521 |
|
522 |
@@ -138100,7 +138106,7 @@ index a0ef98b..c60fa0a 100644 |
523 |
} |
524 |
put_online_cpus(); |
525 |
mutex_unlock(&mux_interval_mutex); |
526 |
-@@ -7938,7 +7945,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, |
527 |
+@@ -7929,7 +7936,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, |
528 |
event->parent = parent_event; |
529 |
|
530 |
event->ns = get_pid_ns(task_active_pid_ns(current)); |
531 |
@@ -138109,7 +138115,7 @@ index a0ef98b..c60fa0a 100644 |
532 |
|
533 |
event->state = PERF_EVENT_STATE_INACTIVE; |
534 |
|
535 |
-@@ -8300,6 +8307,11 @@ SYSCALL_DEFINE5(perf_event_open, |
536 |
+@@ -8291,6 +8298,11 @@ SYSCALL_DEFINE5(perf_event_open, |
537 |
if (flags & ~PERF_FLAG_ALL) |
538 |
return -EINVAL; |
539 |
|
540 |
@@ -138121,7 +138127,7 @@ index a0ef98b..c60fa0a 100644 |
541 |
err = perf_copy_attr(attr_uptr, &attr); |
542 |
if (err) |
543 |
return err; |
544 |
-@@ -8788,10 +8800,10 @@ static void sync_child_event(struct perf_event *child_event, |
545 |
+@@ -8805,10 +8817,10 @@ static void sync_child_event(struct perf_event *child_event, |
546 |
/* |
547 |
* Add back the child's count to the parent's count: |
548 |
*/ |
549 |
@@ -143482,7 +143488,7 @@ index 57a6eea..168c21f 100644 |
550 |
/* make curr_ret_stack visible before we add the ret_stack */ |
551 |
smp_wmb(); |
552 |
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c |
553 |
-index 95181e3..3b49321 100644 |
554 |
+index 9c14373..5ddd763 100644 |
555 |
--- a/kernel/trace/ring_buffer.c |
556 |
+++ b/kernel/trace/ring_buffer.c |
557 |
@@ -296,9 +296,9 @@ struct buffer_data_page { |
558 |
@@ -143535,7 +143541,7 @@ index 95181e3..3b49321 100644 |
559 |
|
560 |
/* |
561 |
* No need to worry about races with clearing out the commit. |
562 |
-@@ -1411,12 +1411,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); |
563 |
+@@ -1412,12 +1412,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer); |
564 |
|
565 |
static inline unsigned long rb_page_entries(struct buffer_page *bpage) |
566 |
{ |
567 |
@@ -143550,7 +143556,7 @@ index 95181e3..3b49321 100644 |
568 |
} |
569 |
|
570 |
static int |
571 |
-@@ -1511,7 +1511,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages) |
572 |
+@@ -1512,7 +1512,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages) |
573 |
* bytes consumed in ring buffer from here. |
574 |
* Increment overrun to account for the lost events. |
575 |
*/ |
576 |
@@ -160909,10 +160915,10 @@ index 55c96cb..e4e88ab 100644 |
577 |
__clean-files := $(filter-out $(no-clean-files), $(__clean-files)) |
578 |
|
579 |
diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn |
580 |
-index f9e47a7..b72022a 100644 |
581 |
+index 53449a6..c1fd180 100644 |
582 |
--- a/scripts/Makefile.extrawarn |
583 |
+++ b/scripts/Makefile.extrawarn |
584 |
-@@ -27,6 +27,10 @@ warning-1 += $(call cc-option, -Wunused-but-set-variable) |
585 |
+@@ -28,6 +28,10 @@ warning-1 += $(call cc-option, -Wunused-const-variable) |
586 |
warning-1 += $(call cc-disable-warning, missing-field-initializers) |
587 |
warning-1 += $(call cc-disable-warning, sign-compare) |
588 |
|
589 |
|
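Review bot: The new condition `else if ((inode->i_mode & S_IWGRP) && gr_is_global_nonroot_gid(inode->i_gid))` in the two grsec_tpe.c hunks (@@ -126221 and @@ -126242) narrows the TPE "group-writable directory" case to directories whose group is not root, so a root-group, group-writable directory no longer selects that message; this is a policy change, and neither the code nor the commit message (which is only the patchset name) records why gid 0 is treated as trusted here. A short comment above each branch would keep the policy auditable, e.g. `/* group-writable only counts as untrusted when the owning group is not root (gid 0) */`. The sibling ownership test a few lines up ("file in non-root-owned directory", only partly visible) has no gid counterpart, so a reader otherwise has to infer the intent from the `gr_is_global_nonroot_gid` macro added to include/linux/uidgid.h further down in this section. The hoists of `is_privileged_binary()` ahead of `rcu_read_lock()` in gracl_segv.c and grsec_sig.c look deliberate — presumably that helper may sleep — and would also benefit from a one-line comment such as `/* evaluated before rcu_read_lock(): must not run inside the RCU read-side section */`, since nothing else stops a later change from moving the call back under the lock. The enclosing functions start and end outside all of these hunks.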
590 |
diff --git a/4.5.5/4425_grsec_remove_EI_PAX.patch b/4.5.6/4425_grsec_remove_EI_PAX.patch |
591 |
similarity index 100% |
592 |
rename from 4.5.5/4425_grsec_remove_EI_PAX.patch |
593 |
rename to 4.5.6/4425_grsec_remove_EI_PAX.patch |
594 |
|
595 |
diff --git a/4.5.5/4427_force_XATTR_PAX_tmpfs.patch b/4.5.6/4427_force_XATTR_PAX_tmpfs.patch |
596 |
similarity index 100% |
597 |
rename from 4.5.5/4427_force_XATTR_PAX_tmpfs.patch |
598 |
rename to 4.5.6/4427_force_XATTR_PAX_tmpfs.patch |
599 |
|
600 |
diff --git a/4.5.5/4430_grsec-remove-localversion-grsec.patch b/4.5.6/4430_grsec-remove-localversion-grsec.patch |
601 |
similarity index 100% |
602 |
rename from 4.5.5/4430_grsec-remove-localversion-grsec.patch |
603 |
rename to 4.5.6/4430_grsec-remove-localversion-grsec.patch |
604 |
|
605 |
diff --git a/4.5.5/4435_grsec-mute-warnings.patch b/4.5.6/4435_grsec-mute-warnings.patch |
606 |
similarity index 100% |
607 |
rename from 4.5.5/4435_grsec-mute-warnings.patch |
608 |
rename to 4.5.6/4435_grsec-mute-warnings.patch |
609 |
|
610 |
diff --git a/4.5.5/4440_grsec-remove-protected-paths.patch b/4.5.6/4440_grsec-remove-protected-paths.patch |
611 |
similarity index 100% |
612 |
rename from 4.5.5/4440_grsec-remove-protected-paths.patch |
613 |
rename to 4.5.6/4440_grsec-remove-protected-paths.patch |
614 |
|
615 |
diff --git a/4.5.5/4450_grsec-kconfig-default-gids.patch b/4.5.6/4450_grsec-kconfig-default-gids.patch |
616 |
similarity index 100% |
617 |
rename from 4.5.5/4450_grsec-kconfig-default-gids.patch |
618 |
rename to 4.5.6/4450_grsec-kconfig-default-gids.patch |
619 |
|
620 |
diff --git a/4.5.5/4465_selinux-avc_audit-log-curr_ip.patch b/4.5.6/4465_selinux-avc_audit-log-curr_ip.patch |
621 |
similarity index 100% |
622 |
rename from 4.5.5/4465_selinux-avc_audit-log-curr_ip.patch |
623 |
rename to 4.5.6/4465_selinux-avc_audit-log-curr_ip.patch |
624 |
|
625 |
diff --git a/4.5.5/4470_disable-compat_vdso.patch b/4.5.6/4470_disable-compat_vdso.patch |
626 |
similarity index 100% |
627 |
rename from 4.5.5/4470_disable-compat_vdso.patch |
628 |
rename to 4.5.6/4470_disable-compat_vdso.patch |
629 |
|
630 |
diff --git a/4.5.5/4475_emutramp_default_on.patch b/4.5.6/4475_emutramp_default_on.patch |
631 |
similarity index 100% |
632 |
rename from 4.5.5/4475_emutramp_default_on.patch |
633 |
rename to 4.5.6/4475_emutramp_default_on.patch |