Gentoo Archives: gentoo-commits

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 4.5.7/
Date: Sat, 02 Jul 2016 08:57:25
Message-Id: 1467449986.d32dd7f3f7697ee461fd2faa0fd051877e411bc1.blueness@gentoo
1 commit: d32dd7f3f7697ee461fd2faa0fd051877e411bc1
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sat Jul 2 08:59:46 2016 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sat Jul 2 08:59:46 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=d32dd7f3
7
8 grsecurity-3.1-4.5.7-201606302132
9
10 4.5.7/0000_README | 2 +-
11 ...> 4420_grsecurity-3.1-4.5.7-201606302132.patch} | 416 ++++++++++++---------
12 4.5.7/4425_grsec_remove_EI_PAX.patch | 2 +-
13 4.5.7/4450_grsec-kconfig-default-gids.patch | 8 +-
14 4.5.7/4470_disable-compat_vdso.patch | 2 +-
15 4.5.7/4475_emutramp_default_on.patch | 4 +-
16 6 files changed, 252 insertions(+), 182 deletions(-)
17
18 diff --git a/4.5.7/0000_README b/4.5.7/0000_README
19 index 6531b4d..cd47bdd 100644
20 --- a/4.5.7/0000_README
21 +++ b/4.5.7/0000_README
22 @@ -2,7 +2,7 @@ README
23 -----------------------------------------------------------------------------
24 Individual Patch Descriptions:
25 -----------------------------------------------------------------------------
26 -Patch: 4420_grsecurity-3.1-4.5.7-201606292300.patch
27 +Patch: 4420_grsecurity-3.1-4.5.7-201606302132.patch
28 From: http://www.grsecurity.net
29 Desc: hardened-sources base patch from upstream grsecurity
30
31
32 diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch
33 similarity index 99%
34 rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch
35 rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch
36 index 4f4d48f..6f9feec 100644
37 --- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch
38 +++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch
39 @@ -12658,7 +12658,7 @@ index 3ba5ff2..44bdacc 100644
40 config X86_MINIMUM_CPU_FAMILY
41 int
42 diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
43 -index 9b18ed9..9528749 100644
44 +index 9b18ed9..0fb0660 100644
45 --- a/arch/x86/Kconfig.debug
46 +++ b/arch/x86/Kconfig.debug
47 @@ -55,6 +55,7 @@ config X86_PTDUMP
48 @@ -12669,16 +12669,15 @@ index 9b18ed9..9528749 100644
49 select X86_PTDUMP_CORE
50 ---help---
51 Say Y here if you want to show the kernel pagetable layout in a
52 -@@ -77,7 +78,7 @@ config EFI_PGT_DUMP
53 +@@ -77,7 +78,6 @@ config EFI_PGT_DUMP
54 config DEBUG_RODATA
55 bool "Write protect kernel read-only data structures"
56 default y
57 - depends on DEBUG_KERNEL
58 -+ depends on DEBUG_KERNEL && BROKEN
59 ---help---
60 Mark the kernel read-only data as write-protected in the pagetables,
61 in order to catch accidental (and incorrect) writes to such const
62 -@@ -123,7 +124,7 @@ config DEBUG_WX
63 +@@ -123,7 +123,7 @@ config DEBUG_WX
64
65 config DEBUG_SET_MODULE_RONX
66 bool "Set loadable kernel module data as NX and text as RO"
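Review bot: The `DEBUG_RODATA` help text kept as context here still describes the option as a way "to catch accidental (and incorrect) writes", but after this update it is no longer gated on `DEBUG_KERNEL`, and the security/Kconfig hunk later in this patch makes `PAX_KERNEXEC` select it on X86. The help should say that the option is now part of the KERNEXEC enforcement path. A sentence such as `This option is selected by PAX_KERNEXEC and must stay enabled for kernel text/rodata write protection.` would stop users from treating it as an optional debug aid.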
67 @@ -12687,7 +12686,7 @@ index 9b18ed9..9528749 100644
68 ---help---
69 This option helps catch unintended modifications to loadable
70 kernel module's text and read-only data. It also prevents execution
71 -@@ -375,6 +376,7 @@ config X86_DEBUG_FPU
72 +@@ -375,6 +375,7 @@ config X86_DEBUG_FPU
73 config PUNIT_ATOM_DEBUG
74 tristate "ATOM Punit debug driver"
75 select DEBUG_FS
76 @@ -27194,7 +27193,7 @@ index 2c0f340..76c1d24 100644
77
78 for (i = 0; i < NUM_EXCEPTION_VECTORS; i++)
79 diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
80 -index 6bc9ae2..33997fe 100644
81 +index 6bc9ae2..51f7c58 100644
82 --- a/arch/x86/kernel/head_32.S
83 +++ b/arch/x86/kernel/head_32.S
84 @@ -27,6 +27,12 @@
85 @@ -27466,28 +27465,23 @@ index 6bc9ae2..33997fe 100644
86 pushl 16(%esp)
87 pushl 24(%esp)
88 pushl 32(%esp)
89 -@@ -663,29 +755,34 @@ ENTRY(setup_once_ref)
90 - /*
91 - * BSS section
92 - */
93 +@@ -660,11 +752,8 @@ ENTRY(initial_code)
94 + ENTRY(setup_once_ref)
95 + .long setup_once
96 +
97 +-/*
98 +- * BSS section
99 +- */
100 -__PAGE_ALIGNED_BSS
101 - .align PAGE_SIZE
102 ++__READ_ONLY
103 ++ .balign PAGE_SIZE
104 #ifdef CONFIG_X86_PAE
105 -+.section .initial_pg_pmd,"a",@progbits
106 initial_pg_pmd:
107 .fill 1024*KPMDS,4,0
108 - #else
109 -+.section .initial_page_table,"a",@progbits
110 - ENTRY(initial_page_table)
111 - .fill 1024,4,0
112 - #endif
113 -+.section .initial_pg_fixmap,"a",@progbits
114 - initial_pg_fixmap:
115 - .fill 1024,4,0
116 -+.section .empty_zero_page,"a",@progbits
117 +@@ -677,15 +766,18 @@ initial_pg_fixmap:
118 ENTRY(empty_zero_page)
119 .fill 4096,1,0
120 -+.section .swapper_pg_dir,"a",@progbits
121 ENTRY(swapper_pg_dir)
122 - .fill 1024,4,0
123 +#ifdef CONFIG_X86_PAE
124 @@ -27503,21 +27497,24 @@ index 6bc9ae2..33997fe 100644
125 -__PAGE_ALIGNED_DATA
126 - /* Page-aligned for the benefit of paravirt? */
127 - .align PAGE_SIZE
128 -+.section .initial_page_table,"a",@progbits
129 ++__READ_ONLY
130 ++ .balign PAGE_SIZE
131 ENTRY(initial_page_table)
132 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
133 # if KPMDS == 3
134 -@@ -704,12 +801,20 @@ ENTRY(initial_page_table)
135 +@@ -703,13 +795,21 @@ ENTRY(initial_page_table)
136 + # else
137 # error "Kernel PMDs should be 1, 2 or 3"
138 # endif
139 - .align PAGE_SIZE /* needs to be page-sized too */
140 +- .align PAGE_SIZE /* needs to be page-sized too */
141 ++ .balign PAGE_SIZE /* needs to be page-sized too */
142 +
143 -+#ifdef CONFIG_PAX_PER_CPU_PGD
144 ++# ifdef CONFIG_PAX_PER_CPU_PGD
145 +ENTRY(cpu_pgd)
146 + .rept 2*NR_CPUS
147 + .fill PTRS_PER_PGD,8,0
148 + .endr
149 -+#endif
150 ++# endif
151 +
152 #endif
153
154 @@ -27529,16 +27526,16 @@ index 6bc9ae2..33997fe 100644
155
156 __INITRODATA
157 int_msg:
158 -@@ -737,7 +842,7 @@ fault_msg:
159 +@@ -737,7 +837,7 @@ fault_msg:
160 * segment size, and 32-bit linear address value:
161 */
162
163 - .data
164 -+.section .rodata,"a",@progbits
165 ++__READ_ONLY
166 .globl boot_gdt_descr
167 .globl idt_descr
168
169 -@@ -746,7 +851,7 @@ fault_msg:
170 +@@ -746,7 +846,7 @@ fault_msg:
171 .word 0 # 32 bit align gdt_desc.address
172 boot_gdt_descr:
173 .word __BOOT_DS+7
174 @@ -27547,7 +27544,7 @@ index 6bc9ae2..33997fe 100644
175
176 .word 0 # 32-bit align idt_desc.address
177 idt_descr:
178 -@@ -757,7 +862,7 @@ idt_descr:
179 +@@ -757,7 +857,7 @@ idt_descr:
180 .word 0 # 32 bit align gdt_desc.address
181 ENTRY(early_gdt_descr)
182 .word GDT_ENTRIES*8-1
183 @@ -27556,7 +27553,7 @@ index 6bc9ae2..33997fe 100644
184
185 /*
186 * The boot_gdt must mirror the equivalent in setup.S and is
187 -@@ -766,5 +871,65 @@ ENTRY(early_gdt_descr)
188 +@@ -766,5 +866,65 @@ ENTRY(early_gdt_descr)
189 .align L1_CACHE_BYTES
190 ENTRY(boot_gdt)
191 .fill GDT_ENTRY_BOOT_CS,8,0
192 @@ -27625,7 +27622,7 @@ index 6bc9ae2..33997fe 100644
193 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
194 + .endr
195 diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
196 -index ffdc0e8..60b5d16 100644
197 +index ffdc0e8..1827c62 100644
198 --- a/arch/x86/kernel/head_64.S
199 +++ b/arch/x86/kernel/head_64.S
200 @@ -20,6 +20,8 @@
201 @@ -27704,7 +27701,7 @@ index ffdc0e8..60b5d16 100644
202 movq %rcx, %cr4
203
204 /* Setup early boot stage 4 level pagetables. */
205 -@@ -205,10 +239,21 @@ ENTRY(secondary_startup_64)
206 +@@ -205,10 +239,24 @@ ENTRY(secondary_startup_64)
207 movl $MSR_EFER, %ecx
208 rdmsr
209 btsl $_EFER_SCE, %eax /* Enable System Call */
210 @@ -27716,7 +27713,10 @@ index ffdc0e8..60b5d16 100644
211 + je 1f
212 btsq $_PAGE_BIT_NX,early_pmd_flags(%rip)
213 + btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_PAGE_OFFSET(%rip)
214 -+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip)
215 ++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START)(%rip)
216 ++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START) + 8(%rip)
217 ++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START) + 16(%rip)
218 ++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START) + 24(%rip)
219 + btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip)
220 + btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip)
221 + btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*504(%rip)
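Review bot: The four `btsq $_PAGE_BIT_NX` lines at `(8*L4_VMALLOC_START)` plus 0, 8, 16 and 24 encode the number of top-level slots covered by the vmalloc range as bare offsets, with nothing tying them to the range definition. `L4_VMALLOC_START` and `L4_VMALLOC_END` are defined outside this hunk, so the count cannot be checked from here. If the range is ever resized, a slot that is missed keeps NX clear at the PGD level with no build-time warning. A `.rept` driven by a named slot-count constant would keep the two in sync. Failing that, a comment such as `/* one btsq per PGD slot of the vmalloc range; keep in sync with VMALLOC_START/VMALLOC_END */` would at least record the assumption. The enclosing `secondary_startup_64` continues outside the hunk.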
222 @@ -27727,7 +27727,7 @@ index ffdc0e8..60b5d16 100644
223 1: wrmsr /* Make changes effective */
224
225 /* Setup cr0 */
226 -@@ -288,6 +333,7 @@ ENTRY(secondary_startup_64)
227 +@@ -288,6 +336,7 @@ ENTRY(secondary_startup_64)
228 * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
229 * address given in m16:64.
230 */
231 @@ -27735,7 +27735,7 @@ index ffdc0e8..60b5d16 100644
232 movq initial_code(%rip),%rax
233 pushq $0 # fake return address to stop unwinder
234 pushq $__KERNEL_CS # set correct cs
235 -@@ -321,7 +367,7 @@ ENDPROC(start_cpu0)
236 +@@ -321,7 +370,7 @@ ENDPROC(start_cpu0)
237 .quad INIT_PER_CPU_VAR(irq_stack_union)
238
239 GLOBAL(stack_start)
240 @@ -27744,7 +27744,7 @@ index ffdc0e8..60b5d16 100644
241 .word 0
242 __FINITDATA
243
244 -@@ -401,7 +447,7 @@ early_idt_handler_common:
245 +@@ -401,7 +450,7 @@ early_idt_handler_common:
246 call dump_stack
247 #ifdef CONFIG_KALLSYMS
248 leaq early_idt_ripmsg(%rip),%rdi
249 @@ -27753,15 +27753,15 @@ index ffdc0e8..60b5d16 100644
250 call __print_symbol
251 #endif
252 #endif /* EARLY_PRINTK */
253 -@@ -430,6 +476,7 @@ ENDPROC(early_idt_handler_common)
254 +@@ -430,6 +479,7 @@ ENDPROC(early_idt_handler_common)
255 early_recursion_flag:
256 .long 0
257
258 -+ .section .rodata,"a",@progbits
259 ++ __READ_ONLY
260 #ifdef CONFIG_EARLY_PRINTK
261 early_idt_msg:
262 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
263 -@@ -452,40 +499,70 @@ GLOBAL(name)
264 +@@ -452,40 +502,70 @@ GLOBAL(name)
265 __INITDATA
266 NEXT_PAGE(early_level4_pgt)
267 .fill 511,8,0
268 @@ -27772,7 +27772,7 @@ index ffdc0e8..60b5d16 100644
269 .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
270
271 - .data
272 -+ .section .rodata,"a",@progbits
273 ++ __READ_ONLY
274
275 -#ifndef CONFIG_XEN
276 NEXT_PAGE(init_level4_pgt)
277 @@ -27844,7 +27844,7 @@ index ffdc0e8..60b5d16 100644
278
279 NEXT_PAGE(level2_kernel_pgt)
280 /*
281 -@@ -502,31 +579,79 @@ NEXT_PAGE(level2_kernel_pgt)
282 +@@ -502,31 +582,79 @@ NEXT_PAGE(level2_kernel_pgt)
283 KERNEL_IMAGE_SIZE/PMD_SIZE)
284
285 NEXT_PAGE(level2_fixmap_pgt)
286 @@ -31240,7 +31240,7 @@ index e574b85..5514c57 100644
287 case VM86_GET_AND_RESET_IRQ: {
288 return get_and_reset_irq(irqnumber);
289 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
290 -index 74e4bf1..a9a6168 100644
291 +index 74e4bf1..0897a97 100644
292 --- a/arch/x86/kernel/vmlinux.lds.S
293 +++ b/arch/x86/kernel/vmlinux.lds.S
294 @@ -26,6 +26,13 @@
295 @@ -31310,7 +31310,7 @@ index 74e4bf1..a9a6168 100644
296 HEAD_TEXT
297 . = ALIGN(8);
298 _stext = .;
299 -@@ -104,13 +124,47 @@ SECTIONS
300 +@@ -104,13 +124,35 @@ SECTIONS
301 IRQENTRY_TEXT
302 *(.fixup)
303 *(.gnu.warning)
304 @@ -31343,18 +31343,6 @@ index 74e4bf1..a9a6168 100644
305 + _etext = . - __KERNEL_TEXT_OFFSET;
306 + }
307 +
308 -+#ifdef CONFIG_X86_32
309 -+ . = ALIGN(PAGE_SIZE);
310 -+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
311 -+ . = ALIGN(PAGE_SIZE);
312 -+ *(.empty_zero_page)
313 -+ *(.initial_pg_fixmap)
314 -+ *(.initial_pg_pmd)
315 -+ *(.initial_page_table)
316 -+ *(.swapper_pg_dir)
317 -+ } :rodata
318 -+#endif
319 -+
320 + . = ALIGN(PAGE_SIZE);
321 + NOTES :rodata :note
322 +
323 @@ -31362,7 +31350,7 @@ index 74e4bf1..a9a6168 100644
324
325 #if defined(CONFIG_DEBUG_RODATA)
326 /* .text should occupy whole number of pages */
327 -@@ -122,16 +176,20 @@ SECTIONS
328 +@@ -122,16 +164,20 @@ SECTIONS
329
330 /* Data */
331 .data : AT(ADDR(.data) - LOAD_OFFSET) {
332 @@ -31386,7 +31374,7 @@ index 74e4bf1..a9a6168 100644
333
334 PAGE_ALIGNED_DATA(PAGE_SIZE)
335
336 -@@ -174,12 +232,19 @@ SECTIONS
337 +@@ -174,12 +220,19 @@ SECTIONS
338 . = ALIGN(__vvar_page + PAGE_SIZE, PAGE_SIZE);
339
340 /* Init code and data - will be freed after init */
341 @@ -31409,7 +31397,7 @@ index 74e4bf1..a9a6168 100644
342 /*
343 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
344 * output PHDR, so the next output section - .init.text - should
345 -@@ -190,12 +255,33 @@ SECTIONS
346 +@@ -190,12 +243,33 @@ SECTIONS
347 "per-CPU data too large - increase CONFIG_PHYSICAL_START")
348 #endif
349
350 @@ -31447,7 +31435,7 @@ index 74e4bf1..a9a6168 100644
351
352 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
353 __x86_cpu_dev_start = .;
354 -@@ -266,19 +352,12 @@ SECTIONS
355 +@@ -266,19 +340,12 @@ SECTIONS
356 }
357
358 . = ALIGN(8);
359 @@ -31468,7 +31456,7 @@ index 74e4bf1..a9a6168 100644
360 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
361 #endif
362
363 -@@ -297,16 +376,10 @@ SECTIONS
364 +@@ -297,16 +364,10 @@ SECTIONS
365 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
366 __smp_locks = .;
367 *(.smp_locks)
368 @@ -31486,7 +31474,7 @@ index 74e4bf1..a9a6168 100644
369 /* BSS */
370 . = ALIGN(PAGE_SIZE);
371 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
372 -@@ -322,6 +395,7 @@ SECTIONS
373 +@@ -322,6 +383,7 @@ SECTIONS
374 __brk_base = .;
375 . += 64 * 1024; /* 64k alignment slop space */
376 *(.brk_reservation) /* areas brk users have reserved */
377 @@ -31494,7 +31482,7 @@ index 74e4bf1..a9a6168 100644
378 __brk_limit = .;
379 }
380
381 -@@ -348,13 +422,12 @@ SECTIONS
382 +@@ -348,13 +410,12 @@ SECTIONS
383 * for the boot processor.
384 */
385 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
386 @@ -35806,7 +35794,7 @@ index 740d7ac..4091827 100644
387 #endif /* CONFIG_HUGETLB_PAGE */
388
389 diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
390 -index 493f541..d8e6b22 100644
391 +index 493f541..ee7a3f0 100644
392 --- a/arch/x86/mm/init.c
393 +++ b/arch/x86/mm/init.c
394 @@ -4,6 +4,7 @@
395 @@ -35817,16 +35805,15 @@ index 493f541..d8e6b22 100644
396
397 #include <asm/cacheflush.h>
398 #include <asm/e820.h>
399 -@@ -17,6 +18,8 @@
400 +@@ -17,6 +18,7 @@
401 #include <asm/proto.h>
402 #include <asm/dma.h> /* for MAX_DMA_PFN */
403 #include <asm/microcode.h>
404 -+#include <asm/desc.h>
405 +#include <asm/bios_ebda.h>
406
407 /*
408 * We need to define the tracepoints somewhere, and tlb.c
409 -@@ -618,7 +621,18 @@ void __init init_mem_mapping(void)
410 +@@ -618,7 +620,18 @@ void __init init_mem_mapping(void)
411 early_ioremap_page_table_range_init();
412 #endif
413
414 @@ -35845,7 +35832,7 @@ index 493f541..d8e6b22 100644
415 __flush_tlb_all();
416
417 early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
418 -@@ -634,10 +648,34 @@ void __init init_mem_mapping(void)
419 +@@ -634,10 +647,34 @@ void __init init_mem_mapping(void)
420 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
421 * mmio resources as well as potential bios/acpi data regions.
422 */
423 @@ -35880,8 +35867,8 @@ index 493f541..d8e6b22 100644
424 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
425 return 0;
426 if (!page_is_ram(pagenr))
427 -@@ -683,8 +721,127 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
428 - #endif
429 +@@ -645,6 +682,29 @@ int devmem_is_allowed(unsigned long pagenr)
430 + return 0;
431 }
432
433 +#ifdef CONFIG_GRKERNSEC_KMEM
434 @@ -35907,109 +35894,29 @@ index 493f541..d8e6b22 100644
435 +static inline void gr_init_ebda(void) { }
436 +#endif
437 +
438 + void free_init_pages(char *what, unsigned long begin, unsigned long end)
439 + {
440 + unsigned long begin_aligned, end_aligned;
441 +@@ -668,7 +728,7 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
442 + */
443 + #ifdef CONFIG_DEBUG_PAGEALLOC
444 + printk(KERN_INFO "debug: unmapping init [mem %#010lx-%#010lx]\n",
445 +- begin, end - 1);
446 ++ begin, end - 1);
447 + set_memory_np(begin, (end - begin) >> PAGE_SHIFT);
448 + #else
449 + /*
450 +@@ -685,6 +745,8 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
451 +
452 void free_initmem(void)
453 {
454 -+#ifdef CONFIG_PAX_KERNEXEC
455 -+#ifdef CONFIG_X86_32
456 -+ /* PaX: limit KERNEL_CS to actual size */
457 -+ unsigned long addr, limit;
458 -+ struct desc_struct d;
459 -+ int cpu;
460 -+#else
461 -+ pgd_t *pgd;
462 -+ pud_t *pud;
463 -+ pmd_t *pmd;
464 -+ unsigned long addr, end;
465 -+#endif
466 -+#endif
467 -+
468 + gr_init_ebda();
469 +
470 -+#ifdef CONFIG_PAX_KERNEXEC
471 -+#ifdef CONFIG_X86_32
472 -+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
473 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
474 -+
475 -+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
476 -+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
477 -+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
478 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
479 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
480 -+ }
481 -+
482 -+ /* PaX: make KERNEL_CS read-only */
483 -+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
484 -+ if (!paravirt_enabled())
485 -+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
486 -+/*
487 -+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
488 -+ pgd = pgd_offset_k(addr);
489 -+ pud = pud_offset(pgd, addr);
490 -+ pmd = pmd_offset(pud, addr);
491 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
492 -+ }
493 -+*/
494 -+#ifdef CONFIG_X86_PAE
495 -+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
496 -+/*
497 -+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
498 -+ pgd = pgd_offset_k(addr);
499 -+ pud = pud_offset(pgd, addr);
500 -+ pmd = pmd_offset(pud, addr);
501 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
502 -+ }
503 -+*/
504 -+#endif
505 -+
506 -+#ifdef CONFIG_MODULES
507 -+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
508 -+#endif
509 -+
510 -+#else
511 -+ /* PaX: make kernel code/rodata read-only, rest non-executable */
512 -+ set_memory_ro((unsigned long)_text, ((unsigned long)(_sdata - _text) >> PAGE_SHIFT));
513 -+ set_memory_nx((unsigned long)_sdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sdata) >> PAGE_SHIFT);
514 -+
515 -+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
516 -+ pgd = pgd_offset_k(addr);
517 -+ pud = pud_offset(pgd, addr);
518 -+ pmd = pmd_offset(pud, addr);
519 -+ if (!pmd_present(*pmd))
520 -+ continue;
521 -+ if (addr >= (unsigned long)_text)
522 -+ BUG_ON(!pmd_large(*pmd));
523 -+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
524 -+ BUG_ON(pmd_write(*pmd));
525 -+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
526 -+ else
527 -+ BUG_ON(!(pmd_flags(*pmd) & _PAGE_NX));
528 -+// set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
529 -+ }
530 -+
531 -+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
532 -+ end = addr + KERNEL_IMAGE_SIZE;
533 -+ for (; addr < end; addr += PMD_SIZE) {
534 -+ pgd = pgd_offset_k(addr);
535 -+ pud = pud_offset(pgd, addr);
536 -+ pmd = pmd_offset(pud, addr);
537 -+ if (!pmd_present(*pmd))
538 -+ continue;
539 -+ if (addr >= (unsigned long)_text)
540 -+ BUG_ON(!pmd_large(*pmd));
541 -+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
542 -+ BUG_ON(pmd_write(*pmd));
543 -+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
544 -+ }
545 -+#endif
546 -+
547 -+ flush_tlb_all();
548 -+#endif
549 -+
550 free_init_pages("unused kernel",
551 (unsigned long)(&__init_begin),
552 (unsigned long)(&__init_end));
553 diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
554 -index cb4ef3d..377ec5a 100644
555 +index cb4ef3d..1b13259 100644
556 --- a/arch/x86/mm/init_32.c
557 +++ b/arch/x86/mm/init_32.c
558 @@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
559 @@ -36253,16 +36160,77 @@ index cb4ef3d..377ec5a 100644
560 pr_debug("Set kernel text: %lx - %lx for read only\n",
561 start, start+size);
562
563 -@@ -927,6 +931,7 @@ void mark_rodata_ro(void)
564 +@@ -911,7 +915,7 @@ static void mark_nxdata_nx(void)
565 + * When this called, init has already been executed and released,
566 + * so everything past _etext should be NX.
567 + */
568 +- unsigned long start = PFN_ALIGN(_etext);
569 ++ unsigned long start = ktla_ktva(PFN_ALIGN(_etext));
570 + /*
571 + * This comes from is_kernel_text upper limit. Also HPAGE where used:
572 + */
573 +@@ -927,26 +931,47 @@ void mark_rodata_ro(void)
574 unsigned long start = PFN_ALIGN(_text);
575 unsigned long size = PFN_ALIGN(_etext) - start;
576
577 +- set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
578 +- printk(KERN_INFO "Write protecting the kernel text: %luk\n",
579 +- size >> 10);
580 ++ if (config_enabled(CONFIG_PAX_KERNEXEC)) {
581 ++ /* PaX: limit KERNEL_CS to actual size */
582 ++ unsigned long limit;
583 ++ struct desc_struct d;
584 ++ int cpu;
585 +
586 +- kernel_set_to_readonly = 1;
587 ++ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
588 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
589 ++
590 ++ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
591 ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
592 ++ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
593 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
594 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
595 ++ }
596 ++
597 ++ if (config_enabled(CONFIG_MODULES))
598 ++ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
599 ++ }
600 ++
601 + start = ktla_ktva(start);
602 ++ /* PaX: make KERNEL_CS read-only */
603 ++ if (config_enabled(CONFIG_PAX_KERNEXEC) && !paravirt_enabled()) {
604 ++ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
605 ++ printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10);
606 ++
607 ++ kernel_set_to_readonly = 1;
608 +
609 + #ifdef CONFIG_CPA_DEBUG
610 +- printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n",
611 +- start, start+size);
612 +- set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
613 ++ printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", start, start+size);
614 ++ set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
615 +
616 +- printk(KERN_INFO "Testing CPA: write protecting again\n");
617 +- set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
618 ++ printk(KERN_INFO "Testing CPA: write protecting again\n");
619 ++ set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
620 + #endif
621 ++ }
622 +
623 + start += size;
624 +- size = (unsigned long)__end_rodata - start;
625 ++ size = PFN_ALIGN(_sdata) - start;
626 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
627 - printk(KERN_INFO "Write protecting the kernel text: %luk\n",
628 - size >> 10);
629 +- printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
630 +- size >> 10);
631 ++ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", size >> 10);
632 + rodata_test();
633 +
634 + #ifdef CONFIG_CPA_DEBUG
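Review bot: In the new 32-bit `mark_rodata_ro()`, both the `set_pages_ro()` call for kernel text and `kernel_set_to_readonly = 1;` now sit inside `if (config_enabled(CONFIG_PAX_KERNEXEC) && !paravirt_enabled())`, whereas the removed lines ran them unconditionally. From the visible lines, a build with `DEBUG_RODATA` but without KERNEXEC would leave kernel text writable, and so would a KERNEXEC build under paravirt; only the range up to `_sdata` after the text is protected. If the paravirt exception is the only intended change, the condition could read `if (!config_enabled(CONFIG_PAX_KERNEXEC) || !paravirt_enabled())`. If the wider skip is deliberate, a comment stating why text stays writable would help. The function body continues outside the hunk.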
635 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
636 -index 5488d21..6063860 100644
637 +index 5488d21..9f75681 100644
638 --- a/arch/x86/mm/init_64.c
639 +++ b/arch/x86/mm/init_64.c
640 @@ -137,7 +137,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
641 @@ -36395,6 +36363,94 @@ index 5488d21..6063860 100644
642 spin_unlock(&init_mm.page_table_lock);
643 pgd_changed = true;
644 }
645 +@@ -1107,8 +1135,7 @@ void set_kernel_text_ro(void)
646 + if (!kernel_set_to_readonly)
647 + return;
648 +
649 +- pr_debug("Set kernel text: %lx - %lx for read only\n",
650 +- start, end);
651 ++ pr_debug("Set kernel text: %lx - %lx for read only\n", start, end);
652 +
653 + /*
654 + * Set the kernel identity mapping for text RO.
655 +@@ -1118,15 +1145,20 @@ void set_kernel_text_ro(void)
656 +
657 + void mark_rodata_ro(void)
658 + {
659 ++ unsigned long addr;
660 + unsigned long start = PFN_ALIGN(_text);
661 + unsigned long rodata_start = PFN_ALIGN(__start_rodata);
662 ++#ifdef CONFIG_PAX_KERNEXEC
663 ++ unsigned long end = PFN_ALIGN(_sdata);
664 ++ unsigned long text_end = end;
665 ++#else
666 + unsigned long end = (unsigned long) &__end_rodata_hpage_align;
667 + unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
668 ++#endif
669 + unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
670 + unsigned long all_end;
671 +
672 +- printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
673 +- (end - start) >> 10);
674 ++ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", (end - start) >> 10);
675 + set_memory_ro(start, (end - start) >> PAGE_SHIFT);
676 +
677 + kernel_set_to_readonly = 1;
678 +@@ -1156,12 +1188,54 @@ void mark_rodata_ro(void)
679 + set_memory_ro(start, (end-start) >> PAGE_SHIFT);
680 + #endif
681 +
682 ++#ifdef CONFIG_PAX_KERNEXEC
683 ++ /* PaX: ensure that kernel code/rodata is read-only, the rest is non-executable */
684 ++ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
685 ++ pgd_t *pgd;
686 ++ pud_t *pud;
687 ++ pmd_t *pmd;
688 ++
689 ++ pgd = pgd_offset_k(addr);
690 ++ pud = pud_offset(pgd, addr);
691 ++ pmd = pmd_offset(pud, addr);
692 ++ if (!pmd_present(*pmd))
693 ++ continue;
694 ++ if (addr >= (unsigned long)_text)
695 ++ BUG_ON(!pmd_large(*pmd));
696 ++ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
697 ++ BUG_ON(pmd_write(*pmd));
698 ++// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
699 ++ else
700 ++ BUG_ON(!(pmd_flags(*pmd) & _PAGE_NX));
701 ++// set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
702 ++ }
703 ++
704 ++ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
705 ++ end = addr + KERNEL_IMAGE_SIZE;
706 ++ for (; addr < end; addr += PMD_SIZE) {
707 ++ pgd_t *pgd;
708 ++ pud_t *pud;
709 ++ pmd_t *pmd;
710 ++
711 ++ pgd = pgd_offset_k(addr);
712 ++ pud = pud_offset(pgd, addr);
713 ++ pmd = pmd_offset(pud, addr);
714 ++ if (!pmd_present(*pmd))
715 ++ continue;
716 ++ if (addr >= (unsigned long)_text)
717 ++ BUG_ON(!pmd_large(*pmd));
718 ++ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
719 ++ BUG_ON(pmd_write(*pmd));
720 ++// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
721 ++ }
722 ++#else
723 + free_init_pages("unused kernel",
724 + (unsigned long) __va(__pa_symbol(text_end)),
725 + (unsigned long) __va(__pa_symbol(rodata_start)));
726 + free_init_pages("unused kernel",
727 + (unsigned long) __va(__pa_symbol(rodata_end)),
728 + (unsigned long) __va(__pa_symbol(_sdata)));
729 ++#endif
730 +
731 + debug_checkwx();
732 + }
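Review bot: In the second KERNEXEC loop of `mark_rodata_ro()`, `addr` walks the direct-map alias starting at `__va(__pa(__START_KERNEL_map))`, but the guard `if (addr >= (unsigned long)_text)` compares it with the kernel-image virtual address of `_text`. On x86_64 the direct map lies below the kernel image mapping, so as far as I can tell this `BUG_ON(!pmd_large(*pmd))` can never fire. The comparison probably wants the aliased address, as the next check already uses: `if (addr >= (unsigned long)__va(__pa(_text)))`. Both loops also call `pmd_offset()` without first checking that the PUD entry is present and not a large page, which matters for the direct-map walk if 1 GiB mappings are in use. Separately, in the first loop the commented-out `// set_pmd(...)` lines sit between an unbraced `if` and its `else`; adding braces and dropping the dead code would make the assertion logic harder to break.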
733 diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c
734 index 9c0ff04..9020d5f 100644
735 --- a/arch/x86/mm/iomap_32.c
736 @@ -131434,7 +131490,7 @@ index ba7a9b0..33a0237 100644
737 extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp);
738 extern void unregister_pppox_proto(int proto_num);
739 diff --git a/include/linux/init.h b/include/linux/init.h
740 -index b449f37..3416791 100644
741 +index b449f37..2bf1598 100644
742 --- a/include/linux/init.h
743 +++ b/include/linux/init.h
744 @@ -39,7 +39,7 @@
745 @@ -131455,6 +131511,19 @@ index b449f37..3416791 100644
746 #define __meminitdata __section(.meminit.data)
747 #define __meminitconst __constsection(.meminit.rodata)
748 #define __memexit __section(.memexit.text) __exitused __cold notrace
749 +@@ -117,6 +117,12 @@
750 + #define __REFDATA .section ".ref.data", "aw"
751 + #define __REFCONST .section ".ref.rodata", "a"
752 +
753 ++#ifdef CONFIG_PAX_KERNEXEC
754 ++#define __READ_ONLY .section ".data..read_only","a",%progbits
755 ++#else
756 ++#define __READ_ONLY .section ".data..mostly","aw",%progbits
757 ++#endif
758 ++
759 + #ifndef __ASSEMBLY__
760 + /*
761 + * Used for initialization calls..
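Review bot: The non-KERNEXEC branch of `__READ_ONLY` names the section `.data..mostly`, which does not match the `.data..read_mostly` name the kernel's linker scripts normally collect. Unless an input rule for `.data..mostly` exists outside this hunk, the page tables and descriptor tables that head_32.S and head_64.S now place behind `__READ_ONLY` would end up in an orphan section, positioned by linker defaults rather than by vmlinux.lds.S. If the read-mostly section was intended, the line would be `#define __READ_ONLY .section ".data..read_mostly","aw",%progbits`. If the name is deliberate, a short comment pointing at the linker-script rule that picks it up would make that clear.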
762 diff --git a/include/linux/init_task.h b/include/linux/init_task.h
763 index f2cb8d4..2f0363e 100644
764 --- a/include/linux/init_task.h
765 @@ -211966,10 +212035,10 @@ index 23ba1c6..cad2484 100755
766 # Find all available archs
767 find_all_archs()
768 diff --git a/security/Kconfig b/security/Kconfig
769 -index e452378..e634654 100644
770 +index e452378..cc25231 100644
771 --- a/security/Kconfig
772 +++ b/security/Kconfig
773 -@@ -4,6 +4,994 @@
774 +@@ -4,6 +4,995 @@
775
776 menu "Security options"
777
778 @@ -212559,6 +212628,7 @@ index e452378..e634654 100644
779 + depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN
780 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
781 + select PAX_KERNEXEC_PLUGIN if X86_64
782 ++ select DEBUG_RODATA if X86
783 + select ARM_KERNMEM_PERMS if ARM
784 + help
785 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
786 @@ -212964,7 +213034,7 @@ index e452378..e634654 100644
787 source security/keys/Kconfig
788
789 config SECURITY_DMESG_RESTRICT
790 -@@ -104,7 +1092,7 @@ config INTEL_TXT
791 +@@ -104,7 +1093,7 @@ config INTEL_TXT
792 config LSM_MMAP_MIN_ADDR
793 int "Low address space for LSM to protect from user allocation"
794 depends on SECURITY && SECURITY_SELINUX
795
796 diff --git a/4.5.7/4425_grsec_remove_EI_PAX.patch b/4.5.7/4425_grsec_remove_EI_PAX.patch
797 index 2a1aa6c..c988c9a 100644
798 --- a/4.5.7/4425_grsec_remove_EI_PAX.patch
799 +++ b/4.5.7/4425_grsec_remove_EI_PAX.patch
800 @@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
801 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
802 --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
803 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
804 -@@ -279,7 +279,7 @@
805 +@@ -280,7 +280,7 @@
806
807 config PAX_EI_PAX
808 bool 'Use legacy ELF header marking'
809
810 diff --git a/4.5.7/4450_grsec-kconfig-default-gids.patch b/4.5.7/4450_grsec-kconfig-default-gids.patch
811 index 79a866b..ccf0abd 100644
812 --- a/4.5.7/4450_grsec-kconfig-default-gids.patch
813 +++ b/4.5.7/4450_grsec-kconfig-default-gids.patch
814 @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
815 diff -Nuar a/security/Kconfig b/security/Kconfig
816 --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
817 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
818 -@@ -207,7 +207,7 @@
819 +@@ -208,7 +208,7 @@
820
821 config GRKERNSEC_PROC_GID
822 int "GID exempted from /proc restrictions"
823 @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
824 help
825 Setting this GID determines which group will be exempted from
826 grsecurity's /proc restrictions, allowing users of the specified
827 -@@ -218,7 +218,7 @@
828 +@@ -219,7 +219,7 @@
829 config GRKERNSEC_TPE_UNTRUSTED_GID
830 int "GID for TPE-untrusted users"
831 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
832 @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
833 help
834 Setting this GID determines which group untrusted users should
835 be added to. These users will be placed under grsecurity's Trusted Path
836 -@@ -230,7 +230,7 @@
837 +@@ -231,7 +231,7 @@
838 config GRKERNSEC_TPE_TRUSTED_GID
839 int "GID for TPE-trusted users"
840 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
841 @@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
842 help
843 Setting this GID determines what group TPE restrictions will be
844 *disabled* for. If the sysctl option is enabled, a sysctl option
845 -@@ -239,7 +239,7 @@
846 +@@ -240,7 +240,7 @@
847 config GRKERNSEC_SYMLINKOWN_GID
848 int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
849 depends on GRKERNSEC_CONFIG_SERVER
850
851 diff --git a/4.5.7/4470_disable-compat_vdso.patch b/4.5.7/4470_disable-compat_vdso.patch
852 index 4aba080..febce96 100644
853 --- a/4.5.7/4470_disable-compat_vdso.patch
854 +++ b/4.5.7/4470_disable-compat_vdso.patch
855 @@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
856 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
857 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
858 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
859 -@@ -2044,29 +2044,8 @@
860 +@@ -2047,29 +2047,8 @@
861
862 config COMPAT_VDSO
863 def_bool n
864
865 diff --git a/4.5.7/4475_emutramp_default_on.patch b/4.5.7/4475_emutramp_default_on.patch
866 index afd6019..feb8c7b 100644
867 --- a/4.5.7/4475_emutramp_default_on.patch
868 +++ b/4.5.7/4475_emutramp_default_on.patch
869 @@ -10,7 +10,7 @@ See bug:
870 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
871 --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
872 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
873 -@@ -439,7 +439,7 @@
874 +@@ -440,7 +440,7 @@
875
876 config PAX_EMUTRAMP
877 bool "Emulate trampolines"
878 @@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur
879 depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
880 help
881 There are some programs and libraries that for one reason or
882 -@@ -462,6 +462,12 @@
883 +@@ -463,6 +463,12 @@
884 utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
885 for the affected files.