commit: d32dd7f3f7697ee461fd2faa0fd051877e411bc1 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Sat Jul 2 08:59:46 2016 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sat Jul 2 08:59:46 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=d32dd7f3 |
|
grsecurity-3.1-4.5.7-201606302132 |
|
4.5.7/0000_README | 2 +- |
...> 4420_grsecurity-3.1-4.5.7-201606302132.patch} | 416 ++++++++++++--------- |
4.5.7/4425_grsec_remove_EI_PAX.patch | 2 +- |
4.5.7/4450_grsec-kconfig-default-gids.patch | 8 +- |
4.5.7/4470_disable-compat_vdso.patch | 2 +- |
4.5.7/4475_emutramp_default_on.patch | 4 +- |
6 files changed, 252 insertions(+), 182 deletions(-) |
|
diff --git a/4.5.7/0000_README b/4.5.7/0000_README |
19 |
index 6531b4d..cd47bdd 100644 |
20 |
--- a/4.5.7/0000_README |
21 |
+++ b/4.5.7/0000_README |
22 |
@@ -2,7 +2,7 @@ README |
23 |
----------------------------------------------------------------------------- |
24 |
Individual Patch Descriptions: |
25 |
----------------------------------------------------------------------------- |
26 |
-Patch: 4420_grsecurity-3.1-4.5.7-201606292300.patch |
27 |
+Patch: 4420_grsecurity-3.1-4.5.7-201606302132.patch |
28 |
From: http://www.grsecurity.net |
29 |
Desc: hardened-sources base patch from upstream grsecurity |
30 |
|
31 |
|
32 |
diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch |
33 |
similarity index 99% |
34 |
rename from 4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch |
35 |
rename to 4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch |
36 |
index 4f4d48f..6f9feec 100644 |
37 |
--- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606292300.patch |
38 |
+++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606302132.patch |
39 |
@@ -12658,7 +12658,7 @@ index 3ba5ff2..44bdacc 100644 |
40 |
config X86_MINIMUM_CPU_FAMILY |
41 |
int |
42 |
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug |
43 |
-index 9b18ed9..9528749 100644 |
44 |
+index 9b18ed9..0fb0660 100644 |
45 |
--- a/arch/x86/Kconfig.debug |
46 |
+++ b/arch/x86/Kconfig.debug |
47 |
@@ -55,6 +55,7 @@ config X86_PTDUMP |
48 |
@@ -12669,16 +12669,15 @@ index 9b18ed9..9528749 100644 |
49 |
select X86_PTDUMP_CORE |
50 |
---help--- |
51 |
Say Y here if you want to show the kernel pagetable layout in a |
52 |
-@@ -77,7 +78,7 @@ config EFI_PGT_DUMP |
53 |
+@@ -77,7 +78,6 @@ config EFI_PGT_DUMP |
54 |
config DEBUG_RODATA |
55 |
bool "Write protect kernel read-only data structures" |
56 |
default y |
57 |
- depends on DEBUG_KERNEL |
58 |
-+ depends on DEBUG_KERNEL && BROKEN |
59 |
---help--- |
60 |
Mark the kernel read-only data as write-protected in the pagetables, |
61 |
in order to catch accidental (and incorrect) writes to such const |
62 |
-@@ -123,7 +124,7 @@ config DEBUG_WX |
63 |
+@@ -123,7 +123,7 @@ config DEBUG_WX |
64 |
|
65 |
config DEBUG_SET_MODULE_RONX |
66 |
bool "Set loadable kernel module data as NX and text as RO" |
67 |
@@ -12687,7 +12686,7 @@ index 9b18ed9..9528749 100644 |
68 |
---help--- |
69 |
This option helps catch unintended modifications to loadable |
70 |
kernel module's text and read-only data. It also prevents execution |
71 |
-@@ -375,6 +376,7 @@ config X86_DEBUG_FPU |
72 |
+@@ -375,6 +375,7 @@ config X86_DEBUG_FPU |
73 |
config PUNIT_ATOM_DEBUG |
74 |
tristate "ATOM Punit debug driver" |
75 |
select DEBUG_FS |
76 |
@@ -27194,7 +27193,7 @@ index 2c0f340..76c1d24 100644 |
77 |
|
78 |
for (i = 0; i < NUM_EXCEPTION_VECTORS; i++) |
79 |
diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S |
80 |
-index 6bc9ae2..33997fe 100644 |
81 |
+index 6bc9ae2..51f7c58 100644 |
82 |
--- a/arch/x86/kernel/head_32.S |
83 |
+++ b/arch/x86/kernel/head_32.S |
84 |
@@ -27,6 +27,12 @@ |
85 |
@@ -27466,28 +27465,23 @@ index 6bc9ae2..33997fe 100644 |
86 |
pushl 16(%esp) |
87 |
pushl 24(%esp) |
88 |
pushl 32(%esp) |
89 |
-@@ -663,29 +755,34 @@ ENTRY(setup_once_ref) |
90 |
- /* |
91 |
- * BSS section |
92 |
- */ |
93 |
+@@ -660,11 +752,8 @@ ENTRY(initial_code) |
94 |
+ ENTRY(setup_once_ref) |
95 |
+ .long setup_once |
96 |
+ |
97 |
+-/* |
98 |
+- * BSS section |
99 |
+- */ |
100 |
-__PAGE_ALIGNED_BSS |
101 |
- .align PAGE_SIZE |
102 |
++__READ_ONLY |
103 |
++ .balign PAGE_SIZE |
104 |
#ifdef CONFIG_X86_PAE |
105 |
-+.section .initial_pg_pmd,"a",@progbits |
106 |
initial_pg_pmd: |
107 |
.fill 1024*KPMDS,4,0 |
108 |
- #else |
109 |
-+.section .initial_page_table,"a",@progbits |
110 |
- ENTRY(initial_page_table) |
111 |
- .fill 1024,4,0 |
112 |
- #endif |
113 |
-+.section .initial_pg_fixmap,"a",@progbits |
114 |
- initial_pg_fixmap: |
115 |
- .fill 1024,4,0 |
116 |
-+.section .empty_zero_page,"a",@progbits |
117 |
+@@ -677,15 +766,18 @@ initial_pg_fixmap: |
118 |
ENTRY(empty_zero_page) |
119 |
.fill 4096,1,0 |
120 |
-+.section .swapper_pg_dir,"a",@progbits |
121 |
ENTRY(swapper_pg_dir) |
122 |
- .fill 1024,4,0 |
123 |
+#ifdef CONFIG_X86_PAE |
124 |
@@ -27503,21 +27497,24 @@ index 6bc9ae2..33997fe 100644 |
125 |
-__PAGE_ALIGNED_DATA |
126 |
- /* Page-aligned for the benefit of paravirt? */ |
127 |
- .align PAGE_SIZE |
128 |
-+.section .initial_page_table,"a",@progbits |
129 |
++__READ_ONLY |
130 |
++ .balign PAGE_SIZE |
131 |
ENTRY(initial_page_table) |
132 |
.long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */ |
133 |
# if KPMDS == 3 |
134 |
-@@ -704,12 +801,20 @@ ENTRY(initial_page_table) |
135 |
+@@ -703,13 +795,21 @@ ENTRY(initial_page_table) |
136 |
+ # else |
137 |
# error "Kernel PMDs should be 1, 2 or 3" |
138 |
# endif |
139 |
- .align PAGE_SIZE /* needs to be page-sized too */ |
140 |
+- .align PAGE_SIZE /* needs to be page-sized too */ |
141 |
++ .balign PAGE_SIZE /* needs to be page-sized too */ |
142 |
+ |
143 |
-+#ifdef CONFIG_PAX_PER_CPU_PGD |
144 |
++# ifdef CONFIG_PAX_PER_CPU_PGD |
145 |
+ENTRY(cpu_pgd) |
146 |
+ .rept 2*NR_CPUS |
147 |
+ .fill PTRS_PER_PGD,8,0 |
148 |
+ .endr |
149 |
-+#endif |
150 |
++# endif |
151 |
+ |
152 |
#endif |
153 |
|
154 |
@@ -27529,16 +27526,16 @@ index 6bc9ae2..33997fe 100644 |
155 |
|
156 |
__INITRODATA |
157 |
int_msg: |
158 |
-@@ -737,7 +842,7 @@ fault_msg: |
159 |
+@@ -737,7 +837,7 @@ fault_msg: |
160 |
* segment size, and 32-bit linear address value: |
161 |
*/ |
162 |
|
163 |
- .data |
164 |
-+.section .rodata,"a",@progbits |
165 |
++__READ_ONLY |
166 |
.globl boot_gdt_descr |
167 |
.globl idt_descr |
168 |
|
169 |
-@@ -746,7 +851,7 @@ fault_msg: |
170 |
+@@ -746,7 +846,7 @@ fault_msg: |
171 |
.word 0 # 32 bit align gdt_desc.address |
172 |
boot_gdt_descr: |
173 |
.word __BOOT_DS+7 |
174 |
@@ -27547,7 +27544,7 @@ index 6bc9ae2..33997fe 100644 |
175 |
|
176 |
.word 0 # 32-bit align idt_desc.address |
177 |
idt_descr: |
178 |
-@@ -757,7 +862,7 @@ idt_descr: |
179 |
+@@ -757,7 +857,7 @@ idt_descr: |
180 |
.word 0 # 32 bit align gdt_desc.address |
181 |
ENTRY(early_gdt_descr) |
182 |
.word GDT_ENTRIES*8-1 |
183 |
@@ -27556,7 +27553,7 @@ index 6bc9ae2..33997fe 100644 |
184 |
|
185 |
/* |
186 |
* The boot_gdt must mirror the equivalent in setup.S and is |
187 |
-@@ -766,5 +871,65 @@ ENTRY(early_gdt_descr) |
188 |
+@@ -766,5 +866,65 @@ ENTRY(early_gdt_descr) |
189 |
.align L1_CACHE_BYTES |
190 |
ENTRY(boot_gdt) |
191 |
.fill GDT_ENTRY_BOOT_CS,8,0 |
192 |
@@ -27625,7 +27622,7 @@ index 6bc9ae2..33997fe 100644 |
193 |
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0 |
194 |
+ .endr |
195 |
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S |
196 |
-index ffdc0e8..60b5d16 100644 |
197 |
+index ffdc0e8..1827c62 100644 |
198 |
--- a/arch/x86/kernel/head_64.S |
199 |
+++ b/arch/x86/kernel/head_64.S |
200 |
@@ -20,6 +20,8 @@ |
201 |
@@ -27704,7 +27701,7 @@ index ffdc0e8..60b5d16 100644 |
202 |
movq %rcx, %cr4 |
203 |
|
204 |
/* Setup early boot stage 4 level pagetables. */ |
205 |
-@@ -205,10 +239,21 @@ ENTRY(secondary_startup_64) |
206 |
+@@ -205,10 +239,24 @@ ENTRY(secondary_startup_64) |
207 |
movl $MSR_EFER, %ecx |
208 |
rdmsr |
209 |
btsl $_EFER_SCE, %eax /* Enable System Call */ |
210 |
@@ -27716,7 +27713,10 @@ index ffdc0e8..60b5d16 100644 |
211 |
+ je 1f |
212 |
btsq $_PAGE_BIT_NX,early_pmd_flags(%rip) |
213 |
+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_PAGE_OFFSET(%rip) |
214 |
-+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip) |
215 |
++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START)(%rip) |
216 |
++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START) + 8(%rip) |
217 |
++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START) + 16(%rip) |
218 |
++ btsq $_PAGE_BIT_NX, init_level4_pgt + (8*L4_VMALLOC_START) + 24(%rip) |
219 |
+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip) |
220 |
+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip) |
221 |
+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*504(%rip) |
222 |
@@ -27727,7 +27727,7 @@ index ffdc0e8..60b5d16 100644 |
223 |
1: wrmsr /* Make changes effective */ |
224 |
|
225 |
/* Setup cr0 */ |
226 |
-@@ -288,6 +333,7 @@ ENTRY(secondary_startup_64) |
227 |
+@@ -288,6 +336,7 @@ ENTRY(secondary_startup_64) |
228 |
* REX.W + FF /5 JMP m16:64 Jump far, absolute indirect, |
229 |
* address given in m16:64. |
230 |
*/ |
231 |
@@ -27735,7 +27735,7 @@ index ffdc0e8..60b5d16 100644 |
232 |
movq initial_code(%rip),%rax |
233 |
pushq $0 # fake return address to stop unwinder |
234 |
pushq $__KERNEL_CS # set correct cs |
235 |
-@@ -321,7 +367,7 @@ ENDPROC(start_cpu0) |
236 |
+@@ -321,7 +370,7 @@ ENDPROC(start_cpu0) |
237 |
.quad INIT_PER_CPU_VAR(irq_stack_union) |
238 |
|
239 |
GLOBAL(stack_start) |
240 |
@@ -27744,7 +27744,7 @@ index ffdc0e8..60b5d16 100644 |
241 |
.word 0 |
242 |
__FINITDATA |
243 |
|
244 |
-@@ -401,7 +447,7 @@ early_idt_handler_common: |
245 |
+@@ -401,7 +450,7 @@ early_idt_handler_common: |
246 |
call dump_stack |
247 |
#ifdef CONFIG_KALLSYMS |
248 |
leaq early_idt_ripmsg(%rip),%rdi |
249 |
@@ -27753,15 +27753,15 @@ index ffdc0e8..60b5d16 100644 |
250 |
call __print_symbol |
251 |
#endif |
252 |
#endif /* EARLY_PRINTK */ |
253 |
-@@ -430,6 +476,7 @@ ENDPROC(early_idt_handler_common) |
254 |
+@@ -430,6 +479,7 @@ ENDPROC(early_idt_handler_common) |
255 |
early_recursion_flag: |
256 |
.long 0 |
257 |
|
258 |
-+ .section .rodata,"a",@progbits |
259 |
++ __READ_ONLY |
260 |
#ifdef CONFIG_EARLY_PRINTK |
261 |
early_idt_msg: |
262 |
.asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n" |
263 |
-@@ -452,40 +499,70 @@ GLOBAL(name) |
264 |
+@@ -452,40 +502,70 @@ GLOBAL(name) |
265 |
__INITDATA |
266 |
NEXT_PAGE(early_level4_pgt) |
267 |
.fill 511,8,0 |
268 |
@@ -27772,7 +27772,7 @@ index ffdc0e8..60b5d16 100644 |
269 |
.fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0 |
270 |
|
271 |
- .data |
272 |
-+ .section .rodata,"a",@progbits |
273 |
++ __READ_ONLY |
274 |
|
275 |
-#ifndef CONFIG_XEN |
276 |
NEXT_PAGE(init_level4_pgt) |
277 |
@@ -27844,7 +27844,7 @@ index ffdc0e8..60b5d16 100644 |
278 |
|
279 |
NEXT_PAGE(level2_kernel_pgt) |
280 |
/* |
281 |
-@@ -502,31 +579,79 @@ NEXT_PAGE(level2_kernel_pgt) |
282 |
+@@ -502,31 +582,79 @@ NEXT_PAGE(level2_kernel_pgt) |
283 |
KERNEL_IMAGE_SIZE/PMD_SIZE) |
284 |
|
285 |
NEXT_PAGE(level2_fixmap_pgt) |
286 |
@@ -31240,7 +31240,7 @@ index e574b85..5514c57 100644 |
287 |
case VM86_GET_AND_RESET_IRQ: { |
288 |
return get_and_reset_irq(irqnumber); |
289 |
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S |
290 |
-index 74e4bf1..a9a6168 100644 |
291 |
+index 74e4bf1..0897a97 100644 |
292 |
--- a/arch/x86/kernel/vmlinux.lds.S |
293 |
+++ b/arch/x86/kernel/vmlinux.lds.S |
294 |
@@ -26,6 +26,13 @@ |
295 |
@@ -31310,7 +31310,7 @@ index 74e4bf1..a9a6168 100644 |
296 |
HEAD_TEXT |
297 |
. = ALIGN(8); |
298 |
_stext = .; |
299 |
-@@ -104,13 +124,47 @@ SECTIONS |
300 |
+@@ -104,13 +124,35 @@ SECTIONS |
301 |
IRQENTRY_TEXT |
302 |
*(.fixup) |
303 |
*(.gnu.warning) |
304 |
@@ -31343,18 +31343,6 @@ index 74e4bf1..a9a6168 100644 |
305 |
+ _etext = . - __KERNEL_TEXT_OFFSET; |
306 |
+ } |
307 |
+ |
308 |
-+#ifdef CONFIG_X86_32 |
309 |
-+ . = ALIGN(PAGE_SIZE); |
310 |
-+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) { |
311 |
-+ . = ALIGN(PAGE_SIZE); |
312 |
-+ *(.empty_zero_page) |
313 |
-+ *(.initial_pg_fixmap) |
314 |
-+ *(.initial_pg_pmd) |
315 |
-+ *(.initial_page_table) |
316 |
-+ *(.swapper_pg_dir) |
317 |
-+ } :rodata |
318 |
-+#endif |
319 |
-+ |
320 |
+ . = ALIGN(PAGE_SIZE); |
321 |
+ NOTES :rodata :note |
322 |
+ |
323 |
@@ -31362,7 +31350,7 @@ index 74e4bf1..a9a6168 100644 |
324 |
|
325 |
#if defined(CONFIG_DEBUG_RODATA) |
326 |
/* .text should occupy whole number of pages */ |
327 |
-@@ -122,16 +176,20 @@ SECTIONS |
328 |
+@@ -122,16 +164,20 @@ SECTIONS |
329 |
|
330 |
/* Data */ |
331 |
.data : AT(ADDR(.data) - LOAD_OFFSET) { |
332 |
@@ -31386,7 +31374,7 @@ index 74e4bf1..a9a6168 100644 |
333 |
|
334 |
PAGE_ALIGNED_DATA(PAGE_SIZE) |
335 |
|
336 |
-@@ -174,12 +232,19 @@ SECTIONS |
337 |
+@@ -174,12 +220,19 @@ SECTIONS |
338 |
. = ALIGN(__vvar_page + PAGE_SIZE, PAGE_SIZE); |
339 |
|
340 |
/* Init code and data - will be freed after init */ |
341 |
@@ -31409,7 +31397,7 @@ index 74e4bf1..a9a6168 100644 |
342 |
/* |
343 |
* percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the |
344 |
* output PHDR, so the next output section - .init.text - should |
345 |
-@@ -190,12 +255,33 @@ SECTIONS |
346 |
+@@ -190,12 +243,33 @@ SECTIONS |
347 |
"per-CPU data too large - increase CONFIG_PHYSICAL_START") |
348 |
#endif |
349 |
|
350 |
@@ -31447,7 +31435,7 @@ index 74e4bf1..a9a6168 100644 |
351 |
|
352 |
.x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) { |
353 |
__x86_cpu_dev_start = .; |
354 |
-@@ -266,19 +352,12 @@ SECTIONS |
355 |
+@@ -266,19 +340,12 @@ SECTIONS |
356 |
} |
357 |
|
358 |
. = ALIGN(8); |
359 |
@@ -31468,7 +31456,7 @@ index 74e4bf1..a9a6168 100644 |
360 |
PERCPU_SECTION(INTERNODE_CACHE_BYTES) |
361 |
#endif |
362 |
|
363 |
-@@ -297,16 +376,10 @@ SECTIONS |
364 |
+@@ -297,16 +364,10 @@ SECTIONS |
365 |
.smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) { |
366 |
__smp_locks = .; |
367 |
*(.smp_locks) |
368 |
@@ -31486,7 +31474,7 @@ index 74e4bf1..a9a6168 100644 |
369 |
/* BSS */ |
370 |
. = ALIGN(PAGE_SIZE); |
371 |
.bss : AT(ADDR(.bss) - LOAD_OFFSET) { |
372 |
-@@ -322,6 +395,7 @@ SECTIONS |
373 |
+@@ -322,6 +383,7 @@ SECTIONS |
374 |
__brk_base = .; |
375 |
. += 64 * 1024; /* 64k alignment slop space */ |
376 |
*(.brk_reservation) /* areas brk users have reserved */ |
377 |
@@ -31494,7 +31482,7 @@ index 74e4bf1..a9a6168 100644 |
378 |
__brk_limit = .; |
379 |
} |
380 |
|
381 |
-@@ -348,13 +422,12 @@ SECTIONS |
382 |
+@@ -348,13 +410,12 @@ SECTIONS |
383 |
* for the boot processor. |
384 |
*/ |
385 |
#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load |
386 |
@@ -35806,7 +35794,7 @@ index 740d7ac..4091827 100644 |
387 |
#endif /* CONFIG_HUGETLB_PAGE */ |
388 |
|
389 |
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c |
390 |
-index 493f541..d8e6b22 100644 |
391 |
+index 493f541..ee7a3f0 100644 |
392 |
--- a/arch/x86/mm/init.c |
393 |
+++ b/arch/x86/mm/init.c |
394 |
@@ -4,6 +4,7 @@ |
395 |
@@ -35817,16 +35805,15 @@ index 493f541..d8e6b22 100644 |
396 |
|
397 |
#include <asm/cacheflush.h> |
398 |
#include <asm/e820.h> |
399 |
-@@ -17,6 +18,8 @@ |
400 |
+@@ -17,6 +18,7 @@ |
401 |
#include <asm/proto.h> |
402 |
#include <asm/dma.h> /* for MAX_DMA_PFN */ |
403 |
#include <asm/microcode.h> |
404 |
-+#include <asm/desc.h> |
405 |
+#include <asm/bios_ebda.h> |
406 |
|
407 |
/* |
408 |
* We need to define the tracepoints somewhere, and tlb.c |
409 |
-@@ -618,7 +621,18 @@ void __init init_mem_mapping(void) |
410 |
+@@ -618,7 +620,18 @@ void __init init_mem_mapping(void) |
411 |
early_ioremap_page_table_range_init(); |
412 |
#endif |
413 |
|
414 |
@@ -35845,7 +35832,7 @@ index 493f541..d8e6b22 100644 |
415 |
__flush_tlb_all(); |
416 |
|
417 |
early_memtest(0, max_pfn_mapped << PAGE_SHIFT); |
418 |
-@@ -634,10 +648,34 @@ void __init init_mem_mapping(void) |
419 |
+@@ -634,10 +647,34 @@ void __init init_mem_mapping(void) |
420 |
* Access has to be given to non-kernel-ram areas as well, these contain the PCI |
421 |
* mmio resources as well as potential bios/acpi data regions. |
422 |
*/ |
423 |
@@ -35880,8 +35867,8 @@ index 493f541..d8e6b22 100644 |
424 |
if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) |
425 |
return 0; |
426 |
if (!page_is_ram(pagenr)) |
427 |
-@@ -683,8 +721,127 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) |
428 |
- #endif |
429 |
+@@ -645,6 +682,29 @@ int devmem_is_allowed(unsigned long pagenr) |
430 |
+ return 0; |
431 |
} |
432 |
|
433 |
+#ifdef CONFIG_GRKERNSEC_KMEM |
434 |
@@ -35907,109 +35894,29 @@ index 493f541..d8e6b22 100644 |
435 |
+static inline void gr_init_ebda(void) { } |
436 |
+#endif |
437 |
+ |
438 |
+ void free_init_pages(char *what, unsigned long begin, unsigned long end) |
439 |
+ { |
440 |
+ unsigned long begin_aligned, end_aligned; |
441 |
+@@ -668,7 +728,7 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) |
442 |
+ */ |
443 |
+ #ifdef CONFIG_DEBUG_PAGEALLOC |
444 |
+ printk(KERN_INFO "debug: unmapping init [mem %#010lx-%#010lx]\n", |
445 |
+- begin, end - 1); |
446 |
++ begin, end - 1); |
447 |
+ set_memory_np(begin, (end - begin) >> PAGE_SHIFT); |
448 |
+ #else |
449 |
+ /* |
450 |
+@@ -685,6 +745,8 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end) |
451 |
+ |
452 |
void free_initmem(void) |
453 |
{ |
454 |
-+#ifdef CONFIG_PAX_KERNEXEC |
455 |
-+#ifdef CONFIG_X86_32 |
456 |
-+ /* PaX: limit KERNEL_CS to actual size */ |
457 |
-+ unsigned long addr, limit; |
458 |
-+ struct desc_struct d; |
459 |
-+ int cpu; |
460 |
-+#else |
461 |
-+ pgd_t *pgd; |
462 |
-+ pud_t *pud; |
463 |
-+ pmd_t *pmd; |
464 |
-+ unsigned long addr, end; |
465 |
-+#endif |
466 |
-+#endif |
467 |
-+ |
468 |
+ gr_init_ebda(); |
469 |
+ |
470 |
-+#ifdef CONFIG_PAX_KERNEXEC |
471 |
-+#ifdef CONFIG_X86_32 |
472 |
-+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext; |
473 |
-+ limit = (limit - 1UL) >> PAGE_SHIFT; |
474 |
-+ |
475 |
-+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE); |
476 |
-+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { |
477 |
-+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC); |
478 |
-+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S); |
479 |
-+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S); |
480 |
-+ } |
481 |
-+ |
482 |
-+ /* PaX: make KERNEL_CS read-only */ |
483 |
-+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text)); |
484 |
-+ if (!paravirt_enabled()) |
485 |
-+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT); |
486 |
-+/* |
487 |
-+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) { |
488 |
-+ pgd = pgd_offset_k(addr); |
489 |
-+ pud = pud_offset(pgd, addr); |
490 |
-+ pmd = pmd_offset(pud, addr); |
491 |
-+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); |
492 |
-+ } |
493 |
-+*/ |
494 |
-+#ifdef CONFIG_X86_PAE |
495 |
-+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT); |
496 |
-+/* |
497 |
-+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) { |
498 |
-+ pgd = pgd_offset_k(addr); |
499 |
-+ pud = pud_offset(pgd, addr); |
500 |
-+ pmd = pmd_offset(pud, addr); |
501 |
-+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask))); |
502 |
-+ } |
503 |
-+*/ |
504 |
-+#endif |
505 |
-+ |
506 |
-+#ifdef CONFIG_MODULES |
507 |
-+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT); |
508 |
-+#endif |
509 |
-+ |
510 |
-+#else |
511 |
-+ /* PaX: make kernel code/rodata read-only, rest non-executable */ |
512 |
-+ set_memory_ro((unsigned long)_text, ((unsigned long)(_sdata - _text) >> PAGE_SHIFT)); |
513 |
-+ set_memory_nx((unsigned long)_sdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sdata) >> PAGE_SHIFT); |
514 |
-+ |
515 |
-+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) { |
516 |
-+ pgd = pgd_offset_k(addr); |
517 |
-+ pud = pud_offset(pgd, addr); |
518 |
-+ pmd = pmd_offset(pud, addr); |
519 |
-+ if (!pmd_present(*pmd)) |
520 |
-+ continue; |
521 |
-+ if (addr >= (unsigned long)_text) |
522 |
-+ BUG_ON(!pmd_large(*pmd)); |
523 |
-+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata) |
524 |
-+ BUG_ON(pmd_write(*pmd)); |
525 |
-+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); |
526 |
-+ else |
527 |
-+ BUG_ON(!(pmd_flags(*pmd) & _PAGE_NX)); |
528 |
-+// set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask))); |
529 |
-+ } |
530 |
-+ |
531 |
-+ addr = (unsigned long)__va(__pa(__START_KERNEL_map)); |
532 |
-+ end = addr + KERNEL_IMAGE_SIZE; |
533 |
-+ for (; addr < end; addr += PMD_SIZE) { |
534 |
-+ pgd = pgd_offset_k(addr); |
535 |
-+ pud = pud_offset(pgd, addr); |
536 |
-+ pmd = pmd_offset(pud, addr); |
537 |
-+ if (!pmd_present(*pmd)) |
538 |
-+ continue; |
539 |
-+ if (addr >= (unsigned long)_text) |
540 |
-+ BUG_ON(!pmd_large(*pmd)); |
541 |
-+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata))) |
542 |
-+ BUG_ON(pmd_write(*pmd)); |
543 |
-+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); |
544 |
-+ } |
545 |
-+#endif |
546 |
-+ |
547 |
-+ flush_tlb_all(); |
548 |
-+#endif |
549 |
-+ |
550 |
free_init_pages("unused kernel", |
551 |
(unsigned long)(&__init_begin), |
552 |
(unsigned long)(&__init_end)); |
553 |
diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c |
554 |
-index cb4ef3d..377ec5a 100644 |
555 |
+index cb4ef3d..1b13259 100644 |
556 |
--- a/arch/x86/mm/init_32.c |
557 |
+++ b/arch/x86/mm/init_32.c |
558 |
@@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void); |
559 |
@@ -36253,16 +36160,77 @@ index cb4ef3d..377ec5a 100644 |
560 |
pr_debug("Set kernel text: %lx - %lx for read only\n", |
561 |
start, start+size); |
562 |
|
563 |
-@@ -927,6 +931,7 @@ void mark_rodata_ro(void) |
564 |
+@@ -911,7 +915,7 @@ static void mark_nxdata_nx(void) |
565 |
+ * When this called, init has already been executed and released, |
566 |
+ * so everything past _etext should be NX. |
567 |
+ */ |
568 |
+- unsigned long start = PFN_ALIGN(_etext); |
569 |
++ unsigned long start = ktla_ktva(PFN_ALIGN(_etext)); |
570 |
+ /* |
571 |
+ * This comes from is_kernel_text upper limit. Also HPAGE where used: |
572 |
+ */ |
573 |
+@@ -927,26 +931,47 @@ void mark_rodata_ro(void) |
574 |
unsigned long start = PFN_ALIGN(_text); |
575 |
unsigned long size = PFN_ALIGN(_etext) - start; |
576 |
|
577 |
+- set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT); |
578 |
+- printk(KERN_INFO "Write protecting the kernel text: %luk\n", |
579 |
+- size >> 10); |
580 |
++ if (config_enabled(CONFIG_PAX_KERNEXEC)) { |
581 |
++ /* PaX: limit KERNEL_CS to actual size */ |
582 |
++ unsigned long limit; |
583 |
++ struct desc_struct d; |
584 |
++ int cpu; |
585 |
+ |
586 |
+- kernel_set_to_readonly = 1; |
587 |
++ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext; |
588 |
++ limit = (limit - 1UL) >> PAGE_SHIFT; |
589 |
++ |
590 |
++ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE); |
591 |
++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { |
592 |
++ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC); |
593 |
++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S); |
594 |
++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S); |
595 |
++ } |
596 |
++ |
597 |
++ if (config_enabled(CONFIG_MODULES)) |
598 |
++ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT); |
599 |
++ } |
600 |
++ |
601 |
+ start = ktla_ktva(start); |
602 |
++ /* PaX: make KERNEL_CS read-only */ |
603 |
++ if (config_enabled(CONFIG_PAX_KERNEXEC) && !paravirt_enabled()) { |
604 |
++ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT); |
605 |
++ printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); |
606 |
++ |
607 |
++ kernel_set_to_readonly = 1; |
608 |
+ |
609 |
+ #ifdef CONFIG_CPA_DEBUG |
610 |
+- printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", |
611 |
+- start, start+size); |
612 |
+- set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT); |
613 |
++ printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", start, start+size); |
614 |
++ set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT); |
615 |
+ |
616 |
+- printk(KERN_INFO "Testing CPA: write protecting again\n"); |
617 |
+- set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT); |
618 |
++ printk(KERN_INFO "Testing CPA: write protecting again\n"); |
619 |
++ set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT); |
620 |
+ #endif |
621 |
++ } |
622 |
+ |
623 |
+ start += size; |
624 |
+- size = (unsigned long)__end_rodata - start; |
625 |
++ size = PFN_ALIGN(_sdata) - start; |
626 |
set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT); |
627 |
- printk(KERN_INFO "Write protecting the kernel text: %luk\n", |
628 |
- size >> 10); |
629 |
+- printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", |
630 |
+- size >> 10); |
631 |
++ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", size >> 10); |
632 |
+ rodata_test(); |
633 |
+ |
634 |
+ #ifdef CONFIG_CPA_DEBUG |
635 |
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c |
636 |
-index 5488d21..6063860 100644 |
637 |
+index 5488d21..9f75681 100644 |
638 |
--- a/arch/x86/mm/init_64.c |
639 |
+++ b/arch/x86/mm/init_64.c |
640 |
@@ -137,7 +137,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, |
641 |
@@ -36395,6 +36363,94 @@ index 5488d21..6063860 100644 |
642 |
spin_unlock(&init_mm.page_table_lock); |
643 |
pgd_changed = true; |
644 |
} |
645 |
+@@ -1107,8 +1135,7 @@ void set_kernel_text_ro(void) |
646 |
+ if (!kernel_set_to_readonly) |
647 |
+ return; |
648 |
+ |
649 |
+- pr_debug("Set kernel text: %lx - %lx for read only\n", |
650 |
+- start, end); |
651 |
++ pr_debug("Set kernel text: %lx - %lx for read only\n", start, end); |
652 |
+ |
653 |
+ /* |
654 |
+ * Set the kernel identity mapping for text RO. |
655 |
+@@ -1118,15 +1145,20 @@ void set_kernel_text_ro(void) |
656 |
+ |
657 |
+ void mark_rodata_ro(void) |
658 |
+ { |
659 |
++ unsigned long addr; |
660 |
+ unsigned long start = PFN_ALIGN(_text); |
661 |
+ unsigned long rodata_start = PFN_ALIGN(__start_rodata); |
662 |
++#ifdef CONFIG_PAX_KERNEXEC |
663 |
++ unsigned long end = PFN_ALIGN(_sdata); |
664 |
++ unsigned long text_end = end; |
665 |
++#else |
666 |
+ unsigned long end = (unsigned long) &__end_rodata_hpage_align; |
667 |
+ unsigned long text_end = PFN_ALIGN(&__stop___ex_table); |
668 |
++#endif |
669 |
+ unsigned long rodata_end = PFN_ALIGN(&__end_rodata); |
670 |
+ unsigned long all_end; |
671 |
+ |
672 |
+- printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", |
673 |
+- (end - start) >> 10); |
674 |
++ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", (end - start) >> 10); |
675 |
+ set_memory_ro(start, (end - start) >> PAGE_SHIFT); |
676 |
+ |
677 |
+ kernel_set_to_readonly = 1; |
678 |
+@@ -1156,12 +1188,54 @@ void mark_rodata_ro(void) |
679 |
+ set_memory_ro(start, (end-start) >> PAGE_SHIFT); |
680 |
+ #endif |
681 |
+ |
682 |
++#ifdef CONFIG_PAX_KERNEXEC |
683 |
++ /* PaX: ensure that kernel code/rodata is read-only, the rest is non-executable */ |
684 |
++ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) { |
685 |
++ pgd_t *pgd; |
686 |
++ pud_t *pud; |
687 |
++ pmd_t *pmd; |
688 |
++ |
689 |
++ pgd = pgd_offset_k(addr); |
690 |
++ pud = pud_offset(pgd, addr); |
691 |
++ pmd = pmd_offset(pud, addr); |
692 |
++ if (!pmd_present(*pmd)) |
693 |
++ continue; |
694 |
++ if (addr >= (unsigned long)_text) |
695 |
++ BUG_ON(!pmd_large(*pmd)); |
696 |
++ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata) |
697 |
++ BUG_ON(pmd_write(*pmd)); |
698 |
++// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); |
699 |
++ else |
700 |
++ BUG_ON(!(pmd_flags(*pmd) & _PAGE_NX)); |
701 |
++// set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask))); |
702 |
++ } |
703 |
++ |
704 |
++ addr = (unsigned long)__va(__pa(__START_KERNEL_map)); |
705 |
++ end = addr + KERNEL_IMAGE_SIZE; |
706 |
++ for (; addr < end; addr += PMD_SIZE) { |
707 |
++ pgd_t *pgd; |
708 |
++ pud_t *pud; |
709 |
++ pmd_t *pmd; |
710 |
++ |
711 |
++ pgd = pgd_offset_k(addr); |
712 |
++ pud = pud_offset(pgd, addr); |
713 |
++ pmd = pmd_offset(pud, addr); |
714 |
++ if (!pmd_present(*pmd)) |
715 |
++ continue; |
716 |
++ if (addr >= (unsigned long)_text) |
717 |
++ BUG_ON(!pmd_large(*pmd)); |
718 |
++ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata))) |
719 |
++ BUG_ON(pmd_write(*pmd)); |
720 |
++// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW)); |
721 |
++ } |
722 |
++#else |
723 |
+ free_init_pages("unused kernel", |
724 |
+ (unsigned long) __va(__pa_symbol(text_end)), |
725 |
+ (unsigned long) __va(__pa_symbol(rodata_start))); |
726 |
+ free_init_pages("unused kernel", |
727 |
+ (unsigned long) __va(__pa_symbol(rodata_end)), |
728 |
+ (unsigned long) __va(__pa_symbol(_sdata))); |
729 |
++#endif |
730 |
+ |
731 |
+ debug_checkwx(); |
732 |
+ } |
733 |
diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c |
734 |
index 9c0ff04..9020d5f 100644 |
735 |
--- a/arch/x86/mm/iomap_32.c |
736 |
@@ -131434,7 +131490,7 @@ index ba7a9b0..33a0237 100644 |
737 |
extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp); |
738 |
extern void unregister_pppox_proto(int proto_num); |
739 |
diff --git a/include/linux/init.h b/include/linux/init.h |
740 |
-index b449f37..3416791 100644 |
741 |
+index b449f37..2bf1598 100644 |
742 |
--- a/include/linux/init.h |
743 |
+++ b/include/linux/init.h |
744 |
@@ -39,7 +39,7 @@ |
745 |
@@ -131455,6 +131511,19 @@ index b449f37..3416791 100644 |
746 |
#define __meminitdata __section(.meminit.data) |
747 |
#define __meminitconst __constsection(.meminit.rodata) |
748 |
#define __memexit __section(.memexit.text) __exitused __cold notrace |
749 |
+@@ -117,6 +117,12 @@ |
750 |
+ #define __REFDATA .section ".ref.data", "aw" |
751 |
+ #define __REFCONST .section ".ref.rodata", "a" |
752 |
+ |
753 |
++#ifdef CONFIG_PAX_KERNEXEC |
754 |
++#define __READ_ONLY .section ".data..read_only","a",%progbits |
755 |
++#else |
756 |
++#define __READ_ONLY .section ".data..mostly","aw",%progbits |
757 |
++#endif |
758 |
++ |
759 |
+ #ifndef __ASSEMBLY__ |
760 |
+ /* |
761 |
+ * Used for initialization calls.. |
762 |
diff --git a/include/linux/init_task.h b/include/linux/init_task.h |
763 |
index f2cb8d4..2f0363e 100644 |
764 |
--- a/include/linux/init_task.h |
765 |
@@ -211966,10 +212035,10 @@ index 23ba1c6..cad2484 100755 |
766 |
# Find all available archs |
767 |
find_all_archs() |
768 |
diff --git a/security/Kconfig b/security/Kconfig |
769 |
-index e452378..e634654 100644 |
770 |
+index e452378..cc25231 100644 |
771 |
--- a/security/Kconfig |
772 |
+++ b/security/Kconfig |
773 |
-@@ -4,6 +4,994 @@ |
774 |
+@@ -4,6 +4,995 @@ |
775 |
|
776 |
menu "Security options" |
777 |
|
778 |
@@ -212559,6 +212628,7 @@ index e452378..e634654 100644 |
779 |
+ depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN |
780 |
+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) |
781 |
+ select PAX_KERNEXEC_PLUGIN if X86_64 |
782 |
++ select DEBUG_RODATA if X86 |
783 |
+ select ARM_KERNMEM_PERMS if ARM |
784 |
+ help |
785 |
+ This is the kernel land equivalent of PAGEEXEC and MPROTECT, |
786 |
@@ -212964,7 +213034,7 @@ index e452378..e634654 100644 |
787 |
source security/keys/Kconfig |
788 |
|
789 |
config SECURITY_DMESG_RESTRICT |
790 |
-@@ -104,7 +1092,7 @@ config INTEL_TXT |
791 |
+@@ -104,7 +1093,7 @@ config INTEL_TXT |
792 |
config LSM_MMAP_MIN_ADDR |
793 |
int "Low address space for LSM to protect from user allocation" |
794 |
depends on SECURITY && SECURITY_SELINUX |
795 |
|
796 |
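--- a/4.5.7/4425_grsec_remove_EI_PAX.patch
+++ b/4.5.7/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
 --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -279,7 +279,7 @@
+@@ -280,7 +280,7 @@
 
 config PAX_EI_PAX
 bool 'Use legacy ELF header marking'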
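--- a/4.5.7/4450_grsec-kconfig-default-gids.patch
+++ b/4.5.7/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 diff -Nuar a/security/Kconfig b/security/Kconfig
 --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -207,7 +207,7 @@
+@@ -208,7 +208,7 @@
 
 config GRKERNSEC_PROC_GID
 int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines which group will be exempted from
 grsecurity's /proc restrictions, allowing users of the specified
-@@ -218,7 +218,7 @@
+@@ -219,7 +219,7 @@
 config GRKERNSEC_TPE_UNTRUSTED_GID
 int "GID for TPE-untrusted users"
 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines which group untrusted users should
 be added to. These users will be placed under grsecurity's Trusted Path
-@@ -230,7 +230,7 @@
+@@ -231,7 +231,7 @@
 config GRKERNSEC_TPE_TRUSTED_GID
 int "GID for TPE-trusted users"
 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -239,7 +239,7 @@
+@@ -240,7 +240,7 @@
 config GRKERNSEC_SYMLINKOWN_GID
 int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
 depends on GRKERNSEC_CONFIG_SERVER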
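--- a/4.5.7/4470_disable-compat_vdso.patch
+++ b/4.5.7/4470_disable-compat_vdso.patch
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -2044,29 +2044,8 @@
+@@ -2047,29 +2047,8 @@
 
 config COMPAT_VDSO
 def_bool n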
diff --git a/4.5.7/4475_emutramp_default_on.patch b/4.5.7/4475_emutramp_default_on.patch |
866 |
index afd6019..feb8c7b 100644 |
867 |
--- a/4.5.7/4475_emutramp_default_on.patch |
868 |
+++ b/4.5.7/4475_emutramp_default_on.patch |
869 |
@@ -10,7 +10,7 @@ See bug: |
870 |
diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig |
871 |
--- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400 |
872 |
+++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400 |
873 |
-@@ -439,7 +439,7 @@ |
874 |
+@@ -440,7 +440,7 @@ |
875 |
|
876 |
config PAX_EMUTRAMP |
877 |
bool "Emulate trampolines" |
878 |
@@ -19,7 +19,7 @@ diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/secur |
879 |
depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86) |
880 |
help |
881 |
There are some programs and libraries that for one reason or |
882 |
-@@ -462,6 +462,12 @@ |
883 |
+@@ -463,6 +463,12 @@ |
884 |
utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC |
885 |
for the affected files. |