commit: f31dc62ba3b58489d68b09632c7f5c9272bf9d78 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Sat Feb 8 17:38:31 2014 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 8 17:38:31 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f31dc62b |
|
Grsec/PaX: 3.0-{3.2.54,3.13.2}-201402062224 |
|
--- |
{3.13.1 => 3.13.2}/0000_README | 2 +- |
.../4420_grsecurity-3.0-3.13.2-201402062224.patch | 382 +++++++++++++-------- |
{3.13.1 => 3.13.2}/4425_grsec_remove_EI_PAX.patch | 2 +- |
.../4427_force_XATTR_PAX_tmpfs.patch | 0 |
.../4430_grsec-remove-localversion-grsec.patch | 0 |
{3.13.1 => 3.13.2}/4435_grsec-mute-warnings.patch | 0 |
.../4440_grsec-remove-protected-paths.patch | 7 +- |
.../4450_grsec-kconfig-default-gids.patch | 20 +- |
.../4465_selinux-avc_audit-log-curr_ip.patch | 2 +- |
{3.13.1 => 3.13.2}/4470_disable-compat_vdso.patch | 0 |
{3.13.1 => 3.13.2}/4475_emutramp_default_on.patch | 2 +- |
3.2.54/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.2.54-201402062221.patch} | 41 ++- |
3.2.54/4425_grsec_remove_EI_PAX.patch | 2 +- |
3.2.54/4440_grsec-remove-protected-paths.patch | 7 +- |
3.2.54/4450_grsec-kconfig-default-gids.patch | 8 +- |
3.2.54/4475_emutramp_default_on.patch | 2 +- |
17 files changed, 313 insertions(+), 166 deletions(-) |
|
diff --git a/3.13.1/0000_README b/3.13.2/0000_README |
31 |
similarity index 96% |
32 |
rename from 3.13.1/0000_README |
33 |
rename to 3.13.2/0000_README |
34 |
index 6b35ea7..850ef1e 100644 |
35 |
--- a/3.13.1/0000_README |
36 |
+++ b/3.13.2/0000_README |
37 |
@@ -2,7 +2,7 @@ README |
38 |
----------------------------------------------------------------------------- |
39 |
Individual Patch Descriptions: |
40 |
----------------------------------------------------------------------------- |
41 |
-Patch: 4420_grsecurity-3.0-3.13.1-201402052349.patch |
42 |
+Patch: 4420_grsecurity-3.0-3.13.2-201402062224.patch |
43 |
From: http://www.grsecurity.net |
44 |
Desc: hardened-sources base patch from upstream grsecurity |
45 |
|
46 |
|
47 |
diff --git a/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch b/3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch |
48 |
similarity index 99% |
49 |
rename from 3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch |
50 |
rename to 3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch |
51 |
index ee1465f..824a474 100644 |
52 |
--- a/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch |
53 |
+++ b/3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch |
54 |
@@ -287,7 +287,7 @@ index b9e9bd8..bf49b92 100644 |
55 |
|
56 |
pcd. [PARIDE] |
57 |
diff --git a/Makefile b/Makefile |
58 |
-index de4cda9..e5ec62c 100644 |
59 |
+index a7fd5d9..84ed0df 100644 |
60 |
--- a/Makefile |
61 |
+++ b/Makefile |
62 |
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ |
63 |
@@ -302,7 +302,23 @@ index de4cda9..e5ec62c 100644 |
64 |
|
65 |
# Decide whether to build built-in, modular, or both. |
66 |
# Normally, just do built-in. |
67 |
-@@ -417,8 +418,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \ |
68 |
+@@ -311,9 +312,15 @@ endif |
69 |
+ # If the user is running make -s (silent mode), suppress echoing of |
70 |
+ # commands |
71 |
+ |
72 |
++ifneq ($(filter 4.%,$(MAKE_VERSION)),) # make-4 |
73 |
++ifneq ($(filter %s ,$(firstword x$(MAKEFLAGS))),) |
74 |
++ quiet=silent_ |
75 |
++endif |
76 |
++else # make-3.8x |
77 |
+ ifneq ($(filter s% -s%,$(MAKEFLAGS)),) |
78 |
+ quiet=silent_ |
79 |
+ endif |
80 |
++endif |
81 |
+ |
82 |
+ export quiet Q KBUILD_VERBOSE |
83 |
+ |
84 |
+@@ -417,8 +424,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \ |
85 |
# Rules shared between *config targets and build targets |
86 |
|
87 |
# Basic helpers built in scripts/ |
88 |
@@ -313,7 +329,7 @@ index de4cda9..e5ec62c 100644 |
89 |
$(Q)$(MAKE) $(build)=scripts/basic |
90 |
$(Q)rm -f .tmp_quiet_recordmcount |
91 |
|
92 |
-@@ -579,6 +580,76 @@ else |
93 |
+@@ -579,6 +586,74 @@ else |
94 |
KBUILD_CFLAGS += -O2 |
95 |
endif |
96 |
|
97 |
@@ -340,10 +356,8 @@ index de4cda9..e5ec62c 100644 |
98 |
+KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN |
99 |
+endif |
100 |
+ifdef CONFIG_GRKERNSEC_RANDSTRUCT |
101 |
-+GRKERNSEC_RANDSTRUCT_SEED := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gen-random-seed.sh) |
102 |
+RANDSTRUCT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/randomize_layout_plugin.so -DRANDSTRUCT_PLUGIN |
103 |
-+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-seed=$(GRKERNSEC_RANDSTRUCT_SEED) |
104 |
-+RANDSTRUCT_HASHED_SEED := $(shell cat "$(srctree)/tools/gcc/randstruct.hashed_seed") |
105 |
++RANDSTRUCT_HASHED_SEED := $(shell cat "$(objtree)/tools/gcc/randomize_layout_hash.data") |
106 |
+RANDSTRUCT_PLUGIN_CFLAGS += -DRANDSTRUCT_HASHED_SEED="\"$(RANDSTRUCT_HASHED_SEED)\"" |
107 |
+ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE |
108 |
+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode |
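Review bot: Removing the parse-time `$(shell $(CONFIG_SHELL) $(srctree)/scripts/gen-random-seed.sh)` means `RANDSTRUCT_HASHED_SEED := $(shell cat "$(objtree)/tools/gcc/randomize_layout_hash.data")` now relies on that file already existing when the top-level Makefile is parsed, and the MRPROPER_FILES hunk further down lists it as a build product; on a parse that runs before it is generated, the value is empty and the next line silently passes `-DRANDSTRUCT_HASHED_SEED=""`, with cat's stderr message the only hint. Whether a later re-invocation of make picks up the real value is not visible here, so a comment at the assignment naming the step that produces the file, or a visible check such as `$(if $(strip $(RANDSTRUCT_HASHED_SEED)),,$(warning randomize_layout_hash.data not found under $(objtree)/tools/gcc))`, would make an unhashed build noticeable. Reading the file from `$(objtree)` instead of `$(srctree)` is the right change for `O=` builds, since the hash is generated rather than checked in. The `ifdef CONFIG_GRKERNSEC_RANDSTRUCT` that encloses these lines opens in the hunk but its `endif` lies outside it.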
109 |
@@ -390,7 +404,16 @@ index de4cda9..e5ec62c 100644 |
110 |
include $(srctree)/arch/$(SRCARCH)/Makefile |
111 |
|
112 |
ifdef CONFIG_READABLE_ASM |
113 |
-@@ -754,7 +825,7 @@ export mod_sign_cmd |
114 |
+@@ -619,7 +694,7 @@ endif |
115 |
+ |
116 |
+ ifdef CONFIG_DEBUG_INFO |
117 |
+ KBUILD_CFLAGS += -g |
118 |
+-KBUILD_AFLAGS += -gdwarf-2 |
119 |
++KBUILD_AFLAGS += -Wa,--gdwarf-2 |
120 |
+ endif |
121 |
+ |
122 |
+ ifdef CONFIG_DEBUG_INFO_REDUCED |
123 |
+@@ -754,7 +829,7 @@ export mod_sign_cmd |
124 |
|
125 |
|
126 |
ifeq ($(KBUILD_EXTMOD),) |
127 |
@@ -399,7 +422,7 @@ index de4cda9..e5ec62c 100644 |
128 |
|
129 |
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ |
130 |
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \ |
131 |
-@@ -803,6 +874,8 @@ endif |
132 |
+@@ -803,6 +878,8 @@ endif |
133 |
|
134 |
# The actual objects are generated when descending, |
135 |
# make sure no implicit rule kicks in |
136 |
@@ -408,7 +431,7 @@ index de4cda9..e5ec62c 100644 |
137 |
$(sort $(vmlinux-deps)): $(vmlinux-dirs) ; |
138 |
|
139 |
# Handle descending into subdirectories listed in $(vmlinux-dirs) |
140 |
-@@ -812,7 +885,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; |
141 |
+@@ -812,7 +889,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ; |
142 |
# Error messages still appears in the original language |
143 |
|
144 |
PHONY += $(vmlinux-dirs) |
145 |
@@ -417,7 +440,7 @@ index de4cda9..e5ec62c 100644 |
146 |
$(Q)$(MAKE) $(build)=$@ |
147 |
|
148 |
define filechk_kernel.release |
149 |
-@@ -855,10 +928,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ |
150 |
+@@ -855,10 +932,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \ |
151 |
|
152 |
archprepare: archheaders archscripts prepare1 scripts_basic |
153 |
|
154 |
@@ -431,7 +454,7 @@ index de4cda9..e5ec62c 100644 |
155 |
prepare: prepare0 |
156 |
|
157 |
# Generate some files |
158 |
-@@ -966,6 +1042,8 @@ all: modules |
159 |
+@@ -966,6 +1046,8 @@ all: modules |
160 |
# using awk while concatenating to the final file. |
161 |
|
162 |
PHONY += modules |
163 |
@@ -440,7 +463,7 @@ index de4cda9..e5ec62c 100644 |
164 |
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin |
165 |
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order |
166 |
@$(kecho) ' Building modules, stage 2.'; |
167 |
-@@ -981,7 +1059,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) |
168 |
+@@ -981,7 +1063,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) |
169 |
|
170 |
# Target to prepare building external modules |
171 |
PHONY += modules_prepare |
172 |
@@ -449,17 +472,17 @@ index de4cda9..e5ec62c 100644 |
173 |
|
174 |
# Target to install modules |
175 |
PHONY += modules_install |
176 |
-@@ -1047,7 +1125,8 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ |
177 |
+@@ -1047,7 +1129,8 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \ |
178 |
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ |
179 |
signing_key.priv signing_key.x509 x509.genkey \ |
180 |
extra_certificates signing_key.x509.keyid \ |
181 |
- signing_key.x509.signer |
182 |
+ signing_key.x509.signer tools/gcc/size_overflow_hash.h \ |
183 |
-+ tools/gcc/randstruct.seed tools/gcc/randstruct.hashed_seed |
184 |
++ tools/gcc/randomize_layout_seed.h tools/gcc/randomize_layout_hash.data |
185 |
|
186 |
# clean - Delete most, but leave enough to build external modules |
187 |
# |
188 |
-@@ -1087,6 +1166,7 @@ distclean: mrproper |
189 |
+@@ -1087,6 +1170,7 @@ distclean: mrproper |
190 |
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \ |
191 |
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ |
192 |
-o -name '.*.rej' \ |
193 |
@@ -467,7 +490,7 @@ index de4cda9..e5ec62c 100644 |
194 |
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ |
195 |
-type f -print | xargs rm -f |
196 |
|
197 |
-@@ -1248,6 +1328,8 @@ PHONY += $(module-dirs) modules |
198 |
+@@ -1248,6 +1332,8 @@ PHONY += $(module-dirs) modules |
199 |
$(module-dirs): crmodverdir $(objtree)/Module.symvers |
200 |
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) |
201 |
|
202 |
@@ -476,7 +499,7 @@ index de4cda9..e5ec62c 100644 |
203 |
modules: $(module-dirs) |
204 |
@$(kecho) ' Building modules, stage 2.'; |
205 |
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost |
206 |
-@@ -1387,17 +1469,21 @@ else |
207 |
+@@ -1387,17 +1473,21 @@ else |
208 |
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) |
209 |
endif |
210 |
|
211 |
@@ -502,7 +525,7 @@ index de4cda9..e5ec62c 100644 |
212 |
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) |
213 |
%.symtypes: %.c prepare scripts FORCE |
214 |
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) |
215 |
-@@ -1407,11 +1493,15 @@ endif |
216 |
+@@ -1407,11 +1497,15 @@ endif |
217 |
$(cmd_crmodverdir) |
218 |
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ |
219 |
$(build)=$(build-dir) |
220 |
@@ -3596,6 +3619,29 @@ index 8a1b5e0..5f30074 100644 |
221 |
|
222 |
/* omap_hwmod_list contains all registered struct omap_hwmods */ |
223 |
static LIST_HEAD(omap_hwmod_list); |
224 |
+diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c |
225 |
+index 95fee54..cfa9cf1 100644 |
226 |
+--- a/arch/arm/mach-omap2/powerdomains43xx_data.c |
227 |
++++ b/arch/arm/mach-omap2/powerdomains43xx_data.c |
228 |
+@@ -10,6 +10,7 @@ |
229 |
+ |
230 |
+ #include <linux/kernel.h> |
231 |
+ #include <linux/init.h> |
232 |
++#include <asm/pgtable.h> |
233 |
+ |
234 |
+ #include "powerdomain.h" |
235 |
+ |
236 |
+@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void) |
237 |
+ |
238 |
+ void __init am43xx_powerdomains_init(void) |
239 |
+ { |
240 |
+- omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp; |
241 |
++ pax_open_kernel(); |
242 |
++ *(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp; |
243 |
++ pax_close_kernel(); |
244 |
+ pwrdm_register_platform_funcs(&omap4_pwrdm_operations); |
245 |
+ pwrdm_register_pwrdms(powerdomains_am43xx); |
246 |
+ pwrdm_complete_init(); |
247 |
diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c |
248 |
index d15c7bb..b2d1f0c 100644 |
249 |
--- a/arch/arm/mach-omap2/wd_timer.c |
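Review bot: The new `*(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;` casts away not only the const (presumably the reason, since the ops structure is made read-only elsewhere in this patch) but also the function-pointer type, so a signature mismatch on the right-hand side would no longer be caught by the compiler; casting to the member's own type, `*(int (**)(void))&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;` (am43xx_check_vcvp is declared `static int am43xx_check_vcvp(void)` in the hunk context), keeps the check on the stored value while still permitting the write. The same `(void **)` cast appears in the sdhci-esdhc-imx hunk further down (`*(void **)&sdhci_esdhc_ops.platform_execute_tuning`). The pax_open_kernel()/pax_close_kernel() window is limited to the single store, which is the right shape. The enclosing function am43xx_powerdomains_init() continues past the end of the inner hunk.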
250 |
@@ -18643,7 +18689,7 @@ index 3ba3de4..6c113b2 100644 |
251 |
#endif |
252 |
#endif /* _ASM_X86_THREAD_INFO_H */ |
253 |
diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h |
254 |
-index e6d90ba..0897f44 100644 |
255 |
+index e6d90ba..f81f114 100644 |
256 |
--- a/arch/x86/include/asm/tlbflush.h |
257 |
+++ b/arch/x86/include/asm/tlbflush.h |
258 |
@@ -17,18 +17,44 @@ |
259 |
@@ -18697,11 +18743,10 @@ index e6d90ba..0897f44 100644 |
260 |
} |
261 |
|
262 |
static inline void __native_flush_tlb_global(void) |
263 |
-@@ -49,6 +75,42 @@ static inline void __native_flush_tlb_global(void) |
264 |
+@@ -49,6 +75,41 @@ static inline void __native_flush_tlb_global(void) |
265 |
|
266 |
static inline void __native_flush_tlb_single(unsigned long addr) |
267 |
{ |
268 |
-+ |
269 |
+ if (static_cpu_has(X86_FEATURE_INVPCID)) { |
270 |
+ u64 descriptor[2]; |
271 |
+ |
272 |
@@ -20255,10 +20300,10 @@ index 47b56a7..efc2bc6 100644 |
273 |
obj-y += proc.o capflags.o powerflags.o common.o |
274 |
obj-y += rdrand.o |
275 |
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c |
276 |
-index bca023b..c544908 100644 |
277 |
+index 59bfebc..d8f27bd 100644 |
278 |
--- a/arch/x86/kernel/cpu/amd.c |
279 |
+++ b/arch/x86/kernel/cpu/amd.c |
280 |
-@@ -743,7 +743,7 @@ static void init_amd(struct cpuinfo_x86 *c) |
281 |
+@@ -753,7 +753,7 @@ static void init_amd(struct cpuinfo_x86 *c) |
282 |
static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size) |
283 |
{ |
284 |
/* AMD errata T13 (order #21922) */ |
285 |
@@ -27510,7 +27555,7 @@ index c697625..a032162 100644 |
286 |
|
287 |
out: |
288 |
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c |
289 |
-index 775702f..737d4a9 100644 |
290 |
+index d86ff15..e77b023 100644 |
291 |
--- a/arch/x86/kvm/lapic.c |
292 |
+++ b/arch/x86/kvm/lapic.c |
293 |
@@ -55,7 +55,7 @@ |
294 |
@@ -27723,10 +27768,10 @@ index da7837e..86c6ebf 100644 |
295 |
|
296 |
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP) |
297 |
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c |
298 |
-index 5d004da..0802480 100644 |
299 |
+index d89d51b..f3c612a 100644 |
300 |
--- a/arch/x86/kvm/x86.c |
301 |
+++ b/arch/x86/kvm/x86.c |
302 |
-@@ -1788,8 +1788,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) |
303 |
+@@ -1791,8 +1791,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data) |
304 |
{ |
305 |
struct kvm *kvm = vcpu->kvm; |
306 |
int lm = is_long_mode(vcpu); |
307 |
@@ -27737,7 +27782,7 @@ index 5d004da..0802480 100644 |
308 |
u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64 |
309 |
: kvm->arch.xen_hvm_config.blob_size_32; |
310 |
u32 page_num = data & ~PAGE_MASK; |
311 |
-@@ -2673,6 +2673,8 @@ long kvm_arch_dev_ioctl(struct file *filp, |
312 |
+@@ -2676,6 +2676,8 @@ long kvm_arch_dev_ioctl(struct file *filp, |
313 |
if (n < msr_list.nmsrs) |
314 |
goto out; |
315 |
r = -EFAULT; |
316 |
@@ -27746,7 +27791,7 @@ index 5d004da..0802480 100644 |
317 |
if (copy_to_user(user_msr_list->indices, &msrs_to_save, |
318 |
num_msrs_to_save * sizeof(u32))) |
319 |
goto out; |
320 |
-@@ -5482,7 +5484,7 @@ static struct notifier_block pvclock_gtod_notifier = { |
321 |
+@@ -5485,7 +5487,7 @@ static struct notifier_block pvclock_gtod_notifier = { |
322 |
}; |
323 |
#endif |
324 |
|
325 |
@@ -35509,7 +35554,7 @@ index c482f8c..c832240 100644 |
326 |
unsigned long timeout_msec) |
327 |
{ |
328 |
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c |
329 |
-index 1393a58..3bf8cbe 100644 |
330 |
+index 1a3dbd1..dfc6e5c 100644 |
331 |
--- a/drivers/ata/libata-core.c |
332 |
+++ b/drivers/ata/libata-core.c |
333 |
@@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev); |
334 |
@@ -35521,7 +35566,7 @@ index 1393a58..3bf8cbe 100644 |
335 |
|
336 |
struct ata_force_param { |
337 |
const char *name; |
338 |
-@@ -4823,7 +4823,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) |
339 |
+@@ -4850,7 +4850,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) |
340 |
struct ata_port *ap; |
341 |
unsigned int tag; |
342 |
|
343 |
@@ -35530,7 +35575,7 @@ index 1393a58..3bf8cbe 100644 |
344 |
ap = qc->ap; |
345 |
|
346 |
qc->flags = 0; |
347 |
-@@ -4839,7 +4839,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) |
348 |
+@@ -4866,7 +4866,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) |
349 |
struct ata_port *ap; |
350 |
struct ata_link *link; |
351 |
|
352 |
@@ -35539,7 +35584,7 @@ index 1393a58..3bf8cbe 100644 |
353 |
WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); |
354 |
ap = qc->ap; |
355 |
link = qc->dev->link; |
356 |
-@@ -5958,6 +5958,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) |
357 |
+@@ -5985,6 +5985,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) |
358 |
return; |
359 |
|
360 |
spin_lock(&lock); |
361 |
@@ -35547,7 +35592,7 @@ index 1393a58..3bf8cbe 100644 |
362 |
|
363 |
for (cur = ops->inherits; cur; cur = cur->inherits) { |
364 |
void **inherit = (void **)cur; |
365 |
-@@ -5971,8 +5972,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) |
366 |
+@@ -5998,8 +5999,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops) |
367 |
if (IS_ERR(*pp)) |
368 |
*pp = NULL; |
369 |
|
370 |
@@ -35558,7 +35603,7 @@ index 1393a58..3bf8cbe 100644 |
371 |
spin_unlock(&lock); |
372 |
} |
373 |
|
374 |
-@@ -6165,7 +6167,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) |
375 |
+@@ -6192,7 +6194,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) |
376 |
|
377 |
/* give ports names and add SCSI hosts */ |
378 |
for (i = 0; i < host->n_ports; i++) { |
379 |
@@ -35568,10 +35613,10 @@ index 1393a58..3bf8cbe 100644 |
380 |
} |
381 |
|
382 |
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c |
383 |
-index 377eb88..8591b44 100644 |
384 |
+index ef8567d..8bdbd03 100644 |
385 |
--- a/drivers/ata/libata-scsi.c |
386 |
+++ b/drivers/ata/libata-scsi.c |
387 |
-@@ -4135,7 +4135,7 @@ int ata_sas_port_init(struct ata_port *ap) |
388 |
+@@ -4147,7 +4147,7 @@ int ata_sas_port_init(struct ata_port *ap) |
389 |
|
390 |
if (rc) |
391 |
return rc; |
392 |
@@ -39035,6 +39080,27 @@ index 9902732..64b62dd 100644 |
393 |
|
394 |
return -EINVAL; |
395 |
} |
396 |
+diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c |
397 |
+index 62d0ff3..073dbf3 100644 |
398 |
+--- a/drivers/gpu/drm/armada/armada_drv.c |
399 |
++++ b/drivers/gpu/drm/armada/armada_drv.c |
400 |
+@@ -68,15 +68,7 @@ void __armada_drm_queue_unref_work(struct drm_device *dev, |
401 |
+ { |
402 |
+ struct armada_private *priv = dev->dev_private; |
403 |
+ |
404 |
+- /* |
405 |
+- * Yes, we really must jump through these hoops just to store a |
406 |
+- * _pointer_ to something into the kfifo. This is utterly insane |
407 |
+- * and idiotic, because it kfifo requires the _data_ pointed to by |
408 |
+- * the pointer const, not the pointer itself. Not only that, but |
409 |
+- * you have to pass a pointer _to_ the pointer you want stored. |
410 |
+- */ |
411 |
+- const struct drm_framebuffer *silly_api_alert = fb; |
412 |
+- WARN_ON(!kfifo_put(&priv->fb_unref, &silly_api_alert)); |
413 |
++ WARN_ON(!kfifo_put(&priv->fb_unref, fb)); |
414 |
+ schedule_work(&priv->fb_unref_work); |
415 |
+ } |
416 |
+ |
417 |
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c |
418 |
index d6cf77c..2842146 100644 |
419 |
--- a/drivers/gpu/drm/drm_crtc.c |
420 |
@@ -40354,6 +40420,19 @@ index ae1cb31..5b5b6b7c 100644 |
421 |
|
422 |
err = drm_debugfs_create_files(dc->debugfs_files, |
423 |
ARRAY_SIZE(debugfs_files), |
424 |
+diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c |
425 |
+index 0cd9bc2..9759be4 100644 |
426 |
+--- a/drivers/gpu/drm/tegra/hdmi.c |
427 |
++++ b/drivers/gpu/drm/tegra/hdmi.c |
428 |
+@@ -57,7 +57,7 @@ struct tegra_hdmi { |
429 |
+ bool stereo; |
430 |
+ bool dvi; |
431 |
+ |
432 |
+- struct drm_info_list *debugfs_files; |
433 |
++ drm_info_list_no_const *debugfs_files; |
434 |
+ struct drm_minor *minor; |
435 |
+ struct dentry *debugfs; |
436 |
+ }; |
437 |
diff --git a/drivers/gpu/drm/ttm/ttm_bo_manager.c b/drivers/gpu/drm/ttm/ttm_bo_manager.c |
438 |
index c58eba33..83c2728 100644 |
439 |
--- a/drivers/gpu/drm/ttm/ttm_bo_manager.c |
440 |
@@ -44379,6 +44458,21 @@ index 464419b..64bae8d 100644 |
441 |
|
442 |
c2dev->dev = device_create(c2port_class, NULL, 0, c2dev, |
443 |
"c2port%d", c2dev->id); |
444 |
+diff --git a/drivers/misc/eeprom/sunxi_sid.c b/drivers/misc/eeprom/sunxi_sid.c |
445 |
+index 9c34e57..b981cda 100644 |
446 |
+--- a/drivers/misc/eeprom/sunxi_sid.c |
447 |
++++ b/drivers/misc/eeprom/sunxi_sid.c |
448 |
+@@ -127,7 +127,9 @@ static int sunxi_sid_probe(struct platform_device *pdev) |
449 |
+ |
450 |
+ platform_set_drvdata(pdev, sid_data); |
451 |
+ |
452 |
+- sid_bin_attr.size = sid_data->keysize; |
453 |
++ pax_open_kernel(); |
454 |
++ *(size_t *)&sid_bin_attr.size = sid_data->keysize; |
455 |
++ pax_close_kernel(); |
456 |
+ if (device_create_bin_file(&pdev->dev, &sid_bin_attr)) |
457 |
+ return -ENODEV; |
458 |
+ |
459 |
diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c |
460 |
index 36f5d52..32311c3 100644 |
461 |
--- a/drivers/misc/kgdbts.c |
462 |
@@ -44809,6 +44903,25 @@ index f320579..7b7ebac 100644 |
463 |
mmci_write_datactrlreg(host, MCI_ST_DPSM_BUSYMODE); |
464 |
} |
465 |
|
466 |
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c |
467 |
+index 1dcaf8a..025af25 100644 |
468 |
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c |
469 |
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c |
470 |
+@@ -1009,9 +1009,12 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev) |
471 |
+ host->quirks2 |= SDHCI_QUIRK2_PRESET_VALUE_BROKEN; |
472 |
+ } |
473 |
+ |
474 |
+- if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) |
475 |
+- sdhci_esdhc_ops.platform_execute_tuning = |
476 |
++ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) { |
477 |
++ pax_open_kernel(); |
478 |
++ *(void **)&sdhci_esdhc_ops.platform_execute_tuning = |
479 |
+ esdhc_executing_tuning; |
480 |
++ pax_close_kernel(); |
481 |
++ } |
482 |
+ boarddata = &imx_data->boarddata; |
483 |
+ if (sdhci_esdhc_imx_probe_dt(pdev, boarddata) < 0) { |
484 |
+ if (!host->mmc->parent->platform_data) { |
485 |
diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c |
486 |
index 6debda9..2ba7427 100644 |
487 |
--- a/drivers/mmc/host/sdhci-s3c.c |
488 |
@@ -45549,10 +45662,10 @@ index a79e9d3..78cd4fa 100644 |
489 |
|
490 |
/* we will have to manufacture ethernet headers, prepare template */ |
491 |
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c |
492 |
-index ed384fe..9e3f4f4 100644 |
493 |
+index 0247973..088193a 100644 |
494 |
--- a/drivers/net/vxlan.c |
495 |
+++ b/drivers/net/vxlan.c |
496 |
-@@ -2617,7 +2617,7 @@ nla_put_failure: |
497 |
+@@ -2615,7 +2615,7 @@ nla_put_failure: |
498 |
return -EMSGSIZE; |
499 |
} |
500 |
|
501 |
@@ -46226,10 +46339,10 @@ index 7aad766..06addb4 100644 |
502 |
data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled", |
503 |
data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled", |
504 |
diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c |
505 |
-index cde9c16..e485cfe 100644 |
506 |
+index f53ef83..5e34bcb 100644 |
507 |
--- a/drivers/net/wireless/iwlwifi/pcie/trans.c |
508 |
+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c |
509 |
-@@ -1368,7 +1368,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, |
510 |
+@@ -1390,7 +1390,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file, |
511 |
struct isr_statistics *isr_stats = &trans_pcie->isr_stats; |
512 |
|
513 |
char buf[8]; |
514 |
@@ -46238,7 +46351,7 @@ index cde9c16..e485cfe 100644 |
515 |
u32 reset_flag; |
516 |
|
517 |
memset(buf, 0, sizeof(buf)); |
518 |
-@@ -1389,7 +1389,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, |
519 |
+@@ -1411,7 +1411,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file, |
520 |
{ |
521 |
struct iwl_trans *trans = file->private_data; |
522 |
char buf[8]; |
523 |
@@ -48544,10 +48657,10 @@ index 084d1fd..9f939eb 100644 |
524 |
uint32_t default_time2wait; /* Default Min time between |
525 |
* relogins (+aens) */ |
526 |
diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c |
527 |
-index a28d5e6..000a8af 100644 |
528 |
+index cf174a4..128a420 100644 |
529 |
--- a/drivers/scsi/qla4xxx/ql4_os.c |
530 |
+++ b/drivers/scsi/qla4xxx/ql4_os.c |
531 |
-@@ -3308,12 +3308,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess) |
532 |
+@@ -3311,12 +3311,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess) |
533 |
*/ |
534 |
if (!iscsi_is_session_online(cls_sess)) { |
535 |
/* Reset retry relogin timer */ |
536 |
@@ -48562,7 +48675,7 @@ index a28d5e6..000a8af 100644 |
537 |
ddb_entry->default_time2wait + 4)); |
538 |
set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags); |
539 |
atomic_set(&ddb_entry->retry_relogin_timer, |
540 |
-@@ -5455,7 +5455,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha, |
541 |
+@@ -5458,7 +5458,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha, |
542 |
|
543 |
atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY); |
544 |
atomic_set(&ddb_entry->relogin_timer, 0); |
545 |
@@ -50607,7 +50720,7 @@ index d0e3a44..5f8b754 100644 |
546 |
ret = -EPERM; |
547 |
goto reterr; |
548 |
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c |
549 |
-index f7beb6e..8c0bbd0 100644 |
550 |
+index a673e5b..36e5d32 100644 |
551 |
--- a/drivers/uio/uio.c |
552 |
+++ b/drivers/uio/uio.c |
553 |
@@ -25,6 +25,7 @@ |
554 |
@@ -50886,7 +50999,7 @@ index 6bffb8c..b404e8b 100644 |
555 |
wake_up(&usb_kill_urb_queue); |
556 |
usb_put_urb(urb); |
557 |
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c |
558 |
-index bd9dc35..c04ae2f 100644 |
559 |
+index 07e6654..6420edf 100644 |
560 |
--- a/drivers/usb/core/hub.c |
561 |
+++ b/drivers/usb/core/hub.c |
562 |
@@ -27,6 +27,7 @@ |
563 |
@@ -50897,7 +51010,7 @@ index bd9dc35..c04ae2f 100644 |
564 |
|
565 |
#include <asm/uaccess.h> |
566 |
#include <asm/byteorder.h> |
567 |
-@@ -4463,6 +4464,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, |
568 |
+@@ -4442,6 +4443,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1, |
569 |
goto done; |
570 |
return; |
571 |
} |
572 |
@@ -56118,10 +56231,10 @@ index a4b38f9..f86a509 100644 |
573 |
spin_lock_init(&delayed_root->lock); |
574 |
init_waitqueue_head(&delayed_root->wait); |
575 |
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c |
576 |
-index 21da576..3551e09 100644 |
577 |
+index 9f831bb..14afde5 100644 |
578 |
--- a/fs/btrfs/ioctl.c |
579 |
+++ b/fs/btrfs/ioctl.c |
580 |
-@@ -3451,9 +3451,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) |
581 |
+@@ -3457,9 +3457,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) |
582 |
for (i = 0; i < num_types; i++) { |
583 |
struct btrfs_space_info *tmp; |
584 |
|
585 |
@@ -56134,7 +56247,7 @@ index 21da576..3551e09 100644 |
586 |
info = NULL; |
587 |
rcu_read_lock(); |
588 |
list_for_each_entry_rcu(tmp, &root->fs_info->space_info, |
589 |
-@@ -3475,10 +3478,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) |
590 |
+@@ -3481,10 +3484,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg) |
591 |
memcpy(dest, &space, sizeof(space)); |
592 |
dest++; |
593 |
space_args.total_spaces++; |
594 |
@@ -57166,7 +57279,7 @@ index bc3fbcd..6031650 100644 |
595 |
return 0; |
596 |
while (nr) { |
597 |
diff --git a/fs/dcache.c b/fs/dcache.c |
598 |
-index cb4a106..b75581f 100644 |
599 |
+index fdbe230..ba17c1f 100644 |
600 |
--- a/fs/dcache.c |
601 |
+++ b/fs/dcache.c |
602 |
@@ -1495,7 +1495,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name) |
603 |
@@ -57178,7 +57291,7 @@ index cb4a106..b75581f 100644 |
604 |
if (!dname) { |
605 |
kmem_cache_free(dentry_cache, dentry); |
606 |
return NULL; |
607 |
-@@ -3429,7 +3429,8 @@ void __init vfs_caches_init(unsigned long mempages) |
608 |
+@@ -3428,7 +3428,8 @@ void __init vfs_caches_init(unsigned long mempages) |
609 |
mempages -= reserve; |
610 |
|
611 |
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, |
612 |
@@ -60150,7 +60263,7 @@ index 92a0f0a..45a48f0 100644 |
613 |
|
614 |
spin_lock(&inode->i_lock); |
615 |
diff --git a/fs/mount.h b/fs/mount.h |
616 |
-index d64c594..6c283db 100644 |
617 |
+index a17458c..e69fb5b 100644 |
618 |
--- a/fs/mount.h |
619 |
+++ b/fs/mount.h |
620 |
@@ -11,7 +11,7 @@ struct mnt_namespace { |
621 |
@@ -64110,7 +64223,7 @@ index 104455b..764c512 100644 |
622 |
kfree(s); |
623 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
624 |
new file mode 100644 |
625 |
-index 0000000..01d5523 |
626 |
+index 0000000..e98584b |
627 |
--- /dev/null |
628 |
+++ b/grsecurity/Kconfig |
629 |
@@ -0,0 +1,1147 @@ |
630 |
@@ -64343,7 +64456,7 @@ index 0000000..01d5523 |
631 |
+ Volatility against the system (unless the kernel source tree isn't |
632 |
+ cleaned after kernel installation). |
633 |
+ |
634 |
-+ The seed used for compilation is located at tools/gcc/randstruct.seed. |
635 |
++ The seed used for compilation is located at tools/gcc/randomize_layout_seed.h. |
636 |
+ It remains after a make clean to allow for external modules to be compiled |
637 |
+ with the existing seed and will be removed by a make mrproper or |
638 |
+ make distclean. |
639 |
@@ -65263,10 +65376,10 @@ index 0000000..01d5523 |
640 |
+endmenu |
641 |
diff --git a/grsecurity/Makefile b/grsecurity/Makefile |
642 |
new file mode 100644 |
643 |
-index 0000000..8a0354c |
644 |
+index 0000000..5307c8a |
645 |
--- /dev/null |
646 |
+++ b/grsecurity/Makefile |
647 |
-@@ -0,0 +1,53 @@ |
648 |
+@@ -0,0 +1,54 @@ |
649 |
+# grsecurity – access control and security hardening for Linux |
650 |
+# All code in this directory and various hooks located throughout the Linux kernel are |
651 |
+# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc. |
652 |
@@ -65318,6 +65431,7 @@ index 0000000..8a0354c |
653 |
+ @-chmod -f 500 /lib64/modules |
654 |
+ @-chmod -f 500 /lib32/modules |
655 |
+ @-chmod -f 700 . |
656 |
++ @-chmod -f 700 $(objtree) |
657 |
+ @echo ' grsec: protected kernel image paths' |
658 |
+endif |
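Review bot: The added `@-chmod -f 700 $(objtree)` looks redundant with the `@-chmod -f 700 .` directly above it, because kbuild runs sub-directory recipes from the top of the object tree, so `.` and `$(objtree)` should name the same directory in both in-tree and `O=` builds; if the intent is to also restrict a separate source tree, `$(srctree)` is the path that can differ, and if it is something else the line deserves a comment saying which directory `.` was not covering. The security purpose is otherwise clear from this commit — the object tree now holds tools/gcc/randomize_layout_seed.h and randomize_layout_hash.data, whose presence in the tree the Kconfig help text flags as undoing the benefit of structure randomization — so a one-line comment such as `# the object tree holds the RANDSTRUCT seed; keep it unreadable to other users` would make the line self-explaining. With both the `-` prefix and `-f`, a failed chmod is fully silent, which is acceptable for a best-effort hardening step but means a missing protection leaves no trace in the build log. The rule this recipe belongs to begins outside the hunk.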
659 |
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c |
660 |
@@ -75711,7 +75825,7 @@ index e73c19e..5b89e00 100644 |
661 |
struct crypto_instance { |
662 |
struct crypto_alg alg; |
663 |
diff --git a/include/drm/drmP.h b/include/drm/drmP.h |
664 |
-index 1d4a920..53a3229 100644 |
665 |
+index 1d4a920..da65658 100644 |
666 |
--- a/include/drm/drmP.h |
667 |
+++ b/include/drm/drmP.h |
668 |
@@ -66,6 +66,7 @@ |
669 |
@@ -75750,16 +75864,17 @@ index 1d4a920..53a3229 100644 |
670 |
|
671 |
/** |
672 |
* Creates a driver or general drm_ioctl_desc array entry for the given |
673 |
-@@ -1013,7 +1016,7 @@ struct drm_info_list { |
674 |
+@@ -1013,7 +1016,8 @@ struct drm_info_list { |
675 |
int (*show)(struct seq_file*, void*); /** show callback */ |
676 |
u32 driver_features; /**< Required driver features for this entry */ |
677 |
void *data; |
678 |
-}; |
679 |
+} __do_const; |
680 |
++typedef struct drm_info_list __no_const drm_info_list_no_const; |
681 |
|
682 |
/** |
683 |
* debugfs node structure. This structure represents a debugfs file. |
684 |
-@@ -1097,7 +1100,7 @@ struct drm_device { |
685 |
+@@ -1097,7 +1101,7 @@ struct drm_device { |
686 |
|
687 |
/** \name Usage Counters */ |
688 |
/*@{ */ |
689 |
@@ -75807,6 +75922,18 @@ index 72dcbe8..8db58d7 100644 |
690 |
|
691 |
/** |
692 |
* struct ttm_mem_global - Global memory accounting structure. |
693 |
+diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h |
694 |
+index d1f61bf..2239439 100644 |
695 |
+--- a/include/drm/ttm/ttm_page_alloc.h |
696 |
++++ b/include/drm/ttm/ttm_page_alloc.h |
697 |
+@@ -78,6 +78,7 @@ void ttm_dma_page_alloc_fini(void); |
698 |
+ */ |
699 |
+ extern int ttm_dma_page_alloc_debugfs(struct seq_file *m, void *data); |
700 |
+ |
701 |
++struct device; |
702 |
+ extern int ttm_dma_populate(struct ttm_dma_tt *ttm_dma, struct device *dev); |
703 |
+ extern void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev); |
704 |
+ |
705 |
diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h |
706 |
index 4b840e8..155d235 100644 |
707 |
--- a/include/keys/asymmetric-subtype.h |
708 |
@@ -78620,10 +78747,10 @@ index 9523d2a..16c0424 100644 |
709 |
|
710 |
int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu); |
711 |
diff --git a/include/linux/libata.h b/include/linux/libata.h |
712 |
-index 9b50337..712d748 100644 |
713 |
+index bec6dbe..2873d64 100644 |
714 |
--- a/include/linux/libata.h |
715 |
+++ b/include/linux/libata.h |
716 |
-@@ -973,7 +973,7 @@ struct ata_port_operations { |
717 |
+@@ -975,7 +975,7 @@ struct ata_port_operations { |
718 |
* fields must be pointers. |
719 |
*/ |
720 |
const struct ata_port_operations *inherits; |
721 |
@@ -91285,7 +91412,7 @@ index 6768ce9..4c41d69 100644 |
722 |
mm = get_task_mm(tsk); |
723 |
if (!mm) |
724 |
diff --git a/mm/mempolicy.c b/mm/mempolicy.c |
725 |
-index 0cd2c4d..9558c83 100644 |
726 |
+index e1bd997..055f496 100644 |
727 |
--- a/mm/mempolicy.c |
728 |
+++ b/mm/mempolicy.c |
729 |
@@ -747,6 +747,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start, |
730 |
@@ -95513,7 +95640,7 @@ index 4a5df7b..9ad1f1d 100644 |
731 |
|
732 |
switch (ss->ss_family) { |
733 |
diff --git a/net/compat.c b/net/compat.c |
734 |
-index dd32e34..94fa415 100644 |
735 |
+index f50161f..94fa415 100644 |
736 |
--- a/net/compat.c |
737 |
+++ b/net/compat.c |
738 |
@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) |
739 |
@@ -95643,31 +95770,7 @@ index dd32e34..94fa415 100644 |
740 |
struct group_filter __user *kgf; |
741 |
int __user *koptlen; |
742 |
u32 interface, fmode, numsrc; |
743 |
-@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, |
744 |
- if (flags & MSG_CMSG_COMPAT) |
745 |
- return -EINVAL; |
746 |
- |
747 |
-- if (COMPAT_USE_64BIT_TIME) |
748 |
-- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, |
749 |
-- flags | MSG_CMSG_COMPAT, |
750 |
-- (struct timespec *) timeout); |
751 |
-- |
752 |
- if (timeout == NULL) |
753 |
- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, |
754 |
- flags | MSG_CMSG_COMPAT, NULL); |
755 |
- |
756 |
-- if (get_compat_timespec(&ktspec, timeout)) |
757 |
-+ if (compat_get_timespec(&ktspec, timeout)) |
758 |
- return -EFAULT; |
759 |
- |
760 |
- datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, |
761 |
- flags | MSG_CMSG_COMPAT, &ktspec); |
762 |
-- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) |
763 |
-+ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) |
764 |
- datagrams = -EFAULT; |
765 |
- |
766 |
- return datagrams; |
767 |
-@@ -808,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) |
768 |
+@@ -803,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) |
769 |
|
770 |
if (call < SYS_SOCKET || call > SYS_SENDMMSG) |
771 |
return -EINVAL; |
772 |
@@ -96481,7 +96584,7 @@ index a1b5bcb..62ec5c6 100644 |
773 |
#endif |
774 |
if (dflt != &ipv4_devconf_dflt) |
775 |
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c |
776 |
-index d846304..d0622bb 100644 |
777 |
+index c7539e2..b455e51 100644 |
778 |
--- a/net/ipv4/fib_frontend.c |
779 |
+++ b/net/ipv4/fib_frontend.c |
780 |
@@ -1015,12 +1015,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event, |
781 |
@@ -96499,7 +96602,7 @@ index d846304..d0622bb 100644 |
782 |
if (ifa->ifa_dev->ifa_list == NULL) { |
783 |
/* Last address was deleted from this interface. |
784 |
* Disable IP. |
785 |
-@@ -1056,7 +1056,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo |
786 |
+@@ -1058,7 +1058,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo |
787 |
#ifdef CONFIG_IP_ROUTE_MULTIPATH |
788 |
fib_sync_up(dev); |
789 |
#endif |
790 |
@@ -96631,7 +96734,7 @@ index 2481993..2d9a7a7 100644 |
791 |
return -ENOMEM; |
792 |
} |
793 |
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c |
794 |
-index e560ef3..218c5c5 100644 |
795 |
+index d306360..1c1a1f1 100644 |
796 |
--- a/net/ipv4/ip_gre.c |
797 |
+++ b/net/ipv4/ip_gre.c |
798 |
@@ -115,7 +115,7 @@ static bool log_ecn_error = true; |
799 |
@@ -101278,20 +101381,6 @@ index 0000000..5e0222d |
800 |
+ [[ "$plugincc" =~ "$1" ]] && echo "$1" |
801 |
+ [[ "$plugincc" =~ "$2" ]] && echo "$2" |
802 |
+fi |
803 |
-diff --git a/scripts/gen-random-seed.sh b/scripts/gen-random-seed.sh |
804 |
-new file mode 100644 |
805 |
-index 0000000..27e0f4a |
806 |
---- /dev/null |
807 |
-+++ b/scripts/gen-random-seed.sh |
808 |
-@@ -0,0 +1,8 @@ |
809 |
-+#!/bin/sh |
810 |
-+ |
811 |
-+if [ ! -f 'tools/gcc/randstruct.seed' ]; then |
812 |
-+ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` |
813 |
-+ echo "$SEED" > tools/gcc/randstruct.seed |
814 |
-+ cat tools/gcc/randstruct.seed | sha256sum | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed |
815 |
-+fi |
816 |
-+cat tools/gcc/randstruct.seed |
817 |
diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh |
818 |
index 5de5660..d3deb89 100644 |
819 |
--- a/scripts/headers_install.sh |
820 |
@@ -102924,6 +103013,21 @@ index 48c3cc9..8022cf7 100644 |
821 |
rtnl_lock(); |
822 |
for_each_net(net) |
823 |
rt_genid_bump_all(net); |
824 |
+diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c |
825 |
+index d106733..539aadd 100644 |
826 |
+--- a/security/selinux/ss/services.c |
827 |
++++ b/security/selinux/ss/services.c |
828 |
+@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, |
829 |
+ struct context context; |
830 |
+ int rc = 0; |
831 |
+ |
832 |
++ /* An empty security context is never valid. */ |
833 |
++ if (!scontext_len) |
834 |
++ return -EINVAL; |
835 |
++ |
836 |
+ if (!ss_initialized) { |
837 |
+ int i; |
838 |
+ |
839 |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c |
840 |
index b0be893..646bd94 100644 |
841 |
--- a/security/smack/smack_lsm.c |
842 |
@@ -103730,10 +103834,10 @@ index 0000000..8eb55ca |
843 |
+randstruct.hashed_seed |
844 |
diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile |
845 |
new file mode 100644 |
846 |
-index 0000000..f8ef8a3 |
847 |
+index 0000000..51a2ba2 |
848 |
--- /dev/null |
849 |
+++ b/tools/gcc/Makefile |
850 |
-@@ -0,0 +1,47 @@ |
851 |
+@@ -0,0 +1,55 @@ |
852 |
+#CC := gcc |
853 |
+#PLUGIN_SOURCE_FILES := pax_plugin.c |
854 |
+#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES)) |
855 |
@@ -103773,6 +103877,8 @@ index 0000000..f8ef8a3 |
856 |
+randomize_layout_plugin-objs := randomize_layout_plugin.o |
857 |
+ |
858 |
+$(obj)/size_overflow_plugin.o: $(objtree)/$(obj)/size_overflow_hash.h |
859 |
++$(obj)/randomize_layout_plugin.o: $(objtree)/$(obj)/randomize_layout_seed.h \ |
860 |
++ $(objtree)/$(obj)/randomize_layout_hash.data |
861 |
+ |
862 |
+quiet_cmd_build_size_overflow_hash = GENHASH $@ |
863 |
+ cmd_build_size_overflow_hash = \ |
864 |
@@ -103780,7 +103886,13 @@ index 0000000..f8ef8a3 |
865 |
+$(objtree)/$(obj)/size_overflow_hash.h: $(src)/size_overflow_hash.data FORCE |
866 |
+ $(call if_changed,build_size_overflow_hash) |
867 |
+ |
868 |
-+targets += size_overflow_hash.h |
869 |
++quiet_cmd_create_randomize_layout_seed = GENSEED $@ |
870 |
++ cmd_create_randomize_layout_seed = \ |
871 |
++ $(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/$(obj)/randomize_layout_hash.data |
872 |
++$(objtree)/$(obj)/randomize_layout_seed.h $(objtree)/$(obj)/randomize_layout_hash.data: FORCE |
873 |
++ $(call if_changed,create_randomize_layout_seed) |
874 |
++ |
875 |
++targets += size_overflow_hash.h randomize_layout_seed.h randomize_layout_hash.data |
876 |
diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c |
877 |
new file mode 100644 |
878 |
index 0000000..5452feea |
879 |
@@ -104672,10 +104784,10 @@ index 0000000..4f67ac1 |
880 |
+} |
881 |
diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h |
882 |
new file mode 100644 |
883 |
-index 0000000..986f39b |
884 |
+index 0000000..312d3b6 |
885 |
--- /dev/null |
886 |
+++ b/tools/gcc/gcc-common.h |
887 |
-@@ -0,0 +1,267 @@ |
888 |
+@@ -0,0 +1,268 @@ |
889 |
+#ifndef GCC_COMMON_H_INCLUDED |
890 |
+#define GCC_COMMON_H_INCLUDED |
891 |
+ |
892 |
@@ -104766,6 +104878,7 @@ index 0000000..986f39b |
893 |
+#if BUILDING_GCC_VERSION >= 4009 |
894 |
+#include "tree-ssa-operands.h" |
895 |
+#include "tree-phinodes.h" |
896 |
++#include "tree-cfg.h" |
897 |
+#include "gimple-iterator.h" |
898 |
+#include "gimple-ssa.h" |
899 |
+#include "ssa-iterators.h" |
900 |
@@ -104943,6 +105056,19 @@ index 0000000..986f39b |
901 |
+#endif |
902 |
+ |
903 |
+#endif |
904 |
+diff --git a/tools/gcc/gen-random-seed.sh b/tools/gcc/gen-random-seed.sh |
905 |
+new file mode 100644 |
906 |
+index 0000000..8030e6e |
907 |
+--- /dev/null |
908 |
++++ b/tools/gcc/gen-random-seed.sh |
909 |
+@@ -0,0 +1,7 @@ |
910 |
++#!/bin/sh |
911 |
++ |
912 |
++if [ ! -f "$1" ]; then |
913 |
++ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'` |
914 |
++ echo "const char *randstruct_seed = \"$SEED\";" > "$1" |
915 |
++ echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d "\n" > "$2" |
916 |
++fi |
917 |
diff --git a/tools/gcc/generate_size_overflow_hash.sh b/tools/gcc/generate_size_overflow_hash.sh |
918 |
new file mode 100644 |
919 |
index 0000000..e518932 |
920 |
@@ -106089,10 +106215,10 @@ index 0000000..592b923 |
921 |
+} |
922 |
diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c |
923 |
new file mode 100644 |
924 |
-index 0000000..8ed761c6 |
925 |
+index 0000000..fed12bf |
926 |
--- /dev/null |
927 |
+++ b/tools/gcc/randomize_layout_plugin.c |
928 |
-@@ -0,0 +1,914 @@ |
929 |
+@@ -0,0 +1,902 @@ |
930 |
+/* |
931 |
+ * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@××××××××××.net> |
932 |
+ * and PaX Team <pageexec@××××××××.hu> |
933 |
@@ -106107,6 +106233,7 @@ index 0000000..8ed761c6 |
934 |
+ */ |
935 |
+ |
936 |
+#include "gcc-common.h" |
937 |
++#include "randomize_layout_seed.h" |
938 |
+ |
939 |
+#define ORIG_TYPE_NAME(node) \ |
940 |
+ (TYPE_NAME(TYPE_MAIN_VARIANT(node)) != NULL_TREE ? ((const unsigned char *)IDENTIFIER_POINTER(TYPE_NAME(TYPE_MAIN_VARIANT(node)))) : (const unsigned char *)"anonymous") |
941 |
@@ -106116,9 +106243,8 @@ index 0000000..8ed761c6 |
942 |
+static int performance_mode; |
943 |
+ |
944 |
+static struct plugin_info randomize_layout_plugin_info = { |
945 |
-+ .version = "201402011940", |
946 |
++ .version = "201402061950", |
947 |
+ .help = "disable\t\t\tdo not activate plugin\n" |
948 |
-+ "seed\t\t\tprovide a required 64-byte seed in hex format\n" |
949 |
+ "performance-mode\tenable cacheline-aware layout randomization\n" |
950 |
+}; |
951 |
+ |
952 |
@@ -106685,13 +106811,8 @@ index 0000000..8ed761c6 |
953 |
+ struct varpool_node *node; |
954 |
+ tree init; |
955 |
+ |
956 |
-+#if BUILDING_GCC_VERSION <= 4007 |
957 |
-+ for (node = varpool_nodes; node; node = node->next) { |
958 |
-+ tree var = node->decl; |
959 |
-+#else |
960 |
+ FOR_EACH_VARIABLE(node) { |
961 |
-+ tree var = node->symbol.decl; |
962 |
-+#endif |
963 |
++ tree var = NODE_DECL(node); |
964 |
+ init = DECL_INITIAL(var); |
965 |
+ if (init == NULL_TREE) |
966 |
+ continue; |
967 |
@@ -106975,22 +107096,15 @@ index 0000000..8ed761c6 |
968 |
+ performance_mode = 1; |
969 |
+ continue; |
970 |
+ } |
971 |
-+ if (!strcmp(argv[i].key, "seed")) { |
972 |
-+ if (!argv[i].value) { |
973 |
-+ error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); |
974 |
-+ continue; |
975 |
-+ } |
976 |
-+ if (strlen(argv[i].value) != 64) { |
977 |
-+ error(G_("invalid value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); |
978 |
-+ continue; |
979 |
-+ } |
980 |
-+ obtained_seed = sscanf(argv[i].value, "%016llx%016llx%016llx%016llx", |
981 |
-+ &shuffle_seed[0], &shuffle_seed[1], &shuffle_seed[2], &shuffle_seed[3]); |
982 |
-+ continue; |
983 |
-+ } |
984 |
+ error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key); |
985 |
+ } |
986 |
+ |
987 |
++ if (strlen(randstruct_seed) != 64) { |
988 |
++ error(G_("invalid seed value supplied for %s plugin"), plugin_name); |
989 |
++ return 1; |
990 |
++ } |
991 |
++ obtained_seed = sscanf(randstruct_seed, "%016llx%016llx%016llx%016llx", |
992 |
++ &shuffle_seed[0], &shuffle_seed[1], &shuffle_seed[2], &shuffle_seed[3]); |
993 |
+ if (obtained_seed != 4) { |
994 |
+ error(G_("Invalid seed supplied for %s plugin"), plugin_name); |
995 |
+ return 1; |
996 |
|
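diff --git a/3.13.1/4425_grsec_remove_EI_PAX.patch b/3.13.2/4425_grsec_remove_EI_PAX.patch
similarity index 96%
rename from 3.13.1/4425_grsec_remove_EI_PAX.patch
rename to 3.13.2/4425_grsec_remove_EI_PAX.patch
index cf65d90..fc51f79 100644
--- a/3.13.1/4425_grsec_remove_EI_PAX.patch
+++ b/3.13.2/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
 --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -267,7 +267,7 @@
+@@ -268,7 +268,7 @@
 
 config PAX_EI_PAX
 bool 'Use legacy ELF header marking'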
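diff --git a/3.13.1/4427_force_XATTR_PAX_tmpfs.patch b/3.13.2/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.13.1/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.13.2/4427_force_XATTR_PAX_tmpfs.patch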
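diff --git a/3.13.1/4430_grsec-remove-localversion-grsec.patch b/3.13.2/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.13.1/4430_grsec-remove-localversion-grsec.patch
rename to 3.13.2/4430_grsec-remove-localversion-grsec.patch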
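diff --git a/3.13.1/4435_grsec-mute-warnings.patch b/3.13.2/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.13.1/4435_grsec-mute-warnings.patch
rename to 3.13.2/4435_grsec-mute-warnings.patch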
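diff --git a/3.13.1/4440_grsec-remove-protected-paths.patch b/3.13.2/4440_grsec-remove-protected-paths.patch
similarity index 71%
rename from 3.13.1/4440_grsec-remove-protected-paths.patch
rename to 3.13.2/4440_grsec-remove-protected-paths.patch
index 05710b1..741546d 100644
--- a/3.13.1/4440_grsec-remove-protected-paths.patch
+++ b/3.13.2/4440_grsec-remove-protected-paths.patch
@@ -4,9 +4,9 @@ We don't want GRSEC's Makefile to change permissions on paths in
 the filesystem.
 
 diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
---- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
-+++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
-@@ -34,10 +34,4 @@
+--- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
++++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
+@@ -44,11 +44,4 @@
 ifdef CONFIG_GRKERNSEC_HIDESYM
 extra-y := grsec_hidesym.o
 $(obj)/grsec_hidesym.o:
@@ -15,5 +15,6 @@ diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
 - @-chmod -f 500 /lib64/modules
 - @-chmod -f 500 /lib32/modules
 - @-chmod -f 700 .
+- @-chmod -f 700 $(objtree)
 - @echo ' grsec: protected kernel image paths'
 endif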
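diff --git a/3.13.1/4450_grsec-kconfig-default-gids.patch b/3.13.2/4450_grsec-kconfig-default-gids.patch
similarity index 95%
rename from 3.13.1/4450_grsec-kconfig-default-gids.patch
rename to 3.13.2/4450_grsec-kconfig-default-gids.patch
index 207c450..88f1f9b 100644
--- a/3.13.1/4450_grsec-kconfig-default-gids.patch
+++ b/3.13.2/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -656,7 +656,7 @@
+@@ -657,7 +657,7 @@
 config GRKERNSEC_AUDIT_GID
 int "GID for auditing"
 depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 
 config GRKERNSEC_EXECLOG
 bool "Exec logging"
-@@ -887,7 +887,7 @@
+@@ -888,7 +888,7 @@
 config GRKERNSEC_TPE_UNTRUSTED_GID
 int "GID for TPE-untrusted users"
 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -896,7 +896,7 @@
+@@ -897,7 +897,7 @@
 config GRKERNSEC_TPE_TRUSTED_GID
 int "GID for TPE-trusted users"
 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -989,7 +989,7 @@
+@@ -990,7 +990,7 @@
 config GRKERNSEC_SOCKET_ALL_GID
 int "GID to deny all sockets for"
 depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable socket access for. Remember to
 add the users you want socket access disabled for to the GID
-@@ -1010,7 +1010,7 @@
+@@ -1011,7 +1011,7 @@
 config GRKERNSEC_SOCKET_CLIENT_GID
 int "GID to deny client sockets for"
 depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 help
 Here you can choose the GID to disable client socket access for.
 Remember to add the users you want client socket access disabled for to
-@@ -1028,7 +1028,7 @@
+@@ -1029,7 +1029,7 @@
 config GRKERNSEC_SOCKET_SERVER_GID
 int "GID to deny server sockets for"
 depends on GRKERNSEC_SOCKET_SERVER
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 diff -Nuar a/security/Kconfig b/security/Kconfig
 --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -195,7 +195,7 @@
+@@ -196,7 +196,7 @@
 
 config GRKERNSEC_PROC_GID
 int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines which group will be exempted from
 grsecurity's /proc restrictions, allowing users of the specified
-@@ -206,7 +206,7 @@
+@@ -207,7 +207,7 @@
 config GRKERNSEC_TPE_UNTRUSTED_GID
 int "GID for TPE-untrusted users"
 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines which group untrusted users should
 be added to. These users will be placed under grsecurity's Trusted Path
-@@ -218,7 +218,7 @@
+@@ -219,7 +219,7 @@
 config GRKERNSEC_TPE_TRUSTED_GID
 int "GID for TPE-trusted users"
 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -227,7 +227,7 @@
+@@ -228,7 +228,7 @@
 config GRKERNSEC_SYMLINKOWN_GID
 int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
 depends on GRKERNSEC_CONFIG_SERVER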
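diff --git a/3.13.1/4465_selinux-avc_audit-log-curr_ip.patch b/3.13.2/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 99%
rename from 3.13.1/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.13.2/4465_selinux-avc_audit-log-curr_ip.patch
index ddabda7..0648169 100644
--- a/3.13.1/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.13.2/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1123,6 +1123,27 @@
+@@ -1124,6 +1124,27 @@
 menu "Logging Options"
 depends on GRKERNSEC
 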
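diff --git a/3.13.1/4470_disable-compat_vdso.patch b/3.13.2/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.13.1/4470_disable-compat_vdso.patch
rename to 3.13.2/4470_disable-compat_vdso.patch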
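diff --git a/3.13.1/4475_emutramp_default_on.patch b/3.13.2/4475_emutramp_default_on.patch
similarity index 97%
rename from 3.13.1/4475_emutramp_default_on.patch
rename to 3.13.2/4475_emutramp_default_on.patch
index cfde6f8..30f6978 100644
--- a/3.13.1/4475_emutramp_default_on.patch
+++ b/3.13.2/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
 --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
-@@ -427,7 +427,7 @@
+@@ -428,7 +428,7 @@
 
 config PAX_EMUTRAMP
 bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)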
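diff --git a/3.2.54/0000_README b/3.2.54/0000_README
index 18647c3..61f72a8 100644
--- a/3.2.54/0000_README
+++ b/3.2.54/0000_README
@@ -134,7 +134,7 @@ Patch: 1053_linux-3.2.54.patch
 From: http://www.kernel.org
 Desc: Linux 3.2.54
 
-Patch: 4420_grsecurity-3.0-3.2.54-201402052347.patch
+Patch: 4420_grsecurity-3.0-3.2.54-201402062221.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 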
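diff --git a/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch b/3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch
similarity index 99%
rename from 3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
rename to 3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch
index fa55d46..88feed1 100644
--- a/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
+++ b/3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch
@@ -52869,10 +52869,25 @@ index 49eefdb..547693e 100644
 do_chunk_alloc(trans, root->fs_info->extent_root,
 num_bytes, data, CHUNK_ALLOC_FORCE);
 diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
-index 618ae6f..118fe0c 100644
+index 618ae6f..82d0bc6 100644
 --- a/fs/btrfs/ioctl.c
 +++ b/fs/btrfs/ioctl.c
-@@ -2733,9 +2733,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+@@ -1329,6 +1329,14 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file,
+ ret = -EINVAL;
+ fput(src_file);
+ goto out;
++ } else if (!inode_owner_or_capable(src_inode)) {
++ /*
++ * Subvolume creation is not restricted, but snapshots
++ * are limited to own subvolumes only
++ */
++ ret = -EPERM;
++ fput(src_file);
++ goto out;
+ }
+ ret = btrfs_mksubvol(&file->f_path, name, namelen,
+ BTRFS_I(src_inode)->root,
+@@ -2733,9 +2741,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
 for (i = 0; i < num_types; i++) {
 struct btrfs_space_info *tmp;
 
@@ -52885,7 +52900,7 @@ index 618ae6f..118fe0c 100644
 info = NULL;
 rcu_read_lock();
 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
-@@ -2757,15 +2760,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+@@ -2757,15 +2768,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
 memcpy(dest, &space, sizeof(space));
 dest++;
 space_args.total_spaces++;
@@ -62842,10 +62857,10 @@ index 0000000..c4717f9
 +endmenu
 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
 new file mode 100644
-index 0000000..5cb186f
+index 0000000..f96524e
 --- /dev/null
 +++ b/grsecurity/Makefile
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,54 @@
 +# grsecurity – access control and security hardening for Linux
 +# All code in this directory and various hooks located throughout the Linux kernel are
 +# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
@@ -62897,6 +62912,7 @@ index 0000000..5cb186f
 + @-chmod -f 500 /lib64/modules
 + @-chmod -f 500 /lib32/modules
 + @-chmod -f 700 .
++ @-chmod -f 700 $(objtree)
 + @echo ' grsec: protected kernel image paths'
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
@@ -104658,6 +104674,21 @@ index b43813c..74be837 100644
 }
 #else
 static inline int selinux_xfrm_enabled(void)
+diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
+index 185f849..72b20b1 100644
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -1229,6 +1229,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
+ struct context context;
+ int rc = 0;
+ 
++ /* An empty security context is never valid. */
++ if (!scontext_len)
++ return -EINVAL;
++ 
+ if (!ss_initialized) {
+ int i;
+ 
 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
 index 7db62b4..ee4d949 100644
 --- a/security/smack/smack_lsm.c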
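Review bot: The new `@-chmod -f 700 $(objtree)` line in the grsecurity/Makefile hunk looks redundant with the `@-chmod -f 700 .` two lines above it: kbuild runs this Makefile with the object tree as the working directory (if I read its objtree definition correctly), so both lines restrict the same directory, and it is `$(srctree)` that differs on an O= build. Whichever directory is intended, the `@-` prefix hides the command and swallows its failure, so the following `@echo ' grsec: protected kernel image paths'` is printed even when nothing was protected; a comment above the block such as `# best effort: chmod may fail for non-root or read-only trees; the echo below does not imply success` would stop readers taking that message as confirmation. The Gentoo 4440_grsec-remove-protected-paths.patch sections later in this commit strip this same line again, so the two copies must stay in step when it changes. The recipe these lines belong to (`$(obj)/grsec_hidesym.o:`) begins outside this hunk.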
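diff --git a/3.2.54/4425_grsec_remove_EI_PAX.patch b/3.2.54/4425_grsec_remove_EI_PAX.patch
index 415fda5..cf65d90 100644
--- a/3.2.54/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.54/4425_grsec_remove_EI_PAX.patch
@@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
 --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
-@@ -266,7 +266,7 @@
+@@ -267,7 +267,7 @@
 
 config PAX_EI_PAX
 bool 'Use legacy ELF header marking'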
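diff --git a/3.2.54/4440_grsec-remove-protected-paths.patch b/3.2.54/4440_grsec-remove-protected-paths.patch
index 05710b1..741546d 100644
--- a/3.2.54/4440_grsec-remove-protected-paths.patch
+++ b/3.2.54/4440_grsec-remove-protected-paths.patch
@@ -4,9 +4,9 @@ We don't want GRSEC's Makefile to change permissions on paths in
 the filesystem.
 
 diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
---- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
-+++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
-@@ -34,10 +34,4 @@
+--- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
++++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
+@@ -44,11 +44,4 @@
 ifdef CONFIG_GRKERNSEC_HIDESYM
 extra-y := grsec_hidesym.o
 $(obj)/grsec_hidesym.o:
@@ -15,5 +15,6 @@ diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
 - @-chmod -f 500 /lib64/modules
 - @-chmod -f 500 /lib32/modules
 - @-chmod -f 700 .
+- @-chmod -f 700 $(objtree)
 - @echo ' grsec: protected kernel image paths'
 endif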
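diff --git a/3.2.54/4450_grsec-kconfig-default-gids.patch b/3.2.54/4450_grsec-kconfig-default-gids.patch
index 55a02aa..71f6231 100644
--- a/3.2.54/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.54/4450_grsec-kconfig-default-gids.patch
@@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 diff -Nuar a/security/Kconfig b/security/Kconfig
 --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
-@@ -194,7 +194,7 @@
+@@ -195,7 +195,7 @@
 
 config GRKERNSEC_PROC_GID
 int "GID exempted from /proc restrictions"
@@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines which group will be exempted from
 grsecurity's /proc restrictions, allowing users of the specified
-@@ -205,7 +205,7 @@
+@@ -206,7 +206,7 @@
 config GRKERNSEC_TPE_UNTRUSTED_GID
 int "GID for TPE-untrusted users"
 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines which group untrusted users should
 be added to. These users will be placed under grsecurity's Trusted Path
-@@ -217,7 +217,7 @@
+@@ -218,7 +218,7 @@
 config GRKERNSEC_TPE_TRUSTED_GID
 int "GID for TPE-trusted users"
 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
 help
 Setting this GID determines what group TPE restrictions will be
 *disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -226,7 +226,7 @@
+@@ -227,7 +227,7 @@
 config GRKERNSEC_SYMLINKOWN_GID
 int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
 depends on GRKERNSEC_CONFIG_SERVER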
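diff --git a/3.2.54/4475_emutramp_default_on.patch b/3.2.54/4475_emutramp_default_on.patch
index df700e6..cfde6f8 100644
--- a/3.2.54/4475_emutramp_default_on.patch
+++ b/3.2.54/4475_emutramp_default_on.patch
@@ -10,7 +10,7 @@ See bug:
 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
 --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
-@@ -426,7 +426,7 @@
+@@ -427,7 +427,7 @@
 
 config PAX_EMUTRAMP
 bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)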