
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:experimental commit in: 2.6.39/, 2.6.32/
Date: Sat, 30 Jul 2011 11:27:03
Message-Id: 76c12f38d3c63651455fab1bee4090746993c6bb.blueness@gentoo
1 commit: 76c12f38d3c63651455fab1bee4090746993c6bb
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sat Jul 30 11:26:41 2011 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sat Jul 30 11:26:41 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=76c12f38
7
8 Add patch to remove legacy PAX_EI_PAX
9
10 ---
11 2.6.32/4421_remove-legacy-pax-ei.patch | 185 ++++++++++++++++++++
12 ... => 4422_grsec-remove-localversion-grsec.patch} | 0
13 ...rnings.patch => 4424_grsec-mute-warnings.patch} | 0
14 ...tch => 4426_grsec-remove-protected-paths.patch} | 0
15 ...ec.patch => 4428_grsec-pax-without-grsec.patch} | 0
16 2.6.32/4435_grsec-kconfig-gentoo.patch | 5 +-
17 2.6.39/4421_remove-legacy-pax-ei.patch | 185 ++++++++++++++++++++
18 ... => 4422_grsec-remove-localversion-grsec.patch} | 0
19 ...rnings.patch => 4424_grsec-mute-warnings.patch} | 0
20 ...tch => 4426_grsec-remove-protected-paths.patch} | 0
21 ...ec.patch => 4428_grsec-pax-without-grsec.patch} | 0
22 2.6.39/4435_grsec-kconfig-gentoo.patch | 9 +-
23 12 files changed, 374 insertions(+), 10 deletions(-)
24
25 diff --git a/2.6.32/4421_remove-legacy-pax-ei.patch b/2.6.32/4421_remove-legacy-pax-ei.patch
26 new file mode 100644
27 index 0000000..8a911f7
28 --- /dev/null
29 +++ b/2.6.32/4421_remove-legacy-pax-ei.patch
30 @@ -0,0 +1,185 @@
31 +diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
32 +--- a/fs/binfmt_elf.c 2011-07-30 07:14:33.000000000 -0400
33 ++++ b/fs/binfmt_elf.c 2011-07-30 07:17:26.000000000 -0400
34 +@@ -557,7 +557,7 @@
35 + return error;
36 + }
37 +
38 +-#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
39 ++#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
40 + static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
41 + {
42 + unsigned long pax_flags = 0UL;
43 +@@ -643,50 +643,7 @@
44 + }
45 + #endif
46 +
47 +-#ifdef CONFIG_PAX_EI_PAX
48 +-static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
49 +-{
50 +- unsigned long pax_flags = 0UL;
51 +-
52 +-#ifdef CONFIG_PAX_PAGEEXEC
53 +- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
54 +- pax_flags |= MF_PAX_PAGEEXEC;
55 +-#endif
56 +-
57 +-#ifdef CONFIG_PAX_SEGMEXEC
58 +- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
59 +- pax_flags |= MF_PAX_SEGMEXEC;
60 +-#endif
61 +-
62 +-#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
63 +- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
64 +- if (nx_enabled)
65 +- pax_flags &= ~MF_PAX_SEGMEXEC;
66 +- else
67 +- pax_flags &= ~MF_PAX_PAGEEXEC;
68 +- }
69 +-#endif
70 +-
71 +-#ifdef CONFIG_PAX_EMUTRAMP
72 +- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
73 +- pax_flags |= MF_PAX_EMUTRAMP;
74 +-#endif
75 +-
76 +-#ifdef CONFIG_PAX_MPROTECT
77 +- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
78 +- pax_flags |= MF_PAX_MPROTECT;
79 +-#endif
80 +-
81 +-#ifdef CONFIG_PAX_ASLR
82 +- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
83 +- pax_flags |= MF_PAX_RANDMMAP;
84 +-#endif
85 +-
86 +- return pax_flags;
87 +-}
88 +-#endif
89 +-
90 +-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
91 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
92 + static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
93 + {
94 + unsigned long pax_flags = 0UL;
95 +@@ -696,10 +653,6 @@
96 + int found_flags = 0;
97 + #endif
98 +
99 +-#ifdef CONFIG_PAX_EI_PAX
100 +- pax_flags = pax_parse_ei_pax(elf_ex);
101 +-#endif
102 +-
103 + #ifdef CONFIG_PAX_PT_PAX_FLAGS
104 + for (i = 0UL; i < elf_ex->e_phnum; i++)
105 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
106 +@@ -722,7 +675,7 @@
107 + }
108 + #endif
109 +
110 +-#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
111 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
112 + if (found_flags == 0) {
113 + struct elf_phdr phdr;
114 + memset(&phdr, 0, sizeof(phdr));
115 +@@ -956,7 +909,7 @@
116 +
117 + current->mm->def_flags = 0;
118 +
119 +-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
120 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
121 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
122 + send_sig(SIGKILL, current, 0);
123 + goto out_free_dentry;
124 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
125 +--- a/grsecurity/Kconfig 2011-07-30 07:14:33.000000000 -0400
126 ++++ b/grsecurity/Kconfig 2011-07-30 07:17:56.000000000 -0400
127 +@@ -49,7 +49,6 @@
128 + config GRKERNSEC_MEDIUM
129 + bool "Medium"
130 + select PAX
131 +- select PAX_EI_PAX
132 + select PAX_PT_PAX_FLAGS
133 + select PAX_HAVE_ACL_FLAGS
134 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
135 +@@ -147,7 +146,6 @@
136 + select PAX_RANDMMAP
137 + select PAX_NOEXEC
138 + select PAX_MPROTECT
139 +- select PAX_EI_PAX
140 + select PAX_PT_PAX_FLAGS
141 + select PAX_HAVE_ACL_FLAGS
142 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
143 +diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
144 +--- a/include/linux/grsecurity.h 2011-07-30 07:14:33.000000000 -0400
145 ++++ b/include/linux/grsecurity.h 2011-07-30 07:19:50.000000000 -0400
146 +@@ -10,11 +10,11 @@
147 + #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
148 + #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
149 + #endif
150 +-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
151 +-#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
152 ++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
153 ++#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
154 + #endif
155 +-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
156 +-#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
157 ++#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
158 ++#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
159 + #endif
160 + #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
161 + #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
162 +diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
163 +--- a/include/linux/mm_types.h 2011-07-30 07:14:33.000000000 -0400
164 ++++ b/include/linux/mm_types.h 2011-07-30 07:18:49.000000000 -0400
165 +@@ -290,7 +290,7 @@
166 + struct mmu_notifier_mm *mmu_notifier_mm;
167 + #endif
168 +
169 +-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
170 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
171 + unsigned long pax_flags;
172 + #endif
173 +
174 +diff -Naur a/security/Kconfig b/security/Kconfig
175 +--- a/security/Kconfig 2011-07-30 07:14:33.000000000 -0400
176 ++++ b/security/Kconfig 2011-07-30 07:20:37.000000000 -0400
177 +@@ -48,20 +48,6 @@
178 + line option on boot. Furthermore you can control various PaX features
179 + at runtime via the entries in /proc/sys/kernel/pax.
180 +
181 +-config PAX_EI_PAX
182 +- bool 'Use legacy ELF header marking'
183 +- help
184 +- Enabling this option will allow you to control PaX features on
185 +- a per executable basis via the 'chpax' utility available at
186 +- http://pax.grsecurity.net/. The control flags will be read from
187 +- an otherwise reserved part of the ELF header. This marking has
188 +- numerous drawbacks (no support for soft-mode, toolchain does not
189 +- know about the non-standard use of the ELF header) therefore it
190 +- has been deprecated in favour of PT_PAX_FLAGS support.
191 +-
192 +- Note that if you enable PT_PAX_FLAGS marking support as well,
193 +- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
194 +-
195 + config PAX_PT_PAX_FLAGS
196 + bool 'Use ELF program header marking'
197 + help
198 +@@ -110,7 +96,7 @@
199 +
200 + config PAX_NOEXEC
201 + bool "Enforce non-executable pages"
202 +- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
203 ++ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
204 + help
205 + By design some architectures do not allow for protecting memory
206 + pages against execution or even if they do, Linux does not make
207 +@@ -356,7 +342,7 @@
208 +
209 + config PAX_ASLR
210 + bool "Address Space Layout Randomization"
211 +- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
212 ++ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
213 + help
214 + Many if not most exploit techniques rely on the knowledge of
215 + certain addresses in the attacked program. The following options
216
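Review bot: The new patch file carries no header describing its intent, and the behavioural change is wider than "remove legacy PAX_EI_PAX" suggests: once `pax_parse_ei_pax()` is dropped and its call in `pax_parse_elf_flags()` removed, a binary that carries only legacy `e_ident[EI_PAX]` marks is indistinguishable from an unmarked one and lands in the `found_flags == 0` fallback, so per-binary opt-outs set with chpax silently stop applying. A short description above the first `diff -Naur` line (patch(1) ignores leading text) would spare the next maintainer re-deriving this, e.g. `Drop CONFIG_PAX_EI_PAX: legacy EI_PAX header marks are no longer read; PT_PAX_FLAGS is the only ELF marking left, and binaries without a PT_PAX_FLAGS phdr take the found_flags == 0 fallback.` The same header belongs in the 2.6.39 copy of this file. Note also that the rewritten `#error` lines in grsecurity.h still demand `CONFIG_PAX_PT_PAX_FLAGS` for NOEXEC/ASLR while the security/Kconfig `depends on` lines in the same patch accept `PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS` as alternatives; that mismatch predates this change, but these are the lines to reconcile it on. The binfmt_elf.c hunks cut through `pax_parse_elf_flags()` and the ELF loader, both of which start and end outside the shown context.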
217 diff --git a/2.6.32/4421_grsec-remove-localversion-grsec.patch b/2.6.32/4422_grsec-remove-localversion-grsec.patch
218 similarity index 100%
219 rename from 2.6.32/4421_grsec-remove-localversion-grsec.patch
220 rename to 2.6.32/4422_grsec-remove-localversion-grsec.patch
221
222 diff --git a/2.6.32/4422_grsec-mute-warnings.patch b/2.6.32/4424_grsec-mute-warnings.patch
223 similarity index 100%
224 rename from 2.6.32/4422_grsec-mute-warnings.patch
225 rename to 2.6.32/4424_grsec-mute-warnings.patch
226
227 diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4426_grsec-remove-protected-paths.patch
228 similarity index 100%
229 rename from 2.6.32/4423_grsec-remove-protected-paths.patch
230 rename to 2.6.32/4426_grsec-remove-protected-paths.patch
231
232 diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4428_grsec-pax-without-grsec.patch
233 similarity index 100%
234 rename from 2.6.32/4425_grsec-pax-without-grsec.patch
235 rename to 2.6.32/4428_grsec-pax-without-grsec.patch
236
237 diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
238 index f2b8a25..9db4e1d 100644
239 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch
240 +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
241 @@ -27,7 +27,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
242
243 config GRKERNSEC_LOW
244 bool "Low"
245 -@@ -195,6 +195,261 @@
246 +@@ -195,6 +195,258 @@
247 - Restricted sysfs/debugfs
248 - Active kernel exploit response
249
250 @@ -78,7 +78,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
251 + select PAX_RANDMMAP
252 + select PAX_NOEXEC
253 + select PAX_MPROTECT
254 -+ select PAX_EI_PAX
255 + select PAX_PT_PAX_FLAGS
256 + select PAX_HAVE_ACL_FLAGS
257 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
258 @@ -163,7 +162,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
259 + select PAX_RANDMMAP
260 + select PAX_NOEXEC
261 + select PAX_MPROTECT
262 -+ select PAX_EI_PAX
263 + select PAX_PT_PAX_FLAGS
264 + select PAX_HAVE_ACL_FLAGS
265 + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
266 @@ -248,7 +246,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
267 + select PAX_RANDMMAP
268 + select PAX_NOEXEC
269 + select PAX_MPROTECT
270 -+ select PAX_EI_PAX
271 + select PAX_PT_PAX_FLAGS
272 + select PAX_HAVE_ACL_FLAGS
273 + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
274
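Review bot: Only the grsecurity/Kconfig hunk headers are renumbered here, whereas the 2.6.39 counterpart of this file also shifts its security/Kconfig hunks (`-@@ -319,8 +319,9 @@` to `+@@ -305,8 +305,9 @@`) by the 14 lines that deleting the `config PAX_EI_PAX` block removes from security/Kconfig. If the 2.6.32 copy of 4435 also carries security/Kconfig hunks below that block (not visible in this section), their offsets are now stale; patch(1) would probably still place them with an offset message, but applying the series against 2.6.32 with the new 4421 in place is the way to confirm. Dropping the three `select PAX_EI_PAX` lines and changing the hunk count from 261 to 258 are consistent with each other.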
275 diff --git a/2.6.39/4421_remove-legacy-pax-ei.patch b/2.6.39/4421_remove-legacy-pax-ei.patch
276 new file mode 100644
277 index 0000000..fe3cdd4
278 --- /dev/null
279 +++ b/2.6.39/4421_remove-legacy-pax-ei.patch
280 @@ -0,0 +1,185 @@
281 +diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
282 +--- a/fs/binfmt_elf.c 2011-07-30 06:31:54.000000000 -0400
283 ++++ b/fs/binfmt_elf.c 2011-07-30 06:36:36.000000000 -0400
284 +@@ -553,7 +553,7 @@
285 + return error;
286 + }
287 +
288 +-#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
289 ++#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
290 + static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
291 + {
292 + unsigned long pax_flags = 0UL;
293 +@@ -639,50 +639,7 @@
294 + }
295 + #endif
296 +
297 +-#ifdef CONFIG_PAX_EI_PAX
298 +-static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
299 +-{
300 +- unsigned long pax_flags = 0UL;
301 +-
302 +-#ifdef CONFIG_PAX_PAGEEXEC
303 +- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
304 +- pax_flags |= MF_PAX_PAGEEXEC;
305 +-#endif
306 +-
307 +-#ifdef CONFIG_PAX_SEGMEXEC
308 +- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
309 +- pax_flags |= MF_PAX_SEGMEXEC;
310 +-#endif
311 +-
312 +-#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
313 +- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
314 +- if ((__supported_pte_mask & _PAGE_NX))
315 +- pax_flags &= ~MF_PAX_SEGMEXEC;
316 +- else
317 +- pax_flags &= ~MF_PAX_PAGEEXEC;
318 +- }
319 +-#endif
320 +-
321 +-#ifdef CONFIG_PAX_EMUTRAMP
322 +- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
323 +- pax_flags |= MF_PAX_EMUTRAMP;
324 +-#endif
325 +-
326 +-#ifdef CONFIG_PAX_MPROTECT
327 +- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
328 +- pax_flags |= MF_PAX_MPROTECT;
329 +-#endif
330 +-
331 +-#ifdef CONFIG_PAX_ASLR
332 +- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
333 +- pax_flags |= MF_PAX_RANDMMAP;
334 +-#endif
335 +-
336 +- return pax_flags;
337 +-}
338 +-#endif
339 +-
340 +-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
341 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
342 + static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
343 + {
344 + unsigned long pax_flags = 0UL;
345 +@@ -692,10 +649,6 @@
346 + int found_flags = 0;
347 + #endif
348 +
349 +-#ifdef CONFIG_PAX_EI_PAX
350 +- pax_flags = pax_parse_ei_pax(elf_ex);
351 +-#endif
352 +-
353 + #ifdef CONFIG_PAX_PT_PAX_FLAGS
354 + for (i = 0UL; i < elf_ex->e_phnum; i++)
355 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
356 +@@ -718,7 +671,7 @@
357 + }
358 + #endif
359 +
360 +-#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
361 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
362 + if (found_flags == 0) {
363 + struct elf_phdr phdr;
364 + memset(&phdr, 0, sizeof(phdr));
365 +@@ -951,7 +904,7 @@
366 +
367 + current->mm->def_flags = 0;
368 +
369 +-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
370 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
371 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
372 + send_sig(SIGKILL, current, 0);
373 + goto out_free_dentry;
374 +diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
375 +--- a/grsecurity/Kconfig 2011-07-30 06:31:55.000000000 -0400
376 ++++ b/grsecurity/Kconfig 2011-07-30 06:37:18.000000000 -0400
377 +@@ -49,7 +49,6 @@
378 + config GRKERNSEC_MEDIUM
379 + bool "Medium"
380 + select PAX
381 +- select PAX_EI_PAX
382 + select PAX_PT_PAX_FLAGS
383 + select PAX_HAVE_ACL_FLAGS
384 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
385 +@@ -147,7 +146,6 @@
386 + select PAX_RANDMMAP
387 + select PAX_NOEXEC
388 + select PAX_MPROTECT
389 +- select PAX_EI_PAX
390 + select PAX_PT_PAX_FLAGS
391 + select PAX_HAVE_ACL_FLAGS
392 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
393 +diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
394 +--- a/include/linux/grsecurity.h 2011-07-30 06:31:55.000000000 -0400
395 ++++ b/include/linux/grsecurity.h 2011-07-30 06:39:52.000000000 -0400
396 +@@ -10,11 +10,11 @@
397 + #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
398 + #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
399 + #endif
400 +-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
401 +-#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
402 ++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
403 ++#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
404 + #endif
405 +-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
406 +-#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
407 ++#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
408 ++#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
409 + #endif
410 + #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
411 + #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
412 +diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
413 +--- a/include/linux/mm_types.h 2011-07-30 06:31:55.000000000 -0400
414 ++++ b/include/linux/mm_types.h 2011-07-30 06:38:43.000000000 -0400
415 +@@ -320,7 +320,7 @@
416 + pgtable_t pmd_huge_pte; /* protected by page_table_lock */
417 + #endif
418 +
419 +-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
420 ++#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
421 + unsigned long pax_flags;
422 + #endif
423 +
424 +diff a/security/Kconfig b/security/Kconfig
425 +--- a/security/Kconfig 2011-07-30 06:31:56.000000000 -0400
426 ++++ b/security/Kconfig 2011-07-30 06:40:40.000000000 -0400
427 +@@ -48,20 +48,6 @@
428 + line option on boot. Furthermore you can control various PaX features
429 + at runtime via the entries in /proc/sys/kernel/pax.
430 +
431 +-config PAX_EI_PAX
432 +- bool 'Use legacy ELF header marking'
433 +- help
434 +- Enabling this option will allow you to control PaX features on
435 +- a per executable basis via the 'chpax' utility available at
436 +- http://pax.grsecurity.net/. The control flags will be read from
437 +- an otherwise reserved part of the ELF header. This marking has
438 +- numerous drawbacks (no support for soft-mode, toolchain does not
439 +- know about the non-standard use of the ELF header) therefore it
440 +- has been deprecated in favour of PT_PAX_FLAGS support.
441 +-
442 +- Note that if you enable PT_PAX_FLAGS marking support as well,
443 +- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
444 +-
445 + config PAX_PT_PAX_FLAGS
446 + bool 'Use ELF program header marking'
447 + help
448 +@@ -110,7 +96,7 @@
449 +
450 + config PAX_NOEXEC
451 + bool "Enforce non-executable pages"
452 +- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
453 ++ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
454 + help
455 + By design some architectures do not allow for protecting memory
456 + pages against execution or even if they do, Linux does not make
457 +@@ -356,7 +342,7 @@
458 +
459 + config PAX_ASLR
460 + bool "Address Space Layout Randomization"
461 +- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
462 ++ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
463 + help
464 + Many if not most exploit techniques rely on the knowledge of
465 + certain addresses in the attacked program. The following options
466
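Review bot: The security/Kconfig file header in this copy reads `diff a/security/Kconfig b/security/Kconfig`, without the `-Naur` the four sibling headers and the 2.6.32 copy use; patch(1) keys on the `---`/`+++` lines so it still applies, but the inconsistency reads as a hand-edited patch and should be `diff -Naur a/security/Kconfig b/security/Kconfig`. Beyond that and the line-number offsets, the only difference from the 2.6.32 copy is in removed code (`__supported_pte_mask & _PAGE_NX` versus `nx_enabled`), so keeping two per-kernel copies is justified, but a one-line header in the patch saying why the file is duplicated would help whoever rebases it next. The binfmt_elf.c hunks cut through `pax_parse_elf_flags()` and the ELF loader, which start and end outside the shown context.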
467 diff --git a/2.6.39/4421_grsec-remove-localversion-grsec.patch b/2.6.39/4422_grsec-remove-localversion-grsec.patch
468 similarity index 100%
469 rename from 2.6.39/4421_grsec-remove-localversion-grsec.patch
470 rename to 2.6.39/4422_grsec-remove-localversion-grsec.patch
471
472 diff --git a/2.6.39/4422_grsec-mute-warnings.patch b/2.6.39/4424_grsec-mute-warnings.patch
473 similarity index 100%
474 rename from 2.6.39/4422_grsec-mute-warnings.patch
475 rename to 2.6.39/4424_grsec-mute-warnings.patch
476
477 diff --git a/2.6.39/4423_grsec-remove-protected-paths.patch b/2.6.39/4426_grsec-remove-protected-paths.patch
478 similarity index 100%
479 rename from 2.6.39/4423_grsec-remove-protected-paths.patch
480 rename to 2.6.39/4426_grsec-remove-protected-paths.patch
481
482 diff --git a/2.6.39/4425_grsec-pax-without-grsec.patch b/2.6.39/4428_grsec-pax-without-grsec.patch
483 similarity index 100%
484 rename from 2.6.39/4425_grsec-pax-without-grsec.patch
485 rename to 2.6.39/4428_grsec-pax-without-grsec.patch
486
487 diff --git a/2.6.39/4435_grsec-kconfig-gentoo.patch b/2.6.39/4435_grsec-kconfig-gentoo.patch
488 index 5bae307..bc09842 100644
489 --- a/2.6.39/4435_grsec-kconfig-gentoo.patch
490 +++ b/2.6.39/4435_grsec-kconfig-gentoo.patch
491 @@ -27,7 +27,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
492
493 config GRKERNSEC_LOW
494 bool "Low"
495 -@@ -195,6 +195,261 @@
496 +@@ -193,6 +193,258 @@
497 - Restricted sysfs/debugfs
498 - Active kernel exploit response
499
500 @@ -78,7 +78,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
501 + select PAX_RANDMMAP
502 + select PAX_NOEXEC
503 + select PAX_MPROTECT
504 -+ select PAX_EI_PAX
505 + select PAX_PT_PAX_FLAGS
506 + select PAX_HAVE_ACL_FLAGS
507 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
508 @@ -163,7 +162,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
509 + select PAX_RANDMMAP
510 + select PAX_NOEXEC
511 + select PAX_MPROTECT
512 -+ select PAX_EI_PAX
513 + select PAX_PT_PAX_FLAGS
514 + select PAX_HAVE_ACL_FLAGS
515 + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
516 @@ -248,7 +246,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
517 + select PAX_RANDMMAP
518 + select PAX_NOEXEC
519 + select PAX_MPROTECT
520 -+ select PAX_EI_PAX
521 + select PAX_PT_PAX_FLAGS
522 + select PAX_HAVE_ACL_FLAGS
523 + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
524 @@ -292,7 +289,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
525 diff -Naur linux-2.6.38-hardened-r1.orig/security/Kconfig linux-2.6.38-hardened-r1/security/Kconfig
526 --- linux-2.6.38-hardened-r1.orig/security/Kconfig 2011-04-17 19:25:02.000000000 -0400
527 +++ linux-2.6.38-hardened-r1/security/Kconfig 2011-04-17 19:27:46.000000000 -0400
528 -@@ -319,8 +319,9 @@
529 +@@ -305,8 +305,9 @@
530
531 config PAX_KERNEXEC
532 bool "Enforce non-executable kernel pages"
533 @@ -303,7 +300,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/security/Kconfig linux-2.6.38-hardened-
534 help
535 This is the kernel land equivalent of PAGEEXEC and MPROTECT,
536 that is, enabling this option will make it harder to inject
537 -@@ -483,8 +484,9 @@
538 +@@ -469,8 +470,9 @@
539
540 config PAX_MEMORY_UDEREF
541 bool "Prevent invalid userland pointer dereference"