commit: 76c12f38d3c63651455fab1bee4090746993c6bb |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Sat Jul 30 11:26:41 2011 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sat Jul 30 11:26:41 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=76c12f38 |
|
Add patch to remove legacy PAX_EI_PAX |
|
--- |
2.6.32/4421_remove-legacy-pax-ei.patch | 185 ++++++++++++++++++++ |
... => 4422_grsec-remove-localversion-grsec.patch} | 0 |
...rnings.patch => 4424_grsec-mute-warnings.patch} | 0 |
...tch => 4426_grsec-remove-protected-paths.patch} | 0 |
...ec.patch => 4428_grsec-pax-without-grsec.patch} | 0 |
2.6.32/4435_grsec-kconfig-gentoo.patch | 5 +- |
2.6.39/4421_remove-legacy-pax-ei.patch | 185 ++++++++++++++++++++ |
... => 4422_grsec-remove-localversion-grsec.patch} | 0 |
...rnings.patch => 4424_grsec-mute-warnings.patch} | 0 |
...tch => 4426_grsec-remove-protected-paths.patch} | 0 |
...ec.patch => 4428_grsec-pax-without-grsec.patch} | 0 |
2.6.39/4435_grsec-kconfig-gentoo.patch | 9 +- |
12 files changed, 374 insertions(+), 10 deletions(-) |
|
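--- /dev/null
+++ b/2.6.32/4421_remove-legacy-pax-ei.patch
@@ -0,0 +1,185 @@
+diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2011-07-30 07:14:33.000000000 -0400
++++ b/fs/binfmt_elf.c 2011-07-30 07:17:26.000000000 -0400
+@@ -557,7 +557,7 @@
+ return error;
+ }
+
+-#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
++#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
+ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -643,50 +643,7 @@
+ }
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+-static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
+-{
+- unsigned long pax_flags = 0UL;
+-
+-#ifdef CONFIG_PAX_PAGEEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
+- pax_flags |= MF_PAX_PAGEEXEC;
+-#endif
+-
+-#ifdef CONFIG_PAX_SEGMEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
+- pax_flags |= MF_PAX_SEGMEXEC;
+-#endif
+-
+-#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
+- if (nx_enabled)
+- pax_flags &= ~MF_PAX_SEGMEXEC;
+- else
+- pax_flags &= ~MF_PAX_PAGEEXEC;
+- }
+-#endif
+-
+-#ifdef CONFIG_PAX_EMUTRAMP
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
+- pax_flags |= MF_PAX_EMUTRAMP;
+-#endif
+-
+-#ifdef CONFIG_PAX_MPROTECT
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
+- pax_flags |= MF_PAX_MPROTECT;
+-#endif
+-
+-#ifdef CONFIG_PAX_ASLR
+- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
+- pax_flags |= MF_PAX_RANDMMAP;
+-#endif
+-
+- return pax_flags;
+-}
+-#endif
+-
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -696,10 +653,6 @@
+ int found_flags = 0;
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+- pax_flags = pax_parse_ei_pax(elf_ex);
+-#endif
+-
+ #ifdef CONFIG_PAX_PT_PAX_FLAGS
+ for (i = 0UL; i < elf_ex->e_phnum; i++)
+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
+@@ -722,7 +675,7 @@
+ }
+ #endif
+
+-#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (found_flags == 0) {
+ struct elf_phdr phdr;
+ memset(&phdr, 0, sizeof(phdr));
+@@ -956,7 +909,7 @@
+
+ current->mm->def_flags = 0;
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-07-30 07:14:33.000000000 -0400
++++ b/grsecurity/Kconfig 2011-07-30 07:17:56.000000000 -0400
+@@ -49,7 +49,6 @@
+ config GRKERNSEC_MEDIUM
+ bool "Medium"
+ select PAX
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+@@ -147,7 +146,6 @@
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
+diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
+--- a/include/linux/grsecurity.h 2011-07-30 07:14:33.000000000 -0400
++++ b/include/linux/grsecurity.h 2011-07-30 07:19:50.000000000 -0400
+@@ -10,11 +10,11 @@
+ #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
+ #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
+ #endif
+-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+ #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
+ #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
+diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
+--- a/include/linux/mm_types.h 2011-07-30 07:14:33.000000000 -0400
++++ b/include/linux/mm_types.h 2011-07-30 07:18:49.000000000 -0400
+@@ -290,7 +290,7 @@
+ struct mmu_notifier_mm *mmu_notifier_mm;
+ #endif
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+ unsigned long pax_flags;
+ #endif
+
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-07-30 07:14:33.000000000 -0400
++++ b/security/Kconfig 2011-07-30 07:20:37.000000000 -0400
+@@ -48,20 +48,6 @@
+ line option on boot. Furthermore you can control various PaX features
+ at runtime via the entries in /proc/sys/kernel/pax.
+
+-config PAX_EI_PAX
+- bool 'Use legacy ELF header marking'
+- help
+- Enabling this option will allow you to control PaX features on
+- a per executable basis via the 'chpax' utility available at
+- http://pax.grsecurity.net/. The control flags will be read from
+- an otherwise reserved part of the ELF header. This marking has
+- numerous drawbacks (no support for soft-mode, toolchain does not
+- know about the non-standard use of the ELF header) therefore it
+- has been deprecated in favour of PT_PAX_FLAGS support.
+-
+- Note that if you enable PT_PAX_FLAGS marking support as well,
+- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
+-
+ config PAX_PT_PAX_FLAGS
+ bool 'Use ELF program header marking'
+ help
+@@ -110,7 +96,7 @@
+
+ config PAX_NOEXEC
+ bool "Enforce non-executable pages"
+- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
++ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
+ help
+ By design some architectures do not allow for protecting memory
+ pages against execution or even if they do, Linux does not make
+@@ -356,7 +342,7 @@
+
+ config PAX_ASLR
+ bool "Address Space Layout Randomization"
+- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
++ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
+ help
+ Many if not most exploit techniques rely on the knowledge of
+ certain addresses in the attacked program. The following options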
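Review bot: The new patch file carries no description — its first line is already `diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c` — so nothing records that once `pax_parse_ei_pax()` and the `PAX_EI_PAX` Kconfig option are gone, executables marked only through the legacy `e_ident[EI_PAX]` byte (the `chpax` marking the removed help text describes) are no longer honored and instead reach the `found_flags == 0` default path whose guard becomes `#if defined(CONFIG_PAX_PT_PAX_FLAGS)`. A few header lines above the first `diff` line, e.g. `Drop CONFIG_PAX_EI_PAX: legacy e_ident[EI_PAX] marks are no longer read; binaries relying on them need PT_PAX_FLAGS program-header marking instead`, would make that change in enforcement visible to users of the patchset. Whether such binaries end up with stricter or looser PaX flags depends on how the zeroed `phdr` is interpreted after `memset(&phdr, 0, sizeof(phdr))`, which lies beyond the hunk, so that part is inferred rather than shown here. The 2.6.39 copy of the same patch in this commit opens the same way and would benefit from the same header.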
217 |
diff --git a/2.6.32/4421_grsec-remove-localversion-grsec.patch b/2.6.32/4422_grsec-remove-localversion-grsec.patch |
218 |
similarity index 100% |
219 |
rename from 2.6.32/4421_grsec-remove-localversion-grsec.patch |
220 |
rename to 2.6.32/4422_grsec-remove-localversion-grsec.patch |
221 |
|
222 |
diff --git a/2.6.32/4422_grsec-mute-warnings.patch b/2.6.32/4424_grsec-mute-warnings.patch |
223 |
similarity index 100% |
224 |
rename from 2.6.32/4422_grsec-mute-warnings.patch |
225 |
rename to 2.6.32/4424_grsec-mute-warnings.patch |
226 |
|
227 |
diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4426_grsec-remove-protected-paths.patch |
228 |
similarity index 100% |
229 |
rename from 2.6.32/4423_grsec-remove-protected-paths.patch |
230 |
rename to 2.6.32/4426_grsec-remove-protected-paths.patch |
231 |
|
232 |
diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4428_grsec-pax-without-grsec.patch |
233 |
similarity index 100% |
234 |
rename from 2.6.32/4425_grsec-pax-without-grsec.patch |
235 |
rename to 2.6.32/4428_grsec-pax-without-grsec.patch |
236 |
|
237 |
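--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
 
 config GRKERNSEC_LOW
 bool "Low"
-@@ -195,6 +195,261 @@
+@@ -195,6 +195,258 @@
 - Restricted sysfs/debugfs
 - Active kernel exploit response
 
@@ -78,7 +78,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
 + select PAX_RANDMMAP
 + select PAX_NOEXEC
 + select PAX_MPROTECT
-+ select PAX_EI_PAX
 + select PAX_PT_PAX_FLAGS
 + select PAX_HAVE_ACL_FLAGS
 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
@@ -163,7 +162,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
 + select PAX_RANDMMAP
 + select PAX_NOEXEC
 + select PAX_MPROTECT
-+ select PAX_EI_PAX
 + select PAX_PT_PAX_FLAGS
 + select PAX_HAVE_ACL_FLAGS
 + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
@@ -248,7 +246,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
 + select PAX_RANDMMAP
 + select PAX_NOEXEC
 + select PAX_MPROTECT
-+ select PAX_EI_PAX
 + select PAX_PT_PAX_FLAGS
 + select PAX_HAVE_ACL_FLAGS
 + # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)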
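Review bot: The corrected inner hunk header `@@ -195,6 +195,258 @@` fixes the new-side count for the three dropped `select PAX_EI_PAX` lines but keeps the start line at 195, even though the companion 2.6.32/4421_remove-legacy-pax-ei.patch — which, going by its lower number, is applied before this one — removes two `select PAX_EI_PAX` lines from grsecurity/Kconfig above that point; the 2.6.39 copy of this same file shifts the hunk to `@@ -193,6 +193,258 @@` for exactly that reason. GNU patch will normally still place the hunk and report an offset of -2 lines, so this is an inconsistency rather than an apply failure unless the patchset is applied with strict offset checking; suggest `+@@ -193,6 +193,258 @@` here as well. The 2.6.39 copy also renumbers its security/Kconfig hunks for the 14 lines that 4421 removes there (`@@ -48,20 +48,6 @@`), so it is worth confirming whether the 2.6.32 copy has corresponding security/Kconfig hunks outside this section that need the same shift.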
275 |
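--- /dev/null
+++ b/2.6.39/4421_remove-legacy-pax-ei.patch
@@ -0,0 +1,185 @@
+diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2011-07-30 06:31:54.000000000 -0400
++++ b/fs/binfmt_elf.c 2011-07-30 06:36:36.000000000 -0400
+@@ -553,7 +553,7 @@
+ return error;
+ }
+
+-#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
++#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
+ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -639,50 +639,7 @@
+ }
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+-static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
+-{
+- unsigned long pax_flags = 0UL;
+-
+-#ifdef CONFIG_PAX_PAGEEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
+- pax_flags |= MF_PAX_PAGEEXEC;
+-#endif
+-
+-#ifdef CONFIG_PAX_SEGMEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
+- pax_flags |= MF_PAX_SEGMEXEC;
+-#endif
+-
+-#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
+- if ((__supported_pte_mask & _PAGE_NX))
+- pax_flags &= ~MF_PAX_SEGMEXEC;
+- else
+- pax_flags &= ~MF_PAX_PAGEEXEC;
+- }
+-#endif
+-
+-#ifdef CONFIG_PAX_EMUTRAMP
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
+- pax_flags |= MF_PAX_EMUTRAMP;
+-#endif
+-
+-#ifdef CONFIG_PAX_MPROTECT
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
+- pax_flags |= MF_PAX_MPROTECT;
+-#endif
+-
+-#ifdef CONFIG_PAX_ASLR
+- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
+- pax_flags |= MF_PAX_RANDMMAP;
+-#endif
+-
+- return pax_flags;
+-}
+-#endif
+-
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -692,10 +649,6 @@
+ int found_flags = 0;
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+- pax_flags = pax_parse_ei_pax(elf_ex);
+-#endif
+-
+ #ifdef CONFIG_PAX_PT_PAX_FLAGS
+ for (i = 0UL; i < elf_ex->e_phnum; i++)
+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
+@@ -718,7 +671,7 @@
+ }
+ #endif
+
+-#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (found_flags == 0) {
+ struct elf_phdr phdr;
+ memset(&phdr, 0, sizeof(phdr));
+@@ -951,7 +904,7 @@
+
+ current->mm->def_flags = 0;
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-07-30 06:31:55.000000000 -0400
++++ b/grsecurity/Kconfig 2011-07-30 06:37:18.000000000 -0400
+@@ -49,7 +49,6 @@
+ config GRKERNSEC_MEDIUM
+ bool "Medium"
+ select PAX
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+@@ -147,7 +146,6 @@
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
+diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
+--- a/include/linux/grsecurity.h 2011-07-30 06:31:55.000000000 -0400
++++ b/include/linux/grsecurity.h 2011-07-30 06:39:52.000000000 -0400
+@@ -10,11 +10,11 @@
+ #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
+ #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
+ #endif
+-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+ #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
+ #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
+diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
+--- a/include/linux/mm_types.h 2011-07-30 06:31:55.000000000 -0400
++++ b/include/linux/mm_types.h 2011-07-30 06:38:43.000000000 -0400
+@@ -320,7 +320,7 @@
+ pgtable_t pmd_huge_pte; /* protected by page_table_lock */
+ #endif
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+ unsigned long pax_flags;
+ #endif
+
+diff a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-07-30 06:31:56.000000000 -0400
++++ b/security/Kconfig 2011-07-30 06:40:40.000000000 -0400
+@@ -48,20 +48,6 @@
+ line option on boot. Furthermore you can control various PaX features
+ at runtime via the entries in /proc/sys/kernel/pax.
+
+-config PAX_EI_PAX
+- bool 'Use legacy ELF header marking'
+- help
+- Enabling this option will allow you to control PaX features on
+- a per executable basis via the 'chpax' utility available at
+- http://pax.grsecurity.net/. The control flags will be read from
+- an otherwise reserved part of the ELF header. This marking has
+- numerous drawbacks (no support for soft-mode, toolchain does not
+- know about the non-standard use of the ELF header) therefore it
+- has been deprecated in favour of PT_PAX_FLAGS support.
+-
+- Note that if you enable PT_PAX_FLAGS marking support as well,
+- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
+-
+ config PAX_PT_PAX_FLAGS
+ bool 'Use ELF program header marking'
+ help
+@@ -110,7 +96,7 @@
+
+ config PAX_NOEXEC
+ bool "Enforce non-executable pages"
+- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
++ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
+ help
+ By design some architectures do not allow for protecting memory
+ pages against execution or even if they do, Linux does not make
+@@ -356,7 +342,7 @@
+
+ config PAX_ASLR
+ bool "Address Space Layout Randomization"
+- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
++ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
+ help
+ Many if not most exploit techniques rely on the knowledge of
+ certain addresses in the attacked program. The following options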
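Review bot: The file header of the last sub-diff, `diff a/security/Kconfig b/security/Kconfig`, is missing the `-Naur` flags that every other `diff` line in this patch and in its 2.6.32 twin carry (e.g. `diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h`). `patch` locates files from the `---`/`+++` lines, so the patch should still apply, but the odd line reads as a hand edit and makes the two copies diverge for no reason; suggest `diff -Naur a/security/Kconfig b/security/Kconfig`. Like its 2.6.32 twin, the file also opens directly with its first `diff` line and gives no description of why `CONFIG_PAX_EI_PAX` and `pax_parse_ei_pax()` are being removed or what happens to binaries that carry only legacy `e_ident[EI_PAX]` marks, which a short header above the first `diff` line would resolve.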
467 |
diff --git a/2.6.39/4421_grsec-remove-localversion-grsec.patch b/2.6.39/4422_grsec-remove-localversion-grsec.patch |
468 |
similarity index 100% |
469 |
rename from 2.6.39/4421_grsec-remove-localversion-grsec.patch |
470 |
rename to 2.6.39/4422_grsec-remove-localversion-grsec.patch |
471 |
|
472 |
diff --git a/2.6.39/4422_grsec-mute-warnings.patch b/2.6.39/4424_grsec-mute-warnings.patch |
473 |
similarity index 100% |
474 |
rename from 2.6.39/4422_grsec-mute-warnings.patch |
475 |
rename to 2.6.39/4424_grsec-mute-warnings.patch |
476 |
|
477 |
diff --git a/2.6.39/4423_grsec-remove-protected-paths.patch b/2.6.39/4426_grsec-remove-protected-paths.patch |
478 |
similarity index 100% |
479 |
rename from 2.6.39/4423_grsec-remove-protected-paths.patch |
480 |
rename to 2.6.39/4426_grsec-remove-protected-paths.patch |
481 |
|
482 |
diff --git a/2.6.39/4425_grsec-pax-without-grsec.patch b/2.6.39/4428_grsec-pax-without-grsec.patch |
483 |
similarity index 100% |
484 |
rename from 2.6.39/4425_grsec-pax-without-grsec.patch |
485 |
rename to 2.6.39/4428_grsec-pax-without-grsec.patch |
486 |
|
487 |
diff --git a/2.6.39/4435_grsec-kconfig-gentoo.patch b/2.6.39/4435_grsec-kconfig-gentoo.patch |
488 |
index 5bae307..bc09842 100644 |
489 |
--- a/2.6.39/4435_grsec-kconfig-gentoo.patch |
490 |
+++ b/2.6.39/4435_grsec-kconfig-gentoo.patch |
491 |
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene |
492 |
|
493 |
config GRKERNSEC_LOW |
494 |
bool "Low" |
495 |
-@@ -195,6 +195,261 @@ |
496 |
+@@ -193,6 +193,258 @@ |
497 |
- Restricted sysfs/debugfs |
498 |
- Active kernel exploit response |
499 |
|
500 |
@@ -78,7 +78,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene |
501 |
+ select PAX_RANDMMAP |
502 |
+ select PAX_NOEXEC |
503 |
+ select PAX_MPROTECT |
504 |
-+ select PAX_EI_PAX |
505 |
+ select PAX_PT_PAX_FLAGS |
506 |
+ select PAX_HAVE_ACL_FLAGS |
507 |
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
508 |
@@ -163,7 +162,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene |
509 |
+ select PAX_RANDMMAP |
510 |
+ select PAX_NOEXEC |
511 |
+ select PAX_MPROTECT |
512 |
-+ select PAX_EI_PAX |
513 |
+ select PAX_PT_PAX_FLAGS |
514 |
+ select PAX_HAVE_ACL_FLAGS |
515 |
+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
516 |
@@ -248,7 +246,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene |
517 |
+ select PAX_RANDMMAP |
518 |
+ select PAX_NOEXEC |
519 |
+ select PAX_MPROTECT |
520 |
-+ select PAX_EI_PAX |
521 |
+ select PAX_PT_PAX_FLAGS |
522 |
+ select PAX_HAVE_ACL_FLAGS |
523 |
+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN) |
524 |
@@ -292,7 +289,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene |
525 |
diff -Naur linux-2.6.38-hardened-r1.orig/security/Kconfig linux-2.6.38-hardened-r1/security/Kconfig |
526 |
--- linux-2.6.38-hardened-r1.orig/security/Kconfig 2011-04-17 19:25:02.000000000 -0400 |
527 |
+++ linux-2.6.38-hardened-r1/security/Kconfig 2011-04-17 19:27:46.000000000 -0400 |
528 |
-@@ -319,8 +319,9 @@ |
529 |
+@@ -305,8 +305,9 @@ |
530 |
|
531 |
config PAX_KERNEXEC |
532 |
bool "Enforce non-executable kernel pages" |
533 |
@@ -303,7 +300,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/security/Kconfig linux-2.6.38-hardened- |
534 |
help |
535 |
This is the kernel land equivalent of PAGEEXEC and MPROTECT, |
536 |
that is, enabling this option will make it harder to inject |
537 |
-@@ -483,8 +484,9 @@ |
538 |
+@@ -469,8 +470,9 @@ |
539 |
|
540 |
config PAX_MEMORY_UDEREF |
541 |
bool "Prevent invalid userland pointer dereference" |