commit: 895b4e7fd913d74bc4edcc9f8b63dd29d46651d8 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Tue Dec 31 19:39:15 2013 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Tue Dec 31 19:39:15 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=895b4e7f |
|
Grsec/PaX: 3.0-3.12.6-201312301223 |
|
--- |
3.12.6/0000_README | 2 +- |
... 4420_grsecurity-3.0-3.12.6-201312301223.patch} | 99 ++++++++++++++++++---- |
3.12.6/4450_grsec-kconfig-default-gids.patch | 12 +-- |
3.12.6/4465_selinux-avc_audit-log-curr_ip.patch | 2 +- |
4 files changed, 89 insertions(+), 26 deletions(-) |
|
diff --git a/3.12.6/0000_README b/3.12.6/0000_README |
18 |
index 55926d8..9a0fb55 100644 |
19 |
--- a/3.12.6/0000_README |
20 |
+++ b/3.12.6/0000_README |
21 |
@@ -2,7 +2,7 @@ README |
22 |
----------------------------------------------------------------------------- |
23 |
Individual Patch Descriptions: |
24 |
----------------------------------------------------------------------------- |
25 |
-Patch: 4420_grsecurity-3.0-3.12.6-201312262020.patch |
26 |
+Patch: 4420_grsecurity-3.0-3.12.6-201312301223.patch |
27 |
From: http://www.grsecurity.net |
28 |
Desc: hardened-sources base patch from upstream grsecurity |
29 |
|
30 |
|
31 |
diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch |
32 |
similarity index 99% |
33 |
rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch |
34 |
rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch |
35 |
index 639a445..a396411 100644 |
36 |
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch |
37 |
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch |
38 |
@@ -60943,6 +60943,22 @@ index 651d09a..60c73ae 100644 |
39 |
|
40 |
/* |
41 |
* base.c |
42 |
+diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c |
43 |
+index 05029c0..7ea1987 100644 |
44 |
+--- a/fs/proc/interrupts.c |
45 |
++++ b/fs/proc/interrupts.c |
46 |
+@@ -47,7 +47,11 @@ static const struct file_operations proc_interrupts_operations = { |
47 |
+ |
48 |
+ static int __init proc_interrupts_init(void) |
49 |
+ { |
50 |
++#ifdef CONFIG_GRKERNSEC_PROC_ADD |
51 |
++ proc_create_grsec("interrupts", 0, NULL, &proc_interrupts_operations); |
52 |
++#else |
53 |
+ proc_create("interrupts", 0, NULL, &proc_interrupts_operations); |
54 |
++#endif |
55 |
+ return 0; |
56 |
+ } |
57 |
+ module_init(proc_interrupts_init); |
58 |
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c |
59 |
index 06ea155..9a798c7 100644 |
60 |
--- a/fs/proc/kcore.c |
61 |
@@ -61292,6 +61308,22 @@ index 6b6a993..807cccc 100644 |
62 |
if (!IS_ERR(s)) |
63 |
kfree(s); |
64 |
} |
65 |
+diff --git a/fs/proc/stat.c b/fs/proc/stat.c |
66 |
+index 1cf86c0..5668e11 100644 |
67 |
+--- a/fs/proc/stat.c |
68 |
++++ b/fs/proc/stat.c |
69 |
+@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = { |
70 |
+ |
71 |
+ static int __init proc_stat_init(void) |
72 |
+ { |
73 |
++#ifdef CONFIG_GRKERNSEC_PROC_ADD |
74 |
++ proc_create_grsec("stat", 0, NULL, &proc_stat_operations); |
75 |
++#else |
76 |
+ proc_create("stat", 0, NULL, &proc_stat_operations); |
77 |
++#endif |
78 |
+ return 0; |
79 |
+ } |
80 |
+ module_init(proc_stat_init); |
81 |
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c |
82 |
index 390bdab..83c1e8a 100644 |
83 |
--- a/fs/proc/task_mmu.c |
84 |
@@ -62471,10 +62503,10 @@ index 2b8952d..a60c6be 100644 |
85 |
kfree(s); |
86 |
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig |
87 |
new file mode 100644 |
88 |
-index 0000000..04e9889 |
89 |
+index 0000000..5b2538b |
90 |
--- /dev/null |
91 |
+++ b/grsecurity/Kconfig |
92 |
-@@ -0,0 +1,1112 @@ |
93 |
+@@ -0,0 +1,1116 @@ |
94 |
+# |
95 |
+# grecurity configuration |
96 |
+# |
97 |
@@ -63270,15 +63302,19 @@ index 0000000..04e9889 |
98 |
+ a sysctl option with name "consistent_setxid" is created. |
99 |
+ |
100 |
+config GRKERNSEC_HARDEN_IPC |
101 |
-+ bool "Disallow access to world-accessible IPC objects" |
102 |
++ bool "Disallow access to overly-permissive IPC objects" |
103 |
+ default y if GRKERNSEC_CONFIG_AUTO |
104 |
+ depends on SYSVIPC |
105 |
+ help |
106 |
-+ If you say Y here, access to overly-permissive IPC (shared memory, |
107 |
-+ message queues, and semaphores) will be denied for processes whose |
108 |
-+ effective user or group would not grant them permission. It's a |
109 |
-+ common error to grant too much permission to these objects, with |
110 |
-+ impact ranging from denial of service and information leaking to |
111 |
++ If you say Y here, access to overly-permissive IPC objects (shared |
112 |
++ memory, message queues, and semaphores) will be denied for processes |
113 |
++ given the following criteria beyond normal permission checks: |
114 |
++ 1) If the IPC object is world-accessible and the euid doesn't match |
115 |
++ that of the creator or current uid for the IPC object |
116 |
++ 2) If the IPC object is group-accessible and the egid doesn't |
117 |
++ match that of the creator or current gid for the IPC object |
118 |
++ It's a common error to grant too much permission to these objects, |
119 |
++ with impact ranging from denial of service and information leaking to |
120 |
+ privilege escalation. This feature was developed in response to |
121 |
+ research by Tim Brown: |
122 |
+ http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ |
123 |
@@ -71471,10 +71507,10 @@ index 0000000..a88e901 |
124 |
+} |
125 |
diff --git a/grsecurity/grsec_ipc.c b/grsecurity/grsec_ipc.c |
126 |
new file mode 100644 |
127 |
-index 0000000..f365de0 |
128 |
+index 0000000..78d1680 |
129 |
--- /dev/null |
130 |
+++ b/grsecurity/grsec_ipc.c |
131 |
-@@ -0,0 +1,22 @@ |
132 |
+@@ -0,0 +1,48 @@ |
133 |
+#include <linux/kernel.h> |
134 |
+#include <linux/mm.h> |
135 |
+#include <linux/sched.h> |
136 |
@@ -71488,10 +71524,36 @@ index 0000000..f365de0 |
137 |
+gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode) |
138 |
+{ |
139 |
+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC |
140 |
-+ int write = (requested_mode & 00002); |
141 |
++ int write; |
142 |
++ int orig_granted_mode; |
143 |
++ kuid_t euid; |
144 |
++ kgid_t egid; |
145 |
+ |
146 |
-+ if (grsec_enable_harden_ipc && !(requested_mode & ~granted_mode & 0007) && !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) { |
147 |
-+ gr_log_str2_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", write ? "writ" : "read", GR_GLOBAL_UID(ipcp->cuid)); |
148 |
++ if (!grsec_enable_harden_ipc) |
149 |
++ return 0; |
150 |
++ |
151 |
++ euid = current_euid(); |
152 |
++ egid = current_egid(); |
153 |
++ |
154 |
++ write = requested_mode & 00002; |
155 |
++ orig_granted_mode = ipcp->mode; |
156 |
++ |
157 |
++ if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid)) |
158 |
++ orig_granted_mode >>= 6; |
159 |
++ else { |
160 |
++ /* if likely wrong permissions, lock to user */ |
161 |
++ if (orig_granted_mode & 0007) |
162 |
++ orig_granted_mode = 0; |
163 |
++ /* otherwise do a egid-only check */ |
164 |
++ else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid)) |
165 |
++ orig_granted_mode >>= 3; |
166 |
++ /* otherwise, no access */ |
167 |
++ else |
168 |
++ orig_granted_mode = 0; |
169 |
++ } |
170 |
++ if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) && |
171 |
++ !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) { |
172 |
++ gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid)); |
173 |
+ return 0; |
174 |
+ } |
175 |
+#endif |
176 |
@@ -75995,7 +76057,7 @@ index 0000000..d25522e |
177 |
+#endif |
178 |
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h |
179 |
new file mode 100644 |
180 |
-index 0000000..2b07594 |
181 |
+index 0000000..195cbe4 |
182 |
--- /dev/null |
183 |
+++ b/include/linux/grmsg.h |
184 |
@@ -0,0 +1,115 @@ |
185 |
@@ -76113,7 +76175,7 @@ index 0000000..2b07594 |
186 |
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by " |
187 |
+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " |
188 |
+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for " |
189 |
-+#define GR_IPC_DENIED_MSG "denied %s of globally-%sable IPC with creator uid %u by " |
190 |
++#define GR_IPC_DENIED_MSG "denied %s of overly-permissive IPC object with creator uid %u by " |
191 |
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h |
192 |
new file mode 100644 |
193 |
index 0000000..d8b5b48 |
194 |
@@ -81460,7 +81522,7 @@ index 7a51443..3a257d8 100644 |
195 |
ipc_unlock_object(&shp->shm_perm); |
196 |
rcu_read_unlock(); |
197 |
diff --git a/ipc/util.c b/ipc/util.c |
198 |
-index 7684f41..f7da711 100644 |
199 |
+index 7684f41..5bf1880 100644 |
200 |
--- a/ipc/util.c |
201 |
+++ b/ipc/util.c |
202 |
@@ -71,6 +71,8 @@ struct ipc_proc_iface { |
203 |
@@ -81472,11 +81534,12 @@ index 7684f41..f7da711 100644 |
204 |
static void ipc_memory_notifier(struct work_struct *work) |
205 |
{ |
206 |
ipcns_notify(IPCNS_MEMCHANGED); |
207 |
-@@ -560,6 +562,9 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag) |
208 |
+@@ -560,6 +562,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag) |
209 |
granted_mode >>= 6; |
210 |
else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid)) |
211 |
granted_mode >>= 3; |
212 |
-+ else if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode)) |
213 |
++ |
214 |
++ if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode)) |
215 |
+ return -1; |
216 |
+ |
217 |
/* is there some bit set in requested_mode but not in granted_mode? */ |
218 |
|
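Review bot: The early exit added to gr_ipc_permitted() in grsecurity/grsec_ipc.c, `if (!grsec_enable_harden_ipc) return 0;`, reports "not permitted" when the feature is switched off, because 0 is also what the logged denial branch below it returns. The ipc/util.c hunk now calls the helper on every path through ipcperms() instead of only in the final `else`, and maps a zero result to `return -1;`. With CONFIG_GRKERNSEC_HARDEN_IPC built in and grsec_enable_harden_ipc cleared, every permission check that reaches this point would therefore be refused, and without a log entry. The early exit should read `return 1;` so that a disabled feature falls back to the normal permission check. The tail of gr_ipc_permitted() after `#endif` lies outside the hunk; it presumably returns 1, which is worth confirming when making the change.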
219 |
diff --git a/3.12.6/4450_grsec-kconfig-default-gids.patch b/3.12.6/4450_grsec-kconfig-default-gids.patch |
220 |
index aa9d567..cdd1703 100644 |
221 |
--- a/3.12.6/4450_grsec-kconfig-default-gids.patch |
222 |
+++ b/3.12.6/4450_grsec-kconfig-default-gids.patch |
223 |
@@ -16,7 +16,7 @@ from shooting themselves in the foot. |
224 |
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
225 |
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 |
226 |
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 |
227 |
-@@ -621,7 +621,7 @@ |
228 |
+@@ -626,7 +626,7 @@ |
229 |
config GRKERNSEC_AUDIT_GID |
230 |
int "GID for auditing" |
231 |
depends on GRKERNSEC_AUDIT_GROUP |
232 |
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
233 |
|
234 |
config GRKERNSEC_EXECLOG |
235 |
bool "Exec logging" |
236 |
-@@ -848,7 +848,7 @@ |
237 |
+@@ -857,7 +857,7 @@ |
238 |
config GRKERNSEC_TPE_UNTRUSTED_GID |
239 |
int "GID for TPE-untrusted users" |
240 |
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT |
241 |
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
242 |
help |
243 |
Setting this GID determines what group TPE restrictions will be |
244 |
*enabled* for. If the sysctl option is enabled, a sysctl option |
245 |
-@@ -857,7 +857,7 @@ |
246 |
+@@ -866,7 +866,7 @@ |
247 |
config GRKERNSEC_TPE_TRUSTED_GID |
248 |
int "GID for TPE-trusted users" |
249 |
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT |
250 |
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
251 |
help |
252 |
Setting this GID determines what group TPE restrictions will be |
253 |
*disabled* for. If the sysctl option is enabled, a sysctl option |
254 |
-@@ -950,7 +950,7 @@ |
255 |
+@@ -959,7 +959,7 @@ |
256 |
config GRKERNSEC_SOCKET_ALL_GID |
257 |
int "GID to deny all sockets for" |
258 |
depends on GRKERNSEC_SOCKET_ALL |
259 |
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
260 |
help |
261 |
Here you can choose the GID to disable socket access for. Remember to |
262 |
add the users you want socket access disabled for to the GID |
263 |
-@@ -971,7 +971,7 @@ |
264 |
+@@ -980,7 +980,7 @@ |
265 |
config GRKERNSEC_SOCKET_CLIENT_GID |
266 |
int "GID to deny client sockets for" |
267 |
depends on GRKERNSEC_SOCKET_CLIENT |
268 |
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
269 |
help |
270 |
Here you can choose the GID to disable client socket access for. |
271 |
Remember to add the users you want client socket access disabled for to |
272 |
-@@ -989,7 +989,7 @@ |
273 |
+@@ -998,7 +998,7 @@ |
274 |
config GRKERNSEC_SOCKET_SERVER_GID |
275 |
int "GID to deny server sockets for" |
276 |
depends on GRKERNSEC_SOCKET_SERVER |
277 |
|
278 |
diff --git a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch |
279 |
index 6490fca..04ec3fb 100644 |
280 |
--- a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch |
281 |
+++ b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch |
282 |
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org> |
283 |
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig |
284 |
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 |
285 |
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 |
286 |
-@@ -1084,6 +1084,27 @@ |
287 |
+@@ -1093,6 +1093,27 @@ |
288 |
menu "Logging Options" |
289 |
depends on GRKERNSEC |