
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.12.6/
Date: Tue, 31 Dec 2013 19:38:42
Message-Id: 1388518755.895b4e7fd913d74bc4edcc9f8b63dd29d46651d8.blueness@gentoo
1 commit: 895b4e7fd913d74bc4edcc9f8b63dd29d46651d8
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Tue Dec 31 19:39:15 2013 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 31 19:39:15 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=895b4e7f
7
8 Grsec/PaX: 3.0-3.12.6-201312301223
9
10 ---
11 3.12.6/0000_README | 2 +-
12 ... 4420_grsecurity-3.0-3.12.6-201312301223.patch} | 99 ++++++++++++++++++----
13 3.12.6/4450_grsec-kconfig-default-gids.patch | 12 +--
14 3.12.6/4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
15 4 files changed, 89 insertions(+), 26 deletions(-)
16
17 diff --git a/3.12.6/0000_README b/3.12.6/0000_README
18 index 55926d8..9a0fb55 100644
19 --- a/3.12.6/0000_README
20 +++ b/3.12.6/0000_README
21 @@ -2,7 +2,7 @@ README
22 -----------------------------------------------------------------------------
23 Individual Patch Descriptions:
24 -----------------------------------------------------------------------------
25 -Patch: 4420_grsecurity-3.0-3.12.6-201312262020.patch
26 +Patch: 4420_grsecurity-3.0-3.12.6-201312301223.patch
27 From: http://www.grsecurity.net
28 Desc: hardened-sources base patch from upstream grsecurity
29
30
31 diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
32 similarity index 99%
33 rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
34 rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
35 index 639a445..a396411 100644
36 --- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
37 +++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
38 @@ -60943,6 +60943,22 @@ index 651d09a..60c73ae 100644
39
40 /*
41 * base.c
42 +diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
43 +index 05029c0..7ea1987 100644
44 +--- a/fs/proc/interrupts.c
45 ++++ b/fs/proc/interrupts.c
46 +@@ -47,7 +47,11 @@ static const struct file_operations proc_interrupts_operations = {
47 +
48 + static int __init proc_interrupts_init(void)
49 + {
50 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
51 ++ proc_create_grsec("interrupts", 0, NULL, &proc_interrupts_operations);
52 ++#else
53 + proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
54 ++#endif
55 + return 0;
56 + }
57 + module_init(proc_interrupts_init);
58 diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
59 index 06ea155..9a798c7 100644
60 --- a/fs/proc/kcore.c
61 @@ -61292,6 +61308,22 @@ index 6b6a993..807cccc 100644
62 if (!IS_ERR(s))
63 kfree(s);
64 }
65 +diff --git a/fs/proc/stat.c b/fs/proc/stat.c
66 +index 1cf86c0..5668e11 100644
67 +--- a/fs/proc/stat.c
68 ++++ b/fs/proc/stat.c
69 +@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = {
70 +
71 + static int __init proc_stat_init(void)
72 + {
73 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
74 ++ proc_create_grsec("stat", 0, NULL, &proc_stat_operations);
75 ++#else
76 + proc_create("stat", 0, NULL, &proc_stat_operations);
77 ++#endif
78 + return 0;
79 + }
80 + module_init(proc_stat_init);
81 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
82 index 390bdab..83c1e8a 100644
83 --- a/fs/proc/task_mmu.c
84 @@ -62471,10 +62503,10 @@ index 2b8952d..a60c6be 100644
85 kfree(s);
86 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
87 new file mode 100644
88 -index 0000000..04e9889
89 +index 0000000..5b2538b
90 --- /dev/null
91 +++ b/grsecurity/Kconfig
92 -@@ -0,0 +1,1112 @@
93 +@@ -0,0 +1,1116 @@
94 +#
95 +# grecurity configuration
96 +#
97 @@ -63270,15 +63302,19 @@ index 0000000..04e9889
98 + a sysctl option with name "consistent_setxid" is created.
99 +
100 +config GRKERNSEC_HARDEN_IPC
101 -+ bool "Disallow access to world-accessible IPC objects"
102 ++ bool "Disallow access to overly-permissive IPC objects"
103 + default y if GRKERNSEC_CONFIG_AUTO
104 + depends on SYSVIPC
105 + help
106 -+ If you say Y here, access to overly-permissive IPC (shared memory,
107 -+ message queues, and semaphores) will be denied for processes whose
108 -+ effective user or group would not grant them permission. It's a
109 -+ common error to grant too much permission to these objects, with
110 -+ impact ranging from denial of service and information leaking to
111 ++ If you say Y here, access to overly-permissive IPC objects (shared
112 ++ memory, message queues, and semaphores) will be denied for processes
113 ++ given the following criteria beyond normal permission checks:
114 ++ 1) If the IPC object is world-accessible and the euid doesn't match
115 ++ that of the creator or current uid for the IPC object
116 ++ 2) If the IPC object is group-accessible and the egid doesn't
117 ++ match that of the creator or current gid for the IPC object
118 ++ It's a common error to grant too much permission to these objects,
119 ++ with impact ranging from denial of service and information leaking to
120 + privilege escalation. This feature was developed in response to
121 + research by Tim Brown:
122 + http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
123 @@ -71471,10 +71507,10 @@ index 0000000..a88e901
124 +}
125 diff --git a/grsecurity/grsec_ipc.c b/grsecurity/grsec_ipc.c
126 new file mode 100644
127 -index 0000000..f365de0
128 +index 0000000..78d1680
129 --- /dev/null
130 +++ b/grsecurity/grsec_ipc.c
131 -@@ -0,0 +1,22 @@
132 +@@ -0,0 +1,48 @@
133 +#include <linux/kernel.h>
134 +#include <linux/mm.h>
135 +#include <linux/sched.h>
136 @@ -71488,10 +71524,36 @@ index 0000000..f365de0
137 +gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode)
138 +{
139 +#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
140 -+ int write = (requested_mode & 00002);
141 ++ int write;
142 ++ int orig_granted_mode;
143 ++ kuid_t euid;
144 ++ kgid_t egid;
145 +
146 -+ if (grsec_enable_harden_ipc && !(requested_mode & ~granted_mode & 0007) && !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
147 -+ gr_log_str2_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", write ? "writ" : "read", GR_GLOBAL_UID(ipcp->cuid));
148 ++ if (!grsec_enable_harden_ipc)
149 ++ return 0;
150 ++
151 ++ euid = current_euid();
152 ++ egid = current_egid();
153 ++
154 ++ write = requested_mode & 00002;
155 ++ orig_granted_mode = ipcp->mode;
156 ++
157 ++ if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid))
158 ++ orig_granted_mode >>= 6;
159 ++ else {
160 ++ /* if likely wrong permissions, lock to user */
161 ++ if (orig_granted_mode & 0007)
162 ++ orig_granted_mode = 0;
163 ++ /* otherwise do a egid-only check */
164 ++ else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid))
165 ++ orig_granted_mode >>= 3;
166 ++ /* otherwise, no access */
167 ++ else
168 ++ orig_granted_mode = 0;
169 ++ }
170 ++ if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&
171 ++ !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
172 ++ gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));
173 + return 0;
174 + }
175 +#endif
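Review bot: In the grsecurity/grsec_ipc.c hunk, the new early exit `if (!grsec_enable_harden_ipc) return 0;` in gr_ipc_permitted() returns the same value as the logged denial path a few lines below it, and the ipc/util.c hunk now calls the function unconditionally and maps a zero result to `return -1`. If grsec_enable_harden_ipc can be zero at runtime (its definition is not visible here), turning the feature off would make ipcperms() refuse every request, including the owner's, instead of falling back to the stock permission checks. The early exit should report "permitted", i.e. `if (!grsec_enable_harden_ipc) return 1;`, assuming the function's final return, which lies outside this hunk, is the usual non-zero value for allowed. A one-line comment above gr_ipc_permitted() stating the convention, `/* returns 0 to deny, non-zero to allow */`, would make the two exits easier to check against each other.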
176 @@ -75995,7 +76057,7 @@ index 0000000..d25522e
177 +#endif
178 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
179 new file mode 100644
180 -index 0000000..2b07594
181 +index 0000000..195cbe4
182 --- /dev/null
183 +++ b/include/linux/grmsg.h
184 @@ -0,0 +1,115 @@
185 @@ -76113,7 +76175,7 @@ index 0000000..2b07594
186 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
187 +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
188 +#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
189 -+#define GR_IPC_DENIED_MSG "denied %s of globally-%sable IPC with creator uid %u by "
190 ++#define GR_IPC_DENIED_MSG "denied %s of overly-permissive IPC object with creator uid %u by "
191 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
192 new file mode 100644
193 index 0000000..d8b5b48
194 @@ -81460,7 +81522,7 @@ index 7a51443..3a257d8 100644
195 ipc_unlock_object(&shp->shm_perm);
196 rcu_read_unlock();
197 diff --git a/ipc/util.c b/ipc/util.c
198 -index 7684f41..f7da711 100644
199 +index 7684f41..5bf1880 100644
200 --- a/ipc/util.c
201 +++ b/ipc/util.c
202 @@ -71,6 +71,8 @@ struct ipc_proc_iface {
203 @@ -81472,11 +81534,12 @@ index 7684f41..f7da711 100644
204 static void ipc_memory_notifier(struct work_struct *work)
205 {
206 ipcns_notify(IPCNS_MEMCHANGED);
207 -@@ -560,6 +562,9 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
208 +@@ -560,6 +562,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
209 granted_mode >>= 6;
210 else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
211 granted_mode >>= 3;
212 -+ else if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
213 ++
214 ++ if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
215 + return -1;
216 +
217 /* is there some bit set in requested_mode but not in granted_mode? */
218
219 diff --git a/3.12.6/4450_grsec-kconfig-default-gids.patch b/3.12.6/4450_grsec-kconfig-default-gids.patch
220 index aa9d567..cdd1703 100644
221 --- a/3.12.6/4450_grsec-kconfig-default-gids.patch
222 +++ b/3.12.6/4450_grsec-kconfig-default-gids.patch
223 @@ -16,7 +16,7 @@ from shooting themselves in the foot.
224 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
225 --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
226 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
227 -@@ -621,7 +621,7 @@
228 +@@ -626,7 +626,7 @@
229 config GRKERNSEC_AUDIT_GID
230 int "GID for auditing"
231 depends on GRKERNSEC_AUDIT_GROUP
232 @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
233
234 config GRKERNSEC_EXECLOG
235 bool "Exec logging"
236 -@@ -848,7 +848,7 @@
237 +@@ -857,7 +857,7 @@
238 config GRKERNSEC_TPE_UNTRUSTED_GID
239 int "GID for TPE-untrusted users"
240 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
241 @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
242 help
243 Setting this GID determines what group TPE restrictions will be
244 *enabled* for. If the sysctl option is enabled, a sysctl option
245 -@@ -857,7 +857,7 @@
246 +@@ -866,7 +866,7 @@
247 config GRKERNSEC_TPE_TRUSTED_GID
248 int "GID for TPE-trusted users"
249 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
250 @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
251 help
252 Setting this GID determines what group TPE restrictions will be
253 *disabled* for. If the sysctl option is enabled, a sysctl option
254 -@@ -950,7 +950,7 @@
255 +@@ -959,7 +959,7 @@
256 config GRKERNSEC_SOCKET_ALL_GID
257 int "GID to deny all sockets for"
258 depends on GRKERNSEC_SOCKET_ALL
259 @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
260 help
261 Here you can choose the GID to disable socket access for. Remember to
262 add the users you want socket access disabled for to the GID
263 -@@ -971,7 +971,7 @@
264 +@@ -980,7 +980,7 @@
265 config GRKERNSEC_SOCKET_CLIENT_GID
266 int "GID to deny client sockets for"
267 depends on GRKERNSEC_SOCKET_CLIENT
268 @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
269 help
270 Here you can choose the GID to disable client socket access for.
271 Remember to add the users you want client socket access disabled for to
272 -@@ -989,7 +989,7 @@
273 +@@ -998,7 +998,7 @@
274 config GRKERNSEC_SOCKET_SERVER_GID
275 int "GID to deny server sockets for"
276 depends on GRKERNSEC_SOCKET_SERVER
277
278 diff --git a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
279 index 6490fca..04ec3fb 100644
280 --- a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
281 +++ b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
282 @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
283 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
284 --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
285 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
286 -@@ -1084,6 +1084,27 @@
287 +@@ -1093,6 +1093,27 @@
288 menu "Logging Options"
289 depends on GRKERNSEC