authorAnthony G. Basile <blueness@gentoo.org>2012-03-22 20:46:47 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-03-22 20:46:47 -0400
commita833d83eb668229fbcc18dca61f3c333fa209fe8 (patch)
treebf8202540422ccba4c54fc2ce36fee51cf1f276e
parentGrsec/PaX: 2.9-2.6.32.59-201203201932 + 2.9-3.2.12-201203201932 (diff)
Grsec/PaX: 2.9-2.6.32.59-201203212033 + 2.9-3.2.12-20120321203320120321
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9-2.6.32.59-201203212033.patch (renamed from 2.6.32/4420_grsecurity-2.9-2.6.32.59-201203201932.patch)107
-rw-r--r--2.6.32/4455_grsec-kconfig-gentoo.patch5
-rw-r--r--3.2.12/0000_README2
-rw-r--r--3.2.12/4420_grsecurity-2.9-3.2.12-201203212033.patch (renamed from 3.2.12/4420_grsecurity-2.9-3.2.12-201203201932.patch)67
-rw-r--r--3.2.12/4455_grsec-kconfig-gentoo.patch5
6 files changed, 130 insertions, 58 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 0a02821..078f367 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9-2.6.32.59-201203201932.patch
+Patch: 4420_grsecurity-2.9-2.6.32.59-201203212033.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203201932.patch b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203212033.patch
index 64b036f..0b63ac0 100644
--- a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203201932.patch
+++ b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203212033.patch
@@ -22651,7 +22651,7 @@ index e6d925f..8cdd779 100644
.disabled_by_bios = vmx_disabled_by_bios,
.hardware_setup = hardware_setup,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index df1cefb..ff86cc2 100644
+index df1cefb..31447ca 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu);
@@ -22728,23 +22728,19 @@ index df1cefb..ff86cc2 100644
return -EINVAL;
if (irqchip_in_kernel(vcpu->kvm))
return -ENXIO;
-@@ -2764,7 +2774,14 @@ int emulator_write_emulated(unsigned long addr,
- }
- EXPORT_SYMBOL_GPL(emulator_write_emulated);
-
--static int emulator_cmpxchg_emulated(unsigned long addr,
-+static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
-+ unsigned long addr,
-+ const void *old,
-+ const void *new,
-+ unsigned int bytes,
-+ struct kvm_vcpu *vcpu) __size_overflow(5);
-+static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
-+ unsigned long addr,
+@@ -2768,6 +2778,11 @@ static int emulator_cmpxchg_emulated(unsigned long addr,
const void *old,
const void *new,
unsigned int bytes,
-@@ -3260,10 +3277,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
++ struct kvm_vcpu *vcpu) __size_overflow(5);
++static int emulator_cmpxchg_emulated(unsigned long addr,
++ const void *old,
++ const void *new,
++ unsigned int bytes,
+ struct kvm_vcpu *vcpu)
+ {
+ printk_once(KERN_WARNING "kvm: emulating exchange as write\n");
+@@ -3260,10 +3275,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = {
.notifier_call = kvmclock_cpufreq_notifier
};
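Review bot: The re-added prototype of `emulator_cmpxchg_emulated` still carries `__size_overflow(5)`, but with the `ctxt` parameter dropped the fifth parameter is now `struct kvm_vcpu *vcpu` and `bytes` has moved to fourth. In the removed six-parameter version the index 5 pointed at `bytes`, so the attribute appears to count parameters from 1 and now no longer covers the size argument. `struct kvm_vcpu *vcpu) __size_overflow(4);` looks like the intended form. The function body continues outside the hunk.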
@@ -74908,10 +74904,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..d785922
+index 0000000..d881a39
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4117 @@
+@@ -0,0 +1,4156 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -75566,22 +75562,60 @@ index 0000000..d785922
+ unsigned int index =
+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
+ struct acl_role_label **curr;
-+ struct acl_role_label *tmp;
++ struct acl_role_label *tmp, *tmp2;
+
+ curr = &acl_role_set.r_hash[index];
+
-+ /* if role was already inserted due to domains and already has
-+ a role in the same bucket as it attached, then we need to
-+ combine these two buckets
-+ */
-+ if (role->next) {
-+ tmp = role->next;
-+ while (tmp->next)
++ /* simple case, slot is empty, just set it to our role */
++ if (*curr == NULL) {
++ *curr = role;
++ } else {
++ /* example:
++ 1 -> 2 -> 3 (adding 2 -> 3 to here)
++ 2 -> 3
++ */
++ /* first check to see if we can already be reached via this slot */
++ tmp = *curr;
++ while (tmp && tmp != role)
+ tmp = tmp->next;
-+ tmp->next = *curr;
-+ } else
-+ role->next = *curr;
-+ *curr = role;
++ if (tmp == role) {
++ /* we don't need to add ourselves to this slot's chain */
++ return;
++ }
++ /* we need to add ourselves to this chain, two cases */
++ if (role->next == NULL) {
++ /* simple case, append the current chain to our role */
++ role->next = *curr;
++ *curr = role;
++ } else {
++ /* 1 -> 2 -> 3 -> 4
++ 2 -> 3 -> 4
++ 3 -> 4 (adding 1 -> 2 -> 3 -> 4 to here)
++ */
++ /* trickier case: walk our role's chain until we find
++ the role for the start of the current slot's chain */
++ tmp = role;
++ tmp2 = *curr;
++ while (tmp->next && tmp->next != tmp2)
++ tmp = tmp->next;
++ if (tmp->next == tmp2) {
++ /* from example above, we found 3, so just
++ replace this slot's chain with ours */
++ *curr = role;
++ } else {
++ /* we didn't find a subset of our role's chain
++ in the current slot's chain, so append their
++ chain to ours, and set us as the first role in
++ the slot's chain
++
++ we could fold this case with the case above,
++ but making it explicit for clarity
++ */
++ tmp->next = tmp2;
++ *curr = role;
++ }
++ }
++ }
+
+ return;
+}
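Review bot: The final else branch (`tmp->next = tmp2; *curr = role;`) treats the two chains as disjoint, but the code has only checked that `role` is not in the slot's chain and that the slot's head is not in `role`'s chain. If the chains share a tail, for example slot `A -> X -> Y` and role `R -> X -> Y`, `tmp` stops at `Y` and `Y->next = A` closes a cycle, so a later walk of this bucket that finds no match would not terminate. Before appending, check whether any node of `role`'s chain already appears in the slot's chain and, if one does, set only `*curr = role`; at minimum, state the disjointness assumption in the comment. The same code is added for 3.2.12 in the second `grsecurity/gracl.c` hunk, and the function's signature lies outside both hunks.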
@@ -75910,6 +75944,7 @@ index 0000000..d785922
+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
+
+ default_role = NULL;
++ kernel_role = NULL;
+ role_list = NULL;
+
+ return;
@@ -84490,7 +84525,7 @@ index e2bd73e..fea8ed3 100644
#endif /* _ASM_GENERIC_PGTABLE_H */
diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
-index b218b85..62dbfdc 100644
+index b218b85..043ee5b 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -76,6 +76,8 @@ extern unsigned long search_exception_table(unsigned long);
@@ -84535,15 +84570,7 @@ index b218b85..62dbfdc 100644
static inline long copy_to_user(void __user *to,
const void *from, unsigned long n)
{
-@@ -276,6 +283,7 @@ __strncpy_from_user(char *dst, const char __user *src, long count)
- #endif
-
- static inline long
-+static inline long
- strncpy_from_user(char *dst, const char __user *src, long count)
- {
- if (!access_ok(VERIFY_READ, src, 1))
-@@ -307,6 +315,8 @@ static inline long strlen_user(const char __user *src)
+@@ -307,6 +314,8 @@ static inline long strlen_user(const char __user *src)
*/
#ifndef __clear_user
static inline __must_check unsigned long
@@ -84552,7 +84579,7 @@ index b218b85..62dbfdc 100644
__clear_user(void __user *to, unsigned long n)
{
memset((void __force *)to, 0, n);
-@@ -315,6 +325,8 @@ __clear_user(void __user *to, unsigned long n)
+@@ -315,6 +324,8 @@ __clear_user(void __user *to, unsigned long n)
#endif
static inline __must_check unsigned long
diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch
index b7e7322..495638e 100644
--- a/2.6.32/4455_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4455_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_LOW
bool "Low"
-@@ -192,6 +192,259 @@
+@@ -192,6 +192,262 @@
- Restricted sysfs/debugfs
- Active kernel exploit response
@@ -67,6 +67,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
+ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_IO
@@ -152,6 +153,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
+ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_PROC_IPADDR
@@ -236,6 +238,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
+ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_PROC_IPADDR
diff --git a/3.2.12/0000_README b/3.2.12/0000_README
index 106e032..4e91c4e 100644
--- a/3.2.12/0000_README
+++ b/3.2.12/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9-3.2.12-201203201932.patch
+Patch: 4420_grsecurity-2.9-3.2.12-201203212033.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.12/4420_grsecurity-2.9-3.2.12-201203201932.patch b/3.2.12/4420_grsecurity-2.9-3.2.12-201203212033.patch
index 2ecba26..adc602d 100644
--- a/3.2.12/4420_grsecurity-2.9-3.2.12-201203201932.patch
+++ b/3.2.12/4420_grsecurity-2.9-3.2.12-201203212033.patch
@@ -50956,10 +50956,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..19b3cba
+index 0000000..2d9c682
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4133 @@
+@@ -0,0 +1,4172 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -51619,22 +51619,60 @@ index 0000000..19b3cba
+ unsigned int index =
+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
+ struct acl_role_label **curr;
-+ struct acl_role_label *tmp;
++ struct acl_role_label *tmp, *tmp2;
+
+ curr = &acl_role_set.r_hash[index];
+
-+ /* if role was already inserted due to domains and already has
-+ a role in the same bucket as it attached, then we need to
-+ combine these two buckets
-+ */
-+ if (role->next) {
-+ tmp = role->next;
-+ while (tmp->next)
++ /* simple case, slot is empty, just set it to our role */
++ if (*curr == NULL) {
++ *curr = role;
++ } else {
++ /* example:
++ 1 -> 2 -> 3 (adding 2 -> 3 to here)
++ 2 -> 3
++ */
++ /* first check to see if we can already be reached via this slot */
++ tmp = *curr;
++ while (tmp && tmp != role)
+ tmp = tmp->next;
-+ tmp->next = *curr;
-+ } else
-+ role->next = *curr;
-+ *curr = role;
++ if (tmp == role) {
++ /* we don't need to add ourselves to this slot's chain */
++ return;
++ }
++ /* we need to add ourselves to this chain, two cases */
++ if (role->next == NULL) {
++ /* simple case, append the current chain to our role */
++ role->next = *curr;
++ *curr = role;
++ } else {
++ /* 1 -> 2 -> 3 -> 4
++ 2 -> 3 -> 4
++ 3 -> 4 (adding 1 -> 2 -> 3 -> 4 to here)
++ */
++ /* trickier case: walk our role's chain until we find
++ the role for the start of the current slot's chain */
++ tmp = role;
++ tmp2 = *curr;
++ while (tmp->next && tmp->next != tmp2)
++ tmp = tmp->next;
++ if (tmp->next == tmp2) {
++ /* from example above, we found 3, so just
++ replace this slot's chain with ours */
++ *curr = role;
++ } else {
++ /* we didn't find a subset of our role's chain
++ in the current slot's chain, so append their
++ chain to ours, and set us as the first role in
++ the slot's chain
++
++ we could fold this case with the case above,
++ but making it explicit for clarity
++ */
++ tmp->next = tmp2;
++ *curr = role;
++ }
++ }
++ }
+
+ return;
+}
@@ -51956,6 +51994,7 @@ index 0000000..19b3cba
+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
+
+ default_role = NULL;
++ kernel_role = NULL;
+ role_list = NULL;
+
+ return;
diff --git a/3.2.12/4455_grsec-kconfig-gentoo.patch b/3.2.12/4455_grsec-kconfig-gentoo.patch
index 587b7d9..ef59341 100644
--- a/3.2.12/4455_grsec-kconfig-gentoo.patch
+++ b/3.2.12/4455_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_LOW
bool "Low"
-@@ -192,6 +192,259 @@
+@@ -192,6 +192,262 @@
- Restricted sysfs/debugfs
- Active kernel exploit response
@@ -67,6 +67,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
+ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_IO
@@ -152,6 +153,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
+ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_PROC_IPADDR
@@ -236,6 +238,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_PTRACE_READEXEC
+ select GRKERNSEC_SETXID
+ select GRKERNSEC_VM86 if (X86_32)
+ select GRKERNSEC_PROC_IPADDR