-rw-r--r--3.14.33/0000_README2
-rw-r--r--3.14.33/4420_grsecurity-3.1-3.14.33-201502222137.patch (renamed from 3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch)191
-rw-r--r--3.14.33/4427_force_XATTR_PAX_tmpfs.patch4
-rw-r--r--3.14.33/4450_grsec-kconfig-default-gids.patch12
-rw-r--r--3.14.33/4465_selinux-avc_audit-log-curr_ip.patch2
-rw-r--r--3.14.33/4470_disable-compat_vdso.patch2
-rw-r--r--3.18.7/0000_README2
-rw-r--r--3.18.7/4420_grsecurity-3.1-3.18.7-201502222138.patch (renamed from 3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch)191
-rw-r--r--3.18.7/4470_disable-compat_vdso.patch2
-rw-r--r--3.2.67/0000_README2
-rw-r--r--3.2.67/4420_grsecurity-3.1-3.2.67-201502222131.patch (renamed from 3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch)191
-rw-r--r--3.2.67/4450_grsec-kconfig-default-gids.patch12
-rw-r--r--3.2.67/4465_selinux-avc_audit-log-curr_ip.patch2
13 files changed, 375 insertions, 240 deletions
diff --git a/3.14.33/0000_README b/3.14.33/0000_README
index 0785237..d79223a 100644
--- a/3.14.33/0000_README
+++ b/3.14.33/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.33-201502200812.patch
+Patch: 4420_grsecurity-3.1-3.14.33-201502222137.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch b/3.14.33/4420_grsecurity-3.1-3.14.33-201502222137.patch
index 6f66607..ae236cc 100644
--- a/3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch
+++ b/3.14.33/4420_grsecurity-3.1-3.14.33-201502222137.patch
@@ -64169,7 +64169,7 @@ index b29e42f..5ea7fdf 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index 0dd72c8..b058c6d 100644
+index 0dd72c8..07c6710 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask)
@@ -64613,7 +64613,7 @@ index 0dd72c8..b058c6d 100644
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
-+ ino_t saved_ino = 0;
++ u64 saved_ino = 0;
+ dev_t saved_dev = 0;
unsigned int lookup_flags = 0;
retry:
@@ -64623,7 +64623,7 @@ index 0dd72c8..b058c6d 100644
goto exit3;
}
+
-+ saved_ino = dentry->d_inode->i_ino;
++ saved_ino = gr_get_ino_from_dentry(dentry);
+ saved_dev = gr_get_dev_from_dentry(dentry);
+
+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
@@ -64644,7 +64644,7 @@ index 0dd72c8..b058c6d 100644
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
-+ ino_t saved_ino = 0;
++ u64 saved_ino = 0;
+ dev_t saved_dev = 0;
unsigned int lookup_flags = 0;
retry:
@@ -64655,7 +64655,7 @@ index 0dd72c8..b058c6d 100644
ihold(inode);
+
+ if (inode->i_nlink <= 1) {
-+ saved_ino = inode->i_ino;
++ saved_ino = gr_get_ino_from_dentry(dentry);
+ saved_dev = gr_get_dev_from_dentry(dentry);
+ }
+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
@@ -70424,10 +70424,10 @@ index 0000000..30ababb
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..c83525f
+index 0000000..24d5a4c
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,2697 @@
+@@ -0,0 +1,2725 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -70535,11 +70535,26 @@ index 0000000..c83525f
+ return dentry->d_sb->s_dev;
+}
+
++static inline u64 __get_ino(const struct dentry *dentry)
++{
++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
++ return btrfs_ino(dentry->d_inode);
++ else
++#endif
++ return dentry->d_inode->i_ino;
++}
++
+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
+{
+ return __get_dev(dentry);
+}
+
++u64 gr_get_ino_from_dentry(struct dentry *dentry)
++{
++ return __get_ino(dentry);
++}
++
+static char gr_task_roletype_to_char(struct task_struct *task)
+{
+ switch (task->role->roletype &
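Review bot: `__get_ino()` is added as a file-local `static inline` here and again, byte for byte, in grsecurity/gracl_segv.c later in this patch (the 3.18.7 gracl.c hunk repeats it), so the copies can drift apart. Subject and object labels are looked up by the (ino, dev) pair, so if one copy ever computed the inode number differently, lookups in that file would miss the label without any error. Defining it once in a shared grsecurity header would remove that risk. The `else` that straddles `#endif` is also fragile; `if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) return btrfs_ino(dentry->d_inode);` before the `#endif`, then an unconditional `return dentry->d_inode->i_ino;`, behaves the same with no dangling branch. A comment such as `/* btrfs: key on btrfs_ino(), i_ino may not hold the full 64-bit object id */` would record why btrfs is special-cased; that rationale is inferred, not stated in the hunk.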
@@ -70878,7 +70893,7 @@ index 0000000..c83525f
+}
+
+struct acl_subject_label *
-+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
++lookup_acl_subj_label(const u64 ino, const dev_t dev,
+ const struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
@@ -70898,7 +70913,7 @@ index 0000000..c83525f
+}
+
+struct acl_subject_label *
-+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
++lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev,
+ const struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
@@ -70918,7 +70933,7 @@ index 0000000..c83525f
+}
+
+static struct acl_object_label *
-+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
++lookup_acl_obj_label(const u64 ino, const dev_t dev,
+ const struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
@@ -70938,7 +70953,7 @@ index 0000000..c83525f
+}
+
+static struct acl_object_label *
-+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
++lookup_acl_obj_label_create(const u64 ino, const dev_t dev,
+ const struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
@@ -71019,7 +71034,7 @@ index 0000000..c83525f
+}
+
+static struct inodev_entry *
-+lookup_inodev_entry(const ino_t ino, const dev_t dev)
++lookup_inodev_entry(const u64 ino, const dev_t dev)
+{
+ unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size);
+ struct inodev_entry *match;
@@ -71244,7 +71259,7 @@ index 0000000..c83525f
+
+static struct acl_object_label *
+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
-+ const ino_t curr_ino, const dev_t curr_dev,
++ const u64 curr_ino, const dev_t curr_dev,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
+ struct acl_subject_label *tmpsubj;
@@ -71275,7 +71290,7 @@ index 0000000..c83525f
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
+ int newglob = checkglob;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+
+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
@@ -71287,7 +71302,7 @@ index 0000000..c83525f
+ newglob = GR_NO_GLOB;
+
+ spin_lock(&curr_dentry->d_lock);
-+ inode = curr_dentry->d_inode->i_ino;
++ inode = __get_ino(curr_dentry);
+ device = __get_dev(curr_dentry);
+ spin_unlock(&curr_dentry->d_lock);
+
@@ -71420,7 +71435,7 @@ index 0000000..c83525f
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
+ retval =
-+ lookup_acl_subj_label(dentry->d_inode->i_ino,
++ lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ spin_unlock(&dentry->d_lock);
@@ -71435,7 +71450,7 @@ index 0000000..c83525f
+
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ parent = dentry->d_parent;
@@ -71449,7 +71464,7 @@ index 0000000..c83525f
+
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ spin_unlock(&dentry->d_lock);
@@ -71457,7 +71472,7 @@ index 0000000..c83525f
+ if (unlikely(retval == NULL)) {
+ /* gr_real_root is pinned, we don't need to hold a reference */
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(gr_real_root.dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry),
+ __get_dev(gr_real_root.dentry), role);
+ read_unlock(&gr_inode_lock);
+ }
@@ -71584,14 +71599,27 @@ index 0000000..c83525f
+ return;
+
+ for (i = 0; i < RLIM_NLIMITS; i++) {
++ unsigned long rlim_cur, rlim_max;
++
+ if (!(proc->resmask & (1U << i)))
+ continue;
+
-+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
-+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
++ rlim_cur = proc->res[i].rlim_cur;
++ rlim_max = proc->res[i].rlim_max;
++
++ if (i == RLIMIT_NOFILE) {
++ unsigned long saved_sysctl_nr_open = sysctl_nr_open;
++ if (rlim_cur > saved_sysctl_nr_open)
++ rlim_cur = saved_sysctl_nr_open;
++ if (rlim_max > saved_sysctl_nr_open)
++ rlim_max = saved_sysctl_nr_open;
++ }
++
++ task->signal->rlim[i].rlim_cur = rlim_cur;
++ task->signal->rlim[i].rlim_max = rlim_max;
+
+ if (i == RLIMIT_CPU)
-+ update_rlimit_cpu(task, proc->res[i].rlim_cur);
++ update_rlimit_cpu(task, rlim_cur);
+ }
+
+ return;
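Review bot: `saved_sysctl_nr_open` is initialised with a plain read of `sysctl_nr_open`, so the compiler may reload the global for each of the two comparisons, and the snapshot the name promises is not guaranteed if the sysctl is written concurrently. `unsigned long saved_sysctl_nr_open = ACCESS_ONCE(sysctl_nr_open);` makes the single read explicit. The clamp also deserves a comment, for example `/* policy limits must not exceed fs.nr_open, the ceiling setrlimit() enforces for RLIMIT_NOFILE */`, because without it a policy-supplied value above that ceiling would be applied to the task unchecked. The enclosing function starts and ends outside the hunk, and the same change is repeated in the 3.18.7 patch.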
@@ -72294,7 +72322,7 @@ index 0000000..c83525f
+
+/* always called with valid inodev ptr */
+static void
-+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
++do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev)
+{
+ struct acl_object_label *matchpo;
+ struct acl_subject_label *matchps;
@@ -72322,7 +72350,7 @@ index 0000000..c83525f
+}
+
+void
-+gr_handle_delete(const ino_t ino, const dev_t dev)
++gr_handle_delete(const u64 ino, const dev_t dev)
+{
+ struct inodev_entry *inodev;
+
@@ -72339,8 +72367,8 @@ index 0000000..c83525f
+}
+
+static void
-+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice,
++update_acl_obj_label(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice,
+ struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size);
@@ -72378,8 +72406,8 @@ index 0000000..c83525f
+}
+
+static void
-+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice,
++update_acl_subj_label(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice,
+ struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size);
@@ -72417,8 +72445,8 @@ index 0000000..c83525f
+}
+
+static void
-+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice)
++update_inodev_entry(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size);
+ struct inodev_entry *match;
@@ -72454,7 +72482,7 @@ index 0000000..c83525f
+}
+
+static void
-+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
++__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev)
+{
+ struct acl_subject_label *subj;
+ struct acl_role_label *role;
@@ -72487,7 +72515,7 @@ index 0000000..c83525f
+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
+ const struct vfsmount *mnt)
+{
-+ ino_t ino = dentry->d_inode->i_ino;
++ u64 ino = __get_ino(dentry);
+ dev_t dev = __get_dev(dentry);
+
+ __do_handle_create(matchn, ino, dev);
@@ -72546,7 +72574,7 @@ index 0000000..c83525f
+ struct name_entry *matchn;
+ struct inodev_entry *inodev;
+ struct inode *inode = new_dentry->d_inode;
-+ ino_t old_ino = old_dentry->d_inode->i_ino;
++ u64 old_ino = __get_ino(old_dentry);
+ dev_t old_dev = __get_dev(old_dentry);
+
+ /* vfs_rename swaps the name and parent link for old_dentry and
@@ -72569,7 +72597,7 @@ index 0000000..c83525f
+
+ write_lock(&gr_inode_lock);
+ if (unlikely(replace && inode)) {
-+ ino_t new_ino = inode->i_ino;
++ u64 new_ino = __get_ino(new_dentry);
+ dev_t new_dev = __get_dev(new_dentry);
+
+ inodev = lookup_inodev_entry(new_ino, new_dev);
@@ -73026,7 +73054,7 @@ index 0000000..c83525f
+ return 0;
+}
+
-+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino)
+{
+ struct task_struct *task = current;
+ struct dentry *dentry = file->f_path.dentry;
@@ -73371,10 +73399,10 @@ index 0000000..1a94c11
+
diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
new file mode 100644
-index 0000000..ca25605
+index 0000000..a43dd06
--- /dev/null
+++ b/grsecurity/gracl_compat.c
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,269 @@
+#include <linux/kernel.h>
+#include <linux/gracl.h>
+#include <linux/compat.h>
@@ -73389,8 +73417,7 @@ index 0000000..ca25605
+ if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat)))
+ return -EFAULT;
+
-+ if (((uwrapcompat.version != GRSECURITY_VERSION) &&
-+ (uwrapcompat.version != 0x2901)) ||
++ if ((uwrapcompat.version != GRSECURITY_VERSION) ||
+ (uwrapcompat.size != sizeof(struct gr_arg_compat)))
+ return -EINVAL;
+
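Review bot: With the `0x2901` alternative removed, this check accepts only an exact `GRSECURITY_VERSION` match, so an older gradm now gets a bare `-EINVAL`, and nothing in the visible lines logs that the load failed on a userland/kernel version mismatch. The strictness looks intentional, since the same commit widens the inode fields in the structures copied from userspace, but that reasoning should sit next to the check, e.g. `/* policy structure layout changed in 3.1 (64-bit inode fields): refuse older gradm */`. A host that upgrades the kernel without gradm would presumably come up with no RBAC policy loaded, so a log line on this path would help operators notice. The identical edit is made in grsecurity/gracl_policy.c; both enclosing functions extend outside their hunks.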
@@ -74697,10 +74724,10 @@ index 0000000..25f54ef
+};
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
new file mode 100644
-index 0000000..7949dcd
+index 0000000..fd26052
--- /dev/null
+++ b/grsecurity/gracl_policy.c
-@@ -0,0 +1,1782 @@
+@@ -0,0 +1,1781 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -74780,8 +74807,8 @@ index 0000000..7949dcd
+extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role);
+extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name);
+extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt);
-+extern struct acl_subject_label *lookup_acl_subj_label(const ino_t ino, const dev_t dev, const struct acl_role_label *role);
-+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, const struct acl_role_label *role);
++extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role);
++extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role);
+extern void assign_special_role(const char *rolename);
+extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role);
+extern int gr_rbac_disable(void *unused);
@@ -74864,8 +74891,7 @@ index 0000000..7949dcd
+ if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper)))
+ return -EFAULT;
+
-+ if (((uwrap->version != GRSECURITY_VERSION) &&
-+ (uwrap->version != 0x2901)) ||
++ if ((uwrap->version != GRSECURITY_VERSION) ||
+ (uwrap->size != sizeof(struct gr_arg)))
+ return -EINVAL;
+
@@ -75050,7 +75076,7 @@ index 0000000..7949dcd
+}
+
+static int
-+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
++insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted)
+{
+ struct name_entry **curr, *nentry;
+ struct inodev_entry *ientry;
@@ -76559,10 +76585,10 @@ index 0000000..39645c9
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..2040e61
+index 0000000..218b66b
--- /dev/null
+++ b/grsecurity/gracl_segv.c
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,324 @@
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <asm/uaccess.h>
@@ -76593,7 +76619,7 @@ index 0000000..2040e61
+static DEFINE_SPINLOCK(gr_uid_lock);
+extern rwlock_t gr_inode_lock;
+extern struct acl_subject_label *
-+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
++ lookup_acl_subj_label(const u64 inode, const dev_t dev,
+ struct acl_role_label *role);
+
+static inline dev_t __get_dev(const struct dentry *dentry)
@@ -76606,6 +76632,16 @@ index 0000000..2040e61
+ return dentry->d_sb->s_dev;
+}
+
++static inline u64 __get_ino(const struct dentry *dentry)
++{
++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
++ return btrfs_ino(dentry->d_inode);
++ else
++#endif
++ return dentry->d_inode->i_ino;
++}
++
+int
+gr_init_uidset(void)
+{
@@ -76826,13 +76862,14 @@ index 0000000..2040e61
+gr_check_crash_exec(const struct file *filp)
+{
+ struct acl_subject_label *curr;
++ struct dentry *dentry;
+
+ if (unlikely(!gr_acl_is_enabled()))
+ return 0;
+
+ read_lock(&gr_inode_lock);
-+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
-+ __get_dev(filp->f_path.dentry),
++ dentry = filp->f_path.dentry;
++ curr = lookup_acl_subj_label(__get_ino(dentry), __get_dev(dentry),
+ current->role);
+ read_unlock(&gr_inode_lock);
+
@@ -77424,10 +77461,10 @@ index 0000000..2a43673
+}
diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
new file mode 100644
-index 0000000..1e028d7
+index 0000000..7e8cbe4
--- /dev/null
+++ b/grsecurity/grsec_disabled.c
-@@ -0,0 +1,439 @@
+@@ -0,0 +1,444 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -77549,7 +77586,7 @@ index 0000000..1e028d7
+}
+
+void
-+gr_handle_delete(const ino_t ino, const dev_t dev)
++gr_handle_delete(const u64 ino, const dev_t dev)
+{
+ return;
+}
@@ -77749,7 +77786,7 @@ index 0000000..1e028d7
+
+int
+gr_acl_handle_filldir(const struct file *file, const char *name,
-+ const int namelen, const ino_t ino)
++ const int namelen, const u64 ino)
+{
+ return 1;
+}
@@ -77858,6 +77895,11 @@ index 0000000..1e028d7
+ return dentry->d_sb->s_dev;
+}
+
++u64 gr_get_ino_from_dentry(struct dentry *dentry)
++{
++ return dentry->d_inode->i_ino;
++}
++
+void gr_put_exec_file(struct task_struct *task)
+{
+ return;
@@ -82279,10 +82321,10 @@ index 3824ac6..f3932a3 100644
{
diff --git a/include/linux/gracl.h b/include/linux/gracl.h
new file mode 100644
-index 0000000..edb2cb6
+index 0000000..91858e4
--- /dev/null
+++ b/include/linux/gracl.h
-@@ -0,0 +1,340 @@
+@@ -0,0 +1,342 @@
+#ifndef GR_ACL_H
+#define GR_ACL_H
+
@@ -82294,8 +82336,8 @@ index 0000000..edb2cb6
+
+/* Major status information */
+
-+#define GR_VERSION "grsecurity 3.0"
-+#define GRSECURITY_VERSION 0x3000
++#define GR_VERSION "grsecurity 3.1"
++#define GRSECURITY_VERSION 0x3100
+
+enum {
+ GR_SHUTDOWN = 0,
@@ -82340,7 +82382,7 @@ index 0000000..edb2cb6
+
+struct name_entry {
+ __u32 key;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ char *name;
+ __u16 len;
@@ -82388,7 +82430,7 @@ index 0000000..edb2cb6
+
+struct acl_subject_label {
+ char *filename;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ __u32 mode;
+ kernel_cap_t cap_mask;
@@ -82476,7 +82518,7 @@ index 0000000..edb2cb6
+
+struct acl_object_label {
+ char *filename;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ __u32 mode;
+
@@ -82512,7 +82554,7 @@ index 0000000..edb2cb6
+ unsigned char sp_role[GR_SPROLE_LEN];
+ struct sprole_pw *sprole_pws;
+ dev_t segv_device;
-+ ino_t segv_inode;
++ u64 segv_inode;
+ uid_t segv_uid;
+ __u16 num_sprole_pws;
+ __u16 mode;
@@ -82584,9 +82626,11 @@ index 0000000..edb2cb6
+}
+
+static __inline__ unsigned int
-+gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
++gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz)
+{
-+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
++ unsigned int rem;
++ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem);
++ return rem;
+}
+
+static __inline__ unsigned int
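Review bot: `gr_fhash()` now passes `sz` to `div_u64_rem()` as the divisor, and nothing in the function documents or checks that `sz` is non-zero. Callers elsewhere in this patch pass `role->subj_hash_size`, `subj->obj_hash_size` and `running_polstate.inodev_set.i_size`, and where those are guaranteed non-zero is not visible here, so the precondition should be stated in a comment above the function. A second comment should say why the helper replaced `%`, e.g. `/* ino is u64: use div_u64_rem() so 32-bit builds do not need a libgcc 64-bit modulo */`; that motive is inferred from the type change. Note also that `dev << 9` is still evaluated at the width of `dev_t` before widening, while the `ino` shifts are now 64-bit.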
@@ -82625,7 +82669,7 @@ index 0000000..edb2cb6
+
diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h
new file mode 100644
-index 0000000..33ebd1f
+index 0000000..af64092
--- /dev/null
+++ b/include/linux/gracl_compat.h
@@ -0,0 +1,156 @@
@@ -82652,7 +82696,7 @@ index 0000000..33ebd1f
+
+struct acl_subject_label_compat {
+ compat_uptr_t filename;
-+ compat_ino_t inode;
++ compat_u64 inode;
+ __u32 device;
+ __u32 mode;
+ kernel_cap_t cap_mask;
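Review bot: `inode` grows from `compat_ino_t` to `compat_u64` directly after the 4-byte `filename` pointer, so every later field of this userspace-supplied structure moves, and whether padding appears before `inode` depends on the alignment `compat_u64` carries on the architecture. The compat structures are copied in from a 32-bit gradm, so a layout disagreement would make the kernel read policy fields from the wrong offsets without any error. A comment naming the matching userspace structure, plus a compile-time size or offset assertion, would pin the contract. The same applies to the `acl_object_label_compat` and `gr_arg_compat` hunks that follow. The struct definition starts and ends outside the hunk.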
@@ -82740,7 +82784,7 @@ index 0000000..33ebd1f
+
+struct acl_object_label_compat {
+ compat_uptr_t filename;
-+ compat_ino_t inode;
++ compat_u64 inode;
+ __u32 device;
+ __u32 mode;
+
@@ -82772,7 +82816,7 @@ index 0000000..33ebd1f
+ unsigned char sp_role[GR_SPROLE_LEN];
+ compat_uptr_t sprole_pws;
+ __u32 segv_device;
-+ compat_ino_t segv_inode;
++ compat_u64 segv_inode;
+ uid_t segv_uid;
+ __u16 num_sprole_pws;
+ __u16 mode;
@@ -83308,10 +83352,10 @@ index 0000000..26ef560
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..40e9e6a
+index 0000000..0fb332e
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,259 @@
+@@ -0,0 +1,260 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -83479,7 +83523,7 @@ index 0000000..40e9e6a
+ const struct vfsmount *parent_mnt);
+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+void gr_handle_delete(const ino_t ino, const dev_t dev);
++void gr_handle_delete(const u64 ino, const dev_t dev);
+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
+ const struct vfsmount *mnt);
+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
@@ -83508,7 +83552,7 @@ index 0000000..40e9e6a
+ const struct dentry *old_dentry,
+ const struct vfsmount *old_mnt);
+int gr_acl_handle_filldir(const struct file *file, const char *name,
-+ const unsigned int namelen, const ino_t ino);
++ const unsigned int namelen, const u64 ino);
+
+__u32 gr_acl_handle_unix(const struct dentry *dentry,
+ const struct vfsmount *mnt);
@@ -83519,6 +83563,7 @@ index 0000000..40e9e6a
+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
+void gr_audit_ptrace(struct task_struct *task);
+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
++u64 gr_get_ino_from_dentry(struct dentry *dentry);
+void gr_put_exec_file(struct task_struct *task);
+
+int gr_ptrace_readexec(struct file *file, int unsafe_flags);
diff --git a/3.14.33/4427_force_XATTR_PAX_tmpfs.patch b/3.14.33/4427_force_XATTR_PAX_tmpfs.patch
index aa540ad..4c236cc 100644
--- a/3.14.33/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.33/4427_force_XATTR_PAX_tmpfs.patch
@@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive emerge.
diff -Naur a/mm/shmem.c b/mm/shmem.c
--- a/mm/shmem.c 2013-06-11 21:00:18.000000000 -0400
+++ b/mm/shmem.c 2013-06-11 21:08:18.000000000 -0400
-@@ -2240,11 +2240,7 @@
+@@ -2249,11 +2249,7 @@
static int shmem_xattr_validate(const char *name)
{
struct { const char *prefix; size_t len; } arr[] = {
@@ -18,7 +18,7 @@ diff -Naur a/mm/shmem.c b/mm/shmem.c
{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
};
-@@ -2300,14 +2296,12 @@
+@@ -2309,14 +2305,12 @@
if (err)
return err;
diff --git a/3.14.33/4450_grsec-kconfig-default-gids.patch b/3.14.33/4450_grsec-kconfig-default-gids.patch
index 722821b..8c878fc 100644
--- a/3.14.33/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.33/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -680,7 +680,7 @@
+@@ -696,7 +696,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -911,7 +911,7 @@
+@@ -927,7 +927,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -920,7 +920,7 @@
+@@ -936,7 +936,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -1005,7 +1005,7 @@
+@@ -1021,7 +1021,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -1026,7 +1026,7 @@
+@@ -1042,7 +1042,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -1044,7 +1044,7 @@
+@@ -1060,7 +1060,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch
index f92c155..bba906e 100644
--- a/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1139,6 +1139,27 @@
+@@ -1155,6 +1155,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/3.14.33/4470_disable-compat_vdso.patch b/3.14.33/4470_disable-compat_vdso.patch
index cc7c122..3b3953b 100644
--- a/3.14.33/4470_disable-compat_vdso.patch
+++ b/3.14.33/4470_disable-compat_vdso.patch
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -1862,17 +1862,8 @@
+@@ -1866,17 +1866,8 @@
config COMPAT_VDSO
def_bool n
diff --git a/3.18.7/0000_README b/3.18.7/0000_README
index ee63631..366e930 100644
--- a/3.18.7/0000_README
+++ b/3.18.7/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.18.7-201502200813.patch
+Patch: 4420_grsecurity-3.1-3.18.7-201502222138.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch b/3.18.7/4420_grsecurity-3.1-3.18.7-201502222138.patch
index 544940a..1db1bc3 100644
--- a/3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch
+++ b/3.18.7/4420_grsecurity-3.1-3.18.7-201502222138.patch
@@ -64135,7 +64135,7 @@ index f82c628..9492b99 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index db5fe86..ac769e4 100644
+index db5fe86..8bce5f0 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -331,17 +331,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -64516,7 +64516,7 @@ index db5fe86..ac769e4 100644
struct filename *name;
struct dentry *dentry;
struct nameidata nd;
-+ ino_t saved_ino = 0;
++ u64 saved_ino = 0;
+ dev_t saved_dev = 0;
unsigned int lookup_flags = 0;
retry:
@@ -64526,7 +64526,7 @@ index db5fe86..ac769e4 100644
goto exit3;
}
+
-+ saved_ino = dentry->d_inode->i_ino;
++ saved_ino = gr_get_ino_from_dentry(dentry);
+ saved_dev = gr_get_dev_from_dentry(dentry);
+
+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
@@ -64547,7 +64547,7 @@ index db5fe86..ac769e4 100644
struct nameidata nd;
struct inode *inode = NULL;
struct inode *delegated_inode = NULL;
-+ ino_t saved_ino = 0;
++ u64 saved_ino = 0;
+ dev_t saved_dev = 0;
unsigned int lookup_flags = 0;
retry:
@@ -64558,7 +64558,7 @@ index db5fe86..ac769e4 100644
ihold(inode);
+
+ if (inode->i_nlink <= 1) {
-+ saved_ino = inode->i_ino;
++ saved_ino = gr_get_ino_from_dentry(dentry);
+ saved_dev = gr_get_dev_from_dentry(dentry);
+ }
+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
@@ -69512,10 +69512,10 @@ index 0000000..30ababb
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..9c2d930
+index 0000000..6c1e154
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,2721 @@
+@@ -0,0 +1,2749 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -69623,11 +69623,26 @@ index 0000000..9c2d930
+ return dentry->d_sb->s_dev;
+}
+
++static inline u64 __get_ino(const struct dentry *dentry)
++{
++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
++ return btrfs_ino(dentry->d_inode);
++ else
++#endif
++ return dentry->d_inode->i_ino;
++}
++
+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
+{
+ return __get_dev(dentry);
+}
+
++u64 gr_get_ino_from_dentry(struct dentry *dentry)
++{
++ return __get_ino(dentry);
++}
++
+static char gr_task_roletype_to_char(struct task_struct *task)
+{
+ switch (task->role->roletype &
@@ -69966,7 +69981,7 @@ index 0000000..9c2d930
+}
+
+struct acl_subject_label *
-+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
++lookup_acl_subj_label(const u64 ino, const dev_t dev,
+ const struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
@@ -69986,7 +70001,7 @@ index 0000000..9c2d930
+}
+
+struct acl_subject_label *
-+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
++lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev,
+ const struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
@@ -70006,7 +70021,7 @@ index 0000000..9c2d930
+}
+
+static struct acl_object_label *
-+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
++lookup_acl_obj_label(const u64 ino, const dev_t dev,
+ const struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
@@ -70026,7 +70041,7 @@ index 0000000..9c2d930
+}
+
+static struct acl_object_label *
-+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
++lookup_acl_obj_label_create(const u64 ino, const dev_t dev,
+ const struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
@@ -70107,7 +70122,7 @@ index 0000000..9c2d930
+}
+
+static struct inodev_entry *
-+lookup_inodev_entry(const ino_t ino, const dev_t dev)
++lookup_inodev_entry(const u64 ino, const dev_t dev)
+{
+ unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size);
+ struct inodev_entry *match;
@@ -70332,7 +70347,7 @@ index 0000000..9c2d930
+
+static struct acl_object_label *
+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
-+ const ino_t curr_ino, const dev_t curr_dev,
++ const u64 curr_ino, const dev_t curr_dev,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
+ struct acl_subject_label *tmpsubj;
@@ -70363,7 +70378,7 @@ index 0000000..9c2d930
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
+ int newglob = checkglob;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+
+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
@@ -70375,7 +70390,7 @@ index 0000000..9c2d930
+ newglob = GR_NO_GLOB;
+
+ spin_lock(&curr_dentry->d_lock);
-+ inode = curr_dentry->d_inode->i_ino;
++ inode = __get_ino(curr_dentry);
+ device = __get_dev(curr_dentry);
+ spin_unlock(&curr_dentry->d_lock);
+
@@ -70508,7 +70523,7 @@ index 0000000..9c2d930
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
+ retval =
-+ lookup_acl_subj_label(dentry->d_inode->i_ino,
++ lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ spin_unlock(&dentry->d_lock);
@@ -70523,7 +70538,7 @@ index 0000000..9c2d930
+
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ parent = dentry->d_parent;
@@ -70537,7 +70552,7 @@ index 0000000..9c2d930
+
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ spin_unlock(&dentry->d_lock);
@@ -70545,7 +70560,7 @@ index 0000000..9c2d930
+ if (unlikely(retval == NULL)) {
+ /* gr_real_root is pinned, we don't need to hold a reference */
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(gr_real_root.dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry),
+ __get_dev(gr_real_root.dentry), role);
+ read_unlock(&gr_inode_lock);
+ }
@@ -70672,14 +70687,27 @@ index 0000000..9c2d930
+ return;
+
+ for (i = 0; i < RLIM_NLIMITS; i++) {
++ unsigned long rlim_cur, rlim_max;
++
+ if (!(proc->resmask & (1U << i)))
+ continue;
+
-+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
-+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
++ rlim_cur = proc->res[i].rlim_cur;
++ rlim_max = proc->res[i].rlim_max;
++
++ if (i == RLIMIT_NOFILE) {
++ unsigned long saved_sysctl_nr_open = sysctl_nr_open;
++ if (rlim_cur > saved_sysctl_nr_open)
++ rlim_cur = saved_sysctl_nr_open;
++ if (rlim_max > saved_sysctl_nr_open)
++ rlim_max = saved_sysctl_nr_open;
++ }
++
++ task->signal->rlim[i].rlim_cur = rlim_cur;
++ task->signal->rlim[i].rlim_max = rlim_max;
+
+ if (i == RLIMIT_CPU)
-+ update_rlimit_cpu(task, proc->res[i].rlim_cur);
++ update_rlimit_cpu(task, rlim_cur);
+ }
+
+ return;
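Review bot: The snapshot `saved_sysctl_nr_open = sysctl_nr_open` in the RLIMIT_NOFILE branch is a plain read, so the compiler may still reload the sysctl for each of the two comparisons. If the intent is one consistent ceiling for both `rlim_cur` and `rlim_max`, make it explicit with `unsigned long saved_sysctl_nr_open = ACCESS_ONCE(sysctl_nr_open);`. A short comment such as `/* policy-supplied limits do not go through setrlimit(), so apply its nr_open ceiling here */` would record why only this resource is clamped; that reading of the intent is inferred, not stated in the patch. The enclosing function starts outside the hunk, and the same hunk is repeated in the 3.2.67 patch.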
@@ -71382,7 +71410,7 @@ index 0000000..9c2d930
+
+/* always called with valid inodev ptr */
+static void
-+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
++do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev)
+{
+ struct acl_object_label *matchpo;
+ struct acl_subject_label *matchps;
@@ -71410,7 +71438,7 @@ index 0000000..9c2d930
+}
+
+void
-+gr_handle_delete(const ino_t ino, const dev_t dev)
++gr_handle_delete(const u64 ino, const dev_t dev)
+{
+ struct inodev_entry *inodev;
+
@@ -71427,8 +71455,8 @@ index 0000000..9c2d930
+}
+
+static void
-+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice,
++update_acl_obj_label(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice,
+ struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size);
@@ -71466,8 +71494,8 @@ index 0000000..9c2d930
+}
+
+static void
-+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice,
++update_acl_subj_label(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice,
+ struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size);
@@ -71505,8 +71533,8 @@ index 0000000..9c2d930
+}
+
+static void
-+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice)
++update_inodev_entry(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size);
+ struct inodev_entry *match;
@@ -71542,7 +71570,7 @@ index 0000000..9c2d930
+}
+
+static void
-+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
++__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev)
+{
+ struct acl_subject_label *subj;
+ struct acl_role_label *role;
@@ -71575,7 +71603,7 @@ index 0000000..9c2d930
+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
+ const struct vfsmount *mnt)
+{
-+ ino_t ino = dentry->d_inode->i_ino;
++ u64 ino = __get_ino(dentry);
+ dev_t dev = __get_dev(dentry);
+
+ __do_handle_create(matchn, ino, dev);
@@ -71635,7 +71663,7 @@ index 0000000..9c2d930
+ struct name_entry *matchn2 = NULL;
+ struct inodev_entry *inodev;
+ struct inode *inode = new_dentry->d_inode;
-+ ino_t old_ino = old_dentry->d_inode->i_ino;
++ u64 old_ino = __get_ino(old_dentry);
+ dev_t old_dev = __get_dev(old_dentry);
+ unsigned int exchange = flags & RENAME_EXCHANGE;
+
@@ -71677,7 +71705,7 @@ index 0000000..9c2d930
+
+ write_lock(&gr_inode_lock);
+ if (unlikely((replace || exchange) && inode)) {
-+ ino_t new_ino = inode->i_ino;
++ u64 new_ino = __get_ino(new_dentry);
+ dev_t new_dev = __get_dev(new_dentry);
+
+ inodev = lookup_inodev_entry(new_ino, new_dev);
@@ -72138,7 +72166,7 @@ index 0000000..9c2d930
+ return 0;
+}
+
-+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino)
+{
+ struct task_struct *task = current;
+ struct dentry *dentry = file->f_path.dentry;
@@ -72483,10 +72511,10 @@ index 0000000..1a94c11
+
diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
new file mode 100644
-index 0000000..ca25605
+index 0000000..a43dd06
--- /dev/null
+++ b/grsecurity/gracl_compat.c
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,269 @@
+#include <linux/kernel.h>
+#include <linux/gracl.h>
+#include <linux/compat.h>
@@ -72501,8 +72529,7 @@ index 0000000..ca25605
+ if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat)))
+ return -EFAULT;
+
-+ if (((uwrapcompat.version != GRSECURITY_VERSION) &&
-+ (uwrapcompat.version != 0x2901)) ||
++ if ((uwrapcompat.version != GRSECURITY_VERSION) ||
+ (uwrapcompat.size != sizeof(struct gr_arg_compat)))
+ return -EINVAL;
+
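Review bot: Nothing at the tightened check records why the legacy `0x2901` wrapper version is no longer accepted, so a reader could take it for an accidental loss of compatibility. Elsewhere in this patch the inode fields of the policy structures become `u64`/`compat_u64` and `GRSECURITY_VERSION` moves to `0x3100`, so an older userland tool would hand the kernel structures with a different layout. As far as the hunk shows, the `size` comparison covers only the top-level argument struct, so the strict version test is what rejects such a tool. I would add above the condition: `/* no legacy version accepted: the 3.1 policy ABI widened inode fields to 64 bits */`. The same applies to the matching check in gracl_policy.c and to both checks in the 3.2.67 patch; the enclosing function starts and ends outside the hunk.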
@@ -73817,10 +73844,10 @@ index 0000000..25f54ef
+};
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
new file mode 100644
-index 0000000..7949dcd
+index 0000000..fd26052
--- /dev/null
+++ b/grsecurity/gracl_policy.c
-@@ -0,0 +1,1782 @@
+@@ -0,0 +1,1781 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -73900,8 +73927,8 @@ index 0000000..7949dcd
+extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role);
+extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name);
+extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt);
-+extern struct acl_subject_label *lookup_acl_subj_label(const ino_t ino, const dev_t dev, const struct acl_role_label *role);
-+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, const struct acl_role_label *role);
++extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role);
++extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role);
+extern void assign_special_role(const char *rolename);
+extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role);
+extern int gr_rbac_disable(void *unused);
@@ -73984,8 +74011,7 @@ index 0000000..7949dcd
+ if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper)))
+ return -EFAULT;
+
-+ if (((uwrap->version != GRSECURITY_VERSION) &&
-+ (uwrap->version != 0x2901)) ||
++ if ((uwrap->version != GRSECURITY_VERSION) ||
+ (uwrap->size != sizeof(struct gr_arg)))
+ return -EINVAL;
+
@@ -74170,7 +74196,7 @@ index 0000000..7949dcd
+}
+
+static int
-+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
++insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted)
+{
+ struct name_entry **curr, *nentry;
+ struct inodev_entry *ientry;
@@ -75679,10 +75705,10 @@ index 0000000..39645c9
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..2040e61
+index 0000000..218b66b
--- /dev/null
+++ b/grsecurity/gracl_segv.c
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,324 @@
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <asm/uaccess.h>
@@ -75713,7 +75739,7 @@ index 0000000..2040e61
+static DEFINE_SPINLOCK(gr_uid_lock);
+extern rwlock_t gr_inode_lock;
+extern struct acl_subject_label *
-+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
++ lookup_acl_subj_label(const u64 inode, const dev_t dev,
+ struct acl_role_label *role);
+
+static inline dev_t __get_dev(const struct dentry *dentry)
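Review bot: The hand-written `extern` for `lookup_acl_subj_label` here declares its last parameter as `struct acl_role_label *role`, while the `extern` in gracl_policy.c and the definition in gracl.c (visible in the 3.2.67 section) use `const struct acl_role_label *role`. The commit has to edit every private copy to change `ino_t` to `u64`, which is how such copies drift: a missed one would still compile and call the subject lookup with a mismatched argument type. Align it as `lookup_acl_subj_label(const u64 inode, const dev_t dev, const struct acl_role_label *role);` and preferably move the declaration to a shared header so the compiler checks it against the definition. The same declaration appears in the 3.2.67 patch.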
@@ -75726,6 +75752,16 @@ index 0000000..2040e61
+ return dentry->d_sb->s_dev;
+}
+
++static inline u64 __get_ino(const struct dentry *dentry)
++{
++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
++ return btrfs_ino(dentry->d_inode);
++ else
++#endif
++ return dentry->d_inode->i_ino;
++}
++
+int
+gr_init_uidset(void)
+{
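Review bot: `__get_ino()` is added here as a second private copy of a helper that gracl.c also defines, and its return value is the key for the subject lookup below, so the copies must never diverge. The 3.2.67 gracl.c hunk shows the same logic exported as `gr_get_ino_from_dentry()` and declared in grsecurity.h, which `gr_check_crash_exec()` could call instead. If the local helper stays, drop the `else` that dangles across `#endif`: keep `if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) return btrfs_ino(dentry->d_inode);` inside the `#if` and put an unconditional `return dentry->d_inode->i_ino;` after it. That way a statement inserted later cannot become the `else` body by accident. The same pattern appears in the gracl.c and gracl_segv.c hunks of the 3.2.67 patch.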
@@ -75946,13 +75982,14 @@ index 0000000..2040e61
+gr_check_crash_exec(const struct file *filp)
+{
+ struct acl_subject_label *curr;
++ struct dentry *dentry;
+
+ if (unlikely(!gr_acl_is_enabled()))
+ return 0;
+
+ read_lock(&gr_inode_lock);
-+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
-+ __get_dev(filp->f_path.dentry),
++ dentry = filp->f_path.dentry;
++ curr = lookup_acl_subj_label(__get_ino(dentry), __get_dev(dentry),
+ current->role);
+ read_unlock(&gr_inode_lock);
+
@@ -76542,10 +76579,10 @@ index 0000000..114ea4f
+}
diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
new file mode 100644
-index 0000000..0f9ac91
+index 0000000..946f750
--- /dev/null
+++ b/grsecurity/grsec_disabled.c
-@@ -0,0 +1,440 @@
+@@ -0,0 +1,445 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -76667,7 +76704,7 @@ index 0000000..0f9ac91
+}
+
+void
-+gr_handle_delete(const ino_t ino, const dev_t dev)
++gr_handle_delete(const u64 ino, const dev_t dev)
+{
+ return;
+}
@@ -76868,7 +76905,7 @@ index 0000000..0f9ac91
+
+int
+gr_acl_handle_filldir(const struct file *file, const char *name,
-+ const int namelen, const ino_t ino)
++ const int namelen, const u64 ino)
+{
+ return 1;
+}
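Review bot: This stub still takes `const int namelen`, while the prototype in include/linux/grsecurity.h and the real implementation in gracl.c both use `const unsigned int namelen`. Since the line is being edited anyway, bring it in line: `const unsigned int namelen, const u64 ino)`. Whether grsec_disabled.c includes grsecurity.h is not visible from the hunk; if it does not, the compiler never compares the stub with the prototype, which would explain how the mismatch survived. The 3.2.67 patch carries the same stub.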
@@ -76977,6 +77014,11 @@ index 0000000..0f9ac91
+ return dentry->d_sb->s_dev;
+}
+
++u64 gr_get_ino_from_dentry(struct dentry *dentry)
++{
++ return dentry->d_inode->i_ino;
++}
++
+void gr_put_exec_file(struct task_struct *task)
+{
+ return;
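Review bot: This stub returns the raw `i_ino`, whereas the gracl.c version goes through `__get_ino()` and uses `btrfs_ino()` on btrfs, so the same exported function yields different values depending on the build. That looks harmless as long as the result only reaches the no-op `gr_handle_delete()` in this file, but that is an assumption about callers outside the hunk. A one-line comment would mark the difference as deliberate: `/* stub build: raw i_ino, without the btrfs_ino() translation done in gracl.c */`. The 3.2.67 patch adds the same stub.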
@@ -81399,10 +81441,10 @@ index 41b30fd..a3718cf 100644
{
diff --git a/include/linux/gracl.h b/include/linux/gracl.h
new file mode 100644
-index 0000000..edb2cb6
+index 0000000..91858e4
--- /dev/null
+++ b/include/linux/gracl.h
-@@ -0,0 +1,340 @@
+@@ -0,0 +1,342 @@
+#ifndef GR_ACL_H
+#define GR_ACL_H
+
@@ -81414,8 +81456,8 @@ index 0000000..edb2cb6
+
+/* Major status information */
+
-+#define GR_VERSION "grsecurity 3.0"
-+#define GRSECURITY_VERSION 0x3000
++#define GR_VERSION "grsecurity 3.1"
++#define GRSECURITY_VERSION 0x3100
+
+enum {
+ GR_SHUTDOWN = 0,
@@ -81460,7 +81502,7 @@ index 0000000..edb2cb6
+
+struct name_entry {
+ __u32 key;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ char *name;
+ __u16 len;
@@ -81508,7 +81550,7 @@ index 0000000..edb2cb6
+
+struct acl_subject_label {
+ char *filename;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ __u32 mode;
+ kernel_cap_t cap_mask;
@@ -81596,7 +81638,7 @@ index 0000000..edb2cb6
+
+struct acl_object_label {
+ char *filename;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ __u32 mode;
+
@@ -81632,7 +81674,7 @@ index 0000000..edb2cb6
+ unsigned char sp_role[GR_SPROLE_LEN];
+ struct sprole_pw *sprole_pws;
+ dev_t segv_device;
-+ ino_t segv_inode;
++ u64 segv_inode;
+ uid_t segv_uid;
+ __u16 num_sprole_pws;
+ __u16 mode;
@@ -81704,9 +81746,11 @@ index 0000000..edb2cb6
+}
+
+static __inline__ unsigned int
-+gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
++gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz)
+{
-+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
++ unsigned int rem;
++ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem);
++ return rem;
+}
+
+static __inline__ unsigned int
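Review bot: The new body of `gr_fhash()` does not say why the plain `% sz` was replaced, and `sz` is still used as a divisor with no visible guarantee that it is non-zero. With `ino` now `u64`, a `%` on a 64-bit value needs a helper that 32-bit kernel builds do not link, which is presumably why `div_u64_rem()` is used. A comment such as `/* u64 % u32 via div_u64_rem: no 64-bit modulo on 32-bit kernels; sz must be non-zero */` would record both facts. The callers in view pass hash-table sizes (`obj_hash_size`, `subj_hash_size`, `inodev_set.i_size`), and where those are set is outside the hunk. The same change appears in the 3.2.67 patch.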
@@ -81745,7 +81789,7 @@ index 0000000..edb2cb6
+
diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h
new file mode 100644
-index 0000000..33ebd1f
+index 0000000..af64092
--- /dev/null
+++ b/include/linux/gracl_compat.h
@@ -0,0 +1,156 @@
@@ -81772,7 +81816,7 @@ index 0000000..33ebd1f
+
+struct acl_subject_label_compat {
+ compat_uptr_t filename;
-+ compat_ino_t inode;
++ compat_u64 inode;
+ __u32 device;
+ __u32 mode;
+ kernel_cap_t cap_mask;
@@ -81860,7 +81904,7 @@ index 0000000..33ebd1f
+
+struct acl_object_label_compat {
+ compat_uptr_t filename;
-+ compat_ino_t inode;
++ compat_u64 inode;
+ __u32 device;
+ __u32 mode;
+
@@ -81892,7 +81936,7 @@ index 0000000..33ebd1f
+ unsigned char sp_role[GR_SPROLE_LEN];
+ compat_uptr_t sprole_pws;
+ __u32 segv_device;
-+ compat_ino_t segv_inode;
++ compat_u64 segv_inode;
+ uid_t segv_uid;
+ __u16 num_sprole_pws;
+ __u16 mode;
@@ -82428,10 +82472,10 @@ index 0000000..26ef560
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..6c76fcb
+index 0000000..63c1850
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,250 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -82599,7 +82643,7 @@ index 0000000..6c76fcb
+ const struct vfsmount *parent_mnt);
+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+void gr_handle_delete(const ino_t ino, const dev_t dev);
++void gr_handle_delete(const u64 ino, const dev_t dev);
+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
+ const struct vfsmount *mnt);
+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
@@ -82628,7 +82672,7 @@ index 0000000..6c76fcb
+ const struct dentry *old_dentry,
+ const struct vfsmount *old_mnt);
+int gr_acl_handle_filldir(const struct file *file, const char *name,
-+ const unsigned int namelen, const ino_t ino);
++ const unsigned int namelen, const u64 ino);
+
+__u32 gr_acl_handle_unix(const struct dentry *dentry,
+ const struct vfsmount *mnt);
@@ -82639,6 +82683,7 @@ index 0000000..6c76fcb
+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
+void gr_audit_ptrace(struct task_struct *task);
+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
++u64 gr_get_ino_from_dentry(struct dentry *dentry);
+void gr_put_exec_file(struct task_struct *task);
+
+int gr_ptrace_readexec(struct file *file, int unsafe_flags);
diff --git a/3.18.7/4470_disable-compat_vdso.patch b/3.18.7/4470_disable-compat_vdso.patch
index df785ab..0a0c524 100644
--- a/3.18.7/4470_disable-compat_vdso.patch
+++ b/3.18.7/4470_disable-compat_vdso.patch
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -1904,29 +1904,8 @@
+@@ -1908,29 +1908,8 @@
config COMPAT_VDSO
def_bool n
diff --git a/3.2.67/0000_README b/3.2.67/0000_README
index deb8dff..c7f6e15 100644
--- a/3.2.67/0000_README
+++ b/3.2.67/0000_README
@@ -186,7 +186,7 @@ Patch: 1066_linux-3.2.67.patch
From: http://www.kernel.org
Desc: Linux 3.2.67
-Patch: 4420_grsecurity-3.0-3.2.67-201502200807.patch
+Patch: 4420_grsecurity-3.1-3.2.67-201502222131.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch b/3.2.67/4420_grsecurity-3.1-3.2.67-201502222131.patch
index 880a085..f77ebd7 100644
--- a/3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch
+++ b/3.2.67/4420_grsecurity-3.1-3.2.67-201502222131.patch
@@ -62235,7 +62235,7 @@ index 4d46a6a..dee1cdf 100644
static int __init init_minix_fs(void)
{
diff --git a/fs/namei.c b/fs/namei.c
-index c8b13a9..09cc61e 100644
+index c8b13a9..2ec69cd 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -62645,7 +62645,7 @@ index c8b13a9..09cc61e 100644
char * name;
struct dentry *dentry;
struct nameidata nd;
-+ ino_t saved_ino = 0;
++ u64 saved_ino = 0;
+ dev_t saved_dev = 0;
error = user_path_parent(dfd, pathname, &nd, &name);
@@ -62655,7 +62655,7 @@ index c8b13a9..09cc61e 100644
goto exit3;
}
+
-+ saved_ino = dentry->d_inode->i_ino;
++ saved_ino = gr_get_ino_from_dentry(dentry);
+ saved_dev = gr_get_dev_from_dentry(dentry);
+
+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
@@ -62679,7 +62679,7 @@ index c8b13a9..09cc61e 100644
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
-+ ino_t saved_ino = 0;
++ u64 saved_ino = 0;
+ dev_t saved_dev = 0;
error = user_path_parent(dfd, pathname, &nd, &name);
@@ -62690,7 +62690,7 @@ index c8b13a9..09cc61e 100644
ihold(inode);
+
+ if (inode->i_nlink <= 1) {
-+ saved_ino = inode->i_ino;
++ saved_ino = gr_get_ino_from_dentry(dentry);
+ saved_dev = gr_get_dev_from_dentry(dentry);
+ }
+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
@@ -68659,10 +68659,10 @@ index 0000000..30ababb
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..99cbce0
+index 0000000..1b75b8a
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,2845 @@
+@@ -0,0 +1,2873 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -68774,11 +68774,26 @@ index 0000000..99cbce0
+ return dentry->d_sb->s_dev;
+}
+
++static inline u64 __get_ino(const struct dentry *dentry)
++{
++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
++ return btrfs_ino(dentry->d_inode);
++ else
++#endif
++ return dentry->d_inode->i_ino;
++}
++
+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
+{
+ return __get_dev(dentry);
+}
+
++u64 gr_get_ino_from_dentry(struct dentry *dentry)
++{
++ return __get_ino(dentry);
++}
++
+static char gr_task_roletype_to_char(struct task_struct *task)
+{
+ switch (task->role->roletype &
@@ -69115,7 +69130,7 @@ index 0000000..99cbce0
+}
+
+struct acl_subject_label *
-+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
++lookup_acl_subj_label(const u64 ino, const dev_t dev,
+ const struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
@@ -69135,7 +69150,7 @@ index 0000000..99cbce0
+}
+
+struct acl_subject_label *
-+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
++lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev,
+ const struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
@@ -69155,7 +69170,7 @@ index 0000000..99cbce0
+}
+
+static struct acl_object_label *
-+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
++lookup_acl_obj_label(const u64 ino, const dev_t dev,
+ const struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
@@ -69175,7 +69190,7 @@ index 0000000..99cbce0
+}
+
+static struct acl_object_label *
-+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
++lookup_acl_obj_label_create(const u64 ino, const dev_t dev,
+ const struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
@@ -69256,7 +69271,7 @@ index 0000000..99cbce0
+}
+
+static struct inodev_entry *
-+lookup_inodev_entry(const ino_t ino, const dev_t dev)
++lookup_inodev_entry(const u64 ino, const dev_t dev)
+{
+ unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size);
+ struct inodev_entry *match;
@@ -69481,7 +69496,7 @@ index 0000000..99cbce0
+
+static struct acl_object_label *
+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
-+ const ino_t curr_ino, const dev_t curr_dev,
++ const u64 curr_ino, const dev_t curr_dev,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
+ struct acl_subject_label *tmpsubj;
@@ -69512,7 +69527,7 @@ index 0000000..99cbce0
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
+ int newglob = checkglob;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+
+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
@@ -69524,7 +69539,7 @@ index 0000000..99cbce0
+ newglob = GR_NO_GLOB;
+
+ spin_lock(&curr_dentry->d_lock);
-+ inode = curr_dentry->d_inode->i_ino;
++ inode = __get_ino(curr_dentry);
+ device = __get_dev(curr_dentry);
+ spin_unlock(&curr_dentry->d_lock);
+
@@ -69640,7 +69655,7 @@ index 0000000..99cbce0
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
+ retval =
-+ lookup_acl_subj_label(dentry->d_inode->i_ino,
++ lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ spin_unlock(&dentry->d_lock);
@@ -69654,7 +69669,7 @@ index 0000000..99cbce0
+
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ parent = dentry->d_parent;
@@ -69668,7 +69683,7 @@ index 0000000..99cbce0
+
+ spin_lock(&dentry->d_lock);
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(dentry),
+ __get_dev(dentry), role);
+ read_unlock(&gr_inode_lock);
+ spin_unlock(&dentry->d_lock);
@@ -69676,7 +69691,7 @@ index 0000000..99cbce0
+ if (unlikely(retval == NULL)) {
+ /* gr_real_root is pinned, we don't need to hold a reference */
+ read_lock(&gr_inode_lock);
-+ retval = lookup_acl_subj_label(gr_real_root.dentry->d_inode->i_ino,
++ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry),
+ __get_dev(gr_real_root.dentry), role);
+ read_unlock(&gr_inode_lock);
+ }
@@ -69804,14 +69819,27 @@ index 0000000..99cbce0
+ return;
+
+ for (i = 0; i < RLIM_NLIMITS; i++) {
++ unsigned long rlim_cur, rlim_max;
++
+ if (!(proc->resmask & (1U << i)))
+ continue;
+
-+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
-+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
++ rlim_cur = proc->res[i].rlim_cur;
++ rlim_max = proc->res[i].rlim_max;
++
++ if (i == RLIMIT_NOFILE) {
++ unsigned long saved_sysctl_nr_open = sysctl_nr_open;
++ if (rlim_cur > saved_sysctl_nr_open)
++ rlim_cur = saved_sysctl_nr_open;
++ if (rlim_max > saved_sysctl_nr_open)
++ rlim_max = saved_sysctl_nr_open;
++ }
++
++ task->signal->rlim[i].rlim_cur = rlim_cur;
++ task->signal->rlim[i].rlim_max = rlim_max;
+
+ if (i == RLIMIT_CPU)
-+ update_rlimit_cpu(task, proc->res[i].rlim_cur);
++ update_rlimit_cpu(task, rlim_cur);
+ }
+
+ return;
@@ -70479,7 +70507,7 @@ index 0000000..99cbce0
+
+/* always called with valid inodev ptr */
+static void
-+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
++do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev)
+{
+ struct acl_object_label *matchpo;
+ struct acl_subject_label *matchps;
@@ -70507,7 +70535,7 @@ index 0000000..99cbce0
+}
+
+void
-+gr_handle_delete(const ino_t ino, const dev_t dev)
++gr_handle_delete(const u64 ino, const dev_t dev)
+{
+ struct inodev_entry *inodev;
+
@@ -70524,8 +70552,8 @@ index 0000000..99cbce0
+}
+
+static void
-+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice,
++update_acl_obj_label(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice,
+ struct acl_subject_label *subj)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size);
@@ -70563,8 +70591,8 @@ index 0000000..99cbce0
+}
+
+static void
-+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice,
++update_acl_subj_label(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice,
+ struct acl_role_label *role)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size);
@@ -70602,8 +70630,8 @@ index 0000000..99cbce0
+}
+
+static void
-+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
-+ const ino_t newinode, const dev_t newdevice)
++update_inodev_entry(const u64 oldinode, const dev_t olddevice,
++ const u64 newinode, const dev_t newdevice)
+{
+ unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size);
+ struct inodev_entry *match;
@@ -70639,7 +70667,7 @@ index 0000000..99cbce0
+}
+
+static void
-+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
++__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev)
+{
+ struct acl_subject_label *subj;
+ struct acl_role_label *role;
@@ -70672,7 +70700,7 @@ index 0000000..99cbce0
+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
+ const struct vfsmount *mnt)
+{
-+ ino_t ino = dentry->d_inode->i_ino;
++ u64 ino = __get_ino(dentry);
+ dev_t dev = __get_dev(dentry);
+
+ __do_handle_create(matchn, ino, dev);
@@ -70731,7 +70759,7 @@ index 0000000..99cbce0
+ struct name_entry *matchn;
+ struct inodev_entry *inodev;
+ struct inode *inode = new_dentry->d_inode;
-+ ino_t old_ino = old_dentry->d_inode->i_ino;
++ u64 old_ino = __get_ino(old_dentry);
+ dev_t old_dev = __get_dev(old_dentry);
+
+ /* vfs_rename swaps the name and parent link for old_dentry and
@@ -70754,7 +70782,7 @@ index 0000000..99cbce0
+
+ write_lock(&gr_inode_lock);
+ if (unlikely(replace && inode)) {
-+ ino_t new_ino = inode->i_ino;
++ u64 new_ino = __get_ino(new_dentry);
+ dev_t new_dev = __get_dev(new_dentry);
+
+ inodev = lookup_inodev_entry(new_ino, new_dev);
@@ -71408,7 +71436,7 @@ index 0000000..99cbce0
+ return 0;
+}
+
-+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino)
+{
+ struct task_struct *task = current;
+ struct dentry *dentry = file->f_path.dentry;
@@ -71745,10 +71773,10 @@ index 0000000..b2ec14c
+
diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
new file mode 100644
-index 0000000..ca25605
+index 0000000..a43dd06
--- /dev/null
+++ b/grsecurity/gracl_compat.c
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,269 @@
+#include <linux/kernel.h>
+#include <linux/gracl.h>
+#include <linux/compat.h>
@@ -71763,8 +71791,7 @@ index 0000000..ca25605
+ if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat)))
+ return -EFAULT;
+
-+ if (((uwrapcompat.version != GRSECURITY_VERSION) &&
-+ (uwrapcompat.version != 0x2901)) ||
++ if ((uwrapcompat.version != GRSECURITY_VERSION) ||
+ (uwrapcompat.size != sizeof(struct gr_arg_compat)))
+ return -EINVAL;
+
@@ -73071,10 +73098,10 @@ index 0000000..25f54ef
+};
diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
new file mode 100644
-index 0000000..94ef7e60
+index 0000000..62916b2
--- /dev/null
+++ b/grsecurity/gracl_policy.c
-@@ -0,0 +1,1781 @@
+@@ -0,0 +1,1780 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -73153,8 +73180,8 @@ index 0000000..94ef7e60
+extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role);
+extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name);
+extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt);
-+extern struct acl_subject_label *lookup_acl_subj_label(const ino_t ino, const dev_t dev, const struct acl_role_label *role);
-+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, const struct acl_role_label *role);
++extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role);
++extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role);
+extern void assign_special_role(const char *rolename);
+extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role);
+extern int gr_rbac_disable(void *unused);
@@ -73237,8 +73264,7 @@ index 0000000..94ef7e60
+ if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper)))
+ return -EFAULT;
+
-+ if (((uwrap->version != GRSECURITY_VERSION) &&
-+ (uwrap->version != 0x2901)) ||
++ if ((uwrap->version != GRSECURITY_VERSION) ||
+ (uwrap->size != sizeof(struct gr_arg)))
+ return -EINVAL;
+
@@ -73423,7 +73449,7 @@ index 0000000..94ef7e60
+}
+
+static int
-+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
++insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted)
+{
+ struct name_entry **curr, *nentry;
+ struct inodev_entry *ientry;
@@ -74932,10 +74958,10 @@ index 0000000..39645c9
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..266766a
+index 0000000..275df2d
--- /dev/null
+++ b/grsecurity/gracl_segv.c
-@@ -0,0 +1,309 @@
+@@ -0,0 +1,320 @@
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <asm/uaccess.h>
@@ -74966,7 +74992,7 @@ index 0000000..266766a
+static DEFINE_SPINLOCK(gr_uid_lock);
+extern rwlock_t gr_inode_lock;
+extern struct acl_subject_label *
-+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
++ lookup_acl_subj_label(const u64 inode, const dev_t dev,
+ struct acl_role_label *role);
+
+static inline dev_t __get_dev(const struct dentry *dentry)
@@ -74979,6 +75005,16 @@ index 0000000..266766a
+ return dentry->d_sb->s_dev;
+}
+
++static inline u64 __get_ino(const struct dentry *dentry)
++{
++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
++ return btrfs_ino(dentry->d_inode);
++ else
++#endif
++ return dentry->d_inode->i_ino;
++}
++
+int
+gr_init_uidset(void)
+{
@@ -75195,13 +75231,14 @@ index 0000000..266766a
+gr_check_crash_exec(const struct file *filp)
+{
+ struct acl_subject_label *curr;
++ struct dentry *dentry;
+
+ if (unlikely(!gr_acl_is_enabled()))
+ return 0;
+
+ read_lock(&gr_inode_lock);
-+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
-+ __get_dev(filp->f_path.dentry),
++ dentry = filp->f_path.dentry;
++ curr = lookup_acl_subj_label(__get_ino(dentry), __get_dev(dentry),
+ current->role);
+ read_unlock(&gr_inode_lock);
+
@@ -75779,10 +75816,10 @@ index 0000000..bf944ab
+}
diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
new file mode 100644
-index 0000000..a9ab1fe
+index 0000000..7ef20f0
--- /dev/null
+++ b/grsecurity/grsec_disabled.c
-@@ -0,0 +1,447 @@
+@@ -0,0 +1,452 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -75911,7 +75948,7 @@ index 0000000..a9ab1fe
+}
+
+void
-+gr_handle_delete(const ino_t ino, const dev_t dev)
++gr_handle_delete(const u64 ino, const dev_t dev)
+{
+ return;
+}
@@ -76111,7 +76148,7 @@ index 0000000..a9ab1fe
+
+int
+gr_acl_handle_filldir(const struct file *file, const char *name,
-+ const int namelen, const ino_t ino)
++ const int namelen, const u64 ino)
+{
+ return 1;
+}
@@ -76220,6 +76257,11 @@ index 0000000..a9ab1fe
+ return dentry->d_sb->s_dev;
+}
+
++u64 gr_get_ino_from_dentry(struct dentry *dentry)
++{
++ return dentry->d_inode->i_ino;
++}
++
+void gr_put_exec_file(struct task_struct *task)
+{
+ return;
@@ -80885,10 +80927,10 @@ index 3a76faf..c0592c7 100644
{
diff --git a/include/linux/gracl.h b/include/linux/gracl.h
new file mode 100644
-index 0000000..edb2cb6
+index 0000000..91858e4
--- /dev/null
+++ b/include/linux/gracl.h
-@@ -0,0 +1,340 @@
+@@ -0,0 +1,342 @@
+#ifndef GR_ACL_H
+#define GR_ACL_H
+
@@ -80900,8 +80942,8 @@ index 0000000..edb2cb6
+
+/* Major status information */
+
-+#define GR_VERSION "grsecurity 3.0"
-+#define GRSECURITY_VERSION 0x3000
++#define GR_VERSION "grsecurity 3.1"
++#define GRSECURITY_VERSION 0x3100
+
+enum {
+ GR_SHUTDOWN = 0,
@@ -80946,7 +80988,7 @@ index 0000000..edb2cb6
+
+struct name_entry {
+ __u32 key;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ char *name;
+ __u16 len;
@@ -80994,7 +81036,7 @@ index 0000000..edb2cb6
+
+struct acl_subject_label {
+ char *filename;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ __u32 mode;
+ kernel_cap_t cap_mask;
@@ -81082,7 +81124,7 @@ index 0000000..edb2cb6
+
+struct acl_object_label {
+ char *filename;
-+ ino_t inode;
++ u64 inode;
+ dev_t device;
+ __u32 mode;
+
@@ -81118,7 +81160,7 @@ index 0000000..edb2cb6
+ unsigned char sp_role[GR_SPROLE_LEN];
+ struct sprole_pw *sprole_pws;
+ dev_t segv_device;
-+ ino_t segv_inode;
++ u64 segv_inode;
+ uid_t segv_uid;
+ __u16 num_sprole_pws;
+ __u16 mode;
@@ -81190,9 +81232,11 @@ index 0000000..edb2cb6
+}
+
+static __inline__ unsigned int
-+gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
++gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz)
+{
-+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
++ unsigned int rem;
++ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem);
++ return rem;
+}
+
+static __inline__ unsigned int
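Review bot: gr_fhash now depends on `div_u64_rem()`, yet the hunk shows no include of `<linux/math64.h>` and no comment on why `%` was replaced. With `ino` widened to `u64`, a plain `%` would presumably need a 64-bit modulo helper on 32-bit builds. A one-line comment such as `/* 64-bit modulo: div_u64_rem() keeps 32-bit builds linking */` would stop a later cleanup from reverting it. The header's include list is outside this hunk, so confirm math64.h is reachable from every file that includes gracl.h. `sz` is still an unchecked divisor, so callers must never pass a zero table size.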
@@ -81231,7 +81275,7 @@ index 0000000..edb2cb6
+
diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h
new file mode 100644
-index 0000000..33ebd1f
+index 0000000..af64092
--- /dev/null
+++ b/include/linux/gracl_compat.h
@@ -0,0 +1,156 @@
@@ -81258,7 +81302,7 @@ index 0000000..33ebd1f
+
+struct acl_subject_label_compat {
+ compat_uptr_t filename;
-+ compat_ino_t inode;
++ compat_u64 inode;
+ __u32 device;
+ __u32 mode;
+ kernel_cap_t cap_mask;
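Review bot: The widened `inode` member of acl_subject_label_compat has no comment tying it to the layout it has to match. The same applies to `inode` in acl_object_label_compat and to `segv_inode` in the two following hunks. These structures use `compat_uptr_t` and fixed-width fields, which suggests they mirror what a 32-bit policy tool passes in, so a field-width change alters that layout. The `GRSECURITY_VERSION` bump to `0x3100` elsewhere in this patch is presumably what rejects an older tool. I would add `/* must stay compat_u64: mirrors the 64-bit inode field of the 32-bit userland struct */` next to each field and confirm that the version check runs before any of these structures is copied in.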
@@ -81346,7 +81390,7 @@ index 0000000..33ebd1f
+
+struct acl_object_label_compat {
+ compat_uptr_t filename;
-+ compat_ino_t inode;
++ compat_u64 inode;
+ __u32 device;
+ __u32 mode;
+
@@ -81378,7 +81422,7 @@ index 0000000..33ebd1f
+ unsigned char sp_role[GR_SPROLE_LEN];
+ compat_uptr_t sprole_pws;
+ __u32 segv_device;
-+ compat_ino_t segv_inode;
++ compat_u64 segv_inode;
+ uid_t segv_uid;
+ __u16 num_sprole_pws;
+ __u16 mode;
@@ -81922,10 +81966,10 @@ index 0000000..26ef560
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..083dbf1
+index 0000000..a9066b5
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,238 @@
+@@ -0,0 +1,239 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -82092,7 +82136,7 @@ index 0000000..083dbf1
+ const struct vfsmount *parent_mnt);
+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+void gr_handle_delete(const ino_t ino, const dev_t dev);
++void gr_handle_delete(const u64 ino, const dev_t dev);
+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
+ const struct vfsmount *mnt);
+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
@@ -82121,7 +82165,7 @@ index 0000000..083dbf1
+ const struct dentry *old_dentry,
+ const struct vfsmount *old_mnt);
+int gr_acl_handle_filldir(const struct file *file, const char *name,
-+ const unsigned int namelen, const ino_t ino);
++ const unsigned int namelen, const u64 ino);
+
+__u32 gr_acl_handle_unix(const struct dentry *dentry,
+ const struct vfsmount *mnt);
@@ -82132,6 +82176,7 @@ index 0000000..083dbf1
+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
+void gr_audit_ptrace(struct task_struct *task);
+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
++u64 gr_get_ino_from_dentry(struct dentry *dentry);
+void gr_put_exec_file(struct task_struct *task);
+
+int gr_ptrace_readexec(struct file *file, int unsafe_flags);
diff --git a/3.2.67/4450_grsec-kconfig-default-gids.patch b/3.2.67/4450_grsec-kconfig-default-gids.patch
index 9456d08..26dedae 100644
--- a/3.2.67/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.67/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -666,7 +666,7 @@
+@@ -682,7 +682,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -897,7 +897,7 @@
+@@ -913,7 +913,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -906,7 +906,7 @@
+@@ -922,7 +922,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -991,7 +991,7 @@
+@@ -1007,7 +1007,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -1012,7 +1012,7 @@
+@@ -1028,7 +1028,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -1030,7 +1030,7 @@
+@@ -1046,7 +1046,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch
index ed1cb9b..f73d198 100644
--- a/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1125,6 +1125,27 @@
+@@ -1141,6 +1141,27 @@
menu "Logging Options"
depends on GRKERNSEC