authorAnthony G. Basile <blueness@gentoo.org>2013-09-06 07:38:11 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-09-06 07:38:11 -0400
commit7fb187ce50bd4da188e757da6dd9e2b97893fbce (patch)
treebe8bbe1a16520ad5fabd0cf9feb706d186e5d92d
parent3.10.10: clean up line numbers (diff)
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.50,3.10.10}-201309052118
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201308171247.patch)129
-rw-r--r--3.10.10/0000_README2
-rw-r--r--3.10.10/4420_grsecurity-2.9.1-3.10.10-201309052118.patch (renamed from 3.10.10/4420_grsecurity-2.9.1-3.10.10-201309011630.patch)51
-rw-r--r--3.2.50/0000_README2
-rw-r--r--3.2.50/4420_grsecurity-2.9.1-3.2.50-201309052115.patch (renamed from 3.2.50/4420_grsecurity-2.9.1-3.2.50-201309011629.patch)143
6 files changed, 278 insertions, 51 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index e3fc2d2..c481225 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201308171247.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201308171247.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
index 0348734..41ba8b2 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201308171247.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
@@ -71686,6 +71686,28 @@ index bcbe104..9cfd1c6 100644
void usb_mon_deregister(void);
#else
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 02aad50..12a5df8 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -24,6 +24,7 @@
+ #include <linux/freezer.h>
+ #include <linux/usb/quirks.h>
+ #include <linux/random.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/byteorder.h>
+@@ -3079,6 +3080,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+ return;
+ }
+
++ if (gr_handle_new_usb())
++ goto done;
++
+ for (i = 0; i < SET_CONFIG_TRIES; i++) {
+
+ /* reallocate for each attempt, since references
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
index fcdcad4..cf1aadd 100644
--- a/drivers/usb/core/sysfs.c
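Review bot: The `gr_handle_new_usb()` check is placed ahead of the SET_CONFIG_TRIES loop, which is what gives the feature its value — a refused device is never reset or asked for descriptors by hub_port_init(), so the descriptor parsers in the USB drivers are never reached — yet nothing in the added lines records that this ordering is load-bearing. A comment such as `/* grsec: must stay ahead of hub_port_init() so a denied device is never reset or queried */` above the call would keep a later refactor from moving it after enumeration and silently weakening the protection. The `goto done` relies on the `done:` label further down in hub_port_connect_change() (outside this hunk), which in these kernels appears to disable the port; worth confirming the same holds at the 3.2.50 offset. The 3.2.50 patch later on this page carries an identical insertion.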
@@ -85532,10 +85554,10 @@ index e89734e..5e84d8d 100644
return 0;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..2147ad0
+index 0000000..105b285
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1014 @@
+@@ -0,0 +1,1050 @@
+#
+# grecurity configuration
+#
@@ -85894,6 +85916,7 @@ index 0000000..2147ad0
+
+config GRKERNSEC_ROFS
+ bool "Runtime read-only mount protection"
++ depends on SYSCTL
+ help
+ If you say Y here, a sysctl option with name "romount_protect" will
+ be created. By setting this option to 1 at runtime, filesystems
@@ -86478,6 +86501,41 @@ index 0000000..2147ad0
+ option with name "socket_server_gid" is created.
+
+endmenu
++
++menu "Physical Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_DENYUSB
++ bool "Deny new USB connections after toggle"
++ default y if GRKERNSEC_CONFIG_AUTO
++ help
++ If you say Y here, a new sysctl option with name "deny_new_usb"
++ will be created. Setting its value to 1 will prevent any new
++ USB devices from being recognized by the OS. Any attempted USB
++ device insertion will be logged. This option is intended to be
++ used against custom USB devices designed to exploit vulnerabilities
++ in various USB device drivers.
++
++ For greatest effectiveness, this sysctl should be set after any
++ relevant init scripts. This option is safe to enable in distros
++ as each user can choose whether or not to toggle the sysctl.
++
++config GRKERNSEC_DENYUSB_FORCE
++ bool "Reject all USB devices not connected at boot"
++ select USB
++ depends on SYSCTL && GRKERNSEC_DENYUSB
++ help
++ If you say Y here, a variant of GRKERNSEC_DENYUSB will be enabled
++ that doesn't involve a sysctl entry. This option should only be
++ enabled if you're sure you want to deny all new USB connections
++ at runtime and don't want to modify init scripts. This should not
++ be enabled by distros. It forces the core USB code to be built
++ into the kernel image so that all devices connected at boot time
++ can be recognized and new USB device connections can be prevented
++ prior to init running.
++
++endmenu
++
+menu "Sysctl Support"
+depends on GRKERNSEC && SYSCTL
+
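Review bot: GRKERNSEC_DENYUSB promises a `deny_new_usb` sysctl in its help text but carries no `depends on SYSCTL`, while GRKERNSEC_DENYUSB_FORCE, described as the variant that does not involve a sysctl, is the one guarded by `depends on SYSCTL && GRKERNSEC_DENYUSB`; the two guards look swapped. With SYSCTL off and FORCE off the option builds a deny flag that nothing can ever set, so it is silently inert. Adding `depends on SYSCTL` under `config GRKERNSEC_DENYUSB`, the same fix this commit applies to GRKERNSEC_ROFS, makes the FORCE line redundant but keeps the help text honest. Separately, `select USB` switches USB on without checking USB's own dependencies, so something like `depends on USB_SUPPORT` beside it is probably wanted. The 3.2.50 patch carries this hunk verbatim and the 3.10.10 patch adds the same FORCE stanza.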
@@ -86552,10 +86610,10 @@ index 0000000..2147ad0
+endmenu
diff --git a/grsecurity/Makefile b/grsecurity/Makefile
new file mode 100644
-index 0000000..36845aa
+index 0000000..b0b77d5
--- /dev/null
+++ b/grsecurity/Makefile
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001-2009 it has been completely redesigned by Brad Spengler
+# into an RBAC system
@@ -86568,7 +86626,8 @@ index 0000000..36845aa
+
+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
-+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
++ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
++ grsec_usb.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -94015,10 +94074,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..13e8574
+index 0000000..e2f1239
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,288 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -94049,6 +94108,7 @@ index 0000000..13e8574
+int grsec_enable_chdir;
+int grsec_enable_mount;
+int grsec_enable_rofs;
++int grsec_deny_new_usb;
+int grsec_enable_chroot_findtask;
+int grsec_enable_chroot_mount;
+int grsec_enable_chroot_shmat;
@@ -94300,6 +94360,9 @@ index 0000000..13e8574
+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
+#endif
+#endif
++#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
++ grsec_deny_new_usb = 1;
++#endif
+
+ return;
+}
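Review bot: Under GRKERNSEC_DENYUSB_FORCE the flag is raised in grsecurity_init(), but the Kconfig help promises that every device connected at boot is recognized first, and enumeration runs asynchronously in the hub thread (khubd in these kernels), so a device whose hub_port_connect_change() happens to run after this point is refused although it was plugged in at power-on; a comment stating the assumption, e.g. `/* FORCE: anything the hub thread has not enumerated by now is refused */`, would make that race visible to whoever debugs a missing boot keyboard. Because the sysctl entry is compiled out under FORCE, `grsec_deny_new_usb` could be declared `__read_only` in that configuration and written here between `pax_open_kernel()` and `pax_close_kernel()` (as security.c does elsewhere in this commit), so the sole kill switch for the feature is not a plain writable global. grsecurity_init() begins outside the hunk. The 3.10.10 and 3.2.50 patches add the same three lines.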
@@ -95419,10 +95482,10 @@ index 0000000..7512ea9
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..f33decd
+index 0000000..5a6d4bc
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,517 @@
+@@ -0,0 +1,527 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -95441,11 +95504,12 @@ index 0000000..f33decd
+ return 0;
+}
+
-+#ifdef CONFIG_GRKERNSEC_ROFS
-+static int __maybe_unused one = 1;
++#if defined(CONFIG_GRKERNSEC_ROFS) || defined(CONFIG_GRKERNSEC_DENYUSB)
++static int __maybe_unused __read_only one = 1;
+#endif
+
-+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) || \
++ defined(CONFIG_GRKERNSEC_DENYUSB)
+ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
@@ -95937,6 +96001,15 @@ index 0000000..f33decd
+ .extra2 = &one,
+ },
+#endif
++#if defined(CONFIG_GRKERNSEC_DENYUSB) && !defined(CONFIG_GRKERNSEC_DENYUSB_FORCE)
++ {
++ .procname = "deny_new_usb",
++ .data = &grsec_deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
+ { .ctl_name = 0 }
+};
+#endif
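Review bot: The new `deny_new_usb` entry uses `proc_dointvec`, which accepts any int; the 3.10.10 entry this commit rewrites used `proc_dointvec_minmax` with both bounds at `&one`, a one-way latch, and making the flag toggleable is clearly the intent, but dropping range checking altogether is wider than that. Keeping `.proc_handler = &proc_dointvec_minmax,` with `.extra1 = &zero,` and `.extra2 = &one,` (declaring `zero` beside `one`) keeps the knob boolean, and it also makes the widened `#if` around `one` in the previous hunk genuinely needed — with proc_dointvec nothing under DENYUSB references it. Now that root can clear the flag again, the defense holds only while root is trusted; the help text could say that grsec_lock (CONFIG_GRKERNSEC_SYSCTL) is what freezes it, if that is the intended lock. The same entry appears in the 3.10.10 and 3.2.50 patches further down.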
@@ -96041,6 +96114,27 @@ index 0000000..07e0dc0
+#endif
+ return 1;
+}
+diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
+new file mode 100644
+index 0000000..ae02d8e
+--- /dev/null
++++ b/grsecurity/grsec_usb.c
+@@ -0,0 +1,15 @@
++#include <linux/kernel.h>
++#include <linux/grinternal.h>
++#include <linux/module.h>
++
++int gr_handle_new_usb(void)
++{
++#ifdef CONFIG_GRKERNSEC_DENYUSB
++ if (grsec_deny_new_usb) {
++ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
++ return 1;
++ }
++#endif
++ return 0;
++}
++EXPORT_SYMBOL_GPL(gr_handle_new_usb);
diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
new file mode 100644
index 0000000..9f7b1ac
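Review bot: gr_handle_new_usb() reports every refused insertion with a bare printk(KERN_ALERT), so a device that keeps re-announcing itself, or a misbehaving hub, floods the log one line per connect event, and the line identifies neither hub nor port. The rest of grsecurity reports through its gr_log_* helpers with a message defined in include/linux/grmsg.h (touched elsewhere in this commit), which also applies grsec's own flood protection; that path would fit here, and if a plain printk is kept, guarding it with `if (printk_ratelimit())` is the minimal fix. The function is also exported without a word on its contract; a comment above the definition along the lines of `/* Returns nonzero when a newly connected USB device must be refused; hub.c then skips hub_port_init() for it. */` would help the caller. The 3.2.50 patch adds the identical file.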
@@ -98937,10 +99031,10 @@ index 0000000..0b166f4
+#endif
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
new file mode 100644
-index 0000000..0159022
+index 0000000..ef6ca0d
--- /dev/null
+++ b/include/linux/grinternal.h
-@@ -0,0 +1,233 @@
+@@ -0,0 +1,234 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -98988,6 +99082,7 @@ index 0000000..0159022
+extern int grsec_enable_forkfail;
+extern int grsec_enable_time;
+extern int grsec_enable_rofs;
++extern int grsec_deny_new_usb;
+extern int grsec_enable_chroot_shmat;
+extern int grsec_enable_chroot_mount;
+extern int grsec_enable_chroot_double;
@@ -99294,10 +99389,10 @@ index 0000000..607de0d
+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..71812fd
+index 0000000..a897a25
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,221 @@
+@@ -0,0 +1,223 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -99319,6 +99414,8 @@ index 0000000..71812fd
+#error "CONFIG_PAX enabled, but no PaX options are enabled."
+#endif
+
++int gr_handle_new_usb(void);
++
+void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
diff --git a/3.10.10/0000_README b/3.10.10/0000_README
index a09b757..4ab8587 100644
--- a/3.10.10/0000_README
+++ b/3.10.10/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.10.10-201309011630.patch
+Patch: 4420_grsecurity-2.9.1-3.10.10-201309052118.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.10.10/4420_grsecurity-2.9.1-3.10.10-201309011630.patch b/3.10.10/4420_grsecurity-2.9.1-3.10.10-201309052118.patch
index 54e5089..938f65c 100644
--- a/3.10.10/4420_grsecurity-2.9.1-3.10.10-201309011630.patch
+++ b/3.10.10/4420_grsecurity-2.9.1-3.10.10-201309052118.patch
@@ -62298,10 +62298,10 @@ index ca9ecaa..60100c7 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..76e84b9
+index 0000000..6fb5192
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1063 @@
+@@ -0,0 +1,1079 @@
+#
+# grecurity configuration
+#
@@ -62700,6 +62700,7 @@ index 0000000..76e84b9
+
+config GRKERNSEC_ROFS
+ bool "Runtime read-only mount protection"
++ depends on SYSCTL
+ help
+ If you say Y here, a sysctl option with name "romount_protect" will
+ be created. By setting this option to 1 at runtime, filesystems
@@ -63289,7 +63290,22 @@ index 0000000..76e84b9
+ in various USB device drivers.
+
+ For greatest effectiveness, this sysctl should be set after any
-+ relevant init scripts. Once set, it cannot be unset.
++ relevant init scripts. This option is safe to enable in distros
++ as each user can choose whether or not to toggle the sysctl.
++
++config GRKERNSEC_DENYUSB_FORCE
++ bool "Reject all USB devices not connected at boot"
++ select USB
++ depends on SYSCTL && GRKERNSEC_DENYUSB
++ help
++ If you say Y here, a variant of GRKERNSEC_DENYUSB will be enabled
++ that doesn't involve a sysctl entry. This option should only be
++ enabled if you're sure you want to deny all new USB connections
++ at runtime and don't want to modify init scripts. This should not
++ be enabled by distros. It forces the core USB code to be built
++ into the kernel image so that all devices connected at boot time
++ can be recognized and new USB device connections can be prevented
++ prior to init running.
+
+endmenu
+
@@ -70669,10 +70685,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..836f38f
+index 0000000..99a0cb9
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,280 @@
+@@ -0,0 +1,283 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -70950,6 +70966,9 @@ index 0000000..836f38f
+ grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID);
+#endif
+#endif
++#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
++ grsec_deny_new_usb = 1;
++#endif
+
+ return;
+}
@@ -72069,10 +72088,10 @@ index 0000000..4030d57
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..a9e378f
+index 0000000..a147ae7
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,472 @@
+@@ -0,0 +1,470 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -72531,15 +72550,13 @@ index 0000000..a9e378f
+ .extra2 = &one,
+ },
+#endif
-+#ifdef CONFIG_GRKERNSEC_DENYUSB
++#if defined(CONFIG_GRKERNSEC_DENYUSB) && !defined(CONFIG_GRKERNSEC_DENYUSB_FORCE)
+ {
+ .procname = "deny_new_usb",
+ .data = &grsec_deny_new_usb,
+ .maxlen = sizeof(int),
+ .mode = 0600,
-+ .proc_handler = &proc_dointvec_minmax,
-+ .extra1 = &one,
-+ .extra2 = &one,
++ .proc_handler = &proc_dointvec,
+ },
+#endif
+ { }
@@ -100325,7 +100342,7 @@ index f728728..6457a0c 100644
/*
diff --git a/security/security.c b/security/security.c
-index a3dce87..9ca1435 100644
+index a3dce87..04178a1 100644
--- a/security/security.c
+++ b/security/security.c
@@ -20,6 +20,7 @@
@@ -100347,8 +100364,12 @@ index a3dce87..9ca1435 100644
.name = "default",
};
-@@ -74,7 +75,9 @@ int __init security_init(void)
+@@ -72,11 +73,17 @@ int __init security_init(void)
+ return 0;
+ }
++#ifdef CONFIG_SECURITY_SELINUX_DISABLE
++
void reset_security_ops(void)
{
+ pax_open_kernel();
@@ -100356,7 +100377,11 @@ index a3dce87..9ca1435 100644
+ pax_close_kernel();
}
++#endif
++
/* Save user chosen LSM */
+ static int __init choose_lsm(char *str)
+ {
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index dad36a6..7e5ffbf 100644
--- a/security/selinux/avc.c
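Review bot: Wrapping the definition of reset_security_ops() in `#ifdef CONFIG_SECURITY_SELINUX_DISABLE` leaves its prototype in include/linux/security.h (not part of this hunk) unguarded, so a future caller in another LSM compiles cleanly and fails only at link time; the declaration should carry the same `#ifdef`, or an inline stub should be provided in the `#else` branch. The guard itself looks right, since SELinux's runtime-disable path appears to be the only user of that function in these kernels. The 3.2.50 patch contains the same change.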
diff --git a/3.2.50/0000_README b/3.2.50/0000_README
index b584719..f87c63f 100644
--- a/3.2.50/0000_README
+++ b/3.2.50/0000_README
@@ -118,7 +118,7 @@ Patch: 1049_linux-3.2.50.patch
From: http://www.kernel.org
Desc: Linux 3.2.50
-Patch: 4420_grsecurity-2.9.1-3.2.50-201309011629.patch
+Patch: 4420_grsecurity-2.9.1-3.2.50-201309052115.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.50/4420_grsecurity-2.9.1-3.2.50-201309011629.patch b/3.2.50/4420_grsecurity-2.9.1-3.2.50-201309052115.patch
index eab80ae..45cd2da 100644
--- a/3.2.50/4420_grsecurity-2.9.1-3.2.50-201309011629.patch
+++ b/3.2.50/4420_grsecurity-2.9.1-3.2.50-201309052115.patch
@@ -45094,6 +45094,28 @@ index 032e5a6..bc422e4 100644
if (atomic_read(&urb->reject))
wake_up(&usb_kill_urb_queue);
usb_put_urb(urb);
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 2768a7e..7b5c7a9 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -25,6 +25,7 @@
+ #include <linux/mutex.h>
+ #include <linux/freezer.h>
+ #include <linux/random.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/byteorder.h>
+@@ -3405,6 +3406,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+ return;
+ }
+
++ if (gr_handle_new_usb())
++ goto done;
++
+ for (i = 0; i < SET_CONFIG_TRIES; i++) {
+
+ /* reallocate for each attempt, since references
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index ab11ca3c..e9bb990 100644
--- a/drivers/usb/core/message.c
@@ -58914,10 +58936,10 @@ index 8a89949..6776861 100644
xfs_init_zones(void)
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..0f25032
+index 0000000..2bdbcaa
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1043 @@
+@@ -0,0 +1,1079 @@
+#
+# grecurity configuration
+#
@@ -59316,6 +59338,7 @@ index 0000000..0f25032
+
+config GRKERNSEC_ROFS
+ bool "Runtime read-only mount protection"
++ depends on SYSCTL
+ help
+ If you say Y here, a sysctl option with name "romount_protect" will
+ be created. By setting this option to 1 at runtime, filesystems
@@ -59889,6 +59912,41 @@ index 0000000..0f25032
+ option with name "socket_server_gid" is created.
+
+endmenu
++
++menu "Physical Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_DENYUSB
++ bool "Deny new USB connections after toggle"
++ default y if GRKERNSEC_CONFIG_AUTO
++ help
++ If you say Y here, a new sysctl option with name "deny_new_usb"
++ will be created. Setting its value to 1 will prevent any new
++ USB devices from being recognized by the OS. Any attempted USB
++ device insertion will be logged. This option is intended to be
++ used against custom USB devices designed to exploit vulnerabilities
++ in various USB device drivers.
++
++ For greatest effectiveness, this sysctl should be set after any
++ relevant init scripts. This option is safe to enable in distros
++ as each user can choose whether or not to toggle the sysctl.
++
++config GRKERNSEC_DENYUSB_FORCE
++ bool "Reject all USB devices not connected at boot"
++ select USB
++ depends on SYSCTL && GRKERNSEC_DENYUSB
++ help
++ If you say Y here, a variant of GRKERNSEC_DENYUSB will be enabled
++ that doesn't involve a sysctl entry. This option should only be
++ enabled if you're sure you want to deny all new USB connections
++ at runtime and don't want to modify init scripts. This should not
++ be enabled by distros. It forces the core USB code to be built
++ into the kernel image so that all devices connected at boot time
++ can be recognized and new USB device connections can be prevented
++ prior to init running.
++
++endmenu
++
+menu "Sysctl Support"
+depends on GRKERNSEC && SYSCTL
+
@@ -59963,10 +60021,10 @@ index 0000000..0f25032
+endmenu
diff --git a/grsecurity/Makefile b/grsecurity/Makefile
new file mode 100644
-index 0000000..36845aa
+index 0000000..b0b77d5
--- /dev/null
+++ b/grsecurity/Makefile
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001-2009 it has been completely redesigned by Brad Spengler
+# into an RBAC system
@@ -59979,7 +60037,8 @@ index 0000000..36845aa
+
+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
-+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
++ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
++ grsec_usb.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -67359,10 +67418,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..e704013
+index 0000000..691c024
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,279 @@
+@@ -0,0 +1,283 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -67391,6 +67450,7 @@ index 0000000..e704013
+int grsec_enable_chdir;
+int grsec_enable_mount;
+int grsec_enable_rofs;
++int grsec_deny_new_usb;
+int grsec_enable_chroot_findtask;
+int grsec_enable_chroot_mount;
+int grsec_enable_chroot_shmat;
@@ -67639,6 +67699,9 @@ index 0000000..e704013
+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
+#endif
+#endif
++#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
++ grsec_deny_new_usb = 1;
++#endif
+
+ return;
+}
@@ -68752,10 +68815,10 @@ index 0000000..4030d57
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..4ebaefc
+index 0000000..6314062
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,458 @@
+@@ -0,0 +1,468 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -68774,11 +68837,12 @@ index 0000000..4ebaefc
+ return 0;
+}
+
-+#ifdef CONFIG_GRKERNSEC_ROFS
-+static int __maybe_unused one = 1;
++#if defined(CONFIG_GRKERNSEC_ROFS) || defined(CONFIG_GRKERNSEC_DENYUSB)
++static int __maybe_unused __read_only one = 1;
+#endif
+
-+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) || \
++ defined(CONFIG_GRKERNSEC_DENYUSB)
+struct ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
@@ -69211,6 +69275,15 @@ index 0000000..4ebaefc
+ .extra2 = &one,
+ },
+#endif
++#if defined(CONFIG_GRKERNSEC_DENYUSB) && !defined(CONFIG_GRKERNSEC_DENYUSB_FORCE)
++ {
++ .procname = "deny_new_usb",
++ .data = &grsec_deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
+ { }
+};
+#endif
@@ -69315,6 +69388,27 @@ index 0000000..07e0dc0
+#endif
+ return 1;
+}
+diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
+new file mode 100644
+index 0000000..ae02d8e
+--- /dev/null
++++ b/grsecurity/grsec_usb.c
+@@ -0,0 +1,15 @@
++#include <linux/kernel.h>
++#include <linux/grinternal.h>
++#include <linux/module.h>
++
++int gr_handle_new_usb(void)
++{
++#ifdef CONFIG_GRKERNSEC_DENYUSB
++ if (grsec_deny_new_usb) {
++ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
++ return 1;
++ }
++#endif
++ return 0;
++}
++EXPORT_SYMBOL_GPL(gr_handle_new_usb);
diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
new file mode 100644
index 0000000..9f7b1ac
@@ -71821,10 +71915,10 @@ index 0000000..be66033
+#endif
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
new file mode 100644
-index 0000000..1d1b40e
+index 0000000..2977600
--- /dev/null
+++ b/include/linux/grinternal.h
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,237 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -71873,6 +71967,7 @@ index 0000000..1d1b40e
+extern int grsec_enable_forkfail;
+extern int grsec_enable_time;
+extern int grsec_enable_rofs;
++extern int grsec_deny_new_usb;
+extern int grsec_enable_chroot_shmat;
+extern int grsec_enable_chroot_mount;
+extern int grsec_enable_chroot_double;
@@ -72182,10 +72277,10 @@ index 0000000..a4396b5
+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..f5fa948
+index 0000000..a9a304f
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,221 @@
+@@ -0,0 +1,223 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -72207,6 +72302,8 @@ index 0000000..f5fa948
+#error "CONFIG_PAX enabled, but no PaX options are enabled."
+#endif
+
++int gr_handle_new_usb(void);
++
+void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
@@ -98524,7 +98621,7 @@ index f728728..6457a0c 100644
/*
diff --git a/security/security.c b/security/security.c
-index e2f684a..8eed291 100644
+index e2f684a..57eb484 100644
--- a/security/security.c
+++ b/security/security.c
@@ -26,8 +26,8 @@
@@ -98538,8 +98635,12 @@ index e2f684a..8eed291 100644
.name = "default",
};
-@@ -68,7 +68,9 @@ int __init security_init(void)
+@@ -66,11 +66,17 @@ int __init security_init(void)
+ return 0;
+ }
++#ifdef CONFIG_SECURITY_SELINUX_DISABLE
++
void reset_security_ops(void)
{
+ pax_open_kernel();
@@ -98547,8 +98648,12 @@ index e2f684a..8eed291 100644
+ pax_close_kernel();
}
++#endif
++
/* Save user chosen LSM */
-@@ -162,6 +164,13 @@ int security_capable(struct user_namespace *ns, const struct cred *cred,
+ static int __init choose_lsm(char *str)
+ {
+@@ -162,6 +168,13 @@ int security_capable(struct user_namespace *ns, const struct cred *cred,
SECURITY_CAP_AUDIT);
}