authorAnthony G. Basile <blueness@gentoo.org>2011-09-25 09:28:19 -0400
committerAnthony G. Basile <blueness@gentoo.org>2011-09-25 09:32:14 -0400
commitbe81a9aea2d68648a0aa6b228105a930c83d57ae (patch)
tree33482106d9673e337b685b11f6a7991ea277b4a4
parentGrsec/PaX: 2.2.2-3.0.4-201109190917 (diff)
Grsec/PaX: 2.2.2-2.6.32.46-201109240842 + 2.2.2-3.0.4-20110924084220110924
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch)29
-rw-r--r--2.6.32/4437-grsec-kconfig-proc-user.patch4
-rw-r--r--2.6.32/4440_selinux-avc_audit-log-curr_ip.patch2
-rw-r--r--3.0.4/0000_README2
-rw-r--r--3.0.4/4420_grsecurity-2.2.2-3.0.4-201109240842.patch (renamed from 3.0.4/4420_grsecurity-2.2.2-3.0.4-201109190917.patch)57
-rw-r--r--3.0.4/4425_grsec-pax-without-grsec.patch2
-rw-r--r--3.0.4/4437-grsec-kconfig-proc-user.patch4
-rw-r--r--3.0.4/4440_selinux-avc_audit-log-curr_ip.patch2
9 files changed, 59 insertions, 45 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 8013d69..e3aa423 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch
index bcff015..0d9b6ae 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch
@@ -55474,8 +55474,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/
+}
diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurity/grsec_disabled.c
--- linux-2.6.32.46/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-04-17 15:56:46.000000000 -0400
-@@ -0,0 +1,447 @@
++++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-09-24 08:13:29.000000000 -0400
+@@ -0,0 +1,433 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -55643,18 +55643,6 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurit
+ return 0;
+}
+
-+int
-+gr_is_capable(const int cap)
-+{
-+ return 1;
-+}
-+
-+int
-+gr_is_capable_nolog(const int cap)
-+{
-+ return 1;
-+}
-+
+void
+gr_handle_alertkill(struct task_struct *task)
+{
@@ -55915,8 +55903,6 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurit
+ return dentry->d_inode->i_sb->s_dev;
+}
+
-+EXPORT_SYMBOL(gr_is_capable);
-+EXPORT_SYMBOL(gr_is_capable_nolog);
+EXPORT_SYMBOL(gr_learn_resource);
+EXPORT_SYMBOL(gr_set_kernel_label);
+#ifdef CONFIG_SECURITY
@@ -73067,7 +73053,16 @@ diff -urNp linux-2.6.32.46/mm/slob.c linux-2.6.32.46/mm/slob.c
diff -urNp linux-2.6.32.46/mm/slub.c linux-2.6.32.46/mm/slub.c
--- linux-2.6.32.46/mm/slub.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/mm/slub.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/mm/slub.c 2011-09-24 08:36:34.000000000 -0400
+@@ -201,7 +201,7 @@ struct track {
+
+ enum track_item { TRACK_ALLOC, TRACK_FREE };
+
+-#ifdef CONFIG_SLUB_DEBUG
++#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static int sysfs_slab_add(struct kmem_cache *);
+ static int sysfs_slab_alias(struct kmem_cache *, const char *);
+ static void sysfs_slab_remove(struct kmem_cache *);
@@ -410,7 +410,7 @@ static void print_track(const char *s, s
if (!t->addr)
return;
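Review bot: The new guard `#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)` on the sysfs_slab_add/sysfs_slab_alias/sysfs_slab_remove prototypes does not say why a /proc hardening option compiles out the SLUB sysfs interface. I would add a one-line comment above it, for example `/* GRKERNSEC_PROC_ADD: slab sysfs is compiled out; presumably it exposes the same allocator details as /proc/slabinfo */`, with the rationale confirmed against the grsecurity Kconfig help text. The definitions these prototypes belong to sit later in slub.c, outside this hunk, so whether they carry the same condition cannot be checked from here. The same comment is missing on the CONFIG_SYSFS variant of this guard in the first 3.0.4 mm/slub.c hunk.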
diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch
index 34d8596..368d10c 100644
--- a/2.6.32/4437-grsec-kconfig-proc-user.patch
+++ b/2.6.32/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre
diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-hardened-r54/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400
+++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400
-@@ -668,7 +668,7 @@
+@@ -665,7 +665,7 @@
config GRKERNSEC_PROC_USER
bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-harde
help
If you say Y here, non-root users will only be able to view their own
processes, and restricts them from viewing network-related information,
-@@ -676,7 +676,7 @@
+@@ -673,7 +673,7 @@
config GRKERNSEC_PROC_USERGROUP
bool "Allow special group"
diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
index b582401..003d903 100644
--- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
--- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -1267,6 +1267,27 @@
+@@ -1264,6 +1264,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/3.0.4/0000_README b/3.0.4/0000_README
index a44f871..6cdadcb 100644
--- a/3.0.4/0000_README
+++ b/3.0.4/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-3.0.4-201109190917.patch
+Patch: 4420_grsecurity-2.2.2-3.0.4-201109240842.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109190917.patch b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109240842.patch
index ec88fda..5e86d2b 100644
--- a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109190917.patch
+++ b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109240842.patch
@@ -50694,8 +50694,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_ch
+}
diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_disabled.c
--- linux-3.0.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,447 @@
++++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-09-24 08:13:01.000000000 -0400
+@@ -0,0 +1,433 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -50863,18 +50863,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_
+ return 0;
+}
+
-+int
-+gr_is_capable(const int cap)
-+{
-+ return 1;
-+}
-+
-+int
-+gr_is_capable_nolog(const int cap)
-+{
-+ return 1;
-+}
-+
+void
+gr_handle_alertkill(struct task_struct *task)
+{
@@ -51135,8 +51123,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_
+ return dentry->d_inode->i_sb->s_dev;
+}
+
-+EXPORT_SYMBOL(gr_is_capable);
-+EXPORT_SYMBOL(gr_is_capable_nolog);
+EXPORT_SYMBOL(gr_learn_resource);
+EXPORT_SYMBOL(gr_set_kernel_label);
+#ifdef CONFIG_SECURITY
@@ -55798,7 +55784,7 @@ diff -urNp linux-3.0.4/include/linux/grdefs.h linux-3.0.4/include/linux/grdefs.h
+#endif
diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grinternal.h
--- linux-3.0.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/include/linux/grinternal.h 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/include/linux/grinternal.h 2011-09-24 08:43:45.000000000 -0400
@@ -0,0 +1,219 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
@@ -55924,7 +55910,7 @@ diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grin
+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
-+ CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
++ CAP_TO_MASK(CAP_IPC_OWNER) , CAP_TO_MASK(CAP_SYSLOG) }}
+
+#define security_learn(normal_msg,args...) \
+({ \
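Review bot: The second initializer of this capability set, now `CAP_TO_MASK(CAP_SYSLOG)`, is easy to get wrong on the next edit because CAP_TO_MASK keeps only the bit position within a 32-bit word. A capability numbered 32 or above placed in the first element would silently alias a low-numbered one. A short comment on that line, such as `/* second word: capabilities numbered 32 and up only */`, would make the layout explicit. The macro this initializer closes starts above the hunk, so its name and intended use are not visible here. No matching change appears in the 2.6.32 hunks on this page; that looks intentional, but it is worth confirming that the older tree has no CAP_SYSLOG to mask.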
@@ -67520,7 +67506,16 @@ diff -urNp linux-3.0.4/mm/slob.c linux-3.0.4/mm/slob.c
diff -urNp linux-3.0.4/mm/slub.c linux-3.0.4/mm/slub.c
--- linux-3.0.4/mm/slub.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/mm/slub.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/mm/slub.c 2011-09-24 08:37:26.000000000 -0400
+@@ -200,7 +200,7 @@ struct track {
+
+ enum track_item { TRACK_ALLOC, TRACK_FREE };
+
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static int sysfs_slab_add(struct kmem_cache *);
+ static int sysfs_slab_alias(struct kmem_cache *, const char *);
+ static void sysfs_slab_remove(struct kmem_cache *);
@@ -442,7 +442,7 @@ static void print_track(const char *s, s
if (!t->addr)
return;
@@ -67671,6 +67666,30 @@ diff -urNp linux-3.0.4/mm/slub.c linux-3.0.4/mm/slub.c
goto err;
}
up_write(&slub_lock);
+@@ -3545,7 +3586,7 @@ void *__kmalloc_node_track_caller(size_t
+ }
+ #endif
+
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static int count_inuse(struct page *page)
+ {
+ return page->inuse;
+@@ -3935,12 +3976,12 @@ static void resiliency_test(void)
+ validate_slab_cache(kmalloc_caches[9]);
+ }
+ #else
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static void resiliency_test(void) {};
+ #endif
+ #endif
+
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ enum slab_stat_type {
+ SL_ALL, /* All slabs */
+ SL_PARTIAL, /* Only partially allocated slabs */
@@ -4150,7 +4191,7 @@ SLAB_ATTR_RO(ctor);
static ssize_t aliases_show(struct kmem_cache *s, char *buf)
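Review bot: The condition `defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)` is now written out at three sites in this hunk (before count_inuse, around the resiliency_test stub, and before enum slab_stat_type) and once more in the preceding mm/slub.c hunk. Any sysfs block in the file that still reads plain `#ifdef CONFIG_SYSFS` would be built without the prototypes that are now compiled out. Defining one file-local symbol once near the top of slub.c from this condition and testing it with `#ifdef` at each site would keep the sites from drifting apart on the next rebase. The `#else` that encloses the resiliency_test stub pairs with a conditional that opens outside the hunk, so the nesting there could not be checked from this page. A build with CONFIG_SYSFS=y and GRKERNSEC_PROC_ADD both on and off would show whether any site was missed.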
diff --git a/3.0.4/4425_grsec-pax-without-grsec.patch b/3.0.4/4425_grsec-pax-without-grsec.patch
index cdc33f2..41be0d0 100644
--- a/3.0.4/4425_grsec-pax-without-grsec.patch
+++ b/3.0.4/4425_grsec-pax-without-grsec.patch
@@ -77,7 +77,7 @@ diff -Naur a/fs/exec.c b/fs/exec.c
diff -Naur a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400
+++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400
-@@ -26,7 +26,7 @@
+@@ -29,7 +29,7 @@
config PAX
bool "Enable various PaX features"
diff --git a/3.0.4/4437-grsec-kconfig-proc-user.patch b/3.0.4/4437-grsec-kconfig-proc-user.patch
index 4e5acda..c588683 100644
--- a/3.0.4/4437-grsec-kconfig-proc-user.patch
+++ b/3.0.4/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre
diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
-@@ -669,7 +669,7 @@
+@@ -666,7 +666,7 @@
config GRKERNSEC_PROC_USER
bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden
help
If you say Y here, non-root users will only be able to view their own
processes, and restricts them from viewing network-related information,
-@@ -677,7 +677,7 @@
+@@ -674,7 +674,7 @@
config GRKERNSEC_PROC_USERGROUP
bool "Allow special group"
diff --git a/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch b/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch
index 3a991fb..0fd5d2d 100644
--- a/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
--- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1268,6 +1268,27 @@
+@@ -1265,6 +1265,27 @@
menu "Logging Options"
depends on GRKERNSEC