diff options
author | Anthony G. Basile <blueness@gentoo.org> | 2011-09-15 13:56:05 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-09-15 13:56:05 -0400 |
commit | 2d55c386371d094e542fe96e90ba4ff3c2278fe3 (patch) | |
tree | e0a306d5cd8e7bf6d266de5e48f1dd49f21b74e8 | |
parent | Grsec/PaX: grsecurity-2.2.2-2.6.32.46-201109021814 + grsecurity-2.2.2-3.0.4-2... (diff) | |
download | hardened-patchset-2d55c386371d094e542fe96e90ba4ff3c2278fe3.tar.gz hardened-patchset-2d55c386371d094e542fe96e90ba4ff3c2278fe3.tar.bz2 hardened-patchset-2d55c386371d094e542fe96e90ba4ff3c2278fe3.zip |
Grsec/PaX: grsecurity-2.2.2-2.6.32.46-201109150655 + grsecurity-2.2.2-3.0.4-20110915065520110915
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch) | 264 | ||||
-rw-r--r-- | 2.6.32/4423_grsec-remove-protected-paths.patch | 18 | ||||
-rw-r--r-- | 3.0.4/0000_README | 2 | ||||
-rw-r--r-- | 3.0.4/4420_grsecurity-2.2.2-3.0.4-201109150655.patch (renamed from 3.0.4/4420_grsecurity-2.2.2-3.0.4-201109011725.patch) | 757 | ||||
-rw-r--r-- | 3.0.4/4423_grsec-remove-protected-paths.patch | 18 |
6 files changed, 705 insertions, 356 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index ca3d4a1..160c256 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -11,7 +11,7 @@ Patch: 1044_linux-2.6.32.45.patch From: http://www.kernel.org Desc: Linux 2.6.39.45 -Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch +Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch index 505eaa4..bcff015 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch @@ -37671,25 +37671,25 @@ diff -urNp linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c linux-2.6.32.4 .read = vme_user_read, diff -urNp linux-2.6.32.46/drivers/staging/vt6655/hostap.c linux-2.6.32.46/drivers/staging/vt6655/hostap.c --- linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-09-02 18:13:56.000000000 -0400 ++++ linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-09-14 09:51:07.000000000 -0400 @@ -84,7 +84,7 @@ static int hostap_enable_hostapd(PSDevic PSDevice apdev_priv; struct net_device *dev = pDevice->dev; int ret; - const struct net_device_ops apdev_netdev_ops = { -+ static net_device_ops_no_const apdev_netdev_ops = { ++ net_device_ops_no_const apdev_netdev_ops = { .ndo_start_xmit = pDevice->tx_80211, }; diff -urNp linux-2.6.32.46/drivers/staging/vt6656/hostap.c linux-2.6.32.46/drivers/staging/vt6656/hostap.c --- linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-09-02 18:13:35.000000000 -0400 ++++ linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-09-14 09:49:53.000000000 -0400 @@ -86,7 +86,7 @@ static int hostap_enable_hostapd(PSDevic PSDevice apdev_priv; struct net_device *dev = pDevice->dev; int ret; - const struct net_device_ops apdev_netdev_ops = { -+ static net_device_ops_no_const apdev_netdev_ops = { ++ net_device_ops_no_const apdev_netdev_ops = { .ndo_start_xmit = pDevice->tx_80211, }; @@ -47045,7 +47045,7 @@ diff -urNp linux-2.6.32.46/fs/ocfs2/super.c linux-2.6.32.46/fs/ocfs2/super.c osb->osb_ecc_stats = *stats; diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c --- linux-2.6.32.46/fs/open.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.46/fs/open.c 2011-04-17 15:56:46.000000000 -0400 ++++ linux-2.6.32.46/fs/open.c 2011-09-13 16:03:56.000000000 -0400 @@ -275,6 +275,10 @@ static long do_sys_truncate(const char _ error = locks_verify_truncate(inode, NULL, length); if (!error) @@ -47090,18 +47090,13 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c if (!error) set_fs_pwd(current->fs, &file->f_path); out_putf: -@@ -588,7 +604,18 @@ SYSCALL_DEFINE1(chroot, const char __use +@@ -588,7 +604,13 @@ SYSCALL_DEFINE1(chroot, const char __use if (!capable(CAP_SYS_CHROOT)) goto dput_and_out; + if (gr_handle_chroot_chroot(path.dentry, path.mnt)) + goto dput_and_out; + -+ if (gr_handle_chroot_caps(&path)) { -+ error = -ENOMEM; -+ goto dput_and_out; -+ } -+ set_fs_root(current->fs, &path); + + gr_handle_chroot_chdir(&path); @@ -47109,7 +47104,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c error = 0; dput_and_out: path_put(&path); -@@ -616,12 +643,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd +@@ -616,12 +638,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd err = mnt_want_write_file(file); if (err) goto out_putf; @@ -47137,7 +47132,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c mutex_unlock(&inode->i_mutex); mnt_drop_write(file->f_path.mnt); out_putf: -@@ -645,12 +687,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons +@@ -645,12 +682,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons error = mnt_want_write(path.mnt); if (error) goto dput_and_out; @@ -47165,7 +47160,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c mutex_unlock(&inode->i_mutex); mnt_drop_write(path.mnt); dput_and_out: -@@ -664,12 +721,15 @@ SYSCALL_DEFINE2(chmod, const char __user +@@ -664,12 +716,15 @@ SYSCALL_DEFINE2(chmod, const char __user return sys_fchmodat(AT_FDCWD, filename, mode); } @@ -47182,7 +47177,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { newattrs.ia_valid |= ATTR_UID; -@@ -700,7 +760,7 @@ SYSCALL_DEFINE3(chown, const char __user +@@ -700,7 +755,7 @@ SYSCALL_DEFINE3(chown, const char __user error = mnt_want_write(path.mnt); if (error) goto out_release; @@ -47191,7 +47186,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c mnt_drop_write(path.mnt); out_release: path_put(&path); -@@ -725,7 +785,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons +@@ -725,7 +780,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons error = mnt_want_write(path.mnt); if (error) goto out_release; @@ -47200,7 +47195,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c mnt_drop_write(path.mnt); out_release: path_put(&path); -@@ -744,7 +804,7 @@ SYSCALL_DEFINE3(lchown, const char __use +@@ -744,7 +799,7 @@ SYSCALL_DEFINE3(lchown, const char __use error = mnt_want_write(path.mnt); if (error) goto out_release; @@ -47209,7 +47204,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c mnt_drop_write(path.mnt); out_release: path_put(&path); -@@ -767,7 +827,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd +@@ -767,7 +822,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd goto out_fput; dentry = file->f_path.dentry; audit_inode(NULL, dentry); @@ -47218,7 +47213,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c mnt_drop_write(file->f_path.mnt); out_fput: fput(file); -@@ -1036,7 +1096,10 @@ long do_sys_open(int dfd, const char __u +@@ -1036,7 +1091,10 @@ long do_sys_open(int dfd, const char __u if (!IS_ERR(tmp)) { fd = get_unused_fd_flags(flags); if (fd >= 0) { @@ -47520,7 +47515,7 @@ diff -urNp linux-2.6.32.46/fs/proc/array.c linux-2.6.32.46/fs/proc/array.c +#endif diff -urNp linux-2.6.32.46/fs/proc/base.c linux-2.6.32.46/fs/proc/base.c --- linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:35:30.000000000 -0400 -+++ linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:34:33.000000000 -0400 ++++ linux-2.6.32.46/fs/proc/base.c 2011-09-13 14:51:06.000000000 -0400 @@ -102,6 +102,22 @@ struct pid_entry { union proc_op op; }; @@ -47586,7 +47581,7 @@ diff -urNp linux-2.6.32.46/fs/proc/base.c linux-2.6.32.46/fs/proc/base.c + if (PAX_RAND_FLAGS(mm) && + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) { + mmput(mm); -+ return res; ++ return 0; + } +#endif + @@ -53525,8 +53520,8 @@ diff -urNp linux-2.6.32.46/grsecurity/gracl.c linux-2.6.32.46/grsecurity/gracl.c + diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gracl_cap.c --- linux-2.6.32.46/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/grsecurity/gracl_cap.c 2011-04-17 15:56:46.000000000 -0400 -@@ -0,0 +1,138 @@ ++++ linux-2.6.32.46/grsecurity/gracl_cap.c 2011-09-14 08:53:50.000000000 -0400 +@@ -0,0 +1,101 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -53534,48 +53529,11 @@ diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gra +#include <linux/grsecurity.h> +#include <linux/grinternal.h> + -+static const char *captab_log[] = { -+ "CAP_CHOWN", -+ "CAP_DAC_OVERRIDE", -+ "CAP_DAC_READ_SEARCH", -+ "CAP_FOWNER", -+ "CAP_FSETID", -+ "CAP_KILL", -+ "CAP_SETGID", -+ "CAP_SETUID", -+ "CAP_SETPCAP", -+ "CAP_LINUX_IMMUTABLE", -+ "CAP_NET_BIND_SERVICE", -+ "CAP_NET_BROADCAST", -+ "CAP_NET_ADMIN", -+ "CAP_NET_RAW", -+ "CAP_IPC_LOCK", -+ "CAP_IPC_OWNER", -+ "CAP_SYS_MODULE", -+ "CAP_SYS_RAWIO", -+ "CAP_SYS_CHROOT", -+ "CAP_SYS_PTRACE", -+ "CAP_SYS_PACCT", -+ "CAP_SYS_ADMIN", -+ "CAP_SYS_BOOT", -+ "CAP_SYS_NICE", -+ "CAP_SYS_RESOURCE", -+ "CAP_SYS_TIME", -+ "CAP_SYS_TTY_CONFIG", -+ "CAP_MKNOD", -+ "CAP_LEASE", -+ "CAP_AUDIT_WRITE", -+ "CAP_AUDIT_CONTROL", -+ "CAP_SETFCAP", -+ "CAP_MAC_OVERRIDE", -+ "CAP_MAC_ADMIN" -+}; -+ -+EXPORT_SYMBOL(gr_is_capable); -+EXPORT_SYMBOL(gr_is_capable_nolog); ++extern const char *captab_log[]; ++extern int captab_log_entries; + +int -+gr_is_capable(const int cap) ++gr_acl_is_capable(const int cap) +{ + struct task_struct *task = current; + const struct cred *cred = current_cred(); @@ -53627,13 +53585,13 @@ diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gra + return 1; + } + -+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap)) ++ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap)) + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]); + return 0; +} + +int -+gr_is_capable_nolog(const int cap) ++gr_acl_is_capable_nolog(const int cap) +{ + struct acl_subject_label *curracl; + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set; @@ -55126,8 +55084,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chdir.c linux-2.6.32.46/grsecurity/g +} diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/grsec_chroot.c --- linux-2.6.32.46/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/grsecurity/grsec_chroot.c 2011-07-18 17:14:10.000000000 -0400 -@@ -0,0 +1,384 @@ ++++ linux-2.6.32.46/grsecurity/grsec_chroot.c 2011-09-15 06:48:16.000000000 -0400 +@@ -0,0 +1,386 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -55443,33 +55401,39 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/ + return 0; +} + ++extern const char *captab_log[]; ++extern int captab_log_entries; ++ +int -+gr_handle_chroot_caps(struct path *path) ++gr_chroot_is_capable(const int cap) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS -+ if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL && -+ (init_task.fs->root.dentry != path->dentry) && -+ (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) { -+ ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) { + kernel_cap_t chroot_caps = GR_CHROOT_CAPS; -+ const struct cred *old = current_cred(); -+ struct cred *new = prepare_creds(); -+ if (new == NULL) -+ return 1; -+ -+ new->cap_permitted = cap_drop(old->cap_permitted, -+ chroot_caps); -+ new->cap_inheritable = cap_drop(old->cap_inheritable, -+ chroot_caps); -+ new->cap_effective = cap_drop(old->cap_effective, -+ chroot_caps); -+ -+ commit_creds(new); ++ if (cap_raised(chroot_caps, cap)) { ++ const struct cred *creds = current_cred(); ++ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) { ++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]); ++ } ++ return 0; ++ } ++ } ++#endif ++ return 1; ++} + -+ return 0; ++int ++gr_chroot_is_capable_nolog(const int cap) ++{ ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) { ++ kernel_cap_t chroot_caps = GR_CHROOT_CAPS; ++ if (cap_raised(chroot_caps, cap)) { ++ return 0; ++ } + } +#endif -+ return 0; ++ return 1; +} + +int @@ -55508,10 +55472,6 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/ +#endif + return 0; +} -+ -+#ifdef CONFIG_SECURITY -+EXPORT_SYMBOL(gr_handle_chroot_caps); -+#endif diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurity/grsec_disabled.c --- linux-2.6.32.46/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-04-17 15:56:46.000000000 -0400 @@ -55965,8 +55925,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurit +#endif diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/grsec_exec.c --- linux-2.6.32.46/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/grsecurity/grsec_exec.c 2011-08-11 19:57:19.000000000 -0400 -@@ -0,0 +1,132 @@ ++++ linux-2.6.32.46/grsecurity/grsec_exec.c 2011-09-13 22:54:27.000000000 -0400 +@@ -0,0 +1,204 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -55978,6 +55938,7 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/gr +#include <linux/grinternal.h> +#include <linux/capability.h> +#include <linux/compat.h> ++#include <linux/module.h> + +#include <asm/uaccess.h> + @@ -56099,6 +56060,77 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/gr + return; +} +#endif ++ ++#ifdef CONFIG_GRKERNSEC ++extern int gr_acl_is_capable(const int cap); ++extern int gr_acl_is_capable_nolog(const int cap); ++extern int gr_chroot_is_capable(const int cap); ++extern int gr_chroot_is_capable_nolog(const int cap); ++#endif ++ ++const char *captab_log[] = { ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN" ++}; ++ ++int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]); ++ ++int gr_is_capable(const int cap) ++{ ++#ifdef CONFIG_GRKERNSEC ++ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap)) ++ return 1; ++ return 0; ++#else ++ return 1; ++#endif ++} ++ ++int gr_is_capable_nolog(const int cap) ++{ ++#ifdef CONFIG_GRKERNSEC ++ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap)) ++ return 1; ++ return 0; ++#else ++ return 1; ++#endif ++} ++ ++EXPORT_SYMBOL(gr_is_capable); ++EXPORT_SYMBOL(gr_is_capable_nolog); diff -urNp linux-2.6.32.46/grsecurity/grsec_fifo.c linux-2.6.32.46/grsecurity/grsec_fifo.c --- linux-2.6.32.46/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.6.32.46/grsecurity/grsec_fifo.c 2011-04-17 15:56:46.000000000 -0400 @@ -56477,8 +56509,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_link.c linux-2.6.32.46/grsecurity/gr +} diff -urNp linux-2.6.32.46/grsecurity/grsec_log.c linux-2.6.32.46/grsecurity/grsec_log.c --- linux-2.6.32.46/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/grsecurity/grsec_log.c 2011-05-10 21:58:49.000000000 -0400 -@@ -0,0 +1,310 @@ ++++ linux-2.6.32.46/grsecurity/grsec_log.c 2011-09-14 23:16:01.000000000 -0400 +@@ -0,0 +1,313 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -56531,20 +56563,23 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_log.c linux-2.6.32.46/grsecurity/grs + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT; + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt; + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf; ++ unsigned long curr_secs = get_seconds(); + + if (audit == GR_DO_AUDIT) + goto set_fmt; + -+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { -+ grsec_alert_wtime = jiffies; ++ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) { ++ grsec_alert_wtime = curr_secs; + grsec_alert_fyet = 0; -+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { -+ grsec_alert_fyet++; -+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { -+ grsec_alert_wtime = jiffies; -+ grsec_alert_fyet++; -+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); -+ return FLOODING; ++ } else if (time_before(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) { ++ if (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST) { ++ grsec_alert_fyet++; ++ } else if (grsec_alert_fyet && grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { ++ grsec_alert_wtime = curr_secs; ++ grsec_alert_fyet++; ++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); ++ return FLOODING; ++ } + } else return FLOODING; + +set_fmt: @@ -58051,7 +58086,7 @@ diff -urNp linux-2.6.32.46/grsecurity/grsum.c linux-2.6.32.46/grsecurity/grsum.c +} diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig --- linux-2.6.32.46/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/grsecurity/Kconfig 2011-08-17 19:04:25.000000000 -0400 ++++ linux-2.6.32.46/grsecurity/Kconfig 2011-09-15 00:00:38.000000000 -0400 @@ -0,0 +1,1037 @@ +# +# grecurity configuration @@ -58686,7 +58721,7 @@ diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig + bool "Capability restrictions" + depends on GRKERNSEC_CHROOT + help -+ If you say Y here, the capabilities on all root processes within a ++ If you say Y here, the capabilities on all processes within a + chroot jail will be lowered to stop module insertion, raw i/o, + system and net admin tasks, rebooting the system, modifying immutable + files, modifying IPC owned by another, and changing the system time. @@ -59079,7 +59114,7 @@ diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig + +config GRKERNSEC_FLOODBURST + int "Number of messages in a burst (maximum)" -+ default 4 ++ default 6 + help + This option allows you to choose the maximum number of messages allowed + within the flood time interval you chose in a separate option. The @@ -59092,8 +59127,8 @@ diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig +endmenu diff -urNp linux-2.6.32.46/grsecurity/Makefile linux-2.6.32.46/grsecurity/Makefile --- linux-2.6.32.46/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/grsecurity/Makefile 2011-08-21 18:54:34.000000000 -0400 -@@ -0,0 +1,34 @@ ++++ linux-2.6.32.46/grsecurity/Makefile 2011-09-14 23:29:39.000000000 -0400 +@@ -0,0 +1,35 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system @@ -59125,6 +59160,7 @@ diff -urNp linux-2.6.32.46/grsecurity/Makefile linux-2.6.32.46/grsecurity/Makefi +$(obj)/grsec_hidesym.o: + @-chmod -f 500 /boot + @-chmod -f 500 /lib/modules ++ @-chmod -f 500 /lib64/modules + @-chmod -f 700 . + @echo ' grsec: protected kernel image paths' +endif @@ -61290,8 +61326,8 @@ diff -urNp linux-2.6.32.46/include/linux/grinternal.h linux-2.6.32.46/include/li +#endif diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/grmsg.h --- linux-2.6.32.46/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/include/linux/grmsg.h 2011-08-25 17:28:11.000000000 -0400 -@@ -0,0 +1,107 @@ ++++ linux-2.6.32.46/include/linux/grmsg.h 2011-09-13 15:44:53.000000000 -0400 +@@ -0,0 +1,108 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -61384,6 +61420,7 @@ diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/g +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4" +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " +#define GR_CAP_ACL_MSG "use of %s denied for " ++#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for " +#define GR_CAP_ACL_MSG2 "use of %s permitted for " +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for " +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for " @@ -61401,8 +61438,8 @@ diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/g +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " diff -urNp linux-2.6.32.46/include/linux/grsecurity.h linux-2.6.32.46/include/linux/grsecurity.h --- linux-2.6.32.46/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/include/linux/grsecurity.h 2011-08-11 19:58:57.000000000 -0400 -@@ -0,0 +1,217 @@ ++++ linux-2.6.32.46/include/linux/grsecurity.h 2011-09-13 16:03:42.000000000 -0400 +@@ -0,0 +1,216 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -61454,7 +61491,6 @@ diff -urNp linux-2.6.32.46/include/linux/grsecurity.h linux-2.6.32.46/include/li +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt); +int gr_handle_chroot_chroot(const struct dentry *dentry, + const struct vfsmount *mnt); -+int gr_handle_chroot_caps(struct path *path); +void gr_handle_chroot_chdir(struct path *path); +int gr_handle_chroot_chmod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode); diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4423_grsec-remove-protected-paths.patch index da4c861..abd9b99 100644 --- a/2.6.32/4423_grsec-remove-protected-paths.patch +++ b/2.6.32/4423_grsec-remove-protected-paths.patch @@ -1,20 +1,18 @@ -From: Anthony G. Basile <basile@opensource.dyc.edu> +From: Anthony G. Basile <blueness@gentoo.org> -We don't want to allow GRSEC's Makefile to change permissions on -paths in the filesystem. +We don't want GRSEC's Makefile to change permissions on paths in +the filesystem. ---- a/grsecurity/Makefile 2010-05-21 06:52:24.000000000 -0400 -+++ b/grsecurity/Makefile 2010-05-21 06:54:54.000000000 -0400 -@@ -27,8 +27,8 @@ +diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile +--- a/grsecurity/Makefile 2011-09-15 13:36:25.000000000 -0400 ++++ b/grsecurity/Makefile 2011-09-15 13:44:58.000000000 -0400 +@@ -27,9 +27,4 @@ ifdef CONFIG_GRKERNSEC_HIDESYM extra-y := grsec_hidesym.o $(obj)/grsec_hidesym.o: - @-chmod -f 500 /boot - @-chmod -f 500 /lib/modules +- @-chmod -f 500 /lib64/modules - @-chmod -f 700 . - @echo ' grsec: protected kernel image paths' -+ # @-chmod -f 500 /boot -+ # @-chmod -f 500 /lib/modules -+ # @-chmod -f 700 . -+ # @echo ' grsec: protected kernel image paths' endif diff --git a/3.0.4/0000_README b/3.0.4/0000_README index af75e4e..2fff4cc 100644 --- a/3.0.4/0000_README +++ b/3.0.4/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-3.0.4-201109011725.patch +Patch: 4420_grsecurity-2.2.2-3.0.4-201109150655.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109011725.patch b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109150655.patch index 1e39265..97156c7 100644 --- a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109011725.patch +++ b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109150655.patch @@ -3055,7 +3055,7 @@ diff -urNp linux-3.0.4/arch/sparc/include/asm/elf_32.h linux-3.0.4/arch/sparc/in instruction set this cpu supports. This can NOT be done in userspace on Sparc. */ diff -urNp linux-3.0.4/arch/sparc/include/asm/elf_64.h linux-3.0.4/arch/sparc/include/asm/elf_64.h ---- linux-3.0.4/arch/sparc/include/asm/elf_64.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/arch/sparc/include/asm/elf_64.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/arch/sparc/include/asm/elf_64.h 2011-08-23 21:47:55.000000000 -0400 @@ -180,6 +180,13 @@ typedef struct { #define ELF_ET_DYN_BASE 0x0000010000000000UL @@ -3794,7 +3794,7 @@ diff -urNp linux-3.0.4/arch/sparc/kernel/traps_64.c linux-3.0.4/arch/sparc/kerne } EXPORT_SYMBOL(die_if_kernel); diff -urNp linux-3.0.4/arch/sparc/kernel/unaligned_64.c linux-3.0.4/arch/sparc/kernel/unaligned_64.c ---- linux-3.0.4/arch/sparc/kernel/unaligned_64.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/arch/sparc/kernel/unaligned_64.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/arch/sparc/kernel/unaligned_64.c 2011-08-23 21:48:14.000000000 -0400 @@ -279,7 +279,7 @@ static void log_unaligned(struct pt_regs static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5); @@ -4065,7 +4065,7 @@ diff -urNp linux-3.0.4/arch/sparc/lib/ksyms.c linux-3.0.4/arch/sparc/lib/ksyms.c /* Atomic bit operations. */ diff -urNp linux-3.0.4/arch/sparc/lib/Makefile linux-3.0.4/arch/sparc/lib/Makefile ---- linux-3.0.4/arch/sparc/lib/Makefile 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/arch/sparc/lib/Makefile 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/arch/sparc/lib/Makefile 2011-08-23 21:47:55.000000000 -0400 @@ -2,7 +2,7 @@ # @@ -10706,7 +10706,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/cpu/common.c linux-3.0.4/arch/x86/kernel/ if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) { diff -urNp linux-3.0.4/arch/x86/kernel/cpu/intel.c linux-3.0.4/arch/x86/kernel/cpu/intel.c ---- linux-3.0.4/arch/x86/kernel/cpu/intel.c 2011-08-29 23:26:13.000000000 -0400 +--- linux-3.0.4/arch/x86/kernel/cpu/intel.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/arch/x86/kernel/cpu/intel.c 2011-08-29 23:30:14.000000000 -0400 @@ -172,7 +172,7 @@ static void __cpuinit trap_init_f00f_bug * Update the IDT descriptor and reload the IDT so that @@ -10850,7 +10850,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-3.0.4/arch/ return 0; } diff -urNp linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c ---- linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c 2011-08-29 23:26:13.000000000 -0400 +--- linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c 2011-08-29 23:26:21.000000000 -0400 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex); u64 size_or_mask, size_and_mask; @@ -20538,7 +20538,7 @@ diff -urNp linux-3.0.4/arch/x86/net/bpf_jit_comp.c linux-3.0.4/arch/x86/net/bpf_ sizeof(struct work_struct))); if (!image) diff -urNp linux-3.0.4/arch/x86/oprofile/backtrace.c linux-3.0.4/arch/x86/oprofile/backtrace.c ---- linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-08-23 21:47:55.000000000 -0400 @@ -148,7 +148,7 @@ x86_backtrace(struct pt_regs * const reg { @@ -21313,7 +21313,7 @@ diff -urNp linux-3.0.4/arch/x86/vdso/vma.c linux-3.0.4/arch/x86/vdso/vma.c -} -__setup("vdso=", vdso_setup); diff -urNp linux-3.0.4/arch/x86/xen/enlighten.c linux-3.0.4/arch/x86/xen/enlighten.c ---- linux-3.0.4/arch/x86/xen/enlighten.c 2011-08-29 23:26:13.000000000 -0400 +--- linux-3.0.4/arch/x86/xen/enlighten.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/arch/x86/xen/enlighten.c 2011-08-29 23:26:21.000000000 -0400 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -21388,7 +21388,7 @@ diff -urNp linux-3.0.4/arch/x86/xen/enlighten.c linux-3.0.4/arch/x86/xen/enlight #ifdef CONFIG_ACPI_NUMA diff -urNp linux-3.0.4/arch/x86/xen/mmu.c linux-3.0.4/arch/x86/xen/mmu.c ---- linux-3.0.4/arch/x86/xen/mmu.c 2011-08-29 23:26:13.000000000 -0400 +--- linux-3.0.4/arch/x86/xen/mmu.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/arch/x86/xen/mmu.c 2011-08-29 23:26:21.000000000 -0400 @@ -1683,6 +1683,8 @@ pgd_t * __init xen_setup_kernel_pagetabl convert_pfn_mfn(init_level4_pgt); @@ -21427,7 +21427,7 @@ diff -urNp linux-3.0.4/arch/x86/xen/mmu.c linux-3.0.4/arch/x86/xen/mmu.c .alloc_pud = xen_alloc_pmd_init, .release_pud = xen_release_pmd_init, diff -urNp linux-3.0.4/arch/x86/xen/smp.c linux-3.0.4/arch/x86/xen/smp.c ---- linux-3.0.4/arch/x86/xen/smp.c 2011-08-29 23:26:13.000000000 -0400 +--- linux-3.0.4/arch/x86/xen/smp.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/arch/x86/xen/smp.c 2011-08-29 23:26:21.000000000 -0400 @@ -193,11 +193,6 @@ static void __init xen_smp_prepare_boot_ { @@ -21519,7 +21519,7 @@ diff -urNp linux-3.0.4/arch/x86/xen/xen-head.S linux-3.0.4/arch/x86/xen/xen-head mov %rsi,xen_start_info mov $init_thread_union+THREAD_SIZE,%rsp diff -urNp linux-3.0.4/arch/x86/xen/xen-ops.h linux-3.0.4/arch/x86/xen/xen-ops.h ---- linux-3.0.4/arch/x86/xen/xen-ops.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/arch/x86/xen/xen-ops.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/arch/x86/xen/xen-ops.h 2011-08-23 21:47:55.000000000 -0400 @@ -10,8 +10,6 @@ extern const char xen_hypervisor_callback[]; @@ -23175,7 +23175,7 @@ diff -urNp linux-3.0.4/drivers/block/cciss.c linux-3.0.4/drivers/block/cciss.c } diff -urNp linux-3.0.4/drivers/block/cciss.h linux-3.0.4/drivers/block/cciss.h ---- linux-3.0.4/drivers/block/cciss.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/block/cciss.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/block/cciss.h 2011-08-23 21:47:55.000000000 -0400 @@ -100,7 +100,7 @@ struct ctlr_info /* information about each logical volume */ @@ -23880,7 +23880,7 @@ diff -urNp linux-3.0.4/drivers/char/nvram.c linux-3.0.4/drivers/char/nvram.c *ppos = i; diff -urNp linux-3.0.4/drivers/char/random.c linux-3.0.4/drivers/char/random.c ---- linux-3.0.4/drivers/char/random.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/char/random.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/char/random.c 2011-08-23 21:48:14.000000000 -0400 @@ -261,8 +261,13 @@ /* @@ -24172,7 +24172,7 @@ diff -urNp linux-3.0.4/drivers/firewire/core-card.c linux-3.0.4/drivers/firewire card->driver->update_phy_reg(card, 4, PHY_LINK_ACTIVE | PHY_CONTENDER, 0); diff -urNp linux-3.0.4/drivers/firewire/core-cdev.c linux-3.0.4/drivers/firewire/core-cdev.c ---- linux-3.0.4/drivers/firewire/core-cdev.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/firewire/core-cdev.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/firewire/core-cdev.c 2011-08-23 21:47:55.000000000 -0400 @@ -1313,8 +1313,7 @@ static int init_iso_resource(struct clie int ret; @@ -24515,7 +24515,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c linux-3.0.4/drivers/g if (IS_GEN6(dev)) { seq_printf(m, "Graphics Interrupt mask (%s): %08x\n", diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c ---- linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-08-23 21:47:55.000000000 -0400 @@ -1169,7 +1169,7 @@ static bool i915_switcheroo_can_switch(s bool can_switch; @@ -24578,7 +24578,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-3.0.4/dr /* The actual obj->write_domain will be updated with * pending_write_domain after we emit the accumulated flush for all diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c ---- linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c 2011-08-23 21:47:55.000000000 -0400 @@ -473,7 +473,7 @@ static irqreturn_t ivybridge_irq_handler u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir; @@ -24626,7 +24626,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c linux-3.0.4/drivers/gpu/d INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func); INIT_WORK(&dev_priv->error_work, i915_error_work_func); diff -urNp linux-3.0.4/drivers/gpu/drm/i915/intel_display.c linux-3.0.4/drivers/gpu/drm/i915/intel_display.c ---- linux-3.0.4/drivers/gpu/drm/i915/intel_display.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/gpu/drm/i915/intel_display.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/gpu/drm/i915/intel_display.c 2011-08-23 21:47:55.000000000 -0400 @@ -1961,7 +1961,7 @@ intel_pipe_set_base(struct drm_crtc *crt @@ -24974,7 +24974,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_atombios.c linux-3.0.4/driv return false; diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c ---- linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c 2011-08-23 21:47:55.000000000 -0400 @@ -678,7 +678,7 @@ static bool radeon_switcheroo_can_switch bool can_switch; @@ -24986,7 +24986,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c linux-3.0.4/driver return can_switch; } diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c ---- linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c 2011-08-23 21:48:14.000000000 -0400 @@ -946,6 +946,8 @@ void radeon_compute_pll_legacy(struct ra uint32_t post_div; @@ -26766,7 +26766,7 @@ diff -urNp linux-3.0.4/drivers/lguest/x86/switcher_32.S linux-3.0.4/drivers/lgue // Every interrupt can come to us here // But we must truly tell each apart. diff -urNp linux-3.0.4/drivers/md/dm.c linux-3.0.4/drivers/md/dm.c ---- linux-3.0.4/drivers/md/dm.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/md/dm.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/md/dm.c 2011-08-23 21:47:55.000000000 -0400 @@ -164,9 +164,9 @@ struct mapped_device { /* @@ -28836,7 +28836,7 @@ diff -urNp linux-3.0.4/drivers/net/mlx4/main.c linux-3.0.4/drivers/net/mlx4/main if (err) { if (err == -EACCES) diff -urNp linux-3.0.4/drivers/net/niu.c linux-3.0.4/drivers/net/niu.c ---- linux-3.0.4/drivers/net/niu.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/net/niu.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/net/niu.c 2011-08-23 21:48:14.000000000 -0400 @@ -9056,6 +9056,8 @@ static void __devinit niu_try_msix(struc int i, num_irqs, err; @@ -29494,7 +29494,7 @@ diff -urNp linux-3.0.4/drivers/net/ppp_generic.c linux-3.0.4/drivers/net/ppp_gen err = 0; break; diff -urNp linux-3.0.4/drivers/net/r8169.c linux-3.0.4/drivers/net/r8169.c ---- linux-3.0.4/drivers/net/r8169.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/net/r8169.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/net/r8169.c 2011-08-23 21:47:55.000000000 -0400 @@ -645,12 +645,12 @@ struct rtl8169_private { struct mdio_ops { @@ -29838,7 +29838,7 @@ diff -urNp linux-3.0.4/drivers/net/wimax/i2400m/usb-fw.c linux-3.0.4/drivers/net i2400m, ack, ack_size); BUG_ON(_ack == i2400m->bm_ack_buf); diff -urNp linux-3.0.4/drivers/net/wireless/airo.c linux-3.0.4/drivers/net/wireless/airo.c ---- linux-3.0.4/drivers/net/wireless/airo.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/net/wireless/airo.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/net/wireless/airo.c 2011-08-23 21:48:14.000000000 -0400 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s BSSListElement * loop_net; @@ -30063,7 +30063,7 @@ diff -urNp linux-3.0.4/drivers/net/wireless/ath/ath9k/htc_drv_debug.c linux-3.0. "Mgmt endpoint", skb_queue_len(&priv->tx.mgmt_ep_queue)); diff -urNp linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h ---- linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h 2011-08-23 21:47:55.000000000 -0400 @@ -585,7 +585,7 @@ struct ath_hw_private_ops { @@ -31061,7 +31061,7 @@ diff -urNp linux-3.0.4/drivers/scsi/hpsa.c linux-3.0.4/drivers/scsi/hpsa.c } diff -urNp linux-3.0.4/drivers/scsi/hpsa.h linux-3.0.4/drivers/scsi/hpsa.h ---- linux-3.0.4/drivers/scsi/hpsa.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/scsi/hpsa.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/scsi/hpsa.h 2011-08-23 21:47:55.000000000 -0400 @@ -73,7 +73,7 @@ struct ctlr_info { unsigned int msix_vector; @@ -31438,7 +31438,7 @@ diff -urNp linux-3.0.4/drivers/scsi/osd/osd_initiator.c linux-3.0.4/drivers/scsi if (!or) return -ENOMEM; diff -urNp linux-3.0.4/drivers/scsi/pmcraid.c linux-3.0.4/drivers/scsi/pmcraid.c ---- linux-3.0.4/drivers/scsi/pmcraid.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/scsi/pmcraid.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/scsi/pmcraid.c 2011-08-23 21:47:56.000000000 -0400 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc res->scsi_dev = scsi_dev; @@ -31640,7 +31640,7 @@ diff -urNp linux-3.0.4/drivers/scsi/scsi_debug.c linux-3.0.4/drivers/scsi/scsi_d return errsts; memset(arr, 0, sizeof(arr)); diff -urNp linux-3.0.4/drivers/scsi/scsi_lib.c linux-3.0.4/drivers/scsi/scsi_lib.c ---- linux-3.0.4/drivers/scsi/scsi_lib.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/scsi/scsi_lib.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/scsi/scsi_lib.c 2011-08-23 21:47:56.000000000 -0400 @@ -1412,7 +1412,7 @@ static void scsi_kill_request(struct req shost = sdev->host; @@ -31832,7 +31832,7 @@ diff -urNp linux-3.0.4/drivers/spi/spi.c linux-3.0.4/drivers/spi/spi.c static u8 *buf; diff -urNp linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c ---- linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-08-23 21:48:14.000000000 -0400 @@ -362,7 +362,7 @@ static struct ar_cookie s_ar_cookie_mem[ (((ar)->arTargetType == TARGET_TYPE_AR6003) ? AR6003_HOST_INTEREST_ITEM_ADDRESS(item) : 0)) @@ -31963,7 +31963,7 @@ diff -urNp linux-3.0.4/drivers/staging/et131x/et131x_adapter.h linux-3.0.4/drive u32 noxmtbuf; /* # Tx packets discarded */ diff -urNp linux-3.0.4/drivers/staging/hv/channel.c linux-3.0.4/drivers/staging/hv/channel.c ---- linux-3.0.4/drivers/staging/hv/channel.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/staging/hv/channel.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/staging/hv/channel.c 2011-08-23 21:47:56.000000000 -0400 @@ -433,8 +433,8 @@ int vmbus_establish_gpadl(struct vmbus_c int ret = 0; @@ -32017,7 +32017,7 @@ diff -urNp linux-3.0.4/drivers/staging/hv/hyperv_vmbus.h linux-3.0.4/drivers/sta /* * Represents channel interrupts. Each bit position represents a diff -urNp linux-3.0.4/drivers/staging/hv/rndis_filter.c linux-3.0.4/drivers/staging/hv/rndis_filter.c ---- linux-3.0.4/drivers/staging/hv/rndis_filter.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/staging/hv/rndis_filter.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/staging/hv/rndis_filter.c 2011-08-23 21:47:56.000000000 -0400 @@ -43,7 +43,7 @@ struct rndis_device { @@ -32251,7 +32251,7 @@ diff -urNp linux-3.0.4/drivers/staging/usbip/vhci.h linux-3.0.4/drivers/staging/ /* * NOTE: diff -urNp linux-3.0.4/drivers/staging/usbip/vhci_hcd.c linux-3.0.4/drivers/staging/usbip/vhci_hcd.c ---- linux-3.0.4/drivers/staging/usbip/vhci_hcd.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/staging/usbip/vhci_hcd.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/staging/usbip/vhci_hcd.c 2011-08-23 21:47:56.000000000 -0400 @@ -511,7 +511,7 @@ static void vhci_tx_urb(struct urb *urb) return; @@ -32828,7 +32828,7 @@ diff -urNp linux-3.0.4/drivers/tty/ipwireless/tty.c linux-3.0.4/drivers/tty/ipwi ipwireless_disassociate_network_ttys(network, ttyj->channel_idx); diff -urNp linux-3.0.4/drivers/tty/n_gsm.c linux-3.0.4/drivers/tty/n_gsm.c ---- linux-3.0.4/drivers/tty/n_gsm.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/drivers/tty/n_gsm.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/drivers/tty/n_gsm.c 2011-08-23 21:47:56.000000000 -0400 @@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s return NULL; @@ -36623,7 +36623,7 @@ diff -urNp linux-3.0.4/fs/attr.c linux-3.0.4/fs/attr.c goto out_sig; if (offset > inode->i_sb->s_maxbytes) diff -urNp linux-3.0.4/fs/befs/linuxvfs.c linux-3.0.4/fs/befs/linuxvfs.c ---- linux-3.0.4/fs/befs/linuxvfs.c 2011-08-29 23:26:13.000000000 -0400 +--- linux-3.0.4/fs/befs/linuxvfs.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/fs/befs/linuxvfs.c 2011-08-29 23:26:27.000000000 -0400 @@ -503,7 +503,7 @@ static void befs_put_link(struct dentry { @@ -37856,7 +37856,7 @@ diff -urNp linux-3.0.4/fs/cifs/cifs_debug.c linux-3.0.4/fs/cifs/cifs_debug.c } } diff -urNp linux-3.0.4/fs/cifs/cifsfs.c linux-3.0.4/fs/cifs/cifsfs.c ---- linux-3.0.4/fs/cifs/cifsfs.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/fs/cifs/cifsfs.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/fs/cifs/cifsfs.c 2011-08-25 17:18:05.000000000 -0400 @@ -994,7 +994,7 @@ cifs_init_request_bufs(void) cifs_req_cachep = kmem_cache_create("cifs_request", @@ -38223,7 +38223,7 @@ diff -urNp linux-3.0.4/fs/dcache.c linux-3.0.4/fs/dcache.c dcache_init(); inode_init(); diff -urNp linux-3.0.4/fs/ecryptfs/inode.c linux-3.0.4/fs/ecryptfs/inode.c ---- linux-3.0.4/fs/ecryptfs/inode.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/fs/ecryptfs/inode.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/fs/ecryptfs/inode.c 2011-08-23 21:47:56.000000000 -0400 @@ -704,7 +704,7 @@ static int ecryptfs_readlink_lower(struc old_fs = get_fs(); @@ -38945,7 +38945,7 @@ diff -urNp linux-3.0.4/fs/ext4/balloc.c linux-3.0.4/fs/ext4/balloc.c if (free_blocks >= (nblocks + dirty_blocks)) return 1; diff -urNp linux-3.0.4/fs/ext4/ext4.h linux-3.0.4/fs/ext4/ext4.h ---- linux-3.0.4/fs/ext4/ext4.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/fs/ext4/ext4.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/fs/ext4/ext4.h 2011-08-23 21:47:56.000000000 -0400 @@ -1177,19 +1177,19 @@ struct ext4_sb_info { unsigned long s_mb_last_start; @@ -38978,7 +38978,7 @@ diff -urNp linux-3.0.4/fs/ext4/ext4.h linux-3.0.4/fs/ext4/ext4.h /* locality groups */ diff -urNp linux-3.0.4/fs/ext4/mballoc.c linux-3.0.4/fs/ext4/mballoc.c ---- linux-3.0.4/fs/ext4/mballoc.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/fs/ext4/mballoc.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/fs/ext4/mballoc.c 2011-08-23 21:48:14.000000000 -0400 @@ -1793,7 +1793,7 @@ void ext4_mb_simple_scan_group(struct ex BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len); @@ -40686,7 +40686,7 @@ diff -urNp linux-3.0.4/fs/fuse/cuse.c linux-3.0.4/fs/fuse/cuse.c cuse_class = class_create(THIS_MODULE, "cuse"); if (IS_ERR(cuse_class)) diff -urNp linux-3.0.4/fs/fuse/dev.c linux-3.0.4/fs/fuse/dev.c ---- linux-3.0.4/fs/fuse/dev.c 2011-08-29 23:26:14.000000000 -0400 +--- linux-3.0.4/fs/fuse/dev.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/fs/fuse/dev.c 2011-08-29 23:26:27.000000000 -0400 @@ -1238,7 +1238,7 @@ static ssize_t fuse_dev_splice_read(stru ret = 0; @@ -41664,7 +41664,7 @@ diff -urNp linux-3.0.4/fs/nfs/inode.c linux-3.0.4/fs/nfs/inode.c void nfs_fattr_init(struct nfs_fattr *fattr) diff -urNp linux-3.0.4/fs/nfsd/nfs4state.c linux-3.0.4/fs/nfsd/nfs4state.c ---- linux-3.0.4/fs/nfsd/nfs4state.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/fs/nfsd/nfs4state.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/fs/nfsd/nfs4state.c 2011-08-23 21:48:14.000000000 -0400 @@ -3794,6 +3794,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc unsigned int strhashval; @@ -41927,7 +41927,7 @@ diff -urNp linux-3.0.4/fs/ocfs2/symlink.c linux-3.0.4/fs/ocfs2/symlink.c } diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c --- linux-3.0.4/fs/open.c 2011-07-21 22:17:23.000000000 -0400 -+++ linux-3.0.4/fs/open.c 2011-08-23 21:48:14.000000000 -0400 ++++ linux-3.0.4/fs/open.c 2011-09-14 09:16:46.000000000 -0400 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _ error = locks_verify_truncate(inode, NULL, length); if (!error) @@ -41972,18 +41972,13 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c if (!error) set_fs_pwd(current->fs, &file->f_path); out_putf: -@@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use +@@ -438,7 +454,13 @@ SYSCALL_DEFINE1(chroot, const char __use if (error) goto dput_and_out; + if (gr_handle_chroot_chroot(path.dentry, path.mnt)) + goto dput_and_out; + -+ if (gr_handle_chroot_caps(&path)) { -+ error = -ENOMEM; -+ goto dput_and_out; -+ } -+ set_fs_root(current->fs, &path); + + gr_handle_chroot_chdir(&path); @@ -41991,7 +41986,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c error = 0; dput_and_out: path_put(&path); -@@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd +@@ -466,12 +488,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd err = mnt_want_write_file(file); if (err) goto out_putf; @@ -42017,7 +42012,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; err = notify_change(dentry, &newattrs); -@@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons +@@ -499,12 +534,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons error = mnt_want_write(path.mnt); if (error) goto dput_and_out; @@ -42043,7 +42038,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(path.dentry, &newattrs); -@@ -528,6 +581,9 @@ static int chown_common(struct path *pat +@@ -528,6 +576,9 @@ static int chown_common(struct path *pat int error; struct iattr newattrs; @@ -42053,7 +42048,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { newattrs.ia_valid |= ATTR_UID; -@@ -998,7 +1054,10 @@ long do_sys_open(int dfd, const char __u +@@ -998,7 +1049,10 @@ long do_sys_open(int dfd, const char __u if (!IS_ERR(tmp)) { fd = get_unused_fd_flags(flags); if (fd >= 0) { @@ -42338,8 +42333,8 @@ diff -urNp linux-3.0.4/fs/proc/array.c linux-3.0.4/fs/proc/array.c +} +#endif diff -urNp linux-3.0.4/fs/proc/base.c linux-3.0.4/fs/proc/base.c ---- linux-3.0.4/fs/proc/base.c 2011-08-23 21:44:40.000000000 -0400 -+++ linux-3.0.4/fs/proc/base.c 2011-08-23 21:48:14.000000000 -0400 +--- linux-3.0.4/fs/proc/base.c 2011-09-02 18:11:21.000000000 -0400 ++++ linux-3.0.4/fs/proc/base.c 2011-09-13 14:50:28.000000000 -0400 @@ -107,6 +107,22 @@ struct pid_entry { union proc_op op; }; @@ -42405,7 +42400,7 @@ diff -urNp linux-3.0.4/fs/proc/base.c linux-3.0.4/fs/proc/base.c + if (PAX_RAND_FLAGS(mm) && + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) { + mmput(mm); -+ return res; ++ return 0; + } +#endif + @@ -48198,8 +48193,8 @@ diff -urNp linux-3.0.4/grsecurity/gracl.c linux-3.0.4/grsecurity/gracl.c + diff -urNp linux-3.0.4/grsecurity/gracl_cap.c linux-3.0.4/grsecurity/gracl_cap.c --- linux-3.0.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/grsecurity/gracl_cap.c 2011-08-23 21:48:14.000000000 -0400 -@@ -0,0 +1,139 @@ ++++ linux-3.0.4/grsecurity/gracl_cap.c 2011-09-14 09:21:24.000000000 -0400 +@@ -0,0 +1,101 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -48207,49 +48202,11 @@ diff -urNp linux-3.0.4/grsecurity/gracl_cap.c linux-3.0.4/grsecurity/gracl_cap.c +#include <linux/grsecurity.h> +#include <linux/grinternal.h> + -+static const char *captab_log[] = { -+ "CAP_CHOWN", -+ "CAP_DAC_OVERRIDE", -+ "CAP_DAC_READ_SEARCH", -+ "CAP_FOWNER", -+ "CAP_FSETID", -+ "CAP_KILL", -+ "CAP_SETGID", -+ "CAP_SETUID", -+ "CAP_SETPCAP", -+ "CAP_LINUX_IMMUTABLE", -+ "CAP_NET_BIND_SERVICE", -+ "CAP_NET_BROADCAST", -+ "CAP_NET_ADMIN", -+ "CAP_NET_RAW", -+ "CAP_IPC_LOCK", -+ "CAP_IPC_OWNER", -+ "CAP_SYS_MODULE", -+ "CAP_SYS_RAWIO", -+ "CAP_SYS_CHROOT", -+ "CAP_SYS_PTRACE", -+ "CAP_SYS_PACCT", -+ "CAP_SYS_ADMIN", -+ "CAP_SYS_BOOT", -+ "CAP_SYS_NICE", -+ "CAP_SYS_RESOURCE", -+ "CAP_SYS_TIME", -+ "CAP_SYS_TTY_CONFIG", -+ "CAP_MKNOD", -+ "CAP_LEASE", -+ "CAP_AUDIT_WRITE", -+ "CAP_AUDIT_CONTROL", -+ "CAP_SETFCAP", -+ "CAP_MAC_OVERRIDE", -+ "CAP_MAC_ADMIN", -+ "CAP_SYSLOG" -+}; -+ -+EXPORT_SYMBOL(gr_is_capable); -+EXPORT_SYMBOL(gr_is_capable_nolog); ++extern const char *captab_log[]; ++extern int captab_log_entries; + +int -+gr_is_capable(const int cap) ++gr_acl_is_capable(const int cap) +{ + struct task_struct *task = current; + const struct cred *cred = current_cred(); @@ -48301,13 +48258,13 @@ diff -urNp linux-3.0.4/grsecurity/gracl_cap.c linux-3.0.4/grsecurity/gracl_cap.c + return 1; + } + -+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap)) ++ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap)) + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]); + return 0; +} + +int -+gr_is_capable_nolog(const int cap) ++gr_acl_is_capable_nolog(const int cap) +{ + struct acl_subject_label *curracl; + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set; @@ -49814,8 +49771,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chdir.c linux-3.0.4/grsecurity/grsec_chd +} diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_chroot.c --- linux-3.0.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/grsecurity/grsec_chroot.c 2011-08-23 21:48:14.000000000 -0400 -@@ -0,0 +1,349 @@ ++++ linux-3.0.4/grsecurity/grsec_chroot.c 2011-09-15 06:47:48.000000000 -0400 +@@ -0,0 +1,351 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -50096,33 +50053,39 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_ch + return 0; +} + ++extern const char *captab_log[]; ++extern int captab_log_entries; ++ +int -+gr_handle_chroot_caps(struct path *path) ++gr_chroot_is_capable(const int cap) +{ +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS -+ if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL && -+ (init_task.fs->root.dentry != path->dentry) && -+ (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) { -+ ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) { + kernel_cap_t chroot_caps = GR_CHROOT_CAPS; -+ const struct cred *old = current_cred(); -+ struct cred *new = prepare_creds(); -+ if (new == NULL) -+ return 1; -+ -+ new->cap_permitted = cap_drop(old->cap_permitted, -+ chroot_caps); -+ new->cap_inheritable = cap_drop(old->cap_inheritable, -+ chroot_caps); -+ new->cap_effective = cap_drop(old->cap_effective, -+ chroot_caps); -+ -+ commit_creds(new); ++ if (cap_raised(chroot_caps, cap)) { ++ const struct cred *creds = current_cred(); ++ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) { ++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]); ++ } ++ return 0; ++ } ++ } ++#endif ++ return 1; ++} + -+ return 0; ++int ++gr_chroot_is_capable_nolog(const int cap) ++{ ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) { ++ kernel_cap_t chroot_caps = GR_CHROOT_CAPS; ++ if (cap_raised(chroot_caps, cap)) { ++ return 0; ++ } + } +#endif -+ return 0; ++ return 1; +} + +int @@ -50161,10 +50124,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_ch +#endif + return 0; +} -+ -+#ifdef CONFIG_SECURITY -+EXPORT_SYMBOL(gr_handle_chroot_caps); -+#endif diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_disabled.c --- linux-3.0.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-08-23 21:48:14.000000000 -0400 @@ -50618,8 +50577,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_ +#endif diff -urNp linux-3.0.4/grsecurity/grsec_exec.c linux-3.0.4/grsecurity/grsec_exec.c --- linux-3.0.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/grsecurity/grsec_exec.c 2011-08-25 17:25:59.000000000 -0400 -@@ -0,0 +1,72 @@ ++++ linux-3.0.4/grsecurity/grsec_exec.c 2011-09-14 09:20:28.000000000 -0400 +@@ -0,0 +1,145 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -50630,6 +50589,7 @@ diff -urNp linux-3.0.4/grsecurity/grsec_exec.c linux-3.0.4/grsecurity/grsec_exec +#include <linux/grsecurity.h> +#include <linux/grinternal.h> +#include <linux/capability.h> ++#include <linux/module.h> + +#include <asm/uaccess.h> + @@ -50692,6 +50652,78 @@ diff -urNp linux-3.0.4/grsecurity/grsec_exec.c linux-3.0.4/grsecurity/grsec_exec +#endif + return; +} ++ ++#ifdef CONFIG_GRKERNSEC ++extern int gr_acl_is_capable(const int cap); ++extern int gr_acl_is_capable_nolog(const int cap); ++extern int gr_chroot_is_capable(const int cap); ++extern int gr_chroot_is_capable_nolog(const int cap); ++#endif ++ ++const char *captab_log[] = { ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG" ++}; ++ ++int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]); ++ ++int gr_is_capable(const int cap) ++{ ++#ifdef CONFIG_GRKERNSEC ++ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap)) ++ return 1; ++ return 0; ++#else ++ return 1; ++#endif ++} ++ ++int gr_is_capable_nolog(const int cap) ++{ ++#ifdef CONFIG_GRKERNSEC ++ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap)) ++ return 1; ++ return 0; ++#else ++ return 1; ++#endif ++} ++ ++EXPORT_SYMBOL(gr_is_capable); ++EXPORT_SYMBOL(gr_is_capable_nolog); diff -urNp linux-3.0.4/grsecurity/grsec_fifo.c linux-3.0.4/grsecurity/grsec_fifo.c --- linux-3.0.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-3.0.4/grsecurity/grsec_fifo.c 2011-08-23 21:48:14.000000000 -0400 @@ -51069,8 +51101,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_link.c linux-3.0.4/grsecurity/grsec_link +} diff -urNp linux-3.0.4/grsecurity/grsec_log.c linux-3.0.4/grsecurity/grsec_log.c --- linux-3.0.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/grsecurity/grsec_log.c 2011-08-23 21:48:14.000000000 -0400 -@@ -0,0 +1,310 @@ ++++ linux-3.0.4/grsecurity/grsec_log.c 2011-09-14 23:17:55.000000000 -0400 +@@ -0,0 +1,313 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/file.h> @@ -51123,20 +51155,23 @@ diff -urNp linux-3.0.4/grsecurity/grsec_log.c linux-3.0.4/grsecurity/grsec_log.c + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT; + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt; + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf; ++ unsigned long curr_secs = get_seconds(); + + if (audit == GR_DO_AUDIT) + goto set_fmt; + -+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { -+ grsec_alert_wtime = jiffies; ++ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) { ++ grsec_alert_wtime = curr_secs; + grsec_alert_fyet = 0; -+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { -+ grsec_alert_fyet++; -+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { -+ grsec_alert_wtime = jiffies; -+ grsec_alert_fyet++; -+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); -+ return FLOODING; ++ } else if (time_before(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) { ++ if (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST) { ++ grsec_alert_fyet++; ++ } else if (grsec_alert_fyet && grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { ++ grsec_alert_wtime = curr_secs; ++ grsec_alert_fyet++; ++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); ++ return FLOODING; ++ } + } else return FLOODING; + +set_fmt: @@ -52567,7 +52602,7 @@ diff -urNp linux-3.0.4/grsecurity/grsum.c linux-3.0.4/grsecurity/grsum.c +} diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig --- linux-3.0.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/grsecurity/Kconfig 2011-08-25 17:25:34.000000000 -0400 ++++ linux-3.0.4/grsecurity/Kconfig 2011-09-15 00:00:57.000000000 -0400 @@ -0,0 +1,1038 @@ +# +# grecurity configuration @@ -53203,7 +53238,7 @@ diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig + bool "Capability restrictions" + depends on GRKERNSEC_CHROOT + help -+ If you say Y here, the capabilities on all root processes within a ++ If you say Y here, the capabilities on all processes within a + chroot jail will be lowered to stop module insertion, raw i/o, + system and net admin tasks, rebooting the system, modifying immutable + files, modifying IPC owned by another, and changing the system time. @@ -53596,7 +53631,7 @@ diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig + +config GRKERNSEC_FLOODBURST + int "Number of messages in a burst (maximum)" -+ default 4 ++ default 6 + help + This option allows you to choose the maximum number of messages allowed + within the flood time interval you chose in a separate option. The @@ -53609,8 +53644,8 @@ diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig +endmenu diff -urNp linux-3.0.4/grsecurity/Makefile linux-3.0.4/grsecurity/Makefile --- linux-3.0.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/grsecurity/Makefile 2011-08-23 21:48:14.000000000 -0400 -@@ -0,0 +1,34 @@ ++++ linux-3.0.4/grsecurity/Makefile 2011-09-14 23:29:56.000000000 -0400 +@@ -0,0 +1,35 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system @@ -53642,6 +53677,7 @@ diff -urNp linux-3.0.4/grsecurity/Makefile linux-3.0.4/grsecurity/Makefile +$(obj)/grsec_hidesym.o: + @-chmod -f 500 /boot + @-chmod -f 500 /lib/modules ++ @-chmod -f 500 /lib64/modules + @-chmod -f 700 . + @echo ' grsec: protected kernel image paths' +endif @@ -55417,8 +55453,8 @@ diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grin +#endif diff -urNp linux-3.0.4/include/linux/grmsg.h linux-3.0.4/include/linux/grmsg.h --- linux-3.0.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/include/linux/grmsg.h 2011-08-25 17:27:26.000000000 -0400 -@@ -0,0 +1,107 @@ ++++ linux-3.0.4/include/linux/grmsg.h 2011-09-14 09:16:54.000000000 -0400 +@@ -0,0 +1,108 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -55511,6 +55547,7 @@ diff -urNp linux-3.0.4/include/linux/grmsg.h linux-3.0.4/include/linux/grmsg.h +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4" +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " +#define GR_CAP_ACL_MSG "use of %s denied for " ++#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for " +#define GR_CAP_ACL_MSG2 "use of %s permitted for " +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for " +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for " @@ -55528,8 +55565,8 @@ diff -urNp linux-3.0.4/include/linux/grmsg.h linux-3.0.4/include/linux/grmsg.h +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " diff -urNp linux-3.0.4/include/linux/grsecurity.h linux-3.0.4/include/linux/grsecurity.h --- linux-3.0.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/include/linux/grsecurity.h 2011-08-25 17:27:36.000000000 -0400 -@@ -0,0 +1,227 @@ ++++ linux-3.0.4/include/linux/grsecurity.h 2011-09-14 09:16:54.000000000 -0400 +@@ -0,0 +1,226 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -55594,7 +55631,6 @@ diff -urNp linux-3.0.4/include/linux/grsecurity.h linux-3.0.4/include/linux/grse +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt); +int gr_handle_chroot_chroot(const struct dentry *dentry, + const struct vfsmount *mnt); -+int gr_handle_chroot_caps(struct path *path); +void gr_handle_chroot_chdir(struct path *path); +int gr_handle_chroot_chmod(const struct dentry *dentry, + const struct vfsmount *mnt, const int mode); @@ -56060,7 +56096,7 @@ diff -urNp linux-3.0.4/include/linux/mfd/abx500.h linux-3.0.4/include/linux/mfd/ int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops); void abx500_remove_ops(struct device *dev); diff -urNp linux-3.0.4/include/linux/mm.h linux-3.0.4/include/linux/mm.h ---- linux-3.0.4/include/linux/mm.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/include/linux/mm.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/include/linux/mm.h 2011-08-23 21:47:56.000000000 -0400 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void @@ -56444,7 +56480,7 @@ diff -urNp linux-3.0.4/include/linux/namei.h linux-3.0.4/include/linux/namei.h return nd->saved_names[nd->depth]; } diff -urNp linux-3.0.4/include/linux/netdevice.h linux-3.0.4/include/linux/netdevice.h ---- linux-3.0.4/include/linux/netdevice.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/include/linux/netdevice.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/include/linux/netdevice.h 2011-08-23 21:47:56.000000000 -0400 @@ -979,6 +979,7 @@ struct net_device_ops { int (*ndo_set_features)(struct net_device *dev, @@ -56634,7 +56670,7 @@ diff -urNp linux-3.0.4/include/linux/ptrace.h linux-3.0.4/include/linux/ptrace.h static inline int ptrace_reparented(struct task_struct *child) { diff -urNp linux-3.0.4/include/linux/random.h linux-3.0.4/include/linux/random.h ---- linux-3.0.4/include/linux/random.h 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/include/linux/random.h 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/include/linux/random.h 2011-08-23 21:47:56.000000000 -0400 @@ -69,12 +69,17 @@ void srandom32(u32 seed); @@ -58580,7 +58616,7 @@ diff -urNp linux-3.0.4/ipc/msg.c linux-3.0.4/ipc/msg.c msg_params.flg = msgflg; diff -urNp linux-3.0.4/ipc/sem.c linux-3.0.4/ipc/sem.c ---- linux-3.0.4/ipc/sem.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/ipc/sem.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/ipc/sem.c 2011-08-23 21:48:14.000000000 -0400 @@ -318,10 +318,15 @@ static inline int sem_more_checks(struct return 0; @@ -59134,8 +59170,8 @@ diff -urNp linux-3.0.4/kernel/debug/kdb/kdb_main.c linux-3.0.4/kernel/debug/kdb/ #ifdef CONFIG_MODULE_UNLOAD { diff -urNp linux-3.0.4/kernel/events/core.c linux-3.0.4/kernel/events/core.c ---- linux-3.0.4/kernel/events/core.c 2011-08-23 21:44:40.000000000 -0400 -+++ linux-3.0.4/kernel/events/core.c 2011-08-23 21:47:56.000000000 -0400 +--- linux-3.0.4/kernel/events/core.c 2011-09-02 18:11:21.000000000 -0400 ++++ linux-3.0.4/kernel/events/core.c 2011-09-14 09:08:05.000000000 -0400 @@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_ return 0; } @@ -59193,6 +59229,21 @@ diff -urNp linux-3.0.4/kernel/events/core.c linux-3.0.4/kernel/events/core.c } if (read_format & PERF_FORMAT_ID) values[n++] = primary_event_id(event); +@@ -4833,12 +4833,12 @@ static void perf_event_mmap_event(struct + * need to add enough zero bytes after the string to handle + * the 64bit alignment we do later. + */ +- buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL); ++ buf = kzalloc(PATH_MAX, GFP_KERNEL); + if (!buf) { + name = strncpy(tmp, "//enomem", sizeof(tmp)); + goto got_name; + } +- name = d_path(&file->f_path, buf, PATH_MAX); ++ name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64)); + if (IS_ERR(name)) { + name = strncpy(tmp, "//toolong", sizeof(tmp)); + goto got_name; @@ -6190,7 +6190,7 @@ perf_event_alloc(struct perf_event_attr event->parent = parent_event; @@ -59633,7 +59684,7 @@ diff -urNp linux-3.0.4/kernel/fork.c linux-3.0.4/kernel/fork.c else new_fs = fs; diff -urNp linux-3.0.4/kernel/futex.c linux-3.0.4/kernel/futex.c ---- linux-3.0.4/kernel/futex.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/kernel/futex.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/kernel/futex.c 2011-08-23 21:48:14.000000000 -0400 @@ -54,6 +54,7 @@ #include <linux/mount.h> @@ -61630,7 +61681,80 @@ diff -urNp linux-3.0.4/kernel/rcutorture.c linux-3.0.4/kernel/rcutorture.c per_cpu(rcu_torture_count, cpu)[i] = 0; diff -urNp linux-3.0.4/kernel/rcutree.c linux-3.0.4/kernel/rcutree.c --- linux-3.0.4/kernel/rcutree.c 2011-07-21 22:17:23.000000000 -0400 -+++ linux-3.0.4/kernel/rcutree.c 2011-08-23 21:47:56.000000000 -0400 ++++ linux-3.0.4/kernel/rcutree.c 2011-09-14 09:08:05.000000000 -0400 +@@ -356,9 +356,9 @@ void rcu_enter_nohz(void) + } + /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */ + smp_mb__before_atomic_inc(); /* See above. */ +- atomic_inc(&rdtp->dynticks); ++ atomic_inc_unchecked(&rdtp->dynticks); + smp_mb__after_atomic_inc(); /* Force ordering with next sojourn. */ +- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1); ++ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1); + local_irq_restore(flags); + + /* If the interrupt queued a callback, get out of dyntick mode. */ +@@ -387,10 +387,10 @@ void rcu_exit_nohz(void) + return; + } + smp_mb__before_atomic_inc(); /* Force ordering w/previous sojourn. */ +- atomic_inc(&rdtp->dynticks); ++ atomic_inc_unchecked(&rdtp->dynticks); + /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */ + smp_mb__after_atomic_inc(); /* See above. */ +- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1)); ++ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1)); + local_irq_restore(flags); + } + +@@ -406,14 +406,14 @@ void rcu_nmi_enter(void) + struct rcu_dynticks *rdtp = &__get_cpu_var(rcu_dynticks); + + if (rdtp->dynticks_nmi_nesting == 0 && +- (atomic_read(&rdtp->dynticks) & 0x1)) ++ (atomic_read_unchecked(&rdtp->dynticks) & 0x1)) + return; + rdtp->dynticks_nmi_nesting++; + smp_mb__before_atomic_inc(); /* Force delay from prior write. */ +- atomic_inc(&rdtp->dynticks); ++ atomic_inc_unchecked(&rdtp->dynticks); + /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */ + smp_mb__after_atomic_inc(); /* See above. */ +- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1)); ++ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1)); + } + + /** +@@ -432,9 +432,9 @@ void rcu_nmi_exit(void) + return; + /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */ + smp_mb__before_atomic_inc(); /* See above. */ +- atomic_inc(&rdtp->dynticks); ++ atomic_inc_unchecked(&rdtp->dynticks); + smp_mb__after_atomic_inc(); /* Force delay to next write. */ +- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1); ++ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1); + } + + /** +@@ -469,7 +469,7 @@ void rcu_irq_exit(void) + */ + static int dyntick_save_progress_counter(struct rcu_data *rdp) + { +- rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks); ++ rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks); + return 0; + } + +@@ -484,7 +484,7 @@ static int rcu_implicit_dynticks_qs(stru + unsigned long curr; + unsigned long snap; + +- curr = (unsigned long)atomic_add_return(0, &rdp->dynticks->dynticks); ++ curr = (unsigned long)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks); + snap = (unsigned long)rdp->dynticks_snap; + + /* @@ -1470,7 +1470,7 @@ __rcu_process_callbacks(struct rcu_state /* * Do softirq processing for the current CPU. @@ -61640,6 +61764,18 @@ diff -urNp linux-3.0.4/kernel/rcutree.c linux-3.0.4/kernel/rcutree.c { __rcu_process_callbacks(&rcu_sched_state, &__get_cpu_var(rcu_sched_data)); +diff -urNp linux-3.0.4/kernel/rcutree.h linux-3.0.4/kernel/rcutree.h +--- linux-3.0.4/kernel/rcutree.h 2011-07-21 22:17:23.000000000 -0400 ++++ linux-3.0.4/kernel/rcutree.h 2011-09-14 09:08:05.000000000 -0400 +@@ -86,7 +86,7 @@ + struct rcu_dynticks { + int dynticks_nesting; /* Track irq/process nesting level. */ + int dynticks_nmi_nesting; /* Track NMI nesting level. */ +- atomic_t dynticks; /* Even value for dynticks-idle, else odd. */ ++ atomic_unchecked_t dynticks; /* Even value for dynticks-idle, else odd. */ + }; + + /* RCU's kthread states for tracing. */ diff -urNp linux-3.0.4/kernel/rcutree_plugin.h linux-3.0.4/kernel/rcutree_plugin.h --- linux-3.0.4/kernel/rcutree_plugin.h 2011-07-21 22:17:23.000000000 -0400 +++ linux-3.0.4/kernel/rcutree_plugin.h 2011-08-23 21:47:56.000000000 -0400 @@ -62123,7 +62259,7 @@ diff -urNp linux-3.0.4/kernel/softirq.c linux-3.0.4/kernel/softirq.c struct tasklet_struct *list; diff -urNp linux-3.0.4/kernel/sys.c linux-3.0.4/kernel/sys.c ---- linux-3.0.4/kernel/sys.c 2011-08-29 23:26:14.000000000 -0400 +--- linux-3.0.4/kernel/sys.c 2011-09-02 18:11:26.000000000 -0400 +++ linux-3.0.4/kernel/sys.c 2011-08-29 23:26:27.000000000 -0400 @@ -158,6 +158,12 @@ static int set_one_prio(struct task_stru error = -EACCES; @@ -62792,7 +62928,7 @@ diff -urNp linux-3.0.4/kernel/trace/trace.c linux-3.0.4/kernel/trace/trace.c struct dentry *d_tracer; diff -urNp linux-3.0.4/kernel/trace/trace_events.c linux-3.0.4/kernel/trace/trace_events.c ---- linux-3.0.4/kernel/trace/trace_events.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/kernel/trace/trace_events.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/kernel/trace/trace_events.c 2011-08-23 21:47:56.000000000 -0400 @@ -1318,10 +1318,6 @@ static LIST_HEAD(ftrace_module_file_list struct ftrace_module_file_ops { @@ -63140,8 +63276,8 @@ diff -urNp linux-3.0.4/localversion-grsec linux-3.0.4/localversion-grsec @@ -0,0 +1 @@ +-grsec diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile ---- linux-3.0.4/Makefile 2011-08-29 23:26:13.000000000 -0400 -+++ linux-3.0.4/Makefile 2011-09-01 17:26:49.000000000 -0400 +--- linux-3.0.4/Makefile 2011-09-02 18:11:26.000000000 -0400 ++++ linux-3.0.4/Makefile 2011-09-14 11:16:43.000000000 -0400 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" HOSTCC = gcc @@ -63167,23 +63303,30 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile KBUILD_AFLAGS_KERNEL := KBUILD_CFLAGS_KERNEL := KBUILD_AFLAGS := -D__ASSEMBLY__ -@@ -408,6 +411,7 @@ export RCS_TAR_IGNORE := --exclude SCCS +@@ -407,8 +410,8 @@ export RCS_TAR_IGNORE := --exclude SCCS + # Rules shared between *config targets and build targets # Basic helpers built in scripts/ - PHONY += scripts_basic -+scripts_basic: KBUILD_CFLAGS := $(filter-out $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN),$(KBUILD_CFLAGS)) - scripts_basic: +-PHONY += scripts_basic +-scripts_basic: ++PHONY += scripts_basic gcc-plugins ++scripts_basic: gcc-plugins $(Q)$(MAKE) $(build)=scripts/basic $(Q)rm -f .tmp_quiet_recordmcount -@@ -564,6 +568,24 @@ else + +@@ -564,6 +567,28 @@ else KBUILD_CFLAGS += -O2 endif -+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh $(HOSTCC)), y) ++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh $(HOSTCC) $(CC)), y) +CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN ++ifdef CONFIG_KALLOCSTAT_PLUGIN ++KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so ++endif +ifdef CONFIG_PAX_MEMORY_STACKLEAK +STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100 +endif ++GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN +gcc-plugins: + $(Q)$(MAKE) $(build)=tools/gcc @@ -63200,7 +63343,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile include $(srctree)/arch/$(SRCARCH)/Makefile ifneq ($(CONFIG_FRAME_WARN),0) -@@ -708,7 +730,7 @@ export mod_strip_cmd +@@ -708,7 +733,7 @@ export mod_strip_cmd ifeq ($(KBUILD_EXTMOD),) @@ -63209,34 +63352,34 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -907,6 +929,8 @@ define rule_vmlinux-modpost +@@ -907,6 +932,8 @@ define rule_vmlinux-modpost endef # vmlinux image - including updated kernel symbols -+$(vmlinux-all): KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) ++$(vmlinux-all): KBUILD_CFLAGS += $(GCC_PLUGINS) +$(vmlinux-all): gcc-plugins vmlinux: $(vmlinux-lds) $(vmlinux-init) $(vmlinux-main) vmlinux.o $(kallsyms.o) FORCE ifdef CONFIG_HEADERS_CHECK $(Q)$(MAKE) -f $(srctree)/Makefile headers_check -@@ -941,7 +965,8 @@ $(sort $(vmlinux-init) $(vmlinux-main)) +@@ -941,7 +968,8 @@ $(sort $(vmlinux-init) $(vmlinux-main)) # Error messages still appears in the original language PHONY += $(vmlinux-dirs) -$(vmlinux-dirs): prepare scripts -+$(vmlinux-dirs): KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) ++$(vmlinux-dirs): KBUILD_CFLAGS += $(GCC_PLUGINS) +$(vmlinux-dirs): gcc-plugins prepare scripts $(Q)$(MAKE) $(build)=$@ # Store (new) KERNELRELASE string in include/config/kernel.release -@@ -986,6 +1011,7 @@ prepare0: archprepare FORCE +@@ -986,6 +1014,7 @@ prepare0: archprepare FORCE $(Q)$(MAKE) $(build)=. missing-syscalls # All the preparing.. -+prepare: KBUILD_CFLAGS := $(filter-out $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN),$(KBUILD_CFLAGS)) ++prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS)) prepare: prepare0 # Generate some files -@@ -1102,7 +1128,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu +@@ -1102,7 +1131,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu # Target to prepare building external modules PHONY += modules_prepare @@ -63245,7 +63388,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile # Target to install modules PHONY += modules_install -@@ -1198,7 +1224,7 @@ distclean: mrproper +@@ -1198,7 +1227,7 @@ distclean: mrproper @find $(srctree) $(RCS_FIND_IGNORE) \ \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ @@ -63254,26 +63397,26 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1359,6 +1385,7 @@ PHONY += $(module-dirs) modules +@@ -1359,6 +1388,7 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) -+modules: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) ++modules: KBUILD_CFLAGS += $(GCC_PLUGINS) modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1485,17 +1512,19 @@ else +@@ -1485,17 +1515,19 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif -%.s: %.c prepare scripts FORCE -+%.s: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) ++%.s: KBUILD_CFLAGS += $(GCC_PLUGINS) +%.s: %.c gcc-plugins prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.i: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -%.o: %.c prepare scripts FORCE -+%.o: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) ++%.o: KBUILD_CFLAGS += $(GCC_PLUGINS) +%.o: %.c gcc-plugins prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.lst: %.c prepare scripts FORCE @@ -63286,18 +63429,18 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1505,11 +1534,13 @@ endif +@@ -1505,11 +1537,13 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) -%/: prepare scripts FORCE -+%/: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) ++%/: KBUILD_CFLAGS += $(GCC_PLUGINS) +%/: gcc-plugins prepare scripts FORCE $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) -%.ko: prepare scripts FORCE -+%.ko: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) ++%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS) +%.ko: gcc-plugins prepare scripts FORCE $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ @@ -63584,7 +63727,7 @@ diff -urNp linux-3.0.4/mm/madvise.c linux-3.0.4/mm/madvise.c if (end == start) goto out; diff -urNp linux-3.0.4/mm/memory.c linux-3.0.4/mm/memory.c ---- linux-3.0.4/mm/memory.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/mm/memory.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/mm/memory.c 2011-08-23 21:47:56.000000000 -0400 @@ -457,8 +457,12 @@ static inline void free_pmd_range(struct return; @@ -67084,7 +67227,7 @@ diff -urNp linux-3.0.4/mm/util.c linux-3.0.4/mm/util.c mm->unmap_area = arch_unmap_area; } diff -urNp linux-3.0.4/mm/vmalloc.c linux-3.0.4/mm/vmalloc.c ---- linux-3.0.4/mm/vmalloc.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/mm/vmalloc.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/mm/vmalloc.c 2011-08-23 21:47:56.000000000 -0400 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, @@ -68157,7 +68300,7 @@ diff -urNp linux-3.0.4/net/ipv4/inet_diag.c linux-3.0.4/net/ipv4/inet_diag.c tmo = req->expires - jiffies; if (tmo < 0) diff -urNp linux-3.0.4/net/ipv4/inet_hashtables.c linux-3.0.4/net/ipv4/inet_hashtables.c ---- linux-3.0.4/net/ipv4/inet_hashtables.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/ipv4/inet_hashtables.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/ipv4/inet_hashtables.c 2011-08-23 21:55:24.000000000 -0400 @@ -18,12 +18,15 @@ #include <linux/sched.h> @@ -68185,7 +68328,7 @@ diff -urNp linux-3.0.4/net/ipv4/inet_hashtables.c linux-3.0.4/net/ipv4/inet_hash inet_twsk_deschedule(tw, death_row); while (twrefcnt) { diff -urNp linux-3.0.4/net/ipv4/inetpeer.c linux-3.0.4/net/ipv4/inetpeer.c ---- linux-3.0.4/net/ipv4/inetpeer.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/ipv4/inetpeer.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/ipv4/inetpeer.c 2011-08-23 21:48:14.000000000 -0400 @@ -481,6 +481,8 @@ struct inet_peer *inet_getpeer(struct in unsigned int sequence; @@ -68327,7 +68470,7 @@ diff -urNp linux-3.0.4/net/ipv4/raw.c linux-3.0.4/net/ipv4/raw.c static int raw_seq_show(struct seq_file *seq, void *v) diff -urNp linux-3.0.4/net/ipv4/route.c linux-3.0.4/net/ipv4/route.c ---- linux-3.0.4/net/ipv4/route.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/ipv4/route.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/ipv4/route.c 2011-08-23 21:47:56.000000000 -0400 @@ -304,7 +304,7 @@ static inline unsigned int rt_hash(__be3 @@ -68378,7 +68521,7 @@ diff -urNp linux-3.0.4/net/ipv4/tcp.c linux-3.0.4/net/ipv4/tcp.c return -EFAULT; diff -urNp linux-3.0.4/net/ipv4/tcp_ipv4.c linux-3.0.4/net/ipv4/tcp_ipv4.c ---- linux-3.0.4/net/ipv4/tcp_ipv4.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/ipv4/tcp_ipv4.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/ipv4/tcp_ipv4.c 2011-08-23 21:48:14.000000000 -0400 @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly; int sysctl_tcp_low_latency __read_mostly; @@ -68808,7 +68951,7 @@ diff -urNp linux-3.0.4/net/ipv6/raw.c linux-3.0.4/net/ipv6/raw.c static int raw6_seq_show(struct seq_file *seq, void *v) diff -urNp linux-3.0.4/net/ipv6/tcp_ipv6.c linux-3.0.4/net/ipv6/tcp_ipv6.c ---- linux-3.0.4/net/ipv6/tcp_ipv6.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/ipv6/tcp_ipv6.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/ipv6/tcp_ipv6.c 2011-08-23 21:48:14.000000000 -0400 @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5 } @@ -68910,7 +69053,7 @@ diff -urNp linux-3.0.4/net/ipv6/tcp_ipv6.c linux-3.0.4/net/ipv6/tcp_ipv6.c static int tcp6_seq_show(struct seq_file *seq, void *v) diff -urNp linux-3.0.4/net/ipv6/udp.c linux-3.0.4/net/ipv6/udp.c ---- linux-3.0.4/net/ipv6/udp.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/ipv6/udp.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/ipv6/udp.c 2011-08-23 21:48:14.000000000 -0400 @@ -50,6 +50,10 @@ #include <linux/seq_file.h> @@ -69250,7 +69393,7 @@ diff -urNp linux-3.0.4/net/mac80211/ieee80211_i.h linux-3.0.4/net/mac80211/ieee8 /* number of interfaces with corresponding FIF_ flags */ int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll, diff -urNp linux-3.0.4/net/mac80211/iface.c linux-3.0.4/net/mac80211/iface.c ---- linux-3.0.4/net/mac80211/iface.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/mac80211/iface.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/mac80211/iface.c 2011-08-23 21:47:56.000000000 -0400 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_ break; @@ -69319,7 +69462,7 @@ diff -urNp linux-3.0.4/net/mac80211/main.c linux-3.0.4/net/mac80211/main.c /* * Goal: diff -urNp linux-3.0.4/net/mac80211/mlme.c linux-3.0.4/net/mac80211/mlme.c ---- linux-3.0.4/net/mac80211/mlme.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/mac80211/mlme.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/mac80211/mlme.c 2011-08-23 21:48:14.000000000 -0400 @@ -1444,6 +1444,8 @@ static bool ieee80211_assoc_success(stru bool have_higher_than_11mbit = false; @@ -69439,7 +69582,7 @@ diff -urNp linux-3.0.4/net/netfilter/ipvs/ip_vs_core.c linux-3.0.4/net/netfilter if ((ipvs->sync_state & IP_VS_STATE_MASTER) && cp->protocol == IPPROTO_SCTP) { diff -urNp linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c ---- linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c 2011-08-23 21:48:14.000000000 -0400 @@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service ip_vs_rs_hash(ipvs, dest); @@ -70287,7 +70430,7 @@ diff -urNp linux-3.0.4/net/sctp/socket.c linux-3.0.4/net/sctp/socket.c to += addrlen; cnt++; diff -urNp linux-3.0.4/net/socket.c linux-3.0.4/net/socket.c ---- linux-3.0.4/net/socket.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/net/socket.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/net/socket.c 2011-08-23 21:48:14.000000000 -0400 @@ -88,6 +88,7 @@ #include <linux/nsproxy.h> @@ -70894,10 +71037,10 @@ diff -urNp linux-3.0.4/scripts/basic/fixdep.c linux-3.0.4/scripts/basic/fixdep.c fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n", diff -urNp linux-3.0.4/scripts/gcc-plugin.sh linux-3.0.4/scripts/gcc-plugin.sh --- linux-3.0.4/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/scripts/gcc-plugin.sh 2011-08-31 18:39:25.000000000 -0400 ++++ linux-3.0.4/scripts/gcc-plugin.sh 2011-09-14 09:08:05.000000000 -0400 @@ -0,0 +1,2 @@ +#!/bin/sh -+echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $* -x c -shared - -o /dev/null -I`$* -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y" ++echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y" diff -urNp linux-3.0.4/scripts/Makefile.build linux-3.0.4/scripts/Makefile.build --- linux-3.0.4/scripts/Makefile.build 2011-07-21 22:17:23.000000000 -0400 +++ linux-3.0.4/scripts/Makefile.build 2011-08-23 21:47:56.000000000 -0400 @@ -71142,7 +71285,7 @@ diff -urNp linux-3.0.4/scripts/pnmtologo.c linux-3.0.4/scripts/pnmtologo.c write_hex_cnt = 0; for (i = 0; i < logo_clutsize; i++) { diff -urNp linux-3.0.4/security/apparmor/lsm.c linux-3.0.4/security/apparmor/lsm.c ---- linux-3.0.4/security/apparmor/lsm.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/security/apparmor/lsm.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/security/apparmor/lsm.c 2011-08-23 21:48:14.000000000 -0400 @@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc return error; @@ -72351,7 +72494,7 @@ diff -urNp linux-3.0.4/sound/pci/ymfpci/ymfpci_main.c linux-3.0.4/sound/pci/ymfp chip->pci = pci; chip->irq = -1; diff -urNp linux-3.0.4/sound/soc/soc-core.c linux-3.0.4/sound/soc/soc-core.c ---- linux-3.0.4/sound/soc/soc-core.c 2011-08-23 21:44:40.000000000 -0400 +--- linux-3.0.4/sound/soc/soc-core.c 2011-09-02 18:11:21.000000000 -0400 +++ linux-3.0.4/sound/soc/soc-core.c 2011-08-23 21:47:56.000000000 -0400 @@ -1021,7 +1021,7 @@ static snd_pcm_uframes_t soc_pcm_pointer } @@ -72687,10 +72830,177 @@ diff -urNp linux-3.0.4/tools/gcc/constify_plugin.c linux-3.0.4/tools/gcc/constif + + return 0; +} +diff -urNp linux-3.0.4/tools/gcc/kallocstat_plugin.c linux-3.0.4/tools/gcc/kallocstat_plugin.c +--- linux-3.0.4/tools/gcc/kallocstat_plugin.c 1969-12-31 19:00:00.000000000 -0500 ++++ linux-3.0.4/tools/gcc/kallocstat_plugin.c 2011-09-14 09:08:05.000000000 -0400 +@@ -0,0 +1,163 @@ ++/* ++ * Copyright 2011 by the PaX Team <pageexec@freemail.hu> ++ * Licensed under the GPL v2 ++ * ++ * Note: the choice of the license means that the compilation process is ++ * NOT 'eligible' as defined by gcc's library exception to the GPL v3, ++ * but for the kernel it doesn't matter since it doesn't link against ++ * any of the gcc libraries ++ * ++ * gcc plugin to find the distribution of k*alloc sizes ++ * ++ * TODO: ++ * ++ * BUGS: ++ * - none known ++ */ ++#include "gcc-plugin.h" ++#include "config.h" ++#include "system.h" ++#include "coretypes.h" ++#include "tree.h" ++#include "tree-pass.h" ++#include "intl.h" ++#include "plugin-version.h" ++#include "tm.h" ++#include "toplev.h" ++#include "basic-block.h" ++#include "gimple.h" ++//#include "expr.h" where are you... ++#include "diagnostic.h" ++#include "rtl.h" ++#include "emit-rtl.h" ++#include "function.h" ++ ++int plugin_is_GPL_compatible; ++ ++static const char * const kalloc_functions[] = { ++ "__kmalloc", ++ "kmalloc", ++ "kmalloc_large", ++ "kmalloc_node", ++ "kmalloc_order", ++ "kmalloc_order_trace", ++ "kmalloc_slab", ++ "kzalloc", ++ "kzalloc_node", ++}; ++ ++static struct plugin_info kallocstat_plugin_info = { ++ .version = "201109121100", ++}; ++ ++static unsigned int execute_kallocstat(void); ++ ++static struct gimple_opt_pass kallocstat_pass = { ++ .pass = { ++ .type = GIMPLE_PASS, ++ .name = "kallocstat", ++ .gate = NULL, ++ .execute = execute_kallocstat, ++ .sub = NULL, ++ .next = NULL, ++ .static_pass_number = 0, ++ .tv_id = TV_NONE, ++ .properties_required = 0, ++ .properties_provided = 0, ++ .properties_destroyed = 0, ++ .todo_flags_start = 0, ++ .todo_flags_finish = 0 ++ } ++}; ++ ++static bool is_kalloc(const char *fnname) ++{ ++ size_t i; ++ ++ for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++) ++ if (!strcmp(fnname, kalloc_functions[i])) ++ return true; ++ return false; ++} ++ ++static unsigned int execute_kallocstat(void) ++{ ++ basic_block bb; ++ gimple_stmt_iterator gsi; ++ ++ // 1. loop through BBs and GIMPLE statements ++ FOR_EACH_BB(bb) { ++ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) { ++ // gimple match: ++ tree fndecl, size; ++ gimple call_stmt; ++ const char *fnname; ++ ++ // is it a call ++ call_stmt = gsi_stmt(gsi); ++ if (!is_gimple_call(call_stmt)) ++ continue; ++ fndecl = gimple_call_fndecl(call_stmt); ++ if (fndecl == NULL_TREE) ++ continue; ++ if (TREE_CODE(fndecl) != FUNCTION_DECL) ++ continue; ++ ++ // is it a call to k*alloc ++ fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl)); ++ if (!is_kalloc(fnname)) ++ continue; ++ ++ // is the size arg the result of a simple const assignment ++ size = gimple_call_arg(call_stmt, 0); ++ while (true) { ++ gimple def_stmt; ++ expanded_location xloc; ++ size_t size_val; ++ ++ if (TREE_CODE(size) != SSA_NAME) ++ break; ++ def_stmt = SSA_NAME_DEF_STMT(size); ++ if (!def_stmt || !is_gimple_assign(def_stmt)) ++ break; ++ if (gimple_num_ops(def_stmt) != 2) ++ break; ++ size = gimple_assign_rhs1(def_stmt); ++ if (!TREE_CONSTANT(size)) ++ continue; ++ xloc = expand_location(gimple_location(def_stmt)); ++ if (!xloc.file) ++ xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl)); ++ size_val = TREE_INT_CST_LOW(size); ++ fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line); ++ break; ++ } ++//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO); ++//debug_tree(gimple_call_fn(call_stmt)); ++//print_node(stderr, "pax", fndecl, 4); ++ } ++ } ++ ++ return 0; ++} ++ ++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version) ++{ ++ const char * const plugin_name = plugin_info->base_name; ++ struct register_pass_info kallocstat_pass_info = { ++ .pass = &kallocstat_pass.pass, ++ .reference_pass_name = "ssa", ++ .ref_pass_instance_number = 0, ++ .pos_op = PASS_POS_INSERT_AFTER ++ }; ++ ++ if (!plugin_default_version_check(version, &gcc_version)) { ++ error(G_("incompatible gcc/plugin versions")); ++ return 1; ++ } ++ ++ register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info); ++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info); ++ ++ return 0; ++} diff -urNp linux-3.0.4/tools/gcc/Makefile linux-3.0.4/tools/gcc/Makefile --- linux-3.0.4/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/tools/gcc/Makefile 2011-08-23 21:47:56.000000000 -0400 -@@ -0,0 +1,12 @@ ++++ linux-3.0.4/tools/gcc/Makefile 2011-09-14 09:08:05.000000000 -0400 +@@ -0,0 +1,13 @@ +#CC := gcc +#PLUGIN_SOURCE_FILES := pax_plugin.c +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES)) @@ -72699,14 +73009,15 @@ diff -urNp linux-3.0.4/tools/gcc/Makefile linux-3.0.4/tools/gcc/Makefile + +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include + -+hostlibs-y := stackleak_plugin.so constify_plugin.so ++hostlibs-y := stackleak_plugin.so constify_plugin.so kallocstat_plugin.so +always := $(hostlibs-y) +stackleak_plugin-objs := stackleak_plugin.o +constify_plugin-objs := constify_plugin.o ++kallocstat_plugin-objs := kallocstat_plugin.o diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackleak_plugin.c --- linux-3.0.4/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/tools/gcc/stackleak_plugin.c 2011-08-23 21:47:56.000000000 -0400 -@@ -0,0 +1,243 @@ ++++ linux-3.0.4/tools/gcc/stackleak_plugin.c 2011-09-14 09:08:05.000000000 -0400 +@@ -0,0 +1,249 @@ +/* + * Copyright 2011 by the PaX Team <pageexec@freemail.hu> + * Licensed under the GPL v2 @@ -72724,7 +73035,7 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl + * - initialize all local variables + * + * BUGS: -+ * - cloned functions are instrumented twice ++ * - none known + */ +#include "gcc-plugin.h" +#include "config.h" @@ -72751,7 +73062,7 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl +static bool init_locals; + +static struct plugin_info stackleak_plugin_info = { -+ .version = "201106030000", ++ .version = "201109112100", + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n" +// "initialize-locals\t\tforcibly initialize all stack frames\n" +}; @@ -72804,13 +73115,13 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before) +{ + gimple call; -+ tree decl, type; ++ tree fndecl, type; + + // insert call to void pax_track_stack(void) + type = build_function_type_list(void_type_node, NULL_TREE); -+ decl = build_fn_decl(track_function, type); -+ DECL_ASSEMBLER_NAME(decl); // for LTO -+ call = gimple_build_call(decl, 0); ++ fndecl = build_fn_decl(track_function, type); ++ DECL_ASSEMBLER_NAME(fndecl); // for LTO ++ call = gimple_build_call(fndecl, 0); + if (before) + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING); + else @@ -72819,40 +73130,46 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl + +static unsigned int execute_stackleak_tree_instrument(void) +{ -+ basic_block bb; ++ basic_block bb, entry_bb; + gimple_stmt_iterator gsi; ++ bool prologue_instrumented = false; ++ ++ entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb; + + // 1. loop through BBs and GIMPLE statements + FOR_EACH_BB(bb) { + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) { + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450> -+ tree decl; ++ tree fndecl; + gimple stmt = gsi_stmt(gsi); + + if (!is_gimple_call(stmt)) + continue; -+ decl = gimple_call_fndecl(stmt); -+ if (!decl) ++ fndecl = gimple_call_fndecl(stmt); ++ if (!fndecl) + continue; -+ if (TREE_CODE(decl) != FUNCTION_DECL) ++ if (TREE_CODE(fndecl) != FUNCTION_DECL) + continue; -+ if (!DECL_BUILT_IN(decl)) ++ if (!DECL_BUILT_IN(fndecl)) + continue; -+ if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL) ++ if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL) + continue; -+ if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA) ++ if (DECL_FUNCTION_CODE(fndecl) != BUILT_IN_ALLOCA) + continue; + + // 2. insert track call after each __builtin_alloca call + stackleak_add_instrumentation(&gsi, false); -+// print_node(stderr, "pax", decl, 4); ++ if (bb == entry_bb) ++ prologue_instrumented = true; ++// print_node(stderr, "pax", fndecl, 4); + } + } + + // 3. insert track call at the beginning -+ bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb; -+ gsi = gsi_start_bb(bb); -+ stackleak_add_instrumentation(&gsi, true); ++ if (!prologue_instrumented) { ++ gsi = gsi_start_bb(entry_bb); ++ stackleak_add_instrumentation(&gsi, true); ++ } + + return 0; +} diff --git a/3.0.4/4423_grsec-remove-protected-paths.patch b/3.0.4/4423_grsec-remove-protected-paths.patch index da4c861..abd9b99 100644 --- a/3.0.4/4423_grsec-remove-protected-paths.patch +++ b/3.0.4/4423_grsec-remove-protected-paths.patch @@ -1,20 +1,18 @@ -From: Anthony G. Basile <basile@opensource.dyc.edu> +From: Anthony G. Basile <blueness@gentoo.org> -We don't want to allow GRSEC's Makefile to change permissions on -paths in the filesystem. +We don't want GRSEC's Makefile to change permissions on paths in +the filesystem. ---- a/grsecurity/Makefile 2010-05-21 06:52:24.000000000 -0400 -+++ b/grsecurity/Makefile 2010-05-21 06:54:54.000000000 -0400 -@@ -27,8 +27,8 @@ +diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile +--- a/grsecurity/Makefile 2011-09-15 13:36:25.000000000 -0400 ++++ b/grsecurity/Makefile 2011-09-15 13:44:58.000000000 -0400 +@@ -27,9 +27,4 @@ ifdef CONFIG_GRKERNSEC_HIDESYM extra-y := grsec_hidesym.o $(obj)/grsec_hidesym.o: - @-chmod -f 500 /boot - @-chmod -f 500 /lib/modules +- @-chmod -f 500 /lib64/modules - @-chmod -f 700 . - @echo ' grsec: protected kernel image paths' -+ # @-chmod -f 500 /boot -+ # @-chmod -f 500 /lib/modules -+ # @-chmod -f 700 . -+ # @echo ' grsec: protected kernel image paths' endif |