diff options
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9-2.6.32.59-201203212033.patch (renamed from 2.6.32/4420_grsecurity-2.9-2.6.32.59-201203201932.patch) | 107 | ||||
-rw-r--r-- | 2.6.32/4455_grsec-kconfig-gentoo.patch | 5 |
3 files changed, 72 insertions, 42 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 0a02821..078f367 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9-2.6.32.59-201203201932.patch +Patch: 4420_grsecurity-2.9-2.6.32.59-201203212033.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203201932.patch b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203212033.patch index 64b036f..0b63ac0 100644 --- a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203201932.patch +++ b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201203212033.patch @@ -22651,7 +22651,7 @@ index e6d925f..8cdd779 100644 .disabled_by_bios = vmx_disabled_by_bios, .hardware_setup = hardware_setup, diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index df1cefb..ff86cc2 100644 +index df1cefb..31447ca 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu); @@ -22728,23 +22728,19 @@ index df1cefb..ff86cc2 100644 return -EINVAL; if (irqchip_in_kernel(vcpu->kvm)) return -ENXIO; -@@ -2764,7 +2774,14 @@ int emulator_write_emulated(unsigned long addr, - } - EXPORT_SYMBOL_GPL(emulator_write_emulated); - --static int emulator_cmpxchg_emulated(unsigned long addr, -+static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt, -+ unsigned long addr, -+ const void *old, -+ const void *new, -+ unsigned int bytes, -+ struct kvm_vcpu *vcpu) __size_overflow(5); -+static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt, -+ unsigned long addr, +@@ -2768,6 +2778,11 @@ static int emulator_cmpxchg_emulated(unsigned long addr, const void *old, const void *new, unsigned int bytes, -@@ -3260,10 +3277,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { ++ struct kvm_vcpu *vcpu) __size_overflow(5); ++static int emulator_cmpxchg_emulated(unsigned long addr, ++ const void *old, ++ const void *new, ++ unsigned int bytes, + struct kvm_vcpu *vcpu) + { + printk_once(KERN_WARNING "kvm: emulating exchange as write\n"); +@@ -3260,10 +3275,10 @@ static struct notifier_block kvmclock_cpufreq_notifier_block = { .notifier_call = kvmclock_cpufreq_notifier }; @@ -74908,10 +74904,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..d785922 +index 0000000..d881a39 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4117 @@ +@@ -0,0 +1,4156 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -75566,22 +75562,60 @@ index 0000000..d785922 + unsigned int index = + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size); + struct acl_role_label **curr; -+ struct acl_role_label *tmp; ++ struct acl_role_label *tmp, *tmp2; + + curr = &acl_role_set.r_hash[index]; + -+ /* if role was already inserted due to domains and already has -+ a role in the same bucket as it attached, then we need to -+ combine these two buckets -+ */ -+ if (role->next) { -+ tmp = role->next; -+ while (tmp->next) ++ /* simple case, slot is empty, just set it to our role */ ++ if (*curr == NULL) { ++ *curr = role; ++ } else { ++ /* example: ++ 1 -> 2 -> 3 (adding 2 -> 3 to here) ++ 2 -> 3 ++ */ ++ /* first check to see if we can already be reached via this slot */ ++ tmp = *curr; ++ while (tmp && tmp != role) + tmp = tmp->next; -+ tmp->next = *curr; -+ } else -+ role->next = *curr; -+ *curr = role; ++ if (tmp == role) { ++ /* we don't need to add ourselves to this slot's chain */ ++ return; ++ } ++ /* we need to add ourselves to this chain, two cases */ ++ if (role->next == NULL) { ++ /* simple case, append the current chain to our role */ ++ role->next = *curr; ++ *curr = role; ++ } else { ++ /* 1 -> 2 -> 3 -> 4 ++ 2 -> 3 -> 4 ++ 3 -> 4 (adding 1 -> 2 -> 3 -> 4 to here) ++ */ ++ /* trickier case: walk our role's chain until we find ++ the role for the start of the current slot's chain */ ++ tmp = role; ++ tmp2 = *curr; ++ while (tmp->next && tmp->next != tmp2) ++ tmp = tmp->next; ++ if (tmp->next == tmp2) { ++ /* from example above, we found 3, so just ++ replace this slot's chain with ours */ ++ *curr = role; ++ } else { ++ /* we didn't find a subset of our role's chain ++ in the current slot's chain, so append their ++ chain to ours, and set us as the first role in ++ the slot's chain ++ ++ we could fold this case with the case above, ++ but making it explicit for clarity ++ */ ++ tmp->next = tmp2; ++ *curr = role; ++ } ++ } ++ } + + return; +} @@ -75910,6 +75944,7 @@ index 0000000..d785922 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db)); + + default_role = NULL; ++ kernel_role = NULL; + role_list = NULL; + + return; @@ -84490,7 +84525,7 @@ index e2bd73e..fea8ed3 100644 #endif /* _ASM_GENERIC_PGTABLE_H */ diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h -index b218b85..62dbfdc 100644 +index b218b85..043ee5b 100644 --- a/include/asm-generic/uaccess.h +++ b/include/asm-generic/uaccess.h @@ -76,6 +76,8 @@ extern unsigned long search_exception_table(unsigned long); @@ -84535,15 +84570,7 @@ index b218b85..62dbfdc 100644 static inline long copy_to_user(void __user *to, const void *from, unsigned long n) { -@@ -276,6 +283,7 @@ __strncpy_from_user(char *dst, const char __user *src, long count) - #endif - - static inline long -+static inline long - strncpy_from_user(char *dst, const char __user *src, long count) - { - if (!access_ok(VERIFY_READ, src, 1)) -@@ -307,6 +315,8 @@ static inline long strlen_user(const char __user *src) +@@ -307,6 +314,8 @@ static inline long strlen_user(const char __user *src) */ #ifndef __clear_user static inline __must_check unsigned long @@ -84552,7 +84579,7 @@ index b218b85..62dbfdc 100644 __clear_user(void __user *to, unsigned long n) { memset((void __force *)to, 0, n); -@@ -315,6 +325,8 @@ __clear_user(void __user *to, unsigned long n) +@@ -315,6 +324,8 @@ __clear_user(void __user *to, unsigned long n) #endif static inline __must_check unsigned long diff --git a/2.6.32/4455_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch index b7e7322..495638e 100644 --- a/2.6.32/4455_grsec-kconfig-gentoo.patch +++ b/2.6.32/4455_grsec-kconfig-gentoo.patch @@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_LOW bool "Low" -@@ -192,6 +192,259 @@ +@@ -192,6 +192,262 @@ - Restricted sysfs/debugfs - Active kernel exploit response @@ -67,6 +67,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_PTRACE_READEXEC + select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_IO @@ -152,6 +153,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_PTRACE_READEXEC + select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_PROC_IPADDR @@ -236,6 +238,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_AUDIT_MOUNT + select GRKERNSEC_MODHARDEN if (MODULES) + select GRKERNSEC_HARDEN_PTRACE ++ select GRKERNSEC_PTRACE_READEXEC + select GRKERNSEC_SETXID + select GRKERNSEC_VM86 if (X86_32) + select GRKERNSEC_PROC_IPADDR |