diff options
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch) | 11 | ||||
-rw-r--r-- | 3.11.7/0000_README | 2 | ||||
-rw-r--r-- | 3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch (renamed from 3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch) | 75 | ||||
-rw-r--r-- | 3.2.52/0000_README | 2 | ||||
-rw-r--r-- | 3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch (renamed from 3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch) | 35 |
6 files changed, 81 insertions, 46 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index b5c69e3..70f19f5 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch From: http://www.kernel.org Desc: Linux 2.6.32.61 -Patch: 4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch index acf589b..59e84fb 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch @@ -110626,18 +110626,21 @@ index 0000000..7cd6065 @@ -0,0 +1 @@ +-grsec diff --git a/mm/Kconfig b/mm/Kconfig -index 2c19c0b..f3c3f83 100644 +index 2c19c0b..713bf49 100644 --- a/mm/Kconfig +++ b/mm/Kconfig -@@ -228,7 +228,7 @@ config KSM +@@ -228,8 +228,9 @@ config KSM config DEFAULT_MMAP_MIN_ADDR int "Low address space to protect from user allocation" depends on MMU - default 4096 -+ default 65536 - help +- help ++ default 32768 if ALPHA || ARM || PARISC || SPARC32 ++ default 65536 ++ help This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages + can help reduce the impact of kernel NULL pointer bugs. diff --git a/mm/backing-dev.c b/mm/backing-dev.c index d824401..9f5244a 100644 --- a/mm/backing-dev.c diff --git a/3.11.7/0000_README b/3.11.7/0000_README index ff6ef32..c06ec7f 100644 --- a/3.11.7/0000_README +++ b/3.11.7/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.11.7-201311071634.patch +Patch: 4420_grsecurity-2.9.1-3.11.7-201311102306.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch b/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch index 6499bdd..30881d8 100644 --- a/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch +++ b/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch @@ -3631,7 +3631,7 @@ index cad3ca86..1d79e0f 100644 extern void ux500_cpu_die(unsigned int cpu); diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig -index cd2c88e..7430282 100644 +index cd2c88e..bb527b3 100644 --- a/arch/arm/mm/Kconfig +++ b/arch/arm/mm/Kconfig @@ -446,7 +446,7 @@ config CPU_32v5 @@ -3655,7 +3655,7 @@ index cd2c88e..7430282 100644 config KUSER_HELPERS bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS default y -+ depends on !(CPU_V6 || CPU_V6K || CPU_V7) ++ depends on !(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND help Warning: disabling this option may break user programs. @@ -59646,11 +59646,14 @@ index 4677bb7..408e936 100644 rcu_read_lock(); task = pid_task(proc_pid(dir), PIDTYPE_PID); diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c -index 7129046..f2779c6 100644 +index 7129046..130793a 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c -@@ -13,11 +13,15 @@ +@@ -11,13 +11,18 @@ + #include <linux/namei.h> + #include <linux/mm.h> #include <linux/module.h> ++#include <linux/nsproxy.h> #include "internal.h" +extern int gr_handle_chroot_sysctl(const int op); @@ -59667,7 +59670,7 @@ index 7129046..f2779c6 100644 void proc_sys_poll_notify(struct ctl_table_poll *poll) { -@@ -467,6 +471,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry, +@@ -467,6 +472,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry, err = NULL; d_set_d_op(dentry, &proc_sys_dentry_operations); @@ -59677,7 +59680,7 @@ index 7129046..f2779c6 100644 d_add(dentry, inode); out: -@@ -482,6 +489,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, +@@ -482,6 +490,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, struct inode *inode = file_inode(filp); struct ctl_table_header *head = grab_header(inode); struct ctl_table *table = PROC_I(inode)->sysctl_entry; @@ -59685,7 +59688,7 @@ index 7129046..f2779c6 100644 ssize_t error; size_t res; -@@ -493,7 +501,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, +@@ -493,7 +502,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, * and won't be until we finish. */ error = -EPERM; @@ -59694,7 +59697,7 @@ index 7129046..f2779c6 100644 goto out; /* if that can happen at all, it should be -EINVAL, not -EISDIR */ -@@ -501,6 +509,22 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, +@@ -501,6 +510,27 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, if (!table->proc_handler) goto out; @@ -59710,14 +59713,19 @@ index 7129046..f2779c6 100644 + dput(filp->f_path.dentry); + if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op)) + goto out; -+ if (write && !capable(CAP_SYS_ADMIN)) -+ goto out; ++ if (write) { ++ if (current->nsproxy->net_ns != table->extra2) { ++ if (!capable(CAP_SYS_ADMIN)) ++ goto out; ++ } else if (!nsown_capable(CAP_NET_ADMIN)) ++ goto out; ++ } +#endif + /* careful: calling conventions are nasty here */ res = count; error = table->proc_handler(table, write, buf, &res, ppos); -@@ -598,6 +622,9 @@ static bool proc_sys_fill_cache(struct file *file, +@@ -598,6 +628,9 @@ static bool proc_sys_fill_cache(struct file *file, return false; } else { d_set_d_op(child, &proc_sys_dentry_operations); @@ -59727,7 +59735,7 @@ index 7129046..f2779c6 100644 d_add(child, inode); } } else { -@@ -641,6 +668,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table, +@@ -641,6 +674,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table, if ((*pos)++ < ctx->pos) return true; @@ -59737,7 +59745,7 @@ index 7129046..f2779c6 100644 if (unlikely(S_ISLNK(table->mode))) res = proc_sys_link_fill_cache(file, ctx, head, table); else -@@ -734,6 +764,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct +@@ -734,6 +770,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct if (IS_ERR(head)) return PTR_ERR(head); @@ -59747,7 +59755,7 @@ index 7129046..f2779c6 100644 generic_fillattr(inode, stat); if (table) stat->mode = (stat->mode & S_IFMT) | table->mode; -@@ -756,13 +789,13 @@ static const struct file_operations proc_sys_dir_file_operations = { +@@ -756,13 +795,13 @@ static const struct file_operations proc_sys_dir_file_operations = { .llseek = generic_file_llseek, }; @@ -59763,7 +59771,7 @@ index 7129046..f2779c6 100644 .lookup = proc_sys_lookup, .permission = proc_sys_permission, .setattr = proc_sys_setattr, -@@ -839,7 +872,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir, +@@ -839,7 +878,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir, static struct ctl_dir *new_dir(struct ctl_table_set *set, const char *name, int namelen) { @@ -59772,7 +59780,7 @@ index 7129046..f2779c6 100644 struct ctl_dir *new; struct ctl_node *node; char *new_name; -@@ -851,7 +884,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set, +@@ -851,7 +890,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set, return NULL; node = (struct ctl_node *)(new + 1); @@ -59781,7 +59789,7 @@ index 7129046..f2779c6 100644 new_name = (char *)(table + 2); memcpy(new_name, name, namelen); new_name[namelen] = '\0'; -@@ -1020,7 +1053,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table) +@@ -1020,7 +1059,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table) static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table *table, struct ctl_table_root *link_root) { @@ -59791,7 +59799,7 @@ index 7129046..f2779c6 100644 struct ctl_table_header *links; struct ctl_node *node; char *link_name; -@@ -1043,7 +1077,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table +@@ -1043,7 +1083,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table return NULL; node = (struct ctl_node *)(links + 1); @@ -59800,7 +59808,7 @@ index 7129046..f2779c6 100644 link_name = (char *)&link_table[nr_entries + 1]; for (link = link_table, entry = table; entry->procname; link++, entry++) { -@@ -1291,8 +1325,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos, +@@ -1291,8 +1331,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos, struct ctl_table_header ***subheader, struct ctl_table_set *set, struct ctl_table *table) { @@ -59811,7 +59819,7 @@ index 7129046..f2779c6 100644 int nr_files = 0; int nr_dirs = 0; int err = -ENOMEM; -@@ -1304,10 +1338,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos, +@@ -1304,10 +1344,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos, nr_files++; } @@ -59823,7 +59831,7 @@ index 7129046..f2779c6 100644 files = kzalloc(sizeof(struct ctl_table) * (nr_files + 1), GFP_KERNEL); if (!files) -@@ -1325,7 +1358,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos, +@@ -1325,7 +1364,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos, /* Register everything except a directory full of subdirectories */ if (nr_files || !nr_dirs) { struct ctl_table_header *header; @@ -60973,10 +60981,10 @@ index 96dda62..d6c6a52 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..0fd7c82 +index 0000000..6d8c857 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1080 @@ +@@ -0,0 +1,1094 @@ +# +# grecurity configuration +# @@ -61213,6 +61221,20 @@ index 0000000..0fd7c82 + This deters repeated kernel exploitation/bruteforcing attempts + and is useful for later forensics. + ++config GRKERNSEC_OLD_ARM_USERLAND ++ bool "Old ARM userland compatibility" ++ depends on ARM && (CPU_V6 || CPU_V6K || CPU_V7) ++ help ++ If you say Y here, stubs of executable code to perform such operations ++ as "compare-exchange" will be placed at fixed locations in the ARM vector ++ table. This is unfortunately needed for old ARM userland meant to run ++ across a wide range of processors. Without this option enabled, ++ the get_tls and data memory barrier stubs will be emulated by the kernel, ++ which is enough for Linaro userlands or other userlands designed for v6 ++ and newer ARM CPUs. It's recommended that you try without this option enabled ++ first, and only enable it if your userland does not boot (it will likely fail ++ at init time). ++ +endmenu +menu "Role Based Access Control Options" +depends on GRKERNSEC @@ -85796,10 +85818,10 @@ index 0000000..7cd6065 @@ -0,0 +1 @@ +-grsec diff --git a/mm/Kconfig b/mm/Kconfig -index 6509d27..dbec5b8 100644 +index 6509d27..3c15063 100644 --- a/mm/Kconfig +++ b/mm/Kconfig -@@ -317,10 +317,10 @@ config KSM +@@ -317,10 +317,11 @@ config KSM root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set). config DEFAULT_MMAP_MIN_ADDR @@ -85808,12 +85830,13 @@ index 6509d27..dbec5b8 100644 depends on MMU - default 4096 - help ++ default 32768 if ALPHA || ARM || PARISC || SPARC32 + default 65536 + help This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs. -@@ -351,7 +351,7 @@ config MEMORY_FAILURE +@@ -351,7 +352,7 @@ config MEMORY_FAILURE config HWPOISON_INJECT tristate "HWPoison pages injector" diff --git a/3.2.52/0000_README b/3.2.52/0000_README index a5b9436..711b31b 100644 --- a/3.2.52/0000_README +++ b/3.2.52/0000_README @@ -126,7 +126,7 @@ Patch: 1051_linux-3.2.52.patch From: http://www.kernel.org Desc: Linux 3.2.52 -Patch: 4420_grsecurity-2.9.1-3.2.52-201311071633.patch +Patch: 4420_grsecurity-2.9.1-3.2.52-201311102305.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch index c2c26e8..125d100 100644 --- a/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch +++ b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch @@ -57691,11 +57691,14 @@ index f738024..226e98e 100644 .exit = proc_net_ns_exit, }; diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c -index 0be1aa4..ed25c53 100644 +index 0be1aa4..21298e5 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c -@@ -9,11 +9,13 @@ +@@ -7,13 +7,16 @@ + #include <linux/proc_fs.h> + #include <linux/security.h> #include <linux/namei.h> ++#include <linux/nsproxy.h> #include "internal.h" +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op); @@ -57710,7 +57713,7 @@ index 0be1aa4..ed25c53 100644 void proc_sys_poll_notify(struct ctl_table_poll *poll) { -@@ -128,8 +130,14 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry, +@@ -128,8 +131,14 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry, err = NULL; d_set_d_op(dentry, &proc_sys_dentry_operations); @@ -57725,20 +57728,25 @@ index 0be1aa4..ed25c53 100644 out: if (h) sysctl_head_finish(h); -@@ -162,6 +170,12 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, +@@ -162,6 +171,17 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, if (!table->proc_handler) goto out; +#ifdef CONFIG_GRKERNSEC + error = -EPERM; -+ if (write && !capable(CAP_SYS_ADMIN)) -+ goto out; ++ if (write) { ++ if (current->nsproxy->net_ns != table->extra2) { ++ if (!capable(CAP_SYS_ADMIN)) ++ goto out; ++ } else if (!nsown_capable(CAP_NET_ADMIN)) ++ goto out; ++ } +#endif + /* careful: calling conventions are nasty here */ res = count; error = table->proc_handler(table, write, buf, &res, ppos); -@@ -259,6 +273,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent, +@@ -259,6 +279,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent, return -ENOMEM; } else { d_set_d_op(child, &proc_sys_dentry_operations); @@ -57748,7 +57756,7 @@ index 0be1aa4..ed25c53 100644 d_add(child, inode); } } else { -@@ -287,6 +304,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table, +@@ -287,6 +310,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table, if (*pos < file->f_pos) continue; @@ -57758,7 +57766,7 @@ index 0be1aa4..ed25c53 100644 res = proc_sys_fill_cache(file, dirent, filldir, head, table); if (res) return res; -@@ -412,6 +432,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct +@@ -412,6 +438,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct if (IS_ERR(head)) return PTR_ERR(head); @@ -57768,7 +57776,7 @@ index 0be1aa4..ed25c53 100644 generic_fillattr(inode, stat); if (table) stat->mode = (stat->mode & S_IFMT) | table->mode; -@@ -434,13 +457,13 @@ static const struct file_operations proc_sys_dir_file_operations = { +@@ -434,13 +463,13 @@ static const struct file_operations proc_sys_dir_file_operations = { .llseek = generic_file_llseek, }; @@ -85258,10 +85266,10 @@ index 0000000..7cd6065 @@ -0,0 +1 @@ +-grsec diff --git a/mm/Kconfig b/mm/Kconfig -index 011b110..fad8776 100644 +index 011b110..05d1b6f 100644 --- a/mm/Kconfig +++ b/mm/Kconfig -@@ -241,10 +241,10 @@ config KSM +@@ -241,10 +241,11 @@ config KSM root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set). config DEFAULT_MMAP_MIN_ADDR @@ -85270,12 +85278,13 @@ index 011b110..fad8776 100644 depends on MMU - default 4096 - help ++ default 32768 if ALPHA || ARM || PARISC || SPARC32 + default 65536 + help This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs. -@@ -274,7 +274,7 @@ config MEMORY_FAILURE +@@ -274,7 +275,7 @@ config MEMORY_FAILURE config HWPOISON_INJECT tristate "HWPoison pages injector" |