packages: kernel/kernel-grsec_full.patch interdiff for grsecurity-2.1.14-2...

arekm arekm at pld-linux.org
Sun Aug 2 12:41:32 CEST 2009


Author: arekm                        Date: Sun Aug  2 10:41:32 2009 GMT
Module: packages                      Tag: HEAD
---- Log message:
 interdiff for grsecurity-2.1.14-2.6.30.4-200908011535.patch

---- Files affected:
packages/kernel:
   kernel-grsec_full.patch (1.7 -> 1.8) 

---- Diffs:

================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.7 packages/kernel/kernel-grsec_full.patch:1.8
--- packages/kernel/kernel-grsec_full.patch:1.7	Fri Jul 31 12:02:33 2009
+++ packages/kernel/kernel-grsec_full.patch	Sun Aug  2 12:41:27 2009
@@ -44205,3 +44205,103 @@
  		  struct module *module)
  {
  	int r;
+diff -u linux-2.6.30.4/arch/x86/kernel/head_64.S linux-2.6.30.4/arch/x86/kernel/head_64.S
+--- linux-2.6.30.4/arch/x86/kernel/head_64.S	2009-07-30 09:48:09.947450201 -0400
++++ linux-2.6.30.4/arch/x86/kernel/head_64.S	2009-08-01 08:46:06.399105315 -0400
+@@ -454,7 +454,7 @@
+ 	.section .rodata,"a", at progbits
+ 	.align L1_CACHE_BYTES
+ ENTRY(idt_table)
+-	.fill 256,16,0
++	.fill 512,8,0
+ 
+ 	.section .bss.page_aligned, "aw", @nobits
+ 	.align PAGE_SIZE
+diff -u linux-2.6.30.4/arch/x86/kernel/module_32.c linux-2.6.30.4/arch/x86/kernel/module_32.c
+--- linux-2.6.30.4/arch/x86/kernel/module_32.c	2009-07-30 09:48:09.950015875 -0400
++++ linux-2.6.30.4/arch/x86/kernel/module_32.c	2009-08-01 15:35:35.138919235 -0400
+@@ -107,6 +107,7 @@
+ 		WARN_ON(1);
+ 	}
+ }
++EXPORT_SYMBOL(module_free_exec);
+ #endif
+ 
+ /* We don't need anything special. */
+diff -u linux-2.6.30.4/arch/x86/kernel/module_64.c linux-2.6.30.4/arch/x86/kernel/module_64.c
+--- linux-2.6.30.4/arch/x86/kernel/module_64.c	2009-07-30 09:48:09.950015875 -0400
++++ linux-2.6.30.4/arch/x86/kernel/module_64.c	2009-08-01 15:35:35.161871747 -0400
+@@ -67,10 +67,12 @@
+ {
+ 	module_free(mod, module_region);
+ }
++EXPORT_SYMBOL(module_free_exec);
+ 
+ void *module_alloc_exec(unsigned long size)
+ {
+ 	return __module_alloc(size, PAGE_KERNEL_RX);
++EXPORT_SYMBOL(module_alloc_exec);
+ }
+ #else
+ void *module_alloc(unsigned long size)
+diff -u linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S
+--- linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S	2009-07-30 19:56:23.500027109 -0400
++++ linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S	2009-08-01 08:46:06.438873305 -0400
+@@ -62,8 +62,8 @@
+   . = ALIGN(PAGE_SIZE);		/* Align data segment to page size boundary */
+ #endif
+ 				/* Data */
+-  _data = .;
+   .data : AT(ADDR(.data) - LOAD_OFFSET) {
++	_data = .;
+ 	DATA_DATA
+ 	CONSTRUCTORS
+ 	} :data
+diff -u linux-2.6.30.4/fs/exec.c linux-2.6.30.4/fs/exec.c
+--- linux-2.6.30.4/fs/exec.c	2009-07-30 11:10:49.146300194 -0400
++++ linux-2.6.30.4/fs/exec.c	2009-08-01 14:58:11.881121157 -0400
+@@ -124,7 +124,7 @@
+ 		goto out;
+ 
+ 	file = do_filp_open(AT_FDCWD, tmp,
+-				O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
++				O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
+ 				MAY_READ | MAY_EXEC | MAY_OPEN);
+ 	putname(tmp);
+ 	error = PTR_ERR(file);
+@@ -680,7 +680,7 @@
+ 	int err;
+ 
+ 	file = do_filp_open(AT_FDCWD, name,
+-				O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
++				O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
+ 				MAY_EXEC | MAY_OPEN);
+ 	if (IS_ERR(file))
+ 		goto out;
+diff -u linux-2.6.30.4/grsecurity/gracl_fs.c linux-2.6.30.4/grsecurity/gracl_fs.c
+--- linux-2.6.30.4/grsecurity/gracl_fs.c	2009-07-30 11:10:49.347341041 -0400
++++ linux-2.6.30.4/grsecurity/gracl_fs.c	2009-08-01 15:00:28.098114831 -0400
+@@ -48,7 +48,8 @@
+ 		reqmode |= GR_WRITE;
+ 	if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
+ 		reqmode |= GR_READ;
+-
++	if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
++		reqmode &= ~GR_READ;
+ 	mode =
+ 	    gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
+ 			   mnt);
+diff -u linux-2.6.30.4/include/linux/fs.h linux-2.6.30.4/include/linux/fs.h
+--- linux-2.6.30.4/include/linux/fs.h	2009-07-30 09:48:10.109883773 -0400
++++ linux-2.6.30.4/include/linux/fs.h	2009-08-01 14:57:12.341093728 -0400
+@@ -87,6 +87,10 @@
+  */
+ #define FMODE_NOCMTIME		((__force fmode_t)2048)
+ 
++/* Hack for grsec so as not to require read permission simply to execute
++   a binary */
++#define FMODE_GREXEC		((__force fmode_t)8192)
++
+ /*
+  * The below are the various read and write types that we support. Some of
+  * them include behavioral modifiers that send information down to the
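Review bot: In the module_64.c part of this hunk, `EXPORT_SYMBOL(module_alloc_exec);` is inserted inside the function body, after the `return` and before the closing brace, whereas the `module_free_exec` export a few lines above and the one in module_32.c are placed after the brace; the line should move below the `}` so that part reads `}` followed by `+EXPORT_SYMBOL(module_alloc_exec);`, with the inner context lines shifted to match. Separately, `FMODE_GREXEC` is ORed into do_filp_open's open-flags argument in both fs/exec.c hunks and then tested as `fmode` in gracl_fs.c alongside `O_DIRECTORY`, so the value 8192 lives in the O_* integer namespace rather than the fmode_t one; on x86 that bit is FASYNC (00020000 octal), and nothing in the hunk masks it before the new check that strips GR_READ. Unless the caller of that check already filters user-supplied open(2) flags (not visible here), the read-permission waiver intended only for the exec path could apply to an ordinary open, so the define's comment should record the constraint, e.g. `/* ORed into open_flag, not f_mode: must not alias any O_*/FASYNC bit, and must be masked from user-supplied flags */`.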
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.7&r2=1.8&f=u


