packages (GRSECURITY_RAW): kernel/kernel-grsec_full.patch http://www.grsecu...

arekm arekm at pld-linux.org
Sun Oct 24 15:13:51 CEST 2010


Author: arekm                        Date: Sun Oct 24 13:13:51 2010 GMT
Module: packages                      Tag: GRSECURITY_RAW
---- Log message:
http://www.grsecurity.net/~spender/grsecurity-2.2.0-2.6.35.7-201010232009.patch

---- Files affected:
packages/kernel:
   kernel-grsec_full.patch (1.3.2.42 -> 1.3.2.43) 

---- Diffs:

================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.3.2.42 packages/kernel/kernel-grsec_full.patch:1.3.2.43
--- packages/kernel/kernel-grsec_full.patch:1.3.2.42	Fri Oct 15 23:38:10 2010
+++ packages/kernel/kernel-grsec_full.patch	Sun Oct 24 15:13:36 2010
@@ -2857,8 +2857,8 @@
  	}
 diff -urNp linux-2.6.35.7/arch/powerpc/mm/slice.c linux-2.6.35.7/arch/powerpc/mm/slice.c
 --- linux-2.6.35.7/arch/powerpc/mm/slice.c	2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.7/arch/powerpc/mm/slice.c	2010-09-17 20:12:09.000000000 -0400
-@@ -98,10 +98,9 @@ static int slice_area_is_free(struct mm_
++++ linux-2.6.35.7/arch/powerpc/mm/slice.c	2010-10-23 20:08:39.000000000 -0400
+@@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
  	if ((mm->task_size - len) < addr)
  		return 0;
  	vma = find_vma(mm, addr);
@@ -2866,11 +2866,8 @@
 +	return check_heap_stack_gap(vma, addr, len);
  }
  
--static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
- {
- 	return !slice_area_is_free(mm, slice << SLICE_LOW_SHIFT,
- 				   1ul << SLICE_LOW_SHIFT);
-@@ -256,7 +255,7 @@ full_search:
+ static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
+@@ -256,7 +256,7 @@ full_search:
  				addr = _ALIGN_UP(addr + 1,  1ul << SLICE_HIGH_SHIFT);
  			continue;
  		}
@@ -2879,7 +2876,7 @@
  			/*
  			 * Remember the place where we stopped the search:
  			 */
-@@ -336,7 +335,7 @@ static unsigned long slice_find_area_top
+@@ -336,7 +336,7 @@ static unsigned long slice_find_area_top
  		 * return with success:
  		 */
  		vma = find_vma(mm, addr);
@@ -2888,7 +2885,7 @@
  			/* remember the address as a hint for next time */
  			if (use_cache)
  				mm->free_area_cache = addr;
-@@ -426,6 +425,11 @@ unsigned long slice_get_unmapped_area(un
+@@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
  	if (fixed && addr > (mm->task_size - len))
  		return -EINVAL;
  
@@ -26024,6 +26021,65 @@
  		return -EFAULT;
  	return i;
  }
+diff -urNp linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c
+--- linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c	2010-08-26 19:47:12.000000000 -0400
++++ linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c	2010-10-19 18:15:40.000000000 -0400
+@@ -193,17 +193,24 @@ static int put_video_window32(struct vid
+ struct video_code32 {
+ 	char		loadwhat[16];	/* name or tag of file being passed */
+ 	compat_int_t	datasize;
+-	unsigned char	*data;
++	compat_uptr_t	data;
+ };
+ 
+-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *get_microcode32(struct video_code32 *kp)
+ {
+-	if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+-		copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
+-		get_user(kp->datasize, &up->datasize) ||
+-		copy_from_user(kp->data, up->data, up->datasize))
+-			return -EFAULT;
+-	return 0;
++	struct video_code __user *up;
++
++	up = compat_alloc_user_space(sizeof(*up));
++
++	/*
++	 * NOTE! We don't actually care if these fail. If the
++	 * user address is invalid, the native ioctl will do
++	 * the error handling for us
++	 */
++	(void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++	(void) put_user(kp->datasize, &up->datasize);
++	(void) put_user(compat_ptr(kp->data), &up->data);
++	return up;
+ }
+ 
+ #define VIDIOCGTUNER32		_IOWR('v', 4, struct video_tuner32)
+@@ -744,7 +751,7 @@ static long do_video_ioctl(struct file *
+ 		struct video_tuner vt;
+ 		struct video_buffer vb;
+ 		struct video_window vw;
+-		struct video_code vc;
++		struct video_code32 vc;
+ 		struct video_audio va;
+ #endif
+ 		struct v4l2_format v2f;
+@@ -823,8 +830,11 @@ static long do_video_ioctl(struct file *
+ 		break;
+ 
+ 	case VIDIOCSMICROCODE:
+-		err = get_microcode32(&karg.vc, up);
+-		compatible_arg = 0;
++		/* Copy the 32-bit "video_code32" to kernel space */
++		if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++			return -EFAULT;
++		/* Convert the 32-bit version to a 64-bit version in user space */
++		up = get_microcode32(&karg.vc);
+ 		break;
+ 
+ 	case VIDIOCSFREQ:
 diff -urNp linux-2.6.35.7/drivers/message/fusion/mptbase.c linux-2.6.35.7/drivers/message/fusion/mptbase.c
 --- linux-2.6.35.7/drivers/message/fusion/mptbase.c	2010-08-26 19:47:12.000000000 -0400
 +++ linux-2.6.35.7/drivers/message/fusion/mptbase.c	2010-09-17 20:12:37.000000000 -0400
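Review bot: The new get_microcode32() uses the pointer returned by `compat_alloc_user_space()` with no NULL check and no comment on why that is acceptable, and the rewritten `case VIDIOCSMICROCODE:` now delegates every check on `datasize` and `data` to the native handler without saying so. The removed body shows the defect being closed — `copy_from_user(kp->data, up->data, up->datasize)` wrote a user-chosen length through a `kp->data` that this function never set — so the reason for the round-trip through user space deserves to be recorded above the function, e.g. `/* Never copy the payload into kernel memory here; build a native struct video_code on the compat user stack and let the native ioctl validate datasize/data. compat_alloc_user_space() is not expected to return NULL on the arches this is built for — confirm if that changes. */`. Whether every native VIDIOCSMICROCODE handler actually bounds-checks `datasize` is not visible in this hunk and is worth confirming, because the new code trusts it completely. The change of `data` to `compat_uptr_t` is what makes `sizeof(karg.vc)` match the 32-bit caller's layout on 64-bit kernels; do_video_ioctl() itself begins and ends outside the hunk.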
@@ -33084,7 +33140,7 @@
 +#endif
 diff -urNp linux-2.6.35.7/fs/proc/base.c linux-2.6.35.7/fs/proc/base.c
 --- linux-2.6.35.7/fs/proc/base.c	2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.7/fs/proc/base.c	2010-09-22 18:45:42.000000000 -0400
++++ linux-2.6.35.7/fs/proc/base.c	2010-10-20 17:37:57.000000000 -0400
 @@ -103,6 +103,22 @@ struct pid_entry {
  	union proc_op op;
  };
@@ -33128,7 +33184,7 @@
   	len = mm->arg_end - mm->arg_start;
   
  	if (len > PAGE_SIZE)
-@@ -276,12 +298,26 @@ out:
+@@ -276,12 +298,28 @@ out:
  	return res;
  }
  
@@ -33146,7 +33202,9 @@
  		unsigned int nwords = 0;
 +
 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+		if (PAX_RAND_FLAGS(mm)) {
++		/* allow if we're currently ptracing this task */
++		if (PAX_RAND_FLAGS(mm) &&
++		    (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
 +			mmput(mm);
 +			return res;
 +		}
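Review bot: The new ptrace exemption compares `task->parent` with `current` directly, so a multi-threaded debugger that reads /proc/&lt;pid&gt;/auxv from a thread other than the one that attached is still refused; if that is not intended, `same_thread_group(task->parent, current)` is the usual test. Both `task->ptrace` and `task->parent` are read here without tasklist_lock or an RCU section; for a pointer comparison that is tolerable on this kernel because a concurrent detach can only turn a permitted read into a denied one, never the reverse, but that reasoning should be written down next to the check: `/* unlocked read of ptrace/parent is fine: a racing detach can only deny, never grant */`. The `/* allow if we're currently ptracing this task */` comment should also state what is being protected — the auxv exposes the randomized layout (AT_BASE, AT_ENTRY, AT_SYSINFO_EHDR, AT_RANDOM) that CONFIG_GRKERNSEC_PROC_MEMMAP hides — since that is the only reason a tracer-only exemption is the right boundary. proc_pid_auxv() starts and ends outside the hunk.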
@@ -33155,7 +33213,7 @@
  		do {
  			nwords += 2;
  		} while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
-@@ -295,7 +331,7 @@ static int proc_pid_auxv(struct task_str
+@@ -295,7 +333,7 @@ static int proc_pid_auxv(struct task_str
  }
  
  
@@ -33164,7 +33222,7 @@
  /*
   * Provides a wchan file via kallsyms in a proper one-value-per-file format.
   * Returns the resolved symbol.  If that fails, simply return the address.
-@@ -317,7 +353,7 @@ static int proc_pid_wchan(struct task_st
+@@ -317,7 +355,7 @@ static int proc_pid_wchan(struct task_st
  }
  #endif /* CONFIG_KALLSYMS */
  
@@ -33173,7 +33231,7 @@
  
  #define MAX_STACK_TRACE_DEPTH	64
  
-@@ -511,7 +547,7 @@ static int proc_pid_limits(struct task_s
+@@ -511,7 +549,7 @@ static int proc_pid_limits(struct task_s
  	return count;
  }
  
@@ -33182,7 +33240,7 @@
  static int proc_pid_syscall(struct task_struct *task, char *buffer)
  {
  	long nr;
-@@ -920,6 +956,9 @@ static ssize_t environ_read(struct file 
+@@ -920,6 +958,9 @@ static ssize_t environ_read(struct file 
  	if (!task)
  		goto out_no_task;
  
@@ -33192,7 +33250,7 @@
  	if (!ptrace_may_access(task, PTRACE_MODE_READ))
  		goto out;
  
-@@ -1514,7 +1553,11 @@ static struct inode *proc_pid_make_inode
+@@ -1514,7 +1555,11 @@ static struct inode *proc_pid_make_inode
  		rcu_read_lock();
  		cred = __task_cred(task);
  		inode->i_uid = cred->euid;
@@ -33204,7 +33262,7 @@
  		rcu_read_unlock();
  	}
  	security_task_to_inode(task, inode);
-@@ -1532,6 +1575,9 @@ static int pid_getattr(struct vfsmount *
+@@ -1532,6 +1577,9 @@ static int pid_getattr(struct vfsmount *
  	struct inode *inode = dentry->d_inode;
  	struct task_struct *task;
  	const struct cred *cred;
@@ -33214,7 +33272,7 @@
  
  	generic_fillattr(inode, stat);
  
-@@ -1539,12 +1585,34 @@ static int pid_getattr(struct vfsmount *
+@@ -1539,12 +1587,34 @@ static int pid_getattr(struct vfsmount *
  	stat->uid = 0;
  	stat->gid = 0;
  	task = pid_task(proc_pid(inode), PIDTYPE_PID);
@@ -33250,7 +33308,7 @@
  		}
  	}
  	rcu_read_unlock();
-@@ -1576,11 +1644,20 @@ static int pid_revalidate(struct dentry 
+@@ -1576,11 +1646,20 @@ static int pid_revalidate(struct dentry 
  
  	if (task) {
  		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -33271,7 +33329,7 @@
  			rcu_read_unlock();
  		} else {
  			inode->i_uid = 0;
-@@ -1701,7 +1778,8 @@ static int proc_fd_info(struct inode *in
+@@ -1701,7 +1780,8 @@ static int proc_fd_info(struct inode *in
  	int fd = proc_fd(inode);
  
  	if (task) {
@@ -33281,7 +33339,7 @@
  		put_task_struct(task);
  	}
  	if (files) {
-@@ -1953,12 +2031,22 @@ static const struct file_operations proc
+@@ -1953,12 +2033,22 @@ static const struct file_operations proc
  static int proc_fd_permission(struct inode *inode, int mask)
  {
  	int rv;
@@ -33306,7 +33364,7 @@
  	return rv;
  }
  
-@@ -2067,6 +2155,9 @@ static struct dentry *proc_pident_lookup
+@@ -2067,6 +2157,9 @@ static struct dentry *proc_pident_lookup
  	if (!task)
  		goto out_no_task;
  
@@ -33316,7 +33374,7 @@
  	/*
  	 * Yes, it does not scale. And it should not. Don't add
  	 * new entries into /proc/<tgid>/ without very good reasons.
-@@ -2111,6 +2202,9 @@ static int proc_pident_readdir(struct fi
+@@ -2111,6 +2204,9 @@ static int proc_pident_readdir(struct fi
  	if (!task)
  		goto out_no_task;
  
@@ -33326,7 +33384,7 @@
  	ret = 0;
  	i = filp->f_pos;
  	switch (i) {
-@@ -2380,7 +2474,7 @@ static void *proc_self_follow_link(struc
+@@ -2380,7 +2476,7 @@ static void *proc_self_follow_link(struc
  static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
  				void *cookie)
  {
@@ -33335,7 +33393,7 @@
  	if (!IS_ERR(s))
  		__putname(s);
  }
-@@ -2580,7 +2674,7 @@ static const struct pid_entry tgid_base_
+@@ -2580,7 +2676,7 @@ static const struct pid_entry tgid_base_
  	REG("sched",      S_IRUGO|S_IWUSR, proc_pid_sched_operations),
  #endif
  	REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -33344,7 +33402,7 @@
  	INF("syscall",    S_IRUSR, proc_pid_syscall),
  #endif
  	INF("cmdline",    S_IRUGO, proc_pid_cmdline),
-@@ -2605,10 +2699,10 @@ static const struct pid_entry tgid_base_
+@@ -2605,10 +2701,10 @@ static const struct pid_entry tgid_base_
  #ifdef CONFIG_SECURITY
  	DIR("attr",       S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
  #endif
@@ -33357,7 +33415,7 @@
  	ONE("stack",      S_IRUSR, proc_pid_stack),
  #endif
  #ifdef CONFIG_SCHEDSTATS
-@@ -2638,6 +2732,9 @@ static const struct pid_entry tgid_base_
+@@ -2638,6 +2734,9 @@ static const struct pid_entry tgid_base_
  #ifdef CONFIG_TASK_IO_ACCOUNTING
  	INF("io",	S_IRUGO, proc_tgid_io_accounting),
  #endif
@@ -33367,7 +33425,7 @@
  };
  
  static int proc_tgid_base_readdir(struct file * filp,
-@@ -2762,7 +2859,14 @@ static struct dentry *proc_pid_instantia
+@@ -2762,7 +2861,14 @@ static struct dentry *proc_pid_instantia
  	if (!inode)
  		goto out;
  
@@ -33382,7 +33440,7 @@
  	inode->i_op = &proc_tgid_base_inode_operations;
  	inode->i_fop = &proc_tgid_base_operations;
  	inode->i_flags|=S_IMMUTABLE;
-@@ -2804,7 +2908,11 @@ struct dentry *proc_pid_lookup(struct in
+@@ -2804,7 +2910,11 @@ struct dentry *proc_pid_lookup(struct in
  	if (!task)
  		goto out;
  
@@ -33394,7 +33452,7 @@
  	put_task_struct(task);
  out:
  	return result;
-@@ -2869,6 +2977,11 @@ int proc_pid_readdir(struct file * filp,
+@@ -2869,6 +2979,11 @@ int proc_pid_readdir(struct file * filp,
  {
  	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
  	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
@@ -33406,7 +33464,7 @@
  	struct tgid_iter iter;
  	struct pid_namespace *ns;
  
-@@ -2887,8 +3000,27 @@ int proc_pid_readdir(struct file * filp,
+@@ -2887,8 +3002,27 @@ int proc_pid_readdir(struct file * filp,
  	for (iter = next_tgid(ns, iter);
  	     iter.task;
  	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
@@ -33435,7 +33493,7 @@
  			put_task_struct(iter.task);
  			goto out;
  		}
-@@ -2915,7 +3047,7 @@ static const struct pid_entry tid_base_s
+@@ -2915,7 +3049,7 @@ static const struct pid_entry tid_base_s
  	REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
  #endif
  	REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -33444,7 +33502,7 @@
  	INF("syscall",   S_IRUSR, proc_pid_syscall),
  #endif
  	INF("cmdline",   S_IRUGO, proc_pid_cmdline),
-@@ -2939,10 +3071,10 @@ static const struct pid_entry tid_base_s
+@@ -2939,10 +3073,10 @@ static const struct pid_entry tid_base_s
  #ifdef CONFIG_SECURITY
  	DIR("attr",      S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
  #endif
@@ -40951,8 +41009,8 @@
 +}
 diff -urNp linux-2.6.35.7/grsecurity/grsec_init.c linux-2.6.35.7/grsecurity/grsec_init.c
 --- linux-2.6.35.7/grsecurity/grsec_init.c	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_init.c	2010-09-17 20:12:37.000000000 -0400
-@@ -0,0 +1,266 @@
++++ linux-2.6.35.7/grsecurity/grsec_init.c	2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,270 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -41010,6 +41068,7 @@
 +int grsec_socket_server_gid;
 +int grsec_resource_logging;
 +int grsec_disable_privio;
++int grsec_enable_log_rwxmaps;
 +int grsec_lock;
 +
 +DEFINE_SPINLOCK(grsec_alert_lock);
@@ -41107,6 +41166,9 @@
 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
 +	grsec_enable_audit_textrel = 1;
 +#endif
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++	grsec_enable_log_rwxmaps = 1;
++#endif
 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
 +	grsec_enable_group = 1;
 +	grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
@@ -41268,8 +41330,8 @@
 +}
 diff -urNp linux-2.6.35.7/grsecurity/grsec_log.c linux-2.6.35.7/grsecurity/grsec_log.c
 --- linux-2.6.35.7/grsecurity/grsec_log.c	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_log.c	2010-09-28 19:11:11.000000000 -0400
-@@ -0,0 +1,306 @@
++++ linux-2.6.35.7/grsecurity/grsec_log.c	2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,310 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/file.h>
@@ -41544,6 +41606,10 @@
 +		ulong1 = va_arg(ap, unsigned long);
 +		gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
 +		break;
++	case GR_RWXMAP:
++		file = va_arg(ap, struct file *);
++		gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
++		break;
 +	case GR_PSACCT:
 +		{
 +			unsigned int wday, cday;
@@ -41731,6 +41797,46 @@
 +#endif
 +	return 0;
 +}
+diff -urNp linux-2.6.35.7/grsecurity/grsec_pax.c linux-2.6.35.7/grsecurity/grsec_pax.c
+--- linux-2.6.35.7/grsecurity/grsec_pax.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.35.7/grsecurity/grsec_pax.c	2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,36 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <linux/file.h>
++#include <linux/grinternal.h>
++#include <linux/grsecurity.h>
++
++void
++gr_log_textrel(struct vm_area_struct * vma)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
++	if (grsec_enable_audit_textrel)
++		gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
++#endif
++	return;
++}
++
++void
++gr_log_rwxmmap(struct file *file)
++{
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++	if (grsec_enable_log_rwxmaps)
++		gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
++#endif
++	return;
++}
++
++void
++gr_log_rwxmprotect(struct file *file)
++{
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++	if (grsec_enable_log_rwxmaps)
++		gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
++#endif
++	return;
++}
 diff -urNp linux-2.6.35.7/grsecurity/grsec_ptrace.c linux-2.6.35.7/grsecurity/grsec_ptrace.c
 --- linux-2.6.35.7/grsecurity/grsec_ptrace.c	1969-12-31 19:00:00.000000000 -0500
 +++ linux-2.6.35.7/grsecurity/grsec_ptrace.c	2010-09-17 20:12:37.000000000 -0400
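Review bot: gr_log_rwxmmap() and gr_log_rwxmprotect() are reachable from unprivileged mmap()/mprotect() calls, so any process can emit the "denied RWX" message in a tight loop; nothing in this file says whether gr_log_varargs()'s alert flood control also covers GR_DONT_AUDIT messages, and that should be confirmed and noted here (the `grsec_alert_lock` defined in grsec_init.c suggests such machinery exists, but the logger body is not in this hunk). The `file` argument may legitimately be NULL for anonymous mappings — the GR_RWXMAP case in gr_log_varargs() prints `"<anonymous mapping>"` for it — yet neither function documents that, so I would add above both: `/* @file: the backing file of the mapping, or NULL for an anonymous mapping. */`. gr_log_textrel() is moved unchanged from grsec_textrel.c.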
@@ -42095,8 +42201,8 @@
 +}
 diff -urNp linux-2.6.35.7/grsecurity/grsec_sysctl.c linux-2.6.35.7/grsecurity/grsec_sysctl.c
 --- linux-2.6.35.7/grsecurity/grsec_sysctl.c	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_sysctl.c	2010-09-17 20:18:57.000000000 -0400
-@@ -0,0 +1,424 @@
++++ linux-2.6.35.7/grsecurity/grsec_sysctl.c	2010-10-18 21:02:33.000000000 -0400
+@@ -0,0 +1,433 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/sysctl.h>
@@ -42185,6 +42291,15 @@
 +		.proc_handler	= &proc_dointvec,
 +	},
 +#endif
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++	{
++		.procname	= "rwxmap_logging",
++		.data		= &grsec_enable_log_rwxmaps,
++		.maxlen		= sizeof(int),
++		.mode		= 0600,
++		.proc_handler	= &proc_dointvec,
++	},
++#endif
 +#ifdef CONFIG_GRKERNSEC_SIGNAL
 +	{
 +		.procname	= "signal_logging",
@@ -42521,26 +42636,6 @@
 +	{ }
 +};
 +#endif
-diff -urNp linux-2.6.35.7/grsecurity/grsec_textrel.c linux-2.6.35.7/grsecurity/grsec_textrel.c
---- linux-2.6.35.7/grsecurity/grsec_textrel.c	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_textrel.c	2010-09-17 20:12:37.000000000 -0400
-@@ -0,0 +1,16 @@
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/mm.h>
-+#include <linux/file.h>
-+#include <linux/grinternal.h>
-+#include <linux/grsecurity.h>
-+
-+void
-+gr_log_textrel(struct vm_area_struct * vma)
-+{
-+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
-+	if (grsec_enable_audit_textrel)
-+		gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
-+#endif
-+	return;
-+}
 diff -urNp linux-2.6.35.7/grsecurity/grsec_time.c linux-2.6.35.7/grsecurity/grsec_time.c
 --- linux-2.6.35.7/grsecurity/grsec_time.c	1969-12-31 19:00:00.000000000 -0500
 +++ linux-2.6.35.7/grsecurity/grsec_time.c	2010-09-17 20:12:37.000000000 -0400
@@ -42668,8 +42763,8 @@
 +}
 diff -urNp linux-2.6.35.7/grsecurity/Kconfig linux-2.6.35.7/grsecurity/Kconfig
 --- linux-2.6.35.7/grsecurity/Kconfig	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/Kconfig	2010-09-17 20:12:37.000000000 -0400
-@@ -0,0 +1,986 @@
++++ linux-2.6.35.7/grsecurity/Kconfig	2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,995 @@
 +#
 +# grecurity configuration
 +#
@@ -43369,6 +43464,15 @@
 +	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
 +	  the RBAC system), and thus does not create privacy concerns.
 +
++config GRKERNSEC_RWXMAP_LOG
++	bool 'Denied RWX mmap/mprotect logging'
++	depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
++	help
++	  If you say Y here, calls to mmap() and mprotect() with explicit
++	  usage of PROT_WRITE and PROT_EXEC together will be logged when
++	  denied by the PAX_MPROTECT feature.  If the sysctl option is
++	  enabled, a sysctl option with name "rwxmap_logging" is created.
++
 +config GRKERNSEC_AUDIT_TEXTREL
 +	bool 'ELF text relocations logging (READ HELP)'
 +	depends on PAX_MPROTECT
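Review bot: The help text for GRKERNSEC_RWXMAP_LOG never explains the `depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT` line, so an administrator who cannot find the option in menuconfig has no hint about which PaX emulation features to disable or why they conflict; I can only infer the conflict is that those emulations make PAX_MPROTECT denials expected rather than suspicious, which is exactly what the help text should say once confirmed. A sentence such as `This option is not available together with PLT or sigreturn-trampoline emulation, since those features routinely trigger PAX_MPROTECT denials and would flood the log` would close the gap. It would also help to state that these messages are logged as denials (the callers in grsec_pax.c use GR_DONT_AUDIT), so readers know where to look for them.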
@@ -43658,7 +43762,7 @@
 +endmenu
 diff -urNp linux-2.6.35.7/grsecurity/Makefile linux-2.6.35.7/grsecurity/Makefile
 --- linux-2.6.35.7/grsecurity/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/Makefile	2010-09-17 20:12:37.000000000 -0400
++++ linux-2.6.35.7/grsecurity/Makefile	2010-10-18 21:01:30.000000000 -0400
 @@ -0,0 +1,29 @@
 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
 +# during 2001-2009 it has been completely redesigned by Brad Spengler
@@ -43670,7 +43774,7 @@
 +
 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
 +	grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
-+	grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
++	grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
 +
 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
 +	gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
@@ -45361,8 +45465,8 @@
 +#endif
 diff -urNp linux-2.6.35.7/include/linux/grinternal.h linux-2.6.35.7/include/linux/grinternal.h
 --- linux-2.6.35.7/include/linux/grinternal.h	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/include/linux/grinternal.h	2010-09-28 19:04:00.000000000 -0400
-@@ -0,0 +1,211 @@
++++ linux-2.6.35.7/include/linux/grinternal.h	2010-10-18 21:05:08.000000000 -0400
+@@ -0,0 +1,214 @@
 +#ifndef __GRINTERNAL_H
 +#define __GRINTERNAL_H
 +
@@ -45437,6 +45541,7 @@
 +extern int grsec_audit_gid;
 +extern int grsec_enable_group;
 +extern int grsec_enable_audit_textrel;
++extern int grsec_enable_log_rwxmaps;
 +extern int grsec_enable_mount;
 +extern int grsec_enable_chdir;
 +extern int grsec_resource_logging;
@@ -45533,7 +45638,8 @@
 +	GR_SIG2,
 +	GR_CRASH1,
 +	GR_CRASH2,
-+	GR_PSACCT
++	GR_PSACCT,
++	GR_RWXMAP
 +};
 +
 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
@@ -45568,6 +45674,7 @@
 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
++#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
 +
 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
 +
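Review bot: The new `gr_log_rwxmap(audit, msg, str)` macro names its third parameter `str`, but the GR_RWXMAP case added to gr_log_varargs() retrieves it with `va_arg(ap, struct file *)` and dereferences `file->f_path`; because gr_log_varargs() is variadic, a caller that passes a `const char *` the way every neighbouring `*_str` macro does would compile cleanly and dereference a string as a `struct file`. Rename the parameter so the contract is visible at the call site: `#define gr_log_rwxmap(audit, msg, file) gr_log_varargs(audit, msg, GR_RWXMAP, file)` with `/* file: struct file * of the mapping, or NULL for anonymous mappings */` beside it. The three callers in grsec_pax.c do pass a `struct file *`, so this is a naming and robustness point rather than a live bug.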
@@ -45576,8 +45683,8 @@
 +#endif
 diff -urNp linux-2.6.35.7/include/linux/grmsg.h linux-2.6.35.7/include/linux/grmsg.h
 --- linux-2.6.35.7/include/linux/grmsg.h	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/include/linux/grmsg.h	2010-09-23 20:39:33.000000000 -0400
-@@ -0,0 +1,108 @@
++++ linux-2.6.35.7/include/linux/grmsg.h	2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,110 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -45682,14 +45789,16 @@
 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
++#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
++#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
 +#define GR_VM86_MSG "denied use of vm86 by "
 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
 diff -urNp linux-2.6.35.7/include/linux/grsecurity.h linux-2.6.35.7/include/linux/grsecurity.h
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.3.2.42&r2=1.3.2.43&f=u


