packages (LINUX_2_6_32): kernel/kernel-grsec_full.patch - http://grsecurity...
hawk
hawk at pld-linux.org
Fri Feb 10 11:10:29 CET 2012
Author: hawk Date: Fri Feb 10 10:10:29 2012 GMT
Module: packages Tag: LINUX_2_6_32
---- Log message:
- http://grsecurity.net/~spender/grsecurity-2.2.2-2.6.32.56-201202071726.patch
---- Files affected:
packages/kernel:
kernel-grsec_full.patch (1.29.2.6 -> 1.29.2.7)
---- Diffs:
================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.29.2.6 packages/kernel/kernel-grsec_full.patch:1.29.2.7
--- packages/kernel/kernel-grsec_full.patch:1.29.2.6 Thu Jan 19 11:23:54 2012
+++ packages/kernel/kernel-grsec_full.patch Fri Feb 10 11:10:11 2012
@@ -185,7 +185,7 @@
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index e480d8c..c7b2c86 100644
+index 81ad738..cbdaeb0 100644
--- a/Makefile
+++ b/Makefile
@@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -7848,7 +7848,7 @@
if (err)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
-index 4edd8eb..a558697 100644
+index 4edd8eb..29124b4 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -13,7 +13,9 @@
@@ -7907,12 +7907,13 @@
movl %ebp,%ebp /* zero extension */
pushq $__USER32_DS
CFI_ADJUST_CFA_OFFSET 8
-@@ -135,28 +157,41 @@ ENTRY(ia32_sysenter_target)
+@@ -135,28 +157,42 @@ ENTRY(ia32_sysenter_target)
pushfq
CFI_ADJUST_CFA_OFFSET 8
/*CFI_REL_OFFSET rflags,0*/
- movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
- CFI_REGISTER rip,r10
++ orl $X86_EFLAGS_IF,(%rsp)
+ GET_THREAD_INFO(%r11)
+ movl TI_sysenter_return(%r11), %r11d
+ CFI_REGISTER rip,r11
@@ -7955,7 +7956,7 @@
CFI_REMEMBER_STATE
jnz sysenter_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
-@@ -166,13 +201,15 @@ sysenter_do_call:
+@@ -166,13 +202,15 @@ sysenter_do_call:
sysenter_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -7974,7 +7975,7 @@
/* clear IF, that popfq doesn't enable interrupts early */
andl $~0x200,EFLAGS-R11(%rsp)
movl RIP-R11(%rsp),%edx /* User %eip */
-@@ -200,6 +237,9 @@ sysexit_from_sys_call:
+@@ -200,6 +238,9 @@ sysexit_from_sys_call:
movl %eax,%esi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
call audit_syscall_entry
@@ -7984,7 +7985,7 @@
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -211,7 +251,7 @@ sysexit_from_sys_call:
+@@ -211,7 +252,7 @@ sysexit_from_sys_call:
.endm
.macro auditsys_exit exit
@@ -7993,7 +7994,7 @@
jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
sti
-@@ -221,12 +261,12 @@ sysexit_from_sys_call:
+@@ -221,12 +262,12 @@ sysexit_from_sys_call:
movzbl %al,%edi /* zero-extend that into %edi */
inc %edi /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
call audit_syscall_exit
@@ -8008,7 +8009,7 @@
jz \exit
CLEAR_RREGS -ARGOFFSET
jmp int_with_check
-@@ -244,7 +284,7 @@ sysexit_audit:
+@@ -244,7 +285,7 @@ sysexit_audit:
sysenter_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -8017,7 +8018,7 @@
jz sysenter_auditsys
#endif
SAVE_REST
-@@ -252,6 +292,9 @@ sysenter_tracesys:
+@@ -252,6 +293,9 @@ sysenter_tracesys:
movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -8027,7 +8028,7 @@
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
cmpq $(IA32_NR_syscalls-1),%rax
-@@ -283,19 +326,20 @@ ENDPROC(ia32_sysenter_target)
+@@ -283,19 +327,20 @@ ENDPROC(ia32_sysenter_target)
ENTRY(ia32_cstar_target)
CFI_STARTPROC32 simple
CFI_SIGNAL_FRAME
@@ -8050,7 +8051,7 @@
movl %eax,%eax /* zero extension */
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
-@@ -311,13 +355,19 @@ ENTRY(ia32_cstar_target)
+@@ -311,13 +356,19 @@ ENTRY(ia32_cstar_target)
/* no need to do an access_ok check here because r8 has been
32bit zero extended */
/* hardware stack frame is complete now */
@@ -8073,7 +8074,7 @@
CFI_REMEMBER_STATE
jnz cstar_tracesys
cmpq $IA32_NR_syscalls-1,%rax
-@@ -327,13 +377,15 @@ cstar_do_call:
+@@ -327,13 +378,15 @@ cstar_do_call:
cstar_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -8092,7 +8093,7 @@
RESTORE_ARGS 1,-ARG_SKIP,1,1,1
movl RIP-ARGOFFSET(%rsp),%ecx
CFI_REGISTER rip,rcx
-@@ -361,7 +413,7 @@ sysretl_audit:
+@@ -361,7 +414,7 @@ sysretl_audit:
cstar_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -8101,7 +8102,7 @@
jz cstar_auditsys
#endif
xchgl %r9d,%ebp
-@@ -370,6 +422,9 @@ cstar_tracesys:
+@@ -370,6 +423,9 @@ cstar_tracesys:
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -8111,7 +8112,7 @@
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
RESTORE_REST
xchgl %ebp,%r9d
-@@ -415,11 +470,6 @@ ENTRY(ia32_syscall)
+@@ -415,11 +471,6 @@ ENTRY(ia32_syscall)
CFI_REL_OFFSET rip,RIP-RIP
PARAVIRT_ADJUST_EXCEPTION_FRAME
SWAPGS
@@ -8123,7 +8124,7 @@
movl %eax,%eax
pushq %rax
CFI_ADJUST_CFA_OFFSET 8
-@@ -427,9 +477,15 @@ ENTRY(ia32_syscall)
+@@ -427,9 +478,15 @@ ENTRY(ia32_syscall)
/* note the registers are not zero extended to the sf.
this could be a problem. */
SAVE_ARGS 0,0,1
@@ -8142,7 +8143,7 @@
jnz ia32_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -448,6 +504,9 @@ ia32_tracesys:
+@@ -448,6 +505,9 @@ ia32_tracesys:
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -8152,7 +8153,7 @@
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
cmpq $(IA32_NR_syscalls-1),%rax
-@@ -462,6 +521,7 @@ ia32_badsys:
+@@ -462,6 +522,7 @@ ia32_badsys:
quiet_ni_syscall:
movq $-ENOSYS,%rax
@@ -13948,10 +13949,18 @@
.store = store,
};
diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c
-index 5c0e653..1e82c7c 100644
+index 5c0e653..0882b0a 100644
--- a/arch/x86/kernel/cpu/mcheck/p5.c
+++ b/arch/x86/kernel/cpu/mcheck/p5.c
-@@ -50,7 +50,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
+@@ -12,6 +12,7 @@
+ #include <asm/system.h>
+ #include <asm/mce.h>
+ #include <asm/msr.h>
++#include <asm/pgtable.h>
+
+ /* By default disabled */
+ int mce_p5_enabled __read_mostly;
+@@ -50,7 +51,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
if (!cpu_has(c, X86_FEATURE_MCE))
return;
@@ -13962,10 +13971,18 @@
wmb();
diff --git a/arch/x86/kernel/cpu/mcheck/winchip.c b/arch/x86/kernel/cpu/mcheck/winchip.c
-index 54060f5..e6ba93d 100644
+index 54060f5..c1a7577 100644
--- a/arch/x86/kernel/cpu/mcheck/winchip.c
+++ b/arch/x86/kernel/cpu/mcheck/winchip.c
-@@ -24,7 +24,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
+@@ -11,6 +11,7 @@
+ #include <asm/system.h>
+ #include <asm/mce.h>
+ #include <asm/msr.h>
++#include <asm/pgtable.h>
+
+ /* Machine check handler for WinChip C6: */
+ static void winchip_machine_check(struct pt_regs *regs, long error_code)
+@@ -24,7 +25,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
{
u32 lo, hi;
@@ -14296,9 +14313,9 @@
@@ -180,7 +180,7 @@ void dump_stack(void)
#endif
- printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
-- current->pid, current->comm, current->xid, print_tainted(),
-+ task_pid_nr(current), current->comm, current->xid, print_tainted(),
+ printk("Pid: %d, comm: %.20s %s %s %.*s\n",
+- current->pid, current->comm, print_tainted(),
++ task_pid_nr(current), current->comm, print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
init_utsname()->version);
@@ -18795,9 +18812,9 @@
@@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, int all)
if (!board)
board = "";
- printk(KERN_INFO "Pid: %d, comm: %.20s xid: #%u %s %s %.*s %s\n",
-- current->pid, current->comm, current->xid, print_tainted(),
-+ task_pid_nr(current), current->comm, current->xid, print_tainted(),
+ printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
+- current->pid, current->comm, print_tainted(),
++ task_pid_nr(current), current->comm, print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
init_utsname()->version, board);
@@ -25342,7 +25359,7 @@
return (void *)vaddr;
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index 2feb9bd..3646202 100644
+index 2feb9bd..ab91e7b 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
@@ -25372,7 +25389,17 @@
return NULL;
WARN_ON_ONCE(is_ram);
}
-@@ -407,7 +404,7 @@ static int __init early_ioremap_debug_setup(char *str)
+@@ -378,6 +375,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
+
+ /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
+ if (page_is_ram(start >> PAGE_SHIFT))
++#ifdef CONFIG_HIGHMEM
++ if ((start >> PAGE_SHIFT) < max_low_pfn)
++#endif
+ return __va(phys);
+
+ addr = (void __force *)ioremap_default(start, PAGE_SIZE);
+@@ -407,7 +407,7 @@ static int __init early_ioremap_debug_setup(char *str)
early_param("early_ioremap_debug", early_ioremap_debug_setup);
static __initdata int after_paging_init;
@@ -25381,7 +25408,7 @@
static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
{
-@@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
+@@ -439,8 +439,7 @@ void __init early_ioremap_init(void)
slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
@@ -25408,7 +25435,7 @@
pte = kmemcheck_pte_lookup(address);
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
-index c8191de..2975082 100644
+index c9e57af..07a321b 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size(void)
@@ -27299,10 +27326,10 @@
.store = elv_attr_store,
};
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
-index 1d5a780..0e2fb8c 100644
+index 2be0a97..bded3fd 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
-@@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
+@@ -221,8 +221,20 @@ EXPORT_SYMBOL(blk_verify_command);
static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
struct sg_io_hdr *hdr, fmode_t mode)
{
@@ -27324,7 +27351,7 @@
if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
return -EPERM;
-@@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
+@@ -431,6 +443,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
int err;
unsigned int in_len, out_len, bytes, opcode, cmdlen;
char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
@@ -27333,7 +27360,7 @@
if (!sic)
return -EINVAL;
-@@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
+@@ -464,9 +478,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
*/
err = -EFAULT;
rq->cmd_len = cmdlen;
@@ -30383,7 +30410,7 @@
DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
sizeof(DAC960_SCSI_Inquiry_T) +
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index ca9c548..ca6899c 100644
+index 68b90d9..7e2e3f3 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
@@ -31709,9 +31736,18 @@
acpi_os_unmap_memory(virt, len);
return 0;
diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
-index 123cedf..137edef 100644
+index 123cedf..6664cb4 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
+@@ -146,7 +146,7 @@ static int tty_open(struct inode *, struct file *);
+ static int tty_release(struct inode *, struct file *);
+ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+ #ifdef CONFIG_COMPAT
+-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
++long tty_compat_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg);
+ #else
+ #define tty_compat_ioctl NULL
@@ -1774,6 +1774,7 @@ got_driver:
if (IS_ERR(tty)) {
@@ -32625,7 +32661,7 @@
DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
-index ba14553..182d0bb 100644
+index 519161e..98c840c 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -66,7 +66,7 @@ static int drm_setup(struct drm_device * dev)
@@ -32665,9 +32701,9 @@
- dev->open_count);
+ local_read(&dev->open_count));
- /* if the master has gone away we can't do anything with the lock */
- if (file_priv->minor->master)
-@@ -524,9 +524,9 @@ int drm_release(struct inode *inode, struct file *filp)
+ /* Release any auth tokens that might point to this file_priv,
+ (do that under the drm_global_mutex) */
+@@ -529,9 +529,9 @@ int drm_release(struct inode *inode, struct file *filp)
* End inline drm_release
*/
@@ -32680,7 +32716,7 @@
DRM_ERROR("Device busy: %d\n",
atomic_read(&dev->ioctl_count));
diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
-index 8bf3770..7942280 100644
+index 8bf3770..79422805 100644
--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
@@ -33850,7 +33886,7 @@
vga_put(pdev, io_state);
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index f3f1415..e561d90 100644
+index 11f8069..4783396 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device *hdev)
@@ -33938,7 +33974,7 @@
int ycalib; /* calibrated null value for y */
int zcalib; /* calibrated null value for z */
diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
-index 2040507..706ec1e 100644
+index 740785e..5a5c6c6 100644
--- a/drivers/hwmon/sht15.c
+++ b/drivers/hwmon/sht15.c
@@ -112,7 +112,7 @@ struct sht15_data {
@@ -34798,6 +34834,30 @@
.show = cm_show_counter
};
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 8fd3a6f..61d8075 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2267,6 +2267,9 @@ static int cma_resolve_ib_udp(struct rdma_id_private *id_priv,
+
+ req.private_data_len = sizeof(struct cma_hdr) +
+ conn_param->private_data_len;
++ if (req.private_data_len < conn_param->private_data_len)
++ return -EINVAL;
++
+ req.private_data = kzalloc(req.private_data_len, GFP_ATOMIC);
+ if (!req.private_data)
+ return -ENOMEM;
+@@ -2314,6 +2317,9 @@ static int cma_connect_ib(struct rdma_id_private *id_priv,
+ memset(&req, 0, sizeof req);
+ offset = cma_user_data_offset(id_priv->id.ps);
+ req.private_data_len = offset + conn_param->private_data_len;
++ if (req.private_data_len < conn_param->private_data_len)
++ return -EINVAL;
++
+ private_data = kzalloc(req.private_data_len, GFP_ATOMIC);
+ if (!private_data)
+ return -ENOMEM;
diff --git a/drivers/infiniband/core/fmr_pool.c b/drivers/infiniband/core/fmr_pool.c
index 4507043..14ad522 100644
--- a/drivers/infiniband/core/fmr_pool.c
@@ -41467,10 +41527,10 @@
sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
if (!sg_proc_sgp)
diff --git a/drivers/scsi/sym53c8xx_2/sym_glue.c b/drivers/scsi/sym53c8xx_2/sym_glue.c
-index 45374d6..61ee484 100644
+index c19ca5e..3eb5959 100644
--- a/drivers/scsi/sym53c8xx_2/sym_glue.c
+++ b/drivers/scsi/sym53c8xx_2/sym_glue.c
-@@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct pci_dev *pdev,
+@@ -1758,6 +1758,8 @@ static int __devinit sym2_probe(struct pci_dev *pdev,
int do_iounmap = 0;
int do_disable_device = 1;
@@ -42446,19 +42506,6 @@
if (!left--) {
if (instance->disconnected)
-diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
-index 3e564bf..949b448 100644
---- a/drivers/usb/class/cdc-wdm.c
-+++ b/drivers/usb/class/cdc-wdm.c
-@@ -314,7 +314,7 @@ static ssize_t wdm_write
- if (r < 0)
- goto outnp;
-
-- if (!file->f_flags && O_NONBLOCK)
-+ if (!(file->f_flags & O_NONBLOCK))
- r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
- &desc->flags));
- else
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 24e6205..fe5a5d4 100644
--- a/drivers/usb/core/hcd.c
@@ -46241,9 +46288,9 @@
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -31,6 +31,7 @@
+ #include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
- #include <linux/vs_memory.h>
+#include <linux/xattr.h>
#include <asm/uaccess.h>
#include <asm/param.h>
@@ -47858,7 +47905,7 @@
return hit;
}
diff --git a/fs/compat.c b/fs/compat.c
-index d1e2411..27064e4 100644
+index d1e2411..b1eda5d 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char __user *filename, struct compat_timeval _
@@ -48015,7 +48062,18 @@
retval = unshare_files(&displaced);
if (retval)
-@@ -1499,6 +1541,15 @@ int compat_do_execve(char * filename,
+@@ -1493,12 +1535,26 @@ int compat_do_execve(char * filename,
+ if (IS_ERR(file))
+ goto out_unmark;
+
++ if (gr_ptrace_readexec(file, bprm->unsafe)) {
++ retval = -EPERM;
++ goto out_file;
++ }
++
+ sched_exec();
+
+ bprm->file = file;
bprm->filename = filename;
bprm->interp = filename;
@@ -48031,7 +48089,7 @@
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1528,9 +1579,40 @@ int compat_do_execve(char * filename,
+@@ -1528,9 +1584,40 @@ int compat_do_execve(char * filename,
if (retval < 0)
goto out;
@@ -48058,7 +48116,7 @@
+#endif
+
+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
-+ bprm->unsafe & LSM_UNSAFE_SHARE);
++ bprm->unsafe);
+ if (retval < 0)
+ goto out_fail;
+
@@ -48073,7 +48131,7 @@
/* execve succeeded */
current->fs->in_exec = 0;
-@@ -1541,6 +1623,14 @@ int compat_do_execve(char * filename,
+@@ -1541,6 +1628,14 @@ int compat_do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -48088,7 +48146,7 @@
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1711,6 +1801,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp,
+@@ -1711,6 +1806,8 @@ int compat_core_sys_select(int n, compat_ulong_t __user *inp,
struct fdtable *fdt;
long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
@@ -48097,7 +48155,7 @@
if (n < 0)
goto out_nofds;
-@@ -2151,7 +2243,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd,
+@@ -2151,7 +2248,7 @@ asmlinkage long compat_sys_nfsservctl(int cmd,
oldfs = get_fs();
set_fs(KERNEL_DS);
/* The __user pointer casts are valid because of the set_fs() */
@@ -48204,6 +48262,22 @@
dcache_init();
inode_init();
+diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
+index 39c6ee8..dcee0f1 100644
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -269,7 +269,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
+ {
+ return debugfs_create_file(name,
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++ S_IFDIR | S_IRWXU,
++#else
+ S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
++#endif
+ parent, NULL, NULL);
+ }
+ EXPORT_SYMBOL_GPL(debugfs_create_dir);
diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
index c010ecf..a8d8c59 100644
--- a/fs/dlm/lockspace.c
@@ -48217,6 +48291,78 @@
.show = dlm_attr_show,
.store = dlm_attr_store,
};
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 7a5f1ac..205b034 100644
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -418,17 +418,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
+ rc);
+ goto out;
+ }
+- if (unlikely(ecryptfs_verbosity > 0)) {
+- ecryptfs_printk(KERN_DEBUG, "Encrypting extent "
+- "with iv:\n");
+- ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
+- ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
+- "encryption:\n");
+- ecryptfs_dump_hex((char *)
+- (page_address(page)
+- + (extent_offset * crypt_stat->extent_size)),
+- 8);
+- }
+ rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,
+ page, (extent_offset
+ * crypt_stat->extent_size),
+@@ -441,14 +430,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
+ goto out;
+ }
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.29.2.6&r2=1.29.2.7&f=u
More information about the pld-cvs-commit
mailing list