SOURCES (AC-branch): grsecurity-2.1.11-2.4.36-200801031900.patch -...
hawk
hawk at pld-linux.org
Mon Jan 21 15:24:15 CET 2008
Author: hawk Date: Mon Jan 21 14:24:15 2008 GMT
Module: SOURCES Tag: AC-branch
---- Log message:
- pldized
---- Files affected:
SOURCES:
grsecurity-2.1.11-2.4.36-200801031900.patch (1.1.2.1 -> 1.1.2.2)
---- Diffs:
================================================================
Index: SOURCES/grsecurity-2.1.11-2.4.36-200801031900.patch
diff -u SOURCES/grsecurity-2.1.11-2.4.36-200801031900.patch:1.1.2.1 SOURCES/grsecurity-2.1.11-2.4.36-200801031900.patch:1.1.2.2
--- SOURCES/grsecurity-2.1.11-2.4.36-200801031900.patch:1.1.2.1 Mon Jan 21 13:15:55 2008
+++ SOURCES/grsecurity-2.1.11-2.4.36-200801031900.patch Mon Jan 21 15:24:10 2008
@@ -1908,7 +1908,7 @@
+ */
+ tss->esp0 = next->esp0;
+
- if (prev->ioperm || next->ioperm) {
+ if (unlikely(prev->ioperm || next->ioperm)) {
if (next->ioperm) {
/*
@@ -705,6 +742,11 @@ void fastcall __switch_to(struct task_st
@@ -8080,12 +8080,10 @@
default:
return -ENXIO;
}
-@@ -720,7 +775,10 @@ void __init memory_devfs_register (void)
- {5, "zero", S_IRUGO | S_IWUGO, &zero_fops},
- {7, "full", S_IRUGO | S_IWUGO, &full_fops},
+@@ -720,6 +775,9 @@ void __init memory_devfs_register (void)
{8, "random", S_IRUGO | S_IWUSR, &random_fops},
-- {9, "urandom", S_IRUGO | S_IWUSR, &urandom_fops}
-+ {9, "urandom", S_IRUGO | S_IWUSR, &urandom_fops},
+ {9, "urandom", S_IRUGO | S_IWUSR, &urandom_fops},
+ {10, "anon", S_IRUGO | S_IWUSR, &anon_file_operations},
+#ifdef CONFIG_GRKERNSEC
+ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops}
+#endif
@@ -9464,7 +9462,7 @@
goto ok;
}
-@@ -1053,8 +1080,22 @@ do_last:
+@@ -1053,9 +1080,23 @@ do_last:
/* Negative dentry, just create the file */
if (!dentry->d_inode) {
@@ -9479,8 +9477,9 @@
+ goto exit_dput;
+ }
+
- error = vfs_create(dir->d_inode, dentry,
- mode & ~current->fs->umask);
+ if (!IS_POSIXACL(dir->d_inode))
+ mode &= ~current->fs->umask;
+ error = vfs_create(dir->d_inode, dentry, mode);
+ if (!error)
+ gr_handle_create(dentry, nd->mnt);
+
@@ -9572,19 +9571,18 @@
up(&nd.dentry->d_inode->i_sem);
path_release(&nd);
out:
-@@ -1355,8 +1442,17 @@ asmlinkage long sys_mkdir(const char * p
- dentry = lookup_create(&nd, 1);
- error = PTR_ERR(dentry);
+@@ -1355,7 +1442,16 @@ asmlinkage long sys_mkdir(const char * p
if (!IS_ERR(dentry)) {
-- error = vfs_mkdir(nd.dentry->d_inode, dentry,
+ if (!IS_POSIXACL(nd.dentry->d_inode))
+ mode &= ~current->fs->umask;
+- error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ error = 0;
+
+ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt))
+ error = -EACCES;
+
+ if(!error)
-+ error = vfs_mkdir(nd.dentry->d_inode, dentry,
- mode & ~current->fs->umask);
++ error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ if(!error)
+ gr_handle_create(dentry, nd.mnt);
+
@@ -16195,7 +16193,7 @@
+gr_handle_chroot_setpriority(const struct task_struct *p, const int niceval)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
-+ if (grsec_enable_chroot_nice && (niceval < p->nice)
++ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
+ && proc_is_chrooted(current)) {
+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
+ return -EACCES;
@@ -18901,9 +18899,9 @@
+void pax_switch_segments(struct task_struct *);
+
- #define prepare_to_switch() do { } while(0)
#define switch_to(prev,next,last) do { \
asm volatile("pushl %%esi\n\t" \
+ "pushl %%edi\n\t" \
diff -urNp linux-2.4.36/include/asm-i386/uaccess.h linux-2.4.36/include/asm-i386/uaccess.h
--- linux-2.4.36/include/asm-i386/uaccess.h 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/include/asm-i386/uaccess.h 2008-01-03 18:26:29.000000000 -0500
@@ -21421,9 +21419,9 @@
+#include <asm/current.h>
+
- static inline struct task_struct *find_task_by_pid(int pid)
+ static inline task_t *find_task_by_pid(int pid)
{
- struct task_struct *p, **htable = &pidhash[pid_hashfn(pid)];
+ struct task_t *p, **htable = &pidhash[pid_hashfn(pid)];
@@ -557,6 +641,8 @@ static inline struct task_struct *find_t
for(p = *htable; p && p->pid != pid; p = p->pidhash_next)
;
@@ -21738,14 +21736,66 @@
diff -urNp linux-2.4.36/kernel/exit.c linux-2.4.36/kernel/exit.c
--- linux-2.4.36/kernel/exit.c 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/kernel/exit.c 2008-01-03 18:26:29.000000000 -0500
-@@ -16,6 +16,7 @@
+@@ -7,6 +7,7 @@
+ #include <linux/config.h>
+ #include <linux/slab.h>
+ #include <linux/interrupt.h>
++#include <linux/file.h>
+ #include <linux/smp_lock.h>
+ #include <linux/module.h>
+ #include <linux/completion.h>
+@@ -16,6 +17,11 @@
#ifdef CONFIG_BSD_PROCESS_ACCT
#include <linux/acct.h>
#endif
+#include <linux/grsecurity.h>
++
++#ifdef CONFIG_GRKERNSEC
++extern rwlock_t grsec_exec_file_lock;
++#endif
#include <asm/uaccess.h>
#include <asm/pgtable.h>
+@@ -128,12 +129,23 @@ void reparent_to_init(void)
+
+ write_lock_irq(&tasklist_lock);
+
++#ifdef CONFIG_GRKERNSEC
++ write_lock(&grsec_exec_file_lock);
++ if (current->exec_file) {
++ fput(current->exec_file);
++ current->exec_file = NULL;
++ }
++ write_unlock(&grsec_exec_file_lock);
++#endif
++
+ /* Reparent to init */
+ REMOVE_LINKS(current);
+ current->p_pptr = child_reaper;
+ current->p_opptr = child_reaper;
+ SET_LINKS(current);
+
++ gr_set_kernel_label(current);
++
+ /* Set the exit signal to SIGCHLD so we signal init on exit */
+ current->exit_signal = SIGCHLD;
+
+@@ -157,6 +177,15 @@ void daemonize(void)
+ {
+ struct fs_struct *fs;
+
++#ifdef CONFIG_GRKERNSEC
++ write_lock(&grsec_exec_file_lock);
++ if (current->exec_file) {
++ fput(current->exec_file);
++ current->exec_file = NULL;
++ }
++ write_unlock(&grsec_exec_file_lock);
++#endif
++ gr_set_kernel_label(current);
+
+ /*
+ * If we were started as result of loading a module, close all of the
@@ -439,10 +440,16 @@ fake_volatile:
#ifdef CONFIG_BSD_PROCESS_ACCT
acct_process(code);
@@ -21902,9 +21952,9 @@
--- linux-2.4.36/kernel/printk.c 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/kernel/printk.c 2008-01-03 18:26:29.000000000 -0500
@@ -26,6 +26,7 @@
- #include <linux/module.h>
#include <linux/interrupt.h> /* For in_interrupt() */
#include <linux/config.h>
+ #include <linux/delay.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -21924,26 +21974,18 @@
diff -urNp linux-2.4.36/kernel/sched.c linux-2.4.36/kernel/sched.c
--- linux-2.4.36/kernel/sched.c 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/kernel/sched.c 2008-01-03 18:26:29.000000000 -0500
-@@ -22,6 +22,7 @@
- #include <linux/config.h>
- #include <linux/mm.h>
- #include <linux/init.h>
-+#include <linux/file.h>
- #include <linux/smp_lock.h>
- #include <linux/nmi.h>
- #include <linux/interrupt.h>
@@ -29,6 +30,11 @@
+ #include <asm/mmu_context.h>
+ #include <linux/kernel_stat.h>
#include <linux/completion.h>
- #include <linux/prefetch.h>
- #include <linux/compiler.h>
+#include <linux/grsecurity.h>
+
+#ifdef CONFIG_GRKERNSEC
+extern rwlock_t grsec_exec_file_lock;
+#endif
- #include <asm/uaccess.h>
- #include <asm/mmu_context.h>
+ /*
+ * Convert user-nice values [ -20 ... 0 ... 19 ]
@@ -910,6 +916,9 @@ asmlinkage long sys_nice(int increment)
return -EPERM;
if (increment < -40)
@@ -21954,46 +21996,6 @@
}
if (increment > 40)
increment = 40;
-@@ -1288,12 +1297,23 @@ void reparent_to_init(void)
-
- write_lock_irq(&tasklist_lock);
-
-+#ifdef CONFIG_GRKERNSEC
-+ write_lock(&grsec_exec_file_lock);
-+ if (this_task->exec_file) {
-+ fput(this_task->exec_file);
-+ this_task->exec_file = NULL;
-+ }
-+ write_unlock(&grsec_exec_file_lock);
-+#endif
-+
- /* Reparent to init */
- REMOVE_LINKS(this_task);
- this_task->p_pptr = child_reaper;
- this_task->p_opptr = child_reaper;
- SET_LINKS(this_task);
-
-+ gr_set_kernel_label(this_task);
-+
- /* Set the exit signal to SIGCHLD so we signal init on exit */
- this_task->exit_signal = SIGCHLD;
-
-@@ -1327,6 +1347,15 @@ void daemonize(void)
- {
- struct fs_struct *fs;
-
-+#ifdef CONFIG_GRKERNSEC
-+ write_lock(&grsec_exec_file_lock);
-+ if (current->exec_file) {
-+ fput(current->exec_file);
-+ current->exec_file = NULL;
-+ }
-+ write_unlock(&grsec_exec_file_lock);
-+#endif
-+ gr_set_kernel_label(current);
-
- /*
- * If we were started as result of loading a module, close all of the
diff -urNp linux-2.4.36/kernel/signal.c linux-2.4.36/kernel/signal.c
--- linux-2.4.36/kernel/signal.c 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/kernel/signal.c 2008-01-03 18:26:29.000000000 -0500
@@ -22078,7 +22080,7 @@
+ return -EACCES;
+ }
+
- if (niceval < p->nice && !capable(CAP_SYS_NICE))
+ if (niceval < task_nice(p) && !capable(CAP_SYS_NICE))
error = -EACCES;
else
@@ -417,6 +425,10 @@ asmlinkage long sys_setregid(gid_t rgid,
@@ -22548,16 +22550,6 @@
diff -urNp linux-2.4.36/Makefile linux-2.4.36/Makefile
--- linux-2.4.36/Makefile 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/Makefile 2008-01-03 18:26:29.000000000 -0500
-@@ -6,6 +6,9 @@ EXTRAVERSION =
- KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
-
- ARCH := $(shell uname -m | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/arm/ -e s/sa110/arm/)
-+#do this so we don't have to release a new patch for each .x.y unless necessary
-+EXTRAVERSION :=$(EXTRAVERSION)-grsec
-+KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
- KERNELPATH=kernel-$(shell echo $(KERNELRELEASE) | sed -e "s/-//g")
-
- CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -133,9 +136,10 @@ export SVGA_MODE = -DSVGA_MODE=NORMAL_VG
CORE_FILES =kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o
@@ -23090,36 +23082,37 @@
return 0;
}
-+static unsigned long __do_mmap_pgoff(struct file * file, unsigned long addr, unsigned long len,
+-unsigned long do_mmap_pgoff(struct mm_struct *mm, struct file * file,
++static unsigned long __do_mmap_pgoff(struct mm_struct *mm, struct file * file, unsigned long addr, unsigned long len,
+ unsigned long prot, unsigned long flags, unsigned long pgoff);
+
- unsigned long do_mmap_pgoff(struct file * file, unsigned long addr, unsigned long len,
++unsigned long do_mmap_pgoff(struct mm_struct *mm, struct file * file, unsigned long addr, unsigned long len,
+ unsigned long prot, unsigned long flag, unsigned long pgoff)
+{
+ unsigned long ret = -EINVAL;
+
+#ifdef CONFIG_PAX_SEGMEXEC
-+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) &&
++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
+ (len > SEGMEXEC_TASK_SIZE || (addr > SEGMEXEC_TASK_SIZE-len)))
+ goto out;
+#endif
+
-+ ret = __do_mmap_pgoff(file, addr, len, prot, flag, pgoff);
++ ret = __do_mmap_pgoff(mm, file, addr, len, prot, flag, pgoff);
+
+#ifdef CONFIG_PAX_SEGMEXEC
-+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && ret < TASK_SIZE && ((flag & MAP_TYPE) == MAP_PRIVATE)
++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ret < TASK_SIZE && ((flag & MAP_TYPE) == MAP_PRIVATE)
+
+#ifdef CONFIG_PAX_MPROTECT
-+ && (!(current->mm->pax_flags & MF_PAX_MPROTECT) || ((prot & PROT_EXEC) && file && !(prot & PROT_WRITE)))
++ && (!(mm->pax_flags & MF_PAX_MPROTECT) || ((prot & PROT_EXEC) && file && !(prot & PROT_WRITE)))
+#endif
+
+ )
+ {
+ unsigned long ret_m;
+ prot = prot & PROT_EXEC ? prot & ~PROT_WRITE : PROT_NONE;
-+ ret_m = __do_mmap_pgoff(NULL, ret + SEGMEXEC_TASK_SIZE, 0UL, prot, flag | MAP_MIRROR | MAP_FIXED, ret);
++ ret_m = __do_mmap_pgoff(mm, NULL, ret + SEGMEXEC_TASK_SIZE, 0UL, prot, flag | MAP_MIRROR | MAP_FIXED, ret);
+ if (ret_m >= TASK_SIZE) {
-+ do_munmap(current->mm, ret, len);
++ do_munmap(mm, ret, len);
+ ret = ret_m;
+ }
+ }
@@ -23130,11 +23123,11 @@
+ return ret;
+}
+
-+static unsigned long __do_mmap_pgoff(struct file * file, unsigned long addr, unsigned long len,
- unsigned long prot, unsigned long flags, unsigned long pgoff)
- {
- struct mm_struct * mm = current->mm;
-@@ -403,6 +451,28 @@ unsigned long do_mmap_pgoff(struct file
++static unsigned long __do_mmap_pgoff(struct mm_struct *mm, struct file * file,
+ unsigned long addr, unsigned long len,
+ unsigned long prot, unsigned long flags,
+ unsigned long pgoff)
+@@ -401,6 +449,28 @@ unsigned long do_mmap_pgoff(struct mm_st
int error;
rb_node_t ** rb_link, * rb_parent;
@@ -23545,7 +23538,55 @@
newprot = protection_map[newflags & 0xf];
if (start == vma->vm_start) {
if (end == vma->vm_end)
-@@ -264,6 +317,69 @@ static int mprotect_fixup(struct vm_area
+@@ -256,6 +372,17 @@ asmlinkage long sys_mprotect(unsigned lo
+ end = start + len;
+ if (end < start)
+ return -ENOMEM;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
++ if (end > SEGMEXEC_TASK_SIZE)
++ return -EINVAL;
++ } else
++#endif
++
++ if (end > TASK_SIZE)
++ return -EINVAL;
++
+ if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
+ return -EINVAL;
+ if (end == start)
+@@ -258,6 +385,16 @@ asmlinkage long sys_mprotect(unsigned lo
+ if (!vma || vma->vm_start > start)
+ goto out;
+
++ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
++ error = -EACCES;
++ goto out;
++ }
++
++#ifdef CONFIG_PAX_MPROTECT
++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
++ pax_handle_maywrite(vma, start);
++#endif
++
+ for (nstart = start ; ; ) {
+ unsigned int newflags;
+ int last = 0;
+@@ -345,6 +437,12 @@ long do_mprotect(struct mm_struct
+ goto out;
+ }
+
++#ifdef CONFIG_PAX_MPROTECT
++ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
++ newflags &= ~VM_MAYWRITE;
++#endif
++
+ if (vma->vm_end > end) {
+ error = mprotect_fixup(vma, &prev, nstart, end, newflags);
+ goto out;
+@@ -364,6 +417,69 @@ static int mprotect_fixup(struct vm_area
return 0;
}
@@ -23615,54 +23656,6 @@
asmlinkage long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
{
unsigned long nstart, end, tmp;
-@@ -276,6 +392,17 @@ asmlinkage long sys_mprotect(unsigned lo
- end = start + len;
- if (end < start)
- return -ENOMEM;
-+
-+#ifdef CONFIG_PAX_SEGMEXEC
-+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
-+ if (end > SEGMEXEC_TASK_SIZE)
-+ return -EINVAL;
-+ } else
-+#endif
-+
-+ if (end > TASK_SIZE)
-+ return -EINVAL;
-+
- if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
- return -EINVAL;
- if (end == start)
-@@ -288,6 +415,16 @@ asmlinkage long sys_mprotect(unsigned lo
- if (!vma || vma->vm_start > start)
- goto out;
-
-+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
-+ error = -EACCES;
-+ goto out;
-+ }
-+
-+#ifdef CONFIG_PAX_MPROTECT
-+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
-+ pax_handle_maywrite(vma, start);
-+#endif
-+
- for (nstart = start ; ; ) {
- unsigned int newflags;
- int last = 0;
-@@ -300,6 +437,12 @@ asmlinkage long sys_mprotect(unsigned lo
- goto out;
- }
-
-+#ifdef CONFIG_PAX_MPROTECT
-+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
-+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
-+ newflags &= ~VM_MAYWRITE;
-+#endif
-+
- if (vma->vm_end > end) {
- error = mprotect_fixup(vma, &prev, nstart, end, newflags);
- goto out;
diff -urNp linux-2.4.36/mm/mremap.c linux-2.4.36/mm/mremap.c
--- linux-2.4.36/mm/mremap.c 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/mm/mremap.c 2008-01-03 18:26:29.000000000 -0500
@@ -23795,9 +23788,9 @@
--- linux-2.4.36/net/ipv4/netfilter/Config.in 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/net/ipv4/netfilter/Config.in 2008-01-03 18:26:29.000000000 -0500
@@ -33,6 +33,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
- dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' realm match support' CONFIG_IP_NF_MATCH_REALM $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' stealth match support' CONFIG_IP_NF_MATCH_STEALTH $CONFIG_IP_NF_IPTABLES
if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
dep_tristate ' Helper match support' CONFIG_IP_NF_MATCH_HELPER $CONFIG_IP_NF_IPTABLES
@@ -23919,9 +23912,9 @@
--- linux-2.4.36/net/ipv4/netfilter/Makefile 2008-01-01 07:06:40.000000000 -0500
+++ linux-2.4.36/net/ipv4/netfilter/Makefile 2008-01-03 18:26:29.000000000 -0500
@@ -86,6 +86,7 @@ obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_s
- obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
- obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
+ obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
# targets
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/grsecurity-2.1.11-2.4.36-200801031900.patch?r1=1.1.2.1&r2=1.1.2.2&f=u
More information about the pld-cvs-commit
mailing list