packages (GRSECURITY_RAW): kernel/kernel-grsec_full.patch http://www.grsecu...
arekm
arekm at pld-linux.org
Sun Aug 2 12:38:10 CEST 2009
Author: arekm Date: Sun Aug 2 10:38:10 2009 GMT
Module: packages Tag: GRSECURITY_RAW
---- Log message:
http://www.grsecurity.net/~spender/grsecurity-2.1.14-2.6.30.4-200908011535.patch
---- Files affected:
packages/kernel:
kernel-grsec_full.patch (1.3.2.3 -> 1.3.2.4)
---- Diffs:
================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.3.2.3 packages/kernel/kernel-grsec_full.patch:1.3.2.4
--- packages/kernel/kernel-grsec_full.patch:1.3.2.3 Fri Jul 31 11:02:00 2009
+++ packages/kernel/kernel-grsec_full.patch Sun Aug 2 12:38:03 2009
@@ -9077,7 +9077,7 @@
+ .endr
diff -urNp linux-2.6.30.4/arch/x86/kernel/head_64.S linux-2.6.30.4/arch/x86/kernel/head_64.S
--- linux-2.6.30.4/arch/x86/kernel/head_64.S 2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/arch/x86/kernel/head_64.S 2009-07-30 09:48:09.947450201 -0400
++++ linux-2.6.30.4/arch/x86/kernel/head_64.S 2009-08-01 08:46:06.399105315 -0400
@@ -39,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
L4_START_KERNEL = pgd_index(__START_KERNEL_map)
@@ -9308,7 +9308,7 @@
.align L1_CACHE_BYTES
ENTRY(idt_table)
- .skip IDT_ENTRIES * 16
-+ .fill 256,16,0
++ .fill 512,8,0
.section .bss.page_aligned, "aw", @nobits
.align PAGE_SIZE
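Review bot: The new `.fill 512,8,0` for idt_table reduces the IDT size to two bare magic numbers where the replaced `.skip IDT_ENTRIES * 16` named the relationship; gas silently clamps the size operand of `.fill` to 8, which is presumably why `.fill 256,16,0` had to go (it reserved only 2048 of the 4096 bytes a 256-entry x86-64 IDT needs). I would keep the tie to IDT_ENTRIES visible and record the quirk so nobody "simplifies" it back: `.fill IDT_ENTRIES * 2, 8, 0	/* 16-byte gates as two 8-byte words: gas clamps .fill's size to 8 */`. Any other `.fill` of 16-byte objects elsewhere in the patch deserves the same check.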
@@ -9621,7 +9621,7 @@
page_list[PA_CONTROL_PAGE] = __pa(control_page);
diff -urNp linux-2.6.30.4/arch/x86/kernel/module_32.c linux-2.6.30.4/arch/x86/kernel/module_32.c
--- linux-2.6.30.4/arch/x86/kernel/module_32.c 2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/arch/x86/kernel/module_32.c 2009-07-30 09:48:09.950015875 -0400
++++ linux-2.6.30.4/arch/x86/kernel/module_32.c 2009-08-01 15:35:35.138919235 -0400
@@ -23,6 +23,9 @@
#include <linux/kernel.h>
#include <linux/bug.h>
@@ -9664,7 +9664,7 @@
/* Free memory returned from module_alloc */
void module_free(struct module *mod, void *module_region)
-@@ -45,6 +70,45 @@ void module_free(struct module *mod, voi
+@@ -45,6 +70,46 @@ void module_free(struct module *mod, voi
table entries. */
}
@@ -9705,12 +9705,13 @@
+ WARN_ON(1);
+ }
+}
++EXPORT_SYMBOL(module_free_exec);
+#endif
+
/* We don't need anything special. */
int module_frob_arch_sections(Elf_Ehdr *hdr,
Elf_Shdr *sechdrs,
-@@ -63,14 +127,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+@@ -63,14 +128,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
unsigned int i;
Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
Elf32_Sym *sym;
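Review bot: Only module_free_exec gains an export in module_32.c here, while the module_64.c hunk below exports both module_alloc_exec and module_free_exec; unless module_alloc_exec is exported in a part of module_32.c outside this diff, a module using the pair will link on x86-64 and fail with an unresolved symbol on i386. Either both files export both functions or neither does, and since these hand out executable kernel mappings I would use `EXPORT_SYMBOL_GPL(module_free_exec);` rather than the plain variant, as is customary for kernel-internal allocators. The `#ifdef` block closed on the following line starts outside the hunk.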
@@ -9734,7 +9735,7 @@
/* This is the symbol it is referring to. Note that all
undefined symbols have been resolved. */
sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
-@@ -78,12 +148,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+@@ -78,12 +149,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
switch (ELF32_R_TYPE(rel[i].r_info)) {
case R_386_32:
@@ -9771,7 +9772,7 @@
printk(KERN_ERR "module %s: Unknown relocation: %u\n",
diff -urNp linux-2.6.30.4/arch/x86/kernel/module_64.c linux-2.6.30.4/arch/x86/kernel/module_64.c
--- linux-2.6.30.4/arch/x86/kernel/module_64.c 2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/arch/x86/kernel/module_64.c 2009-07-30 09:48:09.950015875 -0400
++++ linux-2.6.30.4/arch/x86/kernel/module_64.c 2009-08-01 15:35:35.161871747 -0400
@@ -40,7 +40,7 @@ void module_free(struct module *mod, voi
table entries. */
}
@@ -9781,7 +9782,7 @@
{
struct vm_struct *area;
-@@ -54,8 +54,31 @@ void *module_alloc(unsigned long size)
+@@ -54,8 +54,33 @@ void *module_alloc(unsigned long size)
if (!area)
return NULL;
@@ -9799,10 +9800,12 @@
+{
+ module_free(mod, module_region);
+}
++EXPORT_SYMBOL(module_free_exec);
+
+void *module_alloc_exec(unsigned long size)
+{
+ return __module_alloc(size, PAGE_KERNEL_RX);
++EXPORT_SYMBOL(module_alloc_exec);
}
+#else
+void *module_alloc(unsigned long size)
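Review bot: `EXPORT_SYMBOL(module_alloc_exec);` is inserted between `return __module_alloc(size, PAGE_KERNEL_RX);` and the closing brace, i.e. inside the body of module_alloc_exec, whereas module_free_exec's export a few lines up correctly follows its `}`. Whether or not gcc tolerates the macro's static declarations at block scope after a statement, that is not where an export belongs and it is likely to trip the kernel's -Wdeclaration-after-statement; the order should be `return __module_alloc(size, PAGE_KERNEL_RX);` / `}` / `EXPORT_SYMBOL(module_alloc_exec);`. As with the 32-bit file, `EXPORT_SYMBOL_GPL` would be the more conventional choice for a kernel-internal executable-memory allocator.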
@@ -9814,7 +9817,7 @@
#endif
/* We don't need anything special. */
-@@ -79,6 +102,10 @@ int apply_relocate_add(Elf64_Shdr *sechd
+@@ -79,6 +104,10 @@ int apply_relocate_add(Elf64_Shdr *sechd
void *loc;
u64 val;
@@ -9825,7 +9828,7 @@
DEBUGP("Applying relocate section %u to %u\n", relsec,
sechdrs[relsec].sh_info);
for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
-@@ -101,21 +128,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
+@@ -101,21 +130,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
case R_X86_64_NONE:
break;
case R_X86_64_64:
@@ -11468,7 +11471,7 @@
*(.bss)
diff -urNp linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S
--- linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S 2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S 2009-07-30 19:56:23.500027109 -0400
++++ linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S 2009-08-01 08:46:06.438873305 -0400
@@ -13,11 +13,11 @@
OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
OUTPUT_ARCH(i386:x86-64)
@@ -11497,8 +11500,8 @@
. = ALIGN(PAGE_SIZE); /* Align data segment to page size boundary */
+#endif
/* Data */
-+ _data = .;
.data : AT(ADDR(.data) - LOAD_OFFSET) {
++ _data = .;
DATA_DATA
CONSTRUCTORS
- _edata = .; /* End of data section */
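Review bot: The reason `_data = .;` moves from before the `.data` output-section statement to its first line is not recorded in the script; presumably it is so that `_data` names the section's actual start rather than the location counter as it stood before any alignment padding the section itself introduces, which matters when the page alignment above is compiled out (note the `#endif` just before the comment). A one-line comment would stop the next reader from moving it back: `_data = .;	/* must be inside the section: . outside may precede .data's own alignment padding */`. The output-section statement continues outside the hunk.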
@@ -21977,7 +21980,7 @@
.write_begin = ecryptfs_write_begin,
diff -urNp linux-2.6.30.4/fs/exec.c linux-2.6.30.4/fs/exec.c
--- linux-2.6.30.4/fs/exec.c 2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/fs/exec.c 2009-07-30 11:10:49.146300194 -0400
++++ linux-2.6.30.4/fs/exec.c 2009-08-01 14:58:11.881121157 -0400
@@ -54,12 +54,24 @@
#include <linux/kmod.h>
#include <linux/fsnotify.h>
@@ -22003,6 +22006,15 @@
int core_uses_pid;
char core_pattern[CORENAME_MAX_SIZE] = "core";
int suid_dumpable = 0;
+@@ -112,7 +124,7 @@ SYSCALL_DEFINE1(uselib, const char __use
+ goto out;
+
+ file = do_filp_open(AT_FDCWD, tmp,
+- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
++ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
+ MAY_READ | MAY_EXEC | MAY_OPEN);
+ putname(tmp);
+ error = PTR_ERR(file);
@@ -160,18 +172,10 @@ static struct page *get_arg_page(struct
int write)
{
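Review bot: With FMODE_GREXEC defined as 8192 in the fs.h hunk, the new open flags for uselib also spell O_ASYNC (FASYNC is 00020000 on asm-generic and x86 fcntl values), so as far as the VFS is concerned every library image is now opened with O_ASYNC and, if the flag word reaches f_flags unchanged as it does in mainline do_filp_open, I believe its final fput will invoke f_op->fasync(-1, ...) on filesystems that implement it. Mixing an fmode_t into the O_* word is mainline's own FMODE_EXEC hack, but that only works because 32 is unused in the O_* space; FMODE_GREXEC needs a bit that is equally free on every architecture, or has to be stripped from open_flag before __dentry_open. The uselib syscall body starts and ends outside the hunk.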
@@ -22119,6 +22131,15 @@
}
EXPORT_SYMBOL(setup_arg_pages);
+@@ -650,7 +680,7 @@ struct file *open_exec(const char *name)
+ int err;
+
+ file = do_filp_open(AT_FDCWD, name,
+- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
++ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
+ MAY_EXEC | MAY_OPEN);
+ if (IS_ERR(file))
+ goto out;
@@ -1046,7 +1076,7 @@ int check_unsafe_exec(struct linux_binpr
}
rcu_read_unlock();
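Review bot: The flag expression `O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC` is now spelled out at two call sites (here and in the uselib hunk) while the rule that FMODE_GREXEC must accompany FMODE_EXEC lives only in the gracl_fs.c check, so the two will drift apart silently. I would define it once near the top of fs/exec.c, `#define EXEC_OPEN_FLAGS (O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC)`, with a comment that FMODE_GREXEC tells the grsecurity RBAC open check not to demand read permission for an exec-only open, and use it in both do_filp_open calls. open_exec's body continues outside the hunk.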
@@ -29680,8 +29701,8 @@
+
diff -urNp linux-2.6.30.4/grsecurity/gracl_fs.c linux-2.6.30.4/grsecurity/gracl_fs.c
--- linux-2.6.30.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.30.4/grsecurity/gracl_fs.c 2009-07-30 11:10:49.347341041 -0400
-@@ -0,0 +1,423 @@
++++ linux-2.6.30.4/grsecurity/gracl_fs.c 2009-08-01 15:00:28.098114831 -0400
+@@ -0,0 +1,424 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/types.h>
@@ -29732,7 +29753,8 @@
+ reqmode |= GR_WRITE;
+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
+ reqmode |= GR_READ;
-+
++ if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
++ reqmode &= ~GR_READ;
+ mode =
+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
+ mnt);
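Review bot: The new branch drops GR_READ from the required mode whenever both FMODE_GREXEC and FMODE_EXEC are set in `fmode`, but nothing in the hunk ties those bits to the kernel's exec path; `fmode` is tested against both FMODE_READ and O_DIRECTORY on the line above, which looks like the converted open(2) flag word, and if that is where it comes from a process can pass 0x20 (FMODE_EXEC) and 0x2000 (FMODE_GREXEC, which is also O_ASYNC on asm-generic values) to an ordinary open(2) — this kernel series does not appear to mask unknown open flags — and then read(2) a file the RBAC policy only lets it execute. The exemption should rest on something user space cannot set, e.g. masking FMODE_GREXEC (and FMODE_EXEC) out of user-supplied flags in do_sys_open before they reach this check, or carrying the exec intent in a kernel-only argument, and once that holds the branch should say so: `/* exec/uselib opens: the kernel reads the image itself, so GR_EXEC alone suffices; both bits are set only by open_exec()/sys_uselib(), never from user flags */`. The enclosing function starts and ends outside the hunk.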
@@ -35035,8 +35057,19 @@
diff -urNp linux-2.6.30.4/include/linux/fs.h linux-2.6.30.4/include/linux/fs.h
--- linux-2.6.30.4/include/linux/fs.h 2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/include/linux/fs.h 2009-07-30 09:48:10.109883773 -0400
-@@ -2423,7 +2423,7 @@ static int __fops ## _open(struct inode
++++ linux-2.6.30.4/include/linux/fs.h 2009-08-01 14:57:12.341093728 -0400
+@@ -87,6 +87,10 @@ struct inodes_stat_t {
+ */
+ #define FMODE_NOCMTIME ((__force fmode_t)2048)
+
++/* Hack for grsec so as not to require read permission simply to execute
++ a binary */
++#define FMODE_GREXEC ((__force fmode_t)8192)
++
+ /*
+ * The below are the various read and write types that we support. Some of
+ * them include behavioral modifiers that send information down to the
+@@ -2423,7 +2427,7 @@ static int __fops ## _open(struct inode
__simple_attr_check_format(__fmt, 0ull); \
return simple_attr_open(inode, file, __get, __set, __fmt); \
} \
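Review bot: The comment on FMODE_GREXEC says what it is for but not the constraint its value must satisfy: the fs/exec.c hunks OR it into do_filp_open's O_*-typed open_flag word next to O_LARGEFILE and O_RDONLY, so it must not alias any O_* flag on any architecture, and 8192 is exactly FASYNC/O_ASYNC (00020000) in asm-generic/fcntl.h and on x86. Mainline's FMODE_EXEC survives the same trick only because 32 is unused in the O_* space. I would pick a value that is free in every arch's fcntl.h, guard it with a BUILD_BUG_ON against the O_* flags it could alias, and reword the comment to state the rule: set by open_exec()/uselib so the grsecurity RBAC open check does not require read permission merely to execute; OR'd into the open(2) flag word like FMODE_EXEC, so it must not collide with any O_* value.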
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.3.2.3&r2=1.3.2.4&f=u