packages: kernel/kernel-grsec_fixes.patch, kernel/kernel-grsec_full.patch, ...
arekm
arekm at pld-linux.org
Wed Jan 19 19:00:51 CET 2011
Author: arekm Date: Wed Jan 19 18:00:51 2011 GMT
Module: packages Tag: HEAD
---- Log message:
- update grsec to http://grsecurity.net/~spender/grsecurity-2.2.1-2.6.37-201101172105.patch
---- Files affected:
packages/kernel:
kernel-grsec_fixes.patch (1.19 -> 1.20) , kernel-grsec_full.patch (1.55 -> 1.56) , kernel.spec (1.872 -> 1.873)
---- Diffs:
================================================================
Index: packages/kernel/kernel-grsec_fixes.patch
diff -u packages/kernel/kernel-grsec_fixes.patch:1.19 packages/kernel/kernel-grsec_fixes.patch:1.20
--- packages/kernel/kernel-grsec_fixes.patch:1.19 Mon Jan 17 13:18:07 2011
+++ packages/kernel/kernel-grsec_fixes.patch Wed Jan 19 19:00:46 2011
@@ -165,32 +165,4 @@
if (err) {
sock_release(newsock);
---- linux-2.6.37/include/linux/slab.h~ 2011-01-17 11:48:00.934382737 +0100
-+++ linux-2.6.37/include/linux/slab.h 2011-01-17 12:38:01.843508841 +0100
-@@ -344,7 +344,7 @@
- #define kmalloc(x, y) \
- ({ \
- void *___retval; \
-- intoverflow_t ___x = (intoverflow_t)x; \
-+ intoverflow_t ___x = (intoverflow_t)(x); \
- if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
- ___retval = NULL; \
- else \
-@@ -355,7 +355,7 @@
- #define kmalloc_node(x, y, z) \
- ({ \
- void *___retval; \
-- intoverflow_t ___x = (intoverflow_t)x; \
-+ intoverflow_t ___x = (intoverflow_t)(x); \
- if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
- ___retval = NULL; \
- else \
-@@ -366,7 +366,7 @@
- #define kzalloc(x, y) \
- ({ \
- void *___retval; \
-- intoverflow_t ___x = (intoverflow_t)x; \
-+ intoverflow_t ___x = (intoverflow_t)(x); \
- if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
- ___retval = NULL; \
- else \
+
================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.55 packages/kernel/kernel-grsec_full.patch:1.56
--- packages/kernel/kernel-grsec_full.patch:1.55 Mon Jan 17 12:14:23 2011
+++ packages/kernel/kernel-grsec_full.patch Wed Jan 19 19:00:46 2011
@@ -27514,6 +27514,19 @@
static struct kgdb_io kgdboc_io_ops = {
.name = "kgdboc",
.read_char = kgdboc_get_char,
+diff -urNp linux-2.6.37/drivers/staging/autofs/root.c linux-2.6.37/drivers/staging/autofs/root.c
+--- linux-2.6.37/drivers/staging/autofs/root.c 2011-01-04 19:50:19.000000000 -0500
++++ linux-2.6.37/drivers/staging/autofs/root.c 2011-01-17 21:04:34.000000000 -0500
+@@ -308,7 +308,8 @@ static int autofs_root_symlink(struct in
+ set_bit(n,sbi->symlink_bitmap);
+ sl = &sbi->symlink[n];
+ sl->len = strlen(symname);
+- sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
++ slsize = sl->len + 1;
++ sl->data = kmalloc(slsize, GFP_KERNEL);
+ if (!sl->data) {
+ clear_bit(n,sbi->symlink_bitmap);
+ unlock_kernel();
diff -urNp linux-2.6.37/drivers/staging/bcm/Bcmchar.c linux-2.6.37/drivers/staging/bcm/Bcmchar.c
--- linux-2.6.37/drivers/staging/bcm/Bcmchar.c 2011-01-04 19:50:19.000000000 -0500
+++ linux-2.6.37/drivers/staging/bcm/Bcmchar.c 2011-01-17 02:41:01.000000000 -0500
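Review bot: The hoisted `slsize = sl->len + 1;` works around the grsecurity kmalloc() wrapper, which casts its size argument without parentheses (`(intoverflow_t)x` in the slab.h lines this commit drops from kernel-grsec_fixes.patch), so an assignment passed as the size would not compile. With the local `(intoverflow_t)(x)` fix removed, any other caller in the distribution's patch set that passes an assignment expression as the size would hit the same build error and is worth grepping for. The unparenthesised cast is presumably intentional upstream, so that a product such as `n * size` is evaluated in the wider type before the `ULONG_MAX` check. If so, a comment in kernel.spec next to Patch9999, such as `# do not re-add (intoverflow_t)(x) to kmalloc: it would hide size overflows from the check`, would keep the local fix from coming back. autofs_root_symlink begins and ends outside the hunk.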
@@ -31928,7 +31941,7 @@
lock_flocks();
diff -urNp linux-2.6.37/fs/namei.c linux-2.6.37/fs/namei.c
--- linux-2.6.37/fs/namei.c 2011-01-04 19:50:19.000000000 -0500
-+++ linux-2.6.37/fs/namei.c 2011-01-17 02:46:52.000000000 -0500
++++ linux-2.6.37/fs/namei.c 2011-01-17 11:57:48.000000000 -0500
@@ -221,14 +221,6 @@ int generic_permission(struct inode *ino
return ret;
@@ -32146,7 +32159,19 @@
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path->dentry);
-@@ -2013,6 +2064,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -1838,6 +1889,11 @@ reval:
+ error = security_inode_follow_link(path.dentry, &nd);
+ if (error)
+ goto exit_dput;
++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode,
++ path.dentry->d_inode, path.dentry, nd.path.mnt)) {
++ error = -EACCES;
++ goto exit_dput;
++ }
+ error = __do_follow_link(&path, &nd, &cookie);
+ if (unlikely(error)) {
+ /* nd.path had been dropped */
+@@ -2013,6 +2069,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
error = may_mknod(mode);
if (error)
goto out_dput;
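Review bot: The new `gr_handle_follow_link(path.dentry->d_parent->d_inode, ...)` call after `reval:` reads `d_parent` with no lock or reference visible in the hunk, so a concurrent rename could in principle move the symlink between this check and `__do_follow_link()`, and the decision would then be made against a stale parent directory. Whether something outside the hunk keeps the parent stable cannot be told from here; a comment above the call, such as `/* parent is stable here because <lock/reference held>, see <caller> */`, would record it. Since this update adds the check to a path the previous revision lacked, it is also worth confirming that every other symlink-following path in fs/namei.c carries the same check and returns the same `-EACCES`. The enclosing function begins and ends outside the hunk.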
@@ -32164,7 +32189,7 @@
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2033,6 +2095,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -2033,6 +2100,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
}
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -32174,7 +32199,7 @@
out_dput:
dput(dentry);
out_unlock:
-@@ -2085,6 +2150,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2085,6 +2155,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
if (IS_ERR(dentry))
goto out_unlock;
@@ -32186,7 +32211,7 @@
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current_umask();
error = mnt_want_write(nd.path.mnt);
-@@ -2096,6 +2166,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2096,6 +2171,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -32197,7 +32222,7 @@
out_dput:
dput(dentry);
out_unlock:
-@@ -2177,6 +2251,8 @@ static long do_rmdir(int dfd, const char
+@@ -2177,6 +2256,8 @@ static long do_rmdir(int dfd, const char
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -32206,7 +32231,7 @@
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2201,6 +2277,19 @@ static long do_rmdir(int dfd, const char
+@@ -2201,6 +2282,19 @@ static long do_rmdir(int dfd, const char
error = PTR_ERR(dentry);
if (IS_ERR(dentry))
goto exit2;
@@ -32226,7 +32251,7 @@
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2208,6 +2297,8 @@ static long do_rmdir(int dfd, const char
+@@ -2208,6 +2302,8 @@ static long do_rmdir(int dfd, const char
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -32235,7 +32260,7 @@
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2270,6 +2361,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2270,6 +2366,8 @@ static long do_unlinkat(int dfd, const c
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -32244,7 +32269,7 @@
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2289,8 +2382,17 @@ static long do_unlinkat(int dfd, const c
+@@ -2289,8 +2387,17 @@ static long do_unlinkat(int dfd, const c
if (nd.last.name[nd.last.len])
goto slashes;
inode = dentry->d_inode;
@@ -32263,7 +32288,7 @@
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2298,6 +2400,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2298,6 +2405,8 @@ static long do_unlinkat(int dfd, const c
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -32272,7 +32297,7 @@
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2375,6 +2479,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2375,6 +2484,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (IS_ERR(dentry))
goto out_unlock;
@@ -32284,7 +32309,7 @@
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2382,6 +2491,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2382,6 +2496,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (error)
goto out_drop_write;
error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
@@ -32293,7 +32318,7 @@
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2474,6 +2585,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2474,6 +2590,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -32314,7 +32339,7 @@
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2481,6 +2606,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2481,6 +2611,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
if (error)
goto out_drop_write;
error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
@@ -32323,7 +32348,7 @@
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2714,6 +2841,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -2714,6 +2846,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
if (new_dentry == trap)
goto exit5;
@@ -32336,7 +32361,7 @@
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -2723,6 +2856,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -2723,6 +2861,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -34763,7 +34788,7 @@
+}
diff -urNp linux-2.6.37/grsecurity/gracl.c linux-2.6.37/grsecurity/gracl.c
--- linux-2.6.37/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.37/grsecurity/gracl.c 2011-01-17 02:41:02.000000000 -0500
++++ linux-2.6.37/grsecurity/gracl.c 2011-01-17 20:20:28.000000000 -0500
@@ -0,0 +1,3991 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
@@ -37806,7 +37831,7 @@
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
+ error = -EAGAIN;
+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
-+ lock_kernel();
++ preempt_disable();
+
+ pax_open_kernel();
+ gr_status &= ~GR_READY;
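Review bot: `preempt_disable()` here is not an equivalent replacement for `lock_kernel()`: it only keeps the current CPU from being preempted and does not exclude another task entering the same reload path on a different CPU. Together with the next hunk, where `preempt_enable()` replaces both `unlock_kernel()` calls, preemption also stays off across `free_variables()` and `gracl_init(gr_usermode)`. Neither function is visible here; if either can sleep (a GFP_KERNEL or vmalloc allocation, copying the policy from user space), that would be sleeping in atomic context. Before shipping this, confirm which lock serialises policy reloads now and record it at the call, e.g. `/* reloads are serialised by <lock>; preempt_disable() only pins this CPU while GR_READY is cleared */`. The enclosing function begins and ends outside both hunks.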
@@ -37814,10 +37839,10 @@
+
+ free_variables();
+ if (!(error2 = gracl_init(gr_usermode))) {
-+ unlock_kernel();
++ preempt_enable();
+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
+ } else {
-+ unlock_kernel();
++ preempt_enable();
+ error = error2;
+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
+ }
================================================================
Index: packages/kernel/kernel.spec
diff -u packages/kernel/kernel.spec:1.872 packages/kernel/kernel.spec:1.873
--- packages/kernel/kernel.spec:1.872 Mon Jan 17 20:39:21 2011
+++ packages/kernel/kernel.spec Wed Jan 19 19:00:46 2011
@@ -89,7 +89,7 @@
%define basever 2.6.37
%define postver %{nil}
-%define rel 1
+%define rel 1.1
%define _enable_debug_packages 0
@@ -293,7 +293,7 @@
# based on ftp://ftp.leg.uct.ac.za/pub/linux/rip/tmpfs_root-2.6.30.diff.gz
Patch7000: kernel-inittmpfs.patch
-# based on http://www.grsecurity.net/~spender/grsecurity-2.2.1-2.6.37-201101170305.patch
+# based on http://www.grsecurity.net/~spender/grsecurity-2.2.1-2.6.37-201101172105.patch
# NOTE: put raw upstream patches on kernel-grsec_full.patch:GRSECURITY_RAW for reference
# (since upstream deletes older patches)
Patch9999: kernel-grsec_full.patch
@@ -1530,6 +1530,9 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.873 2011/01/19 18:00:46 arekm
+- update grsec to http://grsecurity.net/~spender/grsecurity-2.2.1-2.6.37-201101172105.patch
+
Revision 1.872 2011/01/17 19:39:21 arekm
- rel 1
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_fixes.patch?r1=1.19&r2=1.20&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.55&r2=1.56&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel.spec?r1=1.872&r2=1.873&f=u