* [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.33/, 2.6.32/, 3.6.6/
@ 2012-11-08 12:12 Anthony G. Basile
From: Anthony G. Basile @ 2012-11-08 12:12 UTC (permalink / raw
To: gentoo-commits
commit: ff6e8b2b912e491042af8475e8cc1aa2aea9744f
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Nov 8 12:12:21 2012 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Nov 8 12:12:21 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=ff6e8b2b
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.33,3.6.6}-201211072001
---
2.6.32/0000_README | 2 +-
..._grsecurity-2.9.1-2.6.32.60-201211071959.patch} | 29 ++++++++++-----
3.2.33/0000_README | 2 +-
...420_grsecurity-2.9.1-3.2.33-201211072000.patch} | 38 +++++++++++++++++---
3.6.6/0000_README | 2 +-
...4420_grsecurity-2.9.1-3.6.6-201211072001.patch} | 38 +++++++++++++++++---
6 files changed, 89 insertions(+), 22 deletions(-)
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index bbe4567..8bd0698 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201211042106.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211042106.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211042106.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
index e2f2160..82352cf 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211042106.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
@@ -27117,10 +27117,18 @@ index f46c3407..f7e72b0 100644
}
if (mm->get_unmapped_area == arch_get_unmapped_area)
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 73ffd55..5c2a82a 100644
+index 73ffd55..e88dff5 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
-@@ -13,6 +13,7 @@
+@@ -1,6 +1,7 @@
+ #include <linux/initrd.h>
+ #include <linux/ioport.h>
+ #include <linux/swap.h>
++#include <linux/tboot.h>
+
+ #include <asm/cacheflush.h>
+ #include <asm/e820.h>
+@@ -13,6 +14,7 @@
#include <asm/tlbflush.h>
#include <asm/tlb.h>
#include <asm/proto.h>
@@ -27128,7 +27136,7 @@ index 73ffd55..5c2a82a 100644
DEFINE_PER_CPU(struct mmu_gather, mmu_gathers);
-@@ -69,11 +70,7 @@ static void __init find_early_table_space(unsigned long end, int use_pse,
+@@ -69,11 +71,7 @@ static void __init find_early_table_space(unsigned long end, int use_pse,
* cause a hotspot and fill up ZONE_DMA. The page tables
* need roughly 0.5KB per GB.
*/
@@ -27141,7 +27149,7 @@ index 73ffd55..5c2a82a 100644
e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
tables, PAGE_SIZE);
if (e820_table_start == -1UL)
-@@ -147,7 +144,7 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
+@@ -147,7 +145,7 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
#endif
set_nx();
@@ -27150,7 +27158,7 @@ index 73ffd55..5c2a82a 100644
printk(KERN_INFO "NX (Execute Disable) protection: active\n");
/* Enable PSE if available */
-@@ -329,10 +326,32 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
+@@ -329,10 +327,35 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
* Access has to be given to non-kernel-ram areas as well, these contain the PCI
* mmio resources as well as potential bios/acpi data regions.
*/
@@ -27169,21 +27177,24 @@ index 73ffd55..5c2a82a 100644
+ /* allow EBDA */
+ if (pagenr >= ebda_start && pagenr < ebda_end)
+ return 1;
++ /* if tboot is in use, allow access to its hardcoded serial log range */
++ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))
++ return 1;
+ /* allow ISA/video mem */
+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
+ return 1;
+ /* throw out everything else below 1MB */
-+ if (pagenr <= 256)
+ if (pagenr <= 256)
+ return 0;
+#else
- if (pagenr <= 256)
++ if (pagenr < 256)
return 1;
+#endif
+
if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
return 0;
if (!page_is_ram(pagenr))
-@@ -377,8 +396,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+@@ -377,8 +400,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
#endif
}
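Review bot: The tboot carve-out `++ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))` hard-codes tboot's serial-log window as two bare numbers; if arch/x86/kernel/tboot.c already names that window, export those constants through linux/tboot.h and test `pagenr >= (TBOOT_SERIAL_LOG_ADDR >> PAGE_SHIFT) && pagenr < ((TBOOT_SERIAL_LOG_ADDR + TBOOT_SERIAL_LOG_SIZE) >> PAGE_SHIFT)` so this check cannot drift from the range tboot really uses. Since the branch is a deliberate widening of what GRKERNSEC_KMEM lets /dev/mem read below 1MB, the comment should say why, e.g. `/* tboot logs to 0x60000-0x68000; when TXT launched us, let root read that log through /dev/mem */`. The same hunk also turns upstream's `if (pagenr <= 256)` into `++ if (pagenr < 256)` in the non-KMEM branch, dropping page 256 (physical 0x100000) from the unconditional allow; that agrees with the "below 1MB" comment but is an unannounced change to the non-hardened path, and the KMEM deny above it still uses `<= 256`, so either align the two or comment the asymmetry. The enclosing function (presumably devmem_is_allowed(), judging by the context lines) begins and ends outside this hunk.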
@@ -112040,7 +112051,7 @@ index b9644d8..537313b 100644
return -EFAULT;
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
-index 1eba160..c35d91f 100644
+index 1eba160b..c35d91f 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -313,11 +313,13 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
diff --git a/3.2.33/0000_README b/3.2.33/0000_README
index cef651c..4f37d3a 100644
--- a/3.2.33/0000_README
+++ b/3.2.33/0000_README
@@ -50,7 +50,7 @@ Patch: 1032_linux-3.2.33.patch
From: http://www.kernel.org
Desc: Linux 3.2.33
-Patch: 4420_grsecurity-2.9.1-3.2.33-201211042155.patch
+Patch: 4420_grsecurity-2.9.1-3.2.33-201211072000.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211042155.patch b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch
similarity index 99%
rename from 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211042155.patch
rename to 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch
index 42ec9ae..3d86532 100644
--- a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211042155.patch
+++ b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch
@@ -24864,10 +24864,18 @@ index df7d12c..abafe9e 100644
}
if (mm->get_unmapped_area == arch_get_unmapped_area)
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 87488b9..cb10023 100644
+index 87488b9..ec24280 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
-@@ -15,6 +15,8 @@
+@@ -3,6 +3,7 @@
+ #include <linux/ioport.h>
+ #include <linux/swap.h>
+ #include <linux/memblock.h>
++#include <linux/tboot.h>
+
+ #include <asm/cacheflush.h>
+ #include <asm/e820.h>
+@@ -15,6 +16,8 @@
#include <asm/tlbflush.h>
#include <asm/tlb.h>
#include <asm/proto.h>
@@ -24876,7 +24884,7 @@ index 87488b9..cb10023 100644
unsigned long __initdata pgt_buf_start;
unsigned long __meminitdata pgt_buf_end;
-@@ -31,7 +33,7 @@ int direct_gbpages
+@@ -31,7 +34,7 @@ int direct_gbpages
static void __init find_early_table_space(unsigned long end, int use_pse,
int use_gbpages)
{
@@ -24885,7 +24893,7 @@ index 87488b9..cb10023 100644
phys_addr_t base;
puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
-@@ -310,10 +312,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
+@@ -310,10 +313,40 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
* Access has to be given to non-kernel-ram areas as well, these contain the PCI
* mmio resources as well as potential bios/acpi data regions.
*/
@@ -24904,6 +24912,9 @@ index 87488b9..cb10023 100644
+ /* allow EBDA */
+ if (pagenr >= ebda_start && pagenr < ebda_end)
+ return 1;
++ /* if tboot is in use, allow access to its hardcoded serial log range */
++ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))
++ return 1;
+#else
+ if (!pagenr)
+ return 1;
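Review bot: The new `++ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))` repeats tboot's serial-log window as two magic numbers that are also duplicated in the 2.6.32 and 3.6.6 copies of this patch; naming them once (ideally via constants exported from linux/tboot.h, if arch/x86/kernel/tboot.c already defines them) keeps the three trees from drifting apart. The line deliberately punches a 32KB hole in the GRKERNSEC_KMEM /dev/mem policy below 1MB, so say why in the comment: `/* tboot's serial log lives at 0x60000-0x68000; after a TXT launch let root read it via /dev/mem */`. The enclosing function begins and ends outside this hunk.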
@@ -24924,7 +24935,7 @@ index 87488b9..cb10023 100644
if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
return 0;
if (!page_is_ram(pagenr))
-@@ -370,8 +399,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+@@ -370,8 +403,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
#endif
}
@@ -43028,6 +43039,23 @@ index e56c934..fc22f4b 100644
} u;
struct list_head list;
};
+diff --git a/drivers/xen/xenfs/xenstored.c b/drivers/xen/xenfs/xenstored.c
+index fef20db..d28b1ab 100644
+--- a/drivers/xen/xenfs/xenstored.c
++++ b/drivers/xen/xenfs/xenstored.c
+@@ -24,7 +24,12 @@ static int xsd_release(struct inode *inode, struct file *file)
+ static int xsd_kva_open(struct inode *inode, struct file *file)
+ {
+ file->private_data = (void *)kasprintf(GFP_KERNEL, "0x%p",
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL);
++#else
+ xen_store_interface);
++#endif
++
+ if (!file->private_data)
+ return -ENOMEM;
+ return 0;
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 879ed88..bc03a01 100644
--- a/fs/9p/vfs_inode.c
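Review bot: With CONFIG_GRKERNSEC_HIDESYM the new `++ NULL);` still goes through `"0x%p"`, so reading xsd_kva now yields whatever `%p` renders for a NULL pointer instead of the store page's address; any userspace reader that parses that string (rather than mmap()ing the file) silently gets a bogus value, and the hunk should say this is intended: `/* HIDESYM: never expose the kernel virtual address of the xenstore page via xenfs; consumers must mmap() this file instead */`. 3.2 already has `%pK`, so `kasprintf(GFP_KERNEL, "0x%pK", xen_store_interface)` would hide the address under kptr_restrict without an #ifdef, unless HIDESYM is meant to hide it unconditionally, in which case a comment saying so would pre-empt the question. The stray empty `++` line added after `#endif` is whitespace noise. xsd_kva_open() is shown whole here, but the rest of the file is outside the hunk.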
diff --git a/3.6.6/0000_README b/3.6.6/0000_README
index 3c4b928..b78c8e4 100644
--- a/3.6.6/0000_README
+++ b/3.6.6/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.6.6-201211051957.patch
+Patch: 4420_grsecurity-2.9.1-3.6.6-201211072001.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211051957.patch b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch
similarity index 99%
rename from 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211051957.patch
rename to 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch
index b18fa60..e6e5d8f 100644
--- a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211051957.patch
+++ b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch
@@ -24594,10 +24594,18 @@ index b91e485..d00e7c9 100644
}
if (mm->get_unmapped_area == arch_get_unmapped_area)
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index d7aea41..f753ad2 100644
+index d7aea41..0fc945b 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
-@@ -16,6 +16,8 @@
+@@ -4,6 +4,7 @@
+ #include <linux/swap.h>
+ #include <linux/memblock.h>
+ #include <linux/bootmem.h> /* for max_low_pfn */
++#include <linux/tboot.h>
+
+ #include <asm/cacheflush.h>
+ #include <asm/e820.h>
+@@ -16,6 +17,8 @@
#include <asm/tlb.h>
#include <asm/proto.h>
#include <asm/dma.h> /* for MAX_DMA_PFN */
@@ -24606,7 +24614,7 @@ index d7aea41..f753ad2 100644
unsigned long __initdata pgt_buf_start;
unsigned long __meminitdata pgt_buf_end;
-@@ -44,7 +46,7 @@ static void __init find_early_table_space(struct map_range *mr, int nr_range)
+@@ -44,7 +47,7 @@ static void __init find_early_table_space(struct map_range *mr, int nr_range)
{
int i;
unsigned long puds = 0, pmds = 0, ptes = 0, tables;
@@ -24615,7 +24623,7 @@ index d7aea41..f753ad2 100644
phys_addr_t base;
for (i = 0; i < nr_range; i++) {
-@@ -321,10 +323,37 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
+@@ -321,10 +324,40 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
* Access has to be given to non-kernel-ram areas as well, these contain the PCI
* mmio resources as well as potential bios/acpi data regions.
*/
@@ -24635,6 +24643,9 @@ index d7aea41..f753ad2 100644
+ /* allow EBDA */
+ if (pagenr >= ebda_start && pagenr < ebda_end)
+ return 1;
++ /* if tboot is in use, allow access to its hardcoded serial log range */
++ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))
++ return 1;
+#else
+ if (!pagenr)
+ return 1;
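Review bot: The added `++ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))` is the third copy of the same two magic numbers across the 2.6.32, 3.2.33 and 3.6.6 patches; if arch/x86/kernel/tboot.c already names tboot's serial-log window, export those constants from linux/tboot.h and derive the page bounds from them so the check cannot diverge from what tboot actually reserves. Because this is an intentional exception to the GRKERNSEC_KMEM /dev/mem policy below 1MB, the comment should state the purpose rather than the mechanism, e.g. `/* tboot's serial log lives at 0x60000-0x68000; after a TXT launch let root read it via /dev/mem */`. The enclosing function begins and ends outside this hunk.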
@@ -24654,7 +24665,7 @@ index d7aea41..f753ad2 100644
if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
return 0;
if (!page_is_ram(pagenr))
-@@ -381,8 +410,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+@@ -381,8 +414,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
#endif
}
@@ -42746,6 +42757,23 @@ index 89f7625..ac72702 100644
/* On error, dump existing buffer */
u->len = 0;
rc = -EINVAL;
+diff --git a/drivers/xen/xenfs/xenstored.c b/drivers/xen/xenfs/xenstored.c
+index fef20db..d28b1ab 100644
+--- a/drivers/xen/xenfs/xenstored.c
++++ b/drivers/xen/xenfs/xenstored.c
+@@ -24,7 +24,12 @@ static int xsd_release(struct inode *inode, struct file *file)
+ static int xsd_kva_open(struct inode *inode, struct file *file)
+ {
+ file->private_data = (void *)kasprintf(GFP_KERNEL, "0x%p",
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL);
++#else
+ xen_store_interface);
++#endif
++
+ if (!file->private_data)
+ return -ENOMEM;
+ return 0;
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index cbf9dbb..35c3af7 100644
--- a/fs/9p/vfs_inode.c
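Review bot: Under CONFIG_GRKERNSEC_HIDESYM the new `++ NULL);` is still formatted with `"0x%p"`, so xsd_kva reads back as `%p`'s rendering of a NULL pointer rather than the store page's address, and any userspace consumer that parses the string instead of mmap()ing the file gets a bogus value; the hunk should record that this is deliberate, e.g. `/* HIDESYM: do not leak the kernel virtual address of the xenstore page; xenstored must mmap() this file */`. 3.6 has `%pK`, so `kasprintf(GFP_KERNEL, "0x%pK", xen_store_interface)` would honour kptr_restrict without the #ifdef; if HIDESYM is meant to hide regardless of kptr_restrict, a comment saying so avoids the question on the next rebase. The extra blank `++` line after `#endif` is stray whitespace. xsd_kva_open() is complete within the hunk; the rest of the file is not shown.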
* [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.33/, 2.6.32/, 3.6.6/
@ 2012-11-14 2:19 Anthony G. Basile
From: Anthony G. Basile @ 2012-11-14 2:19 UTC (permalink / raw
To: gentoo-commits
commit: dad447bb6b1815cc9ed8f12cda3c1d37d59c9e70
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 14 02:19:12 2012 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Nov 14 02:19:12 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=dad447bb
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.33,3.6.6}-201211122213
---
2.6.32/0000_README | 2 +-
..._grsecurity-2.9.1-2.6.32.60-201211122212.patch} | 49 ++++++++++++--------
3.2.33/0000_README | 6 ++-
...420_grsecurity-2.9.1-3.2.33-201211122213.patch} | 49 ++++++++++++--------
3.2.33/4425-tmpfs-user-namespace.patch | 28 +++++++++++
3.6.6/0000_README | 6 ++-
...4420_grsecurity-2.9.1-3.6.6-201211122213.patch} | 49 ++++++++++++--------
3.6.6/4425-tmpfs-user-namespace.patch | 28 +++++++++++
8 files changed, 157 insertions(+), 60 deletions(-)
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 8bd0698..ac627bb 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
index 82352cf..4b4bbbc 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
@@ -84681,10 +84681,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..b50e14d
+index 0000000..42c1316
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4187 @@
+@@ -0,0 +1,4198 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -85747,7 +85747,7 @@ index 0000000..b50e14d
+}
+
+static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
+
+static int
+copy_user_glob(struct acl_object_label *obj)
@@ -85833,13 +85833,18 @@ index 0000000..b50e14d
+ return ret;
+
+ if (o_tmp->nested) {
-+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
++ int already_copied;
++
++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
+ if (IS_ERR(o_tmp->nested))
+ return PTR_ERR(o_tmp->nested);
+
-+ /* insert into nested subject list */
-+ o_tmp->nested->next = role->hash->first;
-+ role->hash->first = o_tmp->nested;
++ /* insert into nested subject list if we haven't copied this one yet
++ to prevent duplicate entries */
++ if (!already_copied) {
++ o_tmp->nested->next = role->hash->first;
++ role->hash->first = o_tmp->nested;
++ }
+ }
+ }
+
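Review bot: The new `if (!already_copied)` guard fixes genuine list corruption — previously a subject referenced as `nested` by two objects was pushed onto `role->hash->first` twice, and the second push overwrote `o_tmp->nested->next`, leaving the singly-linked list cyclic or truncated — but the comment only mentions "duplicate entries"; I would state the consequence, e.g. `/* a subject nested under several objects is copied once; pushing it again would rewrite ->next and corrupt the list */`. Note that already_copied is also 1 when the subject was first copied via a path that passes NULL (the parent_subject call and the top-level copy loop), so such a subject is never linked from here; that is only safe if those paths hash it themselves, which is outside this hunk and worth confirming in the comment. The enclosing function begins and ends outside the hunk.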
@@ -85958,7 +85963,7 @@ index 0000000..b50e14d
+}
+
+static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
+{
+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
+ unsigned int len;
@@ -85970,13 +85975,19 @@ index 0000000..b50e14d
+ unsigned int i_num;
+ int err;
+
++ if (already_copied != NULL)
++ *already_copied = 0;
++
+ s_tmp = lookup_subject_map(userp);
+
+ /* we've already copied this subject into the kernel, just return
+ the reference to it, and don't copy it over again
+ */
-+ if (s_tmp)
++ if (s_tmp) {
++ if (already_copied != NULL)
++ *already_copied = 1;
+ return(s_tmp);
++ }
+
+ if ((s_tmp = (struct acl_subject_label *)
+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
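Review bot: `int *already_copied` is a yes/no out-parameter, so `bool *already_copied` with `*already_copied = false;` / `= true;` would state the intent (the forward declaration earlier in the file changes the same way). Its contract — NULL allowed, always written before the lookup so it is valid on every return path, set only when the cached kernel copy is returned — is discoverable only by reading the body; a kernel-doc style line above the definition, `@already_copied: if non-NULL, set to 1 when userp was copied earlier and the existing kernel copy is returned`, would document it. The rest of do_copy_user_subj() runs past the end of the hunk.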
@@ -86062,7 +86073,7 @@ index 0000000..b50e14d
+
+ /* set pointer for parent subject */
+ if (s_tmp->parent_subject) {
-+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
+
+ if (IS_ERR(s_tmp2))
+ return s_tmp2;
@@ -86146,7 +86157,7 @@ index 0000000..b50e14d
+ continue;
+ }
+
-+ ret = do_copy_user_subj(userp, role);
++ ret = do_copy_user_subj(userp, role, NULL);
+
+ err = PTR_ERR(ret);
+ if (IS_ERR(ret))
@@ -102648,7 +102659,7 @@ index d4aba4f..0bb4763 100644
seq_printf(m, "%40s %14lu %29s %s\n", name,
stats->contending_point[i],
diff --git a/kernel/module.c b/kernel/module.c
-index 4b270e6..5e2eb1b 100644
+index 4b270e6..ca3d254 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -55,6 +55,7 @@
@@ -102742,7 +102753,7 @@ index 4b270e6..5e2eb1b 100644
+ p = strstr(mod->args, "grsec_modharden_fs");
+
+ if (p) {
-+ char *endptr = p + strlen("grsec_modharden_fs");
++ char *endptr = p + sizeof("grsec_modharden_fs") - 1;
+ /* copy \0 as well */
+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
+ is_fs_load = 1;
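Review bot: `sizeof("grsec_modharden_fs") - 1` is correct for a literal, but the literal now appears twice within three lines (the strstr and the offset), so a typo in either silently desynchronises them; one `static const char modharden_fs_tag[] = "grsec_modharden_fs";` used for both `strstr(mod->args, modharden_fs_tag)` and `sizeof(modharden_fs_tag) - 1` removes that. The strstr also matches the tag anywhere inside mod->args, including as the tail of some unrelated parameter, which this change leaves as is; presumably the tag is only ever injected by grsec's own modprobe path, but a comment saying so would help the next reader. The enclosing function begins and ends outside the hunk.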
@@ -103140,7 +103151,7 @@ index 4b270e6..5e2eb1b 100644
+ err = -EPERM;
+ goto cleanup;
+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
-+ p += strlen("grsec_modharden_normal");
++ p += sizeof("grsec_modharden_normal") - 1;
+ p2 = strstr(p, "_");
+ if (p2) {
+ *p2 = '\0';
@@ -113604,7 +113615,7 @@ index f900dc3..5e45346 100644
struct nlattr *nla;
diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
new file mode 100644
-index 0000000..b1bac76
+index 0000000..725bece
--- /dev/null
+++ b/net/netfilter/xt_gradm.c
@@ -0,0 +1,51 @@
@@ -113643,13 +113654,13 @@ index 0000000..b1bac76
+};
+
+static int __init gradm_mt_init(void)
-+{
-+ return xt_register_match(&gradm_mt_reg);
++{
++ return xt_register_match(&gradm_mt_reg);
+}
+
+static void __exit gradm_mt_exit(void)
-+{
-+ xt_unregister_match(&gradm_mt_reg);
++{
++ xt_unregister_match(&gradm_mt_reg);
+}
+
+module_init(gradm_mt_init);
diff --git a/3.2.33/0000_README b/3.2.33/0000_README
index 4f37d3a..c03c7c6 100644
--- a/3.2.33/0000_README
+++ b/3.2.33/0000_README
@@ -50,10 +50,14 @@ Patch: 1032_linux-3.2.33.patch
From: http://www.kernel.org
Desc: Linux 3.2.33
-Patch: 4420_grsecurity-2.9.1-3.2.33-201211072000.patch
+Patch: 4420_grsecurity-2.9.1-3.2.33-201211122213.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
+Patch: 4425-tmpfs-user-namespace.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Enable XATTR_USER_PREFIX namespace on tmpfs
+
Patch: 4430_grsec-remove-localversion-grsec.patch
From: Kerin Millar <kerframil@gmail.com>
Desc: Removes grsecurity's localversion-grsec file
diff --git a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch
similarity index 99%
rename from 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch
rename to 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch
index 3d86532..7a220ce 100644
--- a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch
+++ b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch
@@ -52333,10 +52333,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..ddf281c
+index 0000000..7feb2c5
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4202 @@
+@@ -0,0 +1,4213 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -53397,7 +53397,7 @@ index 0000000..ddf281c
+}
+
+static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
+
+static int
+copy_user_glob(struct acl_object_label *obj)
@@ -53483,13 +53483,18 @@ index 0000000..ddf281c
+ return ret;
+
+ if (o_tmp->nested) {
-+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
++ int already_copied;
++
++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
+ if (IS_ERR(o_tmp->nested))
+ return PTR_ERR(o_tmp->nested);
+
-+ /* insert into nested subject list */
-+ o_tmp->nested->next = role->hash->first;
-+ role->hash->first = o_tmp->nested;
++ /* insert into nested subject list if we haven't copied this one yet
++ to prevent duplicate entries */
++ if (!already_copied) {
++ o_tmp->nested->next = role->hash->first;
++ role->hash->first = o_tmp->nested;
++ }
+ }
+ }
+
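Review bot: The `if (!already_copied)` guard repairs real list corruption — with two objects nesting the same subject the old code pushed that subject onto `role->hash->first` twice, and the second push rewrote `o_tmp->nested->next`, leaving the list cyclic or truncated — yet the comment only says "duplicate entries"; spell out the effect: `/* a subject nested under several objects is copied once; linking it again would rewrite ->next and corrupt the list */`. already_copied is also reported as 1 when the first copy was made by a caller that passed NULL (the parent_subject call or the top-level loop), so that subject is never linked here; that is fine only if those callers hash it themselves, which is outside this hunk and worth confirming in the comment. The enclosing function begins and ends outside the hunk.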
@@ -53608,7 +53613,7 @@ index 0000000..ddf281c
+}
+
+static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
+{
+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
+ unsigned int len;
@@ -53620,13 +53625,19 @@ index 0000000..ddf281c
+ unsigned int i_num;
+ int err;
+
++ if (already_copied != NULL)
++ *already_copied = 0;
++
+ s_tmp = lookup_subject_map(userp);
+
+ /* we've already copied this subject into the kernel, just return
+ the reference to it, and don't copy it over again
+ */
-+ if (s_tmp)
++ if (s_tmp) {
++ if (already_copied != NULL)
++ *already_copied = 1;
+ return(s_tmp);
++ }
+
+ if ((s_tmp = (struct acl_subject_label *)
+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
@@ -53712,7 +53723,7 @@ index 0000000..ddf281c
+
+ /* set pointer for parent subject */
+ if (s_tmp->parent_subject) {
-+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
+
+ if (IS_ERR(s_tmp2))
+ return s_tmp2;
@@ -53796,7 +53807,7 @@ index 0000000..ddf281c
+ continue;
+ }
+
-+ ret = do_copy_user_subj(userp, role);
++ ret = do_copy_user_subj(userp, role, NULL);
+
+ err = PTR_ERR(ret);
+ if (IS_ERR(ret))
@@ -69087,7 +69098,7 @@ index 91c32a0..7b88d63 100644
seq_printf(m, "%40s %14lu %29s %pS\n",
name, stats->contending_point[i],
diff --git a/kernel/module.c b/kernel/module.c
-index 6c8fa34..0ab39b6 100644
+index 6c8fa34..b289138 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -58,6 +58,7 @@
@@ -69250,7 +69261,7 @@ index 6c8fa34..0ab39b6 100644
+
+ p = strstr(mod->args, "grsec_modharden_fs");
+ if (p) {
-+ char *endptr = p + strlen("grsec_modharden_fs");
++ char *endptr = p + sizeof("grsec_modharden_fs") - 1;
+ /* copy \0 as well */
+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
+ is_fs_load = 1;
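Review bot: `sizeof("grsec_modharden_fs") - 1` only works because the operand is a literal, and the same literal is now spelled twice in three lines (strstr and offset); a single `static const char modharden_fs_tag[] = "grsec_modharden_fs";` feeding both `strstr(mod->args, modharden_fs_tag)` and `sizeof(modharden_fs_tag) - 1` keeps them from drifting. The strstr match is unanchored, so the tag is also found as the tail of an unrelated argument, which this change does not address; if the tag is only ever injected by grsec's own modprobe path, say so in a comment. The enclosing function begins and ends outside the hunk.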
@@ -69660,7 +69671,7 @@ index 6c8fa34..0ab39b6 100644
+ err = -EPERM;
+ goto free_modinfo;
+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
-+ p += strlen("grsec_modharden_normal");
++ p += sizeof("grsec_modharden_normal") - 1;
+ p2 = strstr(p, "_");
+ if (p2) {
+ *p2 = '\0';
@@ -80157,7 +80168,7 @@ index 66b2c54..c7884e3 100644
struct nlattr *nla;
diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
new file mode 100644
-index 0000000..6905327
+index 0000000..c566332
--- /dev/null
+++ b/net/netfilter/xt_gradm.c
@@ -0,0 +1,51 @@
@@ -80196,13 +80207,13 @@ index 0000000..6905327
+};
+
+static int __init gradm_mt_init(void)
-+{
-+ return xt_register_match(&gradm_mt_reg);
++{
++ return xt_register_match(&gradm_mt_reg);
+}
+
+static void __exit gradm_mt_exit(void)
-+{
-+ xt_unregister_match(&gradm_mt_reg);
++{
++ xt_unregister_match(&gradm_mt_reg);
+}
+
+module_init(gradm_mt_init);
diff --git a/3.2.33/4425-tmpfs-user-namespace.patch b/3.2.33/4425-tmpfs-user-namespace.patch
new file mode 100644
index 0000000..a7d2649
--- /dev/null
+++ b/3.2.33/4425-tmpfs-user-namespace.patch
@@ -0,0 +1,28 @@
+Enable XATTR_USER_PREFIX extended attribute namespace for tmpfs
+
+For XATTR_PAX_FLAGS markings to work on a tmpfs filesystem, we
+need to accept XATTR_USER_PREFIX extended attribute namespace
+as valid. In Gentoo and other distros that make use of tmpfs
+for their packaging systems, this makes it possible to pax mark
+executables built in tmpfs before being tarred or otherwised
+packaged.
+
+X-Gentoo-Bug: 432434
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=432434
+Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
+---
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 67afba5..697a181 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1804,7 +1804,8 @@ static int shmem_xattr_validate(const char *name)
+ {
+ struct { const char *prefix; size_t len; } arr[] = {
+ { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
+- { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
++ { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN },
++ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN }
+ };
+ int i;
+
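Review bot: Adding `{ XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN }` lets any user who can write a tmpfs file attach arbitrary user.* attributes to it, and as far as I recall the 3.2 shmem xattr store is a plain kmalloc'd list that is not charged against the mount's size= limit (only the VFS per-attribute cap applies), so the description should spell out that trade-off and that the target is trusted build space, not a world-writable /tmp; worth confirming against mm/shmem.c before merging. The description's "otherwised" should read "otherwise". The patch shows the whole initializer, but shmem_xattr_validate() continues past the hunk.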
diff --git a/3.6.6/0000_README b/3.6.6/0000_README
index b78c8e4..306bcfd 100644
--- a/3.6.6/0000_README
+++ b/3.6.6/0000_README
@@ -2,10 +2,14 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.6.6-201211072001.patch
+Patch: 4420_grsecurity-2.9.1-3.6.6-201211122213.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
+Patch: 4425-tmpfs-user-namespace.patch
+From: Anthony G. Basile <blueness@gentoo.org>
+Desc: Enable XATTR_USER_PREFIX namespace on tmpfs
+
Patch: 4430_grsec-remove-localversion-grsec.patch
From: Kerin Millar <kerframil@gmail.com>
Desc: Removes grsecurity's localversion-grsec file
diff --git a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch
similarity index 99%
rename from 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch
rename to 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch
index e6e5d8f..164e8e9 100644
--- a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch
+++ b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch
@@ -51741,10 +51741,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..3d58260
+index 0000000..b736032
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4029 @@
+@@ -0,0 +1,4040 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -52809,7 +52809,7 @@ index 0000000..3d58260
+}
+
+static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
+
+static int
+copy_user_glob(struct acl_object_label *obj)
@@ -52895,13 +52895,18 @@ index 0000000..3d58260
+ return ret;
+
+ if (o_tmp->nested) {
-+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
++ int already_copied;
++
++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
+ if (IS_ERR(o_tmp->nested))
+ return PTR_ERR(o_tmp->nested);
+
-+ /* insert into nested subject list */
-+ o_tmp->nested->next = role->hash->first;
-+ role->hash->first = o_tmp->nested;
++ /* insert into nested subject list if we haven't copied this one yet
++ to prevent duplicate entries */
++ if (!already_copied) {
++ o_tmp->nested->next = role->hash->first;
++ role->hash->first = o_tmp->nested;
++ }
+ }
+ }
+
@@ -53020,7 +53025,7 @@ index 0000000..3d58260
+}
+
+static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
+{
+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
+ unsigned int len;
@@ -53032,13 +53037,19 @@ index 0000000..3d58260
+ unsigned int i_num;
+ int err;
+
++ if (already_copied != NULL)
++ *already_copied = 0;
++
+ s_tmp = lookup_subject_map(userp);
+
+ /* we've already copied this subject into the kernel, just return
+ the reference to it, and don't copy it over again
+ */
-+ if (s_tmp)
++ if (s_tmp) {
++ if (already_copied != NULL)
++ *already_copied = 1;
+ return(s_tmp);
++ }
+
+ if ((s_tmp = (struct acl_subject_label *)
+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
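Review bot: `int *already_copied` is used purely as a flag, so `bool *already_copied` with `false`/`true` would state that (the forward declaration earlier in the file changes the same way). Its contract — NULL permitted, assigned before the lookup so every return path leaves it valid, set only when the cached kernel copy is returned — is undocumented; add `@already_copied: if non-NULL, set to 1 when userp was copied earlier and the existing kernel copy is returned` above the definition. do_copy_user_subj() runs past the end of the hunk.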
@@ -53124,7 +53135,7 @@ index 0000000..3d58260
+
+ /* set pointer for parent subject */
+ if (s_tmp->parent_subject) {
-+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
+
+ if (IS_ERR(s_tmp2))
+ return s_tmp2;
@@ -53208,7 +53219,7 @@ index 0000000..3d58260
+ continue;
+ }
+
-+ ret = do_copy_user_subj(userp, role);
++ ret = do_copy_user_subj(userp, role, NULL);
+
+ err = PTR_ERR(ret);
+ if (IS_ERR(ret))
@@ -68212,7 +68223,7 @@ index 91c32a0..7b88d63 100644
seq_printf(m, "%40s %14lu %29s %pS\n",
name, stats->contending_point[i],
diff --git a/kernel/module.c b/kernel/module.c
-index 9ad9ee9..de7a157 100644
+index 9ad9ee9..f6e05c2 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -58,6 +58,7 @@
@@ -68393,7 +68404,7 @@ index 9ad9ee9..de7a157 100644
+
+ p = strstr(mod->args, "grsec_modharden_fs");
+ if (p) {
-+ char *endptr = p + strlen("grsec_modharden_fs");
++ char *endptr = p + sizeof("grsec_modharden_fs") - 1;
+ /* copy \0 as well */
+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
+ is_fs_load = 1;
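Review bot: `sizeof("grsec_modharden_fs") - 1` is fine for a literal, but the literal now appears twice within three lines (the strstr and the offset), so a mismatch between them would go unnoticed; one `static const char modharden_fs_tag[] = "grsec_modharden_fs";` used in both `strstr(mod->args, modharden_fs_tag)` and `sizeof(modharden_fs_tag) - 1` avoids that. The strstr is unanchored and will also match the tag inside an unrelated argument, which this change leaves alone; if the tag can only come from grsec's own modprobe path, a comment to that effect would help. The enclosing function begins and ends outside the hunk.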
@@ -68803,7 +68814,7 @@ index 9ad9ee9..de7a157 100644
+ err = -EPERM;
+ goto free_modinfo;
+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
-+ p += strlen("grsec_modharden_normal");
++ p += sizeof("grsec_modharden_normal") - 1;
+ p2 = strstr(p, "_");
+ if (p2) {
+ *p2 = '\0';
@@ -78672,7 +78683,7 @@ index 5cfb5be..217c6d8 100644
if (data_len) {
diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
new file mode 100644
-index 0000000..6905327
+index 0000000..c566332
--- /dev/null
+++ b/net/netfilter/xt_gradm.c
@@ -0,0 +1,51 @@
@@ -78711,13 +78722,13 @@ index 0000000..6905327
+};
+
+static int __init gradm_mt_init(void)
-+{
-+ return xt_register_match(&gradm_mt_reg);
++{
++ return xt_register_match(&gradm_mt_reg);
+}
+
+static void __exit gradm_mt_exit(void)
-+{
-+ xt_unregister_match(&gradm_mt_reg);
++{
++ xt_unregister_match(&gradm_mt_reg);
+}
+
+module_init(gradm_mt_init);
diff --git a/3.6.6/4425-tmpfs-user-namespace.patch b/3.6.6/4425-tmpfs-user-namespace.patch
new file mode 100644
index 0000000..b48d735
--- /dev/null
+++ b/3.6.6/4425-tmpfs-user-namespace.patch
@@ -0,0 +1,28 @@
+Enable XATTR_USER_PREFIX extended attribute namespace for tmpfs
+
+For XATTR_PAX_FLAGS markings to work on a tmpfs filesystem, we
+need to accept XATTR_USER_PREFIX extended attribute namespace
+as valid. In Gentoo and other distros that make use of tmpfs
+for their packaging systems, this makes it possible to pax mark
+executables built in tmpfs before being tarred or otherwised
+packaged.
+
+X-Gentoo-Bug: 432434
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=432434
+Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
+---
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 67afba5..697a181 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2208,7 +2208,8 @@ static int shmem_xattr_validate(const char *name)
+ {
+ struct { const char *prefix; size_t len; } arr[] = {
+ { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
+- { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
++ { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN },
++ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN }
+ };
+ int i;
+