From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Ql9JZ-0001yR-DJ for garchives@archives.gentoo.org; Mon, 25 Jul 2011 00:46:33 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 74A0B21C0A4; Mon, 25 Jul 2011 00:45:46 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 1390C21C0A4 for ; Mon, 25 Jul 2011 00:45:45 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 36E821B4022 for ; Mon, 25 Jul 2011 00:45:45 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id 8EB508001E for ; Mon, 25 Jul 2011 00:45:44 +0000 (UTC) From: "Anthony G. Basile" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile" Message-ID: <8404b2f746939508c30b80630d6c4ff2333e1bd2.blueness@gentoo> Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.39/, 2.6.32/ X-VCS-Repository: proj/hardened-patchset X-VCS-Files: 2.6.32/0000_README 2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107142110.patch 2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107191826.patch 2.6.39/0000_README 2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107161559.patch 2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch X-VCS-Directories: 2.6.39/ 2.6.32/ X-VCS-Committer: blueness X-VCS-Committer-Name: Anthony G. Basile X-VCS-Revision: 8404b2f746939508c30b80630d6c4ff2333e1bd2 Date: Mon, 25 Jul 2011 00:45:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 6489f7a9c74158bca05eb31cf8fed894 commit: 8404b2f746939508c30b80630d6c4ff2333e1bd2 Author: Anthony G. Basile gentoo org> AuthorDate: Mon Jul 25 00:39:08 2011 +0000 Commit: Anthony G. Basile gentoo org> CommitDate: Mon Jul 25 00:45:19 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-patc= hset.git;a=3Dcommit;h=3D8404b2f7 Update Grsec/PaX 2.2.2-2.6.32.43-201107191826 2.2.2-2.6.39.3-201107191826 --- 2.6.32/0000_README | 2 +- ..._grsecurity-2.2.2-2.6.32.43-201107191826.patch} | 110 ++++++++++++++= ------ 2.6.39/0000_README | 2 +- ...0_grsecurity-2.2.2-2.6.39.3-201107191826.patch} | 99 +++++++++++---= --- 4 files changed, 142 insertions(+), 71 deletions(-) diff --git a/2.6.32/0000_README b/2.6.32/0000_README index b4d5b5c..d1f7ce8 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -3,7 +3,7 @@ README =20 Individual Patch Descriptions: ------------------------------------------------------------------------= ----- -Patch: 4420_grsecurity-2.2.2-2.6.32.43-201107142110.patch +Patch: 4420_grsecurity-2.2.2-2.6.32.43-201107191826.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity =20 diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107142110.patch b/= 2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107191826.patch similarity index 99% rename from 2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107142110.patch rename to 2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107191826.patch index f729b69..27cdae4 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107142110.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.43-201107191826.patch @@ -15572,8 +15572,18 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/modul= e.c linux-2.6.32.43/arch/x86/ker goto overflow; diff -urNp linux-2.6.32.43/arch/x86/kernel/paravirt.c linux-2.6.32.43/ar= ch/x86/kernel/paravirt.c --- linux-2.6.32.43/arch/x86/kernel/paravirt.c 2011-03-27 14:31:47.00000= 0000 -0400 -+++ linux-2.6.32.43/arch/x86/kernel/paravirt.c 2011-05-16 21:46:57.00000= 0000 -0400 -@@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu ++++ linux-2.6.32.43/arch/x86/kernel/paravirt.c 2011-07-19 18:26:50.00000= 0000 -0400 +@@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x) + { + return x; + } ++#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) ++PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64); ++#endif +=20 + void __init default_banner(void) + { +@@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu * corresponding structure. */ static void *get_call_destination(u8 type) { @@ -15582,7 +15592,7 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/paravi= rt.c linux-2.6.32.43/arch/x86/k .pv_init_ops =3D pv_init_ops, .pv_time_ops =3D pv_time_ops, .pv_cpu_ops =3D pv_cpu_ops, -@@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ +@@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ .pv_lock_ops =3D pv_lock_ops, #endif }; @@ -15592,7 +15602,7 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/paravi= rt.c linux-2.6.32.43/arch/x86/k return *((void **)&tmpl + type); } =20 -@@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type, +@@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type, if (opfunc =3D=3D NULL) /* If there's no function, patch it with a ud2a (BUG) */ ret =3D paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a)); @@ -15608,9 +15618,14 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/parav= irt.c linux-2.6.32.43/arch/x86/k - else if (opfunc =3D=3D _paravirt_ident_64) + else if (opfunc =3D=3D (void *)_paravirt_ident_64) ret =3D paravirt_patch_ident_64(insnbuf, len); ++#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) ++ else if (opfunc =3D=3D (void *)__raw_callee_save__paravirt_ident_64) ++ ret =3D paravirt_patch_ident_64(insnbuf, len); ++#endif =20 else if (type =3D=3D PARAVIRT_PATCH(pv_cpu_ops.iret) || -@@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn + type =3D=3D PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) || +@@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn if (insn_len > len || start =3D=3D NULL) insn_len =3D len; else @@ -15619,7 +15634,7 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/paravi= rt.c linux-2.6.32.43/arch/x86/k =20 return insn_len; } -@@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void) +@@ -294,22 +304,22 @@ void arch_flush_lazy_mmu_mode(void) preempt_enable(); } =20 @@ -15646,7 +15661,7 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/paravi= rt.c linux-2.6.32.43/arch/x86/k .save_fl =3D __PV_IS_CALLEE_SAVE(native_save_fl), .restore_fl =3D __PV_IS_CALLEE_SAVE(native_restore_fl), .irq_disable =3D __PV_IS_CALLEE_SAVE(native_irq_disable), -@@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops =3D { +@@ -321,7 +331,7 @@ struct pv_irq_ops pv_irq_ops =3D { #endif }; =20 @@ -15655,7 +15670,7 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/paravi= rt.c linux-2.6.32.43/arch/x86/k .cpuid =3D native_cpuid, .get_debugreg =3D native_get_debugreg, .set_debugreg =3D native_set_debugreg, -@@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops =3D { +@@ -382,21 +392,26 @@ struct pv_cpu_ops pv_cpu_ops =3D { .end_context_switch =3D paravirt_nop, }; =20 @@ -15664,7 +15679,19 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/parav= irt.c linux-2.6.32.43/arch/x86/k #ifdef CONFIG_X86_LOCAL_APIC .startup_ipi_hook =3D paravirt_nop, #endif -@@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops =3D { + }; +=20 +-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE) ++#ifdef CONFIG_X86_32 ++#ifdef CONFIG_X86_PAE ++/* 64-bit pagetable entries */ ++#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64) ++#else + /* 32-bit pagetable entries */ + #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32) ++#endif + #else + /* 64-bit pagetable entries */ #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64) #endif =20 @@ -15673,7 +15700,7 @@ diff -urNp linux-2.6.32.43/arch/x86/kernel/paravi= rt.c linux-2.6.32.43/arch/x86/k =20 .read_cr2 =3D native_read_cr2, .write_cr2 =3D native_write_cr2, -@@ -467,6 +470,12 @@ struct pv_mmu_ops pv_mmu_ops =3D { +@@ -467,6 +482,12 @@ struct pv_mmu_ops pv_mmu_ops =3D { }, =20 .set_fixmap =3D native_set_fixmap, @@ -20339,8 +20366,16 @@ diff -urNp linux-2.6.32.43/arch/x86/lib/usercopy= _64.c linux-2.6.32.43/arch/x86/l =20 diff -urNp linux-2.6.32.43/arch/x86/Makefile linux-2.6.32.43/arch/x86/Ma= kefile --- linux-2.6.32.43/arch/x86/Makefile 2011-03-27 14:31:47.000000000 -040= 0 -+++ linux-2.6.32.43/arch/x86/Makefile 2011-04-17 15:56:46.000000000 -040= 0 -@@ -189,3 +189,12 @@ define archhelp ++++ linux-2.6.32.43/arch/x86/Makefile 2011-07-19 18:16:02.000000000 -040= 0 +@@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y) + else + BITS :=3D 64 + UTS_MACHINE :=3D x86_64 ++ biarch :=3D $(call cc-option,-m64) + CHECKFLAGS +=3D -D__x86_64__ -m64 +=20 + KBUILD_AFLAGS +=3D -m64 +@@ -189,3 +190,12 @@ define archhelp echo ' FDARGS=3D"..." arguments for the booted ker= nel' echo ' FDINITRD=3Dfile initrd for the booted kernel= ' endef @@ -50202,8 +50237,8 @@ diff -urNp linux-2.6.32.43/grsecurity/grsec_chdir= .c linux-2.6.32.43/grsecurity/g +} diff -urNp linux-2.6.32.43/grsecurity/grsec_chroot.c linux-2.6.32.43/grs= ecurity/grsec_chroot.c --- linux-2.6.32.43/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000= 000 -0500 -+++ linux-2.6.32.43/grsecurity/grsec_chroot.c 2011-07-14 19:24:30.000000= 000 -0400 -@@ -0,0 +1,378 @@ ++++ linux-2.6.32.43/grsecurity/grsec_chroot.c 2011-07-18 17:14:10.000000= 000 -0400 +@@ -0,0 +1,384 @@ +#include +#include +#include @@ -50429,14 +50464,19 @@ diff -urNp linux-2.6.32.43/grsecurity/grsec_chr= oot.c linux-2.6.32.43/grsecurity/ + + if ((p =3D find_task_by_vpid_unrestricted(shm_cprid))) { + starttime =3D p->start_time.tv_sec; -+ if (unlikely(!have_same_root(current, p) && -+ time_before_eq((unsigned long)starttime, (unsigned long)shm_cre= atetime))) { -+ read_unlock(&tasklist_lock); -+ rcu_read_unlock(); -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG); -+ return 0; ++ if (time_before_eq((unsigned long)starttime, (unsigned long)shm_creat= etime)) { ++ if (have_same_root(current, p)) { ++ goto allow; ++ } else { ++ read_unlock(&tasklist_lock); ++ rcu_read_unlock(); ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG); ++ return 0; ++ } + } -+ } else if ((p =3D find_task_by_vpid_unrestricted(shm_lapid))) { ++ /* creator exited, pid reuse, fall through to next check */ ++ } ++ if ((p =3D find_task_by_vpid_unrestricted(shm_lapid))) { + if (unlikely(!have_same_root(current, p))) { + read_unlock(&tasklist_lock); + rcu_read_unlock(); @@ -50445,6 +50485,7 @@ diff -urNp linux-2.6.32.43/grsecurity/grsec_chroo= t.c linux-2.6.32.43/grsecurity/ + } + } + ++allow: + read_unlock(&tasklist_lock); + rcu_read_unlock(); +#endif @@ -70775,7 +70816,7 @@ diff -urNp linux-2.6.32.43/net/sysctl_net.c linux= -2.6.32.43/net/sysctl_net.c } diff -urNp linux-2.6.32.43/net/unix/af_unix.c linux-2.6.32.43/net/unix/a= f_unix.c --- linux-2.6.32.43/net/unix/af_unix.c 2011-05-10 22:12:02.000000000 -04= 00 -+++ linux-2.6.32.43/net/unix/af_unix.c 2011-05-10 22:12:34.000000000 -04= 00 ++++ linux-2.6.32.43/net/unix/af_unix.c 2011-07-18 18:17:33.000000000 -04= 00 @@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru err =3D -ECONNREFUSED; if (!S_ISSOCK(inode->i_mode)) @@ -70822,18 +70863,7 @@ diff -urNp linux-2.6.32.43/net/unix/af_unix.c li= nux-2.6.32.43/net/unix/af_unix.c mutex_unlock(&nd.path.dentry->d_inode->i_mutex); dput(nd.path.dentry); nd.path.dentry =3D dentry; -@@ -872,6 +892,10 @@ out_mknod_drop_write: - goto out_unlock; - } -=20 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX -+ sk->sk_peercred.pid =3D current->pid; -+#endif -+ - list =3D &unix_socket_table[addr->hash]; - } else { - list =3D &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-= 1)]; -@@ -2211,7 +2235,11 @@ static int unix_seq_show(struct seq_file +@@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file unix_state_lock(s); =20 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu", @@ -71245,6 +71275,18 @@ diff -urNp linux-2.6.32.43/scripts/mod/sumversio= n.c linux-2.6.32.43/scripts/mod/ warn("writing sum in %s failed: %s\n", filename, strerror(errno)); goto out; +diff -urNp linux-2.6.32.43/scripts/package/mkspec linux-2.6.32.43/script= s/package/mkspec +--- linux-2.6.32.43/scripts/package/mkspec 2011-03-27 14:31:47.000000000= -0400 ++++ linux-2.6.32.43/scripts/package/mkspec 2011-07-19 18:19:12.000000000= -0400 +@@ -70,7 +70,7 @@ echo 'mkdir -p $RPM_BUILD_ROOT/boot $RPM + echo 'mkdir -p $RPM_BUILD_ROOT/lib/firmware' + echo "%endif" +=20 +-echo 'INSTALL_MOD_PATH=3D$RPM_BUILD_ROOT make %{_smp_mflags} KBUILD_SRC= =3D modules_install' ++echo 'INSTALL_MOD_PATH=3D$RPM_BUILD_ROOT make %{?_smp_mflags} KBUILD_SR= C=3D modules_install' + echo "%ifarch ia64" + echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/efi/vmlinuz-$KERNELRELEAS= E" + echo 'ln -s '"efi/vmlinuz-$KERNELRELEASE" '$RPM_BUILD_ROOT'"/boot/" diff -urNp linux-2.6.32.43/scripts/pnmtologo.c linux-2.6.32.43/scripts/p= nmtologo.c --- linux-2.6.32.43/scripts/pnmtologo.c 2011-03-27 14:31:47.000000000 -0= 400 +++ linux-2.6.32.43/scripts/pnmtologo.c 2011-04-17 15:56:46.000000000 -0= 400 diff --git a/2.6.39/0000_README b/2.6.39/0000_README index 4559efd..66fcae4 100644 --- a/2.6.39/0000_README +++ b/2.6.39/0000_README @@ -3,7 +3,7 @@ README =20 Individual Patch Descriptions: ------------------------------------------------------------------------= ----- -Patch: 4420_grsecurity-2.2.2-2.6.39.3-201107161559.patch +Patch: 4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity =20 diff --git a/2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107161559.patch b/2= .6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch similarity index 99% rename from 2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107161559.patch rename to 2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch index b63ab98..f85e905 100644 --- a/2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107161559.patch +++ b/2.6.39/4420_grsecurity-2.2.2-2.6.39.3-201107191826.patch @@ -16527,8 +16527,18 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/module= .c linux-2.6.39.3/arch/x86/kerne goto overflow; diff -urNp linux-2.6.39.3/arch/x86/kernel/paravirt.c linux-2.6.39.3/arch= /x86/kernel/paravirt.c --- linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-19 00:06:34.000000= 000 -0400 -+++ linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-05-22 19:36:30.000000= 000 -0400 -@@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu ++++ linux-2.6.39.3/arch/x86/kernel/paravirt.c 2011-07-19 18:26:58.000000= 000 -0400 +@@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x) + { + return x; + } ++#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) ++PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64); ++#endif +=20 + void __init default_banner(void) + { +@@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu * corresponding structure. */ static void *get_call_destination(u8 type) { @@ -16537,7 +16547,7 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravir= t.c linux-2.6.39.3/arch/x86/ker .pv_init_ops =3D pv_init_ops, .pv_time_ops =3D pv_time_ops, .pv_cpu_ops =3D pv_cpu_ops, -@@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ +@@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ .pv_lock_ops =3D pv_lock_ops, #endif }; @@ -16547,7 +16557,7 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravir= t.c linux-2.6.39.3/arch/x86/ker return *((void **)&tmpl + type); } =20 -@@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type, +@@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type, if (opfunc =3D=3D NULL) /* If there's no function, patch it with a ud2a (BUG) */ ret =3D paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a)); @@ -16563,9 +16573,14 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravi= rt.c linux-2.6.39.3/arch/x86/ker - else if (opfunc =3D=3D _paravirt_ident_64) + else if (opfunc =3D=3D (void *)_paravirt_ident_64) ret =3D paravirt_patch_ident_64(insnbuf, len); ++#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE) ++ else if (opfunc =3D=3D (void *)__raw_callee_save__paravirt_ident_64) ++ ret =3D paravirt_patch_ident_64(insnbuf, len); ++#endif =20 else if (type =3D=3D PARAVIRT_PATCH(pv_cpu_ops.iret) || -@@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn + type =3D=3D PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) || +@@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn if (insn_len > len || start =3D=3D NULL) insn_len =3D len; else @@ -16574,7 +16589,7 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravir= t.c linux-2.6.39.3/arch/x86/ker =20 return insn_len; } -@@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void) +@@ -294,22 +304,22 @@ void arch_flush_lazy_mmu_mode(void) preempt_enable(); } =20 @@ -16601,7 +16616,7 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravir= t.c linux-2.6.39.3/arch/x86/ker .save_fl =3D __PV_IS_CALLEE_SAVE(native_save_fl), .restore_fl =3D __PV_IS_CALLEE_SAVE(native_restore_fl), .irq_disable =3D __PV_IS_CALLEE_SAVE(native_irq_disable), -@@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops =3D { +@@ -321,7 +331,7 @@ struct pv_irq_ops pv_irq_ops =3D { #endif }; =20 @@ -16610,7 +16625,7 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravir= t.c linux-2.6.39.3/arch/x86/ker .cpuid =3D native_cpuid, .get_debugreg =3D native_get_debugreg, .set_debugreg =3D native_set_debugreg, -@@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops =3D { +@@ -382,21 +392,26 @@ struct pv_cpu_ops pv_cpu_ops =3D { .end_context_switch =3D paravirt_nop, }; =20 @@ -16619,7 +16634,19 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravi= rt.c linux-2.6.39.3/arch/x86/ker #ifdef CONFIG_X86_LOCAL_APIC .startup_ipi_hook =3D paravirt_nop, #endif -@@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops =3D { + }; +=20 +-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE) ++#ifdef CONFIG_X86_32 ++#ifdef CONFIG_X86_PAE ++/* 64-bit pagetable entries */ ++#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64) ++#else + /* 32-bit pagetable entries */ + #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32) ++#endif + #else + /* 64-bit pagetable entries */ #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64) #endif =20 @@ -16628,7 +16655,7 @@ diff -urNp linux-2.6.39.3/arch/x86/kernel/paravir= t.c linux-2.6.39.3/arch/x86/ker =20 .read_cr2 =3D native_read_cr2, .write_cr2 =3D native_write_cr2, -@@ -465,6 +468,12 @@ struct pv_mmu_ops pv_mmu_ops =3D { +@@ -465,6 +480,12 @@ struct pv_mmu_ops pv_mmu_ops =3D { }, =20 .set_fixmap =3D native_set_fixmap, @@ -21193,8 +21220,16 @@ diff -urNp linux-2.6.39.3/arch/x86/lib/usercopy_= 64.c linux-2.6.39.3/arch/x86/lib =20 diff -urNp linux-2.6.39.3/arch/x86/Makefile linux-2.6.39.3/arch/x86/Make= file --- linux-2.6.39.3/arch/x86/Makefile 2011-05-19 00:06:34.000000000 -0400 -+++ linux-2.6.39.3/arch/x86/Makefile 2011-05-22 19:36:30.000000000 -0400 -@@ -195,3 +195,12 @@ define archhelp ++++ linux-2.6.39.3/arch/x86/Makefile 2011-07-19 18:16:36.000000000 -0400 +@@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y) + else + BITS :=3D 64 + UTS_MACHINE :=3D x86_64 ++ biarch :=3D $(call cc-option,-m64) + CHECKFLAGS +=3D -D__x86_64__ -m64 +=20 + KBUILD_AFLAGS +=3D -m64 +@@ -195,3 +196,12 @@ define archhelp echo ' FDARGS=3D"..." arguments for the booted ker= nel' echo ' FDINITRD=3Dfile initrd for the booted kernel= ' endef @@ -57458,8 +57493,8 @@ diff -urNp linux-2.6.39.3/grsecurity/grsec_chdir.= c linux-2.6.39.3/grsecurity/grs +} diff -urNp linux-2.6.39.3/grsecurity/grsec_chroot.c linux-2.6.39.3/grsec= urity/grsec_chroot.c --- linux-2.6.39.3/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.0000000= 00 -0500 -+++ linux-2.6.39.3/grsecurity/grsec_chroot.c 2011-07-16 15:27:28.0000000= 00 -0400 -@@ -0,0 +1,343 @@ ++++ linux-2.6.39.3/grsecurity/grsec_chroot.c 2011-07-18 17:20:05.0000000= 00 -0400 +@@ -0,0 +1,349 @@ +#include +#include +#include @@ -57650,14 +57685,19 @@ diff -urNp linux-2.6.39.3/grsecurity/grsec_chro= ot.c linux-2.6.39.3/grsecurity/gr + + if ((p =3D find_task_by_vpid_unrestricted(shm_cprid))) { + starttime =3D p->start_time.tv_sec; -+ if (unlikely(!have_same_root(current, p) && -+ time_before_eq((unsigned long)starttime, (unsigned long)shm_cre= atetime))) { -+ read_unlock(&tasklist_lock); -+ rcu_read_unlock(); -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG); -+ return 0; ++ if (time_before_eq((unsigned long)starttime, (unsigned long)shm_creat= etime)) { ++ if (have_same_root(current, p)) { ++ goto allow; ++ } else { ++ read_unlock(&tasklist_lock); ++ rcu_read_unlock(); ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG); ++ return 0; ++ } + } -+ } else if ((p =3D find_task_by_vpid_unrestricted(shm_lapid))) { ++ /* creator exited, pid reuse, fall through to next check */ ++ } ++ if ((p =3D find_task_by_vpid_unrestricted(shm_lapid))) { + if (unlikely(!have_same_root(current, p))) { + read_unlock(&tasklist_lock); + rcu_read_unlock(); @@ -57666,6 +57706,7 @@ diff -urNp linux-2.6.39.3/grsecurity/grsec_chroot= .c linux-2.6.39.3/grsecurity/gr + } + } + ++allow: + read_unlock(&tasklist_lock); + rcu_read_unlock(); +#endif @@ -79332,7 +79373,7 @@ diff -urNp linux-2.6.39.3/net/sysctl_net.c linux-= 2.6.39.3/net/sysctl_net.c } diff -urNp linux-2.6.39.3/net/unix/af_unix.c linux-2.6.39.3/net/unix/af_= unix.c --- linux-2.6.39.3/net/unix/af_unix.c 2011-05-19 00:06:34.000000000 -040= 0 -+++ linux-2.6.39.3/net/unix/af_unix.c 2011-07-16 15:36:42.000000000 -040= 0 ++++ linux-2.6.39.3/net/unix/af_unix.c 2011-07-18 18:16:27.000000000 -040= 0 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru err =3D -ECONNREFUSED; if (!S_ISSOCK(inode->i_mode)) @@ -79379,19 +79420,7 @@ diff -urNp linux-2.6.39.3/net/unix/af_unix.c lin= ux-2.6.39.3/net/unix/af_unix.c mutex_unlock(&nd.path.dentry->d_inode->i_mutex); dput(nd.path.dentry); nd.path.dentry =3D dentry; -@@ -894,6 +914,11 @@ out_mknod_drop_write: - goto out_unlock; - } -=20 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX -+ put_pid(sk->sk_peer_pid); -+ sk->sk_peer_pid =3D get_pid(task_tgid(current)); -+#endif -+ - list =3D &unix_socket_table[addr->hash]; - } else { - list =3D &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-= 1)]; -@@ -2255,7 +2280,11 @@ static int unix_seq_show(struct seq_file +@@ -2255,7 +2275,11 @@ static int unix_seq_show(struct seq_file unix_state_lock(s); =20 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",