author | Anthony G. Basile <blueness@gentoo.org> | 2012-01-04 10:44:12 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-01-04 10:44:12 -0500 |
commit | 13991bf0cb74669e255c8b42442869e980f9d22b (patch) | |
tree | c03a448155b00a9fdfbbbc1723461a43220dc3fd /2.6.32 | |
parent | Removed EXTRAVERSION = hunk (diff) | |
Grsec/PaX: 2.2.2-2.6.32.52-201201031758 + 2.2.2-3.1.7-201201032037.patch
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 6 | ||||
-rw-r--r-- | 2.6.32/1050_linux-2.6.32.51.patch | 575 | ||||
-rw-r--r-- | 2.6.32/1051_linux-2.6.32.52.patch | 12 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.52-201201031758.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.51-201112222105.patch) | 405 | ||||
-rw-r--r-- | 2.6.32/4435_grsec-kconfig-gentoo.patch | 4 | ||||
-rw-r--r-- | 2.6.32/4437-grsec-kconfig-proc-user.patch | 4 | ||||
-rw-r--r-- | 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | 2 |
7 files changed, 406 insertions, 602 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index c414b52..3fcd732 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,11 +3,11 @@ README
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 1050_linux-2.6.32.51.patch
+Patch: 1051_linux-2.6.32.52.patch
 From: http://www.kernel.org
-Desc: Linux 2.6.32.51
+Desc: Linux 2.6.32.52
-Patch: 4420_grsecurity-2.2.2-2.6.32.51-201112222105.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.52-201201031758.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/1050_linux-2.6.32.51.patch b/2.6.32/1050_linux-2.6.32.51.patch
deleted file mode 100644
index 196ebde..0000000
--- a/2.6.32/1050_linux-2.6.32.51.patch
+++ /dev/null
@@ -1,575 +0,0 @@ -diff --git a/arch/arm/mach-davinci/board-dm646x-evm.c b/arch/arm/mach-davinci/board-dm646x-evm.c -index 24e0e13..6b25227 100644 ---- a/arch/arm/mach-davinci/board-dm646x-evm.c -+++ b/arch/arm/mach-davinci/board-dm646x-evm.c -@@ -502,7 +502,7 @@ static int setup_vpif_input_channel_mode(int mux_mode) - int val; - u32 value; - -- if (!vpif_vsclkdis_reg || !cpld_client) -+ if (!vpif_vidclkctl_reg || !cpld_client) - return -ENXIO; - - val = i2c_smbus_read_byte(cpld_client); -@@ -510,7 +510,7 @@ static int setup_vpif_input_channel_mode(int mux_mode) - return val; - - spin_lock_irqsave(&vpif_reg_lock, flags); -- value = __raw_readl(vpif_vsclkdis_reg); -+ value = __raw_readl(vpif_vidclkctl_reg); - if (mux_mode) { - val &= VPIF_INPUT_TWO_CHANNEL; - value |= VIDCH1CLK; -@@ -518,7 +518,7 @@ static int setup_vpif_input_channel_mode(int mux_mode) - val |= VPIF_INPUT_ONE_CHANNEL; - value &= ~VIDCH1CLK; - } -- __raw_writel(value, vpif_vsclkdis_reg); -+ __raw_writel(value, vpif_vidclkctl_reg); - spin_unlock_irqrestore(&vpif_reg_lock, flags); - - err = i2c_smbus_write_byte(cpld_client, val); -diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c -index 044897b..829edf0 100644 ---- a/arch/x86/oprofile/backtrace.c -+++ b/arch/x86/oprofile/backtrace.c -@@ -11,6 +11,8 @@ - #include <linux/oprofile.h> - #include <linux/sched.h> - #include <linux/mm.h> -+#include <linux/highmem.h> -+ - #include <asm/ptrace.h> - #include <asm/uaccess.h> - #include <asm/stacktrace.h> -@@ -47,6 +49,42 @@ static struct stacktrace_ops backtrace_ops = { - .address = backtrace_address, - }; - -+/* from arch/x86/kernel/cpu/perf_event.c: */ -+ -+/* -+ * best effort, GUP based copy_from_user() that assumes IRQ or NMI context -+ */ -+static unsigned long -+copy_from_user_nmi(void *to, const void __user *from, unsigned long n) -+{ -+ unsigned long offset, addr = (unsigned long)from; -+ unsigned long size, len = 0; -+ struct page *page; -+ void *map; -+ int ret; -+ -+ do { -+ 
ret = __get_user_pages_fast(addr, 1, 0, &page); -+ if (!ret) -+ break; -+ -+ offset = addr & (PAGE_SIZE - 1); -+ size = min(PAGE_SIZE - offset, n - len); -+ -+ map = kmap_atomic(page, KM_USER0); -+ memcpy(to, map+offset, size); -+ kunmap_atomic(map, KM_USER0); -+ put_page(page); -+ -+ len += size; -+ to += size; -+ addr += size; -+ -+ } while (len < n); -+ -+ return len; -+} -+ - struct frame_head { - struct frame_head *bp; - unsigned long ret; -@@ -54,12 +92,12 @@ struct frame_head { - - static struct frame_head *dump_user_backtrace(struct frame_head *head) - { -+ /* Also check accessibility of one struct frame_head beyond: */ - struct frame_head bufhead[2]; -+ unsigned long bytes; - -- /* Also check accessibility of one struct frame_head beyond */ -- if (!access_ok(VERIFY_READ, head, sizeof(bufhead))) -- return NULL; -- if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead))) -+ bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); -+ if (bytes != sizeof(bufhead)) - return NULL; - - oprofile_add_trace(bufhead[0].ret); -diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c -index ca6b336..8f0e49b 100644 ---- a/arch/x86/oprofile/nmi_int.c -+++ b/arch/x86/oprofile/nmi_int.c -@@ -750,12 +750,12 @@ int __init op_nmi_init(struct oprofile_operations *ops) - - void op_nmi_exit(void) - { -- if (using_nmi) { -- exit_sysfs(); -+ if (!using_nmi) -+ return; -+ exit_sysfs(); - #ifdef CONFIG_SMP -- unregister_cpu_notifier(&oprofile_cpu_nb); -+ unregister_cpu_notifier(&oprofile_cpu_nb); - #endif -- } - if (model->exit) - model->exit(); - } -diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c -index 5c4df24..334ccd6 100644 ---- a/drivers/oprofile/buffer_sync.c -+++ b/drivers/oprofile/buffer_sync.c -@@ -140,6 +140,13 @@ static struct notifier_block module_load_nb = { - .notifier_call = module_load_notify, - }; - -+static void free_all_tasks(void) -+{ -+ /* make sure we don't leak task structs */ -+ process_task_mortuary(); -+ 
process_task_mortuary(); -+} -+ - int sync_start(void) - { - int err; -@@ -147,8 +154,6 @@ int sync_start(void) - if (!zalloc_cpumask_var(&marked_cpus, GFP_KERNEL)) - return -ENOMEM; - -- mutex_lock(&buffer_mutex); -- - err = task_handoff_register(&task_free_nb); - if (err) - goto out1; -@@ -165,7 +170,6 @@ int sync_start(void) - start_cpu_work(); - - out: -- mutex_unlock(&buffer_mutex); - return err; - out4: - profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); -@@ -173,6 +177,7 @@ out3: - profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); - out2: - task_handoff_unregister(&task_free_nb); -+ free_all_tasks(); - out1: - free_cpumask_var(marked_cpus); - goto out; -@@ -181,20 +186,16 @@ out1: - - void sync_stop(void) - { -- /* flush buffers */ -- mutex_lock(&buffer_mutex); - end_cpu_work(); - unregister_module_notifier(&module_load_nb); - profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); - profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); - task_handoff_unregister(&task_free_nb); -- mutex_unlock(&buffer_mutex); -- flush_scheduled_work(); -+ barrier(); /* do all of the above first */ - -- /* make sure we don't leak task structs */ -- process_task_mortuary(); -- process_task_mortuary(); -+ flush_scheduled_work(); - -+ free_all_tasks(); - free_cpumask_var(marked_cpus); - } - -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index 9d3d8cf..cec9bff 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -1528,6 +1528,16 @@ static struct usb_device_id acm_ids[] = { - }, - { USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */ - }, -+ /* Motorola H24 HSPA module: */ -+ { USB_DEVICE(0x22b8, 0x2d91) }, /* modem */ -+ { USB_DEVICE(0x22b8, 0x2d92) }, /* modem + diagnostics */ -+ { USB_DEVICE(0x22b8, 0x2d93) }, /* modem + AT port */ -+ { USB_DEVICE(0x22b8, 0x2d95) }, /* modem + AT port + diagnostics */ -+ { USB_DEVICE(0x22b8, 0x2d96) }, /* modem + NMEA */ -+ { USB_DEVICE(0x22b8, 0x2d97) }, /* modem + 
diagnostics + NMEA */ -+ { USB_DEVICE(0x22b8, 0x2d99) }, /* modem + AT port + NMEA */ -+ { USB_DEVICE(0x22b8, 0x2d9a) }, /* modem + AT port + diagnostics + NMEA */ -+ - { USB_DEVICE(0x0572, 0x1329), /* Hummingbird huc56s (Conexant) */ - .driver_info = NO_UNION_NORMAL, /* union descriptor misplaced on - data interface instead of -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index 8572c79..72ba88f 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -3228,7 +3228,7 @@ static int ext4_da_write_end(struct file *file, - */ - - new_i_size = pos + copied; -- if (new_i_size > EXT4_I(inode)->i_disksize) { -+ if (copied && new_i_size > EXT4_I(inode)->i_disksize) { - if (ext4_da_should_update_i_disksize(page, end)) { - down_write(&EXT4_I(inode)->i_data_sem); - if (new_i_size > EXT4_I(inode)->i_disksize) { -diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c -index 052f214..0609e71 100644 ---- a/fs/hfs/btree.c -+++ b/fs/hfs/btree.c -@@ -45,11 +45,26 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke - case HFS_EXT_CNID: - hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize, - mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz)); -+ if (HFS_I(tree->inode)->alloc_blocks > -+ HFS_I(tree->inode)->first_blocks) { -+ printk(KERN_ERR "hfs: invalid btree extent records\n"); -+ unlock_new_inode(tree->inode); -+ goto free_inode; -+ } -+ - tree->inode->i_mapping->a_ops = &hfs_btree_aops; - break; - case HFS_CAT_CNID: - hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize, - mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz)); -+ -+ if (!HFS_I(tree->inode)->first_blocks) { -+ printk(KERN_ERR "hfs: invalid btree extent records " -+ "(0 size).\n"); -+ unlock_new_inode(tree->inode); -+ goto free_inode; -+ } -+ - tree->inode->i_mapping->a_ops = &hfs_btree_aops; - break; - default: -@@ -58,11 +73,6 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke - } - unlock_new_inode(tree->inode); - -- if 
(!HFS_I(tree->inode)->first_blocks) { -- printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n"); -- goto free_inode; -- } -- - mapping = tree->inode->i_mapping; - page = read_mapping_page(mapping, 0, NULL); - if (IS_ERR(page)) -diff --git a/fs/jbd/journal.c b/fs/jbd/journal.c -index 45905ff..70713d5 100644 ---- a/fs/jbd/journal.c -+++ b/fs/jbd/journal.c -@@ -1070,6 +1070,14 @@ static int journal_get_superblock(journal_t *journal) - goto out; - } - -+ if (be32_to_cpu(sb->s_first) == 0 || -+ be32_to_cpu(sb->s_first) >= journal->j_maxlen) { -+ printk(KERN_WARNING -+ "JBD: Invalid start block of journal: %u\n", -+ be32_to_cpu(sb->s_first)); -+ goto out; -+ } -+ - return 0; - - out: -diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c -index 17af879..c00de9c 100644 ---- a/fs/jbd2/journal.c -+++ b/fs/jbd2/journal.c -@@ -1183,6 +1183,14 @@ static int journal_get_superblock(journal_t *journal) - goto out; - } - -+ if (be32_to_cpu(sb->s_first) == 0 || -+ be32_to_cpu(sb->s_first) >= journal->j_maxlen) { -+ printk(KERN_WARNING -+ "JBD2: Invalid start block of journal: %u\n", -+ be32_to_cpu(sb->s_first)); -+ goto out; -+ } -+ - return 0; - - out: -diff --git a/include/linux/log2.h b/include/linux/log2.h -index 25b8086..fd7ff3d 100644 ---- a/include/linux/log2.h -+++ b/include/linux/log2.h -@@ -185,7 +185,6 @@ unsigned long __rounddown_pow_of_two(unsigned long n) - #define rounddown_pow_of_two(n) \ - ( \ - __builtin_constant_p(n) ? ( \ -- (n == 1) ? 
0 : \ - (1UL << ilog2(n))) : \ - __rounddown_pow_of_two(n) \ - ) -diff --git a/kernel/taskstats.c b/kernel/taskstats.c -index b080920..a4ef542 100644 ---- a/kernel/taskstats.c -+++ b/kernel/taskstats.c -@@ -592,6 +592,7 @@ static struct genl_ops taskstats_ops = { - .cmd = TASKSTATS_CMD_GET, - .doit = taskstats_user_cmd, - .policy = taskstats_cmd_get_policy, -+ .flags = GENL_ADMIN_PERM, - }; - - static struct genl_ops cgroupstats_ops = { -diff --git a/mm/percpu.c b/mm/percpu.c -index 3bfd6e2..c90614a 100644 ---- a/mm/percpu.c -+++ b/mm/percpu.c -@@ -110,9 +110,9 @@ static int pcpu_atom_size __read_mostly; - static int pcpu_nr_slots __read_mostly; - static size_t pcpu_chunk_struct_size __read_mostly; - --/* cpus with the lowest and highest unit numbers */ --static unsigned int pcpu_first_unit_cpu __read_mostly; --static unsigned int pcpu_last_unit_cpu __read_mostly; -+/* cpus with the lowest and highest unit addresses */ -+static unsigned int pcpu_low_unit_cpu __read_mostly; -+static unsigned int pcpu_high_unit_cpu __read_mostly; - - /* the address of the first chunk which starts with the kernel static area */ - void *pcpu_base_addr __read_mostly; -@@ -746,8 +746,8 @@ static void pcpu_pre_unmap_flush(struct pcpu_chunk *chunk, - int page_start, int page_end) - { - flush_cache_vunmap( -- pcpu_chunk_addr(chunk, pcpu_first_unit_cpu, page_start), -- pcpu_chunk_addr(chunk, pcpu_last_unit_cpu, page_end)); -+ pcpu_chunk_addr(chunk, pcpu_low_unit_cpu, page_start), -+ pcpu_chunk_addr(chunk, pcpu_high_unit_cpu, page_end)); - } - - static void __pcpu_unmap_pages(unsigned long addr, int nr_pages) -@@ -809,8 +809,8 @@ static void pcpu_post_unmap_tlb_flush(struct pcpu_chunk *chunk, - int page_start, int page_end) - { - flush_tlb_kernel_range( -- pcpu_chunk_addr(chunk, pcpu_first_unit_cpu, page_start), -- pcpu_chunk_addr(chunk, pcpu_last_unit_cpu, page_end)); -+ pcpu_chunk_addr(chunk, pcpu_low_unit_cpu, page_start), -+ pcpu_chunk_addr(chunk, pcpu_high_unit_cpu, page_end)); - } - - 
static int __pcpu_map_pages(unsigned long addr, struct page **pages, -@@ -887,8 +887,8 @@ static void pcpu_post_map_flush(struct pcpu_chunk *chunk, - int page_start, int page_end) - { - flush_cache_vmap( -- pcpu_chunk_addr(chunk, pcpu_first_unit_cpu, page_start), -- pcpu_chunk_addr(chunk, pcpu_last_unit_cpu, page_end)); -+ pcpu_chunk_addr(chunk, pcpu_low_unit_cpu, page_start), -+ pcpu_chunk_addr(chunk, pcpu_high_unit_cpu, page_end)); - } - - /** -@@ -1680,7 +1680,9 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai, - - for (cpu = 0; cpu < nr_cpu_ids; cpu++) - unit_map[cpu] = UINT_MAX; -- pcpu_first_unit_cpu = NR_CPUS; -+ -+ pcpu_low_unit_cpu = NR_CPUS; -+ pcpu_high_unit_cpu = NR_CPUS; - - for (group = 0, unit = 0; group < ai->nr_groups; group++, unit += i) { - const struct pcpu_group_info *gi = &ai->groups[group]; -@@ -1700,9 +1702,13 @@ int __init pcpu_setup_first_chunk(const struct pcpu_alloc_info *ai, - unit_map[cpu] = unit + i; - unit_off[cpu] = gi->base_offset + i * ai->unit_size; - -- if (pcpu_first_unit_cpu == NR_CPUS) -- pcpu_first_unit_cpu = cpu; -- pcpu_last_unit_cpu = cpu; -+ /* determine low/high unit_cpu */ -+ if (pcpu_low_unit_cpu == NR_CPUS || -+ unit_off[cpu] < unit_off[pcpu_low_unit_cpu]) -+ pcpu_low_unit_cpu = cpu; -+ if (pcpu_high_unit_cpu == NR_CPUS || -+ unit_off[cpu] > unit_off[pcpu_high_unit_cpu]) -+ pcpu_high_unit_cpu = cpu; - } - } - pcpu_nr_units = unit; -diff --git a/mm/util.c b/mm/util.c -index b377ce4..e48b493 100644 ---- a/mm/util.c -+++ b/mm/util.c -@@ -233,6 +233,19 @@ void arch_pick_mmap_layout(struct mm_struct *mm) - } - #endif - -+/* -+ * Like get_user_pages_fast() except its IRQ-safe in that it won't fall -+ * back to the regular GUP. 
-+ * If the architecture not support this fucntion, simply return with no -+ * page pinned -+ */ -+int __attribute__((weak)) __get_user_pages_fast(unsigned long start, -+ int nr_pages, int write, struct page **pages) -+{ -+ return 0; -+} -+EXPORT_SYMBOL_GPL(__get_user_pages_fast); -+ - /** - * get_user_pages_fast() - pin user pages in memory - * @start: starting user address -diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c -index faf54c6..9bd850a 100644 ---- a/net/xfrm/xfrm_algo.c -+++ b/net/xfrm/xfrm_algo.c -@@ -411,8 +411,8 @@ static struct xfrm_algo_desc ealg_list[] = { - .desc = { - .sadb_alg_id = SADB_X_EALG_AESCTR, - .sadb_alg_ivlen = 8, -- .sadb_alg_minbits = 128, -- .sadb_alg_maxbits = 256 -+ .sadb_alg_minbits = 160, -+ .sadb_alg_maxbits = 288 - } - }, - }; -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index ba44dc0..6419095 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -432,6 +432,8 @@ static int alc_mux_enum_put(struct snd_kcontrol *kcontrol, - imux = &spec->input_mux[mux_idx]; - if (!imux->num_items && mux_idx > 0) - imux = &spec->input_mux[0]; -+ if (!imux->num_items) -+ return 0; - - type = get_wcaps_type(get_wcaps(codec, nid)); - if (type == AC_WID_AUD_MIX) { -diff --git a/sound/pci/sis7019.c b/sound/pci/sis7019.c -index 1a5ff06..b11ee62 100644 ---- a/sound/pci/sis7019.c -+++ b/sound/pci/sis7019.c -@@ -40,6 +40,7 @@ MODULE_SUPPORTED_DEVICE("{{SiS,SiS7019 Audio Accelerator}}"); - static int index = SNDRV_DEFAULT_IDX1; /* Index 0-MAX */ - static char *id = SNDRV_DEFAULT_STR1; /* ID for this card */ - static int enable = 1; -+static int codecs = 1; - - module_param(index, int, 0444); - MODULE_PARM_DESC(index, "Index value for SiS7019 Audio Accelerator."); -@@ -47,6 +48,8 @@ module_param(id, charp, 0444); - MODULE_PARM_DESC(id, "ID string for SiS7019 Audio Accelerator."); - module_param(enable, bool, 0444); - MODULE_PARM_DESC(enable, "Enable SiS7019 Audio Accelerator."); 
-+module_param(codecs, int, 0444); -+MODULE_PARM_DESC(codecs, "Set bit to indicate that codec number is expected to be present (default 1)"); - - static struct pci_device_id snd_sis7019_ids[] = { - { PCI_DEVICE(PCI_VENDOR_ID_SI, 0x7019) }, -@@ -139,6 +142,9 @@ struct sis7019 { - dma_addr_t silence_dma_addr; - }; - -+/* These values are also used by the module param 'codecs' to indicate -+ * which codecs should be present. -+ */ - #define SIS_PRIMARY_CODEC_PRESENT 0x0001 - #define SIS_SECONDARY_CODEC_PRESENT 0x0002 - #define SIS_TERTIARY_CODEC_PRESENT 0x0004 -@@ -1075,6 +1081,7 @@ static int sis_chip_init(struct sis7019 *sis) - { - unsigned long io = sis->ioport; - void __iomem *ioaddr = sis->ioaddr; -+ unsigned long timeout; - u16 status; - int count; - int i; -@@ -1101,21 +1108,45 @@ static int sis_chip_init(struct sis7019 *sis) - while ((inw(io + SIS_AC97_STATUS) & SIS_AC97_STATUS_BUSY) && --count) - udelay(1); - -+ /* Command complete, we can let go of the semaphore now. -+ */ -+ outl(SIS_AC97_SEMA_RELEASE, io + SIS_AC97_SEMA); -+ if (!count) -+ return -EIO; -+ - /* Now that we've finished the reset, find out what's attached. -+ * There are some codec/board combinations that take an extremely -+ * long time to come up. 350+ ms has been observed in the field, -+ * so we'll give them up to 500ms. 
- */ -- status = inl(io + SIS_AC97_STATUS); -- if (status & SIS_AC97_STATUS_CODEC_READY) -- sis->codecs_present |= SIS_PRIMARY_CODEC_PRESENT; -- if (status & SIS_AC97_STATUS_CODEC2_READY) -- sis->codecs_present |= SIS_SECONDARY_CODEC_PRESENT; -- if (status & SIS_AC97_STATUS_CODEC3_READY) -- sis->codecs_present |= SIS_TERTIARY_CODEC_PRESENT; -- -- /* All done, let go of the semaphore, and check for errors -+ sis->codecs_present = 0; -+ timeout = msecs_to_jiffies(500) + jiffies; -+ while (time_before_eq(jiffies, timeout)) { -+ status = inl(io + SIS_AC97_STATUS); -+ if (status & SIS_AC97_STATUS_CODEC_READY) -+ sis->codecs_present |= SIS_PRIMARY_CODEC_PRESENT; -+ if (status & SIS_AC97_STATUS_CODEC2_READY) -+ sis->codecs_present |= SIS_SECONDARY_CODEC_PRESENT; -+ if (status & SIS_AC97_STATUS_CODEC3_READY) -+ sis->codecs_present |= SIS_TERTIARY_CODEC_PRESENT; -+ -+ if (sis->codecs_present == codecs) -+ break; -+ -+ msleep(1); -+ } -+ -+ /* All done, check for errors. - */ -- outl(SIS_AC97_SEMA_RELEASE, io + SIS_AC97_SEMA); -- if (!sis->codecs_present || !count) -+ if (!sis->codecs_present) { -+ printk(KERN_ERR "sis7019: could not find any codecs\n"); - return -EIO; -+ } -+ -+ if (sis->codecs_present != codecs) { -+ printk(KERN_WARNING "sis7019: missing codecs, found %0x, expected %0x\n", -+ sis->codecs_present, codecs); -+ } - - /* Let the hardware know that the audio driver is alive, - * and enable PCM slots on the AC-link for L/R playback (3 & 4) and -@@ -1387,6 +1418,17 @@ static int __devinit snd_sis7019_probe(struct pci_dev *pci, - if (!enable) - goto error_out; - -+ /* The user can specify which codecs should be present so that we -+ * can wait for them to show up if they are slow to recover from -+ * the AC97 cold reset. We default to a single codec, the primary. -+ * -+ * We assume that SIS_PRIMARY_*_PRESENT matches bits 0-2. 
-+ */ -+ codecs &= SIS_PRIMARY_CODEC_PRESENT | SIS_SECONDARY_CODEC_PRESENT | -+ SIS_TERTIARY_CODEC_PRESENT; -+ if (!codecs) -+ codecs = SIS_PRIMARY_CODEC_PRESENT; -+ - rc = snd_card_create(index, id, THIS_MODULE, sizeof(*sis), &card); - if (rc < 0) - goto error_out; diff --git a/2.6.32/1051_linux-2.6.32.52.patch b/2.6.32/1051_linux-2.6.32.52.patch new file mode 100644 index 0000000..0f82a0c --- /dev/null +++ b/2.6.32/1051_linux-2.6.32.52.patch @@ -0,0 +1,12 @@ +diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c +index b38baff..0d809ae 100644 +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -221,7 +221,6 @@ void clockevents_exchange_device(struct clock_event_device *old, + * released list and do a notify add later. + */ + if (old) { +- old->event_handler = clockevents_handle_noop; + clockevents_set_mode(old, CLOCK_EVT_MODE_UNUSED); + list_del(&old->list); + list_add(&old->list, &clockevents_released); diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.51-201112222105.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.52-201201031758.patch index 1a4e34c..40137ff 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.51-201112222105.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.52-201201031758.patch @@ -185,7 +185,7 @@ index c840e7d..f4c451c 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 1c640ea..b545bdc 100644 +index 8f775f5..272691c 100644 --- a/Makefile +++ b/Makefile @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
@@ -52923,6 +52923,55 @@ index b442dac..aab29cb 100644 if (!capable(CAP_SYS_RAWIO)) return -EPERM; if (kcore_need_update) +diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c +index 7ca7834..cfe90a4 100644 +--- a/fs/proc/kmsg.c ++++ b/fs/proc/kmsg.c +@@ -12,37 +12,37 @@ + #include <linux/poll.h> + #include <linux/proc_fs.h> + #include <linux/fs.h> ++#include <linux/syslog.h> + + #include <asm/uaccess.h> + #include <asm/io.h> + + extern wait_queue_head_t log_wait; + +-extern int do_syslog(int type, char __user *bug, int count); +- + static int kmsg_open(struct inode * inode, struct file * file) + { +- return do_syslog(1,NULL,0); ++ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE); + } + + static int kmsg_release(struct inode * inode, struct file * file) + { +- (void) do_syslog(0,NULL,0); ++ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE); + return 0; + } + + static ssize_t kmsg_read(struct file *file, char __user *buf, + size_t count, loff_t *ppos) + { +- if ((file->f_flags & O_NONBLOCK) && !do_syslog(9, NULL, 0)) ++ if ((file->f_flags & O_NONBLOCK) && ++ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) + return -EAGAIN; +- return do_syslog(2, buf, count); ++ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE); + } + + static unsigned int kmsg_poll(struct file *file, poll_table *wait) + { + poll_wait(file, &log_wait, wait); +- if (do_syslog(9, NULL, 0)) ++ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) + return POLLIN | POLLRDNORM; + return 0; + } diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c index a65239c..ad1182a 100644 --- a/fs/proc/meminfo.c @@ -68248,7 +68297,7 @@ index 1ee2c05..81b7ec4 100644 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */ diff --git a/include/linux/security.h b/include/linux/security.h -index d40d23f..253bd14 100644 +index d40d23f..d739b08 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -34,6 +34,7 @@ 
@@ -68259,6 +68308,53 @@ index d40d23f..253bd14 100644 #include <net/flow.h> /* Maximum number of letters for an LSM name string */ +@@ -76,7 +77,7 @@ extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, + extern int cap_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp); + extern int cap_task_setioprio(struct task_struct *p, int ioprio); + extern int cap_task_setnice(struct task_struct *p, int nice); +-extern int cap_syslog(int type); ++extern int cap_syslog(int type, bool from_file); + extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); + + struct msghdr; +@@ -1331,6 +1332,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) + * logging to the console. + * See the syslog(2) manual page for an explanation of the @type values. + * @type contains the type of action. ++ * @from_file indicates the context of action (if it came from /proc). + * Return 0 if permission is granted. + * @settime: + * Check permission to change the system time. 
+@@ -1445,7 +1447,7 @@ struct security_operations { + int (*sysctl) (struct ctl_table *table, int op); + int (*quotactl) (int cmds, int type, int id, struct super_block *sb); + int (*quota_on) (struct dentry *dentry); +- int (*syslog) (int type); ++ int (*syslog) (int type, bool from_file); + int (*settime) (struct timespec *ts, struct timezone *tz); + int (*vm_enough_memory) (struct mm_struct *mm, long pages); + +@@ -1740,7 +1742,7 @@ int security_acct(struct file *file); + int security_sysctl(struct ctl_table *table, int op); + int security_quotactl(int cmds, int type, int id, struct super_block *sb); + int security_quota_on(struct dentry *dentry); +-int security_syslog(int type); ++int security_syslog(int type, bool from_file); + int security_settime(struct timespec *ts, struct timezone *tz); + int security_vm_enough_memory(long pages); + int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); +@@ -1986,9 +1988,9 @@ static inline int security_quota_on(struct dentry *dentry) + return 0; + } + +-static inline int security_syslog(int type) ++static inline int security_syslog(int type, bool from_file) + { +- return cap_syslog(type); ++ return cap_syslog(type, from_file); + } + + static inline int security_settime(struct timespec *ts, struct timezone *tz) diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h index 8366d8f..2307490 100644 --- a/include/linux/seq_file.h 
@@ -68693,6 +68789,64 @@ index 9d68fed..71f02cc 100644 }; struct sysfs_dirent; +diff --git a/include/linux/syslog.h b/include/linux/syslog.h +new file mode 100644 +index 0000000..3891139 +--- /dev/null ++++ b/include/linux/syslog.h +@@ -0,0 +1,52 @@ ++/* Syslog internals ++ * ++ * Copyright 2010 Canonical, Ltd. ++ * Author: Kees Cook <kees.cook@canonical.com> ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2, or (at your option) ++ * any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; see the file COPYING. If not, write to ++ * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. ++ */ ++ ++#ifndef _LINUX_SYSLOG_H ++#define _LINUX_SYSLOG_H ++ ++/* Close the log. Currently a NOP. */ ++#define SYSLOG_ACTION_CLOSE 0 ++/* Open the log. Currently a NOP. */ ++#define SYSLOG_ACTION_OPEN 1 ++/* Read from the log. */ ++#define SYSLOG_ACTION_READ 2 ++/* Read all messages remaining in the ring buffer. */ ++#define SYSLOG_ACTION_READ_ALL 3 ++/* Read and clear all messages remaining in the ring buffer */ ++#define SYSLOG_ACTION_READ_CLEAR 4 ++/* Clear ring buffer. 
*/ ++#define SYSLOG_ACTION_CLEAR 5 ++/* Disable printk's to console */ ++#define SYSLOG_ACTION_CONSOLE_OFF 6 ++/* Enable printk's to console */ ++#define SYSLOG_ACTION_CONSOLE_ON 7 ++/* Set level of messages printed to console */ ++#define SYSLOG_ACTION_CONSOLE_LEVEL 8 ++/* Return number of unread characters in the log buffer */ ++#define SYSLOG_ACTION_SIZE_UNREAD 9 ++/* Return size of the log buffer */ ++#define SYSLOG_ACTION_SIZE_BUFFER 10 ++ ++#define SYSLOG_FROM_CALL 0 ++#define SYSLOG_FROM_FILE 1 ++ ++int do_syslog(int type, char __user *buf, int count, bool from_file); ++ ++#endif /* _LINUX_SYSLOG_H */ diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h index a8cc4e1..98d3b85 100644 --- a/include/linux/thread_info.h @@ -72993,21 +73147,137 @@ index 40dd021..fb30ceb 100644 mutex_lock(&pm_mutex); suspend_ops = ops; diff --git a/kernel/printk.c b/kernel/printk.c -index 4cade47..637e78a 100644 +index 4cade47..4d17900 100644 --- a/kernel/printk.c 
+++ b/kernel/printk.c -@@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf, int len) +@@ -33,6 +33,7 @@ + #include <linux/bootmem.h> + #include <linux/syscalls.h> + #include <linux/kexec.h> ++#include <linux/syslog.h> + + #include <asm/uaccess.h> + +@@ -256,38 +257,30 @@ static inline void boot_delay_msec(void) + } + #endif + +-/* +- * Commands to do_syslog: +- * +- * 0 -- Close the log. Currently a NOP. +- * 1 -- Open the log. Currently a NOP. +- * 2 -- Read from the log. +- * 3 -- Read all messages remaining in the ring buffer. +- * 4 -- Read and clear all messages remaining in the ring buffer +- * 5 -- Clear ring buffer. +- * 6 -- Disable printk's to console +- * 7 -- Enable printk's to console +- * 8 -- Set level of messages printed to console +- * 9 -- Return number of unread characters in the log buffer +- * 10 -- Return size of the log buffer +- */ +-int do_syslog(int type, char __user *buf, int len) ++int do_syslog(int type, char __user *buf, int len, bool from_file) + { + unsigned i, j, limit, count; + int do_clear = 0; char c; int error = 0; +- error = security_syslog(type); +#ifdef CONFIG_GRKERNSEC_DMESG -+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN)) ++ if (grsec_enable_dmesg && ++ (!from_file || (from_file && type == SYSLOG_ACTION_OPEN)) && ++ !capable(CAP_SYS_ADMIN)) + return -EPERM; +#endif + - error = security_syslog(type); ++ error = security_syslog(type, from_file); if (error) return error; + + switch (type) { +- case 0: /* Close log */ ++ case SYSLOG_ACTION_CLOSE: /* Close log */ + break; +- case 1: /* Open log */ ++ case SYSLOG_ACTION_OPEN: /* Open log */ + break; +- case 2: /* Read from log */ ++ case SYSLOG_ACTION_READ: /* Read from log */ + error = -EINVAL; + if (!buf || len < 0) + goto out; +@@ -318,10 +311,12 @@ int do_syslog(int type, char __user *buf, int len) + if (!error) + error = i; + break; +- case 4: /* Read/clear last kernel messages */ ++ /* Read/clear last kernel messages */ ++ case SYSLOG_ACTION_READ_CLEAR: + 
do_clear = 1; + /* FALL THRU */ +- case 3: /* Read last kernel messages */ ++ /* Read last kernel messages */ ++ case SYSLOG_ACTION_READ_ALL: + error = -EINVAL; + if (!buf || len < 0) + goto out; +@@ -374,21 +369,25 @@ int do_syslog(int type, char __user *buf, int len) + } + } + break; +- case 5: /* Clear ring buffer */ ++ /* Clear ring buffer */ ++ case SYSLOG_ACTION_CLEAR: + logged_chars = 0; + break; +- case 6: /* Disable logging to console */ ++ /* Disable logging to console */ ++ case SYSLOG_ACTION_CONSOLE_OFF: + if (saved_console_loglevel == -1) + saved_console_loglevel = console_loglevel; + console_loglevel = minimum_console_loglevel; + break; +- case 7: /* Enable logging to console */ ++ /* Enable logging to console */ ++ case SYSLOG_ACTION_CONSOLE_ON: + if (saved_console_loglevel != -1) { + console_loglevel = saved_console_loglevel; + saved_console_loglevel = -1; + } + break; +- case 8: /* Set level of messages printed to console */ ++ /* Set level of messages printed to console */ ++ case SYSLOG_ACTION_CONSOLE_LEVEL: + error = -EINVAL; + if (len < 1 || len > 8) + goto out; +@@ -399,10 +398,12 @@ int do_syslog(int type, char __user *buf, int len) + saved_console_loglevel = -1; + error = 0; + break; +- case 9: /* Number of chars in the log buffer */ ++ /* Number of chars in the log buffer */ ++ case SYSLOG_ACTION_SIZE_UNREAD: + error = log_end - log_start; + break; +- case 10: /* Size of the log buffer */ ++ /* Size of the log buffer */ ++ case SYSLOG_ACTION_SIZE_BUFFER: + error = log_buf_len; + break; + default: +@@ -415,7 +416,7 @@ out: + + SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) + { +- return do_syslog(type, buf, len); ++ return do_syslog(type, buf, len, SYSLOG_FROM_CALL); + } + + /* diff --git a/kernel/profile.c b/kernel/profile.c index dfadc5b..7f59404 100644 --- a/kernel/profile.c @@ -83894,19 +84164,19 @@ index fce07a7..5f12858 100644 }; 
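Review bot: The reworked CONFIG_GRKERNSEC_DMESG guard at the top of do_syslog in the kernel/printk.c part of this hunk tests `(!from_file || (from_file && type == SYSLOG_ACTION_OPEN))`, where the inner `from_file &&` is redundant because the left disjunct is false only when from_file is already true; `if (grsec_enable_dmesg && (!from_file || type == SYSLOG_ACTION_OPEN) && !capable(CAP_SYS_ADMIN))` is the same predicate stated plainly. The condition also fixes a trust boundary that deserves a comment: for the /proc/kmsg path only the open is gated, so reads, polls and size queries on an already-open file are no longer re-checked against CAP_SYS_ADMIN, which mirrors what cap_syslog does for from_file in the security/commoncap.c hunk that follows. A one-line note above the `#ifdef`, such as `/* /proc/kmsg: gate the open only; later actions on the open file are trusted, as in cap_syslog() */`, would keep the two checks from drifting apart. The inner hunks cover only parts of do_syslog, so the rest of its body is outside what is shown here.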
diff --git a/security/commoncap.c b/security/commoncap.c -index fe30751..cdc60e1 100644 +index fe30751..aaba312 100644 --- a/security/commoncap.c +++ b/security/commoncap.c -@@ -27,7 +27,7 @@ +@@ -27,6 +27,8 @@ #include <linux/sched.h> #include <linux/prctl.h> #include <linux/securebits.h> -- ++#include <linux/syslog.h> +#include <net/sock.h> + /* * If a non-root user executes a setuid-root binary in - * !secure(SECURE_NOROOT) mode, then we raise capabilities. -@@ -50,9 +50,18 @@ static void warn_setuid_and_fcaps_mixed(char *fname) +@@ -50,9 +52,18 @@ static void warn_setuid_and_fcaps_mixed(char *fname) } } @@ -83925,7 +84195,7 @@ index fe30751..cdc60e1 100644 return 0; } -@@ -582,6 +591,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) +@@ -582,6 +593,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) { const struct cred *cred = current_cred(); @@ -83935,6 +84205,27 @@ index fe30751..cdc60e1 100644 if (cred->uid != 0) { if (bprm->cap_effective) return 1; +@@ -956,13 +970,18 @@ error: + /** + * cap_syslog - Determine whether syslog function is permitted + * @type: Function requested ++ * @from_file: Whether this request came from an open file (i.e. /proc) + * + * Determine whether the current process is permitted to use a particular + * syslog function, returning 0 if permission is granted, -ve if not. + */ +-int cap_syslog(int type) ++int cap_syslog(int type, bool from_file) + { +- if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) ++ /* /proc/kmsg can open be opened by CAP_SYS_ADMIN */ ++ if (type != SYSLOG_ACTION_OPEN && from_file) ++ return 0; ++ if ((type != SYSLOG_ACTION_READ_ALL && ++ type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN)) + return -EPERM; + return 0; + } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 165eb53..b1db4eb 100644 --- a/security/integrity/ima/ima.h @@ -84052,7 +84343,7 @@ index 2f7ffa6..0455400 100644 }; 
diff --git a/security/security.c b/security/security.c -index c4c6732..3a3d821 100644 +index c4c6732..7abf13b 100644 --- a/security/security.c +++ b/security/security.c @@ -24,7 +24,7 @@ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; @@ -84073,11 +84364,31 @@ index c4c6732..3a3d821 100644 { if (verify(ops)) { printk(KERN_DEBUG "%s could not verify " +@@ -199,9 +199,9 @@ int security_quota_on(struct dentry *dentry) + return security_ops->quota_on(dentry); + } + +-int security_syslog(int type) ++int security_syslog(int type, bool from_file) + { +- return security_ops->syslog(type); ++ return security_ops->syslog(type, from_file); + } + + int security_settime(struct timespec *ts, struct timezone *tz) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index a106754..2805823 100644 +index a106754..ca3a589 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -131,7 +131,7 @@ int selinux_enabled = 1; +@@ -76,6 +76,7 @@ + #include <linux/selinux.h> + #include <linux/mutex.h> + #include <linux/posix-timers.h> ++#include <linux/syslog.h> + + #include "avc.h" + #include "objsec.h" +@@ -131,7 +132,7 @@ int selinux_enabled = 1; * Minimal support for a secondary security module, * just to allow the use of the capability module. */ 
@@ -84086,7 +84397,50 @@ index a106754..2805823 100644 /* Lists of inode and superblock security structures initialized before the policy was loaded. */ -@@ -5457,7 +5457,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) +@@ -2050,29 +2051,30 @@ static int selinux_quota_on(struct dentry *dentry) + return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); + } + +-static int selinux_syslog(int type) ++static int selinux_syslog(int type, bool from_file) + { + int rc; + +- rc = cap_syslog(type); ++ rc = cap_syslog(type, from_file); + if (rc) + return rc; + + switch (type) { +- case 3: /* Read last kernel messages */ +- case 10: /* Return size of the log buffer */ ++ case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ ++ case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ + rc = task_has_system(current, SYSTEM__SYSLOG_READ); + break; +- case 6: /* Disable logging to console */ +- case 7: /* Enable logging to console */ +- case 8: /* Set level of messages printed to console */ ++ case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ ++ case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ ++ /* Set level of messages printed to console */ ++ case SYSLOG_ACTION_CONSOLE_LEVEL: + rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); + break; +- case 0: /* Close log */ +- case 1: /* Open log */ +- case 2: /* Read from log */ +- case 4: /* Read/clear last kernel messages */ +- case 5: /* Clear ring buffer */ ++ case SYSLOG_ACTION_CLOSE: /* Close log */ ++ case SYSLOG_ACTION_OPEN: /* Open log */ ++ case SYSLOG_ACTION_READ: /* Read from log */ ++ case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ ++ case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ + default: + rc = task_has_system(current, SYSTEM__SYSLOG_MOD); + break; +@@ -5457,7 +5459,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif 
@@ -84095,7 +84449,7 @@ index a106754..2805823 100644 .name = "selinux", .ptrace_access_check = selinux_ptrace_access_check, -@@ -5841,7 +5841,9 @@ int selinux_disable(void) +@@ -5841,7 +5843,9 @@ int selinux_disable(void) avc_disable(); /* Reset security_ops to the secondary module, dummy or capability. */ @@ -84132,9 +84486,24 @@ index ff17820..d68084c 100644 avtab_cache_init(); if (policydb_read(&policydb, fp)) { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index c33b6bb..9651403 100644 +index c33b6bb..b51f19e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c +@@ -157,12 +157,12 @@ static int smack_ptrace_traceme(struct task_struct *ptp) + * + * Returns 0 on success, error code otherwise. + */ +-static int smack_syslog(int type) ++static int smack_syslog(int type, bool from_file) + { + int rc; + char *sp = current_security(); + +- rc = cap_syslog(type); ++ rc = cap_syslog(type, from_file); + if (rc != 0) + return rc; + @@ -3073,7 +3073,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) return 0; } diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch index 5f4693e..9097814 100644 --- a/2.6.32/4435_grsec-kconfig-gentoo.patch +++ b/2.6.32/4435_grsec-kconfig-gentoo.patch @@ -27,7 +27,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_LOW bool "Low" -@@ -190,6 +190,261 @@ +@@ -190,6 +190,259 @@ - Restricted sysfs/debugfs - Active kernel exploit response @@ -138,7 +138,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM 
@@ -223,7 +222,6 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig + select GRKERNSEC_CHROOT_CAPS + select GRKERNSEC_CHROOT_SYSCTL + select GRKERNSEC_CHROOT_FINDTASK -+ select GRKERNSEC_SYSFS_RESTRICT + select GRKERNSEC_PROC + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR) + select GRKERNSEC_HIDESYM diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch index ca88ef7..d84eb57 100644 --- a/2.6.32/4437-grsec-kconfig-proc-user.patch +++ b/2.6.32/4437-grsec-kconfig-proc-user.patch @@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400 -@@ -667,7 +667,7 @@ +@@ -665,7 +665,7 @@ config GRKERNSEC_PROC_USER bool "Restrict /proc to user only" @@ -15,7 +15,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, -@@ -675,7 +675,7 @@ +@@ -673,7 +673,7 @@ config GRKERNSEC_PROC_USERGROUP bool "Allow special group" diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch index 34c78d5..5bbfa24 100644 --- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch +++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400 -@@ -1266,6 +1266,27 @@ +@@ -1264,6 +1264,27 @@ menu "Logging Options" depends on GRKERNSEC |
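Review bot: In 4435_grsec-kconfig-gentoo.patch, both `select` lists lose `select GRKERNSEC_SYSFS_RESTRICT` with no explanation in the commit message or in the patch header, yet the surrounding context text still advertises "Restricted sysfs/debugfs" as part of what these profiles provide. If the symbol was dropped or renamed in the refreshed upstream grsecurity patch, say so; if it still exists, this is a silent hardening regression for anyone building from these profiles and should be called out rather than buried in a version-bump commit. A one-line note in the patch's own header, e.g. `GRKERNSEC_SYSFS_RESTRICT no longer selected here: <reason / upstream change>`, would make the intent reviewable later. The Kconfig entries these `select` lines belong to start outside this hunk, so I cannot confirm which profile names are affected from the visible lines.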