authorAnthony G. Basile <blueness@gentoo.org>2013-01-19 17:32:11 -0500
committerAnthony G. Basile <blueness@gentoo.org>2013-01-19 17:32:11 -0500
commitbc4716dff18954724cb61d76de7dd8ea1418462a (patch)
treefc4ab84d69ccc9054ec07bffd00e77a5fdb12aae /2.6.32
parentAdd missing patch for 3.2.36-201301041854 (diff)
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.37,3.7.3}-20130118151820130118
Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch)234
-rw-r--r--2.6.32/4450_grsec-kconfig-default-gids.patch6
-rw-r--r--2.6.32/4465_selinux-avc_audit-log-curr_ip.patch2
4 files changed, 149 insertions, 95 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index c0dac22..bb6d062 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch
index 4ef624e..1eea97a 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch
@@ -77003,7 +77003,7 @@ index ff57421..f65f88a 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 86fafc6..ddb5122 100644
+index 86fafc6..9154c823 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,12 +56,33 @@
@@ -77105,7 +77105,18 @@ index 86fafc6..ddb5122 100644
return 0;
err:
up_write(&mm->mmap_sem);
-@@ -510,7 +545,7 @@ int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm)
+@@ -400,8 +435,9 @@ static int count(char __user * __user * argv, int max)
+ if (!p)
+ break;
+ argv++;
+- if (i++ >= max)
++ if (i >= max)
+ return -E2BIG;
++ ++i;
+
+ if (fatal_signal_pending(current))
+ return -ERESTARTNOHAND;
+@@ -510,7 +546,7 @@ int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm)
int r;
mm_segment_t oldfs = get_fs();
set_fs(KERNEL_DS);
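Review bot: The split increment in count() carries no comment saying why `if (i++ >= max)` was replaced, so a later cleanup could fold the two lines back together. With `max` near INT_MAX the old post-increment could push the signed counter past its range on the rejected iteration (inferred; the declaration of `i` is outside the hunk). A one-line comment above the check, such as `/* test before incrementing so i never exceeds max */`, would record the intent. Whether the compat variant of count() has the same pattern is not visible in this diff and is worth checking.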
@@ -77114,7 +77125,7 @@ index 86fafc6..ddb5122 100644
set_fs(oldfs);
return r;
}
-@@ -540,7 +575,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -540,7 +576,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
unsigned long new_end = old_end - shift;
struct mmu_gather *tlb;
@@ -77124,7 +77135,7 @@ index 86fafc6..ddb5122 100644
/*
* ensure there are no vmas between where we want to go
-@@ -549,6 +585,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -549,6 +586,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
if (vma != find_vma(mm, new_start))
return -EFAULT;
@@ -77135,7 +77146,7 @@ index 86fafc6..ddb5122 100644
/*
* cover the whole range: [new_start, old_end)
*/
-@@ -630,10 +670,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -630,10 +671,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
stack_top = arch_align_stack(stack_top);
stack_top = PAGE_ALIGN(stack_top);
@@ -77146,7 +77157,7 @@ index 86fafc6..ddb5122 100644
stack_shift = vma->vm_end - stack_top;
bprm->p -= stack_shift;
-@@ -645,6 +681,14 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -645,6 +682,14 @@ int setup_arg_pages(struct linux_binprm *bprm,
bprm->exec -= stack_shift;
down_write(&mm->mmap_sem);
@@ -77161,7 +77172,7 @@ index 86fafc6..ddb5122 100644
vm_flags = VM_STACK_FLAGS;
/*
-@@ -658,19 +702,24 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -658,19 +703,24 @@ int setup_arg_pages(struct linux_binprm *bprm,
vm_flags &= ~VM_EXEC;
vm_flags |= mm->def_flags;
@@ -77193,7 +77204,7 @@ index 86fafc6..ddb5122 100644
stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
stack_size = vma->vm_end - vma->vm_start;
/*
-@@ -721,6 +770,8 @@ struct file *open_exec(const char *name)
+@@ -721,6 +771,8 @@ struct file *open_exec(const char *name)
fsnotify_open(file->f_path.dentry);
@@ -77202,7 +77213,7 @@ index 86fafc6..ddb5122 100644
err = deny_write_access(file);
if (err)
goto exit;
-@@ -744,7 +795,7 @@ int kernel_read(struct file *file, loff_t offset,
+@@ -744,7 +796,7 @@ int kernel_read(struct file *file, loff_t offset,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -77211,7 +77222,7 @@ index 86fafc6..ddb5122 100644
set_fs(old_fs);
return result;
}
-@@ -985,6 +1036,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
+@@ -985,6 +1037,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
perf_event_comm(tsk);
}
@@ -77233,7 +77244,7 @@ index 86fafc6..ddb5122 100644
int flush_old_exec(struct linux_binprm * bprm)
{
int retval;
-@@ -999,6 +1065,7 @@ int flush_old_exec(struct linux_binprm * bprm)
+@@ -999,6 +1066,7 @@ int flush_old_exec(struct linux_binprm * bprm)
set_mm_exe_file(bprm->mm, bprm->file);
@@ -77241,7 +77252,7 @@ index 86fafc6..ddb5122 100644
/*
* Release all of the old mmap stuff
*/
-@@ -1023,10 +1090,6 @@ EXPORT_SYMBOL(flush_old_exec);
+@@ -1023,10 +1091,6 @@ EXPORT_SYMBOL(flush_old_exec);
void setup_new_exec(struct linux_binprm * bprm)
{
@@ -77252,7 +77263,7 @@ index 86fafc6..ddb5122 100644
arch_pick_mmap_layout(current->mm);
/* This is the point of no return */
-@@ -1037,18 +1100,7 @@ void setup_new_exec(struct linux_binprm * bprm)
+@@ -1037,18 +1101,7 @@ void setup_new_exec(struct linux_binprm * bprm)
else
set_dumpable(current->mm, suid_dumpable);
@@ -77272,7 +77283,7 @@ index 86fafc6..ddb5122 100644
/* Set the new mm task size. We have to do that late because it may
* depend on TIF_32BIT which is only updated in flush_thread() on
-@@ -1090,14 +1142,14 @@ EXPORT_SYMBOL(setup_new_exec);
+@@ -1090,14 +1143,14 @@ EXPORT_SYMBOL(setup_new_exec);
*/
int prepare_bprm_creds(struct linux_binprm *bprm)
{
@@ -77289,7 +77300,7 @@ index 86fafc6..ddb5122 100644
return -ENOMEM;
}
-@@ -1105,7 +1157,7 @@ void free_bprm(struct linux_binprm *bprm)
+@@ -1105,7 +1158,7 @@ void free_bprm(struct linux_binprm *bprm)
{
free_arg_pages(bprm);
if (bprm->cred) {
@@ -77298,7 +77309,7 @@ index 86fafc6..ddb5122 100644
abort_creds(bprm->cred);
}
kfree(bprm);
-@@ -1126,13 +1178,13 @@ void install_exec_creds(struct linux_binprm *bprm)
+@@ -1126,13 +1179,13 @@ void install_exec_creds(struct linux_binprm *bprm)
* credentials; any time after this it may be unlocked.
*/
security_bprm_committed_creds(bprm);
@@ -77314,7 +77325,7 @@ index 86fafc6..ddb5122 100644
* PTRACE_ATTACH
*/
int check_unsafe_exec(struct linux_binprm *bprm)
-@@ -1152,7 +1204,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1152,7 +1205,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -77323,7 +77334,7 @@ index 86fafc6..ddb5122 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1339,6 +1391,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+@@ -1339,6 +1392,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
EXPORT_SYMBOL(search_binary_handler);
@@ -77345,7 +77356,7 @@ index 86fafc6..ddb5122 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1347,11 +1414,35 @@ int do_execve(char * filename,
+@@ -1347,11 +1415,35 @@ int do_execve(char * filename,
char __user *__user *envp,
struct pt_regs * regs)
{
@@ -77381,7 +77392,7 @@ index 86fafc6..ddb5122 100644
retval = unshare_files(&displaced);
if (retval)
-@@ -1377,12 +1468,27 @@ int do_execve(char * filename,
+@@ -1377,12 +1469,27 @@ int do_execve(char * filename,
if (IS_ERR(file))
goto out_unmark;
@@ -77409,7 +77420,7 @@ index 86fafc6..ddb5122 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1399,25 +1505,66 @@ int do_execve(char * filename,
+@@ -1399,25 +1506,66 @@ int do_execve(char * filename,
if (retval < 0)
goto out;
@@ -77480,7 +77491,7 @@ index 86fafc6..ddb5122 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1426,6 +1573,14 @@ int do_execve(char * filename,
+@@ -1426,6 +1574,14 @@ int do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -77495,7 +77506,7 @@ index 86fafc6..ddb5122 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1591,6 +1746,251 @@ out:
+@@ -1591,6 +1747,251 @@ out:
return ispipe;
}
@@ -77747,7 +77758,7 @@ index 86fafc6..ddb5122 100644
static int zap_process(struct task_struct *start)
{
struct task_struct *t;
-@@ -1793,17 +2193,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -1793,17 +2194,17 @@ static void wait_for_dump_helpers(struct file *file)
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -77770,7 +77781,7 @@ index 86fafc6..ddb5122 100644
pipe_unlock(pipe);
}
-@@ -1826,10 +2226,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1826,10 +2227,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
char **helper_argv = NULL;
int helper_argc = 0;
int dump_count = 0;
@@ -77785,7 +77796,7 @@ index 86fafc6..ddb5122 100644
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -1874,6 +2277,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1874,6 +2278,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
*/
clear_thread_flag(TIF_SIGPENDING);
@@ -77794,7 +77805,7 @@ index 86fafc6..ddb5122 100644
/*
* lock_kernel() because format_corename() is controlled by sysctl, which
* uses lock_kernel()
-@@ -1908,7 +2313,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -1908,7 +2314,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
goto fail_unlock;
}
@@ -77803,7 +77814,7 @@ index 86fafc6..ddb5122 100644
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -1972,7 +2377,7 @@ close_fail:
+@@ -1972,7 +2378,7 @@ close_fail:
filp_close(file, NULL);
fail_dropcount:
if (dump_count)
@@ -78236,7 +78247,7 @@ index a24c58e..53f91ee 100644
if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
diff --git a/fs/fs_struct.c b/fs/fs_struct.c
-index eee0590..34791ce 100644
+index eee0590..0a5b2ee 100644
--- a/fs/fs_struct.c
+++ b/fs/fs_struct.c
@@ -4,6 +4,7 @@
@@ -78269,14 +78280,7 @@ index eee0590..34791ce 100644
count++;
}
if (fs->pwd.dentry == old_root->dentry
-@@ -84,12 +93,15 @@ void exit_fs(struct task_struct *tsk)
- {
- struct fs_struct *fs = tsk->fs;
-
-+ gr_put_exec_file(tsk);
-+
- if (fs) {
- int kill;
+@@ -89,7 +98,8 @@ void exit_fs(struct task_struct *tsk)
task_lock(tsk);
write_lock(&fs->lock);
tsk->fs = NULL;
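Review bot: Responsibility for releasing exec_file is now spread over three files, and nothing at the call sites says which path owns it. This hunk drops `gr_put_exec_file(tsk)` from exit_fs(), and the daemonize_fs_struct() hunk further down drops it too. The calls that remain visible are in grsecurity/gracl_fs.c (function name outside its hunk) and the one added to daemonize() in kernel/exit.c. A comment at each remaining call, such as `/* sole release of ->exec_file on this path; exit_fs() no longer does it */`, would let a reader confirm that every exit path still drops the struct file reference. gr_put_exec_file() itself is not shown here, so confirm it still clears the pointer under grsec_exec_file_lock as the removed inline code in gracl_fs.c did.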
@@ -78286,7 +78290,7 @@ index eee0590..34791ce 100644
write_unlock(&fs->lock);
task_unlock(tsk);
if (kill)
-@@ -102,7 +114,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
+@@ -102,7 +112,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
/* We don't need to lock fs - think why ;-) */
if (fs) {
@@ -78295,7 +78299,7 @@ index eee0590..34791ce 100644
fs->in_exec = 0;
rwlock_init(&fs->lock);
fs->umask = old->umask;
-@@ -127,8 +139,9 @@ int unshare_fs_struct(void)
+@@ -127,8 +137,9 @@ int unshare_fs_struct(void)
task_lock(current);
write_lock(&fs->lock);
@@ -78306,7 +78310,7 @@ index eee0590..34791ce 100644
write_unlock(&fs->lock);
task_unlock(current);
-@@ -141,13 +154,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
+@@ -141,13 +152,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
int current_umask(void)
{
@@ -78322,15 +78326,7 @@ index eee0590..34791ce 100644
.lock = __RW_LOCK_UNLOCKED(init_fs.lock),
.umask = 0022,
};
-@@ -156,18 +169,21 @@ void daemonize_fs_struct(void)
- {
- struct fs_struct *fs = current->fs;
-
-+ gr_put_exec_file(current);
-+
- if (fs) {
- int kill;
-
+@@ -162,12 +173,13 @@ void daemonize_fs_struct(void)
task_lock(current);
write_lock(&init_fs.lock);
@@ -84038,10 +84034,10 @@ index e89734e..5e84d8d 100644
return 0;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..7efd211
+index 0000000..7cf22bd
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,946 @@
+@@ -0,0 +1,964 @@
+#
+# grecurity configuration
+#
@@ -84848,6 +84844,24 @@ index 0000000..7efd211
+ prevents a socket from lasting more than 45 seconds in LAST_ACK
+ state.
+
++config GRKERNSEC_NO_SIMULT_CONNECT
++ bool "Disable TCP Simultaneous Connect"
++ default y if GRKERNSEC_CONFIG_AUTO
++ depends on NET
++ help
++ If you say Y here, a feature by Willy Tarreau will be enabled that
++ removes a weakness in Linux's strict implementation of TCP that
++ allows two clients to connect to each other without either entering
++ a listening state. The weakness allows an attacker to easily prevent
++ a client from connecting to a known server provided the source port
++ for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL,
++ it should be eliminated by enabling this option. Though Linux is
++ one of few operating systems supporting simultaneous connect, it
++ has no legitimate use in practice and is rarely supported by firewalls.
++
+config GRKERNSEC_SOCKET
+ bool "Socket restrictions"
+ depends on NET
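Review bot: The help text for GRKERNSEC_NO_SIMULT_CONNECT says simultaneous connect "has no legitimate use in practice", which leaves out the users who will notice the change: peer-to-peer software that uses TCP simultaneous open for NAT traversal. The tcp_input.c part of this patch gates the behaviour with `#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT`, so as far as this page shows it is a build-time choice with no runtime switch. I would add a sentence such as `Applications that rely on TCP simultaneous open (e.g. some NAT traversal techniques) will fail to connect with this option enabled.` Because `default y if GRKERNSEC_CONFIG_AUTO` turns the option on for auto-configured kernels, the text should say that as well.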
@@ -89455,10 +89469,10 @@ index 0000000..955ddfb
+
diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c
new file mode 100644
-index 0000000..5804e36
+index 0000000..5a3ac97
--- /dev/null
+++ b/grsecurity/gracl_fs.c
-@@ -0,0 +1,437 @@
+@@ -0,0 +1,431 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/types.h>
@@ -89866,7 +89880,6 @@ index 0000000..5804e36
+{
+ u16 id;
+ char *rolename;
-+ struct file *exec_file;
+
+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
+ !(current->role->roletype & GR_ROLE_PERSIST))) {
@@ -89876,13 +89889,8 @@ index 0000000..5804e36
+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
+ }
+
-+ write_lock(&grsec_exec_file_lock);
-+ exec_file = current->exec_file;
-+ current->exec_file = NULL;
-+ write_unlock(&grsec_exec_file_lock);
-+
-+ if (exec_file)
-+ fput(exec_file);
++ gr_put_exec_file(current);
++ return;
+}
+
+int
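Review bot: The `return;` added after `gr_put_exec_file(current);` is the last statement before the closing brace, so it does nothing and can be dropped. The function's signature and the start of its body are outside this hunk.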
@@ -102179,7 +102187,7 @@ index 9c06d10..5b211dc 100644
if (ret < 0)
return ret;
diff --git a/kernel/exit.c b/kernel/exit.c
-index a2a1659..55ff5d7 100644
+index a2a1659..df8479c 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -174,6 +174,10 @@ void release_task(struct task_struct * p)
@@ -102202,16 +102210,17 @@ index a2a1659..55ff5d7 100644
recalc_sigpending();
spin_unlock_irq(&current->sighand->siglock);
return 0;
-@@ -433,6 +437,8 @@ void daemonize(const char *name, ...)
+@@ -433,6 +437,9 @@ void daemonize(const char *name, ...)
vsnprintf(current->comm, sizeof(current->comm), name, args);
va_end(args);
++ gr_put_exec_file(current);
+ gr_set_kernel_label(current);
+
/*
* If we were started as result of loading a module, close all of the
* user space pages. We don't need them, and if we didn't close them
-@@ -897,17 +903,17 @@ NORET_TYPE void do_exit(long code)
+@@ -897,17 +904,17 @@ NORET_TYPE void do_exit(long code)
struct task_struct *tsk = current;
int group_dead;
@@ -102236,7 +102245,7 @@ index a2a1659..55ff5d7 100644
* that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
* continuing. Amongst other possible reasons, this is to prevent
* mm_release()->clear_child_tid() from writing to a user-controlled
-@@ -915,6 +921,13 @@ NORET_TYPE void do_exit(long code)
+@@ -915,6 +922,13 @@ NORET_TYPE void do_exit(long code)
*/
set_fs(USER_DS);
@@ -102250,7 +102259,7 @@ index a2a1659..55ff5d7 100644
tracehook_report_exit(&code);
validate_creds_for_do_exit(tsk);
-@@ -973,6 +986,9 @@ NORET_TYPE void do_exit(long code)
+@@ -973,6 +987,9 @@ NORET_TYPE void do_exit(long code)
tsk->exit_code = code;
taskstats_exit(tsk, group_dead);
@@ -102260,7 +102269,7 @@ index a2a1659..55ff5d7 100644
exit_mm(tsk);
if (group_dead)
-@@ -1059,7 +1075,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
+@@ -1059,7 +1076,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
* Take down every thread in the group. This is called by fatal signals
* as well as by sys_exit_group (below).
*/
@@ -102269,7 +102278,7 @@ index a2a1659..55ff5d7 100644
do_group_exit(int exit_code)
{
struct signal_struct *sig = current->signal;
-@@ -1188,7 +1204,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p)
+@@ -1188,7 +1205,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p)
if (unlikely(wo->wo_flags & WNOWAIT)) {
int exit_code = p->exit_code;
@@ -102279,7 +102288,7 @@ index a2a1659..55ff5d7 100644
get_task_struct(p);
read_unlock(&tasklist_lock);
diff --git a/kernel/fork.c b/kernel/fork.c
-index c28f804..96ea6cb 100644
+index c28f804..3a04506 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -240,21 +240,26 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
@@ -102427,17 +102436,19 @@ index c28f804..96ea6cb 100644
retval = copy_creds(p, clone_flags);
if (retval < 0)
-@@ -1236,6 +1280,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
- /* Need tasklist lock for parent etc handling! */
- write_lock_irq(&tasklist_lock);
+@@ -1263,6 +1307,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+ goto bad_fork_free_pid;
+ }
-+ /* synchronizes with gr_set_acls() */
++ /* synchronizes with gr_set_acls()
++ we need to call this past the point of no return for fork()
++ */
+ gr_copy_label(p);
+
- /* CLONE_PARENT re-uses the old parent */
- if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
- p->real_parent = current->real_parent;
-@@ -1337,6 +1384,8 @@ bad_fork_cleanup_count:
+ if (clone_flags & CLONE_THREAD) {
+ atomic_inc(&current->signal->count);
+ atomic_inc(&current->signal->live);
+@@ -1337,6 +1386,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
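Review bot: The new comment above `gr_copy_label(p)` says the call must come after fork's point of no return, but not what breaks otherwise, and its layout departs from the kernel's multi-line comment style. Presumably the label copy sets up state that the `bad_fork_*` unwinding does not undo (an inference; gr_copy_label() is not shown). Wording such as `/* synchronizes with gr_set_acls(); must run after the last failure exit because the bad_fork_* labels do not undo it */`, laid out with a leading ` * ` on each continuation line, would state that. copy_process() starts and ends outside this hunk.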
@@ -102446,7 +102457,7 @@ index c28f804..96ea6cb 100644
return ERR_PTR(retval);
}
-@@ -1430,6 +1479,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1430,6 +1481,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -102455,7 +102466,7 @@ index c28f804..96ea6cb 100644
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1562,7 +1613,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
+@@ -1562,7 +1615,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -102464,7 +102475,7 @@ index c28f804..96ea6cb 100644
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1685,7 +1736,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
+@@ -1685,7 +1738,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
fs = current->fs;
write_lock(&fs->lock);
current->fs = new_fs;
@@ -113226,7 +113237,7 @@ index 1eba160b..c35d91f 100644
}
}
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index db755c4..fbca78e 100644
+index db755c4..07d671b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -82,6 +82,9 @@ int sysctl_tcp_dsack __read_mostly = 1;
@@ -113300,7 +113311,18 @@ index db755c4..fbca78e 100644
{
struct tcp_sock *tp = tcp_sk(sk);
-@@ -5100,7 +5127,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+@@ -5093,38 +5120,48 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
+ * an acknowledgment should be sent in reply (unless the RST
+ * bit is set, if so drop the segment and return)".
+ */
+- if (!th->rst)
++ if (!th->rst) {
++ if (th->syn)
++ goto syn_challenge;
+ tcp_send_dupack(sk, skb);
++ }
+ goto discard;
+ }
/* Step 2: check RST bit */
if (th->rst) {
@@ -113318,8 +113340,11 @@ index db755c4..fbca78e 100644
goto discard;
}
-@@ -5111,20 +5147,22 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
-
+- /* ts_recent update must be made after we are sure that the packet
+- * is in window.
+- */
+- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
+-
/* step 3: check security and precedence [ignored] */
- /* step 4: Check for a SYN in window. */
@@ -113328,6 +113353,7 @@ index db755c4..fbca78e 100644
+ * RFC 5691 4.2 : Send a challenge ack
+ */
+ if (th->syn) {
++syn_challenge:
if (syn_inerr)
TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONSYN);
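Review bot: The comment above the `if (th->syn)` block cites "RFC 5691 4.2", but the challenge-ACK behaviour comes from RFC 5961 section 4.2, so the digits are transposed. It should read `* RFC 5961 4.2 : Send a challenge ack`. The added `syn_challenge:` label sits inside that `if` body and is reached by the `goto` in the out-of-window branch. That means the `syn_inerr` accounting now also runs for out-of-window SYNs, which deserves a short comment at the label. tcp_validate_incoming() starts and ends outside this hunk.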
@@ -113348,7 +113374,7 @@ index db755c4..fbca78e 100644
}
/*
-@@ -5154,7 +5192,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+@@ -5154,7 +5191,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
struct tcphdr *th, unsigned len)
{
struct tcp_sock *tp = tcp_sk(sk);
@@ -113356,7 +113382,7 @@ index db755c4..fbca78e 100644
/*
* Header prediction.
-@@ -5330,16 +5367,18 @@ slow_path:
+@@ -5330,18 +5366,25 @@ slow_path:
if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
goto csum_error;
@@ -113378,8 +113404,31 @@ index db755c4..fbca78e 100644
+ if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
goto discard;
++ /* ts_recent update must be made after we are sure that the packet
++ * is in window.
++ */
++ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
++
tcp_rcv_rtt_measure_ts(sk, skb);
-@@ -5618,7 +5657,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+
+ /* Process urgent data. */
+@@ -5542,6 +5585,7 @@ discard:
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
++#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT
+ if (th->syn) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+@@ -5590,6 +5634,7 @@ discard:
+ goto discard;
+ #endif
+ }
++#endif
+ /* "fifth, if neither of the SYN or RST bits is set then
+ * drop the segment and return."
+ */
+@@ -5618,7 +5663,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
struct tcp_sock *tp = tcp_sk(sk);
struct inet_connection_sock *icsk = inet_csk(sk);
int queued = 0;
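Review bot: Once the crossed-SYN block is compiled out by the added `#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT`, the comment after the `#endif` ("fifth, if neither of the SYN or RST bits is set then drop the segment") no longer covers every segment that reaches it. A bare SYN in SYN-SENT now gets there as well. A comment on the guard, e.g. `/* with NO_SIMULT_CONNECT a SYN without ACK falls through to the drop below */`, would keep the RFC step numbering readable. The code after that comment is outside the hunk, so the fall-through to a discard is inferred from the comment text.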
@@ -113387,7 +113436,7 @@ index db755c4..fbca78e 100644
tp->rx_opt.saw_tstamp = 0;
-@@ -5634,7 +5672,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5634,7 +5678,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
@@ -113396,7 +113445,7 @@ index db755c4..fbca78e 100644
goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
-@@ -5673,12 +5711,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5673,12 +5717,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
return 0;
}
@@ -113415,13 +113464,18 @@ index db755c4..fbca78e 100644
int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
switch (sk->sk_state) {
-@@ -5789,8 +5829,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+@@ -5789,8 +5835,12 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
}
break;
}
- } else
- goto discard;
+ }
++
++ /* ts_recent update must be made after we are sure that the packet
++ * is in window.
++ */
++ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
/* step 6: check the URG bit */
tcp_urg(sk, skb, th);
diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
index 71d438f..7d4f60c 100644
--- a/2.6.32/4450_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -825,7 +825,7 @@
+@@ -843,7 +843,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -846,7 +846,7 @@
+@@ -864,7 +864,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -864,7 +864,7 @@
+@@ -882,7 +882,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
index 5af1cce..43ed69a 100644
--- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -923,6 +923,27 @@
+@@ -941,6 +941,27 @@
menu "Logging Options"
depends on GRKERNSEC