author | 2013-01-19 17:32:11 -0500 | |
---|---|---|
committer | 2013-01-19 17:32:11 -0500 | |
commit | bc4716dff18954724cb61d76de7dd8ea1418462a (patch) | |
tree | fc4ab84d69ccc9054ec07bffd00e77a5fdb12aae /2.6.32 | |
parent | Add missing patch for 3.2.36-201301041854 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.37,3.7.3}-20130118151820130118
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch) | 234 | ||||
-rw-r--r-- | 2.6.32/4450_grsec-kconfig-default-gids.patch | 6 | ||||
-rw-r--r-- | 2.6.32/4465_selinux-avc_audit-log-curr_ip.patch | 2 |
4 files changed, 149 insertions, 95 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index c0dac22..bb6d062 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch index 4ef624e..1eea97a 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301032033.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201301181517.patch @@ -77003,7 +77003,7 @@ index ff57421..f65f88a 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 86fafc6..ddb5122 100644 +index 86fafc6..9154c823 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,12 +56,33 @@ @@ -77105,7 +77105,18 @@ index 86fafc6..ddb5122 100644 return 0; err: up_write(&mm->mmap_sem); -@@ -510,7 +545,7 @@ int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm) +@@ -400,8 +435,9 @@ static int count(char __user * __user * argv, int max) + if (!p) + break; + argv++; +- if (i++ >= max) ++ if (i >= max) + return -E2BIG; ++ ++i; + + if (fatal_signal_pending(current)) + return -ERESTARTNOHAND; +@@ -510,7 +546,7 @@ int copy_strings_kernel(int argc,char ** argv, struct linux_binprm *bprm) int r; mm_segment_t oldfs = get_fs(); set_fs(KERNEL_DS); @@ -77114,7 +77125,7 @@ index 86fafc6..ddb5122 100644 set_fs(oldfs); return r; } -@@ -540,7 +575,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -540,7 +576,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) unsigned long new_end = old_end - shift; struct mmu_gather *tlb; 
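Review bot: The reordered bound check in count() in fs/exec.c (`if (i >= max) return -E2BIG; ++i;`) has no comment saying why the test must precede the increment, so a later cleanup could fold it back into `i++ >= max`. If `i` is a signed int and `max` can be as large as INT_MAX (neither declaration is in the hunk), the old form incremented on the failing iteration and could overflow; a one-line comment such as `/* test before incrementing so i never exceeds max */` would record that. The compat counterpart, compat_count() in fs/compat.c, is not shown on this page and is worth checking for the same pattern. count()'s body starts and ends outside the hunk.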
@@ -77124,7 +77135,7 @@ index 86fafc6..ddb5122 100644 /* * ensure there are no vmas between where we want to go -@@ -549,6 +585,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) +@@ -549,6 +586,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) if (vma != find_vma(mm, new_start)) return -EFAULT; @@ -77135,7 +77146,7 @@ index 86fafc6..ddb5122 100644 /* * cover the whole range: [new_start, old_end) */ -@@ -630,10 +670,6 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -630,10 +671,6 @@ int setup_arg_pages(struct linux_binprm *bprm, stack_top = arch_align_stack(stack_top); stack_top = PAGE_ALIGN(stack_top); @@ -77146,7 +77157,7 @@ index 86fafc6..ddb5122 100644 stack_shift = vma->vm_end - stack_top; bprm->p -= stack_shift; -@@ -645,6 +681,14 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -645,6 +682,14 @@ int setup_arg_pages(struct linux_binprm *bprm, bprm->exec -= stack_shift; down_write(&mm->mmap_sem); @@ -77161,7 +77172,7 @@ index 86fafc6..ddb5122 100644 vm_flags = VM_STACK_FLAGS; /* -@@ -658,19 +702,24 @@ int setup_arg_pages(struct linux_binprm *bprm, +@@ -658,19 +703,24 @@ int setup_arg_pages(struct linux_binprm *bprm, vm_flags &= ~VM_EXEC; vm_flags |= mm->def_flags; @@ -77193,7 +77204,7 @@ index 86fafc6..ddb5122 100644 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE; stack_size = vma->vm_end - vma->vm_start; /* -@@ -721,6 +770,8 @@ struct file *open_exec(const char *name) +@@ -721,6 +771,8 @@ struct file *open_exec(const char *name) fsnotify_open(file->f_path.dentry); @@ -77202,7 +77213,7 @@ index 86fafc6..ddb5122 100644 err = deny_write_access(file); if (err) goto exit; -@@ -744,7 +795,7 @@ int kernel_read(struct file *file, loff_t offset, +@@ -744,7 +796,7 @@ int kernel_read(struct file *file, loff_t offset, old_fs = get_fs(); set_fs(get_ds()); /* The cast to a user pointer is valid due to the set_fs() */ 
@@ -77211,7 +77222,7 @@ index 86fafc6..ddb5122 100644 set_fs(old_fs); return result; } -@@ -985,6 +1036,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) +@@ -985,6 +1037,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) perf_event_comm(tsk); } @@ -77233,7 +77244,7 @@ index 86fafc6..ddb5122 100644 int flush_old_exec(struct linux_binprm * bprm) { int retval; -@@ -999,6 +1065,7 @@ int flush_old_exec(struct linux_binprm * bprm) +@@ -999,6 +1066,7 @@ int flush_old_exec(struct linux_binprm * bprm) set_mm_exe_file(bprm->mm, bprm->file); @@ -77241,7 +77252,7 @@ index 86fafc6..ddb5122 100644 /* * Release all of the old mmap stuff */ -@@ -1023,10 +1090,6 @@ EXPORT_SYMBOL(flush_old_exec); +@@ -1023,10 +1091,6 @@ EXPORT_SYMBOL(flush_old_exec); void setup_new_exec(struct linux_binprm * bprm) { @@ -77252,7 +77263,7 @@ index 86fafc6..ddb5122 100644 arch_pick_mmap_layout(current->mm); /* This is the point of no return */ -@@ -1037,18 +1100,7 @@ void setup_new_exec(struct linux_binprm * bprm) +@@ -1037,18 +1101,7 @@ void setup_new_exec(struct linux_binprm * bprm) else set_dumpable(current->mm, suid_dumpable); @@ -77272,7 +77283,7 @@ index 86fafc6..ddb5122 100644 /* Set the new mm task size. We have to do that late because it may * depend on TIF_32BIT which is only updated in flush_thread() on -@@ -1090,14 +1142,14 @@ EXPORT_SYMBOL(setup_new_exec); +@@ -1090,14 +1143,14 @@ EXPORT_SYMBOL(setup_new_exec); */ int prepare_bprm_creds(struct linux_binprm *bprm) { @@ -77289,7 +77300,7 @@ index 86fafc6..ddb5122 100644 return -ENOMEM; } -@@ -1105,7 +1157,7 @@ void free_bprm(struct linux_binprm *bprm) +@@ -1105,7 +1158,7 @@ void free_bprm(struct linux_binprm *bprm) { free_arg_pages(bprm); if (bprm->cred) { 
@@ -77298,7 +77309,7 @@ index 86fafc6..ddb5122 100644 abort_creds(bprm->cred); } kfree(bprm); -@@ -1126,13 +1178,13 @@ void install_exec_creds(struct linux_binprm *bprm) +@@ -1126,13 +1179,13 @@ void install_exec_creds(struct linux_binprm *bprm) * credentials; any time after this it may be unlocked. */ security_bprm_committed_creds(bprm); @@ -77314,7 +77325,7 @@ index 86fafc6..ddb5122 100644 * PTRACE_ATTACH */ int check_unsafe_exec(struct linux_binprm *bprm) -@@ -1152,7 +1204,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1152,7 +1205,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -77323,7 +77334,7 @@ index 86fafc6..ddb5122 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1339,6 +1391,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) +@@ -1339,6 +1392,21 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) EXPORT_SYMBOL(search_binary_handler); @@ -77345,7 +77356,7 @@ index 86fafc6..ddb5122 100644 /* * sys_execve() executes a new program. */ -@@ -1347,11 +1414,35 @@ int do_execve(char * filename, +@@ -1347,11 +1415,35 @@ int do_execve(char * filename, char __user *__user *envp, struct pt_regs * regs) { @@ -77381,7 +77392,7 @@ index 86fafc6..ddb5122 100644 retval = unshare_files(&displaced); if (retval) -@@ -1377,12 +1468,27 @@ int do_execve(char * filename, +@@ -1377,12 +1469,27 @@ int do_execve(char * filename, if (IS_ERR(file)) goto out_unmark; @@ -77409,7 +77420,7 @@ index 86fafc6..ddb5122 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1399,25 +1505,66 @@ int do_execve(char * filename, +@@ -1399,25 +1506,66 @@ int do_execve(char * filename, if (retval < 0) goto out; 
@@ -77480,7 +77491,7 @@ index 86fafc6..ddb5122 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1426,6 +1573,14 @@ int do_execve(char * filename, +@@ -1426,6 +1574,14 @@ int do_execve(char * filename, put_files_struct(displaced); return retval; @@ -77495,7 +77506,7 @@ index 86fafc6..ddb5122 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1591,6 +1746,251 @@ out: +@@ -1591,6 +1747,251 @@ out: return ispipe; } @@ -77747,7 +77758,7 @@ index 86fafc6..ddb5122 100644 static int zap_process(struct task_struct *start) { struct task_struct *t; -@@ -1793,17 +2193,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -1793,17 +2194,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -77770,7 +77781,7 @@ index 86fafc6..ddb5122 100644 pipe_unlock(pipe); } -@@ -1826,10 +2226,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1826,10 +2227,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) char **helper_argv = NULL; int helper_argc = 0; int dump_count = 0; @@ -77785,7 +77796,7 @@ index 86fafc6..ddb5122 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -1874,6 +2277,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1874,6 +2278,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) */ clear_thread_flag(TIF_SIGPENDING); @@ -77794,7 +77805,7 @@ index 86fafc6..ddb5122 100644 /* * lock_kernel() because format_corename() is controlled by sysctl, which * uses lock_kernel() -@@ -1908,7 +2313,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1908,7 +2314,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) goto fail_unlock; } 
@@ -77803,7 +77814,7 @@ index 86fafc6..ddb5122 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -1972,7 +2377,7 @@ close_fail: +@@ -1972,7 +2378,7 @@ close_fail: filp_close(file, NULL); fail_dropcount: if (dump_count) @@ -78236,7 +78247,7 @@ index a24c58e..53f91ee 100644 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) { diff --git a/fs/fs_struct.c b/fs/fs_struct.c -index eee0590..34791ce 100644 +index eee0590..0a5b2ee 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -4,6 +4,7 @@ @@ -78269,14 +78280,7 @@ index eee0590..34791ce 100644 count++; } if (fs->pwd.dentry == old_root->dentry -@@ -84,12 +93,15 @@ void exit_fs(struct task_struct *tsk) - { - struct fs_struct *fs = tsk->fs; - -+ gr_put_exec_file(tsk); -+ - if (fs) { - int kill; +@@ -89,7 +98,8 @@ void exit_fs(struct task_struct *tsk) task_lock(tsk); write_lock(&fs->lock); tsk->fs = NULL; @@ -78286,7 +78290,7 @@ index eee0590..34791ce 100644 write_unlock(&fs->lock); task_unlock(tsk); if (kill) -@@ -102,7 +114,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) +@@ -102,7 +112,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old) struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL); /* We don't need to lock fs - think why ;-) */ if (fs) { @@ -78295,7 +78299,7 @@ index eee0590..34791ce 100644 fs->in_exec = 0; rwlock_init(&fs->lock); fs->umask = old->umask; -@@ -127,8 +139,9 @@ int unshare_fs_struct(void) +@@ -127,8 +137,9 @@ int unshare_fs_struct(void) task_lock(current); write_lock(&fs->lock); @@ -78306,7 +78310,7 @@ index eee0590..34791ce 100644 write_unlock(&fs->lock); task_unlock(current); -@@ -141,13 +154,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); +@@ -141,13 +152,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); int current_umask(void) { 
@@ -78322,15 +78326,7 @@ index eee0590..34791ce 100644 .lock = __RW_LOCK_UNLOCKED(init_fs.lock), .umask = 0022, }; -@@ -156,18 +169,21 @@ void daemonize_fs_struct(void) - { - struct fs_struct *fs = current->fs; - -+ gr_put_exec_file(current); -+ - if (fs) { - int kill; - +@@ -162,12 +173,13 @@ void daemonize_fs_struct(void) task_lock(current); write_lock(&init_fs.lock); @@ -84038,10 +84034,10 @@ index e89734e..5e84d8d 100644 return 0; diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..7efd211 +index 0000000..7cf22bd --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,946 @@ +@@ -0,0 +1,964 @@ +# +# grecurity configuration +# @@ -84848,6 +84844,24 @@ index 0000000..7efd211 + prevents a socket from lasting more than 45 seconds in LAST_ACK + state. + ++config GRKERNSEC_NO_SIMULT_CONNECT ++ bool "Disable TCP Simultaneous Connect" ++ default y if GRKERNSEC_CONFIG_AUTO ++ depends on NET ++ help ++ If you say Y here, a feature by Willy Tarreau will be enabled that ++ removes a weakness in Linux's strict implementation of TCP that ++ allows two clients to connect to each other without either entering ++ a listening state. The weakness allows an attacker to easily prevent ++ a client from connecting to a known server provided the source port ++ for the connection is guessed correctly. ++ ++ As the weakness could be used to prevent an antivirus or IPS from ++ fetching updates, or prevent an SSL gateway from fetching a CRL, ++ it should be eliminated by enabling this option. Though Linux is ++ one of few operating systems supporting simultaneous connect, it ++ has no legitimate use in practice and is rarely supported by firewalls. ++ +config GRKERNSEC_SOCKET + bool "Socket restrictions" + depends on NET @@ -89455,10 +89469,10 @@ index 0000000..955ddfb + diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c new file mode 100644 -index 0000000..5804e36 +index 0000000..5a3ac97 --- /dev/null 
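Review bot: The help text added for GRKERNSEC_NO_SIMULT_CONNECT in grsecurity/Kconfig says simultaneous connect "has no legitimate use in practice", which is stronger than the facts support: some peer-to-peer NAT traversal schemes rely on TCP simultaneous open, and with `default y if GRKERNSEC_CONFIG_AUTO` they would stop connecting on auto-configured kernels. I would add a sentence to the help such as `Applications that rely on TCP simultaneous open (for example some peer-to-peer NAT traversal) will fail to connect with this option enabled.` As far as this page shows, the option is compile-time only, so the help should also say that it cannot be switched at run time.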
+++ b/grsecurity/gracl_fs.c -@@ -0,0 +1,437 @@ +@@ -0,0 +1,431 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/types.h> @@ -89866,7 +89880,6 @@ index 0000000..5804e36 +{ + u16 id; + char *rolename; -+ struct file *exec_file; + + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() && + !(current->role->roletype & GR_ROLE_PERSIST))) { @@ -89876,13 +89889,8 @@ index 0000000..5804e36 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id); + } + -+ write_lock(&grsec_exec_file_lock); -+ exec_file = current->exec_file; -+ current->exec_file = NULL; -+ write_unlock(&grsec_exec_file_lock); -+ -+ if (exec_file) -+ fput(exec_file); ++ gr_put_exec_file(current); ++ return; +} + +int @@ -102179,7 +102187,7 @@ index 9c06d10..5b211dc 100644 if (ret < 0) return ret; diff --git a/kernel/exit.c b/kernel/exit.c -index a2a1659..55ff5d7 100644 +index a2a1659..df8479c 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -174,6 +174,10 @@ void release_task(struct task_struct * p) @@ -102202,16 +102210,17 @@ index a2a1659..55ff5d7 100644 recalc_sigpending(); spin_unlock_irq(¤t->sighand->siglock); return 0; -@@ -433,6 +437,8 @@ void daemonize(const char *name, ...) +@@ -433,6 +437,9 @@ void daemonize(const char *name, ...) vsnprintf(current->comm, sizeof(current->comm), name, args); va_end(args); ++ gr_put_exec_file(current); + gr_set_kernel_label(current); + /* * If we were started as result of loading a module, close all of the * user space pages. We don't need them, and if we didn't close them -@@ -897,17 +903,17 @@ NORET_TYPE void do_exit(long code) +@@ -897,17 +904,17 @@ NORET_TYPE void do_exit(long code) struct task_struct *tsk = current; int group_dead; 
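Review bot: Nothing visible on this page guarantees that the exec_file reference is still released on every exit path, now that `gr_put_exec_file(tsk)` is gone from exit_fs() and `gr_put_exec_file(current)` from daemonize_fs_struct() in fs/fs_struct.c. The release now happens only in the function patched in the grsecurity/gracl_fs.c hunk and in daemonize() in kernel/exit.c, and the call order in do_exit() is outside the visible hunks, so a path that reaches exit_fs() without passing through one of those callers would keep the struct file pinned. A short comment above the new call, e.g. `/* drop the exec_file reference; exit_fs() no longer does this */`, would document the new ownership. The trailing `return;` added at the end of this void function is redundant and can be dropped.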
@@ -102236,7 +102245,7 @@ index a2a1659..55ff5d7 100644 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before * continuing. Amongst other possible reasons, this is to prevent * mm_release()->clear_child_tid() from writing to a user-controlled -@@ -915,6 +921,13 @@ NORET_TYPE void do_exit(long code) +@@ -915,6 +922,13 @@ NORET_TYPE void do_exit(long code) */ set_fs(USER_DS); @@ -102250,7 +102259,7 @@ index a2a1659..55ff5d7 100644 tracehook_report_exit(&code); validate_creds_for_do_exit(tsk); -@@ -973,6 +986,9 @@ NORET_TYPE void do_exit(long code) +@@ -973,6 +987,9 @@ NORET_TYPE void do_exit(long code) tsk->exit_code = code; taskstats_exit(tsk, group_dead); @@ -102260,7 +102269,7 @@ index a2a1659..55ff5d7 100644 exit_mm(tsk); if (group_dead) -@@ -1059,7 +1075,7 @@ SYSCALL_DEFINE1(exit, int, error_code) +@@ -1059,7 +1076,7 @@ SYSCALL_DEFINE1(exit, int, error_code) * Take down every thread in the group. This is called by fatal signals * as well as by sys_exit_group (below). */ @@ -102269,7 +102278,7 @@ index a2a1659..55ff5d7 100644 do_group_exit(int exit_code) { struct signal_struct *sig = current->signal; -@@ -1188,7 +1204,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) +@@ -1188,7 +1205,7 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) if (unlikely(wo->wo_flags & WNOWAIT)) { int exit_code = p->exit_code; @@ -102279,7 +102288,7 @@ index a2a1659..55ff5d7 100644 get_task_struct(p); read_unlock(&tasklist_lock); diff --git a/kernel/fork.c b/kernel/fork.c -index c28f804..96ea6cb 100644 +index c28f804..3a04506 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -240,21 +240,26 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) 
@@ -102427,17 +102436,19 @@ index c28f804..96ea6cb 100644 retval = copy_creds(p, clone_flags); if (retval < 0) -@@ -1236,6 +1280,9 @@ static struct task_struct *copy_process(unsigned long clone_flags, - /* Need tasklist lock for parent etc handling! */ - write_lock_irq(&tasklist_lock); +@@ -1263,6 +1307,11 @@ static struct task_struct *copy_process(unsigned long clone_flags, + goto bad_fork_free_pid; + } -+ /* synchronizes with gr_set_acls() */ ++ /* synchronizes with gr_set_acls() ++ we need to call this past the point of no return for fork() ++ */ + gr_copy_label(p); + - /* CLONE_PARENT re-uses the old parent */ - if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) { - p->real_parent = current->real_parent; -@@ -1337,6 +1384,8 @@ bad_fork_cleanup_count: + if (clone_flags & CLONE_THREAD) { + atomic_inc(¤t->signal->count); + atomic_inc(¤t->signal->live); +@@ -1337,6 +1386,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -102446,7 +102457,7 @@ index c28f804..96ea6cb 100644 return ERR_PTR(retval); } -@@ -1430,6 +1479,8 @@ long do_fork(unsigned long clone_flags, +@@ -1430,6 +1481,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -102455,7 +102466,7 @@ index c28f804..96ea6cb 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1562,7 +1613,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1562,7 +1615,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -102464,7 +102475,7 @@ index c28f804..96ea6cb 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1685,7 +1736,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1685,7 +1738,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; write_lock(&fs->lock); current->fs = new_fs; 
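Review bot: The comment added above the relocated `gr_copy_label(p)` call in copy_process() in kernel/fork.c says the call must come "past the point of no return for fork()" but not why, which is what a maintainer needs when the surrounding error paths change. Presumably the label copy takes references or publishes state that the `bad_fork_*` unwinding does not undo; if that is the reason, state it, e.g. `/* synchronizes with gr_set_acls(); must follow the last failure exit because the bad_fork_* paths do not undo the label copy */`. copy_process() starts and ends outside the hunk, so the claim that no failure exit follows this point should be checked against the full function.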
@@ -113226,7 +113237,7 @@ index 1eba160b..c35d91f 100644 } } diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index db755c4..fbca78e 100644 +index db755c4..07d671b 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -82,6 +82,9 @@ int sysctl_tcp_dsack __read_mostly = 1; @@ -113300,7 +113311,18 @@ index db755c4..fbca78e 100644 { struct tcp_sock *tp = tcp_sk(sk); -@@ -5100,7 +5127,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, +@@ -5093,38 +5120,48 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, + * an acknowledgment should be sent in reply (unless the RST + * bit is set, if so drop the segment and return)". + */ +- if (!th->rst) ++ if (!th->rst) { ++ if (th->syn) ++ goto syn_challenge; + tcp_send_dupack(sk, skb); ++ } + goto discard; + } /* Step 2: check RST bit */ if (th->rst) { @@ -113318,8 +113340,11 @@ index db755c4..fbca78e 100644 goto discard; } -@@ -5111,20 +5147,22 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, - +- /* ts_recent update must be made after we are sure that the packet +- * is in window. +- */ +- tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq); +- /* step 3: check security and precedence [ignored] */ - /* step 4: Check for a SYN in window. */ @@ -113328,6 +113353,7 @@ index db755c4..fbca78e 100644 + * RFC 5691 4.2 : Send a challenge ack + */ + if (th->syn) { ++syn_challenge: if (syn_inerr) TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS); - NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONSYN); @@ -113348,7 +113374,7 @@ index db755c4..fbca78e 100644 } /* -@@ -5154,7 +5192,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb, +@@ -5154,7 +5191,6 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb, struct tcphdr *th, unsigned len) { struct tcp_sock *tp = tcp_sk(sk); 
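Review bot: The comment on the SYN check in tcp_validate_incoming() in net/ipv4/tcp_input.c cites "RFC 5691 4.2", but the challenge-ACK behaviour it describes comes from RFC 5961 section 4.2; the line should read `* RFC 5961 4.2 : Send a challenge ack`. The new `syn_challenge:` label sits inside the `if (th->syn) {` block and is reached by `goto` from the out-of-window branch above it, which is valid C but easy to break when the condition is edited. A comment on the label such as `/* also entered from the sequence check for an out-of-window SYN */` would make that second entry point visible. The function body extends beyond the hunks shown.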
@@ -113356,7 +113382,7 @@ index db755c4..fbca78e 100644 /* * Header prediction. -@@ -5330,16 +5367,18 @@ slow_path: +@@ -5330,18 +5366,25 @@ slow_path: if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb)) goto csum_error; @@ -113378,8 +113404,31 @@ index db755c4..fbca78e 100644 + if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0) goto discard; ++ /* ts_recent update must be made after we are sure that the packet ++ * is in window. ++ */ ++ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq); ++ tcp_rcv_rtt_measure_ts(sk, skb); -@@ -5618,7 +5657,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + + /* Process urgent data. */ +@@ -5542,6 +5585,7 @@ discard: + tcp_paws_reject(&tp->rx_opt, 0)) + goto discard_and_undo; + ++#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT + if (th->syn) { + /* We see SYN without ACK. It is attempt of + * simultaneous connect with crossed SYNs. +@@ -5590,6 +5634,7 @@ discard: + goto discard; + #endif + } ++#endif + /* "fifth, if neither of the SYN or RST bits is set then + * drop the segment and return." + */ +@@ -5618,7 +5663,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, struct tcp_sock *tp = tcp_sk(sk); struct inet_connection_sock *icsk = inet_csk(sk); int queued = 0; @@ -113387,7 +113436,7 @@ index db755c4..fbca78e 100644 tp->rx_opt.saw_tstamp = 0; -@@ -5634,7 +5672,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5634,7 +5678,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { @@ -113396,7 +113445,7 @@ index db755c4..fbca78e 100644 goto discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0) return 1; -@@ -5673,12 +5711,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5673,12 +5717,14 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, return 0; } 
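Review bot: The comment right after the new `#endif` in the SYN-SENT handling in net/ipv4/tcp_input.c ("fifth, if neither of the SYN or RST bits is set then drop the segment and return") is no longer accurate when CONFIG_GRKERNSEC_NO_SIMULT_CONNECT is set. With the `if (th->syn)` branch compiled out, a SYN without ACK falls through to that same drop. I would tag the closing directive as `#endif /* !CONFIG_GRKERNSEC_NO_SIMULT_CONNECT */`, since an inner `#endif` already sits just above it, and add `/* with GRKERNSEC_NO_SIMULT_CONNECT a crossed SYN is dropped here as well */` above the RFC quotation. The code after that comment is outside the hunk, so the exact drop path should be confirmed against the full function.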
@@ -113415,13 +113464,18 @@ index db755c4..fbca78e 100644 int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0; switch (sk->sk_state) { -@@ -5789,8 +5829,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5789,8 +5835,12 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, } break; } - } else - goto discard; + } ++ ++ /* ts_recent update must be made after we are sure that the packet ++ * is in window. ++ */ ++ tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq); /* step 6: check the URG bit */ tcp_urg(sk, skb, th); diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch index 71d438f..7d4f60c 100644 --- a/2.6.32/4450_grsec-kconfig-default-gids.patch +++ b/2.6.32/4450_grsec-kconfig-default-gids.patch @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -825,7 +825,7 @@ +@@ -843,7 +843,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -846,7 +846,7 @@ +@@ -864,7 +864,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -864,7 +864,7 @@ +@@ -882,7 +882,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch index 5af1cce..43ed69a 100644 
--- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch +++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400 -@@ -923,6 +923,27 @@ +@@ -941,6 +941,27 @@ menu "Logging Options" depends on GRKERNSEC |