authorAnthony G. Basile <blueness@gentoo.org>2012-12-09 21:33:36 -0500
committerAnthony G. Basile <blueness@gentoo.org>2012-12-09 22:39:47 -0500
commitd994308b9ee141c7fef9a62d37ef87707494f854 (patch)
tree8d59eb597e13a737ef5173b291fdbc0109e063d6 /2.6.32
parentGrsec/PaX: 2.9.1-{2.6.32.60,3.2.34,3.6.9}-201212041903 (diff)
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.35,3.6.9}-20121207164120121207
Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch)59
2 files changed, 38 insertions, 23 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 640e15f..1443d3a 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch
index 585b0cc..06f7fb7 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch
@@ -76791,7 +76791,7 @@ index ff57421..f65f88a 100644
out_free_fd:
diff --git a/fs/exec.c b/fs/exec.c
-index 86fafc6..ab06586 100644
+index 86fafc6..ddb5122 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,12 +56,33 @@
@@ -77568,7 +77568,7 @@ index 86fafc6..ab06586 100644
audit_core_dumps(signr);
+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
-+ gr_handle_brute_attach(current, mm->flags);
++ gr_handle_brute_attach(mm->flags);
+
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
@@ -92700,10 +92700,10 @@ index 0000000..78f8733
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..c648492
+index 0000000..d450a74
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,206 @@
+@@ -0,0 +1,219 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/delay.h>
@@ -92781,6 +92781,7 @@ index 0000000..c648492
+
+#ifdef CONFIG_GRKERNSEC_BRUTE
+#define GR_USER_BAN_TIME (15 * 60)
++#define GR_DAEMON_BRUTE_TIME (30 * 60)
+
+static int __get_dumpable(unsigned long mm_flags)
+{
@@ -92791,10 +92792,12 @@ index 0000000..c648492
+}
+#endif
+
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
++void gr_handle_brute_attach(unsigned long mm_flags)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
++ struct task_struct *p = current;
+ uid_t uid = 0;
++ int daemon = 0;
+
+ if (!grsec_enable_brute)
+ return;
@@ -92802,9 +92805,11 @@ index 0000000..c648492
+ rcu_read_lock();
+ read_lock(&tasklist_lock);
+ read_lock(&grsec_exec_file_lock);
-+ if (p->real_parent && p->real_parent->exec_file == p->exec_file)
++ if (p->real_parent && p->real_parent->exec_file == p->exec_file) {
++ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
+ p->real_parent->brute = 1;
-+ else {
++ daemon = 1;
++ } else {
+ const struct cred *cred = __task_cred(p), *cred2;
+ struct task_struct *tsk, *tsk2;
+
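Review bot: The stores to `p->real_parent->brute_expires` and `p->real_parent->brute` at the top of this hunk are plain writes made under `read_lock(&tasklist_lock)`, which only keeps the parent alive; two children of the same daemon crashing concurrently both write here, and the parent reads `brute` and then `brute_expires` in gr_handle_brute_check with no lock or barrier, so it can observe the flag before the new expiry value. From the visible code the worst outcome is one missed or shortened stall, which is probably acceptable for a rate limiter, but the intent should be recorded, e.g. `/* plain stores: racing writers only extend the window; the parent reads these unlocked on its own fork path */`. gr_handle_brute_attach begins in the preceding hunk and its uid-ban branch continues outside this one.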
@@ -92836,6 +92841,8 @@ index 0000000..c648492
+
+ if (uid)
+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
++ else if (daemon)
++ gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
+#endif
+ return;
+}
@@ -92843,8 +92850,14 @@ index 0000000..c648492
+void gr_handle_brute_check(void)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
-+ if (current->brute)
-+ msleep(30 * 1000);
++ struct task_struct *p = current;
++
++ if (unlikely(p->brute)) {
++ if (!grsec_enable_brute)
++ p->brute = 0;
++ else if (time_before(get_seconds(), p->brute_expires))
++ msleep(30 * 1000);
++ }
+#endif
+ return;
+}
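Review bot: `p->brute` is never cleared once `brute_expires` has passed in gr_handle_brute_check, so a daemon that outlives the 30-minute window keeps taking the `unlikely(p->brute)` branch and calling get_seconds() on every fork for the rest of its life, and the stale flag is copied into every child it forks afterwards. An `else p->brute = 0;` after the `time_before` test would end the window explicitly; a later crash re-arms both fields in gr_handle_brute_attach, so nothing is lost. Note also that `time_before()` is the jiffies-comparison macro applied here to a seconds count; it works because it is a signed difference, but a comment such as `/* brute_expires is in seconds (get_seconds()), not jiffies */` would save the next reader a check.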
@@ -96667,10 +96680,10 @@ index 0000000..3322652
+#endif
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
new file mode 100644
-index 0000000..ac88734
+index 0000000..18863d1
--- /dev/null
+++ b/include/linux/grmsg.h
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -96781,9 +96794,10 @@ index 0000000..ac88734
+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
+#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
++#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..0e2a522
+index 0000000..6e2f8bc
--- /dev/null
+++ b/include/linux/grsecurity.h
@@ -0,0 +1,226 @@
@@ -96809,7 +96823,7 @@ index 0000000..0e2a522
+#error "CONFIG_PAX enabled, but no PaX options are enabled."
+#endif
+
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
++void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
+int gr_process_user_ban(void);
@@ -98401,7 +98415,7 @@ index 3392c59..a746428 100644
#if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
/**
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 71849bf..903514a 100644
+index 71849bf..42936d2 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -101,6 +101,7 @@ struct bio;
@@ -98529,7 +98543,7 @@ index 71849bf..903514a 100644
struct io_context *io_context;
unsigned long ptrace_message;
-@@ -1519,6 +1544,27 @@ struct task_struct {
+@@ -1519,6 +1544,28 @@ struct task_struct {
unsigned long default_timer_slack_ns;
struct list_head *scm_work_list;
@@ -98546,6 +98560,7 @@ index 71849bf..903514a 100644
+ struct acl_subject_label *acl;
+ struct acl_role_label *role;
+ struct file *exec_file;
++ unsigned long brute_expires;
+ u16 acl_role_id;
+ /* is this the task that authenticated to the special role */
+ u8 acl_sp_role;
@@ -98557,7 +98572,7 @@ index 71849bf..903514a 100644
#ifdef CONFIG_FUNCTION_GRAPH_TRACER
/* Index of current stored adress in ret_stack */
int curr_ret_stack;
-@@ -1542,6 +1588,57 @@ struct task_struct {
+@@ -1542,6 +1589,57 @@ struct task_struct {
#endif /* CONFIG_TRACING */
};
@@ -98615,7 +98630,7 @@ index 71849bf..903514a 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
-@@ -1740,7 +1837,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
+@@ -1740,7 +1838,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
#define PF_DUMPCORE 0x00000200 /* dumped core */
#define PF_SIGNALED 0x00000400 /* killed by a signal */
#define PF_MEMALLOC 0x00000800 /* Allocating memory */
@@ -98624,7 +98639,7 @@ index 71849bf..903514a 100644
#define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
#define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
#define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
-@@ -1978,7 +2075,9 @@ void yield(void);
+@@ -1978,7 +2076,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -98634,7 +98649,7 @@ index 71849bf..903514a 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2011,6 +2110,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2011,6 +2111,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -98642,7 +98657,7 @@ index 71849bf..903514a 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2155,7 +2255,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2155,7 +2256,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -98651,7 +98666,7 @@ index 71849bf..903514a 100644
extern void daemonize(const char *, ...);
extern int allow_signal(int);
-@@ -2284,9 +2384,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2284,9 +2385,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#endif
@@ -98663,7 +98678,7 @@ index 71849bf..903514a 100644
return (obj >= stack) && (obj < (stack + THREAD_SIZE));
}
-@@ -2616,6 +2716,23 @@ static inline unsigned long rlimit_max(unsigned int limit)
+@@ -2616,6 +2717,23 @@ static inline unsigned long rlimit_max(unsigned int limit)
return task_rlimit_max(current, limit);
}