author | 2012-12-09 21:33:36 -0500 | |
---|---|---|
committer | 2012-12-09 22:39:47 -0500 | |
commit | d994308b9ee141c7fef9a62d37ef87707494f854 (patch) | |
tree | 8d59eb597e13a737ef5173b291fdbc0109e063d6 /2.6.32 | |
parent | Grsec/PaX: 2.9.1-{2.6.32.60,3.2.34,3.6.9}-201212041903 (diff) | |
download | hardened-patchset-d994308b9ee141c7fef9a62d37ef87707494f854.tar.gz hardened-patchset-d994308b9ee141c7fef9a62d37ef87707494f854.tar.bz2 hardened-patchset-d994308b9ee141c7fef9a62d37ef87707494f854.zip |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.35,3.6.9}-20121207164120121207
Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch) | 59 |
2 files changed, 38 insertions, 23 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 640e15f..1443d3a 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch index 585b0cc..06f7fb7 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch @@ -76791,7 +76791,7 @@ index ff57421..f65f88a 100644 out_free_fd: diff --git a/fs/exec.c b/fs/exec.c -index 86fafc6..ab06586 100644 +index 86fafc6..ddb5122 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,12 +56,33 @@ @@ -77568,7 +77568,7 @@ index 86fafc6..ab06586 100644 audit_core_dumps(signr); + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL) -+ gr_handle_brute_attach(current, mm->flags); ++ gr_handle_brute_attach(mm->flags); + binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) @@ -92700,10 +92700,10 @@ index 0000000..78f8733 +} diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c new file mode 100644 -index 0000000..c648492 +index 0000000..d450a74 --- /dev/null +++ b/grsecurity/grsec_sig.c -@@ -0,0 +1,206 @@ +@@ -0,0 +1,219 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/delay.h> @@ -92781,6 +92781,7 @@ index 0000000..c648492 + +#ifdef CONFIG_GRKERNSEC_BRUTE +#define GR_USER_BAN_TIME (15 * 60) ++#define GR_DAEMON_BRUTE_TIME (30 * 60) + +static int __get_dumpable(unsigned long mm_flags) +{ 
@@ -92791,10 +92792,12 @@ index 0000000..c648492 +} +#endif + -+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags) ++void gr_handle_brute_attach(unsigned long mm_flags) +{ +#ifdef CONFIG_GRKERNSEC_BRUTE ++ struct task_struct *p = current; + uid_t uid = 0; ++ int daemon = 0; + + if (!grsec_enable_brute) + return; @@ -92802,9 +92805,11 @@ index 0000000..c648492 + rcu_read_lock(); + read_lock(&tasklist_lock); + read_lock(&grsec_exec_file_lock); -+ if (p->real_parent && p->real_parent->exec_file == p->exec_file) ++ if (p->real_parent && p->real_parent->exec_file == p->exec_file) { ++ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME; + p->real_parent->brute = 1; -+ else { ++ daemon = 1; ++ } else { + const struct cred *cred = __task_cred(p), *cred2; + struct task_struct *tsk, *tsk2; + @@ -92836,6 +92841,8 @@ index 0000000..c648492 + + if (uid) + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60); ++ else if (daemon) ++ gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG); +#endif + return; +} @@ -92843,8 +92850,14 @@ index 0000000..c648492 +void gr_handle_brute_check(void) +{ +#ifdef CONFIG_GRKERNSEC_BRUTE -+ if (current->brute) -+ msleep(30 * 1000); ++ struct task_struct *p = current; ++ ++ if (unlikely(p->brute)) { ++ if (!grsec_enable_brute) ++ p->brute = 0; ++ else if (time_before(get_seconds(), p->brute_expires)) ++ msleep(30 * 1000); ++ } +#endif + return; +} @@ -96667,10 +96680,10 @@ index 0000000..3322652 +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..ac88734 +index 0000000..18863d1 --- /dev/null 
+++ b/include/linux/grmsg.h -@@ -0,0 +1,110 @@ +@@ -0,0 +1,111 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -96781,9 +96794,10 @@ index 0000000..ac88734 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by " +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by " ++#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..0e2a522 +index 0000000..6e2f8bc --- /dev/null +++ b/include/linux/grsecurity.h @@ -0,0 +1,226 @@ @@ -96809,7 +96823,7 @@ index 0000000..0e2a522 +#error "CONFIG_PAX enabled, but no PaX options are enabled." +#endif + -+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags); ++void gr_handle_brute_attach(unsigned long mm_flags); +void gr_handle_brute_check(void); +void gr_handle_kernel_exploit(void); +int gr_process_user_ban(void); @@ -98401,7 +98415,7 @@ index 3392c59..a746428 100644 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE) /** diff --git a/include/linux/sched.h b/include/linux/sched.h -index 71849bf..903514a 100644 +index 71849bf..42936d2 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio; 
@@ -98529,7 +98543,7 @@ index 71849bf..903514a 100644 struct io_context *io_context; unsigned long ptrace_message; -@@ -1519,6 +1544,27 @@ struct task_struct { +@@ -1519,6 +1544,28 @@ struct task_struct { unsigned long default_timer_slack_ns; struct list_head *scm_work_list; @@ -98546,6 +98560,7 @@ index 71849bf..903514a 100644 + struct acl_subject_label *acl; + struct acl_role_label *role; + struct file *exec_file; ++ unsigned long brute_expires; + u16 acl_role_id; + /* is this the task that authenticated to the special role */ + u8 acl_sp_role; @@ -98557,7 +98572,7 @@ index 71849bf..903514a 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored adress in ret_stack */ int curr_ret_stack; -@@ -1542,6 +1588,57 @@ struct task_struct { +@@ -1542,6 +1589,57 @@ struct task_struct { #endif /* CONFIG_TRACING */ }; @@ -98615,7 +98630,7 @@ index 71849bf..903514a 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed) -@@ -1740,7 +1837,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t * +@@ -1740,7 +1838,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t * #define PF_DUMPCORE 0x00000200 /* dumped core */ #define PF_SIGNALED 0x00000400 /* killed by a signal */ #define PF_MEMALLOC 0x00000800 /* Allocating memory */ @@ -98624,7 +98639,7 @@ index 71849bf..903514a 100644 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */ #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */ #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */ -@@ -1978,7 +2075,9 @@ void yield(void); +@@ -1978,7 +2076,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { 
@@ -98634,7 +98649,7 @@ index 71849bf..903514a 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2011,6 +2110,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2011,6 +2111,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -98642,7 +98657,7 @@ index 71849bf..903514a 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2155,7 +2255,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2155,7 +2256,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -98651,7 +98666,7 @@ index 71849bf..903514a 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2284,9 +2384,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2284,9 +2385,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -98663,7 +98678,7 @@ index 71849bf..903514a 100644 return (obj >= stack) && (obj < (stack + THREAD_SIZE)); } -@@ -2616,6 +2716,23 @@ static inline unsigned long rlimit_max(unsigned int limit) +@@ -2616,6 +2717,23 @@ static inline unsigned long rlimit_max(unsigned int limit) return task_rlimit_max(current, limit); } |
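Review bot: In the new gr_handle_brute_check body in grsecurity/grsec_sig.c, once `brute_expires` has passed the `brute` flag is never cleared, so every later fork of that task (and of any child that inherited the copied task_struct) keeps re-reading `get_seconds()` and comparing, and the stale flag stays set until the task exits or the sysctl is turned off; an `else p->brute = 0;` arm after the `time_before()` test would make the 30-minute window a real expiry. The daemon-mode message added in include/linux/grmsg.h hardcodes "30 minutes" and "30 seconds" while the real values live in `GR_DAEMON_BRUTE_TIME` and the `msleep(30 * 1000)` call, so a comment next to the define, `/* wording must match GR_DAEMON_BRUTE_TIME and the msleep() in gr_handle_brute_check() */`, would keep them from drifting. `brute_expires` is only assigned in the daemon branch of gr_handle_brute_attach; if `brute` can also be set on the uid-ban path (its body is mostly outside the hunk), that path would presumably need its own expiry, since a zero or stale value makes the `time_before()` outcome arbitrary. The write to `p->real_parent->brute_expires` happens under read-side locks only and the parent reads it unlocked in gr_handle_brute_check; on this field's type that is likely benign, but a one-line comment stating the intended ordering would help the next reader.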