authorAnthony G. Basile <blueness@gentoo.org>2013-09-29 15:13:23 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-09-29 15:13:23 -0400
commit290728f2970dde95a2499c72844cff0e09f97bae (patch)
treeb4ca1da3752b0a685a81a96d77253d2463c5e80a /2.6.32
parentGrsec/PaX: 2.9.1-3.11.1-201309221838 (diff)
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.51,3.11.2}-20130928110220130928
Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch)88
-rw-r--r--2.6.32/4440_grsec-remove-protected-paths.patch2
-rw-r--r--2.6.32/4450_grsec-kconfig-default-gids.patch12
-rw-r--r--2.6.32/4465_selinux-avc_audit-log-curr_ip.patch2
5 files changed, 63 insertions, 43 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index c481225..381f8d3 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
index 41ba8b2..80f4104 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309052115.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201309281101.patch
@@ -45625,7 +45625,7 @@ index 3beb26d..6ce9c4a 100644
INIT_LIST_HEAD(&rdev->fence_drv.emited);
INIT_LIST_HEAD(&rdev->fence_drv.signaled);
diff --git a/drivers/gpu/drm/radeon/radeon_ioc32.c b/drivers/gpu/drm/radeon/radeon_ioc32.c
-index a1bf11d..4a123c0 100644
+index a1bf11de..4a123c0 100644
--- a/drivers/gpu/drm/radeon/radeon_ioc32.c
+++ b/drivers/gpu/drm/radeon/radeon_ioc32.c
@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
@@ -91904,10 +91904,10 @@ index 0000000..5a3ac97
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..b6b5239
+index 0000000..462a28e
--- /dev/null
+++ b/grsecurity/gracl_ip.c
-@@ -0,0 +1,388 @@
+@@ -0,0 +1,387 @@
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -92000,6 +92000,8 @@ index 0000000..b6b5239
+ return gr_sockfamilies[family];
+}
+
++extern const struct net_proto_family *net_families[NPROTO] __read_mostly;
++
+int
+gr_search_socket(const int domain, const int type, const int protocol)
+{
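Review bot: The new `extern const struct net_proto_family *net_families[NPROTO] __read_mostly;` declares a symbol owned by net/socket.c privately inside gracl_ip.c, so nothing ever checks that this declaration and the definition agree if one of them changes. The usual kernel pattern is a single `extern const struct net_proto_family *net_families[NPROTO];` in include/linux/net.h that both net/socket.c and grsecurity/gracl_ip.c include; the `__read_mostly` section attribute only matters on the definition and can be dropped here. If the grsecurity/ objects can be built in a configuration where net/socket.c is not (CONFIG_NET unset), this reference would be unresolved at link time, which is worth confirming against the Makefile since it is not visible in this hunk. gr_search_socket, whose header is the last line of the hunk, continues outside it.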
@@ -92079,10 +92081,7 @@ index 0000000..b6b5239
+ if (domain == PF_INET)
+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
-+ else
-+#ifndef CONFIG_IPV6
-+ if (domain != PF_INET6)
-+#endif
++ else if (net_families[domain] != NULL)
+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), protocol);
+
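Review bot: The replacement `else if (net_families[domain] != NULL)` widens the log suppression from "IPv6 on a kernel built without it" to every family whose net_proto_family is currently unregistered, and on a modular kernel that set also includes families whose module simply has not been autoloaded yet, so a denied socket(2) for such a family is refused without any GR_SOCK_NOINET_MSG record. If the goal is only to drop noise for families the kernel cannot provide at all, the condition cannot distinguish the two cases; at minimum a comment should state that denials for not-yet-loaded families are intentionally unlogged, e.g. `/* no log for families without a registered handler (also unloaded modules) */`. The read also indexes an NPROTO-sized array with `domain`, and the bound check on `domain` is not in this hunk; confirm gr_search_socket rejects `domain >= NPROTO` before reaching this line, since callers other than __sock_create may not have validated it. The plain read without rcu_dereference() is benign for a NULL test but differs from how net/socket.c consults the same table. The enclosing gr_search_socket starts and ends outside this hunk.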
@@ -95482,7 +95481,7 @@ index 0000000..7512ea9
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..5a6d4bc
+index 0000000..5a6d4bc1
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
@@ -0,0 +1,527 @@
@@ -111522,7 +111521,7 @@ index aaca868..2ebecdc 100644
err = -EPERM;
goto out;
diff --git a/mm/mlock.c b/mm/mlock.c
-index 2d846cf..ca1e492 100644
+index 2d846cf..1183f13 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -13,6 +13,7 @@
@@ -111625,7 +111624,15 @@ index 2d846cf..ca1e492 100644
newflags = vma->vm_flags | VM_LOCKED;
if (!(flags & MCL_CURRENT))
-@@ -570,6 +572,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+@@ -545,6 +547,7 @@ static int do_mlockall(int flags)
+
+ /* Ignore errors */
+ mlock_fixup(vma, &prev, vma->vm_start, vma->vm_end, newflags);
++ cond_resched();
+ }
+ out:
+ return 0;
+@@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
lock_limit >>= PAGE_SHIFT;
ret = -ENOMEM;
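Review bot: The added `cond_resched();` in do_mlockall's per-VMA loop carries no comment, so a reader cannot tell whether it is a correctness fix or a hardening measure, nor whether sleeping is permitted at this point (the caller's locking is outside the hunk; presumably only mmap_sem, a sleeping lock, is held, which would make it safe). Suggest `/* a process with many VMAs must not be able to hog the CPU inside mlockall() */` on the line above it, or a reference to the upstream change it backports if there is one. The existing "Ignore errors" comment still describes the mlock_fixup call correctly; the reschedule does not alter that behaviour.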
@@ -118962,7 +118969,7 @@ index e04c9f8..51bc18e 100644
+ (rtt >> sctp_rto_alpha);
} else {
diff --git a/net/socket.c b/net/socket.c
-index bf9fc68..0ea7e39 100644
+index bf9fc68..27b436e 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -87,6 +87,7 @@
@@ -118995,6 +119002,15 @@ index bf9fc68..0ea7e39 100644
static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
unsigned long nr_segs, loff_t pos);
+@@ -148,7 +164,7 @@ static const struct file_operations socket_file_ops = {
+ */
+
+ static DEFINE_SPINLOCK(net_family_lock);
+-static const struct net_proto_family *net_families[NPROTO] __read_mostly;
++const struct net_proto_family *net_families[NPROTO] __read_mostly;
+
+ /*
+ * Statistics counters of the socket lists
@@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_system_type *fs_type,
mnt);
}
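Review bot: Dropping `static` from `net_families` turns a file-private table into a kernel-wide symbol with no header declaration and no EXPORT_SYMBOL, so only built-in code can reach it and each consumer has to restate the declaration by hand, which is how prototypes drift. Add `extern const struct net_proto_family *net_families[NPROTO];` to include/linux/net.h and include it from the new users instead. Since the table is written under `net_family_lock` (declared on the line above) and, if this follows mainline, published to readers with RCU, a comment at the definition such as `/* entries may be NULL; external readers test for presence only, or use rcu_dereference() */` would keep out-of-file readers from dereferencing entries unsafely.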
@@ -119013,24 +119029,28 @@ index bf9fc68..0ea7e39 100644
/* Compatibility.
-@@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
- if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
- flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
+@@ -1174,6 +1192,20 @@ static int __sock_create(struct net *net, int family, int type, int protocol,
+ if (err)
+ return err;
-+ if(!gr_search_socket(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if(!kern && !gr_search_socket(family, type, protocol)) {
++ if (net_families[family] == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
-+ if (gr_handle_sock_all(family, type, protocol)) {
-+ retval = -EACCES;
-+ goto out;
++ if (!kern && gr_handle_sock_all(family, type, protocol)) {
++ if (net_families[family] == NULL)
++ return -EAFNOSUPPORT;
++ else
++ return -EACCES;
+ }
+
- retval = sock_create(family, type, protocol, &sock);
- if (retval < 0)
- goto out;
-@@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+ /*
+ * Allocate the socket and allow the family to set things up. if
+ * the protocol is 0, the family is instructed to select an appropriate
+@@ -1415,6 +1447,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
if (sock) {
err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
if (err >= 0) {
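Review bot: The two new denial blocks in __sock_create repeat the same five-line errno selection; with the short-circuit order preserved they collapse to `if (!kern && (!gr_search_socket(family, type, protocol) || gr_handle_sock_all(family, type, protocol)))` followed by `return net_families[family] ? -EACCES : -EAFNOSUPPORT;`, and `if(!kern` wants a space after `if` per kernel style. The `net_families[family]` test is a plain read whereas the family lookup later in this function (outside the hunk) presumably goes through rcu_read_lock()/rcu_dereference(); that is harmless for a NULL check but deserves a one-line comment so nobody later dereferences the entry here. Returning -EAFNOSUPPORT for a denied caller whose family has no registered handler also happens before the function's module-autoload path, so a restricted process sees EAFNOSUPPORT where a permitted one would trigger the load; if that masking is the intent, say so in a comment. __sock_create continues past the end of this hunk.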
@@ -119045,7 +119065,7 @@ index bf9fc68..0ea7e39 100644
err = security_socket_bind(sock,
(struct sockaddr *)&address,
addrlen);
-@@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1423,6 +1463,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
(struct sockaddr *)
&address, addrlen);
}
@@ -119053,7 +119073,7 @@ index bf9fc68..0ea7e39 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+@@ -1446,10 +1487,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
if ((unsigned)backlog > somaxconn)
backlog = somaxconn;
@@ -119074,7 +119094,7 @@ index bf9fc68..0ea7e39 100644
fput_light(sock->file, fput_needed);
}
return err;
-@@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1492,6 +1543,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
newsock->type = sock->type;
newsock->ops = sock->ops;
@@ -119093,7 +119113,7 @@ index bf9fc68..0ea7e39 100644
/*
* We don't need try_module_get here, as the listening socket (sock)
* has the protocol module (sock->ops->owner) held.
-@@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1534,6 +1597,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
@@ -119102,7 +119122,7 @@ index bf9fc68..0ea7e39 100644
out_put:
fput_light(sock->file, fput_needed);
out:
-@@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1571,6 +1636,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
int, addrlen)
{
struct socket *sock;
@@ -119110,7 +119130,7 @@ index bf9fc68..0ea7e39 100644
struct sockaddr_storage address;
int err, fput_needed;
-@@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1581,6 +1647,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
if (err < 0)
goto out_put;
@@ -119128,7 +119148,7 @@ index bf9fc68..0ea7e39 100644
err =
security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
if (err)
-@@ -1728,7 +1801,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+@@ -1728,7 +1805,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
struct socket *sock;
struct iovec iov;
struct msghdr msg;
@@ -119137,7 +119157,7 @@ index bf9fc68..0ea7e39 100644
int err, err2;
int fput_needed;
-@@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
+@@ -1882,6 +1959,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
int err, ctl_len, iov_size, total_len;
int fput_needed;
@@ -119146,7 +119166,7 @@ index bf9fc68..0ea7e39 100644
err = -EFAULT;
if (MSG_CMSG_COMPAT & flags) {
if (get_compat_msghdr(&msg_sys, msg_compat))
-@@ -1987,7 +2062,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+@@ -1987,7 +2066,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
int fput_needed;
/* kernel mode address */
@@ -119155,7 +119175,7 @@ index bf9fc68..0ea7e39 100644
/* user mode address pointers */
struct sockaddr __user *uaddr;
-@@ -2022,7 +2097,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+@@ -2022,7 +2101,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
* kernel msghdr to use the kernel address space)
*/
diff --git a/2.6.32/4440_grsec-remove-protected-paths.patch b/2.6.32/4440_grsec-remove-protected-paths.patch
index 339cc6e..38d465e 100644
--- a/2.6.32/4440_grsec-remove-protected-paths.patch
+++ b/2.6.32/4440_grsec-remove-protected-paths.patch
@@ -6,7 +6,7 @@ the filesystem.
diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
--- a/grsecurity/Makefile 2011-10-19 19:48:21.000000000 -0400
+++ b/grsecurity/Makefile 2011-10-19 19:50:44.000000000 -0400
-@@ -29,10 +29,4 @@
+@@ -34,10 +34,4 @@
ifdef CONFIG_GRKERNSEC_HIDESYM
extra-y := grsec_hidesym.o
$(obj)/grsec_hidesym.o:
diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
index 87aa8e4..3dfdc8f 100644
--- a/2.6.32/4450_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -570,7 +570,7 @@
+@@ -572,7 +572,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -790,7 +790,7 @@
+@@ -792,7 +792,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -799,7 +799,7 @@
+@@ -801,7 +801,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -892,7 +892,7 @@
+@@ -894,7 +894,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -913,7 +913,7 @@
+@@ -915,7 +915,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -931,7 +931,7 @@
+@@ -933,7 +933,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
index 19027c3..418ae16 100644
--- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -990,6 +990,27 @@
+@@ -1027,6 +1027,27 @@
menu "Logging Options"
depends on GRKERNSEC