author | Anthony G. Basile <blueness@gentoo.org> | 2012-07-03 16:16:56 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-07-03 16:16:56 -0400 |
commit | 6edf97e61755fad523fe8905dfa547b3077587c3 (patch) | |
tree | bb35135f19ad9ef9db5b0fe83559219c29808310 /3.4.4 | |
parent | Grsec/PaX: 2.9.1-3.2.21-201206251800 (diff) | |
Grsec/PaX: 2.9-{2.6.32.59,3.2.21,3.4.4}-20120702192120120702
Diffstat (limited to '3.4.4')
-rw-r--r-- | 3.4.4/0000_README | 2 | ||||
-rw-r--r-- | 3.4.4/2600_FW_MIPS_FILE_06_regression.patch | 12 | ||||
-rw-r--r-- | 3.4.4/4420_grsecurity-2.9.1-3.4.4-201207021921.patch (renamed from 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch) | 424 | ||||
-rw-r--r-- | 3.4.4/4450_grsec-kconfig-default-gids.patch | 21 | ||||
-rw-r--r-- | 3.4.4/4465_selinux-avc_audit-log-curr_ip.patch | 2 |
5 files changed, 290 insertions, 171 deletions
diff --git a/3.4.4/0000_README b/3.4.4/0000_README index 61e9d20..0d09685 100644 --- a/3.4.4/0000_README +++ b/3.4.4/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.4.4-201206251759.patch +Patch: 4420_grsecurity-2.9.1-3.4.4-201207021921.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.4.4/2600_FW_MIPS_FILE_06_regression.patch b/3.4.4/2600_FW_MIPS_FILE_06_regression.patch new file mode 100644 index 0000000..0ad48d4 --- /dev/null +++ b/3.4.4/2600_FW_MIPS_FILE_06_regression.patch @@ -0,0 +1,12 @@ +diff -Naur linux-3.4.2-hardened.orig//drivers/net/ethernet/broadcom/bnx2.c linux-3.4.2-hardened/drivers/net/ethernet/broadcom/bnx2.c +--- linux-3.4.2-hardened.orig//drivers/net/ethernet/broadcom/bnx2.c 2012-05-20 22:29:13.000000000 +0000 ++++ linux-3.4.2-hardened/drivers/net/ethernet/broadcom/bnx2.c 2012-07-03 11:38:35.437623841 +0000 +@@ -59,7 +59,7 @@ + #define DRV_MODULE_NAME "bnx2" + #define DRV_MODULE_VERSION "2.2.1" + #define DRV_MODULE_RELDATE "Dec 18, 2011" +-#define FW_MIPS_FILE_06 "bnx2/bnx2-mips-06-6.2.3.fw" ++#define FW_MIPS_FILE_06 "bnx2/bnx2-mips-06-6.2.1.fw" + #define FW_RV2P_FILE_06 "bnx2/bnx2-rv2p-06-6.0.15.fw" + #define FW_MIPS_FILE_09 "bnx2/bnx2-mips-09-6.2.1b.fw" + #define FW_RV2P_FILE_09_Ax "bnx2/bnx2-rv2p-09ax-6.0.17.fw" diff --git a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207021921.patch index 083b3e1..8901db2 100644 --- a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch +++ b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207021921.patch @@ -41631,7 +41631,7 @@ index d146e18..12d1bd1 100644 fd_offset + ex.a_text); if (error != N_DATADDR(ex)) { 
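Review bot: The new 2600_FW_MIPS_FILE_06_regression.patch pins FW_MIPS_FILE_06 back to `bnx2/bnx2-mips-06-6.2.1.fw` with no description of the regression it works around, and this commit's 0000_README hunk only renames the 4420 patch, so the new patch never appears in the "Individual Patch Descriptions" list. A header line in the patch file plus a README entry along the lines of `Patch: 2600_FW_MIPS_FILE_06_regression.patch` / `Desc: revert bnx2 MIPS firmware to 6.2.1 (regression workaround, see bug #...)` would tell the next maintainer why it exists and when it can be dropped. The patch was generated against linux-3.4.2-hardened but lives in the 3.4.4 directory; it presumably still applies because the define block is unchanged, but that is worth confirming. Since this now requests an older firmware blob, the 6.2.1 file must still be shipped by the firmware package or bnx2 will presumably fail to load firmware at probe time.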
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 16f7354..185d8dc 100644 +index 16f7354..666524e 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -32,6 +32,7 @@ @@ -41762,17 +41762,16 @@ index 16f7354..185d8dc 100644 error = -ENOMEM; goto out_close; } -@@ -525,6 +549,351 @@ out: +@@ -525,6 +549,349 @@ out: return error; } -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS) ++#ifdef CONFIG_PAX_PT_PAX_FLAGS ++#ifdef CONFIG_PAX_SOFTMODE +static unsigned long pax_parse_pt_pax_softmode(const struct elf_phdr * const elf_phdata) +{ + unsigned long pax_flags = 0UL; + -+#ifdef CONFIG_PAX_PT_PAX_FLAGS -+ +#ifdef CONFIG_PAX_PAGEEXEC + if (elf_phdata->p_flags & PF_PAGEEXEC) + pax_flags |= MF_PAX_PAGEEXEC; @@ -41807,17 +41806,14 @@ index 16f7354..185d8dc 100644 + pax_flags |= MF_PAX_RANDMMAP; +#endif + -+#endif -+ + return pax_flags; +} ++#endif + +static unsigned long pax_parse_pt_pax_hardmode(const struct elf_phdr * const elf_phdata) +{ + unsigned long pax_flags = 0UL; + -+#ifdef CONFIG_PAX_PT_PAX_FLAGS -+ +#ifdef CONFIG_PAX_PAGEEXEC + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC)) + pax_flags |= MF_PAX_PAGEEXEC; @@ -41852,24 +41848,23 @@ index 16f7354..185d8dc 100644 + pax_flags |= MF_PAX_RANDMMAP; +#endif + -+#endif -+ + return pax_flags; +} ++#endif + -+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex) ++#ifdef CONFIG_PAX_XATTR_PAX_FLAGS ++#ifdef CONFIG_PAX_SOFTMODE ++static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode) +{ + unsigned long pax_flags = 0UL; + -+#ifdef CONFIG_PAX_EI_PAX -+ +#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC)) ++ if (pax_flags_softmode & MF_PAX_PAGEEXEC) + pax_flags |= MF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_PAX_SEGMEXEC -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC)) ++ if (pax_flags_softmode & MF_PAX_SEGMEXEC) + pax_flags |= MF_PAX_SEGMEXEC; +#endif + 
@@ -41883,87 +41878,35 @@ index 16f7354..185d8dc 100644 +#endif + +#ifdef CONFIG_PAX_EMUTRAMP -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP)) ++ if (pax_flags_softmode & MF_PAX_EMUTRAMP) + pax_flags |= MF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_PAX_MPROTECT -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT)) ++ if (pax_flags_softmode & MF_PAX_MPROTECT) + pax_flags |= MF_PAX_MPROTECT; +#endif + -+#ifdef CONFIG_PAX_ASLR -+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP)) ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK) ++ if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP)) + pax_flags |= MF_PAX_RANDMMAP; +#endif + -+#else -+ -+#ifdef CONFIG_PAX_PAGEEXEC -+ pax_flags |= MF_PAX_PAGEEXEC; -+#endif -+ -+#ifdef CONFIG_PAX_MPROTECT -+ pax_flags |= MF_PAX_MPROTECT; -+#endif -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ pax_flags |= MF_PAX_RANDMMAP; -+#endif -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (!(pax_flags & MF_PAX_PAGEEXEC) || !(__supported_pte_mask & _PAGE_NX)) { -+ pax_flags &= ~MF_PAX_PAGEEXEC; -+ pax_flags |= MF_PAX_SEGMEXEC; -+ } -+#endif -+ -+#endif -+ + return pax_flags; +} -+ -+static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata) -+{ -+ -+#ifdef CONFIG_PAX_PT_PAX_FLAGS -+ unsigned long i; -+ -+ for (i = 0UL; i < elf_ex->e_phnum; i++) -+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) { -+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) || -+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) || -+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) || -+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) || -+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP))) -+ return ~0UL; -+ -+#ifdef 
CONFIG_PAX_SOFTMODE -+ if (pax_softmode) -+ return pax_parse_pt_pax_softmode(&elf_phdata[i]); -+ else -+#endif -+ -+ return pax_parse_pt_pax_hardmode(&elf_phdata[i]); -+ break; -+ } +#endif + -+ return ~0UL; -+} -+ -+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS -+static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode) ++static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode) +{ + unsigned long pax_flags = 0UL; + +#ifdef CONFIG_PAX_PAGEEXEC -+ if (pax_flags_softmode & MF_PAX_PAGEEXEC) ++ if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC)) + pax_flags |= MF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_PAX_SEGMEXEC -+ if (pax_flags_softmode & MF_PAX_SEGMEXEC) ++ if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC)) + pax_flags |= MF_PAX_SEGMEXEC; +#endif + 
@@ -41977,34 +41920,38 @@ index 16f7354..185d8dc 100644 +#endif + +#ifdef CONFIG_PAX_EMUTRAMP -+ if (pax_flags_softmode & MF_PAX_EMUTRAMP) ++ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP)) + pax_flags |= MF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_PAX_MPROTECT -+ if (pax_flags_softmode & MF_PAX_MPROTECT) ++ if (!(pax_flags_hardmode & MF_PAX_MPROTECT)) + pax_flags |= MF_PAX_MPROTECT; +#endif + +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK) -+ if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP)) ++ if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP)) + pax_flags |= MF_PAX_RANDMMAP; +#endif + + return pax_flags; +} ++#endif + -+static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode) ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS) ++static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex) +{ + unsigned long pax_flags = 0UL; + ++#ifdef CONFIG_PAX_EI_PAX ++ +#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC)) ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC)) + pax_flags |= MF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_PAX_SEGMEXEC -+ if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC)) ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC)) + pax_flags |= MF_PAX_SEGMEXEC; +#endif + 
@@ -42018,24 +41965,75 @@ index 16f7354..185d8dc 100644 +#endif + +#ifdef CONFIG_PAX_EMUTRAMP -+ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP)) ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP)) + pax_flags |= MF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_PAX_MPROTECT -+ if (!(pax_flags_hardmode & MF_PAX_MPROTECT)) ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT)) + pax_flags |= MF_PAX_MPROTECT; +#endif + -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK) -+ if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP)) ++#ifdef CONFIG_PAX_ASLR ++ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP)) + pax_flags |= MF_PAX_RANDMMAP; +#endif + ++#else ++ ++#ifdef CONFIG_PAX_PAGEEXEC ++ pax_flags |= MF_PAX_PAGEEXEC; ++#endif ++ ++#ifdef CONFIG_PAX_MPROTECT ++ pax_flags |= MF_PAX_MPROTECT; ++#endif ++ ++#ifdef CONFIG_PAX_RANDMMAP ++ pax_flags |= MF_PAX_RANDMMAP; ++#endif ++ ++#ifdef CONFIG_PAX_SEGMEXEC ++ if (!(pax_flags & MF_PAX_PAGEEXEC) || !(__supported_pte_mask & _PAGE_NX)) { ++ pax_flags &= ~MF_PAX_PAGEEXEC; ++ pax_flags |= MF_PAX_SEGMEXEC; ++ } ++#endif ++ ++#endif ++ + return pax_flags; +} ++ ++static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata) ++{ ++ ++#ifdef CONFIG_PAX_PT_PAX_FLAGS ++ unsigned long i; ++ ++ for (i = 0UL; i < elf_ex->e_phnum; i++) ++ if (elf_phdata[i].p_type == PT_PAX_FLAGS) { ++ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) || ++ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) || ++ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) || ++ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) || ++ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP))) ++ return ~0UL; ++ 
++#ifdef CONFIG_PAX_SOFTMODE ++ if (pax_softmode) ++ return pax_parse_pt_pax_softmode(&elf_phdata[i]); ++ else +#endif + ++ return pax_parse_pt_pax_hardmode(&elf_phdata[i]); ++ break; ++ } ++#endif ++ ++ return ~0UL; ++} ++ +static unsigned long pax_parse_xattr_pax(struct file * const file) +{ + @@ -42114,7 +42112,7 @@ index 16f7354..185d8dc 100644 /* * These are the functions used to load ELF style executables and shared * libraries. There is no binary dependent code anywhere else. -@@ -541,6 +910,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) +@@ -541,6 +908,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) { unsigned int random_variable = 0; @@ -42126,7 +42124,7 @@ index 16f7354..185d8dc 100644 if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) { random_variable = get_random_int() & STACK_RND_MASK; -@@ -559,7 +933,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -559,7 +931,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long load_addr = 0, load_bias = 0; int load_addr_set = 0; char * elf_interpreter = NULL; @@ -42135,7 +42133,7 @@ index 16f7354..185d8dc 100644 struct elf_phdr *elf_ppnt, *elf_phdata; unsigned long elf_bss, elf_brk; int retval, i; -@@ -569,11 +943,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -569,11 +941,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long start_code, end_code, start_data, end_data; unsigned long reloc_func_desc __maybe_unused = 0; int executable_stack = EXSTACK_DEFAULT; 
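Review bot: pax_parse_pt_pax returns `~0UL` both when a PT_PAX_FLAGS header carries a contradictory pair (the PF_PAGEEXEC/PF_NOPAGEEXEC etc. checks) and when no PT_PAX_FLAGS header exists at all, so the caller, which is outside this hunk, cannot tell a malformed binary from an unmarked one. If the intent is that both cases fall back to the EI_PAX/xattr sources, a comment such as `/* ~0UL: no PT_PAX_FLAGS header or conflicting flags; caller falls back to other sources */` above the function would make that explicit; if conflicting flags are meant to be rejected outright, a distinct return value is needed. The `break;` after `return pax_parse_pt_pax_hardmode(&elf_phdata[i]);` is unreachable and can be dropped. The function is moved rather than newly written here, but this is where it now lives.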
@@ -42148,7 +42146,7 @@ index 16f7354..185d8dc 100644 loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -709,11 +1083,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -709,11 +1081,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; /* OK, This is the point of no return */ @@ -42231,7 +42229,7 @@ index 16f7354..185d8dc 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -804,6 +1248,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -804,6 +1246,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif @@ -42252,7 +42250,7 @@ index 16f7354..185d8dc 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -836,9 +1294,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -836,9 +1292,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -42265,7 +42263,7 @@ index 16f7354..185d8dc 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -877,11 +1335,40 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -877,11 +1333,40 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { 
@@ -42309,7 +42307,7 @@ index 16f7354..185d8dc 100644 if (elf_interpreter) { unsigned long uninitialized_var(interp_map_addr); -@@ -1109,7 +1596,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) +@@ -1109,7 +1594,7 @@ static bool always_dump_vma(struct vm_area_struct *vma) * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -42318,7 +42316,7 @@ index 16f7354..185d8dc 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1146,7 +1633,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1146,7 +1631,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -42327,7 +42325,7 @@ index 16f7354..185d8dc 100644 goto whole; /* -@@ -1368,9 +1855,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1368,9 +1853,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -42339,7 +42337,7 @@ index 16f7354..185d8dc 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1892,14 +2379,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -1892,14 +2377,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, @@ -42356,7 +42354,7 @@ index 16f7354..185d8dc 100644 return size; } -@@ -1993,7 +2480,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1993,7 +2478,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); 
@@ -42365,7 +42363,7 @@ index 16f7354..185d8dc 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -2007,10 +2494,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2007,10 +2492,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -42378,7 +42376,7 @@ index 16f7354..185d8dc 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -2024,7 +2513,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2024,7 +2511,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -42387,7 +42385,7 @@ index 16f7354..185d8dc 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2035,6 +2524,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2035,6 +2522,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -42395,7 +42393,7 @@ index 16f7354..185d8dc 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2059,7 +2549,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2059,7 +2547,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; @@ -42404,7 +42402,7 @@ index 16f7354..185d8dc 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2068,6 +2558,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2068,6 +2556,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); 
@@ -42412,7 +42410,7 @@ index 16f7354..185d8dc 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2085,6 +2576,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2085,6 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -42420,7 +42418,7 @@ index 16f7354..185d8dc 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2105,6 +2597,97 @@ out: +@@ -2105,6 +2595,97 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -46233,7 +46231,7 @@ index 0d68f1f..f216b79 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index c427919..e37fd3f 100644 +index c427919..232326c 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -278,16 +278,32 @@ int generic_permission(struct inode *inode, int mask) @@ -46308,7 +46306,27 @@ index c427919..e37fd3f 100644 error = 0; if (s) error = __vfs_follow_link(nd, s); -@@ -1753,6 +1769,21 @@ static int path_lookupat(int dfd, const char *name, +@@ -1355,6 +1371,9 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd) + if (!res) + res = walk_component(nd, path, &nd->last, + nd->last_type, LOOKUP_FOLLOW); ++ if (res >= 0 && gr_handle_symlink_owner(&link, nd->inode)) { ++ res = -EACCES; ++ } + put_link(nd, &link, cookie); + } while (res > 0); + +@@ -1746,6 +1765,9 @@ static int path_lookupat(int dfd, const char *name, + err = follow_link(&link, nd, &cookie); + if (!err) + err = lookup_last(nd, &path); ++ if (!err && gr_handle_symlink_owner(&link, nd->inode)) { ++ err = -EACCES; ++ } + put_link(nd, &link, cookie); + } + } +@@ -1753,6 +1775,21 @@ static int path_lookupat(int dfd, const char *name, if (!err) err = complete_walk(nd); 
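Review bot: In nested_symlink the new check `if (res >= 0 && gr_handle_symlink_owner(&link, nd->inode))` also fires when walk_component returned a positive value, i.e. when the component resolved to yet another symlink the do/while loop has not followed yet, so nd->inode at that point is the next link's inode rather than the final target. If gr_handle_symlink_owner compares the link's owner against the owner of what it resolved to (its body is not in this hunk), the comparison is per hop and the final file of a multi-link chain is never compared against the first link's owner; either a comment stating that per-hop checking is intended, or limiting the check to `res == 0`, would remove the ambiguity. The matching check in path_lookupat runs after lookup_last, the terminal case, so that one is unambiguous. Both enclosing functions start and end outside this hunk.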
@@ -46330,7 +46348,7 @@ index c427919..e37fd3f 100644 if (!err && nd->flags & LOOKUP_DIRECTORY) { if (!nd->inode->i_op->lookup) { path_put(&nd->path); -@@ -1780,6 +1811,15 @@ static int do_path_lookup(int dfd, const char *name, +@@ -1780,6 +1817,15 @@ static int do_path_lookup(int dfd, const char *name, retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd); if (likely(!retval)) { @@ -46346,7 +46364,7 @@ index c427919..e37fd3f 100644 if (unlikely(!audit_dummy_context())) { if (nd->path.dentry && nd->inode) audit_inode(name, nd->path.dentry); -@@ -2126,6 +2166,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2126,6 +2172,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; @@ -46360,7 +46378,7 @@ index c427919..e37fd3f 100644 return 0; } -@@ -2187,6 +2234,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2187,6 +2240,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return ERR_PTR(error); @@ -46377,7 +46395,7 @@ index c427919..e37fd3f 100644 audit_inode(pathname, nd->path.dentry); if (open_flag & O_CREAT) { error = -EISDIR; -@@ -2197,6 +2254,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2197,6 +2260,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return ERR_PTR(error); @@ -46394,7 +46412,7 @@ index c427919..e37fd3f 100644 audit_inode(pathname, dir); goto ok; } -@@ -2218,6 +2285,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2218,6 +2291,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = complete_walk(nd); if (error) return ERR_PTR(error); 
@@ -46411,7 +46429,7 @@ index c427919..e37fd3f 100644 error = -ENOTDIR; if (nd->flags & LOOKUP_DIRECTORY) { -@@ -2258,6 +2335,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2258,6 +2341,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode) { umode_t mode = op->mode; @@ -46424,7 +46442,7 @@ index c427919..e37fd3f 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2281,6 +2364,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2281,6 +2370,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = vfs_create(dir->d_inode, dentry, mode, nd); if (error) goto exit_mutex_unlock; @@ -46433,7 +46451,7 @@ index c427919..e37fd3f 100644 mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); nd->path.dentry = dentry; -@@ -2290,6 +2375,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2290,6 +2381,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* * It already exists. */ @@ -46453,7 +46471,23 @@ index c427919..e37fd3f 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path->dentry); -@@ -2502,6 +2600,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path +@@ -2407,8 +2511,14 @@ static struct file *path_openat(int dfd, const char *pathname, + error = follow_link(&link, nd, &cookie); + if (unlikely(error)) + filp = ERR_PTR(error); +- else ++ else { + filp = do_last(nd, &path, op, pathname); ++ if (!IS_ERR(filp) && gr_handle_symlink_owner(&link, nd->inode)) { ++ if (filp) ++ fput(filp); ++ filp = ERR_PTR(-EACCES); ++ } ++ } + put_link(nd, &link, cookie); + } + out: +@@ -2502,6 +2612,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path *path = nd.path; return dentry; eexist: 
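Review bot: In path_openat the ownership check runs only after do_last has completed the open, so for an O_CREAT or O_TRUNC open through a symlink the target has already been created or truncated by the time `filp = ERR_PTR(-EACCES)` is returned; the fput releases the descriptor but does not undo those side effects. A race-free SymlinksIfOwnerMatch would need the check before do_last, on the path produced by follow_link, or at least a comment acknowledging that a denied open can still create or truncate the target. The `if (filp)` guard suggests do_last can return NULL here (a further trailing link to follow); in that case nd->inode is that link's inode rather than an opened file, which is worth a comment if the per-link check is intended. path_openat starts and ends outside this hunk.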
@@ -46465,7 +46499,7 @@ index c427919..e37fd3f 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2524,6 +2627,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat +@@ -2524,6 +2639,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat } EXPORT_SYMBOL(user_path_create); @@ -46486,7 +46520,7 @@ index c427919..e37fd3f 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -2591,6 +2708,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, +@@ -2591,6 +2720,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -46504,7 +46538,7 @@ index c427919..e37fd3f 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out_drop_write; -@@ -2608,6 +2736,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, +@@ -2608,6 +2748,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, } out_drop_write: mnt_drop_write(path.mnt); @@ -46514,7 +46548,7 @@ index c427919..e37fd3f 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2661,12 +2792,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode) +@@ -2661,12 +2804,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode) error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -46536,7 +46570,7 @@ index c427919..e37fd3f 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2746,6 +2886,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2746,6 +2898,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; 
@@ -46545,7 +46579,7 @@ index c427919..e37fd3f 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2774,6 +2916,15 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2774,6 +2928,15 @@ static long do_rmdir(int dfd, const char __user *pathname) error = -ENOENT; goto exit3; } @@ -46561,7 +46595,7 @@ index c427919..e37fd3f 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2781,6 +2932,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2781,6 +2944,8 @@ static long do_rmdir(int dfd, const char __user *pathname) if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); @@ -46570,7 +46604,7 @@ index c427919..e37fd3f 100644 exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2843,6 +2996,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2843,6 +3008,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -46579,7 +46613,7 @@ index c427919..e37fd3f 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2865,6 +3020,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2865,6 +3032,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (!inode) goto slashes; ihold(inode); @@ -46596,7 +46630,7 @@ index c427919..e37fd3f 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2872,6 +3037,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2872,6 +3049,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); 
@@ -46605,7 +46639,7 @@ index c427919..e37fd3f 100644 exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2947,10 +3114,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2947,10 +3126,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -46624,7 +46658,7 @@ index c427919..e37fd3f 100644 out_drop_write: mnt_drop_write(path.mnt); out_dput: -@@ -3025,6 +3200,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3025,6 +3212,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, { struct dentry *new_dentry; struct path old_path, new_path; @@ -46632,7 +46666,7 @@ index c427919..e37fd3f 100644 int how = 0; int error; -@@ -3048,7 +3224,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3048,7 +3236,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) return error; @@ -46641,7 +46675,7 @@ index c427919..e37fd3f 100644 error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out; -@@ -3059,13 +3235,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -3059,13 +3247,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = mnt_want_write(new_path.mnt); if (error) goto out_dput; @@ -46672,7 +46706,7 @@ index c427919..e37fd3f 100644 dput(new_dentry); mutex_unlock(&new_path.dentry->d_inode->i_mutex); path_put(&new_path); -@@ -3299,6 +3492,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3299,6 +3504,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; 
@@ -46685,7 +46719,7 @@ index c427919..e37fd3f 100644 error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -3308,6 +3507,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3308,6 +3519,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); @@ -46695,7 +46729,7 @@ index c427919..e37fd3f 100644 exit6: mnt_drop_write(oldnd.path.mnt); exit5: -@@ -3333,6 +3535,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -3333,6 +3547,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -46704,7 +46738,7 @@ index c427919..e37fd3f 100644 int len; len = PTR_ERR(link); -@@ -3342,7 +3546,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -3342,7 +3558,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -49109,10 +49143,10 @@ index 3011b87..1ab03e9 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..2d6e3a8 +index 0000000..b9e7d6f --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,915 @@ +@@ -0,0 +1,940 @@ +# +# grecurity configuration +# 
@@ -49386,6 +49420,31 @@ index 0000000..2d6e3a8 + able to hardlink to files they do not own. If the sysctl option is + enabled, a sysctl option with name "linking_restrictions" is created. + ++config GRKERNSEC_SYMLINKOWN ++ bool "Kernel-enforced SymlinksIfOwnerMatch" ++ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER ++ help ++ Apache's SymlinksIfOwnerMatch option has an inherent race condition ++ that prevents it from being used as a security feature. As Apache ++ verifies the symlink by performing a stat() against the target of ++ the symlink before it is followed, an attacker can setup a symlink ++ to point to a same-owned file, then replace the symlink with one ++ that targets another user's file just after Apache "validates" the ++ symlink -- a classic TOCTOU race. If you say Y here, a complete, ++ race-free replacement for Apache's "SymlinksIfOwnerMatch" option ++ will be in place for the group you specify. If the sysctl option ++ is enabled, a sysctl option with name "enforce_symlinksifowner" is ++ created. ++ ++config GRKERNSEC_SYMLINKOWN_GID ++ int "GID for users with kernel-enforced SymlinksIfOwnerMatch" ++ depends on GRKERNSEC_SYMLINKOWN ++ default 1006 ++ help ++ Setting this GID determines what group kernel-enforced ++ SymlinksIfOwnerMatch will be enabled for. If the sysctl option ++ is enabled, a sysctl option with name "symlinkown_gid" is created. ++ +config GRKERNSEC_FIFO + bool "FIFO restrictions" + default y if GRKERNSEC_CONFIG_AUTO @@ -49789,7 +49848,7 @@ index 0000000..2d6e3a8 + +config GRKERNSEC_TPE + bool "Trusted Path Execution (TPE)" -+ default y if GRKERNSEC_CONFIG_AUTO ++ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER + help + If you say Y here, you will be able to choose a gid to add to the + supplementary groups of users you want to mark as "untrusted." @@ -50074,10 +50133,10 @@ index 0000000..1b9afa9 +endif 
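Review bot: The GRKERNSEC_SYMLINKOWN help text does not state two things the implementation in grsec_link.c (later in this patch) decides on: symlinks whose own i_uid is 0 are exempt (the `link_inode->i_uid &&` test, commented there as ignoring root-owned links such as /proc/self), and the check is keyed on the group membership of the task following the link (`in_group_p(grsec_symlinkown_gid)`), not on the owner of the link. Without that, an administrator reading only the Kconfig will expect root-owned links to be checked too. A sentence such as `Symlinks owned by root are never subject to this check; the check applies to processes whose group membership includes the GID chosen below.` at the end of the help would close the gap.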
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..00b6c54
+index 0000000..dc0417e
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4012 @@
+@@ -0,0 +1,4016 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -54032,11 +54091,15 @@ index 0000000..00b6c54
+ return 1;
+
+ subj = task->acl;
++ read_lock(&gr_inode_lock);
+ do {
+ obj = lookup_acl_obj_label(ino, dev, subj);
-+ if (obj != NULL)
++ if (obj != NULL) {
++ read_unlock(&gr_inode_lock);
+ return (obj->mode & GR_FIND) ? 1 : 0;
++ }
+ } while ((subj = subj->parent_subject));
++ read_unlock(&gr_inode_lock);
+
+ /* this is purely an optimization since we're looking for an object
+ for the directory we're doing a readdir on
@@ -56869,10 +56932,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..01ddde4
+index 0000000..05a6015
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,283 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -56884,6 +56947,8 @@ index 0000000..01ddde4
+
+int grsec_enable_ptrace_readexec;
+int grsec_enable_setxid;
++int grsec_enable_symlinkown;
++int grsec_symlinkown_gid;
+int grsec_enable_brute;
+int grsec_enable_link;
+int grsec_enable_dmesg;
@@ -57127,6 +57192,10 @@ index 0000000..01ddde4
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
+ grsec_enable_chroot_sysctl = 1;
+#endif
++#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
++ grsec_enable_symlinkown = 1;
++ grsec_symlinkown_gid = CONFIG_GRKERNSEC_SYMLINKOWN_GID;
++#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+ grsec_enable_tpe = 1;
+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
@@ -57152,16 +57221,32 @@ index 0000000..01ddde4
+}
diff --git a/grsecurity/grsec_link.c b/grsecurity/grsec_link.c
new file mode 100644
-index 0000000..3efe141
+index 0000000..35a96d1
--- /dev/null
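Review bot: In the gracl.c hunk the early-return path calls `read_unlock(&gr_inode_lock)` and only then dereferences `obj->mode`, so the object label found under the lock is read after the lock is released. If gr_inode_lock is what keeps the label stable (the policy-reload side is not visible here, so this is inferred), the mode should be captured first: `int found = (obj->mode & GR_FIND) ? 1 : 0; read_unlock(&gr_inode_lock); return found;`. The enclosing function starts before the hunk, so the lock's coverage of the later readdir-optimisation path cannot be judged from here.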
+++ b/grsecurity/grsec_link.c
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,59 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
++int gr_handle_symlink_owner(const struct path *link, const struct inode *target)
++{
++#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
++ const struct inode *link_inode = link->dentry->d_inode;
++
++ if (grsec_enable_symlinkown && in_group_p(grsec_symlinkown_gid) &&
++ /* ignore root-owned links, e.g. /proc/self */
++ link_inode->i_uid &&
++ link_inode->i_uid != target->i_uid) {
++ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINKOWNER_MSG, link->dentry, link->mnt, link_inode->i_uid, target->i_uid);
++ return 1;
++ }
++#endif
++ return 0;
++}
++
+int
+gr_handle_follow_link(const struct inode *parent,
+ const struct inode *inode,
@@ -58184,10 +58269,10 @@ index 0000000..4030d57
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..8316f6f
+index 0000000..f55ef0f
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,453 @@
+@@ -0,0 +1,469 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -58235,6 +58320,22 @@ index 0000000..8316f6f
+ .proc_handler = &proc_dointvec,
+ },
+#endif
++#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
++ {
++ .procname = "enforce_symlinksifowner",
++ .data = &grsec_enable_symlinkown,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ {
++ .procname = "symlinkown_gid",
++ .data = &grsec_symlinkown_gid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
+#ifdef CONFIG_GRKERNSEC_BRUTE
+ {
+ .procname = "deter_bruteforce",
@@ -60580,10 +60681,10 @@ index 0000000..b30e9bc
+#endif
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
new file mode 100644
-index 0000000..da390f1
+index 0000000..c9292f7
--- /dev/null
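Review bot: gr_handle_symlink_owner has no comment stating its contract, and its bare 1/0 result leaves the caller (not in this hunk) to remember which value means "deny". A header comment such as `/* Returns 1 (after logging) when the calling task is in grsec_symlinkown_gid and a non-root-owned symlink points at a file with a different owner; returns 0 otherwise, including when the feature is compiled out. */` would make that explicit. It should also say that "root-owned" refers to the uid of the symlink itself (`link_inode->i_uid`), since the target's owner is never exempted. The dereference of `link->dentry->d_inode` assumes the caller passes a resolved link; that precondition belongs in the same comment.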
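Review bot: The new `symlinkown_gid` entry uses `proc_dointvec` with no bounds, so any int, including a negative one, can be stored in `grsec_symlinkown_gid`, which gr_handle_symlink_owner then hands to `in_group_p()` where it is converted to an unsigned gid. Switching that entry to `proc_dointvec_minmax` with a lower bound of 0 supplied through `.extra1` would reject such writes; whether the neighbouring `*_gid` entries in this table share the pattern is not visible in the hunk. The 0600 mode on both entries matches the surrounding entries.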
+++ b/include/linux/grinternal.h -@@ -0,0 +1,221 @@ +@@ -0,0 +1,223 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H + @@ -60645,6 +60746,8 @@ index 0000000..da390f1 +extern int grsec_enable_chroot_caps; +extern int grsec_enable_chroot_sysctl; +extern int grsec_enable_chroot_unix; ++extern int grsec_enable_symlinkown; ++extern int grsec_symlinkown_gid; +extern int grsec_enable_tpe; +extern int grsec_tpe_gid; +extern int grsec_enable_tpe_all; @@ -60807,10 +60910,10 @@ index 0000000..da390f1 +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..ae576a1 +index 0000000..54f4e85 --- /dev/null +++ b/include/linux/grmsg.h -@@ -0,0 +1,109 @@ +@@ -0,0 +1,110 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -60920,12 +61023,13 @@ index 0000000..ae576a1 +#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by " +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by " ++#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..acd05db +index 0000000..38bfb04 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,232 @@ +@@ -0,0 +1,233 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> 
@@ -61110,6 +61214,7 @@ index 0000000..acd05db + const struct vfsmount *parent_mnt, + const struct dentry *old_dentry, + const struct vfsmount *old_mnt, const char *to); ++int gr_handle_symlink_owner(const struct path *link, const struct inode *target); +int gr_acl_handle_rename(struct dentry *new_dentry, + struct dentry *parent_dentry, + const struct vfsmount *parent_mnt, @@ -77602,10 +77707,10 @@ index 5c11312..72742b5 100644 write_hex_cnt = 0; for (i = 0; i < logo_clutsize; i++) { diff --git a/security/Kconfig b/security/Kconfig -index ccc61f8..3334dd6 100644 +index ccc61f8..d0e12f0 100644 --- a/security/Kconfig +++ b/security/Kconfig -@@ -4,6 +4,849 @@ +@@ -4,6 +4,860 @@ menu "Security options" @@ -77781,6 +77886,7 @@ index ccc61f8..3334dd6 100644 + +config GRKERNSEC_TPE_GID + int "GID for untrusted users" ++ depends on GRKERNSEC_CONFIG_SERVER + default 1005 + help + Setting this GID determines which group untrusted users should @@ -77789,6 +77895,16 @@ index ccc61f8..3334dd6 100644 + The users will only be able to execute binaries in directories owned and + writable only by the root user. + ++config GRKERNSEC_SYMLINKOWN_GID ++ int "GID for users with kernel-enforced SymlinksIfOwnerMatch" ++ depends on GRKERNSEC_CONFIG_SERVER ++ default 1006 ++ help ++ Setting this GID determines what group kernel-enforced ++ SymlinksIfOwnerMatch will be enabled for. If the sysctl option ++ is enabled, a sysctl option with name "symlinkown_gid" is created. ++ ++ +endmenu + +menu "Customize Configuration" @@ -78455,7 +78571,7 @@ index ccc61f8..3334dd6 100644 config KEYS bool "Enable access key retention support" help -@@ -169,7 +1012,7 @@ config INTEL_TXT +@@ -169,7 +1023,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX diff --git a/3.4.4/4450_grsec-kconfig-default-gids.patch b/3.4.4/4450_grsec-kconfig-default-gids.patch index a728d1a..bb24abe 100644 
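Review bot: `GRKERNSEC_SYMLINKOWN_GID` is now defined twice, here with `depends on GRKERNSEC_CONFIG_SERVER` and in grsecurity/Kconfig (earlier in this patch) with `depends on GRKERNSEC_SYMLINKOWN`, each carrying its own `default 1006`. As I read Kconfig's handling of repeated definitions this builds, but the literal default now lives in two places, and the 4450 default-GID override patch later in this commit drops its security/Kconfig hunk for GRKERNSEC_TPE_GID and adds none for this symbol, so the two copies can drift apart. Removing `default 1006` from this copy so the grsecurity/Kconfig definition alone owns the value (and doing the same for TPE_GID's `default 1005` here) would keep a single source of truth. The hunk also leaves two blank lines before `endmenu` where one matches the rest of the file.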
--- a/3.4.4/4450_grsec-kconfig-default-gids.patch +++ b/3.4.4/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Nuar a/grsecurity/Kconfig b/Kconfig --- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400 +++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400 -@@ -495,7 +495,7 @@ +@@ -520,7 +520,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -710,7 +710,7 @@ +@@ -735,7 +735,7 @@ config GRKERNSEC_TPE_GID int "GID for untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -719,7 +719,7 @@ +@@ -744,7 +744,7 @@ config GRKERNSEC_TPE_GID int "GID for trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -794,7 +794,7 @@ +@@ -819,7 +819,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -815,7 +815,7 @@ +@@ -840,7 +840,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT 
@@ -61,7 +61,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -833,7 +833,7 @@ +@@ -858,7 +858,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER @@ -82,12 +82,3 @@ diff -Nuar a/security/Kconfig b/security/Kconfig help Setting this GID determines which group will be exempted from grsecurity's /proc restrictions, allowing users of the specified -@@ -176,7 +176,7 @@ - - config GRKERNSEC_TPE_GID - int "GID for untrusted users" -- default 1005 -+ default 100 - help - Setting this GID determines which group untrusted users should - be added to. These users will be placed under grsecurity's Trusted Path diff --git a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch index fe28523..48acad7 100644 --- a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -892,6 +892,27 @@ +@@ -917,6 +917,27 @@ menu "Logging Options" depends on GRKERNSEC |