authorAnthony G. Basile <basile@opensource.dyc.edu>2010-05-27 19:41:32 -0400
committerAnthony G. Basile <basile@opensource.dyc.edu>2010-05-27 19:41:32 -0400
commit9ecb6fa472254181f7168edb697b74fb22009a0a (patch)
tree78dfa3e2848ce93d73d8792b9f0c38469acd2174
parentadded README for 2.6.32 (diff)
Updated Grsec/PaX to 2.1.14-2.6.33.3-201005012055 for kernel 2.6.33.3
Cleaned up line numbers on patches
-rw-r--r--kernel/2.6.33/0000_README44
-rw-r--r--kernel/2.6.33/4422_grsec-mute-warnings.patch2
-rw-r--r--kernel/2.6.33/4425_grsec-pax-without-grsec.patch12
-rw-r--r--kernel/2.6.33/4430_grsec-kconfig-default-gids.patch14
-rw-r--r--kernel/2.6.33/4440_selinux-avc_audit-log-curr_ip.patch4
5 files changed, 60 insertions, 16 deletions
diff --git a/kernel/2.6.33/0000_README b/kernel/2.6.33/0000_README
new file mode 100644
index 0000000..3f3358a
--- /dev/null
+++ b/kernel/2.6.33/0000_README
@@ -0,0 +1,44 @@
+README
+-----------------------------------------------------------------------------
+
+Individual Patch Descriptions:
+-----------------------------------------------------------------------------
+Patch: 4420_grsecurity-2.1.14-2.6.33.3-201005012055.patch
+From: http://www.grsecurity.net
+Desc: hardened-sources base patch from upstream grsecurity
+Note: This was modified and already incorporate 4423_grsec-remove-protected-paths.patch
+
+Patch: 4421_grsec-remove-localversion-grsec.patch
+From: Kerin Millar <kerframil@gmail.com>
+Desc: Removes grsecurity's localversion-grsec file
+
+Patch: 4422_grsec-mute-warnings.patch
+From: Alexander Gabert <gaberta@fh-trier.de>
+ Gordon Malm <gengor@gentoo.org>
+Desc: Removes verbose compile warning settings from grsecurity, restores
+ mainline Linux kernel behavior
+
+Patch: 4425_grsec-pax-without-grsec.patch
+From: Gordon Malm <gengor@gentoo.org>
+Desc: Allows PaX features to be selected without enabling GRKERNSEC
+
+Patch: 4430_grsec-kconfig-default-gids.patch
+From: Kerin Millar <kerframil@gmail.com>
+Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
+ features
+
+Patch: 4435_grsec-kconfig-gentoo.patch
+From: Gordon Malm <gengor@gentoo.org>
+ Kerin Millar <kerframil@gmail.com>
+Desc: Adds Hardened Gentoo [server/workstation] security levels, sets
+ Hardened Gentoo [workstation] as default
+
+Patch: 4440_selinux-avc_audit-log-curr_ip.patch
+From: Gordon Malm <gengor@gentoo.org>
+Desc: Configurable option to add src IP address to SELinux log messages
+
+Patch: 4445_disable-compat_vdso.patch
+From: Gordon Malm <gengor@gentoo.org>
+ Kerin Millar <kerframil@gmail.com>
+Desc: Disables VDSO_COMPAT operation completely
+
diff --git a/kernel/2.6.33/4422_grsec-mute-warnings.patch b/kernel/2.6.33/4422_grsec-mute-warnings.patch
index 90d934d..b3004ed 100644
--- a/kernel/2.6.33/4422_grsec-mute-warnings.patch
+++ b/kernel/2.6.33/4422_grsec-mute-warnings.patch
@@ -24,7 +24,7 @@ Acked-by: Christian Heim <phreak@gentoo.org>
--- a/Makefile 2009-07-29 05:34:01.695857499 +0100
+++ b/Makefile 2009-07-29 05:58:15.098857201 +0100
-@@ -221,7 +221,7 @@
+@@ -227,7 +227,7 @@
HOSTCC = gcc
HOSTCXX = g++
diff --git a/kernel/2.6.33/4425_grsec-pax-without-grsec.patch b/kernel/2.6.33/4425_grsec-pax-without-grsec.patch
index 6d987b9..9a50663 100644
--- a/kernel/2.6.33/4425_grsec-pax-without-grsec.patch
+++ b/kernel/2.6.33/4425_grsec-pax-without-grsec.patch
@@ -13,7 +13,7 @@ The original version of this patch contained no credits/description.
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
-@@ -610,10 +610,12 @@
+@@ -635,10 +635,12 @@
#ifdef CONFIG_PAX_KERNEXEC
if (init_mm.start_code <= address && address < init_mm.end_code) {
@@ -28,7 +28,7 @@ The original version of this patch contained no credits/description.
}
--- a/fs/exec.c
+++ b/fs/exec.c
-@@ -1730,9 +1730,11 @@
+@@ -1759,9 +1759,11 @@
}
up_read(&mm->mmap_sem);
}
@@ -40,7 +40,7 @@ The original version of this patch contained no credits/description.
printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
"PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -1747,10 +1749,12 @@
+@@ -1776,10 +1778,12 @@
#ifdef CONFIG_PAX_REFCOUNT
void pax_report_refcount_overflow(struct pt_regs *regs)
{
@@ -53,7 +53,7 @@ The original version of this patch contained no credits/description.
printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
current->comm, task_pid_nr(current), current_uid(), current_euid());
print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -1762,10 +1766,12 @@
+@@ -1791,10 +1795,12 @@
#ifdef CONFIG_PAX_USERCOPY
void pax_report_leak_to_user(const void *ptr, unsigned long len)
{
@@ -66,7 +66,7 @@ The original version of this patch contained no credits/description.
printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
dump_stack();
do_group_exit(SIGKILL);
-@@ -1773,10 +1779,12 @@
+@@ -1802,10 +1808,12 @@
void pax_report_overflow_from_user(const void *ptr, unsigned long len)
{
@@ -81,7 +81,7 @@ The original version of this patch contained no credits/description.
do_group_exit(SIGKILL);
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -10,7 +10,7 @@ menu "PaX"
+@@ -19,7 +19,7 @@ menu "PaX"
config PAX
bool "Enable various PaX features"
diff --git a/kernel/2.6.33/4430_grsec-kconfig-default-gids.patch b/kernel/2.6.33/4430_grsec-kconfig-default-gids.patch
index 614adbc..2f75e87 100644
--- a/kernel/2.6.33/4430_grsec-kconfig-default-gids.patch
+++ b/kernel/2.6.33/4430_grsec-kconfig-default-gids.patch
@@ -11,7 +11,7 @@ from shooting themselves in the foot.
--- a/grsecurity/Kconfig
+++ b/grsecurity/Kconfig
-@@ -352,7 +564,7 @@
+@@ -396,7 +396,7 @@
config GRKERNSEC_PROC_GID
int "GID for special group"
depends on GRKERNSEC_PROC_USERGROUP
@@ -20,7 +20,7 @@ from shooting themselves in the foot.
config GRKERNSEC_PROC_ADD
bool "Additional restrictions"
-@@ -547,7 +759,7 @@
+@@ -605,7 +605,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -29,7 +29,7 @@ from shooting themselves in the foot.
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -700,7 +912,7 @@
+@@ -774,7 +774,7 @@
config GRKERNSEC_TPE_GID
int "GID for untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -38,7 +38,7 @@ from shooting themselves in the foot.
help
If you have selected the "Invert GID option" above, setting this
GID determines what group TPE restrictions will be *disabled* for.
-@@ -712,7 +924,7 @@
+@@ -786,7 +786,7 @@
config GRKERNSEC_TPE_GID
int "GID for trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -47,7 +47,7 @@ from shooting themselves in the foot.
help
If you have selected the "Invert GID option" above, setting this
GID determines what group TPE restrictions will be *disabled* for.
-@@ -754,7 +966,7 @@
+@@ -860,7 +860,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -56,7 +56,7 @@ from shooting themselves in the foot.
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -775,7 +987,7 @@
+@@ -881,7 +881,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -65,7 +65,7 @@ from shooting themselves in the foot.
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -793,7 +1005,7 @@
+@@ -899,7 +899,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/kernel/2.6.33/4440_selinux-avc_audit-log-curr_ip.patch b/kernel/2.6.33/4440_selinux-avc_audit-log-curr_ip.patch
index 560bc89..876da33 100644
--- a/kernel/2.6.33/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/kernel/2.6.33/4440_selinux-avc_audit-log-curr_ip.patch
@@ -21,7 +21,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
--- a/grsecurity/Kconfig
+++ b/grsecurity/Kconfig
-@@ -1044,6 +1044,27 @@ endmenu
+@@ -1352,6 +1352,27 @@ endmenu
menu "Logging Options"
depends on GRKERNSEC
@@ -51,7 +51,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
default 10
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
-@@ -202,6 +202,11 @@ static void avc_dump_query(struct audit_
+@@ -143,6 +143,11 @@ static void avc_dump_query(struct audit_
char *scontext;
u32 scontext_len;