authorAnthony G. Basile <basile@opensource.dyc.edu>2010-12-13 08:39:34 -0500
committerAnthony G. Basile <basile@opensource.dyc.edu>2010-12-13 08:39:34 -0500
commit04e9cc0dae8747fbb72da8500f76ab99785ee9ce (patch)
tree6525429e801079ec7df9de472732939012df37dd
parentRefreshed 2.6.36 patches (diff)
downloadhardened-patchset-04e9cc0dae8747fbb72da8500f76ab99785ee9ce.tar.gz
hardened-patchset-04e9cc0dae8747fbb72da8500f76ab99785ee9ce.tar.bz2
hardened-patchset-04e9cc0dae8747fbb72da8500f76ab99785ee9ce.zip
Update Grsec/PaX20101212
2.2.1-2.6.32.27-201012121726 against 2.6.32.27 2.2.1-2.6.36.2-201012121726 against 2.6.36.2
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.1-2.6.32.27-201012121726.patch (renamed from 2.6.32/4420_grsecurity-2.2.1-2.6.32.27-201012101715.patch)82
-rw-r--r--2.6.36/0000_README2
-rw-r--r--2.6.36/4420_grsecurity-2.2.1-2.6.36.2-201012121726.patch (renamed from 2.6.36/4420_grsecurity-2.2.1-2.6.36.2-201012101715.patch)58
4 files changed, 83 insertions, 61 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index a893b88..1457c2b 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.1-2.6.32.27-201012101715.patch
+Patch: 4420_grsecurity-2.2.1-2.6.32.27-201012121726.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.1-2.6.32.27-201012101715.patch b/2.6.32/4420_grsecurity-2.2.1-2.6.32.27-201012121726.patch
index dc83a66..82522a7 100644
--- a/2.6.32/4420_grsecurity-2.2.1-2.6.32.27-201012101715.patch
+++ b/2.6.32/4420_grsecurity-2.2.1-2.6.32.27-201012121726.patch
@@ -12376,7 +12376,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/head32.c linux-2.6.32.27/arch/x86/ker
/* Reserve INITRD */
diff -urNp linux-2.6.32.27/arch/x86/kernel/head_32.S linux-2.6.32.27/arch/x86/kernel/head_32.S
--- linux-2.6.32.27/arch/x86/kernel/head_32.S 2010-12-09 18:13:03.000000000 -0500
-+++ linux-2.6.32.27/arch/x86/kernel/head_32.S 2010-12-09 18:53:59.000000000 -0500
++++ linux-2.6.32.27/arch/x86/kernel/head_32.S 2010-12-12 15:55:11.000000000 -0500
@@ -19,10 +19,17 @@
#include <asm/setup.h>
#include <asm/processor-flags.h>
@@ -12682,7 +12682,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/head_32.S linux-2.6.32.27/arch/x86/ke
ENTRY(swapper_pg_dir)
.fill 1024,4,0
#endif
-+
++.section .swapper_pg_fixmap,"a",@progbits
swapper_pg_fixmap:
.fill 1024,4,0
#ifdef CONFIG_X86_TRAMPOLINE
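Review bot: No alignment directive is visible before `swapper_pg_fixmap:` once the new `.section .swapper_pg_fixmap,"a",@progbits` line moves the fixmap page table into its own section. Its page alignment then appears to depend on vmlinux.lds.S placing `*(.swapper_pg_fixmap)` directly after the page-aligned `*(.empty_zero_page)`. That dependency is worth stating where the table is defined, for example `/* must be page-aligned: relies on vmlinux.lds.S placing .swapper_pg_fixmap right after .empty_zero_page */`. The surrounding definitions start and end outside this hunk, so an alignment directive further up cannot be ruled out.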
@@ -15310,7 +15310,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmi_32.c linux-2.6.32.27/arch/x86/ker
local_irq_save(flags);
diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S
--- linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S 2010-12-09 18:12:55.000000000 -0500
++++ linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S 2010-12-12 15:54:32.000000000 -0500
@@ -26,6 +26,13 @@
#include <asm/page_types.h>
#include <asm/cache.h>
@@ -15391,7 +15391,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
HEAD_TEXT
#ifdef CONFIG_X86_32
. = ALIGN(PAGE_SIZE);
-@@ -82,28 +104,69 @@ SECTIONS
+@@ -82,28 +104,71 @@ SECTIONS
IRQENTRY_TEXT
*(.fixup)
*(.gnu.warning)
@@ -15434,8 +15434,10 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
+ *(.idt)
+ . = ALIGN(PAGE_SIZE);
+ *(.empty_zero_page)
++ *(.swapper_pg_fixmap)
+ *(.swapper_pg_pmd)
+ *(.swapper_pg_dir)
++ *(.trampoline_pg_dir)
+ } :rodata
+#endif
+
@@ -15468,7 +15470,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
PAGE_ALIGNED_DATA(PAGE_SIZE)
-@@ -166,12 +229,6 @@ SECTIONS
+@@ -166,12 +231,6 @@ SECTIONS
}
vgetcpu_mode = VVIRT(.vgetcpu_mode);
@@ -15481,7 +15483,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
.vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
*(.vsyscall_3)
}
-@@ -187,12 +244,19 @@ SECTIONS
+@@ -187,12 +246,19 @@ SECTIONS
#endif /* CONFIG_X86_64 */
/* Init code and data - will be freed after init */
@@ -15504,7 +15506,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
/*
* percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
* output PHDR, so the next output section - .init.text - should
-@@ -201,12 +265,27 @@ SECTIONS
+@@ -201,12 +267,27 @@ SECTIONS
PERCPU_VADDR(0, :percpu)
#endif
@@ -15537,7 +15539,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
.x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
__x86_cpu_dev_start = .;
-@@ -232,19 +311,11 @@ SECTIONS
+@@ -232,19 +313,11 @@ SECTIONS
*(.altinstr_replacement)
}
@@ -15558,7 +15560,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
PERCPU(PAGE_SIZE)
#endif
-@@ -267,12 +338,6 @@ SECTIONS
+@@ -267,12 +340,6 @@ SECTIONS
. = ALIGN(PAGE_SIZE);
}
@@ -15571,7 +15573,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
/* BSS */
. = ALIGN(PAGE_SIZE);
.bss : AT(ADDR(.bss) - LOAD_OFFSET) {
-@@ -288,6 +353,7 @@ SECTIONS
+@@ -288,6 +355,7 @@ SECTIONS
__brk_base = .;
. += 64 * 1024; /* 64k alignment slop space */
*(.brk_reservation) /* areas brk users have reserved */
@@ -15579,7 +15581,7 @@ diff -urNp linux-2.6.32.27/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.27/arch/x8
__brk_limit = .;
}
-@@ -316,13 +382,12 @@ SECTIONS
+@@ -316,13 +384,12 @@ SECTIONS
* for the boot processor.
*/
#define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
@@ -36641,8 +36643,8 @@ diff -urNp linux-2.6.32.27/grsecurity/gracl_alloc.c linux-2.6.32.27/grsecurity/g
+}
diff -urNp linux-2.6.32.27/grsecurity/gracl.c linux-2.6.32.27/grsecurity/gracl.c
--- linux-2.6.32.27/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.27/grsecurity/gracl.c 2010-12-09 18:12:39.000000000 -0500
-@@ -0,0 +1,3963 @@
++++ linux-2.6.32.27/grsecurity/gracl.c 2010-12-12 17:03:16.000000000 -0500
+@@ -0,0 +1,3971 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -38405,9 +38407,17 @@ diff -urNp linux-2.6.32.27/grsecurity/gracl.c linux-2.6.32.27/grsecurity/gracl.c
+ const struct dentry *curr_dentry,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
++ int newglob = checkglob;
++
++ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
++ as we don't want a /* rule to match instead of the / object
++ */
++ if (orig_dentry == curr_dentry)
++ newglob = 0;
++
+ return __full_lookup(orig_dentry, orig_mnt,
+ curr_dentry->d_inode->i_ino,
-+ curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
++ curr_dentry->d_inode->i_sb->s_dev, subj, path, newglob);
+}
+
+static struct acl_object_label *
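Review bot: The added block comment contains a literal `/*` (in "a /* rule"), which GCC reports under `-Wcomment` and which reads like a nested comment opener. Rewording keeps the meaning without that sequence, e.g. `/* still on the original dentry: skip glob matching so a "/" + "*" glob rule cannot match in place of the exact "/" object */`. Because this check decides which ACL object applies to a path, the comment could also say that `orig_dentry == curr_dentry` compares dentries only; no mount comparison appears in the visible lines. The same comment is added in the 2.6.36 copy of gracl.c, and the function's signature starts above this hunk.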
@@ -41184,8 +41194,8 @@ diff -urNp linux-2.6.32.27/grsecurity/gracl_fs.c linux-2.6.32.27/grsecurity/grac
+}
diff -urNp linux-2.6.32.27/grsecurity/gracl_ip.c linux-2.6.32.27/grsecurity/gracl_ip.c
--- linux-2.6.32.27/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.27/grsecurity/gracl_ip.c 2010-12-09 20:34:28.000000000 -0500
-@@ -0,0 +1,378 @@
++++ linux-2.6.32.27/grsecurity/gracl_ip.c 2010-12-12 17:18:42.000000000 -0500
+@@ -0,0 +1,382 @@
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -41354,8 +41364,12 @@ diff -urNp linux-2.6.32.27/grsecurity/gracl_ip.c linux-2.6.32.27/grsecurity/grac
+ }
+
+exit_fail:
-+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
-+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ if (domain == PF_INET)
++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
++ gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ else
++ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
++ gr_socktype_to_name(type), protocol);
+
+ return 0;
+exit:
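Review bot: The `exit_fail` path now chooses between two denial-log formats with no comment saying why. For any domain other than `PF_INET` the protocol is logged as a raw number through `gr_log_str2_int` rather than through `gr_proto_to_name`. A one-line comment above the `if` would help anyone parsing these logs, e.g. `/* protocol names only apply to PF_INET; log the number for other families */`; that is presumably the intent and should be confirmed against `gr_proto_to_name`. The same branch is added in the 2.6.36 copy and in the socket-all check in grsec_sock.c, and the function starts above this hunk.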
@@ -44137,8 +44151,8 @@ diff -urNp linux-2.6.32.27/grsecurity/grsec_sig.c linux-2.6.32.27/grsecurity/grs
+
diff -urNp linux-2.6.32.27/grsecurity/grsec_sock.c linux-2.6.32.27/grsecurity/grsec_sock.c
--- linux-2.6.32.27/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.27/grsecurity/grsec_sock.c 2010-12-09 18:12:39.000000000 -0500
-@@ -0,0 +1,271 @@
++++ linux-2.6.32.27/grsecurity/grsec_sock.c 2010-12-12 17:14:55.000000000 -0500
+@@ -0,0 +1,275 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -44180,6 +44194,7 @@ diff -urNp linux-2.6.32.27/grsecurity/grsec_sock.c linux-2.6.32.27/grsecurity/gr
+
+extern const char * gr_socktype_to_name(unsigned char type);
+extern const char * gr_proto_to_name(unsigned char proto);
++extern const char * gr_sockfamily_to_name(unsigned char family);
+
+static __inline__ int
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
@@ -44331,8 +44346,11 @@ diff -urNp linux-2.6.32.27/grsecurity/grsec_sock.c linux-2.6.32.27/grsecurity/gr
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
-+ (family != AF_UNIX) && (family != AF_LOCAL)) {
-+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ (family != AF_UNIX)) {
++ if (family == AF_INET)
++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ else
++ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NONINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
+ return -EACCES;
+ }
+#endif
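Review bot: The `else` branch passes `GR_SOCK_NONINET_MSG`, but the grmsg.h hunk in this same patch defines `GR_SOCK_NOINET_MSG`, and the 2.6.36 copy of this function uses that spelling. No definition of the `NONINET` name is visible in this diff, so with `CONFIG_GRKERNSEC_SOCKET_ALL` enabled the 2.6.32 build would presumably fail on an undeclared identifier. The line should read `gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);`. The function's signature is above the hunk.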
@@ -47040,7 +47058,7 @@ diff -urNp linux-2.6.32.27/include/linux/compiler-gcc4.h linux-2.6.32.27/include
#endif
diff -urNp linux-2.6.32.27/include/linux/compiler.h linux-2.6.32.27/include/linux/compiler.h
--- linux-2.6.32.27/include/linux/compiler.h 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.27/include/linux/compiler.h 2010-12-09 18:12:29.000000000 -0500
++++ linux-2.6.32.27/include/linux/compiler.h 2010-12-12 11:50:10.000000000 -0500
@@ -256,6 +256,22 @@ void ftrace_likely_update(struct ftrace_
#define __cold
#endif
@@ -47064,14 +47082,6 @@ diff -urNp linux-2.6.32.27/include/linux/compiler.h linux-2.6.32.27/include/linu
/* Simple shorthand for a section definition */
#ifndef __section
# define __section(S) __attribute__ ((__section__(#S)))
-@@ -278,6 +294,6 @@ void ftrace_likely_update(struct ftrace_
- * use is to mediate communication between process-level code and irq/NMI
- * handlers, all running on the same CPU.
- */
--#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
-+#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
-
- #endif /* __LINUX_COMPILER_H */
diff -urNp linux-2.6.32.27/include/linux/decompress/mm.h linux-2.6.32.27/include/linux/decompress/mm.h
--- linux-2.6.32.27/include/linux/decompress/mm.h 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/include/linux/decompress/mm.h 2010-12-09 18:12:29.000000000 -0500
@@ -47899,8 +47909,8 @@ diff -urNp linux-2.6.32.27/include/linux/grdefs.h linux-2.6.32.27/include/linux/
+#endif
diff -urNp linux-2.6.32.27/include/linux/grinternal.h linux-2.6.32.27/include/linux/grinternal.h
--- linux-2.6.32.27/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.27/include/linux/grinternal.h 2010-12-09 18:12:29.000000000 -0500
-@@ -0,0 +1,214 @@
++++ linux-2.6.32.27/include/linux/grinternal.h 2010-12-12 17:08:08.000000000 -0500
+@@ -0,0 +1,216 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -48054,6 +48064,7 @@ diff -urNp linux-2.6.32.27/include/linux/grinternal.h linux-2.6.32.27/include/li
+ GR_ONE_INT_TWO_STR,
+ GR_ONE_STR,
+ GR_STR_INT,
++ GR_TWO_STR_INT,
+ GR_TWO_INT,
+ GR_THREE_INT,
+ GR_FIVE_INT_TWO_STR,
@@ -48093,6 +48104,7 @@ diff -urNp linux-2.6.32.27/include/linux/grinternal.h linux-2.6.32.27/include/li
+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
++#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
@@ -48117,7 +48129,7 @@ diff -urNp linux-2.6.32.27/include/linux/grinternal.h linux-2.6.32.27/include/li
+#endif
diff -urNp linux-2.6.32.27/include/linux/grmsg.h linux-2.6.32.27/include/linux/grmsg.h
--- linux-2.6.32.27/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.27/include/linux/grmsg.h 2010-12-09 18:12:29.000000000 -0500
++++ linux-2.6.32.27/include/linux/grmsg.h 2010-12-12 17:19:08.000000000 -0500
@@ -0,0 +1,111 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
@@ -48207,7 +48219,7 @@ diff -urNp linux-2.6.32.27/include/linux/grmsg.h linux-2.6.32.27/include/linux/g
+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
-+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
++#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
+#define GR_BIND_MSG "denied bind() by "
+#define GR_CONNECT_MSG "denied connect() by "
+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
diff --git a/2.6.36/0000_README b/2.6.36/0000_README
index 0043e2b..8e686d0 100644
--- a/2.6.36/0000_README
+++ b/2.6.36/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.1-2.6.36.2-201012101715.patch
+Patch: 4420_grsecurity-2.2.1-2.6.36.2-201012121726.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.36/4420_grsecurity-2.2.1-2.6.36.2-201012101715.patch b/2.6.36/4420_grsecurity-2.2.1-2.6.36.2-201012121726.patch
index 3b8f1f7..5cccdee 100644
--- a/2.6.36/4420_grsecurity-2.2.1-2.6.36.2-201012101715.patch
+++ b/2.6.36/4420_grsecurity-2.2.1-2.6.36.2-201012121726.patch
@@ -35315,8 +35315,8 @@ diff -urNp linux-2.6.36.2/grsecurity/gracl_alloc.c linux-2.6.36.2/grsecurity/gra
+}
diff -urNp linux-2.6.36.2/grsecurity/gracl.c linux-2.6.36.2/grsecurity/gracl.c
--- linux-2.6.36.2/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.36.2/grsecurity/gracl.c 2010-12-09 20:24:32.000000000 -0500
-@@ -0,0 +1,3897 @@
++++ linux-2.6.36.2/grsecurity/gracl.c 2010-12-12 17:03:39.000000000 -0500
+@@ -0,0 +1,3905 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -37013,9 +37013,17 @@ diff -urNp linux-2.6.36.2/grsecurity/gracl.c linux-2.6.36.2/grsecurity/gracl.c
+ const struct dentry *curr_dentry,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
+{
++ int newglob = checkglob;
++
++ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
++ as we don't want a /* rule to match instead of the / object
++ */
++ if (orig_dentry == curr_dentry)
++ newglob = 0;
++
+ return __full_lookup(orig_dentry, orig_mnt,
+ curr_dentry->d_inode->i_ino,
-+ curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
++ curr_dentry->d_inode->i_sb->s_dev, subj, path, newglob);
+}
+
+static struct acl_object_label *
@@ -39792,8 +39800,8 @@ diff -urNp linux-2.6.36.2/grsecurity/gracl_fs.c linux-2.6.36.2/grsecurity/gracl_
+}
diff -urNp linux-2.6.36.2/grsecurity/gracl_ip.c linux-2.6.36.2/grsecurity/gracl_ip.c
--- linux-2.6.36.2/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.36.2/grsecurity/gracl_ip.c 2010-12-09 20:33:49.000000000 -0500
-@@ -0,0 +1,378 @@
++++ linux-2.6.36.2/grsecurity/gracl_ip.c 2010-12-12 17:13:37.000000000 -0500
+@@ -0,0 +1,382 @@
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -39962,8 +39970,12 @@ diff -urNp linux-2.6.36.2/grsecurity/gracl_ip.c linux-2.6.36.2/grsecurity/gracl_
+ }
+
+exit_fail:
-+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
-+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ if (domain == PF_INET)
++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
++ gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ else
++ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
++ gr_socktype_to_name(type), protocol);
+
+ return 0;
+exit:
@@ -42728,8 +42740,8 @@ diff -urNp linux-2.6.36.2/grsecurity/grsec_sig.c linux-2.6.36.2/grsecurity/grsec
+
diff -urNp linux-2.6.36.2/grsecurity/grsec_sock.c linux-2.6.36.2/grsecurity/grsec_sock.c
--- linux-2.6.36.2/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.36.2/grsecurity/grsec_sock.c 2010-12-09 20:24:32.000000000 -0500
-@@ -0,0 +1,271 @@
++++ linux-2.6.36.2/grsecurity/grsec_sock.c 2010-12-12 17:16:39.000000000 -0500
+@@ -0,0 +1,275 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -42771,6 +42783,7 @@ diff -urNp linux-2.6.36.2/grsecurity/grsec_sock.c linux-2.6.36.2/grsecurity/grse
+
+extern const char * gr_socktype_to_name(unsigned char type);
+extern const char * gr_proto_to_name(unsigned char proto);
++extern const char * gr_sockfamily_to_name(unsigned char family);
+
+static __inline__ int
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
@@ -42922,8 +42935,11 @@ diff -urNp linux-2.6.36.2/grsecurity/grsec_sock.c linux-2.6.36.2/grsecurity/grse
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
-+ (family != AF_UNIX) && (family != AF_LOCAL)) {
-+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ (family != AF_UNIX)) {
++ if (family == AF_INET)
++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
++ else
++ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
+ return -EACCES;
+ }
+#endif
@@ -45545,7 +45561,7 @@ diff -urNp linux-2.6.36.2/include/linux/compiler-gcc4.h linux-2.6.36.2/include/l
#if __GNUC_MINOR__ > 0
diff -urNp linux-2.6.36.2/include/linux/compiler.h linux-2.6.36.2/include/linux/compiler.h
--- linux-2.6.36.2/include/linux/compiler.h 2010-10-20 16:30:22.000000000 -0400
-+++ linux-2.6.36.2/include/linux/compiler.h 2010-12-09 20:24:06.000000000 -0500
++++ linux-2.6.36.2/include/linux/compiler.h 2010-12-12 11:50:33.000000000 -0500
@@ -269,6 +269,22 @@ void ftrace_likely_update(struct ftrace_
#define __cold
#endif
@@ -45569,14 +45585,6 @@ diff -urNp linux-2.6.36.2/include/linux/compiler.h linux-2.6.36.2/include/linux/
/* Simple shorthand for a section definition */
#ifndef __section
# define __section(S) __attribute__ ((__section__(#S)))
-@@ -302,6 +318,6 @@ void ftrace_likely_update(struct ftrace_
- * use is to mediate communication between process-level code and irq/NMI
- * handlers, all running on the same CPU.
- */
--#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
-+#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
-
- #endif /* __LINUX_COMPILER_H */
diff -urNp linux-2.6.36.2/include/linux/decompress/mm.h linux-2.6.36.2/include/linux/decompress/mm.h
--- linux-2.6.36.2/include/linux/decompress/mm.h 2010-10-20 16:30:22.000000000 -0400
+++ linux-2.6.36.2/include/linux/decompress/mm.h 2010-12-09 20:24:06.000000000 -0500
@@ -46379,8 +46387,8 @@ diff -urNp linux-2.6.36.2/include/linux/grdefs.h linux-2.6.36.2/include/linux/gr
+#endif
diff -urNp linux-2.6.36.2/include/linux/grinternal.h linux-2.6.36.2/include/linux/grinternal.h
--- linux-2.6.36.2/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.36.2/include/linux/grinternal.h 2010-12-09 20:24:05.000000000 -0500
-@@ -0,0 +1,214 @@
++++ linux-2.6.36.2/include/linux/grinternal.h 2010-12-12 17:06:37.000000000 -0500
+@@ -0,0 +1,216 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -46534,6 +46542,7 @@ diff -urNp linux-2.6.36.2/include/linux/grinternal.h linux-2.6.36.2/include/linu
+ GR_ONE_INT_TWO_STR,
+ GR_ONE_STR,
+ GR_STR_INT,
++ GR_TWO_STR_INT,
+ GR_TWO_INT,
+ GR_THREE_INT,
+ GR_FIVE_INT_TWO_STR,
@@ -46573,6 +46582,7 @@ diff -urNp linux-2.6.36.2/include/linux/grinternal.h linux-2.6.36.2/include/linu
+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
++#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
@@ -46597,7 +46607,7 @@ diff -urNp linux-2.6.36.2/include/linux/grinternal.h linux-2.6.36.2/include/linu
+#endif
diff -urNp linux-2.6.36.2/include/linux/grmsg.h linux-2.6.36.2/include/linux/grmsg.h
--- linux-2.6.36.2/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.36.2/include/linux/grmsg.h 2010-12-09 20:24:06.000000000 -0500
++++ linux-2.6.36.2/include/linux/grmsg.h 2010-12-12 17:19:24.000000000 -0500
@@ -0,0 +1,111 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
@@ -46687,7 +46697,7 @@ diff -urNp linux-2.6.36.2/include/linux/grmsg.h linux-2.6.36.2/include/linux/grm
+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
-+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
++#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
+#define GR_BIND_MSG "denied bind() by "
+#define GR_CONNECT_MSG "denied connect() by "
+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "