authorAnthony G. Basile <blueness@gentoo.org>2014-01-04 10:08:35 -0500
committerAnthony G. Basile <blueness@gentoo.org>2014-01-04 10:08:35 -0500
commitb7b6c63d4ed778e1e1588005c377e93c69eb0283 (patch)
tree4433eb13e4c111214c6b4e47bc3d6ce78b07e9ce
parent Grsec/PaX: 3.0-3.12.6-201312301223 (diff)
Grsec/PaX: 3.0-3.12.6-20140102172620140102
-rw-r--r--3.12.6/0000_README2
-rw-r--r--3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch (renamed from 3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch)184
2 files changed, 110 insertions, 76 deletions
diff --git a/3.12.6/0000_README b/3.12.6/0000_README
index 9a0fb55..0c79077 100644
--- a/3.12.6/0000_README
+++ b/3.12.6/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.12.6-201312301223.patch
+Patch: 4420_grsecurity-3.0-3.12.6-201401021726.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
index a396411..e1b8944 100644
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
@@ -45673,43 +45673,40 @@ index f4a18f5..ff2463c 100644
int retval = -ENOMEM;
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 7128cfd..db7c65b 100644
+index 7128cfd..6fdc261 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
-@@ -634,6 +634,10 @@ pci_write_config(struct file* filp, struct kobject *kobj,
+@@ -634,6 +634,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
loff_t init_off = off;
u8 *data = (u8*) buf;
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+ return -EPERM;
-+#endif
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+
if (off > dev->cfg_size)
return 0;
if (off + count > dev->cfg_size) {
-@@ -940,6 +944,10 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -940,6 +943,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
resource_size_t start, end;
int i;
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+ return -EPERM;
-+#endif
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+
for (i = 0; i < PCI_ROM_RESOURCE; i++)
if (res == &pdev->resource[i])
break;
-@@ -1047,6 +1055,10 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
- struct bin_attribute *attr, char *buf,
- loff_t off, size_t count)
- {
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+ return -EPERM;
-+#endif
-+
- return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
+@@ -997,6 +1003,9 @@ pci_resource_io(struct file *filp, struct kobject *kobj,
+ unsigned long port = off;
+ int i;
-@@ -1083,7 +1095,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
++
+ for (i = 0; i < PCI_ROM_RESOURCE; i++)
+ if (res == &pdev->resource[i])
+ break;
+@@ -1083,7 +1092,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
{
/* allocate attribute structure, piggyback attribute name */
int name_len = write_combine ? 13 : 10;
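Review bot: Relocating the CAP_SYS_RAWIO check from pci_write_resource_io into pci_resource_io (the `+@@ -997,6 +1003,9 @@` hunk) widens it from the write path to every caller of that helper; the removed lines show pci_write_resource_io passing `true` as its last argument, so a read counterpart presumably calls the same helper with `false` and now also returns -EPERM to unprivileged readers, which the previous ifdef block did not do. If gating reads is intended, a one-line comment at the check would record it, e.g. `/* port I/O in either direction can have side effects: require CAP_SYS_RAWIO for reads too */`; if not, the check belongs back in pci_write_resource_io. The same replacement of a CONFIG_GRKERNSEC_KMEM ifdef with an unconditional capable() check is made in pci_write_config and pci_mmap_resource in this hunk and in proc_bus_pci_write in the drivers/pci/proc.c hunk below, which makes the restriction apply regardless of that config option; the 0000_README description could state that. The enclosing functions start and end outside the hunk.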
@@ -45718,7 +45715,7 @@ index 7128cfd..db7c65b 100644
int retval;
res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC);
-@@ -1268,7 +1280,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
+@@ -1268,7 +1277,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
static int pci_create_capabilities_sysfs(struct pci_dev *dev)
{
int retval;
@@ -45727,7 +45724,7 @@ index 7128cfd..db7c65b 100644
/* If the device has VPD, try to expose it in sysfs. */
if (dev->vpd) {
-@@ -1315,7 +1327,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev)
+@@ -1315,7 +1324,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev)
{
int retval;
int rom_size = 0;
@@ -45780,43 +45777,20 @@ index 7ef0f86..17b710f 100644
/* No printks while decoding is disabled! */
if (!dev->mmio_always_on) {
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index cdc7836..2e0eb94 100644
+index cdc7836..0c964c9 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
-@@ -117,6 +117,10 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
+@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
int size = dev->cfg_size;
int cnt;
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+ return -EPERM;
-+#endif
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+
if (pos >= size)
return 0;
if (nbytes >= size)
-@@ -196,6 +200,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- int ret = 0;
-
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+ return -EPERM;
-+#endif
-+
- switch (cmd) {
- case PCIIOC_CONTROLLER:
- ret = pci_domain_nr(dev->bus);
-@@ -234,6 +242,10 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- struct pci_filp_private *fpriv = file->private_data;
- int i, ret;
-
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+ return -EPERM;
-+#endif
-+
- if (!capable(CAP_SYS_RAWIO))
- return -EPERM;
-
-@@ -434,7 +446,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
+@@ -434,7 +437,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
static int __init pci_proc_init(void)
{
struct pci_dev *dev = NULL;
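Review bot: proc_bus_pci_ioctl is left without any gate on the new side — the removed `#ifdef CONFIG_GRKERNSEC_KMEM` block at `-@@ -196,6 +200,10 @@` is not replaced by a capable() check, unlike proc_bus_pci_write earlier in this hunk. From the removed context the handler appears to only report `pci_domain_nr(dev->bus)` and set per-file mmap flags, and proc_bus_pci_mmap keeps its own `if (!capable(CAP_SYS_RAWIO))` check, so dropping the gate is plausibly deliberate, but nothing in the patch records that reasoning. A short comment at the top of the ioctl handler, e.g. `/* no capability check: the flags set here only take effect in proc_bus_pci_mmap, which requires CAP_SYS_RAWIO */`, would prevent the next rebase from re-adding a redundant gate or missing a needed one. The enclosing functions begin and end outside the hunk.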
@@ -45833,21 +45807,6 @@ index cdc7836..2e0eb94 100644
proc_create("devices", 0, proc_bus_pci_dir,
&proc_bus_pci_dev_operations);
proc_initialized = 1;
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index e1c1ec5..bef4210 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -92,6 +92,10 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- u32 dword;
- int err = 0;
-
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+ return -EPERM
-+#endif
-+
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index 19c313b..ed28b38 100644
--- a/drivers/platform/x86/asus-wmi.c
@@ -61309,21 +61268,96 @@ index 6b6a993..807cccc 100644
kfree(s);
}
diff --git a/fs/proc/stat.c b/fs/proc/stat.c
-index 1cf86c0..5668e11 100644
+index 1cf86c0..f61473c 100644
--- a/fs/proc/stat.c
+++ b/fs/proc/stat.c
-@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = {
+@@ -11,6 +11,7 @@
+ #include <linux/irqnr.h>
+ #include <asm/cputime.h>
+ #include <linux/tick.h>
++#include <linux/grsecurity.h>
- static int __init proc_stat_init(void)
- {
+ #ifndef arch_irq_stat_cpu
+ #define arch_irq_stat_cpu(cpu) 0
+@@ -87,13 +88,28 @@ static int show_stat(struct seq_file *p, void *v)
+ u64 sum_softirq = 0;
+ unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
+ struct timespec boottime;
++ int unrestricted = 1;
++
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+ proc_create_grsec("stat", 0, NULL, &proc_stat_operations);
-+#else
- proc_create("stat", 0, NULL, &proc_stat_operations);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(grsec_proc_gid)
+#endif
- return 0;
- }
- module_init(proc_stat_init);
++ )
++ unrestricted = 0;
++#endif
++#endif
+
+ user = nice = system = idle = iowait =
+ irq = softirq = steal = 0;
+ guest = guest_nice = 0;
+ getboottime(&boottime);
+ jif = boottime.tv_sec;
++ if (!unrestricted)
++ jif = 0;
+
++ if (unrestricted) {
+ for_each_possible_cpu(i) {
+ user += kcpustat_cpu(i).cpustat[CPUTIME_USER];
+ nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
+@@ -116,6 +132,7 @@ static int show_stat(struct seq_file *p, void *v)
+ }
+ }
+ sum += arch_irq_stat();
++ }
+
+ seq_puts(p, "cpu ");
+ seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
+@@ -131,6 +148,7 @@ static int show_stat(struct seq_file *p, void *v)
+ seq_putc(p, '\n');
+
+ for_each_online_cpu(i) {
++ if (unrestricted) {
+ /* Copy values here to work around gcc-2.95.3, gcc-2.96 */
+ user = kcpustat_cpu(i).cpustat[CPUTIME_USER];
+ nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
+@@ -142,6 +160,7 @@ static int show_stat(struct seq_file *p, void *v)
+ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+ guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++ }
+ seq_printf(p, "cpu%d", i);
+ seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
+ seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(nice));
+@@ -159,7 +178,7 @@ static int show_stat(struct seq_file *p, void *v)
+
+ /* sum again ? it could be updated? */
+ for_each_irq_nr(j)
+- seq_put_decimal_ull(p, ' ', kstat_irqs(j));
++ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL);
+
+ seq_printf(p,
+ "\nctxt %llu\n"
+@@ -167,11 +186,11 @@ static int show_stat(struct seq_file *p, void *v)
+ "processes %lu\n"
+ "procs_running %lu\n"
+ "procs_blocked %lu\n",
+- nr_context_switches(),
+- (unsigned long)jif,
+- total_forks,
+- nr_running(),
+- nr_iowait());
++ unrestricted ? nr_context_switches() : 0ULL,
++ unrestricted ? (unsigned long)jif : 0UL,
++ unrestricted ? total_forks : 0UL,
++ unrestricted ? nr_running() : 0UL,
++ unrestricted ? nr_iowait() : 0UL);
+
+ seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
+
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 390bdab..83c1e8a 100644
--- a/fs/proc/task_mmu.c