authorAnthony G. Basile <blueness@gentoo.org>2014-03-04 19:06:23 -0500
committerAnthony G. Basile <blueness@gentoo.org>2014-03-04 19:06:23 -0500
commitff347075a6a4931a0ef4e63420cf5b6be10f4f37 (patch)
tree1f9954e6bff179c83f385c1f8a362e74a2796e3d
parentGrsec/PaX: 3.0-{3.2.55,3.13.5}-201402241943 (diff)
downloadhardened-patchset-ff347075a6a4931a0ef4e63420cf5b6be10f4f37.tar.gz
hardened-patchset-ff347075a6a4931a0ef4e63420cf5b6be10f4f37.tar.bz2
hardened-patchset-ff347075a6a4931a0ef4e63420cf5b6be10f4f37.zip
Grsec/PaX: 3.0-{3.2.55,3.13.5}-20140303144520140303
-rw-r--r--3.13.5/0000_README2
-rw-r--r--3.13.5/4420_grsecurity-3.0-3.13.5-201403031445.patch (renamed from 3.13.5/4420_grsecurity-3.0-3.13.5-201402241943.patch)140
-rw-r--r--3.2.55/0000_README2
-rw-r--r--3.2.55/4420_grsecurity-3.0-3.2.55-201403022154.patch (renamed from 3.2.55/4420_grsecurity-3.0-3.2.55-201402241936.patch)223
4 files changed, 307 insertions, 60 deletions
diff --git a/3.13.5/0000_README b/3.13.5/0000_README
index 7516385..838ac74 100644
--- a/3.13.5/0000_README
+++ b/3.13.5/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.13.5-201402241943.patch
+Patch: 4420_grsecurity-3.0-3.13.5-201403031445.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.13.5/4420_grsecurity-3.0-3.13.5-201402241943.patch b/3.13.5/4420_grsecurity-3.0-3.13.5-201403031445.patch
index 0356b07..eaf708f 100644
--- a/3.13.5/4420_grsecurity-3.0-3.13.5-201402241943.patch
+++ b/3.13.5/4420_grsecurity-3.0-3.13.5-201403031445.patch
@@ -2124,19 +2124,6 @@ index 1571d12..b8a9b43 100644
pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
return pte;
}
-diff --git a/arch/arm/include/asm/proc-fns.h b/arch/arm/include/asm/proc-fns.h
-index 5324c11..bcae5f0 100644
---- a/arch/arm/include/asm/proc-fns.h
-+++ b/arch/arm/include/asm/proc-fns.h
-@@ -75,7 +75,7 @@ extern struct processor {
- unsigned int suspend_size;
- void (*do_suspend)(void *);
- void (*do_resume)(void *);
--} processor;
-+} __do_const processor;
-
- #ifndef MULTI_CPU
- extern void cpu_proc_init(void);
diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h
index c4ae171..ea0c0c2 100644
--- a/arch/arm/include/asm/psci.h
@@ -3045,7 +3032,7 @@ index 0dd3b79..e018f64 100644
if (secure_computing(scno) == -1)
return -1;
diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
-index 987a7f5..d9d6071 100644
+index 987a7f5..ab0c397 100644
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -100,21 +100,23 @@ EXPORT_SYMBOL(system_serial_high);
@@ -3057,7 +3044,7 @@ index 987a7f5..d9d6071 100644
#ifdef MULTI_CPU
-struct processor processor __read_mostly;
-+struct processor processor;
++struct processor processor __read_only;
#endif
#ifdef MULTI_TLB
-struct cpu_tlb_fns cpu_tlb __read_mostly;
@@ -3093,15 +3080,6 @@ index 987a7f5..d9d6071 100644
(mmfr0 & 0x000000f0) == 0x00000020)
cpu_arch = CPU_ARCH_ARMv6;
else
-@@ -573,7 +579,7 @@ static void __init setup_processor(void)
- __cpu_architecture = __get_cpu_architecture();
-
- #ifdef MULTI_CPU
-- processor = *list->proc;
-+ memcpy((void *)&processor, list->proc, sizeof processor);
- #endif
- #ifdef MULTI_TLB
- cpu_tlb = *list->tlb;
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index 04d6388..5115238 100644
--- a/arch/arm/kernel/signal.c
@@ -27905,7 +27883,7 @@ index da7837e..86c6ebf 100644
vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index d89d51b..f3c612a 100644
+index d89d51b..fa94855 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1791,8 +1791,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
@@ -27937,6 +27915,15 @@ index d89d51b..f3c612a 100644
{
int r;
struct kvm_x86_ops *ops = opaque;
+@@ -6163,7 +6165,7 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu)
+ frag->len -= len;
+ }
+
+- if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) {
++ if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments) {
+ vcpu->mmio_needed = 0;
+
+ /* FIXME: return into emulator if single-stepping. */
diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
index bdf8532..f63c587 100644
--- a/arch/x86/lguest/boot.c
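Review bot: The relaxed test `if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments)` in complete_emulated_mmio() (arch/x86/kvm/x86.c) has no comment saying why equality is no longer sufficient, so a later reader may tighten it back. I would add `/* >= rather than ==: never continue with a fragment index past mmio_nr_fragments */` above the condition. The code that advances mmio_cur_fragment and indexes the fragment array sits above the hunk and is not visible here. Whether the index can still be used out of range before this check is reached should be confirmed against the full function.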
@@ -62183,6 +62170,45 @@ index 0e0752e..7cfdd50 100644
wake_up_interruptible(&pipe->wait);
ret = -ERESTARTSYS;
goto err;
+diff --git a/fs/posix_acl.c b/fs/posix_acl.c
+index 8bd2135..eab9adb 100644
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -19,6 +19,7 @@
+ #include <linux/sched.h>
+ #include <linux/posix_acl.h>
+ #include <linux/export.h>
++#include <linux/grsecurity.h>
+
+ #include <linux/errno.h>
+
+@@ -183,7 +184,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
+ }
+ }
+ if (mode_p)
+- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
++ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
+ return not_equiv;
+ }
+
+@@ -331,7 +332,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
+ mode &= (group_obj->e_perm << 3) | ~S_IRWXG;
+ }
+
+- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
++ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
+ return not_equiv;
+ }
+
+@@ -389,6 +390,8 @@ posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
+ struct posix_acl *clone = posix_acl_clone(*acl, gfp);
+ int err = -ENOMEM;
+ if (clone) {
++ *mode_p &= ~gr_acl_umask();
++
+ err = posix_acl_create_masq(clone, mode_p);
+ if (err < 0) {
+ posix_acl_release(clone);
diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
index 2183fcf..3c32a98 100644
--- a/fs/proc/Kconfig
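Review bot: In posix_acl_create() the added `*mode_p &= ~gr_acl_umask();` is followed by posix_acl_create_masq(), which this patch also changes to apply `& ~gr_acl_umask()`, so the mask is computed twice per create with no comment explaining why both are needed. Presumably the pre-mask exists so that masq narrows the cloned ACL entries from an already filtered mode; a comment such as `/* filter the mode first so masq also narrows the ACL entries */` would record that. The complement is also applied to the whole umode_t rather than to the permission bits, which is only safe if gr_acl_umask() never returns bits outside S_IRWXUGO. Its definition is outside this hunk, so either confirm that or write `~(gr_acl_umask() & S_IRWXUGO)`. The 3.2.55 patch carries the same three changes to fs/posix_acl.c.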
@@ -64525,10 +64551,18 @@ index 3377dff..f394815 100644
}
fdput(f);
diff --git a/fs/xattr_acl.c b/fs/xattr_acl.c
-index 9fbea87..6b19972 100644
+index 9fbea87..417b3c2 100644
--- a/fs/xattr_acl.c
+++ b/fs/xattr_acl.c
-@@ -76,8 +76,8 @@ struct posix_acl *
+@@ -10,6 +10,7 @@
+ #include <linux/posix_acl_xattr.h>
+ #include <linux/gfp.h>
+ #include <linux/user_namespace.h>
++#include <linux/grsecurity.h>
+
+ /*
+ * Fix up the uids and gids in posix acl extended attributes in place.
+@@ -76,11 +77,12 @@ struct posix_acl *
posix_acl_from_xattr(struct user_namespace *user_ns,
const void *value, size_t size)
{
@@ -64539,6 +64573,37 @@ index 9fbea87..6b19972 100644
int count;
struct posix_acl *acl;
struct posix_acl_entry *acl_e;
++ umode_t umask = gr_acl_umask();
+
+ if (!value)
+ return NULL;
+@@ -106,12 +108,18 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
+
+ switch(acl_e->e_tag) {
+ case ACL_USER_OBJ:
++ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
++ break;
+ case ACL_GROUP_OBJ:
+ case ACL_MASK:
++ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
++ break;
+ case ACL_OTHER:
++ acl_e->e_perm &= ~(umask & S_IRWXO);
+ break;
+
+ case ACL_USER:
++ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
+ acl_e->e_uid =
+ make_kuid(user_ns,
+ le32_to_cpu(entry->e_id));
+@@ -119,6 +127,7 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
+ goto fail;
+ break;
+ case ACL_GROUP:
++ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
+ acl_e->e_gid =
+ make_kgid(user_ns,
+ le32_to_cpu(entry->e_id));
diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
index 3b2c14b..de031fe 100644
--- a/fs/xfs/xfs_bmap.c
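Review bot: The new per-tag masking in posix_acl_from_xattr() has no comment stating the mapping it implements: owner bits of gr_acl_umask() filter ACL_USER_OBJ and named ACL_USER entries, group bits filter ACL_GROUP_OBJ, ACL_MASK and named ACL_GROUP entries, and other bits filter ACL_OTHER. A short comment above the `switch` saying so would help, particularly because named users are filtered by the owner class here. The function is a generic xattr-to-ACL converter and its callers are outside the hunk. If any of them parse ACLs read from disk rather than supplied by the current task, the resulting ACL depends on which task performed the conversion, which is worth confirming.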
@@ -64598,10 +64663,10 @@ index 104455b..764c512 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..ffff596
+index 0000000..031e895
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1153 @@
+@@ -0,0 +1,1157 @@
+#
+# grecurity configuration
+#
@@ -64836,6 +64901,10 @@ index 0000000..ffff596
+ with the existing seed and will be removed by a make mrproper or
+ make distclean.
+
++ Note that the implementation requires gcc 4.6.4. or newer. You may need
++ to install the supporting headers explicitly in addition to the normal
++ gcc package.
++
+config GRKERNSEC_RANDSTRUCT_PERFORMANCE
+ bool "Use cacheline-aware structure randomization"
+ depends on GRKERNSEC_RANDSTRUCT
@@ -99816,7 +99885,7 @@ index 4fe4fb4..87a89e5 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index bca50b9..8f8a85e 100644
+index bca50b9..782ec12 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -249,7 +249,7 @@ static void netlink_overrun(struct sock *sk)
@@ -99828,6 +99897,17 @@ index bca50b9..8f8a85e 100644
}
static void netlink_rcv_wake(struct sock *sk)
+@@ -1481,8 +1481,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
+ if (addr->sa_family != AF_NETLINK)
+ return -EINVAL;
+
+- /* Only superuser is allowed to send multicasts */
+- if (nladdr->nl_groups && !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
++ if ((nladdr->nl_groups || nladdr->nl_pid) &&
++ !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
+ return -EPERM;
+
+ if (!nlk->portid)
@@ -2940,7 +2940,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
sk_wmem_alloc_get(s),
nlk->cb_running,
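Review bot: The rewritten check in netlink_connect() drops the comment `/* Only superuser is allowed to send multicasts */` and adds nothing in its place, although the condition now also covers unicast destinations through `nladdr->nl_pid`. I would add a comment describing the new rule, for example `/* Without NL_CFG_F_NONROOT_SEND a socket may only connect to the kernel (no groups, nl_pid 0) */`. The same change in the 3.2.55 patch, which uses NL_NONROOT_SEND, needs the same comment. The function body continues outside the hunk.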
diff --git a/3.2.55/0000_README b/3.2.55/0000_README
index 0a4207c..e75270d 100644
--- a/3.2.55/0000_README
+++ b/3.2.55/0000_README
@@ -138,7 +138,7 @@ Patch: 1054_linux-3.2.55.patch
From: http://www.kernel.org
Desc: Linux 3.2.55
-Patch: 4420_grsecurity-3.0-3.2.55-201402241936.patch
+Patch: 4420_grsecurity-3.0-3.2.55-201403022154.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.55/4420_grsecurity-3.0-3.2.55-201402241936.patch b/3.2.55/4420_grsecurity-3.0-3.2.55-201403022154.patch
index f875551..5e79266 100644
--- a/3.2.55/4420_grsecurity-3.0-3.2.55-201402241936.patch
+++ b/3.2.55/4420_grsecurity-3.0-3.2.55-201403022154.patch
@@ -43786,10 +43786,18 @@ index 46db5c5..37c1536 100644
err = platform_driver_register(&sk_isa_driver);
if (err)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
-index ee1aab0..31aa71c 100644
+index ee1aab0..7d4fd21 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
-@@ -359,7 +359,7 @@ static void tun_free_netdev(struct net_device *dev)
+@@ -186,7 +186,6 @@ static void __tun_detach(struct tun_struct *tun)
+ netif_tx_lock_bh(tun->dev);
+ netif_carrier_off(tun->dev);
+ tun->tfile = NULL;
+- tun->socket.file = NULL;
+ netif_tx_unlock_bh(tun->dev);
+
+ /* Drop read queue */
+@@ -359,7 +358,7 @@ static void tun_free_netdev(struct net_device *dev)
{
struct tun_struct *tun = netdev_priv(dev);
@@ -43798,7 +43806,7 @@ index ee1aab0..31aa71c 100644
}
/* Net device open. */
-@@ -983,10 +983,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock,
+@@ -983,10 +982,18 @@ static int tun_recvmsg(struct kiocb *iocb, struct socket *sock,
return ret;
}
@@ -43817,7 +43825,7 @@ index ee1aab0..31aa71c 100644
};
static struct proto tun_proto = {
-@@ -1113,10 +1121,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
+@@ -1113,10 +1120,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
tun->vnet_hdr_sz = sizeof(struct virtio_net_hdr);
err = -ENOMEM;
@@ -43830,7 +43838,7 @@ index ee1aab0..31aa71c 100644
tun->socket.wq = &tun->wq;
init_waitqueue_head(&tun->wq.wait);
tun->socket.ops = &tun_socket_ops;
-@@ -1177,7 +1186,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
+@@ -1177,7 +1185,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
return 0;
err_free_sk:
@@ -43839,7 +43847,7 @@ index ee1aab0..31aa71c 100644
err_free_dev:
free_netdev(dev);
failed:
-@@ -1236,7 +1245,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
+@@ -1236,7 +1244,7 @@ static int set_offload(struct tun_struct *tun, unsigned long arg)
}
static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
@@ -43848,7 +43856,7 @@ index ee1aab0..31aa71c 100644
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun;
-@@ -1247,6 +1256,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
+@@ -1247,6 +1255,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
int vnet_hdr_sz;
int ret;
@@ -60145,6 +60153,45 @@ index 8ca88fc..d1f8b8a 100644
inode->i_fop = &rdwr_pipefifo_fops;
/*
+diff --git a/fs/posix_acl.c b/fs/posix_acl.c
+index cea4623..c19c78b 100644
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -19,6 +19,7 @@
+ #include <linux/sched.h>
+ #include <linux/posix_acl.h>
+ #include <linux/module.h>
++#include <linux/grsecurity.h>
+
+ #include <linux/errno.h>
+
+@@ -180,7 +181,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
+ }
+ }
+ if (mode_p)
+- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
++ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
+ return not_equiv;
+ }
+
+@@ -331,7 +332,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
+ mode &= (group_obj->e_perm << 3) | ~S_IRWXG;
+ }
+
+- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
++ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
+ return not_equiv;
+ }
+
+@@ -389,6 +390,8 @@ posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
+ struct posix_acl *clone = posix_acl_clone(*acl, gfp);
+ int err = -ENOMEM;
+ if (clone) {
++ *mode_p &= ~gr_acl_umask();
++
+ err = posix_acl_create_masq(clone, mode_p);
+ if (err < 0) {
+ posix_acl_release(clone);
diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
index 15af622..0e9f4467 100644
--- a/fs/proc/Kconfig
@@ -62655,10 +62702,19 @@ index 67583de..328e065 100644
}
fput(f);
diff --git a/fs/xattr_acl.c b/fs/xattr_acl.c
-index 8d5a506..7f62712 100644
+index 8d5a506..e4a8a5f 100644
--- a/fs/xattr_acl.c
+++ b/fs/xattr_acl.c
-@@ -17,8 +17,8 @@
+@@ -9,7 +9,7 @@
+ #include <linux/fs.h>
+ #include <linux/posix_acl_xattr.h>
+ #include <linux/gfp.h>
+-
++#include <linux/grsecurity.h>
+
+ /*
+ * Convert from extended attribute to in-memory representation.
+@@ -17,11 +17,12 @@
struct posix_acl *
posix_acl_from_xattr(const void *value, size_t size)
{
@@ -62669,6 +62725,34 @@ index 8d5a506..7f62712 100644
int count;
struct posix_acl *acl;
struct posix_acl_entry *acl_e;
++ umode_t umask = gr_acl_umask();
+
+ if (!value)
+ return NULL;
+@@ -47,14 +48,23 @@ posix_acl_from_xattr(const void *value, size_t size)
+
+ switch(acl_e->e_tag) {
+ case ACL_USER_OBJ:
++ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
++ break;
+ case ACL_GROUP_OBJ:
+ case ACL_MASK:
++ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
++ break;
+ case ACL_OTHER:
++ acl_e->e_perm &= ~(umask & S_IRWXO);
+ acl_e->e_id = ACL_UNDEFINED_ID;
+ break;
+
+ case ACL_USER:
++ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
++ acl_e->e_id = le32_to_cpu(entry->e_id);
++ break;
+ case ACL_GROUP:
++ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
+ acl_e->e_id = le32_to_cpu(entry->e_id);
+ break;
+
diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
index d0ab788..827999b 100644
--- a/fs/xfs/xfs_bmap.c
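Review bot: In the 3.2.55 posix_acl_from_xattr() the two added `break;` statements after the ACL_USER_OBJ and ACL_MASK masks cut the fall-through to `acl_e->e_id = ACL_UNDEFINED_ID;`, which now runs only for ACL_OTHER. ACL_USER_OBJ, ACL_GROUP_OBJ and ACL_MASK entries therefore leave this switch with e_id unset. The allocation is outside the hunk, so whether that memory is zeroed should be checked, but the previous code did not rely on it. Adding `acl_e->e_id = ACL_UNDEFINED_ID;` before each of the two new `break;` lines restores the old behaviour. The 3.13.5 hunk is not affected, because those cases had no assignment there.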
@@ -62756,10 +62840,10 @@ index 8a89949..6776861 100644
xfs_init_zones(void)
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..849ba36
+index 0000000..9ad8151
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1139 @@
+@@ -0,0 +1,1143 @@
+#
+# grecurity configuration
+#
@@ -62994,6 +63078,10 @@ index 0000000..849ba36
+ with the existing seed and will be removed by a make mrproper or
+ make distclean.
+
++ Note that the implementation requires gcc 4.6.4. or newer. You may need
++ to install the supporting headers explicitly in addition to the normal
++ gcc package.
++
+config GRKERNSEC_RANDSTRUCT_PERFORMANCE
+ bool "Use cacheline-aware structure randomization"
+ depends on GRKERNSEC_RANDSTRUCT
@@ -90125,7 +90213,7 @@ index d9df745..e73c2fe 100644
static inline void *ptr_to_indirect(void *ptr)
{
diff --git a/lib/random32.c b/lib/random32.c
-index 1f44bdc..1e5b2df 100644
+index 1f44bdc..fb616c7 100644
--- a/lib/random32.c
+++ b/lib/random32.c
@@ -2,19 +2,19 @@
@@ -90173,12 +90261,13 @@ index 1f44bdc..1e5b2df 100644
#include <linux/jiffies.h>
#include <linux/random.h>
+#include <linux/sched.h>
-+
+
+-static DEFINE_PER_CPU(struct rnd_state, net_rand_state);
+#ifdef CONFIG_RANDOM32_SELFTEST
+static void __init prandom_state_selftest(void);
+#endif
-
- static DEFINE_PER_CPU(struct rnd_state, net_rand_state);
++
++static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
/**
- * prandom32 - seeded pseudo-random number generator.
@@ -100780,9 +100869,20 @@ index 4fe4fb4..87a89e5 100644
return 0;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 2369e96..3c3f7de 100644
+index 2369e96..7aadc6a 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
+@@ -706,8 +706,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
+ if (addr->sa_family != AF_NETLINK)
+ return -EINVAL;
+
+- /* Only superuser is allowed to send multicasts */
+- if (nladdr->nl_groups && !netlink_capable(sock, NL_NONROOT_SEND))
++ if ((nladdr->nl_groups || nladdr->nl_pid) &&
++ !netlink_capable(sock, NL_NONROOT_SEND))
+ return -EPERM;
+
+ if (!nlk->pid)
@@ -753,7 +753,7 @@ static void netlink_overrun(struct sock *sk)
sk->sk_error_report(sk);
}
@@ -106197,6 +106297,25 @@ index b43813c..74be837 100644
}
#else
static inline int selinux_xfrm_enabled(void)
+diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
+index a7f61d5..4d7c0b4 100644
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -3202,10 +3202,10 @@ static int filename_write_helper(void *key, void *data, void *ptr)
+ if (rc)
+ return rc;
+
+- buf[0] = ft->stype;
+- buf[1] = ft->ttype;
+- buf[2] = ft->tclass;
+- buf[3] = otype->otype;
++ buf[0] = cpu_to_le32(ft->stype);
++ buf[1] = cpu_to_le32(ft->ttype);
++ buf[2] = cpu_to_le32(ft->tclass);
++ buf[3] = cpu_to_le32(otype->otype);
+
+ rc = put_entry(buf, sizeof(u32), 4, fp);
+ if (rc)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 185f849..72b20b1 100644
--- a/security/selinux/ss/services.c
@@ -108985,10 +109104,10 @@ index 0000000..dd73713
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..7e39d81
+index 0000000..1a98bed
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,403 @@
+@@ -0,0 +1,451 @@
+/*
+ * Copyright 2012-2014 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -109017,7 +109136,7 @@ index 0000000..7e39d81
+static tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
-+ .version = "201402210120",
++ .version = "201402240545",
+ .help = NULL
+};
+
@@ -109040,6 +109159,12 @@ index 0000000..7e39d81
+static tree handle_latent_entropy_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
+{
+ tree type;
++ unsigned long long mask;
++#if BUILDING_GCC_VERSION <= 4007
++ VEC(constructor_elt, gc) *vals;
++#else
++ vec<constructor_elt, va_gc> *vals;
++#endif
+
+ switch (TREE_CODE(*node)) {
+ default:
@@ -109064,22 +109189,64 @@ index 0000000..7e39d81
+ switch (TREE_CODE(type)) {
+ default:
+ *no_add_attrs = true;
-+ error("variable %qD with %qE attribute must be an integer or a fixed length integer array type", *node, name);
++ error("variable %qD with %qE attribute must be an integer or a fixed length integer array type or a fixed sized structure with integer fields", *node, name);
+ break;
+
++ case RECORD_TYPE: {
++ tree field;
++ unsigned int nelt = 0;
++
++ for (field = TYPE_FIELDS(type); field; nelt++, field = TREE_CHAIN(field)) {
++ tree fieldtype;
++
++ fieldtype = TREE_TYPE(field);
++ if (TREE_CODE(fieldtype) != INTEGER_TYPE) {
++ *no_add_attrs = true;
++ error("structure variable %qD with %qE attribute has a non-integer field %qE", *node, name, field);
++ break;
++ }
++ }
++
++ if (field)
++ break;
++
++#if BUILDING_GCC_VERSION <= 4007
++ vals = VEC_alloc(constructor_elt, gc, nelt);
++#else
++ vec_alloc(vals, nelt);
++#endif
++
++ for (field = TYPE_FIELDS(type); field; field = TREE_CHAIN(field)) {
++ tree fieldtype;
++
++ fieldtype = TREE_TYPE(field);
++ mask = 1ULL << (TREE_INT_CST_LOW(TYPE_SIZE(fieldtype)) - 1);
++ mask = 2 * (mask - 1) + 1;
++
++ if (TYPE_UNSIGNED(fieldtype))
++ CONSTRUCTOR_APPEND_ELT(vals, field, build_int_cstu(fieldtype, mask & get_random_const()));
++ else
++ CONSTRUCTOR_APPEND_ELT(vals, field, build_int_cst(fieldtype, mask & get_random_const()));
++ }
++
++ DECL_INITIAL(*node) = build_constructor(type, vals);
++//debug_tree(DECL_INITIAL(*node));
++ break;
++ }
++
+ case INTEGER_TYPE:
-+ DECL_INITIAL(*node) = build_int_cstu(type, get_random_const());
++ mask = 1ULL << (TREE_INT_CST_LOW(TYPE_SIZE(type)) - 1);
++ mask = 2 * (mask - 1) + 1;
++
++ if (TYPE_UNSIGNED(type))
++ DECL_INITIAL(*node) = build_int_cstu(type, mask & get_random_const());
++ else
++ DECL_INITIAL(*node) = build_int_cst(type, mask & get_random_const());
+ break;
+
+ case ARRAY_TYPE: {
+ tree elt_type, array_size, elt_size;
-+ unsigned long long mask;
+ unsigned int i, nelt;
-+#if BUILDING_GCC_VERSION <= 4007
-+ VEC(constructor_elt, gc) *vals;
-+#else
-+ vec<constructor_elt, va_gc> *vals;
-+#endif
+
+ elt_type = TREE_TYPE(type);
+ elt_size = TYPE_SIZE_UNIT(TREE_TYPE(type));
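Review bot: The mask setup `mask = 1ULL << (TREE_INT_CST_LOW(TYPE_SIZE(fieldtype)) - 1);` in the new RECORD_TYPE case, and the same two lines added to INTEGER_TYPE, shift by the type's bit size minus one, which is undefined once an integer type wider than 64 bits carries the attribute. The visible checks test only for INTEGER_TYPE and do not bound the size. The computation now appears in both cases, so I would move it into one static helper that clamps at 64 bits, as sketched below, and call it as `mask = latent_entropy_mask(fieldtype);`. The commented-out `//debug_tree(DECL_INITIAL(*node));` should be removed as well. The handler starts above the hunk and the ARRAY_TYPE case continues below it.

```c
/* All-ones mask covering the bit size of an integer type. */
static unsigned long long latent_entropy_mask(tree inttype)
{
	unsigned long long bits = TREE_INT_CST_LOW(TYPE_SIZE(inttype));

	/* a shift by 64 or more is undefined; wider types get the full mask */
	if (bits >= 64)
		return ~0ULL;
	return (1ULL << bits) - 1;
}

/* … unchanged: RECORD_TYPE field validation and vals allocation … */
		mask = latent_entropy_mask(fieldtype);
/* … unchanged: CONSTRUCTOR_APPEND_ELT calls, INTEGER_TYPE initialiser … */
```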
@@ -109087,7 +109254,7 @@ index 0000000..7e39d81
+
+ if (TREE_CODE(elt_type) != INTEGER_TYPE || !array_size || TREE_CODE(array_size) != INTEGER_CST) {
+ *no_add_attrs = true;
-+ error("variable %qD with %qE attribute must be a fixed length integer array type", *node, name);
++ error("array variable %qD with %qE attribute must be a fixed length integer array type", *node, name);
+ break;
+ }
+