authorAnthony G. Basile <blueness@gentoo.org>2013-12-31 14:39:15 -0500
committerAnthony G. Basile <blueness@gentoo.org>2013-12-31 14:39:15 -0500
commit895b4e7fd913d74bc4edcc9f8b63dd29d46651d8 (patch)
tree061aa887396e8609210b25189fdefc1a2fc6cd70
parentGrsec/PaX: 3.0-{2.6.32,3.2.53,3.12.6}-201312262020 (diff)
downloadhardened-patchset-895b4e7fd913d74bc4edcc9f8b63dd29d46651d8.tar.gz
hardened-patchset-895b4e7fd913d74bc4edcc9f8b63dd29d46651d8.tar.bz2
hardened-patchset-895b4e7fd913d74bc4edcc9f8b63dd29d46651d8.zip
Grsec/PaX: 3.0-3.12.6-20131230122320131230
-rw-r--r--3.12.6/0000_README2
-rw-r--r--3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch (renamed from 3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch)99
-rw-r--r--3.12.6/4450_grsec-kconfig-default-gids.patch12
-rw-r--r--3.12.6/4465_selinux-avc_audit-log-curr_ip.patch2
4 files changed, 89 insertions, 26 deletions
diff --git a/3.12.6/0000_README b/3.12.6/0000_README
index 55926d8..9a0fb55 100644
--- a/3.12.6/0000_README
+++ b/3.12.6/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.12.6-201312262020.patch
+Patch: 4420_grsecurity-3.0-3.12.6-201312301223.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
index 639a445..a396411 100644
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
@@ -60943,6 +60943,22 @@ index 651d09a..60c73ae 100644
/*
* base.c
+diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
+index 05029c0..7ea1987 100644
+--- a/fs/proc/interrupts.c
++++ b/fs/proc/interrupts.c
+@@ -47,7 +47,11 @@ static const struct file_operations proc_interrupts_operations = {
+
+ static int __init proc_interrupts_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ proc_create_grsec("interrupts", 0, NULL, &proc_interrupts_operations);
++#else
+ proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
++#endif
+ return 0;
+ }
+ module_init(proc_interrupts_init);
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index 06ea155..9a798c7 100644
--- a/fs/proc/kcore.c
@@ -61292,6 +61308,22 @@ index 6b6a993..807cccc 100644
if (!IS_ERR(s))
kfree(s);
}
+diff --git a/fs/proc/stat.c b/fs/proc/stat.c
+index 1cf86c0..5668e11 100644
+--- a/fs/proc/stat.c
++++ b/fs/proc/stat.c
+@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = {
+
+ static int __init proc_stat_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ proc_create_grsec("stat", 0, NULL, &proc_stat_operations);
++#else
+ proc_create("stat", 0, NULL, &proc_stat_operations);
++#endif
+ return 0;
+ }
+ module_init(proc_stat_init);
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 390bdab..83c1e8a 100644
--- a/fs/proc/task_mmu.c
@@ -62471,10 +62503,10 @@ index 2b8952d..a60c6be 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..04e9889
+index 0000000..5b2538b
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1112 @@
+@@ -0,0 +1,1116 @@
+#
+# grecurity configuration
+#
@@ -63270,15 +63302,19 @@ index 0000000..04e9889
+ a sysctl option with name "consistent_setxid" is created.
+
+config GRKERNSEC_HARDEN_IPC
-+ bool "Disallow access to world-accessible IPC objects"
++ bool "Disallow access to overly-permissive IPC objects"
+ default y if GRKERNSEC_CONFIG_AUTO
+ depends on SYSVIPC
+ help
-+ If you say Y here, access to overly-permissive IPC (shared memory,
-+ message queues, and semaphores) will be denied for processes whose
-+ effective user or group would not grant them permission. It's a
-+ common error to grant too much permission to these objects, with
-+ impact ranging from denial of service and information leaking to
++ If you say Y here, access to overly-permissive IPC objects (shared
++ memory, message queues, and semaphores) will be denied for processes
++ given the following criteria beyond normal permission checks:
++ 1) If the IPC object is world-accessible and the euid doesn't match
++ that of the creator or current uid for the IPC object
++ 2) If the IPC object is group-accessible and the egid doesn't
++ match that of the creator or current gid for the IPC object
++ It's a common error to grant too much permission to these objects,
++ with impact ranging from denial of service and information leaking to
+ privilege escalation. This feature was developed in response to
+ research by Tim Brown:
+ http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
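Review bot: Criterion 2 in the new help text says the egid must match the object's cgid/gid, which is stricter than the mainline check it sits beside in ipc/util.c (`in_group_p(ipcp->cgid) || in_group_p(ipcp->gid)`, which also honours supplementary groups); a process that belongs to the object's group only through a supplementary group passes ipcperms() but is denied here, since gr_ipc_permitted() in this commit compares egid with gid_eq() alone. That difference is the one an administrator will trip over when a group member is refused with GR_IPC_DENIED_MSG, so it is worth saying in the help text, e.g. appending to item 2: `(supplementary group membership is not considered)`. The GRKERNSEC_HARDEN_IPC entry continues past this hunk.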
@@ -71471,10 +71507,10 @@ index 0000000..a88e901
+}
diff --git a/grsecurity/grsec_ipc.c b/grsecurity/grsec_ipc.c
new file mode 100644
-index 0000000..f365de0
+index 0000000..78d1680
--- /dev/null
+++ b/grsecurity/grsec_ipc.c
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,48 @@
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/sched.h>
@@ -71488,10 +71524,36 @@ index 0000000..f365de0
+gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode)
+{
+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
-+ int write = (requested_mode & 00002);
++ int write;
++ int orig_granted_mode;
++ kuid_t euid;
++ kgid_t egid;
+
-+ if (grsec_enable_harden_ipc && !(requested_mode & ~granted_mode & 0007) && !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
-+ gr_log_str2_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", write ? "writ" : "read", GR_GLOBAL_UID(ipcp->cuid));
++ if (!grsec_enable_harden_ipc)
++ return 0;
++
++ euid = current_euid();
++ egid = current_egid();
++
++ write = requested_mode & 00002;
++ orig_granted_mode = ipcp->mode;
++
++ if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid))
++ orig_granted_mode >>= 6;
++ else {
++ /* if likely wrong permissions, lock to user */
++ if (orig_granted_mode & 0007)
++ orig_granted_mode = 0;
++ /* otherwise do a egid-only check */
++ else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid))
++ orig_granted_mode >>= 3;
++ /* otherwise, no access */
++ else
++ orig_granted_mode = 0;
++ }
++ if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&
++ !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
++ gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));
+ return 0;
+ }
+#endif
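Review bot: The new early return `if (!grsec_enable_harden_ipc) return 0;` at the top of the body looks inverted: the caller in ipc/util.c (this commit's hunk, `if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode)) return -1;`, which now runs for every ipcperms() call rather than only in the final else branch) treats 0 as a denial, and 0 is also what the logging branch returns after GR_IPC_DENIED_MSG, so with the sysctl switched off every IPC permission check would fail. Unless the code after `#endif` (outside this hunk) returns something other than 1 on the normal path, the guard should read `if (!grsec_enable_harden_ipc) return 1;`. A one-line comment above the function stating the contract, `/* returns 1 if the access may proceed, 0 if it is to be denied */`, would make the convention visible at the call site. gr_ipc_permitted's body continues past the hunk.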
@@ -75995,7 +76057,7 @@ index 0000000..d25522e
+#endif
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
new file mode 100644
-index 0000000..2b07594
+index 0000000..195cbe4
--- /dev/null
+++ b/include/linux/grmsg.h
@@ -0,0 +1,115 @@
@@ -76113,7 +76175,7 @@ index 0000000..2b07594
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
-+#define GR_IPC_DENIED_MSG "denied %s of globally-%sable IPC with creator uid %u by "
++#define GR_IPC_DENIED_MSG "denied %s of overly-permissive IPC object with creator uid %u by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
index 0000000..d8b5b48
@@ -81460,7 +81522,7 @@ index 7a51443..3a257d8 100644
ipc_unlock_object(&shp->shm_perm);
rcu_read_unlock();
diff --git a/ipc/util.c b/ipc/util.c
-index 7684f41..f7da711 100644
+index 7684f41..5bf1880 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -71,6 +71,8 @@ struct ipc_proc_iface {
@@ -81472,11 +81534,12 @@ index 7684f41..f7da711 100644
static void ipc_memory_notifier(struct work_struct *work)
{
ipcns_notify(IPCNS_MEMCHANGED);
-@@ -560,6 +562,9 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
+@@ -560,6 +562,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
granted_mode >>= 6;
else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
granted_mode >>= 3;
-+ else if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
++
++ if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
+ return -1;
+
/* is there some bit set in requested_mode but not in granted_mode? */
diff --git a/3.12.6/4450_grsec-kconfig-default-gids.patch b/3.12.6/4450_grsec-kconfig-default-gids.patch
index aa9d567..cdd1703 100644
--- a/3.12.6/4450_grsec-kconfig-default-gids.patch
+++ b/3.12.6/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -621,7 +621,7 @@
+@@ -626,7 +626,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -848,7 +848,7 @@
+@@ -857,7 +857,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -857,7 +857,7 @@
+@@ -866,7 +866,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -950,7 +950,7 @@
+@@ -959,7 +959,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -971,7 +971,7 @@
+@@ -980,7 +980,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -989,7 +989,7 @@
+@@ -998,7 +998,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
index 6490fca..04ec3fb 100644
--- a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1084,6 +1084,27 @@
+@@ -1093,6 +1093,27 @@
menu "Logging Options"
depends on GRKERNSEC