authorAnthony G. Basile <blueness@gentoo.org>2013-12-27 09:52:45 -0500
committerAnthony G. Basile <blueness@gentoo.org>2013-12-27 09:52:45 -0500
commitc21d30c5844b0da4014a5bc2619aff7f87106fd2 (patch)
tree8518255236f5d0e7540ff2ac555be7aacf7d0f9c
parentGrsec/PaX: 3.0-{2.6.32,3.2.53,3.12.6}-201312251834 (diff)
downloadhardened-patchset-c21d30c5844b0da4014a5bc2619aff7f87106fd2.tar.gz
hardened-patchset-c21d30c5844b0da4014a5bc2619aff7f87106fd2.tar.bz2
hardened-patchset-c21d30c5844b0da4014a5bc2619aff7f87106fd2.zip
Grsec/PaX: 3.0-{2.6.32,3.2.53,3.12.6}-201312262020 (2013-12-26)
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch)139
-rw-r--r--3.12.6/0000_README2
-rw-r--r--3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch (renamed from 3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch)134
-rw-r--r--3.2.53/0000_README2
-rw-r--r--3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch (renamed from 3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch)37
6 files changed, 147 insertions, 169 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 92be49f..88db1be 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
index 01a0f17..46790bb 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312251831.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201312262018.patch
@@ -1,16 +1,3 @@
- .|,
- -*-
- '/'\`
- /`'o\
- /#,o'`\
- o/`"#,`\o
- /`o``"#,\
- o/#,`'o'`\o
- /o`"#,`',o\
- o`-._`"#_.-'o
- _|"|_
- \=%=/ hjw
- """
diff --git a/Documentation/dontdiff b/Documentation/dontdiff
index e1efc40..3569a2f 100644
--- a/Documentation/dontdiff
@@ -62459,57 +62446,57 @@ index 0000000..c7ed692
--- /dev/null
+++ b/drivers/net/benet/version.h
@@ -0,0 +1,51 @@
-+#define STR_BE_BRANCH "0"
-+#define STR_BE_BUILD "479"
-+#define STR_BE_DOT "0"
-+#define STR_BE_MINOR "0"
-+#define STR_BE_MAJOR "4"
-+
-+#define BE_BRANCH 0
-+#define BE_BUILD 479
-+#define BE_DOT 0
-+#define BE_MINOR 0
-+#define BE_MAJOR 4
-+
-+#define MGMT_BRANCH 0
-+#define MGMT_BUILDNUM 479
-+#define MGMT_MINOR 0
-+#define MGMT_MAJOR 4
-+
-+#define BE_REDBOOT_VERSION "2.0.5.0"
-+
-+//start-auto
-+#define BUILD_MONTH "12"
-+#define BUILD_MONTH_NAME "December"
-+#define BUILD_DAY "6"
-+#define BUILD_YEAR "2011"
-+#define BUILD_24HOUR "21"
-+#define BUILD_12HOUR "9"
-+#define BUILD_AM_PM "PM"
-+#define BUILD_MIN "48"
-+#define BUILD_SEC "05"
-+#define BUILD_MONTH_NUMBER 12
-+#define BUILD_DAY_NUMBER 6
-+#define BUILD_YEAR_NUMBER 2011
-+#define BUILD_24HOUR_NUMBER 21
-+#define BUILD_12HOUR_NUMBER 9
-+#define BUILD_MIN_NUMBER 48
-+#define BUILD_SEC_NUMBER 5
-+#undef MAJOR_BUILD
-+#undef MINOR_BUILD
-+#undef DOT_BUILD
-+#define NUMBERED_BUILD
-+#undef BRANCH_BUILD
-+//end-auto
-+
-+#define ELX_FCOE_XROM_BIOS_VER "7.03a1"
-+#define ELX_FCoE_X86_VER "4.02a1"
-+#define ELX_FCoE_EFI_VER "5.01a1"
-+#define ELX_FCoE_FCODE_VER "4.01a0"
-+#define ELX_PXE_BIOS_VER "3.00a5"
-+#define ELX_UEFI_NIC_VER "2.10A10"
-+#define ELX_UEFI_FCODE_VER "1.10A0"
-+#define ELX_ISCSI_BIOS_VER "1.00A8"
++#define STR_BE_BRANCH "0"
++#define STR_BE_BUILD "479"
++#define STR_BE_DOT "0"
++#define STR_BE_MINOR "0"
++#define STR_BE_MAJOR "4"
++
++#define BE_BRANCH 0
++#define BE_BUILD 479
++#define BE_DOT 0
++#define BE_MINOR 0
++#define BE_MAJOR 4
++
++#define MGMT_BRANCH 0
++#define MGMT_BUILDNUM 479
++#define MGMT_MINOR 0
++#define MGMT_MAJOR 4
++
++#define BE_REDBOOT_VERSION "2.0.5.0"
++
++//start-auto
++#define BUILD_MONTH "12"
++#define BUILD_MONTH_NAME "December"
++#define BUILD_DAY "6"
++#define BUILD_YEAR "2011"
++#define BUILD_24HOUR "21"
++#define BUILD_12HOUR "9"
++#define BUILD_AM_PM "PM"
++#define BUILD_MIN "48"
++#define BUILD_SEC "05"
++#define BUILD_MONTH_NUMBER 12
++#define BUILD_DAY_NUMBER 6
++#define BUILD_YEAR_NUMBER 2011
++#define BUILD_24HOUR_NUMBER 21
++#define BUILD_12HOUR_NUMBER 9
++#define BUILD_MIN_NUMBER 48
++#define BUILD_SEC_NUMBER 5
++#undef MAJOR_BUILD
++#undef MINOR_BUILD
++#undef DOT_BUILD
++#define NUMBERED_BUILD
++#undef BRANCH_BUILD
++//end-auto
++
++#define ELX_FCOE_XROM_BIOS_VER "7.03a1"
++#define ELX_FCoE_X86_VER "4.02a1"
++#define ELX_FCoE_EFI_VER "5.01a1"
++#define ELX_FCoE_FCODE_VER "4.01a0"
++#define ELX_PXE_BIOS_VER "3.00a5"
++#define ELX_UEFI_NIC_VER "2.10A10"
++#define ELX_UEFI_FCODE_VER "1.10A0"
++#define ELX_ISCSI_BIOS_VER "1.00A8"
diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
index 4874b2b..67f8526 100644
--- a/drivers/net/bnx2.c
@@ -85982,10 +85969,10 @@ index e89734e..5e84d8d 100644
return 0;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..105b285
+index 0000000..9712ce3
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1050 @@
+@@ -0,0 +1,1055 @@
+#
+# grecurity configuration
+#
@@ -86355,7 +86342,12 @@ index 0000000..105b285
+ This option acts independently of grsec_lock: once it is set to 1,
+ it cannot be turned off. Therefore, please be mindful of the resulting
+ behavior if this option is enabled in an init script on a read-only
-+ filesystem. This feature is mainly intended for secure embedded systems.
++ filesystem.
++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
++ and GRKERNSEC_IO should be enabled and module loading disabled via
++ config or at runtime.
++ This feature is mainly intended for secure embedded systems.
++
+
+config GRKERNSEC_DEVICE_SIDECHANNEL
+ bool "Eliminate stat/notify-based device sidechannels"
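Review bot: The added help sentences (`Also be aware that as with other root-focused features, GRKERNSEC_KMEM and GRKERNSEC_IO should be enabled and module loading disabled ...`) name the options to pair with this one but not what goes wrong without them, which is the part an administrator needs in order to judge the risk. I would append, hedged because the hunk itself does not state the mechanism: `Without them, root can presumably still reach the underlying storage through /dev/mem, /dev/port or a loaded module, bypassing this restriction.` The insertion also leaves two consecutive blank lines before the next config entry (the `++` line followed by the `+` line); drop one. Nothing in the hunk makes this option `select` or `depends on` GRKERNSEC_KMEM/GRKERNSEC_IO, so the guidance is advisory only, which is probably intended for a runtime sysctl but worth stating. The config entry this help text belongs to begins outside the hunk.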
@@ -87087,7 +87079,7 @@ index 0000000..b0b77d5
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..1276b13
+index 0000000..a24562a
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,4309 @@
@@ -87390,7 +87382,7 @@ index 0000000..1276b13
+gr_handle_rawio(const struct inode *inode)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
-+ if (inode && S_ISBLK(inode->i_mode) &&
++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
+ !capable(CAP_SYS_RAWIO))
+ return 1;
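Review bot: The widened condition `if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&` carries no comment explaining why one particular character major is treated like a block device, and the line now runs well past 100 columns. I would add above it `/* /dev/raw/rawN is a character-device alias for a bound block device; treat it as raw block access */` (hedged: the raw driver is not visible here, this is what RAW_MAJOR conventionally denotes) and break the condition across two lines. RAW_MAJOR comes from <linux/major.h>, and this hunk adds no include to gracl.c, so it must already arrive via an existing header; worth confirming, since the grsec_mount.c hunk in the same patch does add the include explicitly. gr_handle_rawio's closing #endif and its fall-through return are outside the hunk.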
@@ -95245,13 +95237,14 @@ index 0000000..f536303
+}
diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
new file mode 100644
-index 0000000..2131422
+index 0000000..cd9e124
--- /dev/null
+++ b/grsecurity/grsec_mount.c
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,65 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mount.h>
++#include <linux/major.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
@@ -95302,8 +95295,10 @@ index 0000000..2131422
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_ROFS
++ struct inode *inode = dentry->d_inode;
++
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
-+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
+ return -EPERM;
+ } else
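Review bot: The predicate `S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)` is now spelled out twice in this patch, here and in gr_handle_rawio in gracl.c, so a device class added to one site later will silently be missed by the other. I would move it into a single static inline in a header both files already include and call it from both; the sketch below shows the helper and this call site. Which grsecurity header is the right home is not visible from the hunk. gr_handle_rofs_blockwrite's else branch and #endif continue outside the hunk.
```c
/* in a shared grsecurity header: devices that give raw access to block storage */
static inline int gr_is_raw_blockdev(const struct inode *inode)
{
	return S_ISBLK(inode->i_mode) ||
	       (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR);
}

/* … unchanged: gr_handle_rofs_blockwrite signature, #ifdef and inode lookup … */
	if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
	    inode && gr_is_raw_blockdev(inode)) {
```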
diff --git a/3.12.6/0000_README b/3.12.6/0000_README
index 6c77b46..55926d8 100644
--- a/3.12.6/0000_README
+++ b/3.12.6/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.12.6-201312251834.patch
+Patch: 4420_grsecurity-3.0-3.12.6-201312262020.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
index 8e02776..639a445 100644
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312251834.patch
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
@@ -1,16 +1,3 @@
- .|,
- -*-
- '/'\`
- /`'o\
- /#,o'`\
- o/`"#,`\o
- /`o``"#,\
- o/#,`'o'`\o
- /o`"#,`',o\
- o`-._`"#_.-'o
- _|"|_
- \=%=/ hjw
- """
diff --git a/Documentation/dontdiff b/Documentation/dontdiff
index b89a739..79768fb 100644
--- a/Documentation/dontdiff
@@ -53580,7 +53567,7 @@ index 89dec7f..361b0d75 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 4c94a79..228e9da 100644
+index 4c94a79..2610454 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -34,6 +34,7 @@
@@ -53749,7 +53736,7 @@ index 4c94a79..228e9da 100644
}
error = load_addr;
-@@ -538,6 +569,322 @@ out:
+@@ -538,6 +569,315 @@ out:
return error;
}
@@ -53983,41 +53970,34 @@ index 4c94a79..228e9da 100644
+ unsigned long pax_flags_hardmode = 0UL, pax_flags_softmode = 0UL;
+
+ xattr_size = pax_getxattr(file->f_path.dentry, xattr_value, sizeof xattr_value);
-+ switch (xattr_size) {
-+ default:
++ if (xattr_size <= 0 || xattr_size > sizeof xattr_value)
+ return ~0UL;
+
-+ case -ENODATA:
-+ break;
-+
-+ case 0 ... sizeof xattr_value:
-+ for (i = 0; i < xattr_size; i++)
-+ switch (xattr_value[i]) {
-+ default:
-+ return ~0UL;
-+
-+#define parse_flag(option1, option2, flag) \
-+ case option1: \
-+ if (pax_flags_hardmode & MF_PAX_##flag) \
-+ return ~0UL; \
-+ pax_flags_hardmode |= MF_PAX_##flag; \
-+ break; \
-+ case option2: \
-+ if (pax_flags_softmode & MF_PAX_##flag) \
-+ return ~0UL; \
-+ pax_flags_softmode |= MF_PAX_##flag; \
-+ break;
++ for (i = 0; i < xattr_size; i++)
++ switch (xattr_value[i]) {
++ default:
++ return ~0UL;
++
++#define parse_flag(option1, option2, flag) \
++ case option1: \
++ if (pax_flags_hardmode & MF_PAX_##flag) \
++ return ~0UL; \
++ pax_flags_hardmode |= MF_PAX_##flag; \
++ break; \
++ case option2: \
++ if (pax_flags_softmode & MF_PAX_##flag) \
++ return ~0UL; \
++ pax_flags_softmode |= MF_PAX_##flag; \
++ break;
+
-+ parse_flag('p', 'P', PAGEEXEC);
-+ parse_flag('e', 'E', EMUTRAMP);
-+ parse_flag('m', 'M', MPROTECT);
-+ parse_flag('r', 'R', RANDMMAP);
-+ parse_flag('s', 'S', SEGMEXEC);
++ parse_flag('p', 'P', PAGEEXEC);
++ parse_flag('e', 'E', EMUTRAMP);
++ parse_flag('m', 'M', MPROTECT);
++ parse_flag('r', 'R', RANDMMAP);
++ parse_flag('s', 'S', SEGMEXEC);
+
+#undef parse_flag
-+ }
-+ break;
-+ }
++ }
+
+ if (pax_flags_hardmode & pax_flags_softmode)
+ return ~0UL;
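Review bot: The new guard `if (xattr_size <= 0 || xattr_size > sizeof xattr_value) return ~0UL;` changes what an absent or empty xattr means: the removed switch let -ENODATA and a zero-length value fall through as a valid, empty flag set, whereas now both, together with every other error, yield the ~0UL sentinel. If ~0UL signals "no marking from this source" to the caller, an empty user.pax.flags value no longer counts as an explicit all-defaults marking; that looks deliberate, but the commit does not say so, and a one-line comment above the guard would settle it: `/* absent, empty, unreadable or oversized xattr: no PaX marking from this source */`. The parse loop itself is unchanged apart from re-indentation, so the per-character validation (unknown letter or duplicated flag returns ~0UL) still holds. The enclosing function's signature and its final return of the parsed flags lie outside the hunk.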
@@ -54072,7 +54052,7 @@ index 4c94a79..228e9da 100644
/*
* These are the functions used to load ELF style executables and shared
* libraries. There is no binary dependent code anywhere else.
-@@ -554,6 +901,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
+@@ -554,6 +894,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
{
unsigned int random_variable = 0;
@@ -54084,7 +54064,7 @@ index 4c94a79..228e9da 100644
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
random_variable = get_random_int() & STACK_RND_MASK;
-@@ -572,7 +924,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -572,7 +917,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
unsigned long load_addr = 0, load_bias = 0;
int load_addr_set = 0;
char * elf_interpreter = NULL;
@@ -54093,7 +54073,7 @@ index 4c94a79..228e9da 100644
struct elf_phdr *elf_ppnt, *elf_phdata;
unsigned long elf_bss, elf_brk;
int retval, i;
-@@ -582,12 +934,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -582,12 +927,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
unsigned long start_code, end_code, start_data, end_data;
unsigned long reloc_func_desc __maybe_unused = 0;
int executable_stack = EXSTACK_DEFAULT;
@@ -54107,7 +54087,7 @@ index 4c94a79..228e9da 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -723,11 +1075,82 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -723,11 +1068,82 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
/* OK, This is the point of no return */
@@ -54191,7 +54171,7 @@ index 4c94a79..228e9da 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -817,6 +1240,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -817,6 +1233,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -54212,7 +54192,7 @@ index 4c94a79..228e9da 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -849,9 +1286,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -849,9 +1279,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -54225,7 +54205,7 @@ index 4c94a79..228e9da 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -890,17 +1327,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -890,17 +1320,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -54277,7 +54257,7 @@ index 4c94a79..228e9da 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1122,7 +1587,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1122,7 +1580,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -54286,7 +54266,7 @@ index 4c94a79..228e9da 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1160,7 +1625,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1160,7 +1618,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -54295,7 +54275,7 @@ index 4c94a79..228e9da 100644
goto whole;
/*
-@@ -1385,9 +1850,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1385,9 +1843,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -54307,7 +54287,7 @@ index 4c94a79..228e9da 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1396,7 +1861,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
+@@ -1396,7 +1854,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
{
mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
@@ -54316,7 +54296,7 @@ index 4c94a79..228e9da 100644
set_fs(old_fs);
fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
}
-@@ -2023,14 +2488,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -2023,14 +2481,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -54333,7 +54313,7 @@ index 4c94a79..228e9da 100644
return size;
}
-@@ -2123,7 +2588,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2123,7 +2581,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -54342,7 +54322,7 @@ index 4c94a79..228e9da 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2137,10 +2602,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2137,10 +2595,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -54355,7 +54335,7 @@ index 4c94a79..228e9da 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -2154,7 +2621,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2154,7 +2614,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -54364,7 +54344,7 @@ index 4c94a79..228e9da 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2165,6 +2632,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2165,6 +2625,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -54372,7 +54352,7 @@ index 4c94a79..228e9da 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2189,7 +2657,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2189,7 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -54381,7 +54361,7 @@ index 4c94a79..228e9da 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2198,6 +2666,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2198,6 +2659,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -54389,7 +54369,7 @@ index 4c94a79..228e9da 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2215,6 +2684,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2215,6 +2677,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -54397,7 +54377,7 @@ index 4c94a79..228e9da 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2235,6 +2705,167 @@ out:
+@@ -2235,6 +2698,167 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -62491,10 +62471,10 @@ index 2b8952d..a60c6be 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..a78d810
+index 0000000..04e9889
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1107 @@
+@@ -0,0 +1,1112 @@
+#
+# grecurity configuration
+#
@@ -62913,7 +62893,12 @@ index 0000000..a78d810
+ This option acts independently of grsec_lock: once it is set to 1,
+ it cannot be turned off. Therefore, please be mindful of the resulting
+ behavior if this option is enabled in an init script on a read-only
-+ filesystem. This feature is mainly intended for secure embedded systems.
++ filesystem.
++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
++ and GRKERNSEC_IO should be enabled and module loading disabled via
++ config or at runtime.
++ This feature is mainly intended for secure embedded systems.
++
+
+config GRKERNSEC_DEVICE_SIDECHANNEL
+ bool "Eliminate stat/notify-based device sidechannels"
@@ -63653,7 +63638,7 @@ index 0000000..85beb79
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..6affeea
+index 0000000..90f71ce
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,2679 @@
@@ -63808,7 +63793,7 @@ index 0000000..6affeea
+gr_handle_rawio(const struct inode *inode)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
-+ if (inode && S_ISBLK(inode->i_mode) &&
++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
+ !capable(CAP_SYS_RAWIO))
+ return 1;
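Review bot: The check at `imajor(inode) == RAW_MAJOR` closes the /dev/raw path for chrooted processes without CAP_SYS_RAWIO, but it is a single-major allow-list: other character devices that expose block storage, if any are reachable inside the chroot, are not covered, and whether they are meant to be cannot be decided from the hunk. A comment stating the intended scope would help the next reader, for example `/* block devices and their /dev/raw aliases; other char devices are left to GRKERNSEC_KMEM/IO */`, with the second clause hedged since those options' coverage is not shown here. RAW_MAJOR needs <linux/major.h>, which this hunk does not add to gracl.c; confirm it is already pulled in, as the sibling grsec_mount.c hunk adds it explicitly. The rest of gr_handle_rawio is outside the hunk.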
@@ -71971,13 +71956,14 @@ index 0000000..f536303
+}
diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
new file mode 100644
-index 0000000..2131422
+index 0000000..cd9e124
--- /dev/null
+++ b/grsecurity/grsec_mount.c
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,65 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mount.h>
++#include <linux/major.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
@@ -72028,8 +72014,10 @@ index 0000000..2131422
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_ROFS
++ struct inode *inode = dentry->d_inode;
++
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
-+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
+ return -EPERM;
+ } else
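Review bot: The denial is now also logged via `gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt)` for character raw devices, yet the message identifier still says "blockwrite"; if the message text (defined outside this hunk) says "block device", the audit line will be misleading for a /dev/raw/rawN open, so either generalize the wording or note in a comment that raw aliases are reported under the same message. Declaring `struct inode *inode = dentry->d_inode;` inside the #ifdef is the right choice, as it avoids an unused-variable warning when CONFIG_GRKERNSEC_ROFS is off. The function's else branch and #endif continue outside the hunk.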
diff --git a/3.2.53/0000_README b/3.2.53/0000_README
index b20dfe9..62ff1d5 100644
--- a/3.2.53/0000_README
+++ b/3.2.53/0000_README
@@ -130,7 +130,7 @@ Patch: 1052_linux-3.2.53.patch
From: http://www.kernel.org
Desc: Linux 3.2.53
-Patch: 4420_grsecurity-3.0-3.2.53-201312251832.patch
+Patch: 4420_grsecurity-3.0-3.2.53-201312262018.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch b/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch
index 818d6db..02cb583 100644
--- a/3.2.53/4420_grsecurity-3.0-3.2.53-201312251832.patch
+++ b/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch
@@ -1,16 +1,3 @@
- .|,
- -*-
- '/'\`
- /`'o\
- /#,o'`\
- o/`"#,`\o
- /`o``"#,\
- o/#,`'o'`\o
- /o`"#,`',o\
- o`-._`"#_.-'o
- _|"|_
- \=%=/ hjw
- """
diff --git a/Documentation/dontdiff b/Documentation/dontdiff
index dfa6fc6..be27ac3 100644
--- a/Documentation/dontdiff
@@ -61913,10 +61900,10 @@ index 8a89949..6776861 100644
xfs_init_zones(void)
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..7e54fd7
+index 0000000..c4717f9
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1080 @@
+@@ -0,0 +1,1085 @@
+#
+# grecurity configuration
+#
@@ -62326,7 +62313,12 @@ index 0000000..7e54fd7
+ This option acts independently of grsec_lock: once it is set to 1,
+ it cannot be turned off. Therefore, please be mindful of the resulting
+ behavior if this option is enabled in an init script on a read-only
-+ filesystem. This feature is mainly intended for secure embedded systems.
++ filesystem.
++ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
++ and GRKERNSEC_IO should be enabled and module loading disabled via
++ config or at runtime.
++ This feature is mainly intended for secure embedded systems.
++
+
+config GRKERNSEC_DEVICE_SIDECHANNEL
+ bool "Eliminate stat/notify-based device sidechannels"
@@ -63048,7 +63040,7 @@ index 0000000..2f8793f
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..9b1fbce
+index 0000000..180140a
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,2825 @@
@@ -63205,7 +63197,7 @@ index 0000000..9b1fbce
+gr_handle_rawio(const struct inode *inode)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
-+ if (inode && S_ISBLK(inode->i_mode) &&
++ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
+ !capable(CAP_SYS_RAWIO))
+ return 1;
@@ -71425,13 +71417,14 @@ index 0000000..f536303
+}
diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
new file mode 100644
-index 0000000..2131422
+index 0000000..cd9e124
--- /dev/null
+++ b/grsecurity/grsec_mount.c
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,65 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mount.h>
++#include <linux/major.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
@@ -71482,8 +71475,10 @@ index 0000000..2131422
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_ROFS
++ struct inode *inode = dentry->d_inode;
++
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
-+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
++ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
+ return -EPERM;
+ } else
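Review bot: The new local `struct inode *inode = dentry->d_inode;` is only read (mode test and imajor()), so it can be `const struct inode *inode`, which also matches the `const struct inode *` parameter that gr_handle_rawio in gracl.c uses for the same test. The condition line `inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {` is long enough that breaking it after the `||` would keep it readable in the audit-path code. gr_handle_rofs_blockwrite's else branch and #endif are outside the hunk.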