grsecurity-3.1-4.6.4-20160724201420160724

author: Anthony G. Basile <blueness@gentoo.org> 2016-07-26 02:55:48 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2016-07-26 02:55:48 -0400
commit: 626340b17d84dea8bf5f882750f594207fd5119c (patch)
tree: 02933e8ba2149a39f465214f54e784e2751db7e9
parent: grsecurity-3.1-4.6.4-201607192040 (diff)
download: hardened-patchset-626340b17d84dea8bf5f882750f594207fd5119c.tar.gz
hardened-patchset-626340b17d84dea8bf5f882750f594207fd5119c.tar.bz2
hardened-patchset-626340b17d84dea8bf5f882750f594207fd5119c.zip
2 files changed, 53 insertions, 30 deletions
diff --git a/4.6.4/0000_README b/4.6.4/0000_README
index 0a9f680..81410da 100644
--- a/4.6.4/0000_README
+++ b/4.6.4/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.6.4-201607192040.patch
+Patch:	4420_grsecurity-3.1-4.6.4-201607242014.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
index 4b02b21..f7868ce 100644
--- a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch
+++ b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
@@ -877,7 +877,7 @@ index a876743..fe2a193 100644
  	  Counts number of I and D TLB Misses and exports them via Debugfs
  	  The counters can be cleared via Debugfs as well
 diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index cdfa6c2..aba8354 100644
+index cdfa6c2..f39881d 100644
 --- a/arch/arm/Kconfig
 +++ b/arch/arm/Kconfig
 @@ -53,6 +53,7 @@ config ARM
@@ -888,7 +888,15 @@ index cdfa6c2..aba8354 100644
  	select HAVE_GENERIC_DMA_COHERENT
  	select HAVE_HW_BREAKPOINT if (PERF_EVENTS && (CPU_V6 || CPU_V6K || CPU_V7))
  	select HAVE_IDE if PCI || ISA || PCMCIA
-@@ -1629,6 +1630,7 @@ config HIGHPTE
+@@ -1561,6 +1562,7 @@ config AEABI
+ config OABI_COMPAT
+ 	bool "Allow old ABI binaries to run with this kernel (EXPERIMENTAL)"
+ 	depends on AEABI && !THUMB2_KERNEL
++	depends on !GRKERNSEC
+ 	help
+ 	  This option preserves the old syscall interface along with the
+ 	  new (ARM EABI) one. It also provides a compatibility layer to
+@@ -1629,6 +1631,7 @@ config HIGHPTE
  config CPU_SW_DOMAIN_PAN
  	bool "Enable use of CPU domains to implement privileged no-access"
  	depends on MMU && !ARM_LPAE
@@ -896,7 +904,7 @@ index cdfa6c2..aba8354 100644
  	default y
  	help
  	  Increase kernel security by ensuring that normal kernel accesses
-@@ -1705,7 +1707,7 @@ config ALIGNMENT_TRAP
+@@ -1705,7 +1708,7 @@ config ALIGNMENT_TRAP
  
  config UACCESS_WITH_MEMCPY
  	bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
@@ -905,7 +913,7 @@ index cdfa6c2..aba8354 100644
  	default y if CPU_FEROCEON
  	help
  	  Implement faster copy_to_user and clear_user methods for CPU
-@@ -1960,6 +1962,7 @@ config KEXEC
+@@ -1960,6 +1963,7 @@ config KEXEC
  	depends on (!SMP || PM_SLEEP_SMP)
  	depends on !CPU_V7M
  	select KEXEC_CORE
@@ -913,7 +921,7 @@ index cdfa6c2..aba8354 100644
  	help
  	  kexec is a system call that implements the ability to shutdown your
  	  current kernel, and to start another kernel.  It is like a reboot
-@@ -2004,7 +2007,7 @@ config EFI_STUB
+@@ -2004,7 +2008,7 @@ config EFI_STUB
  
  config EFI
  	bool "UEFI runtime support"
@@ -23850,7 +23858,7 @@ index c3496619..3f3a7dc 100644
  asmlinkage void smp_deferred_error_interrupt(void);
  #endif
 diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index 2e7513d..73d9d20 100644
+index 2e7513d..792107f 100644
 --- a/arch/x86/include/asm/uaccess.h
 +++ b/arch/x86/include/asm/uaccess.h
 @@ -7,6 +7,7 @@
@@ -23887,7 +23895,7 @@ index 2e7513d..73d9d20 100644
 +	unsigned long __size = size;					\
 +	unsigned long __addr = (unsigned long)addr;			\
 +	bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
-+	if (__ret_ao && __size) {					\
++	if (__ret_ao && __size < 256 * PAGE_SIZE) {			\
 +		unsigned long __addr_ao = __addr & PAGE_MASK;		\
 +		unsigned long __end_ao = __addr + __size - 1;		\
 +		if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) {	\
@@ -28460,7 +28468,7 @@ index e565e0e..fdfeb45 100644
  		}
  		memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);
 diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
-index 2da6ee9..4cbe3af 100644
+index 2da6ee9..fc0ca78 100644
 --- a/arch/x86/kernel/kgdb.c
 +++ b/arch/x86/kernel/kgdb.c
 @@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)
@@ -28518,7 +28526,7 @@ index 2da6ee9..4cbe3af 100644
  	text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
  		  BREAK_INSTR_SIZE);
 -	err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
-+	err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
++	err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);
  	if (err)
  		return err;
  	if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
@@ -28527,7 +28535,7 @@ index 2da6ee9..4cbe3af 100644
  		goto knl_write;
  	text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
 -	err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
-+	err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
++	err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);
  	if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
  		goto knl_write;
  	return err;
@@ -124075,10 +124083,10 @@ index 0000000..696d76d
 +}
 diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
 new file mode 100644
-index 0000000..39645c9
+index 0000000..dfba8fd
 --- /dev/null
 +++ b/grsecurity/gracl_res.c
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,74 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/gracl.h>
@@ -124118,6 +124126,14 @@ index 0000000..39645c9
 +	if (unlikely(!restab_log[res]))
 +		return;
 +
++	/*
++	 * not really security relevant, too much userland code shared
++	 * from pulseaudio that blindly attempts to violate limits in a loop,
++	 * resulting in log spam
++	 */
++	if (res == RLIMIT_NICE)
++		return;
++
 +	if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
 +		rlim = task_rlimit_max(task, res);
 +	else
@@ -124136,8 +124152,6 @@ index 0000000..39645c9
 +	else if (res == RLIMIT_MEMLOCK &&
 +		 cap_raised(cred->cap_effective, CAP_IPC_LOCK))
 +		goto out_rcu_unlock;
-+	else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
-+		goto out_rcu_unlock;
 +	rcu_read_unlock();
 +
 +	gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
@@ -144283,7 +144297,7 @@ index 2c5e3a8..301fb1a 100644
  	return -ENOSYS;
  }
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 725587f..750f909 100644
+index 725587f..c7834cc 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
 @@ -95,7 +95,6 @@
@@ -144440,7 +144454,7 @@ index 725587f..750f909 100644
 -		.proc_handler	= proc_dointvec_minmax_sysadmin,
 +		.proc_handler	= proc_dointvec_minmax_secure_sysadmin,
 +#ifdef CONFIG_GRKERNSEC_HIDESYM
-+		.extra1		= &two,
++		.extra1		= &one,
 +#else
  		.extra1		= &zero,
 +#endif
@@ -146874,7 +146888,7 @@ index 4f5b1dd..7cab418 100644
 +}
 +EXPORT_SYMBOL(copy_to_user_overflow);
 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index ccb664b..058e2978 100644
+index ccb664b..be065a5 100644
 --- a/lib/vsprintf.c
 +++ b/lib/vsprintf.c
 @@ -16,6 +16,9 @@
@@ -146902,7 +146916,7 @@ index ccb664b..058e2978 100644
  
 -int kptr_restrict __read_mostly;
 +#ifdef CONFIG_GRKERNSEC_HIDESYM
-+int kptr_restrict __read_only = 2;
++int kptr_restrict __read_only = 1;
 +#else
 +int kptr_restrict __read_only;
 +#endif
@@ -146959,7 +146973,17 @@ index ccb664b..058e2978 100644
  	case 'K':
  		switch (kptr_restrict) {
  		case 0:
-@@ -1724,6 +1743,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1691,6 +1710,9 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+ 			 */
+ 			cred = current_cred();
+ 			if (!has_capability_noaudit(current, CAP_SYSLOG) ||
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++			    !has_capability_noaudit(current, CAP_SYS_ADMIN) ||
++#endif
+ 			    !uid_eq(cred->euid, cred->uid) ||
+ 			    !gid_eq(cred->egid, cred->gid))
+ 				ptr = NULL;
+@@ -1724,6 +1746,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
  	case 'G':
  		return flags_string(buf, end, ptr, fmt);
  	}
@@ -146982,7 +147006,7 @@ index ccb664b..058e2978 100644
  	spec.flags |= SMALL;
  	if (spec.field_width == -1) {
  		spec.field_width = default_width;
-@@ -2424,11 +2459,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -2424,11 +2462,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
  	typeof(type) value;						\
  	if (sizeof(type) == 8) {					\
  		args = PTR_ALIGN(args, sizeof(u32));			\
@@ -146997,7 +147021,7 @@ index ccb664b..058e2978 100644
  	}								\
  	args += sizeof(type);						\
  	value;								\
-@@ -2491,7 +2526,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -2491,7 +2529,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
  		case FORMAT_TYPE_STR: {
  			const char *str_arg = args;
  			args += strlen(str_arg) + 1;
@@ -163915,10 +163939,10 @@ index 0000000..ffe60f6
 +}
 diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c
 new file mode 100644
-index 0000000..1a56d17
+index 0000000..b769ccf
 --- /dev/null
 +++ b/scripts/gcc-plugins/constify_plugin.c
-@@ -0,0 +1,583 @@
+@@ -0,0 +1,582 @@
 +/*
 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
 + * Copyright 2011-2016 by PaX Team <pageexec@freemail.hu>
@@ -163944,7 +163968,7 @@ index 0000000..1a56d17
 +static bool enabled = true;
 +
 +static struct plugin_info const_plugin_info = {
-+	.version	= "201606280200",
++	.version	= "201607241840",
 +	.help		= "disable\tturn off constification\n",
 +};
 +
@@ -164069,10 +164093,8 @@ index 0000000..1a56d17
 +				continue;
 +			if (!constified(ptrtype))
 +				continue;
-+			if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type)) {
-+				TREE_TYPE(field) = copy_node(TREE_TYPE(field));
-+				TREE_TYPE(TREE_TYPE(field)) = build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST);
-+			}
++			if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type))
++				TREE_TYPE(field) = build_pointer_type(build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST));
 +			continue;
 +		}
 +		if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) != UNION_TYPE)
@@ -164190,6 +164212,7 @@ index 0000000..1a56d17
 +
 +static void constify_type(tree type)
 +{
++	gcc_assert(type == TYPE_MAIN_VARIANT(type));
 +	TYPE_READONLY(type) = 1;
 +	C_TYPE_FIELDS_READONLY(type) = 1;
 +	TYPE_CONSTIFY_VISITED(type) = 1;
@@ -214202,7 +214225,7 @@ index 3a9b66c..2b38b21 100644
  	unsigned long flags;
  
 diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
-index 9106d8e..e7e2e3c 100644
+index 9106d8e..e7e2e3ca 100644
 --- a/sound/core/pcm_native.c
 +++ b/sound/core/pcm_native.c
 @@ -3014,11 +3014,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream,
author	Anthony G. Basile <blueness@gentoo.org>	2016-07-26 02:55:48 -0400
committer	Anthony G. Basile <blueness@gentoo.org>	2016-07-26 02:55:48 -0400
commit	626340b17d84dea8bf5f882750f594207fd5119c (patch)
tree	02933e8ba2149a39f465214f54e784e2751db7e9
parent	grsecurity-3.1-4.6.4-201607192040 (diff)
download	hardened-patchset-626340b17d84dea8bf5f882750f594207fd5119c.tar.gz hardened-patchset-626340b17d84dea8bf5f882750f594207fd5119c.tar.bz2 hardened-patchset-626340b17d84dea8bf5f882750f594207fd5119c.zip