author | Anthony G. Basile <blueness@gentoo.org> | 2012-02-06 18:14:55 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-02-06 18:14:55 -0500 |
commit | 857b85562ea0d3b6d3011f743cfa70fcd2a73ebc (patch) | |
tree | bf424d4e26418d6d68dc18851f33c888bfefd7b5 | |
parent | Added patch to unlock PAX_XATTR_PAX_FLAGS option (diff) | |
Grsec/PaX: 2.2.2-2.6.32.56-201202051926 + 2.2.2-3.2.4-20120205192720120205
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch) | 56 | ||||
-rw-r--r-- | 3.2.4/0000_README | 2 | ||||
-rw-r--r-- | 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch (renamed from 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch) | 56 |
4 files changed, 90 insertions, 26 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index cb858f1..6a881db 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -18,7 +18,7 @@ Patch: 1055_linux-2.6.32.56.patch From: http://www.kernel.org Desc: Linux 2.6.32.56 -Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch +Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch index c0e9b3a..b3de8e3 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch @@ -64705,7 +64705,7 @@ index 0000000..0dc13c3 +EXPORT_SYMBOL(gr_log_timechange); diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c new file mode 100644 -index 0000000..a35ba33 +index 0000000..07e0dc0 --- /dev/null +++ b/grsecurity/grsec_tpe.c @@ -0,0 +1,73 @@ @@ -64756,7 +64756,7 @@ index 0000000..a35ba33 + msg2 = "file in group-writable directory"; + + if (msg && msg2) { -+ char fullmsg[64] = {0}; ++ char fullmsg[70] = {0}; + snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2); + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt); + return 0; @@ -67139,7 +67139,7 @@ index 0000000..3826b91 +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..b3347e2 +index 0000000..7f62b30 --- /dev/null +++ b/include/linux/grmsg.h @@ -0,0 +1,109 @@ 
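Review bot: In the @@ -64756 hunk of the 2.6.32 grsecurity patch, `snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2)` still hands snprintf one byte less than the buffer, so after the resize to `char fullmsg[70]` the longest message that survives is 68 characters plus the terminator; the visible `msg2` string "file in group-writable directory" is 32 characters, and if `msg` (assigned outside the hunk) can be as long, "%s and %s" is 69 characters and the last one is still dropped. snprintf always NUL-terminates within the size it is given, so the bound should be the full buffer: `snprintf(fullmsg, sizeof(fullmsg), "%s and %s", msg, msg2);`. The size 70 is a derived value that nothing in the code explains; a comment on the declaration such as `/* longest msg + " and " + longest msg2 + NUL; keep in sync with %.70s in GR_EXEC_TPE_MSG */` would keep the next edit of either string from silently truncating again. The enclosing function begins and ends outside the hunk, and the 3.2.4 copy of this change (hunk @@ -56821 in the 3.2.4 patch) has the same issue.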
@@ -67177,7 +67177,7 @@ index 0000000..b3347e2 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by " +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by " +#define GR_EXEC_ACL_MSG "%s execution of %.950s by " -+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by " ++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by " +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds" +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds" +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by " @@ -67254,10 +67254,10 @@ index 0000000..b3347e2 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..ebba836 +index 0000000..c597c46 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,223 @@ +@@ -0,0 +1,217 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> 
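Review bot: The `%.70s` precision in the new `GR_EXEC_TPE_MSG` line is tied to the size of `fullmsg[]` in grsecurity/grsec_tpe.c, but nothing in either file records that coupling, so the two values can drift apart on the next edit (this commit had to touch both). A comment on the define would make it explicit, e.g. `/* %.70s matches fullmsg[70] in grsecurity/grsec_tpe.c; change both together */`. The fixed precisions on the surrounding macros presumably bound the assembled log line, so a larger buffer in the caller without a matching precision would be truncated silently rather than overflow; worth stating that in the same comment. The 3.2.4 patch carries the identical change at hunk @@ -58908.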
@@ -67273,12 +67273,6 @@ index 0000000..ebba836 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled." +#endif -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS) -+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled." -+#endif -+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS) -+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled." -+#endif +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP) +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled." +#endif 
@@ -69462,6 +69456,44 @@ index a8cc4e1..98d3b85 100644 u32 val; u32 flags; u32 bitset; +diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h +index 1eb44a9..f582df3 100644 +--- a/include/linux/tracehook.h ++++ b/include/linux/tracehook.h +@@ -69,12 +69,12 @@ static inline int tracehook_expect_breakpoints(struct task_struct *task) + /* + * ptrace report for syscall entry and exit looks identical. + */ +-static inline void ptrace_report_syscall(struct pt_regs *regs) ++static inline int ptrace_report_syscall(struct pt_regs *regs) + { + int ptrace = task_ptrace(current); + + if (!(ptrace & PT_PTRACED)) +- return; ++ return 0; + + ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0)); + +@@ -87,6 +87,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs) + send_sig(current->exit_code, current, 1); + current->exit_code = 0; + } ++ ++ return fatal_signal_pending(current); + } + + /** +@@ -111,8 +113,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs) + static inline __must_check int tracehook_report_syscall_entry( + struct pt_regs *regs) + { +- ptrace_report_syscall(regs); +- return 0; ++ return ptrace_report_syscall(regs); + } + + /** diff --git a/include/linux/tty.h b/include/linux/tty.h index e9c57e9..ee6d489 100644 --- a/include/linux/tty.h diff --git a/3.2.4/0000_README b/3.2.4/0000_README index 39e914d..285da06 100644 --- a/3.2.4/0000_README +++ b/3.2.4/0000_README @@ -10,7 +10,7 @@ Patch: 1003_linux-3.2.4.patch From: http://www.kernel.org Desc: Linux 3.2.4 -Patch: 4420_grsecurity-2.2.2-3.2.4-201202032052.patch +Patch: 4420_grsecurity-2.2.2-3.2.4-201202051927.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch index 9b95205..b2dcf41 100644 --- a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch 
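Review bot: The nested tracehook.h change turns `ptrace_report_syscall` into a function returning `int`, but the comment above it still reads only "ptrace report for syscall entry and exit looks identical." and says nothing about the new return value, which is now `fatal_signal_pending(current)` after the stop and `0` when the task is not traced. Adding to that comment `* Returns nonzero if a fatal signal is pending after the stop, so the` / `* syscall-entry path can skip the system call instead of running it.` would document the contract that `tracehook_report_syscall_entry` now forwards through its `__must_check` return. The kernel-doc for `tracehook_report_syscall_entry` and the exit-side caller of `ptrace_report_syscall` are outside the hunk; the exit caller presumably still discards the value, which is fine but worth a one-line note there so a reader does not think the return was forgotten. The 3.2.4 patch gets the same change at hunk @@ -60895 and has the same documentation gap.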
+++ b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch @@ -56770,7 +56770,7 @@ index 0000000..0dc13c3 +EXPORT_SYMBOL(gr_log_timechange); diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c new file mode 100644 -index 0000000..a35ba33 +index 0000000..07e0dc0 --- /dev/null +++ b/grsecurity/grsec_tpe.c @@ -0,0 +1,73 @@ @@ -56821,7 +56821,7 @@ index 0000000..a35ba33 + msg2 = "file in group-writable directory"; + + if (msg && msg2) { -+ char fullmsg[64] = {0}; ++ char fullmsg[70] = {0}; + snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2); + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt); + return 0; @@ -58870,7 +58870,7 @@ index 0000000..da390f1 +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..b3347e2 +index 0000000..7f62b30 --- /dev/null +++ b/include/linux/grmsg.h @@ -0,0 +1,109 @@ @@ -58908,7 +58908,7 @@ index 0000000..b3347e2 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by " +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by " +#define GR_EXEC_ACL_MSG "%s execution of %.950s by " -+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by " ++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by " +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds" +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds" +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by " @@ -58985,10 +58985,10 @@ index 0000000..b3347e2 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..eb4885f +index 0000000..cb9f1c1 --- /dev/null 
+++ b/include/linux/grsecurity.h -@@ -0,0 +1,233 @@ +@@ -0,0 +1,227 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -59003,12 +59003,6 @@ index 0000000..eb4885f +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled." +#endif -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS) -+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled." -+#endif -+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS) -+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled." -+#endif +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP) +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled." +#endif 
@@ -60895,6 +60889,44 @@ index 703cfa3..0b8ca72ac 100644 extern int proc_dointvec(struct ctl_table *, int, void __user *, size_t *, loff_t *); extern int proc_dointvec_minmax(struct ctl_table *, int, +diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h +index a71a292..51bd91d 100644 +--- a/include/linux/tracehook.h ++++ b/include/linux/tracehook.h +@@ -54,12 +54,12 @@ struct linux_binprm; + /* + * ptrace report for syscall entry and exit looks identical. + */ +-static inline void ptrace_report_syscall(struct pt_regs *regs) ++static inline int ptrace_report_syscall(struct pt_regs *regs) + { + int ptrace = current->ptrace; + + if (!(ptrace & PT_PTRACED)) +- return; ++ return 0; + + ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0)); + +@@ -72,6 +72,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs) + send_sig(current->exit_code, current, 1); + current->exit_code = 0; + } ++ ++ return fatal_signal_pending(current); + } + + /** +@@ -96,8 +98,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs) + static inline __must_check int tracehook_report_syscall_entry( + struct pt_regs *regs) + { +- ptrace_report_syscall(regs); +- return 0; ++ return ptrace_report_syscall(regs); + } + + /** diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h index ff7dc08..893e1bd 100644 --- a/include/linux/tty_ldisc.h |