Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch)56
2 files changed, 48 insertions, 10 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 3b25af8..ec404fe 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch
index 31c0020..08033a1 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch
@@ -85406,10 +85406,10 @@ index e89734e..5e84d8d 100644
return 0;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..23e4fc1
+index 0000000..9351296
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1003 @@
+@@ -0,0 +1,1013 @@
+#
+# grecurity configuration
+#
@@ -85956,6 +85956,16 @@ index 0000000..23e4fc1
+ tasks. If the sysctl option is enabled, a sysctl option with
+ name "chroot_caps" is created.
+
++config GRKERNSEC_CHROOT_INITRD
++ bool "Exempt initrd tasks from restrictions"
++ default y if GRKERNSEC_CONFIG_AUTO
++ depends on GRKERNSEC_CHROOT && BLK_DEV_RAM
++ help
++ If you say Y here, tasks started prior to init will be exempted from
++ grsecurity's chroot restrictions. This option is mainly meant to
++ resolve Plymouth's performing privileged operations unnecessarily
++ in a chroot.
++
+endmenu
+menu "Kernel Auditing"
+depends on GRKERNSEC
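Review bot: The help text for GRKERNSEC_CHROOT_INITRD does not say what is given up: it names the Plymouth case but not that the exemption covers every task that chroots before init has run, and `default y if GRKERNSEC_CONFIG_AUTO` turns it on for automatic configurations. I would add a sentence such as `While the exemption is active no task is marked as chrooted, so the chroot restrictions do not apply to it; say N if your initrd does not need this.` That wording assumes the flag logic shown in the grsec_chroot.c part of this commit, and that the restrictions key off the chrooted mark, which is not visible here. The enclosing menu starts outside this hunk.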
@@ -92363,10 +92373,10 @@ index 0000000..bc0be01
+}
diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
new file mode 100644
-index 0000000..80a3a4b
+index 0000000..bc7b363
--- /dev/null
+++ b/grsecurity/grsec_chroot.c
-@@ -0,0 +1,375 @@
+@@ -0,0 +1,388 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -92378,14 +92388,27 @@ index 0000000..80a3a4b
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
++#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
++static int gr_init_ran;
++#endif
++
+void gr_set_chroot_entries(struct task_struct *task, struct path *path)
+{
+#ifdef CONFIG_GRKERNSEC
+ if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
-+ path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
++ path->dentry != task->nsproxy->mnt_ns->root->mnt_root
++#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
++ && gr_init_ran
++#endif
++ )
+ task->gr_is_chrooted = 1;
-+ else
++ else {
++#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
++ if (task->pid == 1 && !gr_init_ran)
++ gr_init_ran = 1;
++#endif
+ task->gr_is_chrooted = 0;
++ }
+
+ task->gr_chroot_dentry = path->dentry;
+#endif
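Review bot: `gr_init_ran` is set only when the task with pid 1 reaches the else branch of gr_set_chroot_entries(), and until then the new `&& gr_init_ran` term leaves every chrooting task with `gr_is_chrooted = 0`, so the option fails open if that call never happens for pid 1. The callers are outside this hunk, so whether init is guaranteed to pass through here early should be confirmed and written down. I would put a comment on the flag, e.g. `/* set once pid 1 first passes through gr_set_chroot_entries(); until then no task is marked chrooted */`. Nothing visible here re-marks a task that chrooted during that window, which the comment should also mention. The function's closing brace lies outside the hunk.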
@@ -107819,7 +107842,7 @@ index 04a0252..4ee2bbb 100644
struct tasklet_struct *list;
diff --git a/kernel/sys.c b/kernel/sys.c
-index e9512b1..b436660 100644
+index e9512b1..b6c0a2e 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -107981,7 +108004,22 @@ index e9512b1..b436660 100644
if (gid != old_fsgid) {
new->fsgid = gid;
goto change_okay;
-@@ -1282,7 +1323,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
+@@ -1273,6 +1314,14 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
+ if (resource != RLIMIT_CPU)
+ goto out;
+
++ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
++ is changed to a lower value. Since tasks can be created by the same
++ user in between this limit change and an execve by this task, force
++ a recheck only for this task by setting PF_NPROC_EXCEEDED
++ */
++ if (resource == RLIMIT_NPROC)
++ current->flags |= PF_NPROC_EXCEEDED;
++
+ /*
+ * RLIMIT_CPU handling. Note that the kernel fails to return an error
+ * code if it rejected the user's attempt to set RLIMIT_CPU. This is a
+@@ -1282,7 +1331,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
if (new_rlim.rlim_cur == RLIM_INFINITY)
goto out;
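Review bot: The added `if (resource == RLIMIT_NPROC)` check sits after the unchanged `if (resource != RLIMIT_CPU) goto out;`, so as the lines appear in this hunk it can never be true and PF_NPROC_EXCEEDED is never set on this path. That leaves the RLIMIT_NPROC recheck described in the new comment without effect. The two lines `if (resource == RLIMIT_NPROC)` and `current->flags |= PF_NPROC_EXCEEDED;`, together with their comment, should move above the RLIMIT_CPU test, after the new limit has been stored. The rest of setrlimit, including where the limit is written, is outside the hunk.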
@@ -107990,7 +108028,7 @@ index e9512b1..b436660 100644
out:
return 0;
}
-@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
+@@ -1454,7 +1503,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = get_dumpable(me->mm);
break;
case PR_SET_DUMPABLE: