Diffstat (limited to '2.6.32')
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch) | 56 |
2 files changed, 48 insertions, 10 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 3b25af8..ec404fe 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
 From: http://www.kernel.org
 Desc: Linux 2.6.32.59
 
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch
index 31c0020..08033a1 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304292054.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201305082213.patch
@@ -85406,10 +85406,10 @@ index e89734e..5e84d8d 100644
  return 0;
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..23e4fc1
+index 0000000..9351296
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1003 @@
+@@ -0,0 +1,1013 @@
 +#
 +# grecurity configuration
 +#
@@ -85956,6 +85956,16 @@ index 0000000..23e4fc1
 + tasks. If the sysctl option is enabled, a sysctl option with
 + name "chroot_caps" is created.
 +
++config GRKERNSEC_CHROOT_INITRD
++ bool "Exempt initrd tasks from restrictions"
++ default y if GRKERNSEC_CONFIG_AUTO
++ depends on GRKERNSEC_CHROOT && BLK_DEV_RAM
++ help
++ If you say Y here, tasks started prior to init will be exempted from
++ grsecurity's chroot restrictions. This option is mainly meant to
++ resolve Plymouth's performing privileged operations unnecessarily
++ in a chroot.
++
 +endmenu
 +menu "Kernel Auditing"
 +depends on GRKERNSEC
@@ -92363,10 +92373,10 @@ index 0000000..bc0be01
 +}
 diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
 new file mode 100644
-index 0000000..80a3a4b
+index 0000000..bc7b363
 --- /dev/null
 +++ b/grsecurity/grsec_chroot.c
-@@ -0,0 +1,375 @@
+@@ -0,0 +1,388 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
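Review bot: The new `depends on GRKERNSEC_CHROOT && BLK_DEV_RAM` line ties the option to the RAM-disk block driver, while the help text speaks of all tasks started prior to init; boots that use an initramfs rather than a block-device initrd typically do not enable BLK_DEV_RAM, so on those configurations the option cannot be selected at all. If initramfs-based early userspace is meant to be covered as well, `depends on GRKERNSEC_CHROOT && BLK_DEV_INITRD` is the more general condition. The help text should also state that the exemption is keyed on pid 1's first pass through the chroot bookkeeping in grsec_chroot.c, since until that point no task is marked chrooted; a sentence such as `Note that no chroot restrictions are applied to any task until init (pid 1) has started.` would make that trade-off explicit to whoever enables it.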
@@ -92378,14 +92388,27 @@ index 0000000..80a3a4b
 +#include <linux/grsecurity.h>
 +#include <linux/grinternal.h>
 +
++#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
++static int gr_init_ran;
++#endif
++
 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
 +{
 +#ifdef CONFIG_GRKERNSEC
 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
-+ path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
++ path->dentry != task->nsproxy->mnt_ns->root->mnt_root
++#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
++ && gr_init_ran
++#endif
++ )
 + task->gr_is_chrooted = 1;
-+ else
++ else {
++#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
++ if (task->pid == 1 && !gr_init_ran)
++ gr_init_ran = 1;
++#endif
 + task->gr_is_chrooted = 0;
++ }
 +
 + task->gr_chroot_dentry = path->dentry;
 +#endif
@@ -107819,7 +107842,7 @@ index 04a0252..4ee2bbb 100644
  struct tasklet_struct *list;
 diff --git a/kernel/sys.c b/kernel/sys.c
-index e9512b1..b436660 100644
+index e9512b1..b6c0a2e 100644
 --- a/kernel/sys.c
 +++ b/kernel/sys.c
 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
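Review bot: The exemption is fail-open: `gr_init_ran` starts at 0 and is only set in the else branch when a task with pid 1 passes through here, so until that happens every task — not only initrd helpers — is recorded with `gr_is_chrooted = 0`, and because the first condition now also requires `gr_init_ran`, init's own first call always lands in the else branch regardless of its path. If pid 1 never reaches this function on some boot path, chroot restrictions stay disabled for the lifetime of the system, which deserves a comment on the flag's declaration, e.g. `/* Set once on pid 1's first pass through gr_set_chroot_entries(); until then no task is flagged chrooted (CONFIG_GRKERNSEC_CHROOT_INITRD). */`. `gr_init_ran` is also a plain `static int` written by one task and read by others with no barrier or locking; as a one-shot 0-to-1 transition that is probably tolerable, but the assumption should be written down. The closing brace of gr_set_chroot_entries lies outside the hunk.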
@@ -107981,7 +108004,22 @@ index e9512b1..b436660 100644
  if (gid != old_fsgid) {
  new->fsgid = gid;
  goto change_okay;
-@@ -1282,7 +1323,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
+@@ -1273,6 +1314,14 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
+ if (resource != RLIMIT_CPU)
+ goto out;
+ 
++ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
++ is changed to a lower value. Since tasks can be created by the same
++ user in between this limit change and an execve by this task, force
++ a recheck only for this task by setting PF_NPROC_EXCEEDED
++ */
++ if (resource == RLIMIT_NPROC)
++ current->flags |= PF_NPROC_EXCEEDED;
++
+ /*
+ * RLIMIT_CPU handling. Note that the kernel fails to return an error
+ * code if it rejected the user's attempt to set RLIMIT_CPU. This is a
+@@ -1282,7 +1331,7 @@ SYSCALL_DEFINE2(setrlimit, unsigned int, resource, struct rlimit __user *, rlim)
  if (new_rlim.rlim_cur == RLIM_INFINITY)
  goto out;
  
@@ -107990,7 +108028,7 @@ index e9512b1..b436660 100644
  out:
  return 0;
  }
-@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
+@@ -1454,7 +1503,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
  error = get_dumpable(me->mm);
  break;
  case PR_SET_DUMPABLE:
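Review bot: The new `if (resource == RLIMIT_NPROC) current->flags |= PF_NPROC_EXCEEDED;` is unreachable for RLIMIT_NPROC, because the context lines immediately above it, `if (resource != RLIMIT_CPU)` / `goto out;`, already leave the function for every resource other than RLIMIT_CPU; as placed, the flag is never set and the execve-time re-check the comment describes never happens, so the hardening silently does nothing. Move the comment and the two new lines above the `if (resource != RLIMIT_CPU)` early exit, after the point where the new limit has been stored (which lies outside the hunk). The body of setrlimit starts and ends outside the hunk.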