summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch)11
-rw-r--r--3.11.7/0000_README2
-rw-r--r--3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch (renamed from 3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch)75
-rw-r--r--3.2.52/0000_README2
-rw-r--r--3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch (renamed from 3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch)35
6 files changed, 81 insertions, 46 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index b5c69e3..70f19f5 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.61
-Patch: 4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch
index acf589b..59e84fb 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch
@@ -110626,18 +110626,21 @@ index 0000000..7cd6065
@@ -0,0 +1 @@
+-grsec
diff --git a/mm/Kconfig b/mm/Kconfig
-index 2c19c0b..f3c3f83 100644
+index 2c19c0b..713bf49 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
-@@ -228,7 +228,7 @@ config KSM
+@@ -228,8 +228,9 @@ config KSM
config DEFAULT_MMAP_MIN_ADDR
int "Low address space to protect from user allocation"
depends on MMU
- default 4096
-+ default 65536
- help
+- help
++ default 32768 if ALPHA || ARM || PARISC || SPARC32
++ default 65536
++ help
This is the portion of low virtual memory which should be protected
from userspace allocation. Keeping a user from writing to low pages
+ can help reduce the impact of kernel NULL pointer bugs.
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index d824401..9f5244a 100644
--- a/mm/backing-dev.c
diff --git a/3.11.7/0000_README b/3.11.7/0000_README
index ff6ef32..c06ec7f 100644
--- a/3.11.7/0000_README
+++ b/3.11.7/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.11.7-201311071634.patch
+Patch: 4420_grsecurity-2.9.1-3.11.7-201311102306.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch b/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch
index 6499bdd..30881d8 100644
--- a/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch
+++ b/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch
@@ -3631,7 +3631,7 @@ index cad3ca86..1d79e0f 100644
extern void ux500_cpu_die(unsigned int cpu);
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
-index cd2c88e..7430282 100644
+index cd2c88e..bb527b3 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -446,7 +446,7 @@ config CPU_32v5
@@ -3655,7 +3655,7 @@ index cd2c88e..7430282 100644
config KUSER_HELPERS
bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
default y
-+ depends on !(CPU_V6 || CPU_V6K || CPU_V7)
++ depends on !(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND
help
Warning: disabling this option may break user programs.
@@ -59646,11 +59646,14 @@ index 4677bb7..408e936 100644
rcu_read_lock();
task = pid_task(proc_pid(dir), PIDTYPE_PID);
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 7129046..f2779c6 100644
+index 7129046..130793a 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
-@@ -13,11 +13,15 @@
+@@ -11,13 +11,18 @@
+ #include <linux/namei.h>
+ #include <linux/mm.h>
#include <linux/module.h>
++#include <linux/nsproxy.h>
#include "internal.h"
+extern int gr_handle_chroot_sysctl(const int op);
@@ -59667,7 +59670,7 @@ index 7129046..f2779c6 100644
void proc_sys_poll_notify(struct ctl_table_poll *poll)
{
-@@ -467,6 +471,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
+@@ -467,6 +472,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
err = NULL;
d_set_d_op(dentry, &proc_sys_dentry_operations);
@@ -59677,7 +59680,7 @@ index 7129046..f2779c6 100644
d_add(dentry, inode);
out:
-@@ -482,6 +489,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -482,6 +490,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
struct inode *inode = file_inode(filp);
struct ctl_table_header *head = grab_header(inode);
struct ctl_table *table = PROC_I(inode)->sysctl_entry;
@@ -59685,7 +59688,7 @@ index 7129046..f2779c6 100644
ssize_t error;
size_t res;
-@@ -493,7 +501,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -493,7 +502,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
* and won't be until we finish.
*/
error = -EPERM;
@@ -59694,7 +59697,7 @@ index 7129046..f2779c6 100644
goto out;
/* if that can happen at all, it should be -EINVAL, not -EISDIR */
-@@ -501,6 +509,22 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -501,6 +510,27 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
if (!table->proc_handler)
goto out;
@@ -59710,14 +59713,19 @@ index 7129046..f2779c6 100644
+ dput(filp->f_path.dentry);
+ if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
+ goto out;
-+ if (write && !capable(CAP_SYS_ADMIN))
-+ goto out;
++ if (write) {
++ if (current->nsproxy->net_ns != table->extra2) {
++ if (!capable(CAP_SYS_ADMIN))
++ goto out;
++ } else if (!nsown_capable(CAP_NET_ADMIN))
++ goto out;
++ }
+#endif
+
/* careful: calling conventions are nasty here */
res = count;
error = table->proc_handler(table, write, buf, &res, ppos);
-@@ -598,6 +622,9 @@ static bool proc_sys_fill_cache(struct file *file,
+@@ -598,6 +628,9 @@ static bool proc_sys_fill_cache(struct file *file,
return false;
} else {
d_set_d_op(child, &proc_sys_dentry_operations);
@@ -59727,7 +59735,7 @@ index 7129046..f2779c6 100644
d_add(child, inode);
}
} else {
-@@ -641,6 +668,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
+@@ -641,6 +674,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
if ((*pos)++ < ctx->pos)
return true;
@@ -59737,7 +59745,7 @@ index 7129046..f2779c6 100644
if (unlikely(S_ISLNK(table->mode)))
res = proc_sys_link_fill_cache(file, ctx, head, table);
else
-@@ -734,6 +764,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
+@@ -734,6 +770,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
if (IS_ERR(head))
return PTR_ERR(head);
@@ -59747,7 +59755,7 @@ index 7129046..f2779c6 100644
generic_fillattr(inode, stat);
if (table)
stat->mode = (stat->mode & S_IFMT) | table->mode;
-@@ -756,13 +789,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
+@@ -756,13 +795,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
.llseek = generic_file_llseek,
};
@@ -59763,7 +59771,7 @@ index 7129046..f2779c6 100644
.lookup = proc_sys_lookup,
.permission = proc_sys_permission,
.setattr = proc_sys_setattr,
-@@ -839,7 +872,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
+@@ -839,7 +878,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
static struct ctl_dir *new_dir(struct ctl_table_set *set,
const char *name, int namelen)
{
@@ -59772,7 +59780,7 @@ index 7129046..f2779c6 100644
struct ctl_dir *new;
struct ctl_node *node;
char *new_name;
-@@ -851,7 +884,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
+@@ -851,7 +890,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
return NULL;
node = (struct ctl_node *)(new + 1);
@@ -59781,7 +59789,7 @@ index 7129046..f2779c6 100644
new_name = (char *)(table + 2);
memcpy(new_name, name, namelen);
new_name[namelen] = '\0';
-@@ -1020,7 +1053,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
+@@ -1020,7 +1059,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table *table,
struct ctl_table_root *link_root)
{
@@ -59791,7 +59799,7 @@ index 7129046..f2779c6 100644
struct ctl_table_header *links;
struct ctl_node *node;
char *link_name;
-@@ -1043,7 +1077,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
+@@ -1043,7 +1083,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
return NULL;
node = (struct ctl_node *)(links + 1);
@@ -59800,7 +59808,7 @@ index 7129046..f2779c6 100644
link_name = (char *)&link_table[nr_entries + 1];
for (link = link_table, entry = table; entry->procname; link++, entry++) {
-@@ -1291,8 +1325,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
+@@ -1291,8 +1331,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
struct ctl_table_header ***subheader, struct ctl_table_set *set,
struct ctl_table *table)
{
@@ -59811,7 +59819,7 @@ index 7129046..f2779c6 100644
int nr_files = 0;
int nr_dirs = 0;
int err = -ENOMEM;
-@@ -1304,10 +1338,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
+@@ -1304,10 +1344,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
nr_files++;
}
@@ -59823,7 +59831,7 @@ index 7129046..f2779c6 100644
files = kzalloc(sizeof(struct ctl_table) * (nr_files + 1),
GFP_KERNEL);
if (!files)
-@@ -1325,7 +1358,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
+@@ -1325,7 +1364,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
/* Register everything except a directory full of subdirectories */
if (nr_files || !nr_dirs) {
struct ctl_table_header *header;
@@ -60973,10 +60981,10 @@ index 96dda62..d6c6a52 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..0fd7c82
+index 0000000..6d8c857
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1080 @@
+@@ -0,0 +1,1094 @@
+#
+# grecurity configuration
+#
@@ -61213,6 +61221,20 @@ index 0000000..0fd7c82
+ This deters repeated kernel exploitation/bruteforcing attempts
+ and is useful for later forensics.
+
++config GRKERNSEC_OLD_ARM_USERLAND
++ bool "Old ARM userland compatibility"
++ depends on ARM && (CPU_V6 || CPU_V6K || CPU_V7)
++ help
++ If you say Y here, stubs of executable code to perform such operations
++ as "compare-exchange" will be placed at fixed locations in the ARM vector
++ table. This is unfortunately needed for old ARM userland meant to run
++ across a wide range of processors. Without this option enabled,
++ the get_tls and data memory barrier stubs will be emulated by the kernel,
++ which is enough for Linaro userlands or other userlands designed for v6
++ and newer ARM CPUs. It's recommended that you try without this option enabled
++ first, and only enable it if your userland does not boot (it will likely fail
++ at init time).
++
+endmenu
+menu "Role Based Access Control Options"
+depends on GRKERNSEC
@@ -85796,10 +85818,10 @@ index 0000000..7cd6065
@@ -0,0 +1 @@
+-grsec
diff --git a/mm/Kconfig b/mm/Kconfig
-index 6509d27..dbec5b8 100644
+index 6509d27..3c15063 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
-@@ -317,10 +317,10 @@ config KSM
+@@ -317,10 +317,11 @@ config KSM
root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
config DEFAULT_MMAP_MIN_ADDR
@@ -85808,12 +85830,13 @@ index 6509d27..dbec5b8 100644
depends on MMU
- default 4096
- help
++ default 32768 if ALPHA || ARM || PARISC || SPARC32
+ default 65536
+ help
This is the portion of low virtual memory which should be protected
from userspace allocation. Keeping a user from writing to low pages
can help reduce the impact of kernel NULL pointer bugs.
-@@ -351,7 +351,7 @@ config MEMORY_FAILURE
+@@ -351,7 +352,7 @@ config MEMORY_FAILURE
config HWPOISON_INJECT
tristate "HWPoison pages injector"
diff --git a/3.2.52/0000_README b/3.2.52/0000_README
index a5b9436..711b31b 100644
--- a/3.2.52/0000_README
+++ b/3.2.52/0000_README
@@ -126,7 +126,7 @@ Patch: 1051_linux-3.2.52.patch
From: http://www.kernel.org
Desc: Linux 3.2.52
-Patch: 4420_grsecurity-2.9.1-3.2.52-201311071633.patch
+Patch: 4420_grsecurity-2.9.1-3.2.52-201311102305.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch
index c2c26e8..125d100 100644
--- a/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch
+++ b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch
@@ -57691,11 +57691,14 @@ index f738024..226e98e 100644
.exit = proc_net_ns_exit,
};
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 0be1aa4..ed25c53 100644
+index 0be1aa4..21298e5 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
-@@ -9,11 +9,13 @@
+@@ -7,13 +7,16 @@
+ #include <linux/proc_fs.h>
+ #include <linux/security.h>
#include <linux/namei.h>
++#include <linux/nsproxy.h>
#include "internal.h"
+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
@@ -57710,7 +57713,7 @@ index 0be1aa4..ed25c53 100644
void proc_sys_poll_notify(struct ctl_table_poll *poll)
{
-@@ -128,8 +130,14 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
+@@ -128,8 +131,14 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
err = NULL;
d_set_d_op(dentry, &proc_sys_dentry_operations);
@@ -57725,20 +57728,25 @@ index 0be1aa4..ed25c53 100644
out:
if (h)
sysctl_head_finish(h);
-@@ -162,6 +170,12 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -162,6 +171,17 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
if (!table->proc_handler)
goto out;
+#ifdef CONFIG_GRKERNSEC
+ error = -EPERM;
-+ if (write && !capable(CAP_SYS_ADMIN))
-+ goto out;
++ if (write) {
++ if (current->nsproxy->net_ns != table->extra2) {
++ if (!capable(CAP_SYS_ADMIN))
++ goto out;
++ } else if (!nsown_capable(CAP_NET_ADMIN))
++ goto out;
++ }
+#endif
+
/* careful: calling conventions are nasty here */
res = count;
error = table->proc_handler(table, write, buf, &res, ppos);
-@@ -259,6 +273,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent,
+@@ -259,6 +279,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent,
return -ENOMEM;
} else {
d_set_d_op(child, &proc_sys_dentry_operations);
@@ -57748,7 +57756,7 @@ index 0be1aa4..ed25c53 100644
d_add(child, inode);
}
} else {
-@@ -287,6 +304,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
+@@ -287,6 +310,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
if (*pos < file->f_pos)
continue;
@@ -57758,7 +57766,7 @@ index 0be1aa4..ed25c53 100644
res = proc_sys_fill_cache(file, dirent, filldir, head, table);
if (res)
return res;
-@@ -412,6 +432,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
+@@ -412,6 +438,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
if (IS_ERR(head))
return PTR_ERR(head);
@@ -57768,7 +57776,7 @@ index 0be1aa4..ed25c53 100644
generic_fillattr(inode, stat);
if (table)
stat->mode = (stat->mode & S_IFMT) | table->mode;
-@@ -434,13 +457,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
+@@ -434,13 +463,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
.llseek = generic_file_llseek,
};
@@ -85258,10 +85266,10 @@ index 0000000..7cd6065
@@ -0,0 +1 @@
+-grsec
diff --git a/mm/Kconfig b/mm/Kconfig
-index 011b110..fad8776 100644
+index 011b110..05d1b6f 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
-@@ -241,10 +241,10 @@ config KSM
+@@ -241,10 +241,11 @@ config KSM
root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
config DEFAULT_MMAP_MIN_ADDR
@@ -85270,12 +85278,13 @@ index 011b110..fad8776 100644
depends on MMU
- default 4096
- help
++ default 32768 if ALPHA || ARM || PARISC || SPARC32
+ default 65536
+ help
This is the portion of low virtual memory which should be protected
from userspace allocation. Keeping a user from writing to low pages
can help reduce the impact of kernel NULL pointer bugs.
-@@ -274,7 +274,7 @@ config MEMORY_FAILURE
+@@ -274,7 +275,7 @@ config MEMORY_FAILURE
config HWPOISON_INJECT
tristate "HWPoison pages injector"