summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--4.6.4/0000_README2
-rw-r--r--4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch (renamed from 4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch)81
2 files changed, 53 insertions, 30 deletions
diff --git a/4.6.4/0000_README b/4.6.4/0000_README
index 0a9f680..81410da 100644
--- a/4.6.4/0000_README
+++ b/4.6.4/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.6.4-201607192040.patch
+Patch: 4420_grsecurity-3.1-4.6.4-201607242014.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
index 4b02b21..f7868ce 100644
--- a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch
+++ b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
@@ -877,7 +877,7 @@ index a876743..fe2a193 100644
Counts number of I and D TLB Misses and exports them via Debugfs
The counters can be cleared via Debugfs as well
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index cdfa6c2..aba8354 100644
+index cdfa6c2..f39881d 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -53,6 +53,7 @@ config ARM
@@ -888,7 +888,15 @@ index cdfa6c2..aba8354 100644
select HAVE_GENERIC_DMA_COHERENT
select HAVE_HW_BREAKPOINT if (PERF_EVENTS && (CPU_V6 || CPU_V6K || CPU_V7))
select HAVE_IDE if PCI || ISA || PCMCIA
-@@ -1629,6 +1630,7 @@ config HIGHPTE
+@@ -1561,6 +1562,7 @@ config AEABI
+ config OABI_COMPAT
+ bool "Allow old ABI binaries to run with this kernel (EXPERIMENTAL)"
+ depends on AEABI && !THUMB2_KERNEL
++ depends on !GRKERNSEC
+ help
+ This option preserves the old syscall interface along with the
+ new (ARM EABI) one. It also provides a compatibility layer to
+@@ -1629,6 +1631,7 @@ config HIGHPTE
config CPU_SW_DOMAIN_PAN
bool "Enable use of CPU domains to implement privileged no-access"
depends on MMU && !ARM_LPAE
@@ -896,7 +904,7 @@ index cdfa6c2..aba8354 100644
default y
help
Increase kernel security by ensuring that normal kernel accesses
-@@ -1705,7 +1707,7 @@ config ALIGNMENT_TRAP
+@@ -1705,7 +1708,7 @@ config ALIGNMENT_TRAP
config UACCESS_WITH_MEMCPY
bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
@@ -905,7 +913,7 @@ index cdfa6c2..aba8354 100644
default y if CPU_FEROCEON
help
Implement faster copy_to_user and clear_user methods for CPU
-@@ -1960,6 +1962,7 @@ config KEXEC
+@@ -1960,6 +1963,7 @@ config KEXEC
depends on (!SMP || PM_SLEEP_SMP)
depends on !CPU_V7M
select KEXEC_CORE
@@ -913,7 +921,7 @@ index cdfa6c2..aba8354 100644
help
kexec is a system call that implements the ability to shutdown your
current kernel, and to start another kernel. It is like a reboot
-@@ -2004,7 +2007,7 @@ config EFI_STUB
+@@ -2004,7 +2008,7 @@ config EFI_STUB
config EFI
bool "UEFI runtime support"
@@ -23850,7 +23858,7 @@ index c3496619..3f3a7dc 100644
asmlinkage void smp_deferred_error_interrupt(void);
#endif
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index 2e7513d..73d9d20 100644
+index 2e7513d..792107f 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
@@ -23887,7 +23895,7 @@ index 2e7513d..73d9d20 100644
+ unsigned long __size = size; \
+ unsigned long __addr = (unsigned long)addr; \
+ bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
-+ if (__ret_ao && __size) { \
++ if (__ret_ao && __size < 256 * PAGE_SIZE) { \
+ unsigned long __addr_ao = __addr & PAGE_MASK; \
+ unsigned long __end_ao = __addr + __size - 1; \
+ if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
@@ -28460,7 +28468,7 @@ index e565e0e..fdfeb45 100644
}
memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);
diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
-index 2da6ee9..4cbe3af 100644
+index 2da6ee9..fc0ca78 100644
--- a/arch/x86/kernel/kgdb.c
+++ b/arch/x86/kernel/kgdb.c
@@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)
@@ -28518,7 +28526,7 @@ index 2da6ee9..4cbe3af 100644
text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
BREAK_INSTR_SIZE);
- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
-+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
++ err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);
if (err)
return err;
if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
@@ -28527,7 +28535,7 @@ index 2da6ee9..4cbe3af 100644
goto knl_write;
text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
-+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
++ err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);
if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
goto knl_write;
return err;
@@ -124075,10 +124083,10 @@ index 0000000..696d76d
+}
diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
new file mode 100644
-index 0000000..39645c9
+index 0000000..dfba8fd
--- /dev/null
+++ b/grsecurity/gracl_res.c
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,74 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
@@ -124118,6 +124126,14 @@ index 0000000..39645c9
+ if (unlikely(!restab_log[res]))
+ return;
+
++ /*
++ * not really security relevant, too much userland code shared
++ * from pulseaudio that blindly attempts to violate limits in a loop,
++ * resulting in log spam
++ */
++ if (res == RLIMIT_NICE)
++ return;
++
+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
+ rlim = task_rlimit_max(task, res);
+ else
@@ -124136,8 +124152,6 @@ index 0000000..39645c9
+ else if (res == RLIMIT_MEMLOCK &&
+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
+ goto out_rcu_unlock;
-+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
-+ goto out_rcu_unlock;
+ rcu_read_unlock();
+
+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
@@ -144283,7 +144297,7 @@ index 2c5e3a8..301fb1a 100644
return -ENOSYS;
}
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 725587f..750f909 100644
+index 725587f..c7834cc 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -95,7 +95,6 @@
@@ -144440,7 +144454,7 @@ index 725587f..750f909 100644
- .proc_handler = proc_dointvec_minmax_sysadmin,
+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
+#ifdef CONFIG_GRKERNSEC_HIDESYM
-+ .extra1 = &two,
++ .extra1 = &one,
+#else
.extra1 = &zero,
+#endif
@@ -146874,7 +146888,7 @@ index 4f5b1dd..7cab418 100644
+}
+EXPORT_SYMBOL(copy_to_user_overflow);
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index ccb664b..058e2978 100644
+index ccb664b..be065a5 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -16,6 +16,9 @@
@@ -146902,7 +146916,7 @@ index ccb664b..058e2978 100644
-int kptr_restrict __read_mostly;
+#ifdef CONFIG_GRKERNSEC_HIDESYM
-+int kptr_restrict __read_only = 2;
++int kptr_restrict __read_only = 1;
+#else
+int kptr_restrict __read_only;
+#endif
@@ -146959,7 +146973,17 @@ index ccb664b..058e2978 100644
case 'K':
switch (kptr_restrict) {
case 0:
-@@ -1724,6 +1743,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -1691,6 +1710,9 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+ */
+ cred = current_cred();
+ if (!has_capability_noaudit(current, CAP_SYSLOG) ||
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ !has_capability_noaudit(current, CAP_SYS_ADMIN) ||
++#endif
+ !uid_eq(cred->euid, cred->uid) ||
+ !gid_eq(cred->egid, cred->gid))
+ ptr = NULL;
+@@ -1724,6 +1746,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
case 'G':
return flags_string(buf, end, ptr, fmt);
}
@@ -146982,7 +147006,7 @@ index ccb664b..058e2978 100644
spec.flags |= SMALL;
if (spec.field_width == -1) {
spec.field_width = default_width;
-@@ -2424,11 +2459,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -2424,11 +2462,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
typeof(type) value; \
if (sizeof(type) == 8) { \
args = PTR_ALIGN(args, sizeof(u32)); \
@@ -146997,7 +147021,7 @@ index ccb664b..058e2978 100644
} \
args += sizeof(type); \
value; \
-@@ -2491,7 +2526,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -2491,7 +2529,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
case FORMAT_TYPE_STR: {
const char *str_arg = args;
args += strlen(str_arg) + 1;
@@ -163915,10 +163939,10 @@ index 0000000..ffe60f6
+}
diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c
new file mode 100644
-index 0000000..1a56d17
+index 0000000..b769ccf
--- /dev/null
+++ b/scripts/gcc-plugins/constify_plugin.c
-@@ -0,0 +1,583 @@
+@@ -0,0 +1,582 @@
+/*
+ * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
+ * Copyright 2011-2016 by PaX Team <pageexec@freemail.hu>
@@ -163944,7 +163968,7 @@ index 0000000..1a56d17
+static bool enabled = true;
+
+static struct plugin_info const_plugin_info = {
-+ .version = "201606280200",
++ .version = "201607241840",
+ .help = "disable\tturn off constification\n",
+};
+
@@ -164069,10 +164093,8 @@ index 0000000..1a56d17
+ continue;
+ if (!constified(ptrtype))
+ continue;
-+ if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type)) {
-+ TREE_TYPE(field) = copy_node(TREE_TYPE(field));
-+ TREE_TYPE(TREE_TYPE(field)) = build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST);
-+ }
++ if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type))
++ TREE_TYPE(field) = build_pointer_type(build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST));
+ continue;
+ }
+ if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) != UNION_TYPE)
@@ -164190,6 +164212,7 @@ index 0000000..1a56d17
+
+static void constify_type(tree type)
+{
++ gcc_assert(type == TYPE_MAIN_VARIANT(type));
+ TYPE_READONLY(type) = 1;
+ C_TYPE_FIELDS_READONLY(type) = 1;
+ TYPE_CONSTIFY_VISITED(type) = 1;
@@ -214202,7 +214225,7 @@ index 3a9b66c..2b38b21 100644
unsigned long flags;
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
-index 9106d8e..e7e2e3c 100644
+index 9106d8e..e7e2e3ca 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -3014,11 +3014,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream,