From: Anthony G. Basile With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy. This patch has been updated to reflect that change. -- From: Jory Pratt Updated patch for kernel 2.6.32 The credits/description from the original version of this patch remain accurate and are included below. -- From: Gordon Malm Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC. This patch has been updated to keep current with newer kernel versions. The original version of this patch contained no credits/description. diff -Naur linux-2.6.32-hardened-r44.orig/arch/x86/mm/fault.c linux-2.6.32-hardened-r44/arch/x86/mm/fault.c --- linux-2.6.32-hardened-r44.orig/arch/x86/mm/fault.c 2011-04-17 18:15:54.000000000 -0400 +++ linux-2.6.32-hardened-r44/arch/x86/mm/fault.c 2011-04-17 18:28:11.000000000 -0400 @@ -658,10 +658,12 @@ #ifdef CONFIG_PAX_KERNEXEC if (init_mm.start_code <= address && address < init_mm.end_code) { +#ifdef CONFIG_GRKERNSEC if (current->signal->curr_ip) printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); else +#endif printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current), current_uid(), current_euid()); } diff -Naur linux-2.6.32-hardened-r44.orig/fs/exec.c linux-2.6.32-hardened-r44/fs/exec.c --- linux-2.6.32-hardened-r44.orig/fs/exec.c 2011-04-17 18:15:55.000000000 -0400 +++ linux-2.6.32-hardened-r44/fs/exec.c 2011-04-17 18:29:40.000000000 -0400 @@ -1794,9 +1794,11 @@ } up_read(&mm->mmap_sem); } +#ifdef CONFIG_GRKERNSEC if (tsk->signal->curr_ip) printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset); else +#endif printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset); printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, " "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk), @@ -1811,10 +1813,12 @@ #ifdef CONFIG_PAX_REFCOUNT void pax_report_refcount_overflow(struct pt_regs *regs) { +#ifdef CONFIG_GRKERNSEC if (current->signal->curr_ip) printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid()); else +#endif printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current), current_uid(), current_euid()); print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs)); @@ -1874,10 +1878,12 @@ void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) { +#ifdef CONFIG_GRKERNSEC if (current->signal->curr_ip) printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); else +#endif printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len); diff -Naur linux-2.6.32-hardened-r44.orig/security/Kconfig linux-2.6.32-hardened-r44/security/Kconfig --- linux-2.6.32-hardened-r44.orig/security/Kconfig 2011-04-17 18:15:55.000000000 -0400 +++ linux-2.6.32-hardened-r44/security/Kconfig 2011-04-17 18:28:11.000000000 -0400 @@ -26,7 +26,7 @@ config PAX bool "Enable various PaX features" - depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) + depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86) help This allows you to enable various PaX features. PaX adds intrusion prevention mechanisms to the kernel that reduce