Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/2.6.32/4425_grsec-pax-without-grsec.patch
blob: 48357e98c4db444dd22761700eed6f3d5fdcb7d8 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

From: Anthony G. Basile <blueness@gentoo.org>

With grsecurity-2.2.2-2.6.32.38-201104171745, the functions pax_report_leak_to_user and
pax_report_overflow_from_user in fs/exec.c were consolidated into pax_report_usercopy.
This patch has been updated to reflect that change.
--
From: Jory Pratt <anarchy@gentoo.org>
Updated patch for kernel 2.6.32

The credits/description from the original version of this patch remain accurate
and are included below.
--
From: Gordon Malm <gengor@gentoo.org>

Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.

This patch has been updated to keep current with newer kernel versions.
The original version of this patch contained no credits/description.

diff -Naur linux-2.6.32-hardened-r44.orig/arch/x86/mm/fault.c linux-2.6.32-hardened-r44/arch/x86/mm/fault.c
--- linux-2.6.32-hardened-r44.orig/arch/x86/mm/fault.c	2011-04-17 18:15:54.000000000 -0400
+++ linux-2.6.32-hardened-r44/arch/x86/mm/fault.c	2011-04-17 18:28:11.000000000 -0400
@@ -658,10 +658,12 @@
 
 #ifdef CONFIG_PAX_KERNEXEC
 	if (init_mm.start_code <= address && address < init_mm.end_code) {
+#ifdef CONFIG_GRKERNSEC
 		if (current->signal->curr_ip)
 			printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
 					 &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
 		else
+#endif
 			printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
 					 current->comm, task_pid_nr(current), current_uid(), current_euid());
 	}
diff -Naur linux-2.6.32-hardened-r44.orig/fs/exec.c linux-2.6.32-hardened-r44/fs/exec.c
--- linux-2.6.32-hardened-r44.orig/fs/exec.c	2011-04-17 18:15:55.000000000 -0400
+++ linux-2.6.32-hardened-r44/fs/exec.c	2011-04-17 18:29:40.000000000 -0400
@@ -1791,9 +1791,11 @@
 		}
 		up_read(&mm->mmap_sem);
 	}
+#ifdef CONFIG_GRKERNSEC
 	if (tsk->signal->curr_ip)
 		printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
 	else
+#endif
 		printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
 	printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
 			"PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
@@ -1808,10 +1810,12 @@
 #ifdef CONFIG_PAX_REFCOUNT
 void pax_report_refcount_overflow(struct pt_regs *regs)
 {
+#ifdef CONFIG_GRKERNSEC
 	if (current->signal->curr_ip)
 		printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
 				 &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
 	else
+#endif
 		printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
 				 current->comm, task_pid_nr(current), current_uid(), current_euid());
 	print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
@@ -1871,10 +1875,12 @@
 
 NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
 {
+#ifdef CONFIG_GRKERNSEC
 	if (current->signal->curr_ip)
 		printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
 			&current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
 	else
+#endif
 		printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
 			to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
 
diff -Naur linux-2.6.32-hardened-r44.orig/security/Kconfig linux-2.6.32-hardened-r44/security/Kconfig
--- linux-2.6.32-hardened-r44.orig/security/Kconfig	2011-04-17 18:15:55.000000000 -0400
+++ linux-2.6.32-hardened-r44/security/Kconfig	2011-04-17 18:28:11.000000000 -0400
@@ -26,7 +26,7 @@
 	
 config PAX
 	bool "Enable various PaX features"
-	depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
+	depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
 	help
 	  This allows you to enable various PaX features.  PaX adds
 	  intrusion prevention mechanisms to the kernel that reduce