Grsec/PaX: 2.9.1-{2.6.32.61,3.2.52,3.11.7}-20131110230620131110

author: Anthony G. Basile <blueness@gentoo.org> 2013-11-11 08:27:00 -0500
committer: Anthony G. Basile <blueness@gentoo.org> 2013-11-11 08:27:00 -0500
commit: 0809800434ae1b918a0b5d819dbb48c7661cd4fe (patch)
tree: 544bcf89eff5b6fe727e1f2ce8cc1e445c61cda4
parent: Grsec/PaX: 2.9.1-{2.6.32.61,3.2.52,3.11.7}-201311071634 (diff)
download: hardened-patchset-0809800434ae1b918a0b5d819dbb48c7661cd4fe.tar.gz
hardened-patchset-0809800434ae1b918a0b5d819dbb48c7661cd4fe.tar.bz2
hardened-patchset-0809800434ae1b918a0b5d819dbb48c7661cd4fe.zip
6 files changed, 81 insertions, 46 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index b5c69e3..70f19f5 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch:	1060_linux-2.6.32.61.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.61
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch
index acf589b..59e84fb 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311071632.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201311102303.patch
@@ -110626,18 +110626,21 @@ index 0000000..7cd6065
 @@ -0,0 +1 @@
 +-grsec
 diff --git a/mm/Kconfig b/mm/Kconfig
-index 2c19c0b..f3c3f83 100644
+index 2c19c0b..713bf49 100644
 --- a/mm/Kconfig
 +++ b/mm/Kconfig
-@@ -228,7 +228,7 @@ config KSM
+@@ -228,8 +228,9 @@ config KSM
  config DEFAULT_MMAP_MIN_ADDR
          int "Low address space to protect from user allocation"
  	depends on MMU
 -        default 4096
-+        default 65536
-         help
+-        help
++	default 32768 if ALPHA || ARM || PARISC || SPARC32
++	default 65536
++	help
  	  This is the portion of low virtual memory which should be protected
  	  from userspace allocation.  Keeping a user from writing to low pages
+ 	  can help reduce the impact of kernel NULL pointer bugs.
 diff --git a/mm/backing-dev.c b/mm/backing-dev.c
 index d824401..9f5244a 100644
 --- a/mm/backing-dev.c
diff --git a/3.11.7/0000_README b/3.11.7/0000_README
index ff6ef32..c06ec7f 100644
--- a/3.11.7/0000_README
+++ b/3.11.7/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.9.1-3.11.7-201311071634.patch
+Patch:	4420_grsecurity-2.9.1-3.11.7-201311102306.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch b/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch
index 6499bdd..30881d8 100644
--- a/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311071634.patch
+++ b/3.11.7/4420_grsecurity-2.9.1-3.11.7-201311102306.patch
@@ -3631,7 +3631,7 @@ index cad3ca86..1d79e0f 100644
  extern void ux500_cpu_die(unsigned int cpu);
  
 diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
-index cd2c88e..7430282 100644
+index cd2c88e..bb527b3 100644
 --- a/arch/arm/mm/Kconfig
 +++ b/arch/arm/mm/Kconfig
 @@ -446,7 +446,7 @@ config CPU_32v5
@@ -3655,7 +3655,7 @@ index cd2c88e..7430282 100644
  config KUSER_HELPERS
  	bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
  	default y
-+	depends on !(CPU_V6 || CPU_V6K || CPU_V7)
++	depends on !(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND
  	help
  	  Warning: disabling this option may break user programs.
  
@@ -59646,11 +59646,14 @@ index 4677bb7..408e936 100644
  	rcu_read_lock();
  	task = pid_task(proc_pid(dir), PIDTYPE_PID);
 diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 7129046..f2779c6 100644
+index 7129046..130793a 100644
 --- a/fs/proc/proc_sysctl.c
 +++ b/fs/proc/proc_sysctl.c
-@@ -13,11 +13,15 @@
+@@ -11,13 +11,18 @@
+ #include <linux/namei.h>
+ #include <linux/mm.h>
  #include <linux/module.h>
++#include <linux/nsproxy.h>
  #include "internal.h"
  
 +extern int gr_handle_chroot_sysctl(const int op);
@@ -59667,7 +59670,7 @@ index 7129046..f2779c6 100644
  
  void proc_sys_poll_notify(struct ctl_table_poll *poll)
  {
-@@ -467,6 +471,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
+@@ -467,6 +472,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
  
  	err = NULL;
  	d_set_d_op(dentry, &proc_sys_dentry_operations);
@@ -59677,7 +59680,7 @@ index 7129046..f2779c6 100644
  	d_add(dentry, inode);
  
  out:
-@@ -482,6 +489,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -482,6 +490,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
  	struct inode *inode = file_inode(filp);
  	struct ctl_table_header *head = grab_header(inode);
  	struct ctl_table *table = PROC_I(inode)->sysctl_entry;
@@ -59685,7 +59688,7 @@ index 7129046..f2779c6 100644
  	ssize_t error;
  	size_t res;
  
-@@ -493,7 +501,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -493,7 +502,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
  	 * and won't be until we finish.
  	 */
  	error = -EPERM;
@@ -59694,7 +59697,7 @@ index 7129046..f2779c6 100644
  		goto out;
  
  	/* if that can happen at all, it should be -EINVAL, not -EISDIR */
-@@ -501,6 +509,22 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -501,6 +510,27 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
  	if (!table->proc_handler)
  		goto out;
  
@@ -59710,14 +59713,19 @@ index 7129046..f2779c6 100644
 +	dput(filp->f_path.dentry);
 +	if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
 +		goto out;
-+	if (write && !capable(CAP_SYS_ADMIN))
-+		goto out;
++	if (write) {
++		if (current->nsproxy->net_ns != table->extra2) {
++			if (!capable(CAP_SYS_ADMIN))
++				goto out;
++		} else if (!nsown_capable(CAP_NET_ADMIN))
++			goto out;
++	}
 +#endif
 +
  	/* careful: calling conventions are nasty here */
  	res = count;
  	error = table->proc_handler(table, write, buf, &res, ppos);
-@@ -598,6 +622,9 @@ static bool proc_sys_fill_cache(struct file *file,
+@@ -598,6 +628,9 @@ static bool proc_sys_fill_cache(struct file *file,
  				return false;
  			} else {
  				d_set_d_op(child, &proc_sys_dentry_operations);
@@ -59727,7 +59735,7 @@ index 7129046..f2779c6 100644
  				d_add(child, inode);
  			}
  		} else {
-@@ -641,6 +668,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
+@@ -641,6 +674,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
  	if ((*pos)++ < ctx->pos)
  		return true;
  
@@ -59737,7 +59745,7 @@ index 7129046..f2779c6 100644
  	if (unlikely(S_ISLNK(table->mode)))
  		res = proc_sys_link_fill_cache(file, ctx, head, table);
  	else
-@@ -734,6 +764,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
+@@ -734,6 +770,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
  	if (IS_ERR(head))
  		return PTR_ERR(head);
  
@@ -59747,7 +59755,7 @@ index 7129046..f2779c6 100644
  	generic_fillattr(inode, stat);
  	if (table)
  		stat->mode = (stat->mode & S_IFMT) | table->mode;
-@@ -756,13 +789,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
+@@ -756,13 +795,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
  	.llseek		= generic_file_llseek,
  };
  
@@ -59763,7 +59771,7 @@ index 7129046..f2779c6 100644
  	.lookup		= proc_sys_lookup,
  	.permission	= proc_sys_permission,
  	.setattr	= proc_sys_setattr,
-@@ -839,7 +872,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
+@@ -839,7 +878,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
  static struct ctl_dir *new_dir(struct ctl_table_set *set,
  			       const char *name, int namelen)
  {
@@ -59772,7 +59780,7 @@ index 7129046..f2779c6 100644
  	struct ctl_dir *new;
  	struct ctl_node *node;
  	char *new_name;
-@@ -851,7 +884,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
+@@ -851,7 +890,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
  		return NULL;
  
  	node = (struct ctl_node *)(new + 1);
@@ -59781,7 +59789,7 @@ index 7129046..f2779c6 100644
  	new_name = (char *)(table + 2);
  	memcpy(new_name, name, namelen);
  	new_name[namelen] = '\0';
-@@ -1020,7 +1053,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
+@@ -1020,7 +1059,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
  static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table *table,
  	struct ctl_table_root *link_root)
  {
@@ -59791,7 +59799,7 @@ index 7129046..f2779c6 100644
  	struct ctl_table_header *links;
  	struct ctl_node *node;
  	char *link_name;
-@@ -1043,7 +1077,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
+@@ -1043,7 +1083,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
  		return NULL;
  
  	node = (struct ctl_node *)(links + 1);
@@ -59800,7 +59808,7 @@ index 7129046..f2779c6 100644
  	link_name = (char *)&link_table[nr_entries + 1];
  
  	for (link = link_table, entry = table; entry->procname; link++, entry++) {
-@@ -1291,8 +1325,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
+@@ -1291,8 +1331,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
  	struct ctl_table_header ***subheader, struct ctl_table_set *set,
  	struct ctl_table *table)
  {
@@ -59811,7 +59819,7 @@ index 7129046..f2779c6 100644
  	int nr_files = 0;
  	int nr_dirs = 0;
  	int err = -ENOMEM;
-@@ -1304,10 +1338,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
+@@ -1304,10 +1344,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
  			nr_files++;
  	}
  
@@ -59823,7 +59831,7 @@ index 7129046..f2779c6 100644
  		files = kzalloc(sizeof(struct ctl_table) * (nr_files + 1),
  				GFP_KERNEL);
  		if (!files)
-@@ -1325,7 +1358,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
+@@ -1325,7 +1364,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
  	/* Register everything except a directory full of subdirectories */
  	if (nr_files || !nr_dirs) {
  		struct ctl_table_header *header;
@@ -60973,10 +60981,10 @@ index 96dda62..d6c6a52 100644
  		kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..0fd7c82
+index 0000000..6d8c857
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1080 @@
+@@ -0,0 +1,1094 @@
 +#
 +# grecurity configuration
 +#
@@ -61213,6 +61221,20 @@ index 0000000..0fd7c82
 +	  This deters repeated kernel exploitation/bruteforcing attempts
 +	  and is useful for later forensics.
 +
++config GRKERNSEC_OLD_ARM_USERLAND
++	bool "Old ARM userland compatibility"
++	depends on ARM && (CPU_V6 || CPU_V6K || CPU_V7)
++	help
++	  If you say Y here, stubs of executable code to perform such operations
++	  as "compare-exchange" will be placed at fixed locations in the ARM vector
++	  table.  This is unfortunately needed for old ARM userland meant to run
++	  across a wide range of processors.  Without this option enabled,
++	  the get_tls and data memory barrier stubs will be emulated by the kernel,
++	  which is enough for Linaro userlands or other userlands designed for v6
++	  and newer ARM CPUs.  It's recommended that you try without this option enabled
++	  first, and only enable it if your userland does not boot (it will likely fail
++	  at init time).
++
 +endmenu
 +menu "Role Based Access Control Options"
 +depends on GRKERNSEC
@@ -85796,10 +85818,10 @@ index 0000000..7cd6065
 @@ -0,0 +1 @@
 +-grsec
 diff --git a/mm/Kconfig b/mm/Kconfig
-index 6509d27..dbec5b8 100644
+index 6509d27..3c15063 100644
 --- a/mm/Kconfig
 +++ b/mm/Kconfig
-@@ -317,10 +317,10 @@ config KSM
+@@ -317,10 +317,11 @@ config KSM
  	  root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
  
  config DEFAULT_MMAP_MIN_ADDR
@@ -85808,12 +85830,13 @@ index 6509d27..dbec5b8 100644
  	depends on MMU
 -        default 4096
 -        help
++	default 32768 if ALPHA || ARM || PARISC || SPARC32
 +	default 65536
 +	help
  	  This is the portion of low virtual memory which should be protected
  	  from userspace allocation.  Keeping a user from writing to low pages
  	  can help reduce the impact of kernel NULL pointer bugs.
-@@ -351,7 +351,7 @@ config MEMORY_FAILURE
+@@ -351,7 +352,7 @@ config MEMORY_FAILURE
  
  config HWPOISON_INJECT
  	tristate "HWPoison pages injector"
diff --git a/3.2.52/0000_README b/3.2.52/0000_README
index a5b9436..711b31b 100644
--- a/3.2.52/0000_README
+++ b/3.2.52/0000_README
@@ -126,7 +126,7 @@ Patch:	1051_linux-3.2.52.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.52
 
-Patch:	4420_grsecurity-2.9.1-3.2.52-201311071633.patch
+Patch:	4420_grsecurity-2.9.1-3.2.52-201311102305.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch
index c2c26e8..125d100 100644
--- a/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311071633.patch
+++ b/3.2.52/4420_grsecurity-2.9.1-3.2.52-201311102305.patch
@@ -57691,11 +57691,14 @@ index f738024..226e98e 100644
  	.exit = proc_net_ns_exit,
  };
 diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 0be1aa4..ed25c53 100644
+index 0be1aa4..21298e5 100644
 --- a/fs/proc/proc_sysctl.c
 +++ b/fs/proc/proc_sysctl.c
-@@ -9,11 +9,13 @@
+@@ -7,13 +7,16 @@
+ #include <linux/proc_fs.h>
+ #include <linux/security.h>
  #include <linux/namei.h>
++#include <linux/nsproxy.h>
  #include "internal.h"
  
 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
@@ -57710,7 +57713,7 @@ index 0be1aa4..ed25c53 100644
  
  void proc_sys_poll_notify(struct ctl_table_poll *poll)
  {
-@@ -128,8 +130,14 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
+@@ -128,8 +131,14 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
  
  	err = NULL;
  	d_set_d_op(dentry, &proc_sys_dentry_operations);
@@ -57725,20 +57728,25 @@ index 0be1aa4..ed25c53 100644
  out:
  	if (h)
  		sysctl_head_finish(h);
-@@ -162,6 +170,12 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+@@ -162,6 +171,17 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
  	if (!table->proc_handler)
  		goto out;
  
 +#ifdef CONFIG_GRKERNSEC
 +	error = -EPERM;
-+	if (write && !capable(CAP_SYS_ADMIN))
-+		goto out;
++	if (write) {
++		if (current->nsproxy->net_ns != table->extra2) {
++			if (!capable(CAP_SYS_ADMIN))
++				goto out;
++		} else if (!nsown_capable(CAP_NET_ADMIN))
++			goto out;
++	}
 +#endif
 +
  	/* careful: calling conventions are nasty here */
  	res = count;
  	error = table->proc_handler(table, write, buf, &res, ppos);
-@@ -259,6 +273,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent,
+@@ -259,6 +279,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent,
  				return -ENOMEM;
  			} else {
  				d_set_d_op(child, &proc_sys_dentry_operations);
@@ -57748,7 +57756,7 @@ index 0be1aa4..ed25c53 100644
  				d_add(child, inode);
  			}
  		} else {
-@@ -287,6 +304,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
+@@ -287,6 +310,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
  		if (*pos < file->f_pos)
  			continue;
  
@@ -57758,7 +57766,7 @@ index 0be1aa4..ed25c53 100644
  		res = proc_sys_fill_cache(file, dirent, filldir, head, table);
  		if (res)
  			return res;
-@@ -412,6 +432,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
+@@ -412,6 +438,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
  	if (IS_ERR(head))
  		return PTR_ERR(head);
  
@@ -57768,7 +57776,7 @@ index 0be1aa4..ed25c53 100644
  	generic_fillattr(inode, stat);
  	if (table)
  		stat->mode = (stat->mode & S_IFMT) | table->mode;
-@@ -434,13 +457,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
+@@ -434,13 +463,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
  	.llseek		= generic_file_llseek,
  };
  
@@ -85258,10 +85266,10 @@ index 0000000..7cd6065
 @@ -0,0 +1 @@
 +-grsec
 diff --git a/mm/Kconfig b/mm/Kconfig
-index 011b110..fad8776 100644
+index 011b110..05d1b6f 100644
 --- a/mm/Kconfig
 +++ b/mm/Kconfig
-@@ -241,10 +241,10 @@ config KSM
+@@ -241,10 +241,11 @@ config KSM
  	  root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
  
  config DEFAULT_MMAP_MIN_ADDR
@@ -85270,12 +85278,13 @@ index 011b110..fad8776 100644
  	depends on MMU
 -        default 4096
 -        help
++	default 32768 if ALPHA || ARM || PARISC || SPARC32
 +	default 65536
 +	help
  	  This is the portion of low virtual memory which should be protected
  	  from userspace allocation.  Keeping a user from writing to low pages
  	  can help reduce the impact of kernel NULL pointer bugs.
-@@ -274,7 +274,7 @@ config MEMORY_FAILURE
+@@ -274,7 +275,7 @@ config MEMORY_FAILURE
  
  config HWPOISON_INJECT
  	tristate "HWPoison pages injector"
author	Anthony G. Basile <blueness@gentoo.org>	2013-11-11 08:27:00 -0500
committer	Anthony G. Basile <blueness@gentoo.org>	2013-11-11 08:27:00 -0500
commit	0809800434ae1b918a0b5d819dbb48c7661cd4fe (patch)
tree	544bcf89eff5b6fe727e1f2ce8cc1e445c61cda4
parent	Grsec/PaX: 2.9.1-{2.6.32.61,3.2.52,3.11.7}-201311071634 (diff)
download	hardened-patchset-0809800434ae1b918a0b5d819dbb48c7661cd4fe.tar.gz hardened-patchset-0809800434ae1b918a0b5d819dbb48c7661cd4fe.tar.bz2 hardened-patchset-0809800434ae1b918a0b5d819dbb48c7661cd4fe.zip