www.grsecu...

arekm Sun, 02 Aug 2009 03:38:32 -0700

Author: arekm                        Date: Sun Aug  2 10:38:10 2009 GMT
Module: packages                      Tag: GRSECURITY_RAW
---- Log message:
http://www.grsecurity.net/~spender/grsecurity-2.1.14-2.6.30.4-200908011535.patch


---- Files affected:
packages/kernel:
   kernel-grsec_full.patch (1.3.2.3 -> 1.3.2.4) 

---- Diffs:

================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.3.2.3 
packages/kernel/kernel-grsec_full.patch:1.3.2.4
--- packages/kernel/kernel-grsec_full.patch:1.3.2.3     Fri Jul 31 11:02:00 2009
+++ packages/kernel/kernel-grsec_full.patch     Sun Aug  2 12:38:03 2009
@@ -9077,7 +9077,7 @@
 +      .endr
 diff -urNp linux-2.6.30.4/arch/x86/kernel/head_64.S 
linux-2.6.30.4/arch/x86/kernel/head_64.S
 --- linux-2.6.30.4/arch/x86/kernel/head_64.S   2009-07-24 17:47:51.000000000 
-0400
-+++ linux-2.6.30.4/arch/x86/kernel/head_64.S   2009-07-30 09:48:09.947450201 
-0400
++++ linux-2.6.30.4/arch/x86/kernel/head_64.S   2009-08-01 08:46:06.399105315 
-0400
 @@ -39,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
  L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
  L4_START_KERNEL = pgd_index(__START_KERNEL_map)
@@ -9308,7 +9308,7 @@
        .align L1_CACHE_BYTES
  ENTRY(idt_table)
 -      .skip IDT_ENTRIES * 16
-+      .fill 256,16,0
++      .fill 512,8,0
  
        .section .bss.page_aligned, "aw", @nobits
        .align PAGE_SIZE
@@ -9621,7 +9621,7 @@
        page_list[PA_CONTROL_PAGE] = __pa(control_page);
 diff -urNp linux-2.6.30.4/arch/x86/kernel/module_32.c 
linux-2.6.30.4/arch/x86/kernel/module_32.c
 --- linux-2.6.30.4/arch/x86/kernel/module_32.c 2009-07-24 17:47:51.000000000 
-0400
-+++ linux-2.6.30.4/arch/x86/kernel/module_32.c 2009-07-30 09:48:09.950015875 
-0400
++++ linux-2.6.30.4/arch/x86/kernel/module_32.c 2009-08-01 15:35:35.138919235 
-0400
 @@ -23,6 +23,9 @@
  #include <linux/kernel.h>
  #include <linux/bug.h>
@@ -9664,7 +9664,7 @@
  
  /* Free memory returned from module_alloc */
  void module_free(struct module *mod, void *module_region)
-@@ -45,6 +70,45 @@ void module_free(struct module *mod, voi
+@@ -45,6 +70,46 @@ void module_free(struct module *mod, voi
           table entries. */
  }
  
@@ -9705,12 +9705,13 @@
 +              WARN_ON(1);
 +      }
 +}
++EXPORT_SYMBOL(module_free_exec);
 +#endif
 +
  /* We don't need anything special. */
  int module_frob_arch_sections(Elf_Ehdr *hdr,
                              Elf_Shdr *sechdrs,
-@@ -63,14 +127,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+@@ -63,14 +128,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
        unsigned int i;
        Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
        Elf32_Sym *sym;
@@ -9734,7 +9735,7 @@
                /* This is the symbol it is referring to.  Note that all
                   undefined symbols have been resolved.  */
                sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
-@@ -78,12 +148,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+@@ -78,12 +149,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
  
                switch (ELF32_R_TYPE(rel[i].r_info)) {
                case R_386_32:
@@ -9771,7 +9772,7 @@
                        printk(KERN_ERR "module %s: Unknown relocation: %u\n",
 diff -urNp linux-2.6.30.4/arch/x86/kernel/module_64.c 
linux-2.6.30.4/arch/x86/kernel/module_64.c
 --- linux-2.6.30.4/arch/x86/kernel/module_64.c 2009-07-24 17:47:51.000000000 
-0400
-+++ linux-2.6.30.4/arch/x86/kernel/module_64.c 2009-07-30 09:48:09.950015875 
-0400
++++ linux-2.6.30.4/arch/x86/kernel/module_64.c 2009-08-01 15:35:35.161871747 
-0400
 @@ -40,7 +40,7 @@ void module_free(struct module *mod, voi
           table entries. */
  }
@@ -9781,7 +9782,7 @@
  {
        struct vm_struct *area;
  
-@@ -54,8 +54,31 @@ void *module_alloc(unsigned long size)
+@@ -54,8 +54,33 @@ void *module_alloc(unsigned long size)
        if (!area)
                return NULL;
  
@@ -9799,10 +9800,12 @@
 +{
 +      module_free(mod, module_region);
 +}
++EXPORT_SYMBOL(module_free_exec);
 +
 +void *module_alloc_exec(unsigned long size)
 +{
 +      return __module_alloc(size, PAGE_KERNEL_RX);
++EXPORT_SYMBOL(module_alloc_exec);
  }
 +#else
 +void *module_alloc(unsigned long size)
@@ -9814,7 +9817,7 @@
  #endif
  
  /* We don't need anything special. */
-@@ -79,6 +102,10 @@ int apply_relocate_add(Elf64_Shdr *sechd
+@@ -79,6 +104,10 @@ int apply_relocate_add(Elf64_Shdr *sechd
        void *loc;
        u64 val;
  
@@ -9825,7 +9828,7 @@
        DEBUGP("Applying relocate section %u to %u\n", relsec,
               sechdrs[relsec].sh_info);
        for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
-@@ -101,21 +128,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
+@@ -101,21 +130,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
                case R_X86_64_NONE:
                        break;
                case R_X86_64_64:
@@ -11468,7 +11471,7 @@
        *(.bss)
 diff -urNp linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S 
linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S
 --- linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S    2009-07-24 
17:47:51.000000000 -0400
-+++ linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S    2009-07-30 
19:56:23.500027109 -0400
++++ linux-2.6.30.4/arch/x86/kernel/vmlinux_64.lds.S    2009-08-01 
08:46:06.438873305 -0400
 @@ -13,11 +13,11 @@
  OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
  OUTPUT_ARCH(i386:x86-64)
@@ -11497,8 +11500,8 @@
    . = ALIGN(PAGE_SIZE);               /* Align data segment to page size 
boundary */
 +#endif
                                /* Data */
-+  _data = .;
    .data : AT(ADDR(.data) - LOAD_OFFSET) {
++      _data = .;
        DATA_DATA
        CONSTRUCTORS
 -      _edata = .;                     /* End of data section */
@@ -21977,7 +21980,7 @@
        .write_begin = ecryptfs_write_begin,
 diff -urNp linux-2.6.30.4/fs/exec.c linux-2.6.30.4/fs/exec.c
 --- linux-2.6.30.4/fs/exec.c   2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/fs/exec.c   2009-07-30 11:10:49.146300194 -0400
++++ linux-2.6.30.4/fs/exec.c   2009-08-01 14:58:11.881121157 -0400
 @@ -54,12 +54,24 @@
  #include <linux/kmod.h>
  #include <linux/fsnotify.h>
@@ -22003,6 +22006,15 @@
  int core_uses_pid;
  char core_pattern[CORENAME_MAX_SIZE] = "core";
  int suid_dumpable = 0;
+@@ -112,7 +124,7 @@ SYSCALL_DEFINE1(uselib, const char __use
+               goto out;
+ 
+       file = do_filp_open(AT_FDCWD, tmp,
+-                              O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
++                              O_LARGEFILE | O_RDONLY | FMODE_EXEC | 
FMODE_GREXEC, 0,
+                               MAY_READ | MAY_EXEC | MAY_OPEN);
+       putname(tmp);
+       error = PTR_ERR(file);
 @@ -160,18 +172,10 @@ static struct page *get_arg_page(struct 
                int write)
  {
@@ -22119,6 +22131,15 @@
  }
  EXPORT_SYMBOL(setup_arg_pages);
  
+@@ -650,7 +680,7 @@ struct file *open_exec(const char *name)
+       int err;
+ 
+       file = do_filp_open(AT_FDCWD, name,
+-                              O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
++                              O_LARGEFILE | O_RDONLY | FMODE_EXEC | 
FMODE_GREXEC, 0,
+                               MAY_EXEC | MAY_OPEN);
+       if (IS_ERR(file))
+               goto out;
 @@ -1046,7 +1076,7 @@ int check_unsafe_exec(struct linux_binpr
        }
        rcu_read_unlock();
@@ -29680,8 +29701,8 @@
 +
 diff -urNp linux-2.6.30.4/grsecurity/gracl_fs.c 
linux-2.6.30.4/grsecurity/gracl_fs.c
 --- linux-2.6.30.4/grsecurity/gracl_fs.c       1969-12-31 19:00:00.000000000 
-0500
-+++ linux-2.6.30.4/grsecurity/gracl_fs.c       2009-07-30 11:10:49.347341041 
-0400
-@@ -0,0 +1,423 @@
++++ linux-2.6.30.4/grsecurity/gracl_fs.c       2009-08-01 15:00:28.098114831 
-0400
+@@ -0,0 +1,424 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/types.h>
@@ -29732,7 +29753,8 @@
 +              reqmode |= GR_WRITE;
 +      if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
 +              reqmode |= GR_READ;
-+
++      if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
++              reqmode &= ~GR_READ;
 +      mode =
 +          gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
 +                         mnt);
@@ -35035,8 +35057,19 @@
  
 diff -urNp linux-2.6.30.4/include/linux/fs.h linux-2.6.30.4/include/linux/fs.h
 --- linux-2.6.30.4/include/linux/fs.h  2009-07-24 17:47:51.000000000 -0400
-+++ linux-2.6.30.4/include/linux/fs.h  2009-07-30 09:48:10.109883773 -0400
-@@ -2423,7 +2423,7 @@ static int __fops ## _open(struct inode 
++++ linux-2.6.30.4/include/linux/fs.h  2009-08-01 14:57:12.341093728 -0400
+@@ -87,6 +87,10 @@ struct inodes_stat_t {
+  */
+ #define FMODE_NOCMTIME                ((__force fmode_t)2048)
+ 
++/* Hack for grsec so as not to require read permission simply to execute
++   a binary */
++#define FMODE_GREXEC          ((__force fmode_t)8192)
++
+ /*
+  * The below are the various read and write types that we support. Some of
+  * them include behavioral modifiers that send information down to the
+@@ -2423,7 +2427,7 @@ static int __fops ## _open(struct inode 
        __simple_attr_check_format(__fmt, 0ull);                        \
        return simple_attr_open(inode, file, __get, __set, __fmt);      \
  }                                                                     \
================================================================

---- CVS-web:
    
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.3.2.3&r2=1.3.2.4&f=u

_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit

packages (GRSECURITY_RAW): kernel/kernel-grsec_full.patch http://www.grsecu...

Reply via email to