main/linux-grsec: upgrade to grsecurity-2.2.2-3.2.2-201201302345

2 files changed, 51 insertions, 24 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index f5bc959faa..386393bf11 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.2.2
 _kernver=3.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
 	ftp://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2
-	grsecurity-2.2.2-3.2.2-201201290115.patch
+	grsecurity-2.2.2-3.2.2-201201302345.patch
 	
 	0004-arp-flush-arp-cache-on-device-change.patch
 
@@ -141,7 +141,7 @@ dev() {
 
 md5sums="7ceb61f87c097fc17509844b71268935  linux-3.2.tar.bz2
 e9e53fba37c5e2afa4cdecab234120bd  patch-3.2.2.bz2
-55e85afceade7adcc216f26996549f1f  grsecurity-2.2.2-3.2.2-201201290115.patch
+54c66601d38283f4561acd7cf48f7a0a  grsecurity-2.2.2-3.2.2-201201302345.patch
 776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 f3eda7112ef074a4121ec6de943c63ee  x86-centaur-enable-cx8-for-via-eden-too.patch
 62cc7d7b5ba7ef05b72ff91c0411c189  linux-3.0.x-regression-with-ipv4-routes-having-mtu.patch
diff --git a/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch b/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch
index 407965667a..5a35b2ea25 100644
--- a/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch
+++ b/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch
@@ -41403,6 +41403,22 @@ index f7908ae..920a680 100644
  
  	dcache_init();
  	inode_init();
+diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
+index f3a257d..715ac0f 100644
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -261,7 +261,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
+ {
+ 	return debugfs_create_file(name, 
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++				   S_IFDIR | S_IRWXU,
++#else
+ 				   S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
++#endif
+ 				   parent, NULL, NULL);
+ }
+ EXPORT_SYMBOL_GPL(debugfs_create_dir);
 diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
 index 2a83425..b082cec 100644
 --- a/fs/ecryptfs/crypto.c
@@ -46894,6 +46910,29 @@ index fa2defa..8601650 100644
  		ret = -EAGAIN;
  
  	pipe_unlock(ipipe);
+diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
+index 7fdf6a7..e6cd8ad 100644
+--- a/fs/sysfs/dir.c
++++ b/fs/sysfs/dir.c
+@@ -642,6 +642,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd,
+ 	struct sysfs_dirent *sd;
+ 	int rc;
+ 
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++	const char *parent_name = parent_sd->s_name;
++
++	mode = S_IFDIR | S_IRWXU;
++
++	if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
++	    (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
++	    (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse"))) ||
++	    (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
++		mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++#endif
++
+ 	/* allocate */
+ 	sd = sysfs_new_dirent(name, mode, SYSFS_DIR);
+ 	if (!sd)
 diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
 index d4e6080b..0e58b99 100644
 --- a/fs/sysfs/file.c
@@ -46943,22 +46982,6 @@ index d4e6080b..0e58b99 100644
  		wake_up_interruptible(&od->poll);
  	}
  
-diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
-index e34f0d9..740ea7b 100644
---- a/fs/sysfs/mount.c
-+++ b/fs/sysfs/mount.c
-@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
- 	.s_name		= "",
- 	.s_count	= ATOMIC_INIT(1),
- 	.s_flags	= SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
-+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
-+	.s_mode		= S_IFDIR | S_IRWXU,
-+#else
- 	.s_mode		= S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
-+#endif
- 	.s_ino		= 1,
- };
- 
 diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c
 index a7ac78f..02158e1 100644
 --- a/fs/sysfs/symlink.c
@@ -47167,10 +47190,10 @@ index ce9268a..ee98d0b 100644
  
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..ab77366
+index 0000000..dfd3d34
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1065 @@
+@@ -0,0 +1,1069 @@
 +#
 +# grecurity configuration
 +#
@@ -47641,15 +47664,19 @@ index 0000000..ab77366
 +	depends on SYSFS
 +	help
 +	  If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
-+	  any filesystem normally mounted under it (e.g. debugfs) will only
-+	  be accessible by root.  These filesystems generally provide access
++	  any filesystem normally mounted under it (e.g. debugfs) will be
++	  mostly accessible only by root.  These filesystems generally provide access
 +	  to hardware and debug information that isn't appropriate for unprivileged
 +	  users of the system.  Sysfs and debugfs have also become a large source
 +	  of new vulnerabilities, ranging from infoleaks to local compromise.
 +	  There has been very little oversight with an eye toward security involved
 +	  in adding new exporters of information to these filesystems, so their
 +	  use is discouraged.
-+	  This option is equivalent to a chmod 0700 of the mount paths.
++	  For reasons of compatibility, a few directories have been whitelisted
++	  for access by non-root users:
++	  /sys/fs/selinux
++	  /sys/fs/fuse
++	  /sys/devices/system/cpu
 +
 +config GRKERNSEC_ROFS
 +	bool "Runtime read-only mount protection"