author | Natanael Copa <ncopa@alpinelinux.org> | 2012-02-14 12:07:08 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-02-14 14:05:18 +0000 |
commit | 60f21916599d030d0e52e5b7a35ba2609e9677dc (patch) | |
tree | 8632bf867579528ff7974b133a50730dd6e7fe2e /main/linux-grsec | |
parent | 5aae7195ed0f17c02cec41e149ef86fd6185fbc4 (diff) | |
main/linux-grsec: upgrade to grsecurity-2.2.2-3.2.6-201202131824
Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/APKBUILD | 12 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.2.2-3.2.6-201202131824.patch (renamed from main/linux-grsec/grsecurity-2.2.2-3.2.5-201202061800.patch) | 872 |
2 files changed, 475 insertions, 409 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 7b618c1743..1f5b17a825 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,7 +2,7 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.2.5 +pkgver=3.2.6 _kernver=3.2 pkgrel=0 pkgdesc="Linux kernel with grsecurity" @@ -12,9 +12,9 @@ makedepends="perl installkernel bash gmp-dev" options="!strip" _config=${config:-kernelconfig.${CARCH}} install= -source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2 - ftp://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2 - grsecurity-2.2.2-3.2.5-201202061800.patch +source="http://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2 + http://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2 + grsecurity-2.2.2-3.2.6-201202131824.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -140,8 +140,8 @@ dev() { } md5sums="7ceb61f87c097fc17509844b71268935 linux-3.2.tar.bz2 -fb4d0b76b4c9a42977d75c4b2f3948d0 patch-3.2.5.bz2 -ea0ecef24bf10a8c0f9c4b705a10daf8 grsecurity-2.2.2-3.2.5-201202061800.patch +2bd4679899df503177a3b61ae2068749 patch-3.2.6.bz2 +905e73610bfdb7fd497fa95adcbea2ce grsecurity-2.2.2-3.2.6-201202131824.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch f3eda7112ef074a4121ec6de943c63ee x86-centaur-enable-cx8-for-via-eden-too.patch 62cc7d7b5ba7ef05b72ff91c0411c189 linux-3.0.x-regression-with-ipv4-routes-having-mtu.patch diff --git a/main/linux-grsec/grsecurity-2.2.2-3.2.5-201202061800.patch b/main/linux-grsec/grsecurity-2.2.2-3.2.6-201202131824.patch index 8adfe9cc59..2ac63128e2 100644 --- a/main/linux-grsec/grsecurity-2.2.2-3.2.5-201202061800.patch +++ b/main/linux-grsec/grsecurity-2.2.2-3.2.6-201202131824.patch @@ -186,7 +186,7 @@ index 81c287f..d456d02 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index e9dd0ff..e4c0733 100644 +index 47fe496..c50bd2a 100644 --- a/Makefile +++ b/Makefile 
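Review bot: The `source=` entries in the second APKBUILD hunk now fetch `linux-$_kernver.tar.bz2` and `patch-$pkgver.bz2` over plain `http://`, which is as unauthenticated as the `ftp://` it replaces, so the `md5sums` block in the third hunk is the only integrity check visible here on what gets compiled into the kernel package. MD5 is not collision-resistant, and that matters most for inputs as large and security-critical as a kernel patch set. I would pin these files with a stronger digest as well, for example a `sha512sums="..."` block next to `md5sums` if the abuild version in use supports it. I would also verify the upstream signatures on the tarball, the stable patch and the grsecurity patch before regenerating the sums. The rest of the APKBUILD lies outside these hunks, so a verification step elsewhere in the file cannot be ruled out from this view.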
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -2910,7 +2910,7 @@ index 73709f7..6b90313 100644 if (!fixed && addr) { addr = _ALIGN_UP(addr, 1ul << pshift); diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h -index 547f1a6..3fff354 100644 +index 547f1a6..0b22b53 100644 --- a/arch/s390/include/asm/elf.h +++ b/arch/s390/include/asm/elf.h @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled; @@ -2924,8 +2924,8 @@ index 547f1a6..3fff354 100644 +#ifdef CONFIG_PAX_ASLR +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL) + -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 ) -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 ) ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26) ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26) +#endif /* This yields a mask that user programs can use to figure out what @@ -13486,7 +13486,7 @@ index f3f6f53..0841b66 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index faf8d5e..f58c441 100644 +index faf8d5e..4f16a68 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -55,6 +55,8 @@ @@ -14001,7 +14001,15 @@ index faf8d5e..f58c441 100644 je retint_restore_args movl $_TIF_ALLWORK_MASK,%edi /* edi: mask to check */ -@@ -669,7 +966,7 @@ int_restore_rest: +@@ -623,6 +920,7 @@ GLOBAL(int_with_check) + andl %edi,%edx + jnz int_careful + andl $~TS_COMPAT,TI_status(%rcx) ++ pax_erase_kstack + jmp retint_swapgs + + /* Either reschedule or signal or syscall exit tracking needed. */ +@@ -669,7 +967,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -14010,7 +14018,7 @@ index faf8d5e..f58c441 100644 /* * Certain special system calls that need to save a complete full stack frame. -@@ -685,7 +982,7 @@ ENTRY(\label) +@@ -685,7 +983,7 @@ ENTRY(\label) call \func jmp ptregscall_common CFI_ENDPROC 
@@ -14019,7 +14027,7 @@ index faf8d5e..f58c441 100644 .endm PTREGSCALL stub_clone, sys_clone, %r8 -@@ -703,9 +1000,10 @@ ENTRY(ptregscall_common) +@@ -703,9 +1001,10 @@ ENTRY(ptregscall_common) movq_cfi_restore R12+8, r12 movq_cfi_restore RBP+8, rbp movq_cfi_restore RBX+8, rbx @@ -14031,7 +14039,7 @@ index faf8d5e..f58c441 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -720,7 +1018,7 @@ ENTRY(stub_execve) +@@ -720,7 +1019,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -14040,7 +14048,7 @@ index faf8d5e..f58c441 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -738,7 +1036,7 @@ ENTRY(stub_rt_sigreturn) +@@ -738,7 +1037,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -14049,7 +14057,7 @@ index faf8d5e..f58c441 100644 /* * Build the entry stubs and pointer table with some assembler magic. -@@ -773,7 +1071,7 @@ vector=vector+1 +@@ -773,7 +1072,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -14058,7 +14066,7 @@ index faf8d5e..f58c441 100644 .previous END(interrupt) -@@ -793,6 +1091,16 @@ END(interrupt) +@@ -793,6 +1092,16 @@ END(interrupt) subq $ORIG_RAX-RBP, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP SAVE_ARGS_IRQ @@ -14075,7 +14083,7 @@ index faf8d5e..f58c441 100644 call \func .endm -@@ -824,7 +1132,7 @@ ret_from_intr: +@@ -824,7 +1133,7 @@ ret_from_intr: exit_intr: GET_THREAD_INFO(%rcx) @@ -14084,12 +14092,11 @@ index faf8d5e..f58c441 100644 je retint_kernel /* Interrupt came from user space */ -@@ -846,12 +1154,16 @@ retint_swapgs: /* return to user-space */ +@@ -846,12 +1155,15 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) + pax_exit_kernel_user -+ pax_erase_kstack TRACE_IRQS_IRETQ SWAPGS jmp restore_args @@ -21424,7 +21431,7 @@ index d0474ad..36e9257 100644 extern u32 pnp_bios_is_utter_crap; pnp_bios_is_utter_crap = 1; 
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 5db0490..13bd09c 100644 +index 5db0490..2ddce45 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -13,11 +13,18 @@ @@ -21528,7 +21535,7 @@ index 5db0490..13bd09c 100644 spin_lock(&pgd_lock); + +#ifdef CONFIG_PAX_PER_CPU_PGD -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { + pgd_t *pgd = get_cpu_pgd(cpu); + pmd_t *ret; +#else @@ -22396,7 +22403,7 @@ index f581a18..29efd37 100644 } if (mm->get_unmapped_area == arch_get_unmapped_area) diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c -index 87488b9..a55509f 100644 +index 87488b9..399f416 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -15,6 +15,7 @@ @@ -22463,7 +22470,7 @@ index 87488b9..a55509f 100644 + limit = (limit - 1UL) >> PAGE_SHIFT; + + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE); -+ for (cpu = 0; cpu < NR_CPUS; cpu++) { ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC); + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S); + } @@ -22813,7 +22820,7 @@ index 29f7c6d..b46b35b 100644 printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10); diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index bbaaa00..16dffad 100644 +index bbaaa00..796fa65 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on); @@ -22842,7 +22849,7 @@ index bbaaa00..16dffad 100644 spin_lock(&pgd_lock); + +#ifdef CONFIG_PAX_PER_CPU_PGD -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { + pgd_t *pgd = pgd_offset_cpu(cpu, address); +#else list_for_each_entry(page, &pgd_list, lru) { @@ -23149,7 +23156,7 @@ index b008656..773eac2 100644 struct split_state { 
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c -index f9e5267..6f6e27f 100644 +index f9e5267..77b1a40 100644 --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -261,7 +261,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, @@ -23213,7 +23220,7 @@ index f9e5267..6f6e27f 100644 +#endif +#ifdef CONFIG_PAX_PER_CPU_PGD -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { + pgd_t *pgd = get_cpu_pgd(cpu); +#else list_for_each_entry(page, &pgd_list, lru) { @@ -23337,7 +23344,7 @@ index 9f0614d..92ae64a 100644 p += get_opcode(p, &opcode); for (i = 0; i < ARRAY_SIZE(imm_wop); i++) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c -index 8573b83..6372501 100644 +index 8573b83..c3b1a30 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *pgd) @@ -23376,7 +23383,7 @@ index 8573b83..6372501 100644 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn) +#define pxd_free(mm, pud) pud_free((mm), (pud)) +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud)) -+#define pyd_offset(mm ,address) pgd_offset((mm), (address)) ++#define pyd_offset(mm, address) pgd_offset((mm), (address)) +#define PYD_SIZE PGDIR_SIZE +#else +#define pxd_t pmd_t @@ -23384,7 +23391,7 @@ index 8573b83..6372501 100644 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn) +#define pxd_free(mm, pud) pmd_free((mm), (pud)) +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud)) -+#define pyd_offset(mm ,address) pud_offset((mm), (address)) ++#define pyd_offset(mm, address) pud_offset((mm), (address)) +#define PYD_SIZE PUD_SIZE +#endif + @@ -23734,7 +23741,7 @@ index 6687022..ceabcfa 100644 + pax_force_retaddr ret diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c -index 7c1b765..3d8ea45 100644 +index 7c1b765..8c072c6 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c 
@@ -117,6 +117,10 @@ static inline void bpf_flush_icache(void *start, void *end) @@ -23822,7 +23829,7 @@ index 7c1b765..3d8ea45 100644 static void jit_free_defer(struct work_struct *arg) { - module_free(NULL, arg); -+ module_free_exec(NULL, ((struct bpf_jit_work*)arg)->image); ++ module_free_exec(NULL, ((struct bpf_jit_work *)arg)->image); + kfree(arg); } @@ -23893,7 +23900,7 @@ index cb29191..036766d 100644 return 1; } diff --git a/arch/x86/pci/pcbios.c b/arch/x86/pci/pcbios.c -index db0e9a5..8844dea 100644 +index db0e9a5..0372c14 100644 --- a/arch/x86/pci/pcbios.c +++ b/arch/x86/pci/pcbios.c @@ -79,50 +79,93 @@ union bios32 { @@ -23974,7 +23981,7 @@ index db0e9a5..8844dea 100644 + flags |= 8; + } + -+ for (cpu = 0; cpu < NR_CPUS; cpu++) { ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { + gdt = get_cpu_gdt_table(cpu); + pack_descriptor(&d, address, length, 0x9b, flags); + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S); @@ -25051,14 +25058,14 @@ index 5d41894..22021e4 100644 EXPORT_SYMBOL_GPL(cper_next_record_id); diff --git a/drivers/acpi/ec_sys.c b/drivers/acpi/ec_sys.c -index 6c47ae9..8ab9132 100644 +index 6c47ae9..abfdd63 100644 --- a/drivers/acpi/ec_sys.c +++ b/drivers/acpi/ec_sys.c @@ -12,6 +12,7 @@ #include <linux/acpi.h> #include <linux/debugfs.h> #include <linux/module.h> -+#include <asm/uaccess.h> ++#include <linux/uaccess.h> #include "internal.h" MODULE_AUTHOR("Thomas Renninger <trenn@suse.de>"); @@ -28131,7 +28138,7 @@ index c9339f4..f5e1b9d 100644 int front_offset; } drm_i810_private_t; diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c -index 004b048..7588eba 100644 +index b2e3c97..58cf079 100644 --- a/drivers/gpu/drm/i915/i915_debugfs.c +++ b/drivers/gpu/drm/i915/i915_debugfs.c @@ -499,7 +499,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) @@ -28153,7 +28160,7 @@ index 004b048..7588eba 100644 mutex_unlock(&dev->struct_mutex); 
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c -index a9ae374..43c1e9e 100644 +index c4da951..3c59c5c 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1172,7 +1172,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) @@ -28166,7 +28173,7 @@ index a9ae374..43c1e9e 100644 return can_switch; } diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index 554bef7..d24791c 100644 +index ae294a0..1755461 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -229,7 +229,7 @@ struct drm_i915_display_funcs { @@ -28178,7 +28185,7 @@ index 554bef7..d24791c 100644 struct intel_device_info { u8 gen; -@@ -312,7 +312,7 @@ typedef struct drm_i915_private { +@@ -318,7 +318,7 @@ typedef struct drm_i915_private { int current_page; int page_flipping; @@ -28187,7 +28194,7 @@ index 554bef7..d24791c 100644 /* protects the irq masks */ spinlock_t irq_lock; -@@ -887,7 +887,7 @@ struct drm_i915_gem_object { +@@ -893,7 +893,7 @@ struct drm_i915_gem_object { * will be page flipped away on the next vblank. When it * reaches 0, dev_priv->pending_flip_queue will be woken up. */ @@ -28196,7 +28203,7 @@ index 554bef7..d24791c 100644 }; #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base) -@@ -1267,7 +1267,7 @@ extern int intel_setup_gmbus(struct drm_device *dev); +@@ -1273,7 +1273,7 @@ extern int intel_setup_gmbus(struct drm_device *dev); extern void intel_teardown_gmbus(struct drm_device *dev); extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed); extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit); @@ -28231,7 +28238,7 @@ index b9da890..cad1d98 100644 for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index b40004b..7c53a75 100644 +index d47a53b..61154c2 100644 
--- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c @@ -475,7 +475,7 @@ static irqreturn_t ivybridge_irq_handler(DRM_IRQ_ARGS) @@ -28261,7 +28268,7 @@ index b40004b..7c53a75 100644 iir = I915_READ(IIR); -@@ -1743,7 +1743,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) +@@ -1750,7 +1750,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; @@ -28270,7 +28277,7 @@ index b40004b..7c53a75 100644 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func); INIT_WORK(&dev_priv->error_work, i915_error_work_func); -@@ -1931,7 +1931,7 @@ static void i915_driver_irq_preinstall(struct drm_device * dev) +@@ -1938,7 +1938,7 @@ static void i915_driver_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -28485,7 +28492,7 @@ index 2f6daae..c9d7b9e 100644 } diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c -index 5f0bc57..eb9fac8 100644 +index 7ce3fde..cb3ea04 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -314,7 +314,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv, @@ -28649,7 +28656,7 @@ index 8227e76..ce0b195 100644 /* * Asic structures diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 9b39145..389b93b 100644 +index 9231564..78b00fd 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c @@ -687,7 +687,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) 
@@ -30768,6 +30775,19 @@ index a3bd163..8956575 100644 typedef struct _diva_os_xdi_adapter { struct list_head link; +diff --git a/drivers/isdn/i4l/isdn_net.c b/drivers/isdn/i4l/isdn_net.c +index 2339d73..802ab87 100644 +--- a/drivers/isdn/i4l/isdn_net.c ++++ b/drivers/isdn/i4l/isdn_net.c +@@ -1901,7 +1901,7 @@ static int isdn_net_header(struct sk_buff *skb, struct net_device *dev, + { + isdn_net_local *lp = netdev_priv(dev); + unsigned char *p; +- ushort len = 0; ++ int len = 0; + + switch (lp->p_encap) { + case ISDN_NET_ENCAP_ETHER: diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c index 1f355bb..43f1fea 100644 --- a/drivers/isdn/icn/icn.c @@ -35299,7 +35319,7 @@ index ed147c4..94fc3c6 100644 /* core tmem accessor functions */ diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index 8599545..7761358 100644 +index 0c1d5c73..88e90a8 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -1364,7 +1364,7 @@ static int iscsit_handle_data_out(struct iscsi_conn *conn, unsigned char *buf) @@ -35343,7 +35363,7 @@ index 6845228..df77141 100644 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count); diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index e87d0eb..856cbcc 100644 +index 861628e..659ae80 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -1343,7 +1343,7 @@ struct se_device *transport_add_device_to_core_hba( @@ -35385,7 +35405,7 @@ index e87d0eb..856cbcc 100644 cmd->t_task_list_num) atomic_set(&cmd->t_transport_sent, 1); -@@ -4260,7 +4260,7 @@ bool transport_wait_for_tasks(struct se_cmd *cmd) +@@ -4273,7 +4273,7 @@ bool transport_wait_for_tasks(struct se_cmd *cmd) atomic_set(&cmd->transport_lun_stop, 0); } if (!atomic_read(&cmd->t_transport_active) || 
@@ -35394,7 +35414,7 @@ index e87d0eb..856cbcc 100644 spin_unlock_irqrestore(&cmd->t_state_lock, flags); return false; } -@@ -4509,7 +4509,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status) +@@ -4522,7 +4522,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status) { int ret = 0; @@ -35403,7 +35423,7 @@ index e87d0eb..856cbcc 100644 if (!send_status || (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS)) return 1; -@@ -4546,7 +4546,7 @@ void transport_send_task_abort(struct se_cmd *cmd) +@@ -4559,7 +4559,7 @@ void transport_send_task_abort(struct se_cmd *cmd) */ if (cmd->data_direction == DMA_TO_DEVICE) { if (cmd->se_tfo->write_pending_status(cmd) != 0) { @@ -35872,7 +35892,7 @@ index a605549..6bd3c96 100644 } diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c -index 5e096f4..0da1363 100644 +index 65447c5..0526f0a 100644 --- a/drivers/tty/vt/vt_ioctl.c +++ b/drivers/tty/vt/vt_ioctl.c @@ -207,9 +207,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm, struct kbd_str @@ -39597,7 +39617,7 @@ index a6395bd..a5b24c4 100644 fd_offset + ex.a_text); up_write(¤t->mm->mmap_sem); diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 21ac5ee..c1090ea 100644 +index 21ac5ee..31d14e9 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -32,6 +32,7 @@ @@ -39625,7 +39645,7 @@ index 21ac5ee..c1090ea 100644 .core_dump = elf_core_dump, + +#ifdef CONFIG_PAX_MPROTECT -+ .handle_mprotect= elf_handle_mprotect, ++ .handle_mprotect= elf_handle_mprotect, +#endif + .min_coredump = ELF_EXEC_PAGESIZE, @@ -39728,7 +39748,7 @@ index 21ac5ee..c1090ea 100644 error = -ENOMEM; goto out_close; } -@@ -528,6 +552,348 @@ out: +@@ -528,6 +552,351 @@ out: return error; } @@ -39917,6 +39937,7 @@ index 21ac5ee..c1090ea 100644 + return ~0UL; +} + ++#ifdef CONFIG_PAX_XATTR_PAX_FLAGS +static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode) +{ + unsigned long pax_flags = 0UL; 
@@ -39998,6 +40019,7 @@ index 21ac5ee..c1090ea 100644 + + return pax_flags; +} ++#endif + +static unsigned long pax_parse_xattr_pax(struct file * const file) +{ @@ -40046,6 +40068,7 @@ index 21ac5ee..c1090ea 100644 +#else + return ~0UL; +#endif ++ +} + +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS) @@ -40077,7 +40100,7 @@ index 21ac5ee..c1090ea 100644 /* * These are the functions used to load ELF style executables and shared * libraries. There is no binary dependent code anywhere else. -@@ -544,6 +910,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) +@@ -544,6 +913,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) { unsigned int random_variable = 0; @@ -40089,7 +40112,7 @@ index 21ac5ee..c1090ea 100644 if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) { random_variable = get_random_int() & STACK_RND_MASK; -@@ -562,7 +933,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -562,7 +936,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long load_addr = 0, load_bias = 0; int load_addr_set = 0; char * elf_interpreter = NULL; @@ -40098,7 +40121,7 @@ index 21ac5ee..c1090ea 100644 struct elf_phdr *elf_ppnt, *elf_phdata; unsigned long elf_bss, elf_brk; int retval, i; -@@ -572,11 +943,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -572,11 +946,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long start_code, end_code, start_data, end_data; unsigned long reloc_func_desc __maybe_unused = 0; int executable_stack = EXSTACK_DEFAULT; 
@@ -40111,7 +40134,7 @@ index 21ac5ee..c1090ea 100644 loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -713,11 +1084,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -713,11 +1087,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) /* OK, This is the point of no return */ current->flags &= ~PF_FORKNOEXEC; @@ -40194,7 +40217,7 @@ index 21ac5ee..c1090ea 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -808,6 +1249,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -808,6 +1252,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) #else load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); #endif @@ -40215,7 +40238,7 @@ index 21ac5ee..c1090ea 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -840,9 +1295,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -840,9 +1298,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -40228,7 +40251,7 @@ index 21ac5ee..c1090ea 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -870,6 +1325,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -870,6 +1328,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) start_data += load_bias; end_data += load_bias; 
@@ -40240,7 +40263,7 @@ index 21ac5ee..c1090ea 100644 /* Calling set_brk effectively mmaps the pages that we need * for the bss and break sections. We must do this before * mapping in the interpreter, to make sure it doesn't wind -@@ -881,9 +1341,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -881,9 +1344,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { @@ -40255,7 +40278,7 @@ index 21ac5ee..c1090ea 100644 } if (elf_interpreter) { -@@ -1098,7 +1560,7 @@ out: +@@ -1098,7 +1563,7 @@ out: * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -40264,7 +40287,7 @@ index 21ac5ee..c1090ea 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1132,7 +1594,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1132,7 +1597,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -40273,7 +40296,7 @@ index 21ac5ee..c1090ea 100644 goto whole; /* -@@ -1354,9 +1816,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1354,9 +1819,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; @@ -40285,7 +40308,7 @@ index 21ac5ee..c1090ea 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1862,14 +2324,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, +@@ -1862,14 +2327,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum, } static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma, 
@@ -40302,7 +40325,7 @@ index 21ac5ee..c1090ea 100644 return size; } -@@ -1963,7 +2425,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1963,7 +2428,7 @@ static int elf_core_dump(struct coredump_params *cprm) dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE); @@ -40311,7 +40334,7 @@ index 21ac5ee..c1090ea 100644 offset += elf_core_extra_data_size(); e_shoff = offset; -@@ -1977,10 +2439,12 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1977,10 +2442,12 @@ static int elf_core_dump(struct coredump_params *cprm) offset = dataoff; size += sizeof(*elf); @@ -40324,7 +40347,7 @@ index 21ac5ee..c1090ea 100644 if (size > cprm->limit || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note))) goto end_coredump; -@@ -1994,7 +2458,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -1994,7 +2461,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -40333,7 +40356,7 @@ index 21ac5ee..c1090ea 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2005,6 +2469,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2005,6 +2472,7 @@ static int elf_core_dump(struct coredump_params *cprm) phdr.p_align = ELF_EXEC_PAGESIZE; size += sizeof(phdr); @@ -40341,7 +40364,7 @@ index 21ac5ee..c1090ea 100644 if (size > cprm->limit || !dump_write(cprm->file, &phdr, sizeof(phdr))) goto end_coredump; -@@ -2029,7 +2494,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2029,7 +2497,7 @@ static int elf_core_dump(struct coredump_params *cprm) unsigned long addr; unsigned long end; 
@@ -40350,7 +40373,7 @@ index 21ac5ee..c1090ea 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2038,6 +2503,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2038,6 +2506,7 @@ static int elf_core_dump(struct coredump_params *cprm) page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -40358,7 +40381,7 @@ index 21ac5ee..c1090ea 100644 stop = ((size += PAGE_SIZE) > cprm->limit) || !dump_write(cprm->file, kaddr, PAGE_SIZE); -@@ -2055,6 +2521,7 @@ static int elf_core_dump(struct coredump_params *cprm) +@@ -2055,6 +2524,7 @@ static int elf_core_dump(struct coredump_params *cprm) if (e_phnum == PN_XNUM) { size += sizeof(*shdr4extnum); @@ -40366,7 +40389,7 @@ index 21ac5ee..c1090ea 100644 if (size > cprm->limit || !dump_write(cprm->file, shdr4extnum, sizeof(*shdr4extnum))) -@@ -2075,6 +2542,97 @@ out: +@@ -2075,6 +2545,97 @@ out: #endif /* CONFIG_ELF_CORE */ @@ -41396,7 +41419,7 @@ index 0dc5a3d..d3cdeea 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c -index 54eb14c..e51b453 100644 +index 608c1c3..7d040a8 100644 --- a/fs/ecryptfs/read_write.c +++ b/fs/ecryptfs/read_write.c @@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *ecryptfs_inode, char *data, 
@@ -41408,30 +41431,7 @@ index 54eb14c..e51b453 100644 set_fs(fs_save); mark_inode_dirty_sync(ecryptfs_inode); return rc; -@@ -130,7 +130,12 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, - pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); - size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); - size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); -- size_t total_remaining_bytes = ((offset + size) - pos); -+ loff_t total_remaining_bytes = ((offset + size) - pos); -+ -+ if (fatal_signal_pending(current)) { -+ rc = -EINTR; -+ break; -+ } - - if (fatal_signal_pending(current)) { - rc = -EINTR; -@@ -141,7 +146,7 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, - num_bytes = total_remaining_bytes; - if (pos < offset) { - /* remaining zeros to write, up to destination offset */ -- size_t total_remaining_zeros = (offset - pos); -+ loff_t total_remaining_zeros = (offset - pos); - - if (num_bytes > total_remaining_zeros) - num_bytes = total_remaining_zeros; -@@ -244,7 +249,7 @@ int ecryptfs_read_lower(char *data, loff_t offset, size_t size, +@@ -244,7 +244,7 @@ int ecryptfs_read_lower(char *data, loff_t offset, size_t size, return -EIO; fs_save = get_fs(); set_fs(get_ds()); @@ -41441,7 +41441,7 @@ index 54eb14c..e51b453 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 3625464..fac01f4 100644 +index 3625464..7949233 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,28 @@ 
@@ -41678,7 +41678,68 @@ index 3625464..fac01f4 100644 set_fs(old_fs); return result; } -@@ -1247,7 +1268,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1067,6 +1088,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) + perf_event_comm(tsk); + } + ++static void filename_to_taskname(char *tcomm, const char *fn, unsigned int len) ++{ ++ int i, ch; ++ ++ /* Copies the binary name from after last slash */ ++ for (i = 0; (ch = *(fn++)) != '\0';) { ++ if (ch == '/') ++ i = 0; /* overwrite what we wrote */ ++ else ++ if (i < len - 1) ++ tcomm[i++] = ch; ++ } ++ tcomm[i] = '\0'; ++} ++ + int flush_old_exec(struct linux_binprm * bprm) + { + int retval; +@@ -1081,6 +1117,7 @@ int flush_old_exec(struct linux_binprm * bprm) + + set_mm_exe_file(bprm->mm, bprm->file); + ++ filename_to_taskname(bprm->tcomm, bprm->filename, sizeof(bprm->tcomm)); + /* + * Release all of the old mmap stuff + */ +@@ -1112,10 +1149,6 @@ EXPORT_SYMBOL(would_dump); + + void setup_new_exec(struct linux_binprm * bprm) + { +- int i, ch; +- const char *name; +- char tcomm[sizeof(current->comm)]; +- + arch_pick_mmap_layout(current->mm); + + /* This is the point of no return */ +@@ -1126,18 +1159,7 @@ void setup_new_exec(struct linux_binprm * bprm) + else + set_dumpable(current->mm, suid_dumpable); + +- name = bprm->filename; +- +- /* Copies the binary name from after last slash */ +- for (i=0; (ch = *(name++)) != '\0';) { +- if (ch == '/') +- i = 0; /* overwrite what we wrote */ +- else +- if (i < (sizeof(tcomm) - 1)) +- tcomm[i++] = ch; +- } +- tcomm[i] = '\0'; +- set_task_comm(current, tcomm); ++ set_task_comm(current, bprm->tcomm); + + /* Set the new mm task size. We have to do that late because it may + * depend on TIF_32BIT which is only updated in flush_thread() on +@@ -1247,7 +1269,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); 
@@ -41687,7 +41748,18 @@ index 3625464..fac01f4 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1450,6 +1471,11 @@ static int do_execve_common(const char *filename, +@@ -1442,6 +1464,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + + EXPORT_SYMBOL(search_binary_handler); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++atomic64_unchecked_t global_exec_counter = ATOMIC64_INIT(0); ++#endif ++ + /* + * sys_execve() executes a new program. + */ +@@ -1450,6 +1476,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr envp, struct pt_regs *regs) { @@ -41699,7 +41771,7 @@ index 3625464..fac01f4 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1457,6 +1483,8 @@ static int do_execve_common(const char *filename, +@@ -1457,6 +1488,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -41708,7 +41780,7 @@ index 3625464..fac01f4 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1497,12 +1525,27 @@ static int do_execve_common(const char *filename, +@@ -1497,12 +1530,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -41736,7 +41808,7 @@ index 3625464..fac01f4 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1532,9 +1575,40 @@ static int do_execve_common(const char *filename, +@@ -1532,11 +1580,46 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; 
@@ -41777,8 +41849,14 @@ index 3625464..fac01f4 100644 +#endif /* execve succeeded */ ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ current->exec_id = atomic64_inc_return_unchecked(&global_exec_counter); ++#endif ++ current->fs->in_exec = 0; -@@ -1545,6 +1619,14 @@ static int do_execve_common(const char *filename, + current->in_execve = 0; + acct_update_integrals(current); +@@ -1545,6 +1628,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -41793,7 +41871,7 @@ index 3625464..fac01f4 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1618,7 +1700,7 @@ static int expand_corename(struct core_name *cn) +@@ -1618,7 +1709,7 @@ static int expand_corename(struct core_name *cn) { char *old_corename = cn->corename; @@ -41802,7 +41880,7 @@ index 3625464..fac01f4 100644 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); if (!cn->corename) { -@@ -1715,7 +1797,7 @@ static int format_corename(struct core_name *cn, long signr) +@@ -1715,7 +1806,7 @@ static int format_corename(struct core_name *cn, long signr) int pid_in_pattern = 0; int err = 0; @@ -41811,7 +41889,7 @@ index 3625464..fac01f4 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1812,6 +1894,218 @@ out: +@@ -1812,6 +1903,218 @@ out: return ispipe; } @@ -42030,7 +42108,7 @@ index 3625464..fac01f4 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2023,17 +2317,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2023,17 +2326,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -42053,7 +42131,7 @@ index 3625464..fac01f4 100644 pipe_unlock(pipe); } -@@ -2094,7 +2388,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2094,7 +2397,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; 
@@ -42062,7 +42140,7 @@ index 3625464..fac01f4 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2109,6 +2403,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2109,6 +2412,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -42072,7 +42150,7 @@ index 3625464..fac01f4 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2176,7 +2473,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2176,7 +2482,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -42081,7 +42159,7 @@ index 3625464..fac01f4 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2203,6 +2500,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2203,6 +2509,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -42090,7 +42168,7 @@ index 3625464..fac01f4 100644 if (cprm.limit < binfmt->min_coredump) goto fail_unlock; -@@ -2246,7 +2545,7 @@ close_fail: +@@ -2246,7 +2554,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -42099,7 +42177,7 @@ index 3625464..fac01f4 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2265,7 +2564,7 @@ fail: +@@ -2265,7 +2573,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -45174,7 +45252,7 @@ index 15af622..0e9f4467 100644 help Various /proc files exist to monitor process memory utilization: diff --git a/fs/proc/array.c b/fs/proc/array.c -index 3a1dafd..d41fc37 100644 +index 3a1dafd..1456746 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -60,6 +60,7 @@ 
@@ -45232,7 +45310,21 @@ index 3a1dafd..d41fc37 100644 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task, int whole) { -@@ -449,6 +480,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -378,6 +409,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + char tcomm[sizeof(task->comm)]; + unsigned long flags; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("stat"); ++ return 0; ++ } ++#endif ++ + state = *get_task_state(task); + vsize = eip = esp = 0; + permitted = ptrace_may_access(task, PTRACE_MODE_READ); +@@ -449,6 +487,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, gtime = task->gtime; } @@ -45252,7 +45344,7 @@ index 3a1dafd..d41fc37 100644 /* scale priority and nice values from timeslices to -20..20 */ /* to make it look like a "normal" Unix priority/nice value */ priority = task_prio(task); -@@ -489,9 +533,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -489,9 +540,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, vsize, mm ? get_mm_rss(mm) : 0, rsslim, @@ -45268,7 +45360,21 @@ index 3a1dafd..d41fc37 100644 esp, eip, /* The signal information here is obsolete. -@@ -544,3 +594,18 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, +@@ -535,6 +592,13 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, + unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0; + struct mm_struct *mm = get_task_mm(task); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("statm"); ++ return 0; ++ } ++#endif ++ + if (mm) { + size = task_statm(mm, &shared, &text, &data, &resident); + mmput(mm); +@@ -544,3 +608,18 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, return 0; } 
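Review bot: In the `proc_pid_statm` hunk for fs/proc/array.c, the added `exec_id` check returns after `struct mm_struct *mm = get_task_mm(task);` has already run, so the denied path skips the `mmput(mm)` that the normal path performs and leaves the reference held. Each rejected read of `statm` would then keep the target's mm pinned, which turns the new hardening check into a resource leak that the rejected reader can repeat. Either do the check before taking the reference (declare `struct mm_struct *mm;`, run the check, then `mm = get_task_mm(task);`) or release it on the early exit with `if (mm) mmput(mm);` before `return 0;`. As far as the hunks on this line show, the matching check in `do_task_stat` runs before any reference is taken. The end of `proc_pid_statm` lies outside the hunk.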
@@ -45288,7 +45394,7 @@ index 3a1dafd..d41fc37 100644 +} +#endif diff --git a/fs/proc/base.c b/fs/proc/base.c -index 1fc1dca..357b933 100644 +index 1ace83d..357b933 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -107,6 +107,22 @@ struct pid_entry { 
@@ -45428,164 +45534,19 @@ index 1fc1dca..357b933 100644 put_task_struct(task); } return allowed; -@@ -775,6 +793,13 @@ static int mem_open(struct inode* inode, struct file* file) - if (IS_ERR(mm)) - return PTR_ERR(mm); - -+ if (mm) { -+ /* ensure this mm_struct can't be freed */ -+ atomic_inc(&mm->mm_count); -+ /* but do not pin its memory */ -+ mmput(mm); -+ } -+ - /* OK to pass negative loff_t, we can catch out-of-range */ - file->f_mode |= FMODE_UNSIGNED_OFFSET; - file->private_data = mm; -@@ -782,57 +807,18 @@ static int mem_open(struct inode* inode, struct file* file) - return 0; - } - --static ssize_t mem_read(struct file * file, char __user * buf, -- size_t count, loff_t *ppos) -+static ssize_t mem_rw(struct file *file, char __user *buf, -+ size_t count, loff_t *ppos, int write) - { -- int ret; -- char *page; -- unsigned long src = *ppos; - struct mm_struct *mm = file->private_data; -- -- if (!mm) -- return 0; -- -- page = (char *)__get_free_page(GFP_TEMPORARY); -- if (!page) -- return -ENOMEM; -- -- ret = 0; -- -- while (count > 0) { -- int this_len, retval; -- -- this_len = (count > PAGE_SIZE) ? 
PAGE_SIZE : count; -- retval = access_remote_vm(mm, src, page, this_len, 0); -- if (!retval) { -- if (!ret) -- ret = -EIO; -- break; -- } -- -- if (copy_to_user(buf, page, retval)) { -- ret = -EFAULT; -- break; -- } -- -- ret += retval; -- src += retval; -- buf += retval; -- count -= retval; -- } -- *ppos = src; -- -- free_page((unsigned long) page); -- return ret; --} -- --static ssize_t mem_write(struct file * file, const char __user *buf, -- size_t count, loff_t *ppos) --{ -- int copied; -+ unsigned long addr = *ppos; -+ ssize_t copied; +@@ -797,6 +815,11 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + ssize_t copied; char *page; -- unsigned long dst = *ppos; -- struct mm_struct *mm = file->private_data; -+ + +#ifdef CONFIG_GRKERNSEC + if (write) + return -EPERM; +#endif - ++ if (!mm) return 0; -@@ -842,31 +828,54 @@ static ssize_t mem_write(struct file * file, const char __user *buf, - return -ENOMEM; - - copied = 0; -+ if (!atomic_inc_not_zero(&mm->mm_users)) -+ goto free; -+ - while (count > 0) { -- int this_len, retval; -+ int this_len = min_t(int, count, PAGE_SIZE); - -- this_len = (count > PAGE_SIZE) ? 
PAGE_SIZE : count; -- if (copy_from_user(page, buf, this_len)) { -+ if (write && copy_from_user(page, buf, this_len)) { - copied = -EFAULT; - break; - } -- retval = access_remote_vm(mm, dst, page, this_len, 1); -- if (!retval) { -+ -+ this_len = access_remote_vm(mm, addr, page, this_len, write); -+ if (!this_len) { - if (!copied) - copied = -EIO; - break; - } -- copied += retval; -- buf += retval; -- dst += retval; -- count -= retval; -+ -+ if (!write && copy_to_user(buf, page, this_len)) { -+ copied = -EFAULT; -+ break; -+ } -+ -+ buf += this_len; -+ addr += this_len; -+ copied += this_len; -+ count -= this_len; - } -- *ppos = dst; -+ *ppos = addr; - -+ mmput(mm); -+free: - free_page((unsigned long) page); - return copied; - } - -+static ssize_t mem_read(struct file *file, char __user *buf, -+ size_t count, loff_t *ppos) -+{ -+ return mem_rw(file, buf, count, ppos, 0); -+} -+ -+static ssize_t mem_write(struct file *file, const char __user *buf, -+ size_t count, loff_t *ppos) -+{ -+ return mem_rw(file, (char __user*)buf, count, ppos, 1); -+} -+ - loff_t mem_lseek(struct file *file, loff_t offset, int orig) - { - switch (orig) { -@@ -886,8 +895,8 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig) - static int mem_release(struct inode *inode, struct file *file) - { - struct mm_struct *mm = file->private_data; -- -- mmput(mm); -+ if (mm) -+ mmdrop(mm); - return 0; - } -@@ -911,6 +920,9 @@ static ssize_t environ_read(struct file *file, char __user *buf, +@@ -897,6 +920,9 @@ static ssize_t environ_read(struct file *file, char __user *buf, if (!task) goto out_no_task; 
@@ -45595,7 +45556,7 @@ index 1fc1dca..357b933 100644 ret = -ENOMEM; page = (char *)__get_free_page(GFP_TEMPORARY); if (!page) -@@ -1533,7 +1545,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd) +@@ -1519,7 +1545,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd) path_put(&nd->path); /* Are we allowed to snoop on the tasks file descriptors? */ @@ -45604,7 +45565,7 @@ index 1fc1dca..357b933 100644 goto out; error = PROC_I(inode)->op.proc_get_link(inode, &nd->path); -@@ -1572,8 +1584,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b +@@ -1558,8 +1584,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b struct path path; /* Are we allowed to snoop on the tasks file descriptors? */ @@ -45625,7 +45586,7 @@ index 1fc1dca..357b933 100644 error = PROC_I(inode)->op.proc_get_link(inode, &path); if (error) -@@ -1638,7 +1660,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t +@@ -1624,7 +1660,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t rcu_read_lock(); cred = __task_cred(task); inode->i_uid = cred->euid; @@ -45637,7 +45598,7 @@ index 1fc1dca..357b933 100644 rcu_read_unlock(); } security_task_to_inode(task, inode); -@@ -1656,6 +1682,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +@@ -1642,6 +1682,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) struct inode *inode = dentry->d_inode; struct task_struct *task; const struct cred *cred; 
@@ -45647,7 +45608,7 @@ index 1fc1dca..357b933 100644 generic_fillattr(inode, stat); -@@ -1663,13 +1692,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +@@ -1649,13 +1692,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) stat->uid = 0; stat->gid = 0; task = pid_task(proc_pid(inode), PIDTYPE_PID); @@ -45690,7 +45651,7 @@ index 1fc1dca..357b933 100644 } rcu_read_unlock(); return 0; -@@ -1706,11 +1763,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd) +@@ -1692,11 +1763,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd) if (task) { if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || @@ -45711,7 +45672,7 @@ index 1fc1dca..357b933 100644 rcu_read_unlock(); } else { inode->i_uid = 0; -@@ -1828,7 +1894,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) +@@ -1814,7 +1894,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) int fd = proc_fd(inode); if (task) { @@ -45721,7 +45682,7 @@ index 1fc1dca..357b933 100644 put_task_struct(task); } if (files) { -@@ -2096,11 +2163,21 @@ static const struct file_operations proc_fd_operations = { +@@ -2082,11 +2163,21 @@ static const struct file_operations proc_fd_operations = { */ static int proc_fd_permission(struct inode *inode, int mask) { @@ -45745,7 +45706,7 @@ index 1fc1dca..357b933 100644 return rv; } -@@ -2210,6 +2287,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, +@@ -2196,6 +2287,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, if (!task) goto out_no_task; @@ -45755,7 +45716,7 @@ index 1fc1dca..357b933 100644 /* * Yes, it does not scale. And it should not. Don't add * new entries into /proc/<tgid>/ without very good reasons. -@@ -2254,6 +2334,9 @@ static int proc_pident_readdir(struct file *filp, +@@ -2240,6 +2334,9 @@ static int proc_pident_readdir(struct file *filp, if (!task) goto out_no_task; 
@@ -45765,7 +45726,7 @@ index 1fc1dca..357b933 100644 ret = 0; i = filp->f_pos; switch (i) { -@@ -2524,7 +2607,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd) +@@ -2510,7 +2607,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd) static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie) { @@ -45774,7 +45735,7 @@ index 1fc1dca..357b933 100644 if (!IS_ERR(s)) __putname(s); } -@@ -2722,7 +2805,7 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2708,7 +2805,7 @@ static const struct pid_entry tgid_base_stuff[] = { REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -45783,7 +45744,7 @@ index 1fc1dca..357b933 100644 INF("syscall", S_IRUGO, proc_pid_syscall), #endif INF("cmdline", S_IRUGO, proc_pid_cmdline), -@@ -2747,10 +2830,10 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2733,10 +2830,10 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -45796,7 +45757,7 @@ index 1fc1dca..357b933 100644 ONE("stack", S_IRUGO, proc_pid_stack), #endif #ifdef CONFIG_SCHEDSTATS -@@ -2784,6 +2867,9 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2770,6 +2867,9 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_HARDWALL INF("hardwall", S_IRUGO, proc_pid_hardwall), #endif @@ -45806,7 +45767,7 @@ index 1fc1dca..357b933 100644 }; static int proc_tgid_base_readdir(struct file * filp, -@@ -2909,7 +2995,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir, +@@ -2895,7 +2995,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir, if (!inode) goto out; 
@@ -45821,7 +45782,7 @@ index 1fc1dca..357b933 100644 inode->i_op = &proc_tgid_base_inode_operations; inode->i_fop = &proc_tgid_base_operations; inode->i_flags|=S_IMMUTABLE; -@@ -2951,7 +3044,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct +@@ -2937,7 +3044,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct if (!task) goto out; @@ -45833,7 +45794,7 @@ index 1fc1dca..357b933 100644 put_task_struct(task); out: return result; -@@ -3016,6 +3113,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) +@@ -3002,6 +3113,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) { unsigned int nr; struct task_struct *reaper; @@ -45845,7 +45806,7 @@ index 1fc1dca..357b933 100644 struct tgid_iter iter; struct pid_namespace *ns; -@@ -3039,8 +3141,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) +@@ -3025,8 +3141,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) for (iter = next_tgid(ns, iter); iter.task; iter.tgid += 1, iter = next_tgid(ns, iter)) { @@ -45874,7 +45835,7 @@ index 1fc1dca..357b933 100644 put_task_struct(iter.task); goto out; } -@@ -3068,7 +3189,7 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3054,7 +3189,7 @@ static const struct pid_entry tid_base_stuff[] = { REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -45883,7 +45844,7 @@ index 1fc1dca..357b933 100644 INF("syscall", S_IRUGO, proc_pid_syscall), #endif INF("cmdline", S_IRUGO, proc_pid_cmdline), -@@ -3092,10 +3213,10 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3078,10 +3213,10 @@ static const struct pid_entry tid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -46216,10 +46177,18 @@ index 03102d9..4ae347e 100644 } 
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 7dcd2a2..d1d9cb6 100644 +index 7dcd2a2..b2f410e 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c -@@ -52,8 +52,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) +@@ -11,6 +11,7 @@ + #include <linux/rmap.h> + #include <linux/swap.h> + #include <linux/swapops.h> ++#include <linux/grsecurity.h> + + #include <asm/elf.h> + #include <asm/uaccess.h> +@@ -52,8 +53,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) "VmExe:\t%8lu kB\n" "VmLib:\t%8lu kB\n" "VmPTE:\t%8lu kB\n" @@ -46235,7 +46204,7 @@ index 7dcd2a2..d1d9cb6 100644 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10), mm->locked_vm << (PAGE_SHIFT-10), mm->pinned_vm << (PAGE_SHIFT-10), -@@ -62,7 +67,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) +@@ -62,7 +68,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) data << (PAGE_SHIFT-10), mm->stack_vm << (PAGE_SHIFT-10), text, lib, (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10, @@ -46250,7 +46219,7 @@ index 7dcd2a2..d1d9cb6 100644 } unsigned long task_vsize(struct mm_struct *mm) -@@ -209,6 +220,12 @@ static int do_maps_open(struct inode *inode, struct file *file, +@@ -209,6 +221,12 @@ static int do_maps_open(struct inode *inode, struct file *file, return ret; } @@ -46263,7 +46232,7 @@ index 7dcd2a2..d1d9cb6 100644 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) { struct mm_struct *mm = vma->vm_mm; -@@ -227,13 +244,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -227,13 +245,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; } 
@@ -46282,7 +46251,7 @@ index 7dcd2a2..d1d9cb6 100644 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n", start, -@@ -242,7 +259,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -242,7 +260,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) flags & VM_WRITE ? 'w' : '-', flags & VM_EXEC ? 'x' : '-', flags & VM_MAYSHARE ? 's' : 'p', @@ -46294,7 +46263,7 @@ index 7dcd2a2..d1d9cb6 100644 MAJOR(dev), MINOR(dev), ino, &len); /* -@@ -251,7 +272,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -251,7 +273,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) */ if (file) { pad_len_spaces(m, len); @@ -46303,7 +46272,7 @@ index 7dcd2a2..d1d9cb6 100644 } else { const char *name = arch_vma_name(vma); if (!name) { -@@ -259,8 +280,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -259,8 +281,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) { name = "[heap]"; @@ -46315,9 +46284,30 @@ index 7dcd2a2..d1d9cb6 100644 name = "[stack]"; } } else { -@@ -435,11 +457,16 @@ static int show_smap(struct seq_file *m, void *v) +@@ -281,6 +304,13 @@ static int show_map(struct seq_file *m, void *v) + struct proc_maps_private *priv = m->private; + struct task_struct *task = priv->task; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("maps"); ++ return 0; ++ } ++#endif ++ + show_map_vma(m, vma); + + if (m->count < m->size) /* vma is copied successfully */ +@@ -434,12 +464,23 @@ static int show_smap(struct seq_file *m, void *v) + .private = &mss, }; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("smaps"); ++ return 0; ++ } ++#endif memset(&mss, 0, sizeof mss); - mss.vma = vma; - /* mmap_sem is held in m_start */ 
@@ -46337,7 +46327,7 @@ index 7dcd2a2..d1d9cb6 100644 show_map_vma(m, vma); seq_printf(m, -@@ -457,7 +484,11 @@ static int show_smap(struct seq_file *m, void *v) +@@ -457,7 +498,11 @@ static int show_smap(struct seq_file *m, void *v) "KernelPageSize: %8lu kB\n" "MMUPageSize: %8lu kB\n" "Locked: %8lu kB\n", @@ -46349,7 +46339,29 @@ index 7dcd2a2..d1d9cb6 100644 mss.resident >> 10, (unsigned long)(mss.pss >> (10 + PSS_SHIFT)), mss.shared_clean >> 10, -@@ -1036,7 +1067,7 @@ static int show_numa_map(struct seq_file *m, void *v) +@@ -1015,6 +1060,13 @@ static int show_numa_map(struct seq_file *m, void *v) + int n; + char buffer[50]; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("numa_maps"); ++ return 0; ++ } ++#endif ++ + if (!mm) + return 0; + +@@ -1032,11 +1084,15 @@ static int show_numa_map(struct seq_file *m, void *v) + mpol_to_str(buffer, sizeof(buffer), pol, 0); + mpol_cond_put(pol); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ seq_printf(m, "%08lx %s", PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : vma->vm_start, buffer); ++#else + seq_printf(m, "%08lx %s", vma->vm_start, buffer); ++#endif if (file) { seq_printf(m, " file="); @@ -46551,10 +46563,20 @@ index d33418f..2a5345e 100644 return -EINVAL; diff --git a/fs/seq_file.c b/fs/seq_file.c -index dba43c3..a99fb63 100644 +index dba43c3..1dfaf14 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c -@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -40,6 +40,9 @@ int seq_open(struct file *file, const struct seq_operations *op) + memset(p, 0, sizeof(*p)); + mutex_init(&p->lock); + p->op = op; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ p->exec_id = current->exec_id; ++#endif + + /* + * Wrappers around seq_open(e.g. swaps_open) need to be +@@ -76,7 +79,8 @@ static int traverse(struct seq_file *m, loff_t offset) return 0; } if (!m->buf) { 
@@ -46564,7 +46586,7 @@ index dba43c3..a99fb63 100644 if (!m->buf) return -ENOMEM; } -@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -116,7 +120,8 @@ static int traverse(struct seq_file *m, loff_t offset) Eoverflow: m->op->stop(m, p); kfree(m->buf); @@ -46574,7 +46596,7 @@ index dba43c3..a99fb63 100644 return !m->buf ? -ENOMEM : -EAGAIN; } -@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -169,7 +174,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) m->version = file->f_version; /* grab buffer if we didn't have one */ if (!m->buf) { @@ -46584,7 +46606,7 @@ index dba43c3..a99fb63 100644 if (!m->buf) goto Enomem; } -@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -210,7 +216,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) goto Fill; m->op->stop(m, p); kfree(m->buf); @@ -46594,7 +46616,7 @@ index dba43c3..a99fb63 100644 if (!m->buf) goto Enomem; m->count = 0; -@@ -549,7 +553,7 @@ static void single_stop(struct seq_file *p, void *v) +@@ -549,7 +556,7 @@ static void single_stop(struct seq_file *p, void *v) int single_open(struct file *file, int (*show)(struct seq_file *, void *), void *data) { @@ -47011,10 +47033,10 @@ index 23ce927..e274cc1 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..dfd3d34 +index 0000000..8faa28b --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1069 @@ +@@ -0,0 +1,1073 @@ +# +# grecurity configuration +# 
@@ -47285,6 +47307,10 @@ index 0000000..dfd3d34 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will + give no information about the addresses of its mappings if + PaX features that rely on random addresses are enabled on the task. ++ In addition to sanitizing this information and disabling other ++ dangerous sources of information, this option causes reads of sensitive ++ /proc/<pid> entries where the file descriptor was opened in a different ++ task than the one performing the read. Such attempts are logged. + If you use PaX it is greatly recommended that you say Y here as it + closes up a hole that makes the full ASLR useless for suid + binaries. @@ -48086,10 +48112,10 @@ index 0000000..dfd3d34 +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..be9ae3a +index 0000000..1b9afa9 --- /dev/null +++ b/grsecurity/Makefile -@@ -0,0 +1,36 @@ +@@ -0,0 +1,38 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system @@ -48098,6 +48124,8 @@ index 0000000..be9ae3a +# are copyright Brad Spengler - Open Source Security, Inc., and released +# under the GPL v2 or higher + ++KBUILD_CFLAGS += -Werror ++ +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ + grsec_mount.o grsec_sig.o grsec_sysctl.o \ + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o @@ -48128,10 +48156,10 @@ index 0000000..be9ae3a +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..d3b423d +index 0000000..6e989da --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4155 @@ +@@ -0,0 +1,4163 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
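Review bot: The help lines added to the /proc memory-map option in grsecurity/Kconfig never state what happens to the affected reads: "this option causes reads of sensitive /proc/<pid> entries where the file descriptor was opened in a different task than the one performing the read" stops without an outcome. The checks this patch adds in fs/proc compare `exec_id` values, log, and return 0, and the new log string speaks of an "fd passed across exec", so "a different task" is also looser than what the code tests. Wording such as `this option causes reads of sensitive /proc/<pid> entries to return no data when the file descriptor was opened under a different exec than the one performing the read` would tell an administrator what to expect when the log entry appears.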
@@ -50600,6 +50628,8 @@ index 0000000..d3b423d + } +} + ++extern int gr_acl_is_capable(const int cap); ++ +void +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid) +{ @@ -50621,6 +50651,12 @@ index 0000000..d3b423d + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL)) + role = lookup_acl_role_label(task, uid, gid); + ++ /* don't change the role if we're not a privileged process */ ++ if (role && task->role != role && ++ (((role->roletype & GR_ROLE_USER) && gr_acl_is_capable(CAP_SETUID)) || ++ ((role->roletype & GR_ROLE_GROUP) && gr_acl_is_capable(CAP_SETGID)))) ++ return; ++ + /* perform subject lookup in possibly new role + we can use this result below in the case where role == task->role + */ @@ -55669,10 +55705,10 @@ index 0000000..a45d2e9 +} diff --git a/grsecurity/grsec_mem.c b/grsecurity/grsec_mem.c new file mode 100644 -index 0000000..6c0416b +index 0000000..f536303 --- /dev/null +++ b/grsecurity/grsec_mem.c -@@ -0,0 +1,33 @@ +@@ -0,0 +1,40 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/mm.h> @@ -55706,6 +55742,13 @@ index 0000000..6c0416b + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG); + return; +} ++ ++void ++gr_log_badprocpid(const char *entry) ++{ ++ gr_log_str(GR_DONT_AUDIT, GR_BADPROCPID_MSG, entry); ++ return; ++} diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c new file mode 100644 index 0000000..2131422 @@ -57568,10 +57611,27 @@ index 49a83ca..df96b54 100644 #undef __HANDLE_ITEM }; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h -index fd88a39..f4d0bad 100644 +index fd88a39..8a801b4 100644 --- a/include/linux/binfmts.h 
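Review bot: In the `gr_set_role_label` hunk for grsecurity/gracl.c, the added early return does not match its own comment. The comment says the role is left unchanged for a process that is not privileged, but the condition returns when `gr_acl_is_capable(CAP_SETUID)` or `gr_acl_is_capable(CAP_SETGID)` is true. The helper's definition is outside this hunk; if it returns non-zero when the capability is granted, as the name suggests, the test is inverted and should read `(role->roletype & GR_ROLE_USER) && !gr_acl_is_capable(CAP_SETUID)`, with `!gr_acl_is_capable(CAP_SETGID)` for the group case. If the helper instead returns zero on success, the comment should say so, because this branch decides which tasks may switch RBAC roles. The rest of `gr_set_role_label` lies outside the hunk.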
+++ b/include/linux/binfmts.h -@@ -88,6 +88,7 @@ struct linux_binfmt { +@@ -18,7 +18,7 @@ struct pt_regs; + #define BINPRM_BUF_SIZE 128 + + #ifdef __KERNEL__ +-#include <linux/list.h> ++#include <linux/sched.h> + + #define CORENAME_MAX_SIZE 128 + +@@ -58,6 +58,7 @@ struct linux_binprm { + unsigned interp_flags; + unsigned interp_data; + unsigned long loader, exec; ++ char tcomm[TASK_COMM_LEN]; + }; + + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0 +@@ -88,6 +89,7 @@ struct linux_binfmt { int (*load_binary)(struct linux_binprm *, struct pt_regs * regs); int (*load_shlib)(struct file *); int (*core_dump)(struct coredump_params *cprm); @@ -58896,10 +58956,10 @@ index 0000000..da390f1 +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..7f62b30 +index 0000000..8b9ed56 --- /dev/null +++ b/include/linux/grmsg.h -@@ -0,0 +1,109 @@ +@@ -0,0 +1,110 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -59009,12 +59069,13 @@ index 0000000..7f62b30 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by " +#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by " +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " ++#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..cb9f1c1 +index 0000000..10c8ced --- /dev/null 
+++ b/include/linux/grsecurity.h -@@ -0,0 +1,227 @@ +@@ -0,0 +1,229 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -59231,6 +59292,8 @@ index 0000000..cb9f1c1 +void gr_handle_vm86(void); +void gr_handle_mem_readwrite(u64 from, u64 to); + ++void gr_log_badprocpid(const char *entry); ++ +extern int grsec_enable_dmesg; +extern int grsec_disable_privio; +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK @@ -60311,7 +60374,7 @@ index 2148b12..519b820 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, diff --git a/include/linux/sched.h b/include/linux/sched.h -index 1c4f3e9..f29cbeb 100644 +index 1c4f3e9..dafcd27 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio_list; @@ -60420,13 +60483,16 @@ index 1c4f3e9..f29cbeb 100644 #ifdef CONFIG_DEBUG_MUTEXES /* mutex deadlock detection */ struct mutex_waiter *blocked_on; -@@ -1540,6 +1566,24 @@ struct task_struct { +@@ -1540,6 +1566,27 @@ struct task_struct { unsigned long default_timer_slack_ns; struct list_head *scm_work_list; + +#ifdef CONFIG_GRKERNSEC + /* grsecurity */ ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ long long exec_id; ++#endif +#ifdef CONFIG_GRKERNSEC_SETXID + const struct cred *delayed_cred; +#endif @@ -60445,7 +60511,7 @@ index 1c4f3e9..f29cbeb 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack */ int curr_ret_stack; -@@ -1574,6 +1618,51 @@ struct task_struct { +@@ -1574,6 +1621,51 @@ struct task_struct { #endif }; @@ -60497,7 +60563,7 @@ index 1c4f3e9..f29cbeb 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2081,7 +2170,9 @@ void yield(void); +@@ -2081,7 +2173,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { 
@@ -60507,7 +60573,7 @@ index 1c4f3e9..f29cbeb 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2114,6 +2205,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2114,6 +2208,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -60515,7 +60581,7 @@ index 1c4f3e9..f29cbeb 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2235,6 +2327,12 @@ static inline void mmdrop(struct mm_struct * mm) +@@ -2235,6 +2330,12 @@ static inline void mmdrop(struct mm_struct * mm) extern void mmput(struct mm_struct *); /* Grab a reference to a task's mm, if it is not already going away */ extern struct mm_struct *get_task_mm(struct task_struct *task); @@ -60528,7 +60594,7 @@ index 1c4f3e9..f29cbeb 100644 /* Remove the current tasks stale references to the old mm_struct */ extern void mm_release(struct task_struct *, struct mm_struct *); /* Allocate a new mm structure and copy contents from tsk->mm */ -@@ -2251,7 +2349,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2251,7 +2352,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -60537,7 +60603,7 @@ index 1c4f3e9..f29cbeb 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2416,13 +2514,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2416,13 +2517,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -60584,10 +60650,20 @@ index e8c619d..e0cbd1c 100644 /* Maximum number of letters for an LSM name string */ diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h -index 0b69a46..e9e5538 100644 +index 0b69a46..4796016 100644 --- a/include/linux/seq_file.h 
+++ b/include/linux/seq_file.h -@@ -33,6 +33,7 @@ struct seq_operations { +@@ -24,6 +24,9 @@ struct seq_file { + struct mutex lock; + const struct seq_operations *op; + int poll_event; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ long long exec_id; ++#endif + void *private; + }; + +@@ -33,6 +36,7 @@ struct seq_operations { void * (*next) (struct seq_file *m, void *v, loff_t *pos); int (*show) (struct seq_file *m, void *v); }; @@ -62209,7 +62285,7 @@ index 2531811..040d4d4 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index 217ed23..32e5731 100644 +index 217ed23..ec5406f 100644 --- a/init/main.c +++ b/init/main.c @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { } @@ -62238,7 +62314,7 @@ index 217ed23..32e5731 100644 + unsigned int cpu; + struct desc_struct *gdt; + -+ for (cpu = 0; cpu < NR_CPUS; cpu++) { ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { + gdt = get_cpu_gdt_table(cpu); + gdt[GDT_ENTRY_KERNEL_DS].type = 3; + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf; @@ -63246,7 +63322,7 @@ index e6e01b9..619f837 100644 if (group_dead) diff --git a/kernel/fork.c b/kernel/fork.c -index da4a6a1..0973380 100644 +index da4a6a1..0483b61 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -280,7 +280,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) 
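Review bot: In the init/main.c hunk, the rewritten loop `for (cpu = 0; cpu < nr_cpu_ids; cpu++)` still calls get_cpu_gdt_table(cpu) for every ID below the limit, including any IDs that are not in the possible-CPU mask. `for_each_possible_cpu(cpu) {` would visit only CPUs that have per-CPU data set up, and it is the usual idiom for a per-CPU fix-up like this one. Whether get_cpu_gdt_table() is safe for a non-possible ID cannot be seen from here, so treat this as a robustness and style point rather than a confirmed fault. The enclosing function starts and ends outside the hunk.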
@@ -63516,16 +63592,20 @@ index da4a6a1..0973380 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && -@@ -1256,6 +1317,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1256,6 +1317,12 @@ static struct task_struct *copy_process(unsigned long clone_flags, if (clone_flags & CLONE_THREAD) p->tgid = current->tgid; + gr_copy_label(p); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ p->exec_id = current->exec_id; ++#endif ++ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; /* * Clear TID on mm_release()? -@@ -1418,6 +1481,8 @@ bad_fork_cleanup_count: +@@ -1418,6 +1485,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -63534,7 +63614,7 @@ index da4a6a1..0973380 100644 return ERR_PTR(retval); } -@@ -1518,6 +1583,8 @@ long do_fork(unsigned long clone_flags, +@@ -1518,6 +1587,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -63543,7 +63623,7 @@ index da4a6a1..0973380 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1627,7 +1694,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1627,7 +1698,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -63552,7 +63632,7 @@ index da4a6a1..0973380 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1716,7 +1783,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1716,7 +1787,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -63945,7 +64025,7 @@ index a4bea97..7a1ae9a 100644 /* * If ret is 0, either ____call_usermodehelper failed and the 
diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index 52fd049..3def6a8 100644 +index faa39d1..d7ad37e 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c) @@ -63966,7 +64046,7 @@ index 52fd049..3def6a8 100644 kfree(kip); } return 1; -@@ -1949,7 +1949,7 @@ static int __init init_kprobes(void) +@@ -1953,7 +1953,7 @@ static int __init init_kprobes(void) { int i, err = 0; unsigned long offset = 0, size = 0; @@ -63975,7 +64055,7 @@ index 52fd049..3def6a8 100644 const char *symbol_name; void *addr; struct kprobe_blackpoint *kb; -@@ -2075,7 +2075,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v) +@@ -2079,7 +2079,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v) const char *sym = NULL; unsigned int i = *(loff_t *) v; unsigned long offset = 0; @@ -64893,7 +64973,7 @@ index b452599..5d68f4e 100644 atomic_set(&pd->refcnt, 0); pd->pinst = pinst; diff --git a/kernel/panic.c b/kernel/panic.c -index b2659360..5972a0f 100644 +index 3458469..342c500 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -78,7 +78,11 @@ NORET_TYPE void panic(const char * fmt, ...) @@ -64909,7 +64989,7 @@ index b2659360..5972a0f 100644 #endif /* -@@ -373,7 +377,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, +@@ -382,7 +386,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, const char *board; printk(KERN_WARNING "------------[ cut here ]------------\n"); @@ -64918,7 +64998,7 @@ index b2659360..5972a0f 100644 board = dmi_get_system_info(DMI_PRODUCT_NAME); if (board) printk(KERN_WARNING "Hardware name: %s\n", board); -@@ -428,7 +432,8 @@ EXPORT_SYMBOL(warn_slowpath_null); +@@ -437,7 +441,8 @@ EXPORT_SYMBOL(warn_slowpath_null); */ void __stack_chk_fail(void) { @@ -65125,7 +65205,7 @@ index d523593..68197a4 100644 register_sysrq_key('o', &sysrq_poweroff_op); return 0; 
diff --git a/kernel/power/process.c b/kernel/power/process.c -index addbbe5..f9e32e0 100644 +index 3d4b954..11af930 100644 --- a/kernel/power/process.c +++ b/kernel/power/process.c @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_only) @@ -65756,6 +65836,36 @@ index 9feffa4..54058df 100644 rdp->dynticks->dynticks_nesting, rdp->dynticks->dynticks_nmi_nesting, rdp->dynticks_fqs); +diff --git a/kernel/relay.c b/kernel/relay.c +index 226fade..b6f803a 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -164,10 +164,14 @@ depopulate: + */ + static struct rchan_buf *relay_create_buf(struct rchan *chan) + { +- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); ++ struct rchan_buf *buf; ++ ++ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) ++ return NULL; ++ ++ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); + if (!buf) + return NULL; +- + buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL); + if (!buf->padding) + goto free_buf; +@@ -574,6 +578,8 @@ struct rchan *relay_open(const char *base_filename, + + if (!(subbuf_size && n_subbufs)) + return NULL; ++ if (subbuf_size > UINT_MAX / n_subbufs) ++ return NULL; + + chan = kzalloc(sizeof(struct rchan), GFP_KERNEL); + if (!chan) diff --git a/kernel/resource.c b/kernel/resource.c index 7640b3a..5879283 100644 --- a/kernel/resource.c @@ -66181,7 +66291,7 @@ index 2c71d91..1021f81 100644 struct tasklet_struct *list; diff --git a/kernel/sys.c b/kernel/sys.c -index 481611f..4665125 100644 +index 481611f..0754d86 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) 
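Review bot: In relay_open() the added guard `if (subbuf_size > UINT_MAX / n_subbufs)` still admits a product right up to UINT_MAX, and the code that consumes `subbuf_size * n_subbufs` is outside the hunk. If that size is rounded up to a page multiple before allocation, a product within one page of the limit could still wrap on a 32-bit build, so this should be confirmed against the rest of the function. Leaving a page of headroom, `if (subbuf_size > (UINT_MAX - PAGE_SIZE) / n_subbufs) return NULL;`, would close that case. In relay_create_buf() the guard is separated from the `kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL)` it protects by the kzalloc, so a comment such as `/* keeps n_subbufs * sizeof(size_t *) below from wrapping */` would tie the two together. Both function bodies continue outside their hunks.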
@@ -66250,29 +66360,7 @@ index 481611f..4665125 100644 if (nsown_capable(CAP_SETUID)) { new->suid = new->uid = uid; if (uid != old->uid) { -@@ -775,9 +797,18 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) - - retval = -EPERM; - if (!nsown_capable(CAP_SETUID)) { -- if (ruid != (uid_t) -1 && ruid != old->uid && -- ruid != old->euid && ruid != old->suid) -- goto error; -+ // if RBAC is enabled, require CAP_SETUID to change -+ // uid to euid (from a suid binary, for instance) -+ // this is a hardening of normal permissions, not -+ // weakening -+ if (gr_acl_is_enabled()) { -+ if (ruid != (uid_t) -1 && ruid != old->uid) -+ goto error; -+ } else { -+ if (ruid != (uid_t) -1 && ruid != old->uid && -+ ruid != old->euid && ruid != old->suid) -+ goto error; -+ } - if (euid != (uid_t) -1 && euid != old->uid && - euid != old->euid && euid != old->suid) - goto error; -@@ -786,6 +817,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) +@@ -786,6 +808,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) goto error; } 
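Review bot: Dropping the RBAC-only real-uid check in setresuid() is a security-policy change that nothing in this commit documents. With the `gr_acl_is_enabled()` branch gone, a caller without CAP_SETUID is again held only to the stock rule, under which ruid may be set to the old uid, euid or suid. The next hunk does the same for rgid in setresgid(). The removed comment called this branch "a hardening of normal permissions", so deployments whose RBAC policy relied on it lose that restriction with what is titled a version upgrade. This presumably follows the upstream grsecurity release, but it deserves a line in the package notes, for example `grsecurity 201202131824 no longer restricts setresuid/setresgid ruid/rgid changes under RBAC`. The syscall bodies continue outside the hunk.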
@@ -66282,29 +66370,7 @@ index 481611f..4665125 100644 if (ruid != (uid_t) -1) { new->uid = ruid; if (ruid != old->uid) { -@@ -839,9 +873,18 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) - - retval = -EPERM; - if (!nsown_capable(CAP_SETGID)) { -- if (rgid != (gid_t) -1 && rgid != old->gid && -- rgid != old->egid && rgid != old->sgid) -- goto error; -+ // if RBAC is enabled, require CAP_SETGID to change -+ // gid to egid (from a sgid binary, for instance) -+ // this is a hardening of normal permissions, not -+ // weakening -+ if (gr_acl_is_enabled()) { -+ if (rgid != (gid_t) -1 && rgid != old->gid) -+ goto error; -+ } else { -+ if (rgid != (gid_t) -1 && rgid != old->gid && -+ rgid != old->egid && rgid != old->sgid) -+ goto error; -+ } - if (egid != (gid_t) -1 && egid != old->gid && - egid != old->egid && egid != old->sgid) - goto error; -@@ -850,6 +893,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) +@@ -850,6 +875,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) goto error; } @@ -66314,7 +66380,7 @@ index 481611f..4665125 100644 if (rgid != (gid_t) -1) new->gid = rgid; if (egid != (gid_t) -1) -@@ -896,6 +942,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) +@@ -896,6 +924,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) old = current_cred(); old_fsuid = old->fsuid; @@ -66324,7 +66390,7 @@ index 481611f..4665125 100644 if (uid == old->uid || uid == old->euid || uid == old->suid || uid == old->fsuid || nsown_capable(CAP_SETUID)) { -@@ -906,6 +955,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) +@@ -906,6 +937,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) } } @@ -66332,7 +66398,7 @@ index 481611f..4665125 100644 abort_creds(new); return old_fsuid; -@@ -932,12 +982,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) +@@ -932,12 +964,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) if (gid == old->gid || gid == old->egid || gid == old->sgid || gid == old->fsgid || nsown_capable(CAP_SETGID)) { 
@@ -66349,7 +66415,7 @@ index 481611f..4665125 100644 abort_creds(new); return old_fsgid; -@@ -1189,7 +1243,10 @@ static int override_release(char __user *release, int len) +@@ -1189,7 +1225,10 @@ static int override_release(char __user *release, int len) } v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; snprintf(buf, len, "2.6.%u%s", v, rest); @@ -66361,7 +66427,7 @@ index 481611f..4665125 100644 } return ret; } -@@ -1243,19 +1300,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) +@@ -1243,19 +1282,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) return -EFAULT; down_read(&uts_sem); @@ -66386,7 +66452,7 @@ index 481611f..4665125 100644 __OLD_UTS_LEN); error |= __put_user(0, name->machine + __OLD_UTS_LEN); up_read(&uts_sem); -@@ -1720,7 +1777,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, +@@ -1720,7 +1759,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = get_dumpable(me->mm); break; case PR_SET_DUMPABLE: @@ -67478,7 +67544,7 @@ index 011b110..b492af2 100644 from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs. diff --git a/mm/filemap.c b/mm/filemap.c -index 90286a4..f441caa 100644 +index 03c5b0e..a01e793 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -1770,7 +1770,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma) @@ -67544,7 +67610,7 @@ index 57d82c6..e9e0552 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 36b3d98..584cb54 100644 +index 33141f5..e56bef9 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -703,7 +703,7 @@ out: @@ -70726,7 +70792,7 @@ index 83311c9a..fcf8f86 100644 * ksize - get the actual amount of memory allocated for a given object * @objp: Pointer to the object diff --git a/mm/slob.c b/mm/slob.c -index 8105be4..579da9d 100644 +index 8105be4..e045f96 100644 --- a/mm/slob.c 
+++ b/mm/slob.c @@ -29,7 +29,7 @@ @@ -70917,7 +70983,7 @@ index 8105be4..579da9d 100644 + + type = "<process stack>"; + sp = slob_page(ptr); -+ if (!PageSlab((struct page*)sp)) { ++ if (!PageSlab((struct page *)sp)) { + if (object_is_on_stack(ptr, n) == -1) + goto report; + return; @@ -71314,7 +71380,7 @@ index 1a919f0..1739c9b 100644 static int __init slab_sysfs_init(void) { diff --git a/mm/swap.c b/mm/swap.c -index a91caf7..b887e735 100644 +index 55b266d..a532537 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -31,6 +31,7 @@ |