author | Natanael Copa <ncopa@alpinelinux.org> | 2012-02-27 12:31:24 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-02-27 12:33:06 +0000 |
commit | 8422fce75240ed1f247148de8170379221c48a8e (patch) | |
tree | 157ae9bb813feb9491d0eb9baa9955224436a0a9 /main | |
parent | ea8ed371e272752c9f53c461d5198a1347c47974 (diff) | |
main/linux-grsec: upgrade to grsecurity-2.9-3.2.7-201202261954 and enable drbd
Diffstat (limited to 'main')
-rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9-3.2.7-201202261954.patch (renamed from main/linux-grsec/grsecurity-2.2.2-3.2.7-201202202005.patch) | 524 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.x86 | 6 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.x86_64 | 6 |
4 files changed, 413 insertions, 133 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 90bf9d1be6..6eba993dcf 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -4,7 +4,7 @@ _flavor=grsec pkgname=linux-${_flavor} pkgver=3.2.7 _kernver=3.2 -pkgrel=0 +pkgrel=1 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2 http://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2 - grsecurity-2.2.2-3.2.7-201202202005.patch + grsecurity-2.9-3.2.7-201202261954.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -141,9 +141,9 @@ dev() { md5sums="7ceb61f87c097fc17509844b71268935 linux-3.2.tar.bz2 899624bffed6a19578613b672cc9483f patch-3.2.7.bz2 -1a1512cc453f2470a42968e015a26eff grsecurity-2.2.2-3.2.7-201202202005.patch +27f2e8898e796ff0301f3193e2ba76b3 grsecurity-2.9-3.2.7-201202261954.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch f3eda7112ef074a4121ec6de943c63ee x86-centaur-enable-cx8-for-via-eden-too.patch 62cc7d7b5ba7ef05b72ff91c0411c189 linux-3.0.x-regression-with-ipv4-routes-having-mtu.patch -339d4dd7f74b87d13adff5d2d2abf86a kernelconfig.x86 -68204744d18679153a2a1e932290f93d kernelconfig.x86_64" +a4e7d46b18ca1495a1605c8520d74ee3 kernelconfig.x86 +147306257d376f27799e9e72a303c80c kernelconfig.x86_64" diff --git a/main/linux-grsec/grsecurity-2.2.2-3.2.7-201202202005.patch b/main/linux-grsec/grsecurity-2.9-3.2.7-201202261954.patch index 816b75a7d9..5978e7ccc7 100644 --- a/main/linux-grsec/grsecurity-2.2.2-3.2.7-201202202005.patch +++ b/main/linux-grsec/grsecurity-2.9-3.2.7-201202261954.patch @@ -186,7 +186,7 @@ index 81c287f..d456d02 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index d1bdc90..e95fe1a 100644 +index d1bdc90..c985d2a 100644 --- a/Makefile +++ b/Makefile 
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ 
@@ -212,32 +212,34 @@ index d1bdc90..e95fe1a 100644 $(Q)$(MAKE) $(build)=scripts/basic $(Q)rm -f .tmp_quiet_recordmcount -@@ -564,6 +565,46 @@ else +@@ -564,6 +565,48 @@ else KBUILD_CFLAGS += -O2 endif +ifndef DISABLE_PAX_PLUGINS +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y) +ifndef DISABLE_PAX_CONSTIFY_PLUGIN -+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN ++CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN +endif +ifdef CONFIG_PAX_MEMORY_STACKLEAK -+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN -+STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-track-lowest-sp=100 ++STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN ++STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100 +endif +ifdef CONFIG_KALLOCSTAT_PLUGIN -+KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so ++KALLOCSTAT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so +endif +ifdef CONFIG_PAX_KERNEXEC_PLUGIN -+KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so -+KERNEXEC_PLUGIN += -fplugin-arg-kernexec_plugin-method=$(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD) ++KERNEXEC_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so ++KERNEXEC_PLUGIN_CFLAGS += -fplugin-arg-kernexec_plugin-method=$(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD) -DKERNEXEC_PLUGIN ++KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN +endif +ifdef CONFIG_CHECKER_PLUGIN +ifeq ($(call cc-ifversion, -ge, 0406, y), y) -+CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN ++CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN +endif +endif -+GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN) ++GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) 
$(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS) $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) ++GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS) +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN +ifeq ($(KBUILD_EXTMOD),) +gcc-plugins: @@ -259,7 +261,7 @@ index d1bdc90..e95fe1a 100644 include $(srctree)/arch/$(SRCARCH)/Makefile ifneq ($(CONFIG_FRAME_WARN),0) -@@ -708,7 +749,7 @@ export mod_strip_cmd +@@ -708,7 +751,7 @@ export mod_strip_cmd ifeq ($(KBUILD_EXTMOD),) @@ -268,15 +270,16 @@ index d1bdc90..e95fe1a 100644 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ -@@ -932,6 +973,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE +@@ -932,6 +975,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE # The actual objects are generated when descending, # make sure no implicit rule kicks in -+$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS) ++$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ; # Handle descending into subdirectories listed in $(vmlinux-dirs) -@@ -941,7 +983,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ; +@@ -941,7 +986,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ; # Error messages still appears in the original language PHONY += $(vmlinux-dirs) 
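Review bot: In the inner kernel Makefile hunk `+@@ -564,6 +565,48 @@ else`, every plugin variable is renamed to a `*_CFLAGS`/`*_AFLAGS` form (`CONSTIFY_PLUGIN_CFLAGS`, `STACKLEAK_PLUGIN_CFLAGS`, `KALLOCSTAT_PLUGIN_CFLAGS`, `KERNEXEC_PLUGIN_CFLAGS`/`KERNEXEC_PLUGIN_AFLAGS`, `CHECKER_PLUGIN_CFLAGS`), yet the unchanged context line `+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN` still exports the old names, which this hunk no longer assigns anywhere (the `-DCONSTIFY_PLUGIN`-style tokens are preprocessor defines, not make variables). Unless those names are still set in a part of the patch not shown here, the export is now a no-op and any sub-makefile that tests them, e.g. with `ifdef`, sees empty values; the line should track the rename, for example `export GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS` together with the renamed per-plugin variables. Because this file is the vendored upstream grsecurity patch, the correction is best reported upstream or carried as a small follow-up patch in this directory rather than by editing the patch text by hand. The outer hunk `@@ -212,32 +212,34 @@` begins on the previous line, and the inner Makefile fragment it shows continues past `gcc-plugins:` outside this hunk.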
@@ -285,23 +288,24 @@ index d1bdc90..e95fe1a 100644 $(Q)$(MAKE) $(build)=$@ # Store (new) KERNELRELASE string in include/config/kernel.release -@@ -985,6 +1027,7 @@ prepare0: archprepare FORCE +@@ -985,6 +1030,7 @@ prepare0: archprepare FORCE $(Q)$(MAKE) $(build)=. # All the preparing.. -+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS)) ++prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS)) prepare: prepare0 # Generate some files -@@ -1086,6 +1129,7 @@ all: modules +@@ -1086,6 +1132,8 @@ all: modules # using awk while concatenating to the final file. PHONY += modules -+modules: KBUILD_CFLAGS += $(GCC_PLUGINS) ++modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order @$(kecho) ' Building modules, stage 2.'; -@@ -1101,7 +1145,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) +@@ -1101,7 +1149,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin) # Target to prepare building external modules PHONY += modules_prepare @@ -310,7 +314,7 @@ index d1bdc90..e95fe1a 100644 # Target to install modules PHONY += modules_install -@@ -1198,6 +1242,7 @@ distclean: mrproper +@@ -1198,6 +1246,7 @@ distclean: mrproper \( -name '*.orig' -o -name '*.rej' -o -name '*~' \ -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \ -o -name '.*.rej' \ 
@@ -318,26 +322,29 @@ index d1bdc90..e95fe1a 100644 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \ -type f -print | xargs rm -f -@@ -1358,6 +1403,7 @@ PHONY += $(module-dirs) modules +@@ -1358,6 +1407,8 @@ PHONY += $(module-dirs) modules $(module-dirs): crmodverdir $(objtree)/Module.symvers $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@) -+modules: KBUILD_CFLAGS += $(GCC_PLUGINS) ++modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) modules: $(module-dirs) @$(kecho) ' Building modules, stage 2.'; $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost -@@ -1484,17 +1530,19 @@ else +@@ -1484,17 +1535,21 @@ else target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@)) endif -%.s: %.c prepare scripts FORCE -+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS) ++%.s: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%.s: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) +%.s: %.c gcc-plugins prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.i: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -%.o: %.c prepare scripts FORCE -+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS) ++%.o: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%.o: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) +%.o: %.c gcc-plugins prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.lst: %.c prepare scripts FORCE 
@@ -350,22 +357,45 @@ index d1bdc90..e95fe1a 100644 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) %.symtypes: %.c prepare scripts FORCE $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@) -@@ -1504,11 +1552,13 @@ endif +@@ -1504,11 +1559,15 @@ endif $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) -%/: prepare scripts FORCE -+%/: KBUILD_CFLAGS += $(GCC_PLUGINS) ++%/: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%/: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) +%/: gcc-plugins prepare scripts FORCE $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) -%.ko: prepare scripts FORCE -+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS) ++%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS) ++%.ko: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS) +%.ko: gcc-plugins prepare scripts FORCE $(cmd_crmodverdir) $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) $(@:.ko=.o) +diff --git a/arch/alpha/include/asm/atomic.h b/arch/alpha/include/asm/atomic.h +index 640f909..48b6597 100644 +--- a/arch/alpha/include/asm/atomic.h ++++ b/arch/alpha/include/asm/atomic.h +@@ -250,6 +250,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + #define atomic_dec(v) atomic_sub(1,(v)) + #define atomic64_dec(v) atomic64_sub(1,(v)) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #define smp_mb__before_atomic_dec() smp_mb() + #define smp_mb__after_atomic_dec() 
smp_mb() + #define smp_mb__before_atomic_inc() smp_mb() diff --git a/arch/alpha/include/asm/elf.h b/arch/alpha/include/asm/elf.h index da5449e..7418343 100644 --- a/arch/alpha/include/asm/elf.h @@ -615,10 +645,21 @@ index fadd5f8..904e73a 100644 /* Allow reads even for write-only mappings */ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h -index 86976d0..8a57797 100644 +index 86976d0..6610950 100644 --- a/arch/arm/include/asm/atomic.h +++ b/arch/arm/include/asm/atomic.h -@@ -239,6 +239,14 @@ typedef struct { +@@ -15,6 +15,10 @@ + #include <linux/types.h> + #include <asm/system.h> + ++#ifdef CONFIG_GENERIC_ATOMIC64 ++#include <asm-generic/atomic64.h> ++#endif ++ + #define ATOMIC_INIT(i) { (i) } + + #ifdef __KERNEL__ +@@ -239,6 +243,14 @@ typedef struct { u64 __aligned(8) counter; } atomic64_t; @@ -633,6 +674,23 @@ index 86976d0..8a57797 100644 #define ATOMIC64_INIT(i) { (i) } static inline u64 atomic64_read(atomic64_t *v) +@@ -459,6 +471,16 @@ static inline int atomic64_add_unless(atomic64_t *v, u64 a, u64 u) + #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0) + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #endif /* !CONFIG_GENERIC_ATOMIC64 */ + #endif + #endif diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h index 0e9ce8d..6ef1e03 100644 --- a/arch/arm/include/asm/elf.h 
@@ -1119,6 +1177,27 @@ index f7040a1..db9f300 100644 if (exception_trace && printk_ratelimit()) printk("%s%s[%d]: segfault at %08lx pc %08lx " "sp %08lx ecr %lu\n", +diff --git a/arch/frv/include/asm/atomic.h b/arch/frv/include/asm/atomic.h +index 0d8a7d6..d0c9ff5 100644 +--- a/arch/frv/include/asm/atomic.h ++++ b/arch/frv/include/asm/atomic.h +@@ -241,6 +241,16 @@ extern uint32_t __xchg_32(uint32_t i, volatile void *v); + #define atomic64_cmpxchg(v, old, new) (__cmpxchg_64(old, new, &(v)->counter)) + #define atomic64_xchg(v, new) (__xchg_64(new, &(v)->counter)) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u) + { + int c, old; diff --git a/arch/frv/include/asm/kmap_types.h b/arch/frv/include/asm/kmap_types.h index f8e16b2..c73ff79 100644 --- a/arch/frv/include/asm/kmap_types.h 
@@ -1163,6 +1242,27 @@ index 385fd30..6c3d97e 100644 goto success; addr = vma->vm_end; } +diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h +index 3fad89e..3047da5 100644 +--- a/arch/ia64/include/asm/atomic.h ++++ b/arch/ia64/include/asm/atomic.h +@@ -209,6 +209,16 @@ atomic64_add_negative (__s64 i, atomic64_t *v) + #define atomic64_inc(v) atomic64_add(1, (v)) + #define atomic64_dec(v) atomic64_sub(1, (v)) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + /* Atomic operations are already serializing */ + #define smp_mb__before_atomic_dec() barrier() + #define smp_mb__after_atomic_dec() barrier() diff --git a/arch/ia64/include/asm/elf.h b/arch/ia64/include/asm/elf.h index b5298eb..67c6e62 100644 --- a/arch/ia64/include/asm/elf.h 
@@ -1502,6 +1602,38 @@ index 82abd15..d95ae5d 100644 prefetchw(to); if (access_ok(VERIFY_READ, from, n)) __copy_user_zeroing(to,from,n); +diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h +index 1d93f81..67794d0 100644 +--- a/arch/mips/include/asm/atomic.h ++++ b/arch/mips/include/asm/atomic.h +@@ -21,6 +21,10 @@ + #include <asm/war.h> + #include <asm/system.h> + ++#ifdef CONFIG_GENERIC_ATOMIC64 ++#include <asm-generic/atomic64.h> ++#endif ++ + #define ATOMIC_INIT(i) { (i) } + + /* +@@ -765,6 +769,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + */ + #define atomic64_add_negative(i, v) (atomic64_add_return(i, (v)) < 0) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #endif /* CONFIG_64BIT */ + + /* diff --git a/arch/mips/include/asm/elf.h b/arch/mips/include/asm/elf.h index 455c0ac..ad65fbe 100644 --- a/arch/mips/include/asm/elf.h 
@@ -1720,6 +1852,27 @@ index 302d779..7d35bf8 100644 - - return ret; -} +diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h +index 4054b31..a10c105 100644 +--- a/arch/parisc/include/asm/atomic.h ++++ b/arch/parisc/include/asm/atomic.h +@@ -335,6 +335,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #endif /* !CONFIG_64BIT */ + + diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h index 19f6cb1..6c78cf2 100644 --- a/arch/parisc/include/asm/elf.h 
@@ -2082,6 +2235,27 @@ index 18162ce..94de376 100644 /* * If for any reason at all we couldn't handle the fault, make +diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h +index 02e41b5..ec6e26c 100644 +--- a/arch/powerpc/include/asm/atomic.h ++++ b/arch/powerpc/include/asm/atomic.h +@@ -469,6 +469,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u) + + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #endif /* __powerpc64__ */ + + #endif /* __KERNEL__ */ diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h index 3bf9cca..e7457d0 100644 --- a/arch/powerpc/include/asm/elf.h 
@@ -2909,6 +3083,27 @@ index 73709f7..6b90313 100644 /* If hint, make sure it matches our alignment restrictions */ if (!fixed && addr) { addr = _ALIGN_UP(addr, 1ul << pshift); +diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h +index 8517d2a..d2738d4 100644 +--- a/arch/s390/include/asm/atomic.h ++++ b/arch/s390/include/asm/atomic.h +@@ -326,6 +326,16 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v) + #define atomic64_dec_and_test(_v) (atomic64_sub_return(1, _v) == 0) + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + #define smp_mb__before_atomic_dec() smp_mb() + #define smp_mb__after_atomic_dec() smp_mb() + #define smp_mb__before_atomic_inc() smp_mb() diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h index 547f1a6..0b22b53 100644 --- a/arch/s390/include/asm/elf.h @@ -3260,6 +3455,18 @@ index afeb710..d1d1289 100644 bottomup: /* +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index f92602e..27060b2 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -31,6 +31,7 @@ config SPARC + + config SPARC32 + def_bool !64BIT ++ select GENERIC_ATOMIC64 + + config SPARC64 + def_bool 64BIT diff --git a/arch/sparc/Makefile b/arch/sparc/Makefile index ad1fb5d..fc5315b 100644 --- a/arch/sparc/Makefile 
@@ -3273,6 +3480,17 @@ index ad1fb5d..fc5315b 100644 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y) VMLINUX_MAIN += $(drivers-y) $(net-y) +diff --git a/arch/sparc/include/asm/atomic.h b/arch/sparc/include/asm/atomic.h +index 8ff83d8..4a459c2 100644 +--- a/arch/sparc/include/asm/atomic.h ++++ b/arch/sparc/include/asm/atomic.h +@@ -4,5 +4,6 @@ + #include <asm/atomic_64.h> + #else + #include <asm/atomic_32.h> ++#include <asm-generic/atomic64.h> + #endif + #endif diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h index 9f421df..b81fc12 100644 --- a/arch/sparc/include/asm/atomic_64.h @@ -3512,6 +3730,19 @@ index 7df8b7f..4946269 100644 extern unsigned long sparc64_elf_hwcap; #define ELF_HWCAP sparc64_elf_hwcap +diff --git a/arch/sparc/include/asm/page_32.h b/arch/sparc/include/asm/page_32.h +index 156707b..aefa786 100644 +--- a/arch/sparc/include/asm/page_32.h ++++ b/arch/sparc/include/asm/page_32.h +@@ -8,6 +8,8 @@ + #ifndef _SPARC_PAGE_H + #define _SPARC_PAGE_H + ++#include <linux/const.h> ++ + #define PAGE_SHIFT 12 + + #ifndef __ASSEMBLY__ diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h index a790cc6..091ed94 100644 --- a/arch/sparc/include/asm/pgtable_32.h 
@@ -5487,6 +5718,27 @@ index cbef74e..c38fead 100644 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL)); page_kernel = pgprot_val(SRMMU_PAGE_KERNEL); +diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h +index 27fe667..36d474c 100644 +--- a/arch/tile/include/asm/atomic_64.h ++++ b/arch/tile/include/asm/atomic_64.h +@@ -142,6 +142,16 @@ static inline long atomic64_add_unless(atomic64_t *v, long a, long u) + + #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0) + ++#define atomic64_read_unchecked(v) atomic64_read(v) ++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i)) ++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v)) ++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v)) ++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v)) ++#define atomic64_inc_unchecked(v) atomic64_inc(v) ++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v) ++#define atomic64_dec_unchecked(v) atomic64_dec(v) ++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n)) ++ + /* Atomic dec and inc don't implement barrier, so provide them if needed. */ + #define smp_mb__before_atomic_dec() smp_mb() + #define smp_mb__after_atomic_dec() smp_mb() diff --git a/arch/um/Makefile b/arch/um/Makefile index 7730af6..cce5b19 100644 --- a/arch/um/Makefile @@ -7061,7 +7313,7 @@ index f6f5c53..b358b28 100644 set_fs(old_fs); diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h -index 091508b..e245ff2 100644 +index 091508b..7692c6f 100644 --- a/arch/x86/include/asm/alternative-asm.h +++ b/arch/x86/include/asm/alternative-asm.h @@ -4,10 +4,10 @@ @@ -7081,7 +7333,7 @@ index 091508b..e245ff2 100644 .endm #endif -+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN ++#ifdef KERNEXEC_PLUGIN + .macro pax_force_retaddr_bts rip=0 + btsq $63,\rip(%rsp) + .endm @@ -15633,7 +15885,7 @@ index faba577..93b9e71 100644 return single_step_cont(regs, args); break; 
diff --git a/arch/x86/kernel/kprobes.c b/arch/x86/kernel/kprobes.c -index 7da647d..5d3c4c1 100644 +index 7da647d..56fe348 100644 --- a/arch/x86/kernel/kprobes.c +++ b/arch/x86/kernel/kprobes.c @@ -118,8 +118,11 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op) @@ -15723,7 +15975,7 @@ index 7da647d..5d3c4c1 100644 " movq %rax, 152(%rsp)\n" RESTORE_REGS_STRING " popfq\n" -+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN ++#ifdef KERNEXEC_PLUGIN + " btsq $63,(%rsp)\n" +#endif #else @@ -41446,7 +41698,7 @@ index 608c1c3..7d040a8 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 3625464..7c7ce8b 100644 +index 3625464..04855f9 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,28 @@ @@ -41776,7 +42028,7 @@ index 3625464..7c7ce8b 100644 EXPORT_SYMBOL(search_binary_handler); +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP -+atomic64_unchecked_t global_exec_counter = ATOMIC64_INIT(0); ++static atomic64_unchecked_t global_exec_counter = ATOMIC64_INIT(0); +#endif + /* @@ -42559,7 +42811,7 @@ index 0845f84..7b4ebef 100644 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) { diff --git a/fs/fs_struct.c b/fs/fs_struct.c -index 78b519c..212c0d0 100644 +index 78b519c..a8b4979 100644 --- a/fs/fs_struct.c +++ b/fs/fs_struct.c @@ -4,6 +4,7 @@ @@ -42626,7 +42878,14 @@ index 78b519c..212c0d0 100644 spin_unlock(&fs->lock); task_unlock(current); -@@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask); +@@ -164,13 +172,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct); + + int current_umask(void) + { +- return current->fs->umask; ++ return current->fs->umask | gr_acl_umask(); + } + EXPORT_SYMBOL(current_umask); /* to be mentioned only in INIT_TASK */ struct fs_struct init_fs = { @@ -44990,7 +45249,7 @@ index 5d22872..523db20 100644 kfree(link); } diff --git a/fs/open.c b/fs/open.c -index 22c41b5..695cb17 100644 +index 22c41b5..78894cf 100644 --- a/fs/open.c +++ b/fs/open.c @@ -112,6 +112,10 @@ static long do_sys_truncate(const char __user *pathname, loff_t length) 
@@ -45056,7 +45315,7 @@ index 22c41b5..695cb17 100644 return error; mutex_lock(&inode->i_mutex); + -+ if (!gr_acl_handle_fchmod(path->dentry, path->mnt, mode)) { ++ if (!gr_acl_handle_chmod(path->dentry, path->mnt, &mode)) { + error = -EACCES; + goto out_unlock; + } @@ -45417,7 +45676,7 @@ index 3a1dafd..1456746 100644 +} +#endif diff --git a/fs/proc/base.c b/fs/proc/base.c -index 1ace83d..357b933 100644 +index 1ace83d..f5e575d 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -107,6 +107,22 @@ struct pid_entry { @@ -45557,7 +45816,18 @@ index 1ace83d..357b933 100644 put_task_struct(task); } return allowed; -@@ -797,6 +815,11 @@ static ssize_t mem_rw(struct file *file, char __user *buf, +@@ -786,6 +804,10 @@ static int mem_open(struct inode* inode, struct file* file) + file->f_mode |= FMODE_UNSIGNED_OFFSET; + file->private_data = mm; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ file->f_version = current->exec_id; ++#endif ++ + return 0; + } + +@@ -797,6 +819,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf, ssize_t copied; char *page; @@ -45565,11 +45835,17 @@ index 1ace83d..357b933 100644 + if (write) + return -EPERM; +#endif ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (file->f_version != current->exec_id) { ++ gr_log_badprocpid("mem"); ++ return 0; ++ } ++#endif + if (!mm) return 0; -@@ -897,6 +920,9 @@ static ssize_t environ_read(struct file *file, char __user *buf, +@@ -897,6 +930,9 @@ static ssize_t environ_read(struct file *file, char __user *buf, if (!task) goto out_no_task; @@ -45579,7 +45855,7 @@ index 1ace83d..357b933 100644 ret = -ENOMEM; page = (char *)__get_free_page(GFP_TEMPORARY); if (!page) -@@ -1519,7 +1545,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd) +@@ -1519,7 +1555,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd) path_put(&nd->path); /* Are we allowed to snoop on the tasks file descriptors? */ 
@@ -45588,7 +45864,7 @@ index 1ace83d..357b933 100644 goto out; error = PROC_I(inode)->op.proc_get_link(inode, &nd->path); -@@ -1558,8 +1584,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b +@@ -1558,8 +1594,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b struct path path; /* Are we allowed to snoop on the tasks file descriptors? */ @@ -45609,7 +45885,7 @@ index 1ace83d..357b933 100644 error = PROC_I(inode)->op.proc_get_link(inode, &path); if (error) -@@ -1624,7 +1660,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t +@@ -1624,7 +1670,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t rcu_read_lock(); cred = __task_cred(task); inode->i_uid = cred->euid; @@ -45621,7 +45897,7 @@ index 1ace83d..357b933 100644 rcu_read_unlock(); } security_task_to_inode(task, inode); -@@ -1642,6 +1682,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +@@ -1642,6 +1692,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) struct inode *inode = dentry->d_inode; struct task_struct *task; const struct cred *cred; @@ -45631,7 +45907,7 @@ index 1ace83d..357b933 100644 generic_fillattr(inode, stat); -@@ -1649,13 +1692,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +@@ -1649,13 +1702,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) stat->uid = 0; stat->gid = 0; task = pid_task(proc_pid(inode), PIDTYPE_PID); @@ -45674,7 +45950,7 @@ index 1ace83d..357b933 100644 } rcu_read_unlock(); return 0; -@@ -1692,11 +1763,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd) +@@ -1692,11 +1773,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd) if (task) { if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || 
@@ -45695,7 +45971,7 @@ index 1ace83d..357b933 100644 rcu_read_unlock(); } else { inode->i_uid = 0; -@@ -1814,7 +1894,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) +@@ -1814,7 +1904,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) int fd = proc_fd(inode); if (task) { @@ -45705,7 +45981,7 @@ index 1ace83d..357b933 100644 put_task_struct(task); } if (files) { -@@ -2082,11 +2163,21 @@ static const struct file_operations proc_fd_operations = { +@@ -2082,11 +2173,21 @@ static const struct file_operations proc_fd_operations = { */ static int proc_fd_permission(struct inode *inode, int mask) { @@ -45729,7 +46005,7 @@ index 1ace83d..357b933 100644 return rv; } -@@ -2196,6 +2287,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, +@@ -2196,6 +2297,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, if (!task) goto out_no_task; @@ -45739,7 +46015,7 @@ index 1ace83d..357b933 100644 /* * Yes, it does not scale. And it should not. Don't add * new entries into /proc/<tgid>/ without very good reasons. -@@ -2240,6 +2334,9 @@ static int proc_pident_readdir(struct file *filp, +@@ -2240,6 +2344,9 @@ static int proc_pident_readdir(struct file *filp, if (!task) goto out_no_task; @@ -45749,7 +46025,7 @@ index 1ace83d..357b933 100644 ret = 0; i = filp->f_pos; switch (i) { -@@ -2510,7 +2607,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd) +@@ -2510,7 +2617,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd) static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie) { 
@@ -45758,7 +46034,7 @@ index 1ace83d..357b933 100644 if (!IS_ERR(s)) __putname(s); } -@@ -2708,7 +2805,7 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2708,7 +2815,7 @@ static const struct pid_entry tgid_base_stuff[] = { REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -45767,7 +46043,7 @@ index 1ace83d..357b933 100644 INF("syscall", S_IRUGO, proc_pid_syscall), #endif INF("cmdline", S_IRUGO, proc_pid_cmdline), -@@ -2733,10 +2830,10 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2733,10 +2840,10 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -45780,7 +46056,7 @@ index 1ace83d..357b933 100644 ONE("stack", S_IRUGO, proc_pid_stack), #endif #ifdef CONFIG_SCHEDSTATS -@@ -2770,6 +2867,9 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2770,6 +2877,9 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_HARDWALL INF("hardwall", S_IRUGO, proc_pid_hardwall), #endif @@ -45790,7 +46066,7 @@ index 1ace83d..357b933 100644 }; static int proc_tgid_base_readdir(struct file * filp, -@@ -2895,7 +2995,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir, +@@ -2895,7 +3005,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir, if (!inode) goto out; @@ -45805,7 +46081,7 @@ index 1ace83d..357b933 100644 inode->i_op = &proc_tgid_base_inode_operations; inode->i_fop = &proc_tgid_base_operations; inode->i_flags|=S_IMMUTABLE; -@@ -2937,7 +3044,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct +@@ -2937,7 +3054,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct if (!task) goto out; 
@@ -45817,7 +46093,7 @@ index 1ace83d..357b933 100644 put_task_struct(task); out: return result; -@@ -3002,6 +3113,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) +@@ -3002,6 +3123,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) { unsigned int nr; struct task_struct *reaper; @@ -45829,7 +46105,7 @@ index 1ace83d..357b933 100644 struct tgid_iter iter; struct pid_namespace *ns; -@@ -3025,8 +3141,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) +@@ -3025,8 +3151,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) for (iter = next_tgid(ns, iter); iter.task; iter.tgid += 1, iter = next_tgid(ns, iter)) { @@ -45858,7 +46134,7 @@ index 1ace83d..357b933 100644 put_task_struct(iter.task); goto out; } -@@ -3054,7 +3189,7 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3054,7 +3199,7 @@ static const struct pid_entry tid_base_stuff[] = { REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -45867,7 +46143,7 @@ index 1ace83d..357b933 100644 INF("syscall", S_IRUGO, proc_pid_syscall), #endif INF("cmdline", S_IRUGO, proc_pid_cmdline), -@@ -3078,10 +3213,10 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3078,10 +3223,10 @@ static const struct pid_entry tid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -48145,10 +48421,10 @@ index 0000000..41df561 +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..1b9afa9 +index 0000000..496e60d --- /dev/null +++ b/grsecurity/Makefile -@@ -0,0 +1,38 @@ +@@ -0,0 +1,40 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system 
@@ -48157,7 +48433,9 @@ index 0000000..1b9afa9
 +# are copyright Brad Spengler - Open Source Security, Inc., and released
 +# under the GPL v2 or higher
 +
++ifndef CONFIG_IA64
 +KBUILD_CFLAGS += -Werror
++endif
 +
 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
 + grsec_mount.o grsec_sig.o grsec_sysctl.o \
@@ -48189,10 +48467,10 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..cf294ac
+index 0000000..7715893
 --- /dev/null
 +++ b/grsecurity/gracl.c
-@@ -0,0 +1,4163 @@
+@@ -0,0 +1,4164 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -50464,17 +50742,18 @@ index 0000000..cf294ac
 +void
 +gr_copy_label(struct task_struct *tsk)
 +{
++ /* plain copying of fields is already done by dup_task_struct */
 + tsk->signal->used_accept = 0;
 + tsk->acl_sp_role = 0;
-+ tsk->acl_role_id = current->acl_role_id;
-+ tsk->acl = current->acl;
-+ tsk->role = current->role;
++ //tsk->acl_role_id = current->acl_role_id;
++ //tsk->acl = current->acl;
++ //tsk->role = current->role;
 + tsk->signal->curr_ip = current->signal->curr_ip;
 + tsk->signal->saved_ip = current->signal->saved_ip;
 + if (current->exec_file)
 + get_file(current->exec_file);
-+ tsk->exec_file = current->exec_file;
-+ tsk->is_writable = current->is_writable;
++ //tsk->exec_file = current->exec_file;
++ //tsk->is_writable = current->is_writable;
 + if (unlikely(current->signal->used_accept)) {
 + current->signal->curr_ip = 0;
 + current->signal->saved_ip = 0;
@@ -52576,10 +52855,10 @@ index 0000000..955ddfb
 +
 diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c
 new file mode 100644
-index 0000000..4eda5c3
+index 0000000..88d0e87
 --- /dev/null
 +++ b/grsecurity/gracl_fs.c
-@@ -0,0 +1,433 @@
+@@ -0,0 +1,435 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/types.h>
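Review bot: The new `ifndef CONFIG_IA64` guard around `KBUILD_CFLAGS += -Werror` gives no reason for exempting IA64, so a later maintainer cannot tell whether it works around specific IA64 warnings (presumably) or is a permanent decision. A one-line comment above the guard would settle it: `# -Werror is skipped on IA64 (builds there emit warnings this directory does not control -- TODO confirm which)`. The trade-off is worth keeping explicit: -Werror in this directory means a compiler upgrade that introduces a new warning becomes a build break rather than a silently different binary.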
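Review bot: The five `//tsk->... = current->...;` lines in gr_copy_label are dead code left as C++-style comments; the comment above them already records why the assignments were dropped, so the lines should be deleted rather than commented out. The more important point is that `get_file(current->exec_file)` still takes a reference while the matching `tsk->exec_file = current->exec_file;` is now commented out, so the reference is only balanced if dup_task_struct has already copied `exec_file` into `tsk`, an invariant that is not visible here and deserves to be stated where the reference is taken: `/* tsk->exec_file was copied by dup_task_struct; take the child's reference */`. The same reliance on dup_task_struct applies to the kernel/fork.c hunk further down that removes `p->exec_id = current->exec_id;` from copy_process, where a similar comment at the `gr_copy_label(p);` call would make the dependency checkable on the next rebase. gr_copy_label's body continues past the end of the hunk.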
@@ -52590,6 +52869,15 @@ index 0000000..4eda5c3
 +#include <linux/grinternal.h>
 +#include <linux/gracl.h>
 +
++umode_t
++gr_acl_umask(void)
++{
++ if (unlikely(!gr_acl_is_enabled()))
++ return 0;
++
++ return current->role->umask;
++}
++
 +__u32
 +gr_acl_handle_hidden_file(const struct dentry * dentry,
 + const struct vfsmount * mnt)
@@ -52778,25 +53066,18 @@ index 0000000..4eda5c3
 +}
 +
 +__u32
-+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
-+ mode_t mode)
++gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
++ umode_t *modeptr)
 +{
++ umode_t mode;
++
++ *modeptr &= ~gr_acl_umask();
++ mode = *modeptr;
++
 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
 + return 1;
 +
-+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
-+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
-+ GR_FCHMOD_ACL_MSG);
-+ } else {
-+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
-+ }
-+}
-+
-+__u32
-+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
-+ mode_t mode)
-+{
-+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
++ if (unlikely(mode & (S_ISUID | S_ISGID))) {
 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
 + GR_CHMOD_ACL_MSG);
 + } else {
@@ -54422,10 +54703,10 @@ index 0000000..a2dc675
 +}
 diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
 new file mode 100644
-index 0000000..d81a586
+index 0000000..213ad8b
 --- /dev/null
 +++ b/grsecurity/grsec_disabled.c
-@@ -0,0 +1,439 @@
+@@ -0,0 +1,437 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
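Review bot: `gr_acl_handle_chmod` now writes through its argument (`*modeptr &= ~gr_acl_umask();`) before any decision is made, so the role umask is applied to the caller's mode even on the socket path that immediately returns 1 and regardless of whether `generic_fs_handler` later allows or denies the operation; if only permitted chmods are meant to be umask-filtered, the masking belongs after the early returns. Turning an input into an out-parameter is not obvious from the name, so the prototype deserves a line such as `/* side effect: clears role-umask bits in *modeptr; caller must apply the masked value */`. The old `mode != (mode_t)-1` guard is gone from the combined path, so a caller still passing -1 as "no change" would be treated as requesting setuid/setgid bits; that is presumably fine only if every caller in the patched tree now passes a real mode, which this hunk does not show. `gr_acl_umask` in the first hunk dereferences `current->role` with no NULL check once `gr_acl_is_enabled()` holds, which presumably guarantees a role is assigned. The remainder of gr_acl_handle_chmod is outside the hunk.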
@@ -54665,15 +54946,8 @@ index 0000000..d81a586
 +}
 +
 +__u32
-+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
-+ mode_t mode)
-+{
-+ return 1;
-+}
-+
-+__u32
 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
-+ mode_t mode)
++ umode_t *mode)
 +{
 + return 1;
 +}
@@ -54696,6 +54970,11 @@ index 0000000..d81a586
 + return;
 +}
 +
++umode_t gr_acl_umask(void)
++{
++ return 0;
++}
++
 +__u32
 +gr_acl_handle_mknod(const struct dentry * new_dentry,
 + const struct dentry * parent_dentry,
@@ -58278,10 +58557,10 @@ index 6d18f35..ab71e2c 100644
 struct blk_integrity *integrity;
 diff --git a/include/linux/gracl.h b/include/linux/gracl.h
 new file mode 100644
-index 0000000..0dc3943
+index 0000000..8a130b6
 --- /dev/null
 +++ b/include/linux/gracl.h
-@@ -0,0 +1,317 @@
+@@ -0,0 +1,319 @@
 +#ifndef GR_ACL_H
 +#define GR_ACL_H
 +
@@ -58293,8 +58572,8 @@ index 0000000..0dc3943
 +
 +/* Major status information */
 +
-+#define GR_VERSION "grsecurity 2.2.2"
-+#define GRSECURITY_VERSION 0x2202
++#define GR_VERSION "grsecurity 2.9"
++#define GRSECURITY_VERSION 0x2900
 +
 +enum {
 + GR_SHUTDOWN = 0,
@@ -58457,6 +58736,8 @@ index 0000000..0dc3943
 + uid_t *domain_children;
 + __u16 domain_child_num;
 +
++ umode_t umask;
++
 + struct acl_subject_label **subj_hash;
 + __u32 subj_hash_size;
 +};
@@ -58989,10 +59270,10 @@ index 0000000..da390f1
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..8b9ed56
+index 0000000..ae576a1
 --- /dev/null
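Review bot: Inserting `umode_t umask;` in the middle of this structure in include/linux/gracl.h changes its in-memory layout, and this header looks like the contract with the userspace policy loader that feeds `/dev/grsec`, so the bump of `GRSECURITY_VERSION` from `0x2202` to `0x2900` in the earlier hunk is presumably what stops an older loader from handing the kernel a mismatched structure; the check itself is not visible in this chunk. A comment on the new field would save the next reader that inference: `/* new in 2.9: layout change, covered by the GRSECURITY_VERSION bump */`. The disabled-build stub `gr_acl_umask` returning 0 in the first hunk is consistent with the real implementation's `gr_acl_is_enabled()` early return.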
 +++ b/include/linux/grmsg.h
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,109 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -59036,7 +59317,6 @@ index 0000000..8b9ed56
 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
-+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
@@ -59045,7 +59325,7 @@ index 0000000..8b9ed56
 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
-+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
++#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbage by "
 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
@@ -59105,7 +59385,7 @@ index 0000000..8b9ed56
 +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..10c8ced
+index 0000000..2ccf677
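Review bot: Removing `GR_FCHMOD_ACL_MSG` means fchmod denials and audits are now logged through `GR_CHMOD_ACL_MSG` (`"%s chmod of %.950s by "`), so any log parsing or alerting keyed on the literal `fchmod of` stops matching after this upgrade and must be re-pointed at `chmod of`; the two operations are no longer distinguishable in the audit trail. This is a format change rather than a bug, but it is worth one line in the package changelog or commit message. The `garbaged` to `garbage` fix in `GR_DEV_ACL_MSG` in the next hunk is a smaller change of the same kind for anyone matching that string.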
--- /dev/null +++ b/include/linux/grsecurity.h @@ -0,0 +1,229 @@ @@ -59183,6 +59463,8 @@ index 0000000..10c8ced +void gr_handle_ioperm(void); +void gr_handle_iopl(void); + ++umode_t gr_acl_umask(void); ++ +int gr_tpe_allow(const struct file *file); + +void gr_set_chroot_entries(struct task_struct *task, struct path *path); @@ -59237,10 +59519,8 @@ index 0000000..10c8ced + const struct vfsmount *mnt); +__u32 gr_acl_handle_access(const struct dentry *dentry, + const struct vfsmount *mnt, const int fmode); -+__u32 gr_acl_handle_fchmod(const struct dentry *dentry, -+ const struct vfsmount *mnt, mode_t mode); +__u32 gr_acl_handle_chmod(const struct dentry *dentry, -+ const struct vfsmount *mnt, mode_t mode); ++ const struct vfsmount *mnt, umode_t *mode); +__u32 gr_acl_handle_chown(const struct dentry *dentry, + const struct vfsmount *mnt); +__u32 gr_acl_handle_setxattr(const struct dentry *dentry, @@ -63355,7 +63635,7 @@ index e6e01b9..619f837 100644 if (group_dead) diff --git a/kernel/fork.c b/kernel/fork.c -index da4a6a1..0483b61 100644 +index da4a6a1..0973380 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -280,7 +280,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -63625,20 +63905,16 @@ index da4a6a1..0483b61 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && -@@ -1256,6 +1317,12 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1256,6 +1317,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, if (clone_flags & CLONE_THREAD) p->tgid = current->tgid; + gr_copy_label(p); + -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP -+ p->exec_id = current->exec_id; -+#endif -+ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; /* * Clear TID on mm_release()? -@@ -1418,6 +1485,8 @@ bad_fork_cleanup_count: +@@ -1418,6 +1481,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: 
@@ -63647,7 +63923,7 @@ index da4a6a1..0483b61 100644 return ERR_PTR(retval); } -@@ -1518,6 +1587,8 @@ long do_fork(unsigned long clone_flags, +@@ -1518,6 +1583,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -63656,7 +63932,7 @@ index da4a6a1..0483b61 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1627,7 +1698,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1627,7 +1694,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -63665,7 +63941,7 @@ index da4a6a1..0483b61 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1716,7 +1787,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1716,7 +1783,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -77537,7 +77813,7 @@ index a39edcc..1014050 100644 }; diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile new file mode 100644 -index 0000000..b044b80 +index 0000000..29b6b75 --- /dev/null +++ b/tools/gcc/Makefile @@ -0,0 +1,21 @@ @@ -77545,9 +77821,9 @@ index 0000000..b044b80 +#PLUGIN_SOURCE_FILES := pax_plugin.c +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES)) +GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin) -+#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W ++#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W -std=gnu99 + -+HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include ++HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include -std=gnu99 + +hostlibs-y := constify_plugin.so +hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86 index d6a674883e..a4f26183ae 100644 --- a/main/linux-grsec/kernelconfig.x86 +++ b/main/linux-grsec/kernelconfig.x86 
@@ -1419,7 +1419,8 @@ CONFIG_BLK_DEV_UMEM=m
 CONFIG_BLK_DEV_LOOP=m
 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
 CONFIG_BLK_DEV_CRYPTOLOOP=m
-# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
 CONFIG_BLK_DEV_NBD=m
 CONFIG_BLK_DEV_OSD=m
 CONFIG_BLK_DEV_SX8=m
@@ -5106,7 +5107,7 @@ CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CUSTOM=y
 
 #
-# Address Space Protection
+# Memory Protections
 #
 CONFIG_GRKERNSEC_KMEM=y
 # CONFIG_GRKERNSEC_VM86 is not set
@@ -5439,5 +5440,6 @@ CONFIG_HAS_DMA=y
 CONFIG_CHECK_SIGNATURE=y
 CONFIG_CPU_RMAP=y
 CONFIG_NLATTR=y
+CONFIG_LRU_CACHE=m
 CONFIG_AVERAGE=y
 CONFIG_CORDIC=m
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index 21a9dcd891..463a41e851 100644
--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -1384,7 +1384,8 @@ CONFIG_BLK_DEV_UMEM=m
 CONFIG_BLK_DEV_LOOP=m
 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
 CONFIG_BLK_DEV_CRYPTOLOOP=m
-# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
 CONFIG_BLK_DEV_NBD=m
 CONFIG_BLK_DEV_OSD=m
 CONFIG_BLK_DEV_SX8=m
@@ -5080,7 +5081,7 @@ CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CUSTOM=y
 
 #
-# Address Space Protection
+# Memory Protections
 #
 CONFIG_GRKERNSEC_KMEM=y
 # CONFIG_GRKERNSEC_IO is not set
@@ -5410,5 +5411,6 @@ CONFIG_HAS_DMA=y
 CONFIG_CHECK_SIGNATURE=y
 CONFIG_CPU_RMAP=y
 CONFIG_NLATTR=y
+CONFIG_LRU_CACHE=m
 CONFIG_AVERAGE=y
 CONFIG_CORDIC=m |