-rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch) | 115 |
2 files changed, 108 insertions, 17 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index ebbddba2a3..7e148c4015 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -7,7 +7,7 @@ case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=0 +pkgrel=1 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.9.8-201306272057.patch + grsecurity-2.9.1-3.9.8-201306302052.patch 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch @@ -150,7 +150,7 @@ dev() { md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz -53d60133a86b812060b048275f928041 grsecurity-2.9.1-3.9.8-201306272057.patch +647f77555169969b4245c62c0fd0f1ab grsecurity-2.9.1-3.9.8-201306302052.patch a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
@@ -161,7 +161,7 @@ d89089b3c7eb94dd9f65cf8a357fc36d kernelconfig.x86 eb147f09fef5996a488c247790205cd6 kernelconfig.x86_64" sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz 2eda9068e81269467e3c247f3343a146731fc45284b12b4bc546bc44dbb263e7 patch-3.9.8.xz -587022b1fc72157e43011551404c7d664dcc3b6c95b72a853ef2ce721e474057 grsecurity-2.9.1-3.9.8-201306272057.patch +b111346072b7907d3a284f12a08c490cbfe35592537bc59442014c95080c3a33 grsecurity-2.9.1-3.9.8-201306302052.patch 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
@@ -172,7 +172,7 @@ de3c17420664ae4e52826c6e602aade0deeae94f72253f85b3e48771491ed5d6 kernelconfig.x e1cce320f207cc2ba72b9d154c7060c8cbed52c664319dfd21f24e8956d0bf3e kernelconfig.x86_64" sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz 60b7d694d39faf937e7b732eb3117b8442059c5c8857c9d439eec8a87d5bc185505e64062f5ae02c3512acf5af778caf615c35d3499cb8089a4569c05da65b9c patch-3.9.8.xz -4ca36180a1fc325a558acf73ec9fe3808542498a8f808f73b87a9f6b05ff290d5a5ab20ce39c547a18ce37d093a9857f5c77c495796e62fef986dfa301a9e566 grsecurity-2.9.1-3.9.8-201306272057.patch +81912f5c19b8bc891a1ad8ed57bfe91d79c6c301410eb4ef9e58f57caefba2661d9732b306d695e712fd8e7c9b5bbb67659759fade26f4ec853d9cb96d347df9 grsecurity-2.9.1-3.9.8-201306302052.patch 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch index 3efd0e4c4b..9c80933310 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch @@ -2312,7 +2312,7 @@ index 60d3b73..d27ee09 100644 EXPORT_SYMBOL(__get_user_1); EXPORT_SYMBOL(__get_user_2); diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S -index 0f82098..3dbd3ee 100644 +index 0f82098..fb3d3d5 100644 --- a/arch/arm/kernel/entry-armv.S 
+++ b/arch/arm/kernel/entry-armv.S @@ -47,6 +47,87 @@ @@ -2484,7 +2484,7 @@ index 0f82098..3dbd3ee 100644 THUMB( str sp, [ip], #4 ) THUMB( str lr, [ip], #4 ) -#ifdef CONFIG_CPU_USE_DOMAINS -+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) ++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) ldr r6, [r2, #TI_CPU_DOMAIN] #endif set_tls r3, r4, r5 @@ -2493,7 +2493,7 @@ index 0f82098..3dbd3ee 100644 ldr r7, [r7, #TSK_STACK_CANARY] #endif -#ifdef CONFIG_CPU_USE_DOMAINS -+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) ++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF) mcr p15, 0, r6, c3, c0, 0 @ Set domain register #endif mov r5, r0 @@ -50560,7 +50560,7 @@ index 6a16053..2155147 100644 return rc; } diff --git a/fs/exec.c b/fs/exec.c -index 6d56ff2..3bc6638 100644 +index 6d56ff2..f65b4ca 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,8 +55,20 @@ 
@@ -50862,7 +50862,37 @@ index 6d56ff2..3bc6638 100644 set_fs(old_fs); return result; } -@@ -1250,7 +1325,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1136,13 +1211,6 @@ void setup_new_exec(struct linux_binprm * bprm) + set_dumpable(current->mm, suid_dumpable); + } + +- /* +- * Flush performance counters when crossing a +- * security domain: +- */ +- if (!get_dumpable(current->mm)) +- perf_event_exit_task(current); +- + /* An exec changes our domain. We are no longer part of the thread + group */ + +@@ -1206,6 +1274,15 @@ void install_exec_creds(struct linux_binprm *bprm) + + commit_creds(bprm->cred); + bprm->cred = NULL; ++ ++ /* ++ * Disable monitoring for regular users ++ * when executing setuid binaries. Must ++ * wait until new credentials are committed ++ * by commit_creds() above ++ */ ++ if (get_dumpable(current->mm) != SUID_DUMP_USER) ++ perf_event_exit_task(current); + /* + * cred_guard_mutex must be held at least to this point to prevent + * ptrace_attach() from altering our determination of the task's +@@ -1250,7 +1327,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); @@ -50871,7 +50901,7 @@ index 6d56ff2..3bc6638 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1450,6 +1525,31 @@ int search_binary_handler(struct linux_binprm *bprm) +@@ -1450,6 +1527,31 @@ int search_binary_handler(struct linux_binprm *bprm) EXPORT_SYMBOL(search_binary_handler); @@ -50903,7 +50933,7 @@ index 6d56ff2..3bc6638 100644 /* * sys_execve() executes a new program. */ -@@ -1457,6 +1557,11 @@ static int do_execve_common(const char *filename, +@@ -1457,6 +1559,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr argv, struct user_arg_ptr envp) { 
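Review bot: The comment added in install_exec_creds() (fs/exec.c, inner hunk `@@ -1206,6 +1274,15 @@`) speaks only of setuid binaries run by regular users, while the new test `get_dumpable(current->mm) != SUID_DUMP_USER` is broader than the removed `!get_dumpable(current->mm)` in setup_new_exec(): it also matches an mm that is dumpable by root only. I would have the comment name the condition it actually guards, e.g. `/* Tear down perf events whenever the new mm is not dumpable by its owner; must follow commit_creds() */`. Both functions continue outside the hunk, so whether anything between the old and new call sites relies on the events still being attached cannot be checked from here.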
@@ -50915,7 +50945,7 @@ index 6d56ff2..3bc6638 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1464,6 +1569,8 @@ static int do_execve_common(const char *filename, +@@ -1464,6 +1571,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -50924,7 +50954,7 @@ index 6d56ff2..3bc6638 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1504,12 +1611,27 @@ static int do_execve_common(const char *filename, +@@ -1504,12 +1613,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -50952,7 +50982,7 @@ index 6d56ff2..3bc6638 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1526,24 +1648,65 @@ static int do_execve_common(const char *filename, +@@ -1526,24 +1650,65 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; @@ -51022,7 +51052,7 @@ index 6d56ff2..3bc6638 100644 current->fs->in_exec = 0; current->in_execve = 0; acct_update_integrals(current); -@@ -1552,6 +1715,14 @@ static int do_execve_common(const char *filename, +@@ -1552,6 +1717,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -51037,7 +51067,7 @@ index 6d56ff2..3bc6638 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1700,3 +1871,283 @@ asmlinkage long compat_sys_execve(const char __user * filename, +@@ -1700,3 +1873,283 @@ asmlinkage long compat_sys_execve(const char __user * filename, return error; } #endif 
@@ -56758,6 +56788,67 @@ index 69d4889..a810bd4 100644
 {
 if (sbi->s_bytesex == BYTESEX_PDP)
 return PDP_swab((__force __u32)n);
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index de08c92f..732cd63 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -364,6 +364,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ */
+ return 0;
+
++ if (file->f_version == 0) {
++ /*
++ * The file was seek'ed, which means that @file->private_data
++ * is now invalid. This may also be just the first
++ * 'ubifs_readdir()' invocation, in which case
++ * @file->private_data is NULL, and the below code is
++ * basically a no-op.
++ */
++ kfree(file->private_data);
++ file->private_data = NULL;
++ }
++
++ /*
++ * 'generic_file_llseek()' unconditionally sets @file->f_version to
++ * zero, and we use this for detecting whether the file was seek'ed.
++ */
++ file->f_version = 1;
++
+ /* File positions 0 and 1 correspond to "." and ".." */
+ if (file->f_pos == 0) {
+ ubifs_assert(!file->private_data);
+@@ -438,6 +456,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ file->f_pos = key_hash_flash(c, &dent->key);
+ file->private_data = dent;
+ cond_resched();
++
++ if (file->f_version == 0)
++ /*
++ * The file was seek'ed meanwhile, lets return and start
++ * reading direntries from the new position on the next
++ * invocation.
++ */
++ return 0;
+ }
+
+ out:
+@@ -448,15 +474,13 @@ out:
+
+ kfree(file->private_data);
+ file->private_data = NULL;
++ /* 2 is a special value indicating that there are no more direntries */
+ file->f_pos = 2;
+ return 0;
+ }
+
+-/* If a directory is seeked, we have to free saved readdir() state */
+ static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence)
+ {
+- kfree(file->private_data);
+- file->private_data = NULL;
+ return generic_file_llseek(file, offset, whence);
+ }
+
 diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
 index e18b988..f1d4ad0f 100644
 --- a/fs/ubifs/io.c |
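Review bot: With its comment removed, ubifs_dir_llseek() in fs/ubifs/dir.c is a bare call to generic_file_llseek(), and nothing at that site explains why a directory seek no longer frees `file->private_data`. A one-line comment there would keep the hand-off discoverable, e.g. `/* Saved readdir() state is dropped by ubifs_readdir() once it sees f_version == 0 */`. Separately, the unbraced `if (file->f_version == 0)` after cond_resched() has a multi-line comment between the condition and its `return 0;`; braces would make the body explicit. ubifs_readdir() starts and ends outside the hunk, so how f_version reads are serialised against a concurrent seek is not visible here.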