-rw-r--r--main/dahdi-linux-grsec/APKBUILD4
-rw-r--r--main/iscsitarget-grsec/APKBUILD4
-rw-r--r--main/linux-grsec/APKBUILD8
-rw-r--r--main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch (renamed from main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch)113
-rw-r--r--main/linux-grsec/kernelconfig.x863
-rw-r--r--main/xtables-addons-grsec/APKBUILD4
-rw-r--r--testing/kqemu-grsec/APKBUILD4
7 files changed, 118 insertions, 22 deletions
diff --git a/main/dahdi-linux-grsec/APKBUILD b/main/dahdi-linux-grsec/APKBUILD
index d6320d13ed..eccec0af59 100644
--- a/main/dahdi-linux-grsec/APKBUILD
+++ b/main/dahdi-linux-grsec/APKBUILD
@@ -10,12 +10,14 @@ fi
_kernelver="$pkgver-r$pkgrel"
_abi_release=${pkgver}-${_flavor}
+_kpkgrel=$pkgrel
_realname=dahdi-linux
pkgname=${_realname}-${_flavor}
pkgver=$pkgver
_dahdiver=2.2.0.2
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(( $_kpkgrel + $_mypkgrel ))
pkgdesc="Digium Asterisk Hardware Device Interface drivers $_dahdiver"
url="http://www.asterisk.org"
license="GPL"
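Review bot: The summed `pkgrel=$(( $_kpkgrel + $_mypkgrel ))` can give two different builds the same version string, e.g. kernel r0 with `_mypkgrel=1` and kernel r1 with `_mypkgrel=0` both produce `-r1`, so apk and mirror caches cannot tell them apart. The scheme only works if `_mypkgrel` is reset to 0 whenever the kernel's pkgrel bumps; a comment above `_mypkgrel=0` such as `# bump only for module-only rebuilds; reset to 0 whenever linux-$_flavor pkgrel changes` would make that rule visible to the next editor. Note that `_kernelver="$pkgver-r$pkgrel"` at the top of the hunk still reads the kernel's `pkgrel` before it is overwritten, which is correct but order-sensitive; deriving it from `_kpkgrel` would make that explicit. The `if` that sources the kernel APKBUILD ends at the `fi` in the hunk header, outside this hunk.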
diff --git a/main/iscsitarget-grsec/APKBUILD b/main/iscsitarget-grsec/APKBUILD
index 009165e9e7..f2279d12aa 100644
--- a/main/iscsitarget-grsec/APKBUILD
+++ b/main/iscsitarget-grsec/APKBUILD
@@ -9,12 +9,14 @@ fi
_kver=$pkgver
_kernelver=$pkgver-r$pkgrel
_abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel
_iscsiver=1.4.18
pkgname=${_realname}-${_flavor}
pkgver=$_kver
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
pkgdesc="$_flavor kernel modules for iscsitarget $_iscsiver"
url="http://iscsitarget.sourceforge.net/"
license="GPL-2"
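Review bot: `_kpkgrel=$pkgrel` takes whatever the sourced kernel APKBUILD left in `pkgrel`, but when `../linux-$_flavor/APKBUILD` is absent the guard above this hunk skips the sourcing, `_kpkgrel` is empty, and `pkgrel=$(($_kpkgrel + $_mypkgrel))` becomes `$(( + 0 ))`, which shells that accept a unary plus evaluate to 0, so the package silently builds as `-r0` against an unknown kernel revision instead of failing. Something like `_kpkgrel=${pkgrel:?linux-$_flavor APKBUILD not found}` (or `${pkgrel:-0}` if a fallback is genuinely wanted) makes that failure mode explicit. `_realname` used on the `pkgname=` line is assigned outside this hunk, so I could not confirm it is set before use.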
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index f2230adbdb..bf11e38ce5 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=2.6.31.5
_kernver=2.6.31
-pkgrel=0
+pkgrel=1
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
install=
source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
- grsecurity-2.1.14-2.6.31.5-200910232000.patch
+ grsecurity-2.1.14-2.6.31.5-200910312135.patch
kernelconfig.x86
"
subpackages="$pkgname-dev linux-firmware:firmware"
@@ -120,5 +120,5 @@ firmware() {
md5sums="84c077a37684e4cbfa67b18154390d8a linux-2.6.31.tar.bz2
6cac5e59d5562b591cdda485941204d5 patch-2.6.31.5.bz2
-6b3813a484429f160dce06d69e2e8d7f grsecurity-2.1.14-2.6.31.5-200910232000.patch
-5fadc584b08c9bc420d61e148139becd kernelconfig.x86"
+284a8a8e0d5d8034684107098488d92a grsecurity-2.1.14-2.6.31.5-200910312135.patch
+94d5ac9701cf3ddd50f654509b8ec6fc kernelconfig.x86"
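Review bot: The only integrity check on `linux-2.6.31.tar.bz2` and `patch-2.6.31.5.bz2` is the MD5 in this list, and both are fetched from `ftp://` with no signature verification, so the pin is only as trustworthy as the download it was computed from. Before refreshing `md5sums` entries like the two changed here, verify kernel.org's detached `.sign` files and the grsecurity patch's published signature against the exact files hashed, and note that in the commit message; MD5 is collision-prone, so a stronger digest should be used if abuild supports one. The `pkgrel` bump earlier in this file is consistent with the kernelconfig change elsewhere in the commit.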
diff --git a/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch b/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch
index 0079a01ef7..2352119c13 100644
--- a/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch
+++ b/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch
@@ -12411,8 +12411,16 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/tsc.c linux-2.6.31.5/arch/x86/kernel/t
static void __init check_system_tsc_reliable(void)
diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kernel/vm86_32.c
--- linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:42:59.020760222 -0400
-+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:33:06.209232976 -0400
-@@ -148,7 +148,7 @@ struct pt_regs *save_v86_state(struct ke
++++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-31 21:14:11.351546024 -0400
+@@ -41,6 +41,7 @@
+ #include <linux/ptrace.h>
+ #include <linux/audit.h>
+ #include <linux/stddef.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/io.h>
+@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
do_exit(SIGSEGV);
}
@@ -12421,7 +12429,36 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
current->thread.sp0 = current->thread.saved_sp0;
current->thread.sysenter_cs = __KERNEL_CS;
load_sp0(tss, &current->thread);
-@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
+@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
+ struct task_struct *tsk;
+ int tmp, ret = -EPERM;
+
++#ifdef CONFIG_GRKERNSEC_VM86
++ if (!capable(CAP_SYS_RAWIO)) {
++ gr_handle_vm86();
++ goto out;
++ }
++#endif
++
+ tsk = current;
+ if (tsk->thread.saved_sp0)
+ goto out;
+@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
+ int tmp, ret;
+ struct vm86plus_struct __user *v86;
+
++#ifdef CONFIG_GRKERNSEC_VM86
++ if (!capable(CAP_SYS_RAWIO)) {
++ gr_handle_vm86();
++ ret = -EPERM;
++ goto out;
++ }
++#endif
++
+ tsk = current;
+ switch (regs->bx) {
+ case VM86_REQUEST_IRQ:
+@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
tsk->thread.saved_fs = info->regs32->fs;
tsk->thread.saved_gs = get_user_gs(info->regs32);
@@ -12430,7 +12467,7 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
if (cpu_has_sep)
tsk->thread.sysenter_cs = 0;
-@@ -529,7 +529,7 @@ static void do_int(struct kernel_vm86_re
+@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
goto cannot_handle;
if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
goto cannot_handle;
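Review bot: The new `capable(CAP_SYS_RAWIO)` gate in `sys_vm86` is placed before the `switch (regs->bx)`, so unprivileged `VM86_PLUS_INSTALL_CHECK` probes and the `VM86_*_IRQ` subcommands now return -EPERM and are logged as denials, not only the actual entry into vm86 mode. That is probably the intended conservative behaviour, but nothing in the code says so; a comment above the block such as `/* deny every vm86 subcommand, including the INSTALL_CHECK probe */` would make the scope explicit. Each denial calls `gr_handle_vm86()` unconditionally, so unless `gr_log_noargs()` rate-limits internally an unprivileged loop can flood the log; worth confirming. Both `sys_vm86old` and `sys_vm86` continue past the end of this hunk, including the `out:` labels the new `goto`s target.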
@@ -29281,7 +29318,34 @@ diff -urNp linux-2.6.31.5/fs/sysfs/bin.c linux-2.6.31.5/fs/sysfs/bin.c
.fault = bin_fault,
diff -urNp linux-2.6.31.5/fs/sysfs/file.c linux-2.6.31.5/fs/sysfs/file.c
--- linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:17.593999889 -0400
-+++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:30.050681672 -0400
++++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-31 21:31:10.194981012 -0400
+@@ -53,7 +53,7 @@ struct sysfs_buffer {
+ size_t count;
+ loff_t pos;
+ char * page;
+- struct sysfs_ops * ops;
++ const struct sysfs_ops * ops;
+ struct mutex mutex;
+ int needs_read_fill;
+ int event;
+@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
+ {
+ struct sysfs_dirent *attr_sd = dentry->d_fsdata;
+ struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
+- struct sysfs_ops * ops = buffer->ops;
++ const struct sysfs_ops * ops = buffer->ops;
+ int ret = 0;
+ ssize_t count;
+
+@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
+ {
+ struct sysfs_dirent *attr_sd = dentry->d_fsdata;
+ struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
+- struct sysfs_ops * ops = buffer->ops;
++ const struct sysfs_ops * ops = buffer->ops;
+ int rc;
+
+ /* need attr_sd for attr and ops, its parent for kobj */
@@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
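Review bot: Making `sysfs_buffer.ops` and the two locals `const struct sysfs_ops *` only hardens anything if the `struct sysfs_ops` instances that `kobj->ktype->sysfs_ops` points at are themselves defined `const` and land in read-only data; from this hunk alone it is type hygiene, and the `include/linux/sysfs.h` and `kobj_type` side of the patch is not visible here. The store into `buffer->ops` happens in `sysfs_open_file`, whose hunk starts on the last line of this one and is cut off, so I could not confirm its `ops` local was constified to match. The `fill_read_buffer` and `flush_write_buffer` bodies both run past the end of the inner hunks.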
@@ -36515,8 +36579,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_log.c linux-2.6.31.5/grsecurity/grsec
+}
diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec_mem.c
--- linux-2.6.31.5/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-20 20:32:11.219172768 -0400
-@@ -0,0 +1,79 @@
++++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-31 20:59:28.193884281 -0400
+@@ -0,0 +1,85 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -36596,6 +36660,12 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec
+ return;
+}
+
++void
++gr_handle_vm86(void)
++{
++ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
++ return;
++}
diff -urNp linux-2.6.31.5/grsecurity/grsec_mount.c linux-2.6.31.5/grsecurity/grsec_mount.c
--- linux-2.6.31.5/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/grsecurity/grsec_mount.c 2009-10-20 20:32:11.219172768 -0400
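Review bot: `gr_handle_vm86()` is defined in `grsecurity/grsec_mem.c`, which is presumably only built when CONFIG_GRKERNSEC is set (the grsecurity Makefile is not visible here), while its only caller is guarded by CONFIG_GRKERNSEC_VM86, whose visible dependency is just `depends on X86_32`; unless the enclosing Kconfig menu adds `depends on GRKERNSEC`, a config with VM86 on and GRKERNSEC off would fail to link. Worth confirming against the surrounding menu. The trailing `return;` in a void function is dead and could be dropped, though it matches the sibling helpers above. The lines before the new function are the tail of another helper that begins outside this hunk.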
@@ -37527,8 +37597,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsum.c linux-2.6.31.5/grsecurity/grsum.c
+}
diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
--- linux-2.6.31.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-20 20:32:11.506703093 -0400
-@@ -0,0 +1,908 @@
++++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-31 21:13:30.960724478 -0400
+@@ -0,0 +1,923 @@
+#
+# grecurity configuration
+#
@@ -37669,6 +37739,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_VM86 if (X86_32)
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
@@ -37718,6 +37789,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ - Prevention of memory exhaustion-based exploits
+ - Hardening of module auto-loading
+ - Ptrace restrictions
++ - Restricted vm86 mode
+
+config GRKERNSEC_CUSTOM
+ bool "Custom"
@@ -37754,6 +37826,19 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ It is highly recommended that you say Y here if you meet all the
+ conditions above.
+
++config GRKERNSEC_VM86
++ bool "Restrict VM86 mode"
++ depends on X86_32
++
++ help
++ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
++ make use of a special execution mode on 32bit x86 processors called
++ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
++ video cards and will still work with this option enabled. The purpose
++ of the option is to prevent exploitation of emulation errors in
++ virtualization of vm86 mode like the one discovered in VMWare in 2009.
++ Nearly all users should be able to enable this option.
++
+config GRKERNSEC_IO
+ bool "Disable privileged I/O"
+ depends on X86
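Review bot: The help text says XFree86 `will still work` and `Nearly all users should be able to enable this option`, but it never names what breaks: any unprivileged user of the vm86 syscalls (DOS emulators, BIOS/video helpers run without CAP_SYS_RAWIO) will get EPERM. A sentence such as `Unprivileged DOS emulators and BIOS/video helpers that rely on vm86 will fail with EPERM unless granted CAP_SYS_RAWIO.` would state the trade-off; `VMWare` should also read `VMware`. Since `depends on X86_32` is the only dependency visible, confirm that the enclosing menu supplies `depends on GRKERNSEC`, so the option cannot be selected without the code that implements `gr_handle_vm86()`.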
@@ -39888,8 +39973,8 @@ diff -urNp linux-2.6.31.5/include/linux/grinternal.h linux-2.6.31.5/include/linu
+#endif
diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grmsg.h
--- linux-2.6.31.5/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-20 20:32:11.510838935 -0400
-@@ -0,0 +1,103 @@
++++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-31 20:53:53.064386497 -0400
+@@ -0,0 +1,104 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -39993,10 +40078,11 @@ diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grm
+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
+#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
++#define GR_VM86_MSG "denied use of vm86 by "
diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linux/grsecurity.h
--- linux-2.6.31.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-20 20:32:11.510838935 -0400
-@@ -0,0 +1,197 @@
++++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-31 21:00:00.773738698 -0400
+@@ -0,0 +1,198 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -40182,6 +40268,7 @@ diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linu
+
+#ifdef CONFIG_GRKERNSEC
+void gr_log_nonroot_mod_load(const char *modname);
++void gr_handle_vm86(void);
+void gr_handle_mem_write(void);
+void gr_handle_kmem_write(void);
+void gr_handle_open_port(void);
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index 0578066e86..6a77c6d53e 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -1,7 +1,7 @@
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.31.5
-# Mon Oct 26 17:37:25 2009
+# Mon Nov 2 17:52:49 2009
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -4191,6 +4191,7 @@ CONFIG_GRKERNSEC_CUSTOM=y
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
+CONFIG_GRKERNSEC_VM86=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
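Review bot: Turning on `CONFIG_GRKERNSEC_VM86=y` in the shipped x86 config changes behaviour for every user of this kernel, not only those who opt in: unprivileged callers of `vm86`/`vm86old` now get EPERM plus a log line, which affects DOS emulators and video helpers not run with CAP_SYS_RAWIO. That is a defensible default for a hardened kernel, but it deserves a sentence in the commit message or release notes so the EPERM is not reported as a regression. `CONFIG_GRKERNSEC_IO` stays unset on the next line, so the two restrictions are independent and should be documented as such.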
diff --git a/main/xtables-addons-grsec/APKBUILD b/main/xtables-addons-grsec/APKBUILD
index 278d2b21b3..eab9a01149 100644
--- a/main/xtables-addons-grsec/APKBUILD
+++ b/main/xtables-addons-grsec/APKBUILD
@@ -8,11 +8,13 @@ if [ -f ../linux-$_flavor/APKBUILD ]; then
fi
_kernelver=$pkgver-r$pkgrel
_abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel
pkgname=${_realname}-${_flavor}
pkgver=${pkgver}
_realver=1.19
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
pkgdesc="Iptables extensions kernel modules"
url="http://xtables-addons.sourceforge.net/"
license="GPL"
diff --git a/testing/kqemu-grsec/APKBUILD b/testing/kqemu-grsec/APKBUILD
index b02b8c27e9..66a0ea09dd 100644
--- a/testing/kqemu-grsec/APKBUILD
+++ b/testing/kqemu-grsec/APKBUILD
@@ -8,11 +8,13 @@ if [ -f ../../main/linux-$_flavor/APKBUILD ]; then
fi
_kernelver=$pkgver-r$pkgrel
_abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel
pkgname=${_realname}-${_flavor}
pkgver=$pkgver
_realver=1.4.0pre1
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
pkgdesc="$_flavor kernel modules for kemu $_realver"
url="http://www.nongnu.org/qemu/"
license="GPL"