-rw-r--r-- | main/dahdi-linux-grsec/APKBUILD | 4 | ||||
-rw-r--r-- | main/iscsitarget-grsec/APKBUILD | 4 | ||||
-rw-r--r-- | main/linux-grsec/APKBUILD | 8 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch (renamed from main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch) | 113 | ||||
-rw-r--r-- | main/linux-grsec/kernelconfig.x86 | 3 | ||||
-rw-r--r-- | main/xtables-addons-grsec/APKBUILD | 4 | ||||
-rw-r--r-- | testing/kqemu-grsec/APKBUILD | 4 |
7 files changed, 118 insertions, 22 deletions
diff --git a/main/dahdi-linux-grsec/APKBUILD b/main/dahdi-linux-grsec/APKBUILD
index d6320d13ed..eccec0af59 100644
--- a/main/dahdi-linux-grsec/APKBUILD
+++ b/main/dahdi-linux-grsec/APKBUILD
@@ -10,12 +10,14 @@ fi
 _kernelver="$pkgver-r$pkgrel"
 _abi_release=${pkgver}-${_flavor}
+_kpkgrel=$pkgrel
 _realname=dahdi-linux
 pkgname=${_realname}-${_flavor}
 pkgver=$pkgver
 _dahdiver=2.2.0.2
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(( $_kpkgrel + $_mypkgrel ))
 pkgdesc="Digium Asterisk Hardware Device Interface drivers $_dahdiver"
 url="http://www.asterisk.org"
 license="GPL"
diff --git a/main/iscsitarget-grsec/APKBUILD b/main/iscsitarget-grsec/APKBUILD
index 009165e9e7..f2279d12aa 100644
--- a/main/iscsitarget-grsec/APKBUILD
+++ b/main/iscsitarget-grsec/APKBUILD
@@ -9,12 +9,14 @@ fi
 _kver=$pkgver
 _kernelver=$pkgver-r$pkgrel
 _abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel
 _iscsiver=1.4.18
 pkgname=${_realname}-${_flavor}
 pkgver=$_kver
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
 pkgdesc="$_flavor kernel modules for iscsitarget $_iscsiver"
 url="http://iscsitarget.sourceforge.net/"
 license="GPL-2"
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index f2230adbdb..bf11e38ce5 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.31.5
 _kernver=2.6.31
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
 install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
 ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
- grsecurity-2.1.14-2.6.31.5-200910232000.patch
+ grsecurity-2.1.14-2.6.31.5-200910312135.patch
 kernelconfig.x86
 "
 subpackages="$pkgname-dev linux-firmware:firmware"
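Review bot: `pkgrel=$(( $_kpkgrel + $_mypkgrel ))` degrades silently when `_kpkgrel` is empty: `_kpkgrel=$pkgrel` copies whatever `pkgrel` the kernel APKBUILD (presumably sourced by the `if`/`fi` block that closes just above the hunk) left behind, and if that file was not found the arithmetic expansion treats the missing operand as 0 in the common shells, so the module package gets a release number that no longer tracks the kernel's. A guard before the arithmetic, `: "${_kpkgrel:?kernel APKBUILD not found}"`, turns that into a build error instead. The same pattern appears in the iscsitarget-grsec, xtables-addons-grsec and kqemu-grsec hunks of this commit; those spell it `$(($_kpkgrel + $_mypkgrel))` without the inner spaces, so one form should be picked for all four.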
@@ -120,5 +120,5 @@ firmware() {
 md5sums="84c077a37684e4cbfa67b18154390d8a linux-2.6.31.tar.bz2
 6cac5e59d5562b591cdda485941204d5 patch-2.6.31.5.bz2
-6b3813a484429f160dce06d69e2e8d7f grsecurity-2.1.14-2.6.31.5-200910232000.patch
-5fadc584b08c9bc420d61e148139becd kernelconfig.x86"
+284a8a8e0d5d8034684107098488d92a grsecurity-2.1.14-2.6.31.5-200910312135.patch
+94d5ac9701cf3ddd50f654509b8ec6fc kernelconfig.x86"
diff --git a/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch b/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch
index 0079a01ef7..2352119c13 100644
--- a/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch
+++ b/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch
@@ -12411,8 +12411,16 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/tsc.c linux-2.6.31.5/arch/x86/kernel/t
 static void __init check_system_tsc_reliable(void)
 diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kernel/vm86_32.c
 --- linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:42:59.020760222 -0400
-+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:33:06.209232976 -0400
-@@ -148,7 +148,7 @@ struct pt_regs *save_v86_state(struct ke
++++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-31 21:14:11.351546024 -0400
+@@ -41,6 +41,7 @@
+ #include <linux/ptrace.h>
+ #include <linux/audit.h>
+ #include <linux/stddef.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/io.h>
+@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
 do_exit(SIGSEGV);
 }
@@ -12421,7 +12429,36 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
 current->thread.sp0 = current->thread.saved_sp0;
 current->thread.sysenter_cs = __KERNEL_CS;
 load_sp0(tss, ¤t->thread);
-@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
+@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
+ struct task_struct *tsk;
+ int tmp, ret = -EPERM;
+
++#ifdef CONFIG_GRKERNSEC_VM86
++ if (!capable(CAP_SYS_RAWIO)) {
++ gr_handle_vm86();
++ goto out;
++ }
++#endif
++
+ tsk = current;
+ if (tsk->thread.saved_sp0)
+ goto out;
+@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
+ int tmp, ret;
+ struct vm86plus_struct __user *v86;
+
++#ifdef CONFIG_GRKERNSEC_VM86
++ if (!capable(CAP_SYS_RAWIO)) {
++ gr_handle_vm86();
++ ret = -EPERM;
++ goto out;
++ }
++#endif
++
+ tsk = current;
+ switch (regs->bx) {
+ case VM86_REQUEST_IRQ:
+@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
 tsk->thread.saved_fs = info->regs32->fs;
 tsk->thread.saved_gs = get_user_gs(info->regs32);
@@ -12430,7 +12467,7 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
 if (cpu_has_sep)
 tsk->thread.sysenter_cs = 0;
-@@ -529,7 +529,7 @@ static void do_int(struct kernel_vm86_re
+@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
 goto cannot_handle;
 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
 goto cannot_handle;
@@ -29281,7 +29318,34 @@ diff -urNp linux-2.6.31.5/fs/sysfs/bin.c linux-2.6.31.5/fs/sysfs/bin.c
 .fault = bin_fault,
 diff -urNp linux-2.6.31.5/fs/sysfs/file.c linux-2.6.31.5/fs/sysfs/file.c
 --- linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:17.593999889 -0400
-+++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:30.050681672 -0400
++++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-31 21:31:10.194981012 -0400
+@@ -53,7 +53,7 @@ struct sysfs_buffer {
+ size_t count;
+ loff_t pos;
+ char * page;
+- struct sysfs_ops * ops;
++ const struct sysfs_ops * ops;
+ struct mutex mutex;
+ int needs_read_fill;
+ int event;
+@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
+ {
+ struct sysfs_dirent *attr_sd = dentry->d_fsdata;
+ struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
+- struct sysfs_ops * ops = buffer->ops;
++ const struct sysfs_ops * ops = buffer->ops;
+ int ret = 0;
+ ssize_t count;
+
+@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
+ {
+ struct sysfs_dirent *attr_sd = dentry->d_fsdata;
+ struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
+- struct sysfs_ops * ops = buffer->ops;
++ const struct sysfs_ops * ops = buffer->ops;
+ int rc;
+
+ /* need attr_sd for attr and ops, its parent for kobj */
 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
@@ -36515,8 +36579,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_log.c linux-2.6.31.5/grsecurity/grsec
 +}
 diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec_mem.c
 --- linux-2.6.31.5/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-20 20:32:11.219172768 -0400
-@@ -0,0 +1,79 @@
++++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-31 20:59:28.193884281 -0400
+@@ -0,0 +1,85 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -36596,6 +36660,12 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec
 + return;
 +}
 +
++void
++gr_handle_vm86(void)
++{
++ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
++ return;
++}
 diff -urNp linux-2.6.31.5/grsecurity/grsec_mount.c linux-2.6.31.5/grsecurity/grsec_mount.c
 --- linux-2.6.31.5/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
 +++ linux-2.6.31.5/grsecurity/grsec_mount.c 2009-10-20 20:32:11.219172768 -0400
@@ -37527,8 +37597,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsum.c linux-2.6.31.5/grsecurity/grsum.c
 +}
 diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 --- linux-2.6.31.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-20 20:32:11.506703093 -0400
-@@ -0,0 +1,908 @@
++++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-31 21:13:30.960724478 -0400
+@@ -0,0 +1,923 @@
 +#
 +# grecurity configuration
 +#
@@ -37669,6 +37739,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 + select GRKERNSEC_AUDIT_MOUNT
 + select GRKERNSEC_MODHARDEN if (MODULES)
 + select GRKERNSEC_HARDEN_PTRACE
++ select GRKERNSEC_VM86 if (X86_32)
 + select PAX
 + select PAX_RANDUSTACK
 + select PAX_ASLR
@@ -37718,6 +37789,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 + - Prevention of memory exhaustion-based exploits
 + - Hardening of module auto-loading
 + - Ptrace restrictions
++ - Restricted vm86 mode
 +
 +config GRKERNSEC_CUSTOM
 + bool "Custom"
@@ -37754,6 +37826,19 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 + It is highly recommended that you say Y here if you meet all the
 + conditions above.
 +
++config GRKERNSEC_VM86
++ bool "Restrict VM86 mode"
++ depends on X86_32
++
++ help
++ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
++ make use of a special execution mode on 32bit x86 processors called
++ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
++ video cards and will still work with this option enabled. The purpose
++ of the option is to prevent exploitation of emulation errors in
++ virtualization of vm86 mode like the one discovered in VMWare in 2009.
++ Nearly all users should be able to enable this option.
++
 +config GRKERNSEC_IO
 + bool "Disable privileged I/O"
 + depends on X86
@@ -39888,8 +39973,8 @@ diff -urNp linux-2.6.31.5/include/linux/grinternal.h linux-2.6.31.5/include/linu
 +#endif
 diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grmsg.h
 --- linux-2.6.31.5/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-20 20:32:11.510838935 -0400
-@@ -0,0 +1,103 @@
++++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-31 20:53:53.064386497 -0400
+@@ -0,0 +1,104 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -39993,10 +40078,11 @@ diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grm
 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
++#define GR_VM86_MSG "denied use of vm86 by "
 diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linux/grsecurity.h
 --- linux-2.6.31.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-20 20:32:11.510838935 -0400
-@@ -0,0 +1,197 @@
++++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-31 21:00:00.773738698 -0400
+@@ -0,0 +1,198 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -40182,6 +40268,7 @@ diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linu
 +
 +#ifdef CONFIG_GRKERNSEC
 +void gr_log_nonroot_mod_load(const char *modname);
++void gr_handle_vm86(void);
 +void gr_handle_mem_write(void);
 +void gr_handle_kmem_write(void);
 +void gr_handle_open_port(void);
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index 0578066e86..6a77c6d53e 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Linux kernel version: 2.6.31.5
-# Mon Oct 26 17:37:25 2009
+# Mon Nov 2 17:52:49 2009
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -4191,6 +4191,7 @@ CONFIG_GRKERNSEC_CUSTOM=y
 # Address Space Protection
 #
 CONFIG_GRKERNSEC_KMEM=y
+CONFIG_GRKERNSEC_VM86=y
 # CONFIG_GRKERNSEC_IO is not set
 CONFIG_GRKERNSEC_PROC_MEMMAP=y
 # CONFIG_GRKERNSEC_BRUTE is not set
diff --git a/main/xtables-addons-grsec/APKBUILD b/main/xtables-addons-grsec/APKBUILD
index 278d2b21b3..eab9a01149 100644
--- a/main/xtables-addons-grsec/APKBUILD
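Review bot: `CONFIG_GRKERNSEC_VM86=y` in the second kernelconfig.x86 hunk is a user-visible behaviour change that the commit does not document: with it the patched `sys_vm86old`/`sys_vm86` (vm86_32.c hunk earlier in this diff) return -EPERM to any caller without CAP_SYS_RAWIO and emit the `GR_VM86_MSG` log line, so 32-bit programs that still enter vm86 from an unprivileged process will start failing. The Kconfig help says X servers keep working, presumably because they run with that capability, but other vm86 users are not covered by that statement. Since a regenerated .config will not keep a comment, a sentence in the commit message or the package's release notes along the lines of "vm86 syscalls now require CAP_SYS_RAWIO; unprivileged vm86 users get EPERM and a grsec log entry" would spare the next maintainer a bisect. The timestamp change in the first hunk is generated noise and needs nothing.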
+++ b/main/xtables-addons-grsec/APKBUILD
@@ -8,11 +8,13 @@ if [ -f ../linux-$_flavor/APKBUILD ]; then
 fi
 _kernelver=$pkgver-r$pkgrel
 _abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel
 pkgname=${_realname}-${_flavor}
 pkgver=${pkgver}
 _realver=1.19
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
 pkgdesc="Iptables extensions kernel modules"
 url="http://xtables-addons.sourceforge.net/"
 license="GPL"
diff --git a/testing/kqemu-grsec/APKBUILD b/testing/kqemu-grsec/APKBUILD
index b02b8c27e9..66a0ea09dd 100644
--- a/testing/kqemu-grsec/APKBUILD
+++ b/testing/kqemu-grsec/APKBUILD
@@ -8,11 +8,13 @@ if [ -f ../../main/linux-$_flavor/APKBUILD ]; then
 fi
 _kernelver=$pkgver-r$pkgrel
 _abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel
 pkgname=${_realname}-${_flavor}
 pkgver=$pkgver
 _realver=1.4.0pre1
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
 pkgdesc="$_flavor kernel modules for kemu $_realver"
 url="http://www.nongnu.org/qemu/"
 license="GPL"
|