-rw-r--r--main/linux-grsec/APKBUILD8
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.6.9-201212071641.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.9-201212061820.patch)53
-rw-r--r--main/linux-grsec/pax-fpu-regression.patch19
3 files changed, 58 insertions, 22 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index e695bc4573..5d07a7c608 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.6.9
_kernver=3.6
-pkgrel=2
+pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -14,7 +14,8 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.6.9-201212061820.patch
+ grsecurity-2.9.1-3.6.9-201212071641.patch
+ pax-fpu-regression.patch
0004-arp-flush-arp-cache-on-device-change.patch
@@ -140,7 +141,8 @@ dev() {
md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz
a7c656034599f90dcbc50895b69022aa patch-3.6.9.xz
-5a7ac3d736bda40cd459865a13263e7d grsecurity-2.9.1-3.6.9-201212061820.patch
+6e2dc33e621d993fd921d7dc85b56561 grsecurity-2.9.1-3.6.9-201212071641.patch
+699548fb6e34efc5790390a074b0d50a pax-fpu-regression.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
373db5888708938c6b1baed6da781fcb kernelconfig.x86
190788fb10e79abce9d570d5e87ec3b4 kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.9-201212061820.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.9-201212071641.patch
index 0ef6fd60e9..9724617014 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.6.9-201212061820.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.6.9-201212071641.patch
@@ -45262,7 +45262,7 @@ index b2a34a1..162fa69 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index fab2c6d..6a13dff 100644
+index fab2c6d..9b2fad8 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,15 @@
@@ -46010,7 +46010,7 @@ index fab2c6d..6a13dff 100644
audit_core_dumps(signr);
+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
-+ gr_handle_brute_attach(current, cprm.mm_flags);
++ gr_handle_brute_attach(cprm.mm_flags);
+
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
@@ -59887,10 +59887,10 @@ index 0000000..f7f29aa
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..b4ac94c
+index 0000000..5c00416
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,209 @@
+@@ -0,0 +1,222 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/delay.h>
@@ -59968,6 +59968,7 @@ index 0000000..b4ac94c
+
+#ifdef CONFIG_GRKERNSEC_BRUTE
+#define GR_USER_BAN_TIME (15 * 60)
++#define GR_DAEMON_BRUTE_TIME (30 * 60)
+
+static int __get_dumpable(unsigned long mm_flags)
+{
@@ -59978,10 +59979,12 @@ index 0000000..b4ac94c
+}
+#endif
+
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
++void gr_handle_brute_attach(unsigned long mm_flags)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
++ struct task_struct *p = current;
+ kuid_t uid = GLOBAL_ROOT_UID;
++ int daemon = 0;
+
+ if (!grsec_enable_brute)
+ return;
@@ -59989,9 +59992,11 @@ index 0000000..b4ac94c
+ rcu_read_lock();
+ read_lock(&tasklist_lock);
+ read_lock(&grsec_exec_file_lock);
-+ if (p->real_parent && p->real_parent->exec_file == p->exec_file)
++ if (p->real_parent && p->real_parent->exec_file == p->exec_file) {
++ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
+ p->real_parent->brute = 1;
-+ else {
++ daemon = 1;
++ } else {
+ const struct cred *cred = __task_cred(p), *cred2;
+ struct task_struct *tsk, *tsk2;
+
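Review bot: The expiry stored by `p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;` is wall-clock time, and the later hunk that rewrites gr_handle_brute_check() tests it with `time_before(get_seconds(), p->brute_expires)`, so a clock step (settimeofday, an NTP correction) can shorten or stretch the 30-minute stall window. A monotonic base would make the window independent of clock changes, e.g. `brute_expires = jiffies + GR_DAEMON_BRUTE_TIME * HZ` checked with `time_before(jiffies, p->brute_expires)`. Because `brute` is not cleared when the window ends, that variant would need care that a stale expiry is not misread after jiffies wraps on 32-bit. gr_handle_brute_attach() begins and ends outside this hunk.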
@@ -60024,6 +60029,8 @@ index 0000000..b4ac94c
+ if (!uid_eq(uid, GLOBAL_ROOT_UID))
+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n",
+ from_kuid_munged(&init_user_ns, uid), GR_USER_BAN_TIME / 60);
++ else if (daemon)
++ gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
+
+#endif
+ return;
@@ -60032,8 +60039,14 @@ index 0000000..b4ac94c
+void gr_handle_brute_check(void)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
-+ if (current->brute)
-+ msleep(30 * 1000);
++ struct task_struct *p = current;
++
++ if (unlikely(p->brute)) {
++ if (!grsec_enable_brute)
++ p->brute = 0;
++ else if (time_before(get_seconds(), p->brute_expires))
++ msleep(30 * 1000);
++ }
+#endif
+ return;
+}
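Review bot: `p->brute` stays set after `brute_expires` has passed, so from then on only the time comparison keeps the task from sleeping, which is easy to misread as a forgotten reset. A comment above the inner test would record the intent, for example `/* brute is left set after expiry; brute_expires alone gates the delay, and a new crash in gr_handle_brute_attach() re-arms it */`. The flag is cleared only on the `!grsec_enable_brute` path, and that is worth stating in the same comment.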
@@ -63091,10 +63104,10 @@ index 0000000..c9292f7
+#endif
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
new file mode 100644
-index 0000000..54f4e85
+index 0000000..2bd4c8d
--- /dev/null
+++ b/include/linux/grmsg.h
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -63205,9 +63218,10 @@ index 0000000..54f4e85
+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
+#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
++#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
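Review bot: GR_BRUTE_DAEMON_MSG spells out "30 minutes" and "30 seconds" as fixed text, while the values that enforce them live in grsec_sig.c as `GR_DAEMON_BRUTE_TIME (30 * 60)` and the `msleep(30 * 1000)` literal, so a later change to either leaves the log message wrong. The user-ban printk in the same patch derives its duration from `GR_USER_BAN_TIME / 60` instead. Since the message is emitted through gr_log_noargs(), the minimum is a cross-reference above this define such as `/* durations must match GR_DAEMON_BRUTE_TIME and the msleep() in gr_handle_brute_check() */`.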
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..187b3ed
+index 0000000..28d8b19
--- /dev/null
+++ b/include/linux/grsecurity.h
@@ -0,0 +1,239 @@
@@ -63246,7 +63260,7 @@ index 0000000..187b3ed
+ } ptr;
+};
+
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
++void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
+int gr_process_user_ban(void);
@@ -64691,7 +64705,7 @@ index 3fce545..b4fed6e 100644
static inline void anon_vma_merge(struct vm_area_struct *vma,
struct vm_area_struct *next)
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 23bddac..5976055 100644
+index 23bddac..e08f087 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -101,6 +101,7 @@ struct bio_list;
@@ -64802,7 +64816,7 @@ index 23bddac..5976055 100644
#ifdef CONFIG_FUTEX
struct robust_list_head __user *robust_list;
#ifdef CONFIG_COMPAT
-@@ -1589,8 +1616,74 @@ struct task_struct {
+@@ -1589,8 +1616,75 @@ struct task_struct {
#ifdef CONFIG_UPROBES
struct uprobe_task *utask;
#endif
@@ -64819,6 +64833,7 @@ index 23bddac..5976055 100644
+ struct acl_subject_label *acl;
+ struct acl_role_label *role;
+ struct file *exec_file;
++ unsigned long brute_expires;
+ u16 acl_role_id;
+ /* is this the task that authenticated to the special role */
+ u8 acl_sp_role;
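Review bot: `brute_expires` is added without a comment, and its unit is not obvious from the type: the grsec_sig.c hunks store a get_seconds() value in it, not jiffies. A short comment would prevent misuse, for example `/* get_seconds() value until which forks of a brute-flagged task are delayed */`. The neighbouring `acl_sp_role` field already carries a comment of this kind. The struct task_struct definition extends well beyond this hunk.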
@@ -64877,7 +64892,7 @@ index 23bddac..5976055 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -2125,7 +2218,9 @@ void yield(void);
+@@ -2125,7 +2219,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -64887,7 +64902,7 @@ index 23bddac..5976055 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2158,6 +2253,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2158,6 +2254,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -64895,7 +64910,7 @@ index 23bddac..5976055 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2314,7 +2410,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2314,7 +2411,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -64904,7 +64919,7 @@ index 23bddac..5976055 100644
extern void daemonize(const char *, ...);
extern int allow_signal(int);
-@@ -2515,9 +2611,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2515,9 +2612,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#endif
diff --git a/main/linux-grsec/pax-fpu-regression.patch b/main/linux-grsec/pax-fpu-regression.patch
new file mode 100644
index 0000000000..7ec5b33740
--- /dev/null
+++ b/main/linux-grsec/pax-fpu-regression.patch
@@ -0,0 +1,19 @@
+diff -u linux-3.6.9-pax/arch/x86/include/asm/fpu-internal.h linux-3.6.9-pax/arch/x86/include/asm/fpu-internal.h
+--- linux-3.6.9-pax/arch/x86/include/asm/fpu-internal.h 2012-11-30 20:11:38.909016648 +0100
++++ linux-3.6.9-pax/arch/x86/include/asm/fpu-internal.h 2012-12-10 00:53:24.196782810 +0100
+@@ -254,7 +254,14 @@
+
+ static inline int fpu_fxrstor_checking(struct fpu *fpu)
+ {
+- return fxrstor_checking(&fpu->state->fxsave);
++ int ret;
++ mm_segment_t fs;
++
++ fs = get_fs();
++ set_fs(KERNEL_DS);
++ ret = fxrstor_checking(&fpu->state->fxsave);
++ set_fs(fs);
++ return ret;
+ }
+
+ static inline int fpu_restore_checking(struct fpu *fpu)
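Review bot: The new patch file starts directly at the `diff -u` line, with no description of the regression it fixes or where the change came from, which makes a hand-carried kernel patch hard to audit or to drop later; a short header before the diff naming the origin and the symptom would fix that. Inside fpu_fxrstor_checking() the `set_fs(KERNEL_DS)` / `set_fs(fs)` pair widens the address limit around `fxrstor_checking(&fpu->state->fxsave)`. A one-line comment saying why a kernel pointer needs that here (presumably PaX's user-access checks, to be confirmed) would help the next reader judge whether the override is still required. The hunk ends at the signature of fpu_restore_checking(), so whether other restore paths need the same treatment cannot be seen from here.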