diff options
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch (renamed from main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch) | 69 |
2 files changed, 51 insertions, 24 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index f5bc959faa..386393bf11 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -4,7 +4,7 @@ _flavor=grsec pkgname=linux-${_flavor} pkgver=3.2.2 _kernver=3.2 -pkgrel=1 +pkgrel=2 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2 ftp://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2 - grsecurity-2.2.2-3.2.2-201201290115.patch + grsecurity-2.2.2-3.2.2-201201302345.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -141,7 +141,7 @@ dev() { md5sums="7ceb61f87c097fc17509844b71268935 linux-3.2.tar.bz2 e9e53fba37c5e2afa4cdecab234120bd patch-3.2.2.bz2 -55e85afceade7adcc216f26996549f1f grsecurity-2.2.2-3.2.2-201201290115.patch +54c66601d38283f4561acd7cf48f7a0a grsecurity-2.2.2-3.2.2-201201302345.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch f3eda7112ef074a4121ec6de943c63ee x86-centaur-enable-cx8-for-via-eden-too.patch 62cc7d7b5ba7ef05b72ff91c0411c189 linux-3.0.x-regression-with-ipv4-routes-having-mtu.patch diff --git a/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch b/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch index 407965667a..5a35b2ea25 100644 --- a/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch +++ b/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch @@ -41403,6 +41403,22 @@ index f7908ae..920a680 100644 dcache_init(); inode_init(); +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index f3a257d..715ac0f 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -261,7 +261,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file); + struct dentry *debugfs_create_dir(const char *name, struct dentry *parent) + { + return debugfs_create_file(name, ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT ++ S_IFDIR | S_IRWXU, ++#else + S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO, ++#endif + parent, NULL, NULL); + } + EXPORT_SYMBOL_GPL(debugfs_create_dir); diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c index 2a83425..b082cec 100644 --- a/fs/ecryptfs/crypto.c @@ -46894,6 +46910,29 @@ index fa2defa..8601650 100644 ret = -EAGAIN; pipe_unlock(ipipe); +diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c +index 7fdf6a7..e6cd8ad 100644 +--- a/fs/sysfs/dir.c ++++ b/fs/sysfs/dir.c +@@ -642,6 +642,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd, + struct sysfs_dirent *sd; + int rc; + ++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT ++ const char *parent_name = parent_sd->s_name; ++ ++ mode = S_IFDIR | S_IRWXU; ++ ++ if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) || ++ (!strcmp(parent_name, "devices") && !strcmp(name, "system")) || ++ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse"))) || ++ (!strcmp(parent_name, "system") && !strcmp(name, "cpu"))) ++ mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; ++#endif ++ + /* allocate */ + sd = sysfs_new_dirent(name, mode, SYSFS_DIR); + if (!sd) diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c index d4e6080b..0e58b99 100644 --- a/fs/sysfs/file.c @@ -46943,22 +46982,6 @@ index d4e6080b..0e58b99 100644 wake_up_interruptible(&od->poll); } -diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c -index e34f0d9..740ea7b 100644 ---- a/fs/sysfs/mount.c -+++ b/fs/sysfs/mount.c -@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = { - .s_name = "", - .s_count = ATOMIC_INIT(1), - .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT), -+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT -+ .s_mode = S_IFDIR | S_IRWXU, -+#else - .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO, -+#endif - .s_ino = 1, - }; - diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c index a7ac78f..02158e1 100644 --- a/fs/sysfs/symlink.c @@ -47167,10 +47190,10 @@ index ce9268a..ee98d0b 100644 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..ab77366 +index 0000000..dfd3d34 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1065 @@ +@@ -0,0 +1,1069 @@ +# +# grecurity configuration +# @@ -47641,15 +47664,19 @@ index 0000000..ab77366 + depends on SYSFS + help + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and -+ any filesystem normally mounted under it (e.g. debugfs) will only -+ be accessible by root. These filesystems generally provide access ++ any filesystem normally mounted under it (e.g. debugfs) will be ++ mostly accessible only by root. These filesystems generally provide access + to hardware and debug information that isn't appropriate for unprivileged + users of the system. Sysfs and debugfs have also become a large source + of new vulnerabilities, ranging from infoleaks to local compromise. + There has been very little oversight with an eye toward security involved + in adding new exporters of information to these filesystems, so their + use is discouraged. -+ This option is equivalent to a chmod 0700 of the mount paths. ++ For reasons of compatibility, a few directories have been whitelisted ++ for access by non-root users: ++ /sys/fs/selinux ++ /sys/fs/fuse ++ /sys/devices/system/cpu + +config GRKERNSEC_ROFS + bool "Runtime read-only mount protection" |