-rw-r--r--main/linux-grsec/APKBUILD6
-rw-r--r--main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch (renamed from main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch)69
2 files changed, 51 insertions, 24 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index f5bc959faa..386393bf11 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.2.2
_kernver=3.2
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2
- grsecurity-2.2.2-3.2.2-201201290115.patch
+ grsecurity-2.2.2-3.2.2-201201302345.patch
0004-arp-flush-arp-cache-on-device-change.patch
@@ -141,7 +141,7 @@ dev() {
md5sums="7ceb61f87c097fc17509844b71268935 linux-3.2.tar.bz2
e9e53fba37c5e2afa4cdecab234120bd patch-3.2.2.bz2
-55e85afceade7adcc216f26996549f1f grsecurity-2.2.2-3.2.2-201201290115.patch
+54c66601d38283f4561acd7cf48f7a0a grsecurity-2.2.2-3.2.2-201201302345.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
f3eda7112ef074a4121ec6de943c63ee x86-centaur-enable-cx8-for-via-eden-too.patch
62cc7d7b5ba7ef05b72ff91c0411c189 linux-3.0.x-regression-with-ipv4-routes-having-mtu.patch
diff --git a/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch b/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch
index 407965667a..5a35b2ea25 100644
--- a/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201290115.patch
+++ b/main/linux-grsec/grsecurity-2.2.2-3.2.2-201201302345.patch
@@ -41403,6 +41403,22 @@ index f7908ae..920a680 100644
dcache_init();
inode_init();
+diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
+index f3a257d..715ac0f 100644
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -261,7 +261,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
+ {
+ return debugfs_create_file(name,
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++ S_IFDIR | S_IRWXU,
++#else
+ S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
++#endif
+ parent, NULL, NULL);
+ }
+ EXPORT_SYMBOL_GPL(debugfs_create_dir);
diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
index 2a83425..b082cec 100644
--- a/fs/ecryptfs/crypto.c
@@ -46894,6 +46910,29 @@ index fa2defa..8601650 100644
ret = -EAGAIN;
pipe_unlock(ipipe);
+diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
+index 7fdf6a7..e6cd8ad 100644
+--- a/fs/sysfs/dir.c
++++ b/fs/sysfs/dir.c
+@@ -642,6 +642,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd,
+ struct sysfs_dirent *sd;
+ int rc;
+
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++ const char *parent_name = parent_sd->s_name;
++
++ mode = S_IFDIR | S_IRWXU;
++
++ if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
++ (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
++ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse"))) ||
++ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
++ mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++#endif
++
+ /* allocate */
+ sd = sysfs_new_dirent(name, mode, SYSFS_DIR);
+ if (!sd)
diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
index d4e6080b..0e58b99 100644
--- a/fs/sysfs/file.c
@@ -46943,22 +46982,6 @@ index d4e6080b..0e58b99 100644
wake_up_interruptible(&od->poll);
}
-diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
-index e34f0d9..740ea7b 100644
---- a/fs/sysfs/mount.c
-+++ b/fs/sysfs/mount.c
-@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
- .s_name = "",
- .s_count = ATOMIC_INIT(1),
- .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
-+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
-+ .s_mode = S_IFDIR | S_IRWXU,
-+#else
- .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
-+#endif
- .s_ino = 1,
- };
-
diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c
index a7ac78f..02158e1 100644
--- a/fs/sysfs/symlink.c
@@ -47167,10 +47190,10 @@ index ce9268a..ee98d0b 100644
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..ab77366
+index 0000000..dfd3d34
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1065 @@
+@@ -0,0 +1,1069 @@
+#
+# grecurity configuration
+#
@@ -47641,15 +47664,19 @@ index 0000000..ab77366
+ depends on SYSFS
+ help
+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
-+ any filesystem normally mounted under it (e.g. debugfs) will only
-+ be accessible by root. These filesystems generally provide access
++ any filesystem normally mounted under it (e.g. debugfs) will be
++ mostly accessible only by root. These filesystems generally provide access
+ to hardware and debug information that isn't appropriate for unprivileged
+ users of the system. Sysfs and debugfs have also become a large source
+ of new vulnerabilities, ranging from infoleaks to local compromise.
+ There has been very little oversight with an eye toward security involved
+ in adding new exporters of information to these filesystems, so their
+ use is discouraged.
-+ This option is equivalent to a chmod 0700 of the mount paths.
++ For reasons of compatibility, a few directories have been whitelisted
++ for access by non-root users:
++ /sys/fs/selinux
++ /sys/fs/fuse
++ /sys/devices/system/cpu
+
+config GRKERNSEC_ROFS
+ bool "Runtime read-only mount protection"
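Review bot: The whitelist added to create_dir() in the fs/sysfs/dir.c hunk keys on the parent's basename rather than on its position in the tree, so any kobject directory named `fs`, `devices` or `system` anywhere under /sys would also get world-searchable children named `fuse`/`selinux`, `system` or `cpu`; only the `!strcmp(parent_name, "")` case is anchored to the root. Walking `parent_sd->s_parent` up to `&sysfs_root` and checking each name on the way would make the code match the three paths the Kconfig help text promises. That help text in the grsecurity/Kconfig hunk also lists only the leaf directories, whereas the whitelist (together with the dropped `.s_mode` override for `sysfs_root` in fs/sysfs/mount.c) leaves /sys, /sys/fs, /sys/devices and /sys/devices/system listable by unprivileged users, so device names remain enumerable; appending `(and the directories leading to them)` after the list would keep the documentation accurate. create_dir() starts and ends outside the hunk.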