Diffstat (limited to 'main/linux-grsec')
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.2.2-3.0.4-201109261052.patch (renamed from main/linux-grsec/grsecurity-2.2.2-3.0.4-201109190917.patch) | 117 |
2 files changed, 88 insertions, 35 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 77438b0742..b4f4cd5ef7 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.0.4
 _kernver=3.0
-pkgrel=6
+pkgrel=7
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
 ftp://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2
- grsecurity-2.2.2-3.0.4-201109190917.patch
+ grsecurity-2.2.2-3.0.4-201109261052.patch
 0004-arp-flush-arp-cache-on-device-change.patch
@@ -138,7 +138,7 @@ dev() {
 md5sums="398e95866794def22b12dfbc15ce89c0 linux-3.0.tar.bz2
 62ca5f3caed233617127b2b3b7a87d15 patch-3.0.4.bz2
-475c1129df5aca0d82587640b878109d grsecurity-2.2.2-3.0.4-201109190917.patch
+a7729608516e45657d47a0a458117ca1 grsecurity-2.2.2-3.0.4-201109261052.patch
 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
 9a2c88b20d296158cdcd01f843898415 kernelconfig.x86
 6957efc9f017c59b05aa0a2e4167255e kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.2.2-3.0.4-201109190917.patch b/main/linux-grsec/grsecurity-2.2.2-3.0.4-201109261052.patch
index ec88fda16b..cce98cf9ed 100644
--- a/main/linux-grsec/grsecurity-2.2.2-3.0.4-201109190917.patch
+++ b/main/linux-grsec/grsecurity-2.2.2-3.0.4-201109261052.patch
@@ -50694,8 +50694,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_ch
 +}
 diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_disabled.c
 --- linux-3.0.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,447 @@
++++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-09-24 08:13:01.000000000 -0400
+@@ -0,0 +1,433 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -50863,18 +50863,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_
 + return 0;
 +}
 +
-+int
-+gr_is_capable(const int cap)
-+{
-+ return 1;
-+}
-+
-+int
-+gr_is_capable_nolog(const int cap)
-+{
-+ return 1;
-+}
-+
 +void
 +gr_handle_alertkill(struct task_struct *task)
 +{
@@ -51135,8 +51123,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_
 + return dentry->d_inode->i_sb->s_dev;
 +}
 +
-+EXPORT_SYMBOL(gr_is_capable);
-+EXPORT_SYMBOL(gr_is_capable_nolog);
 +EXPORT_SYMBOL(gr_learn_resource);
 +EXPORT_SYMBOL(gr_set_kernel_label);
 +#ifdef CONFIG_SECURITY
@@ -51669,8 +51655,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_link.c linux-3.0.4/grsecurity/grsec_link
 +}
 diff -urNp linux-3.0.4/grsecurity/grsec_log.c linux-3.0.4/grsecurity/grsec_log.c
 --- linux-3.0.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/grsec_log.c 2011-09-14 23:17:55.000000000 -0400
-@@ -0,0 +1,313 @@
++++ linux-3.0.4/grsecurity/grsec_log.c 2011-09-26 10:46:21.000000000 -0400
+@@ -0,0 +1,315 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/file.h>
@@ -51723,6 +51709,7 @@ diff -urNp linux-3.0.4/grsecurity/grsec_log.c linux-3.0.4/grsecurity/grsec_log.c
 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
++#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
 + unsigned long curr_secs = get_seconds();
 +
 + if (audit == GR_DO_AUDIT)
@@ -51731,18 +51718,19 @@ diff -urNp linux-3.0.4/grsecurity/grsec_log.c linux-3.0.4/grsecurity/grsec_log.c
 + if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
 + grsec_alert_wtime = curr_secs;
 + grsec_alert_fyet = 0;
-+ } else if (time_before(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
-+ if (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST) {
-+ grsec_alert_fyet++;
-+ } else if (grsec_alert_fyet && grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
-+ grsec_alert_wtime = curr_secs;
-+ grsec_alert_fyet++;
-+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
-+ return FLOODING;
-+ }
-+ } else return FLOODING;
++ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
++ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
++ grsec_alert_fyet++;
++ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
++ grsec_alert_wtime = curr_secs;
++ grsec_alert_fyet++;
++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
++ return FLOODING;
++ }
++ else return FLOODING;
 +
 +set_fmt:
++#endif
 + memset(buf, 0, PAGE_SIZE);
 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
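Review bot: The new `#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)` in the grsec_log.c hunks (-51723 and -51731) removes the alert rate limiter entirely when either option is 0, and nothing at the site says so. On such a build alerts presumably reach the log unthrottled, so a burst of them can push other kernel messages out of the ring buffer; a comment above the `#if` would make the trade-off explicit, e.g. `/* FLOODTIME or FLOODBURST == 0: flood control is compiled out, alerts are never rate limited */`. The rewritten chain also leaves `else return FLOODING;` on a line of its own after a closing brace; `} else {` / `return FLOODING;` / `}` matches the branches above it. The function begins before and continues after these hunks, so locking around grsec_alert_wtime and grsec_alert_fyet cannot be checked from here.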
@@ -55798,7 +55786,7 @@ diff -urNp linux-3.0.4/include/linux/grdefs.h linux-3.0.4/include/linux/grdefs.h
 +#endif
 diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grinternal.h
 --- linux-3.0.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/include/linux/grinternal.h 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/include/linux/grinternal.h 2011-09-24 08:43:45.000000000 -0400
 @@ -0,0 +1,219 @@
 +#ifndef __GRINTERNAL_H
 +#define __GRINTERNAL_H
@@ -55924,7 +55912,7 @@ diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grin
 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
-+ CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
++ CAP_TO_MASK(CAP_IPC_OWNER) , CAP_TO_MASK(CAP_SYSLOG) }}
 +
 +#define security_learn(normal_msg,args...) \
 +({ \
@@ -67520,7 +67508,16 @@ diff -urNp linux-3.0.4/mm/slob.c linux-3.0.4/mm/slob.c
 diff -urNp linux-3.0.4/mm/slub.c linux-3.0.4/mm/slub.c
 --- linux-3.0.4/mm/slub.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/mm/slub.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/mm/slub.c 2011-09-25 22:15:40.000000000 -0400
+@@ -200,7 +200,7 @@ struct track {
+
+ enum track_item { TRACK_ALLOC, TRACK_FREE };
+
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static int sysfs_slab_add(struct kmem_cache *);
+ static int sysfs_slab_alias(struct kmem_cache *, const char *);
+ static void sysfs_slab_remove(struct kmem_cache *);
 @@ -442,7 +442,7 @@ static void print_track(const char *s, s
 if (!t->addr)
 return;
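Review bot: In the grinternal.h hunk (-55924) the initializer now carries `CAP_TO_MASK(CAP_SYSLOG)` in its second element, but nothing tells a reader that the two elements are the low and high 32-bit capability words and that CAP_TO_MASK only gives the bit position within one word. A later edit that ORs a capability numbered 32 or above into the first element, or a low-numbered one into the second, would silently select a different capability. A short comment ahead of the second element would guard against that, e.g. `/* second word: capabilities numbered 32 and up */`. The macro's name and the start of its definition are outside the hunk, so which capability set this is, and whether other high-numbered capabilities belong in it, should be confirmed against the full header.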
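Review bot: The guard `#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)` is pasted at every site in mm/slub.c (first in the -67520 hunk at inner line 200, then again in the -67671 and -67680 hunks), so one site missed now or added later leaves a prototype without a definition or a static function without a caller. Testing a single file-local macro, defined once near the top of slub.c, would keep the sites in step. That definition is also the place for the missing rationale, e.g. `/* slab sysfs interface is not built when CONFIG_GRKERNSEC_PROC_ADD is set */`, ideally with the reason spelled out by someone who knows the intent. The `#else` stubs for sysfs_slab_add, sysfs_slab_alias and sysfs_slab_remove are not visible in these hunks and presumably need the same condition; worth confirming with a build that has CONFIG_SYSFS and CONFIG_GRKERNSEC_PROC_ADD both enabled.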
@@ -67671,6 +67668,30 @@ diff -urNp linux-3.0.4/mm/slub.c linux-3.0.4/mm/slub.c
 goto err;
 }
 up_write(&slub_lock);
+@@ -3545,7 +3586,7 @@ void *__kmalloc_node_track_caller(size_t
+ }
+ #endif
+
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static int count_inuse(struct page *page)
+ {
+ return page->inuse;
+@@ -3935,12 +3976,12 @@ static void resiliency_test(void)
+ validate_slab_cache(kmalloc_caches[9]);
+ }
+ #else
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static void resiliency_test(void) {};
+ #endif
+ #endif
+
+-#ifdef CONFIG_SYSFS
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ enum slab_stat_type {
+ SL_ALL, /* All slabs */
+ SL_PARTIAL, /* Only partially allocated slabs */
 @@ -4150,7 +4191,7 @@ SLAB_ATTR_RO(ctor);
 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
@@ -67680,7 +67701,39 @@ diff -urNp linux-3.0.4/mm/slub.c linux-3.0.4/mm/slub.c
 }
 SLAB_ATTR_RO(aliases);
-@@ -4894,7 +4935,13 @@ static const struct file_operations proc
+@@ -4662,6 +4703,7 @@ static char *create_unique_id(struct kme
+ return name;
+ }
+
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static int sysfs_slab_add(struct kmem_cache *s)
+ {
+ int err;
+@@ -4724,6 +4766,7 @@ static void sysfs_slab_remove(struct kme
+ kobject_del(&s->kobj);
+ kobject_put(&s->kobj);
+ }
++#endif
+
+ /*
+ * Need to buffer aliases during bootup until sysfs becomes
+@@ -4737,6 +4780,7 @@ struct saved_alias {
+
+ static struct saved_alias *alias_list;
+
++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
+ {
+ struct saved_alias *al;
+@@ -4759,6 +4803,7 @@ static int sysfs_slab_alias(struct kmem_
+ alias_list = al;
+ return 0;
+ }
++#endif
+
+ static int __init slab_sysfs_init(void)
+ {
+@@ -4894,7 +4939,13 @@ static const struct file_operations proc
 static int __init slab_proc_init(void)
 { |