Diffstat (limited to 'main')
-rw-r--r--main/linux-grsec/APKBUILD6
-rw-r--r--main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011062054.patch (renamed from main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011022021.patch)181
2 files changed, 154 insertions, 33 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index e35a10474a..ed87edb3be 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=2.6.35.8
_kernver=2.6.35
-pkgrel=2
+pkgrel=3
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
install=
source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
- grsecurity-2.2.0-2.6.35.8-201011022021.patch
+ grsecurity-2.2.0-2.6.35.8-201011062054.patch
0004-arp-flush-arp-cache-on-device-change.patch
r8169-fix-rx-checksum-offload.patch
r8169-add-gro-support.patch
@@ -141,7 +141,7 @@ firmware() {
md5sums="091abeb4684ce03d1d936851618687b6 linux-2.6.35.tar.bz2
198e4e72ea9cc7f9f25bb5881167aa2e patch-2.6.35.8.bz2
-ec3743cf416ebdc47dbc088aaf33e8e8 grsecurity-2.2.0-2.6.35.8-201011022021.patch
+d5832cb57522a666a80227f68b771552 grsecurity-2.2.0-2.6.35.8-201011062054.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
0ccecafd4123dcad0b0cd7787553d734 r8169-fix-rx-checksum-offload.patch
139b39da44ecb577275be53d7d365949 r8169-add-gro-support.patch
diff --git a/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011022021.patch b/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011062054.patch
index ed9ad022f8..d04f44fbc8 100644
--- a/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011022021.patch
+++ b/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011062054.patch
@@ -32714,7 +32714,7 @@ diff -urNp linux-2.6.35.8/fs/ocfs2/symlink.c linux-2.6.35.8/fs/ocfs2/symlink.c
}
diff -urNp linux-2.6.35.8/fs/open.c linux-2.6.35.8/fs/open.c
--- linux-2.6.35.8/fs/open.c 2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.8/fs/open.c 2010-09-17 20:12:37.000000000 -0400
++++ linux-2.6.35.8/fs/open.c 2010-11-06 20:35:42.000000000 -0400
@@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l
if (length < 0)
return -EINVAL;
@@ -32777,38 +32777,44 @@ diff -urNp linux-2.6.35.8/fs/open.c linux-2.6.35.8/fs/open.c
error = 0;
dput_and_out:
path_put(&path);
-@@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
+@@ -453,12 +479,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
err = mnt_want_write_file(file);
if (err)
goto out_putf;
+
+ mutex_lock(&inode->i_mutex);
++
+ if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
+ err = -EACCES;
-+ goto out_drop_write;
++ goto out_unlock;
+ }
+
- mutex_lock(&inode->i_mutex);
err = security_path_chmod(dentry, file->f_vfsmnt, mode);
if (err)
-@@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
+ goto out_unlock;
+ if (mode == (mode_t) -1)
+ mode = inode->i_mode;
++
++ if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
++ err = -EACCES;
++ goto out_unlock;
++ }
++
+ newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
+ newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
err = notify_change(dentry, &newattrs);
- out_unlock:
- mutex_unlock(&inode->i_mutex);
-+out_drop_write:
- mnt_drop_write(file->f_path.mnt);
- out_putf:
- fput(file);
-@@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
+@@ -486,12 +525,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
error = mnt_want_write(path.mnt);
if (error)
goto dput_and_out;
+
+ mutex_lock(&inode->i_mutex);
++
+ if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
+ error = -EACCES;
-+ goto out_drop_write;
++ goto out_unlock;
+ }
+
- mutex_lock(&inode->i_mutex);
error = security_path_chmod(path.dentry, path.mnt, mode);
if (error)
goto out_unlock;
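Review bot: The new `gr_handle_chroot_chmod` check in fchmod runs after `mode == (mode_t) -1` has been normalised to `inode->i_mode`, whereas `gr_acl_handle_fchmod` sees the caller's raw mode, and nothing in the hunk records why the two checks sit at different points; a one-line comment above the chroot check would do, e.g. `/* checked after normalisation so a mode of -1 is judged as the inode's current mode */`. Taking i_mutex first and sending both failure paths to out_unlock is consistent, and the following hunk dropping the old `out_drop_write` label from fchmod and fchmodat follows from that. For fchmodat only the relocated `gr_acl_handle_chmod` block is visible here; the header growing from 12 to 25 lines, the same as fchmod, suggests the chroot check is added there too, but those lines fall outside this hunk. A small style point: the added call spells the mount `file->f_path.mnt` while the neighbouring upstream line uses `file->f_vfsmnt`. Both SYSCALL_DEFINE bodies start and end outside the hunk.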
@@ -32823,13 +32829,7 @@ diff -urNp linux-2.6.35.8/fs/open.c linux-2.6.35.8/fs/open.c
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
error = notify_change(path.dentry, &newattrs);
- out_unlock:
- mutex_unlock(&inode->i_mutex);
-+out_drop_write:
- mnt_drop_write(path.mnt);
- dput_and_out:
- path_put(&path);
-@@ -515,6 +561,9 @@ static int chown_common(struct path *pat
+@@ -515,6 +567,9 @@ static int chown_common(struct path *pat
int error;
struct iattr newattrs;
@@ -55003,6 +55003,28 @@ diff -urNp linux-2.6.35.8/net/ipv4/ip_fragment.c linux-2.6.35.8/net/ipv4/ip_frag
qp->rid = end;
rc = qp->q.fragments && (end - start) > max;
+diff -urNp linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c
+--- linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c 2010-09-20 17:33:09.000000000 -0400
++++ linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c 2010-11-06 18:42:54.000000000 -0400
+@@ -926,6 +926,7 @@ static int get_info(struct net *net, voi
+ private = &tmp;
+ }
+ #endif
++ memset(&info, 0, sizeof(info));
+ info.valid_hooks = t->valid_hooks;
+ memcpy(info.hook_entry, private->hook_entry,
+ sizeof(info.hook_entry));
+diff -urNp linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c
+--- linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c 2010-09-20 17:33:09.000000000 -0400
++++ linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c 2010-11-06 18:42:54.000000000 -0400
+@@ -1120,6 +1120,7 @@ static int get_info(struct net *net, voi
+ private = &tmp;
+ }
+ #endif
++ memset(&info, 0, sizeof(info));
+ info.valid_hooks = t->valid_hooks;
+ memcpy(info.hook_entry, private->hook_entry,
+ sizeof(info.hook_entry));
diff -urNp linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c
--- linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400
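Review bot: The added `memset(&info, 0, sizeof(info))` in get_info carries no comment saying what it guards against; the struct is then filled field by field and, presumably, copied out to user space later in the function, so the zeroing is what keeps stale stack bytes (padding and any field not explicitly assigned) out of that copy. A one-line comment such as `/* clear padding and unset fields: this struct is copied to user space */` would record the reason, since a later cleanup could otherwise treat the memset as redundant and drop it. The same change is made for ip_tables.c in this hunk and for ip6_tables.c in the next one, and the same comment applies at each. get_info's body, including the copy-out, lies outside the hunk.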
@@ -55288,9 +55310,20 @@ diff -urNp linux-2.6.35.8/net/ipv6/exthdrs.c linux-2.6.35.8/net/ipv6/exthdrs.c
};
int ipv6_parse_hopopts(struct sk_buff *skb)
+diff -urNp linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c
+--- linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c 2010-09-20 17:33:09.000000000 -0400
++++ linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c 2010-11-06 18:42:54.000000000 -0400
+@@ -1135,6 +1135,7 @@ static int get_info(struct net *net, voi
+ private = &tmp;
+ }
+ #endif
++ memset(&info, 0, sizeof(info));
+ info.valid_hooks = t->valid_hooks;
+ memcpy(info.hook_entry, private->hook_entry,
+ sizeof(info.hook_entry));
diff -urNp linux-2.6.35.8/net/ipv6/raw.c linux-2.6.35.8/net/ipv6/raw.c
--- linux-2.6.35.8/net/ipv6/raw.c 2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.8/net/ipv6/raw.c 2010-09-17 20:12:09.000000000 -0400
++++ linux-2.6.35.8/net/ipv6/raw.c 2010-11-06 18:42:54.000000000 -0400
@@ -601,7 +601,7 @@ out:
return err;
}
@@ -55300,9 +55333,24 @@ diff -urNp linux-2.6.35.8/net/ipv6/raw.c linux-2.6.35.8/net/ipv6/raw.c
struct flowi *fl, struct rt6_info *rt,
unsigned int flags)
{
+@@ -1247,7 +1247,13 @@ static void raw6_sock_seq_show(struct se
+ 0, 0L, 0,
+ sock_i_uid(sp), 0,
+ sock_i_ino(sp),
+- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
++ atomic_read(&sp->sk_refcnt),
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL,
++#else
++ sp,
++#endif
++ atomic_read(&sp->sk_drops));
+ }
+
+ static int raw6_seq_show(struct seq_file *seq, void *v)
diff -urNp linux-2.6.35.8/net/ipv6/tcp_ipv6.c linux-2.6.35.8/net/ipv6/tcp_ipv6.c
--- linux-2.6.35.8/net/ipv6/tcp_ipv6.c 2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.8/net/ipv6/tcp_ipv6.c 2010-09-17 20:23:25.000000000 -0400
++++ linux-2.6.35.8/net/ipv6/tcp_ipv6.c 2010-11-06 18:42:54.000000000 -0400
@@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
}
#endif
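Review bot: Substituting `NULL` for `sp` under CONFIG_GRKERNSEC_HIDESYM changes what the /proc/net/raw6 column contains, not only what it reveals: the conversion specifier is outside the hunk, but if it is `%p`, the kernel's vsprintf renders a null pointer as the text `(null)` rather than a zero address, so userspace that parses that column as a hex number may break. Worth confirming the specifier and, if so, emitting a constant zero of the matching width instead. The same substitution is made in get_openreq6, get_tcp6_sock and get_timewait6_sock (tcp_ipv6.c) and in udp6_sock_seq_show (udp.c) in the following hunks. The seq_printf call in raw6_sock_seq_show begins outside the hunk.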
@@ -55358,9 +55406,53 @@ diff -urNp linux-2.6.35.8/net/ipv6/tcp_ipv6.c linux-2.6.35.8/net/ipv6/tcp_ipv6.c
tcp_v6_send_reset(NULL, skb);
}
+@@ -2001,7 +2020,13 @@ static void get_openreq6(struct seq_file
+ uid,
+ 0, /* non standard timer */
+ 0, /* open_requests have no inode */
+- 0, req);
++ 0,
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL
++#else
++ req
++#endif
++ );
+ }
+
+ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
+@@ -2051,7 +2076,12 @@ static void get_tcp6_sock(struct seq_fil
+ sock_i_uid(sp),
+ icsk->icsk_probes_out,
+ sock_i_ino(sp),
+- atomic_read(&sp->sk_refcnt), sp,
++ atomic_read(&sp->sk_refcnt),
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL,
++#else
++ sp,
++#endif
+ jiffies_to_clock_t(icsk->icsk_rto),
+ jiffies_to_clock_t(icsk->icsk_ack.ato),
+ (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
+@@ -2086,7 +2116,13 @@ static void get_timewait6_sock(struct se
+ dest->s6_addr32[2], dest->s6_addr32[3], destp,
+ tw->tw_substate, 0, 0,
+ 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
+- atomic_read(&tw->tw_refcnt), tw);
++ atomic_read(&tw->tw_refcnt),
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL
++#else
++ tw
++#endif
++ );
+ }
+
+ static int tcp6_seq_show(struct seq_file *seq, void *v)
diff -urNp linux-2.6.35.8/net/ipv6/udp.c linux-2.6.35.8/net/ipv6/udp.c
--- linux-2.6.35.8/net/ipv6/udp.c 2010-09-26 17:32:11.000000000 -0400
-+++ linux-2.6.35.8/net/ipv6/udp.c 2010-09-26 17:32:51.000000000 -0400
++++ linux-2.6.35.8/net/ipv6/udp.c 2010-11-06 18:42:54.000000000 -0400
@@ -50,6 +50,10 @@
#include <linux/seq_file.h>
#include "udp_impl.h"
@@ -55382,6 +55474,20 @@ diff -urNp linux-2.6.35.8/net/ipv6/udp.c linux-2.6.35.8/net/ipv6/udp.c
icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
kfree_skb(skb);
+@@ -1404,7 +1411,12 @@ static void udp6_sock_seq_show(struct se
+ 0, 0L, 0,
+ sock_i_uid(sp), 0,
+ sock_i_ino(sp),
+- atomic_read(&sp->sk_refcnt), sp,
++ atomic_read(&sp->sk_refcnt),
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ NULL,
++#else
++ sp,
++#endif
+ atomic_read(&sp->sk_drops));
+ }
+
diff -urNp linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c
--- linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400
@@ -56280,24 +56386,39 @@ diff -urNp linux-2.6.35.8/net/wireless/wext-core.c linux-2.6.35.8/net/wireless/w
iwp->length += essid_compat;
diff -urNp linux-2.6.35.8/net/x25/x25_facilities.c linux-2.6.35.8/net/x25/x25_facilities.c
--- linux-2.6.35.8/net/x25/x25_facilities.c 2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.8/net/x25/x25_facilities.c 2010-11-02 19:50:35.000000000 -0400
-@@ -134,14 +134,14 @@ int x25_parse_facilities(struct sk_buff
++++ linux-2.6.35.8/net/x25/x25_facilities.c 2010-11-06 18:42:54.000000000 -0400
+@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff
case X25_FAC_CLASS_D:
switch (*p) {
case X25_FAC_CALLING_AE:
- if (p[1] > X25_MAX_DTE_FACIL_LEN)
-+ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
- break;
+- break;
++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++ return 0;
dte_facs->calling_len = p[2];
memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
*vc_fac_mask |= X25_MASK_CALLING_AE;
break;
case X25_FAC_CALLED_AE:
- if (p[1] > X25_MAX_DTE_FACIL_LEN)
-+ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
- break;
+- break;
++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
++ return 0;
dte_facs->called_len = p[2];
memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
+ *vc_fac_mask |= X25_MASK_CALLED_AE;
+diff -urNp linux-2.6.35.8/net/x25/x25_in.c linux-2.6.35.8/net/x25/x25_in.c
+--- linux-2.6.35.8/net/x25/x25_in.c 2010-08-26 19:47:12.000000000 -0400
++++ linux-2.6.35.8/net/x25/x25_in.c 2010-11-06 18:43:41.000000000 -0400
+@@ -119,6 +119,8 @@ static int x25_state1_machine(struct soc
+ &x25->vc_facil_mask);
+ if (len > 0)
+ skb_pull(skb, len);
++ else
++ return -1;
+ /*
+ * Copy any Call User Data.
+ */
diff -urNp linux-2.6.35.8/net/xfrm/xfrm_policy.c linux-2.6.35.8/net/xfrm/xfrm_policy.c
--- linux-2.6.35.8/net/xfrm/xfrm_policy.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.8/net/xfrm/xfrm_policy.c 2010-09-17 20:12:09.000000000 -0400
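Review bot: The tightened guard `p[1] <= 1` now matches what the next two lines consume — `dte_facs->calling_len = p[2]` reads one byte and the memcpy copies `p[1] - 1` bytes from `&p[3]` — but nothing in the hunk checks that those `p[1]` bytes lie within the received facilities length; if that bound is enforced it is in the part of x25_parse_facilities outside the hunk and is worth confirming. A comment above each guard would make the arithmetic explicit: `/* facility needs >= 2 bytes: one length byte at p[2], p[1]-1 bytes of AE at p[3] */`. Changing `break` to `return 0` makes a malformed facility fail the whole parse, and the x25_in.c hunk consumes that by returning -1 when `len` is not positive, so the two hunks agree. Both functions start before their hunks; x25_state1_machine continues after its hunk.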