Diffstat (limited to 'main')
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011062054.patch (renamed from main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011022021.patch) | 181 |
2 files changed, 154 insertions, 33 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index e35a10474a..ed87edb3be 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.35.8
 _kernver=2.6.35
-pkgrel=2
+pkgrel=3
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
 install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
 ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
- grsecurity-2.2.0-2.6.35.8-201011022021.patch
+ grsecurity-2.2.0-2.6.35.8-201011062054.patch
 0004-arp-flush-arp-cache-on-device-change.patch
 r8169-fix-rx-checksum-offload.patch
 r8169-add-gro-support.patch
@@ -141,7 +141,7 @@ firmware() {
 md5sums="091abeb4684ce03d1d936851618687b6 linux-2.6.35.tar.bz2
 198e4e72ea9cc7f9f25bb5881167aa2e patch-2.6.35.8.bz2
-ec3743cf416ebdc47dbc088aaf33e8e8 grsecurity-2.2.0-2.6.35.8-201011022021.patch
+d5832cb57522a666a80227f68b771552 grsecurity-2.2.0-2.6.35.8-201011062054.patch
 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
 0ccecafd4123dcad0b0cd7787553d734 r8169-fix-rx-checksum-offload.patch
 139b39da44ecb577275be53d7d365949 r8169-add-gro-support.patch
diff --git a/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011022021.patch b/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011062054.patch
index ed9ad022f8..d04f44fbc8 100644
--- a/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011022021.patch
+++ b/main/linux-grsec/grsecurity-2.2.0-2.6.35.8-201011062054.patch
@@ -32714,7 +32714,7 @@ diff -urNp linux-2.6.35.8/fs/ocfs2/symlink.c linux-2.6.35.8/fs/ocfs2/symlink.c
 }
 diff -urNp linux-2.6.35.8/fs/open.c linux-2.6.35.8/fs/open.c
 --- linux-2.6.35.8/fs/open.c 2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.8/fs/open.c 2010-09-17 20:12:37.000000000 -0400
++++ linux-2.6.35.8/fs/open.c 2010-11-06 20:35:42.000000000 -0400
@@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l if (length < 0) return -EINVAL; @@ -32777,38 +32777,44 @@ diff -urNp linux-2.6.35.8/fs/open.c linux-2.6.35.8/fs/open.c error = 0; dput_and_out: path_put(&path); -@@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd +@@ -453,12 +479,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd err = mnt_want_write_file(file); if (err) goto out_putf; + + mutex_lock(&inode->i_mutex); ++ + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) { + err = -EACCES; -+ goto out_drop_write; ++ goto out_unlock; + } + - mutex_lock(&inode->i_mutex); err = security_path_chmod(dentry, file->f_vfsmnt, mode); if (err) -@@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd + goto out_unlock; + if (mode == (mode_t) -1) + mode = inode->i_mode; ++ ++ if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) { ++ err = -EACCES; ++ goto out_unlock; ++ } ++ + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; err = notify_change(dentry, &newattrs); - out_unlock: - mutex_unlock(&inode->i_mutex); -+out_drop_write: - mnt_drop_write(file->f_path.mnt); - out_putf: - fput(file); -@@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons +@@ -486,12 +525,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons error = mnt_want_write(path.mnt); if (error) goto dput_and_out; + + mutex_lock(&inode->i_mutex); ++ + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) { + error = -EACCES; -+ goto out_drop_write; ++ goto out_unlock; + } + - mutex_lock(&inode->i_mutex); error = security_path_chmod(path.dentry, path.mnt, mode); if (error) goto out_unlock; 
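Review bot: In the fchmod hunk the policy hook `if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode))` now runs before the `if (mode == (mode_t) -1) mode = inode->i_mode;` normalization, so a caller passing -1 presents the sentinel to the ACL check while the later `gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)` check sees the effective mode; if the ACL hook inspects mode bits, it is evaluating a value that will never be applied. Normalizing before the ACL hook, or passing `inode->i_mode` explicitly when mode is -1, would give both hooks the same input — whether gr_acl_handle_fchmod looks at mode bits is not visible here, so this is an ordering concern to confirm rather than a proven defect. The lock reordering itself is consistent: both `-EACCES` paths now jump to `out_unlock`, which releases the mutex taken just above. The fchmodat hunk at the end of this line follows the same hook ordering as far as it is visible, and both SYSCALL_DEFINE bodies extend outside the hunk.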
@@ -32823,13 +32829,7 @@ diff -urNp linux-2.6.35.8/fs/open.c linux-2.6.35.8/fs/open.c newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(path.dentry, &newattrs); - out_unlock: - mutex_unlock(&inode->i_mutex); -+out_drop_write: - mnt_drop_write(path.mnt); - dput_and_out: - path_put(&path); -@@ -515,6 +561,9 @@ static int chown_common(struct path *pat +@@ -515,6 +567,9 @@ static int chown_common(struct path *pat int error; struct iattr newattrs; 
@@ -55003,6 +55003,28 @@ diff -urNp linux-2.6.35.8/net/ipv4/ip_fragment.c linux-2.6.35.8/net/ipv4/ip_frag qp->rid = end; rc = qp->q.fragments && (end - start) > max; +diff -urNp linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c +--- linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c 2010-09-20 17:33:09.000000000 -0400 ++++ linux-2.6.35.8/net/ipv4/netfilter/arp_tables.c 2010-11-06 18:42:54.000000000 -0400 +@@ -926,6 +926,7 @@ static int get_info(struct net *net, voi + private = &tmp; + } + #endif ++ memset(&info, 0, sizeof(info)); + info.valid_hooks = t->valid_hooks; + memcpy(info.hook_entry, private->hook_entry, + sizeof(info.hook_entry)); +diff -urNp linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c +--- linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c 2010-09-20 17:33:09.000000000 -0400 ++++ linux-2.6.35.8/net/ipv4/netfilter/ip_tables.c 2010-11-06 18:42:54.000000000 -0400 +@@ -1120,6 +1120,7 @@ static int get_info(struct net *net, voi + private = &tmp; + } + #endif ++ memset(&info, 0, sizeof(info)); + info.valid_hooks = t->valid_hooks; + memcpy(info.hook_entry, private->hook_entry, + sizeof(info.hook_entry)); diff -urNp linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c --- linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.8/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400 
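Review bot: The added `memset(&info, 0, sizeof(info));` in arp_tables.c get_info, and the identical line in the ip_tables.c hunk here and the ip6_tables.c hunk on the next line, carry no comment saying why a structure whose named fields are all assigned immediately below still needs zeroing, which invites a later cleanup that removes it as redundant. The reason, as far as the hunk shape allows one to infer, is that `info` is a stack object later copied out to userspace, so structure padding and any field not written here would otherwise carry stale kernel stack contents; suggest `/* zero padding: info is copied to userspace; stale stack bytes must not leak */` above each memset. The copy-out and the `info` declaration are outside the hunk, so that rationale should be checked against the surrounding function before the comment is committed.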
@@ -55288,9 +55310,20 @@ diff -urNp linux-2.6.35.8/net/ipv6/exthdrs.c linux-2.6.35.8/net/ipv6/exthdrs.c }; int ipv6_parse_hopopts(struct sk_buff *skb) +diff -urNp linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c +--- linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c 2010-09-20 17:33:09.000000000 -0400 ++++ linux-2.6.35.8/net/ipv6/netfilter/ip6_tables.c 2010-11-06 18:42:54.000000000 -0400 +@@ -1135,6 +1135,7 @@ static int get_info(struct net *net, voi + private = &tmp; + } + #endif ++ memset(&info, 0, sizeof(info)); + info.valid_hooks = t->valid_hooks; + memcpy(info.hook_entry, private->hook_entry, + sizeof(info.hook_entry)); diff -urNp linux-2.6.35.8/net/ipv6/raw.c linux-2.6.35.8/net/ipv6/raw.c --- linux-2.6.35.8/net/ipv6/raw.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.8/net/ipv6/raw.c 2010-09-17 20:12:09.000000000 -0400 ++++ linux-2.6.35.8/net/ipv6/raw.c 2010-11-06 18:42:54.000000000 -0400 @@ -601,7 +601,7 @@ out: return err; } @@ -55300,9 +55333,24 @@ diff -urNp linux-2.6.35.8/net/ipv6/raw.c linux-2.6.35.8/net/ipv6/raw.c struct flowi *fl, struct rt6_info *rt, unsigned int flags) { +@@ -1247,7 +1247,13 @@ static void raw6_sock_seq_show(struct se + 0, 0L, 0, + sock_i_uid(sp), 0, + sock_i_ino(sp), +- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops)); ++ atomic_read(&sp->sk_refcnt), ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, ++#else ++ sp, ++#endif ++ atomic_read(&sp->sk_drops)); + } + + static int raw6_seq_show(struct seq_file *seq, void *v) diff -urNp linux-2.6.35.8/net/ipv6/tcp_ipv6.c linux-2.6.35.8/net/ipv6/tcp_ipv6.c --- linux-2.6.35.8/net/ipv6/tcp_ipv6.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.8/net/ipv6/tcp_ipv6.c 2010-09-17 20:23:25.000000000 -0400 ++++ linux-2.6.35.8/net/ipv6/tcp_ipv6.c 2010-11-06 18:42:54.000000000 -0400 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5 } #endif 
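Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL,` / `#else` / `sp,` / `#endif` block spliced into the argument list of raw6_sock_seq_show is repeated verbatim in the tcp_ipv6.c hunk (get_openreq6, get_tcp6_sock, get_timewait6_sock) and the udp.c hunk (udp6_sock_seq_show), each time with the trailing comma or `);` placed slightly differently; a single conditional helper expression defined once in a header would reduce every call site to a one-token change and remove the mismatched-comma hazard this layout creates. The effect — substituting a null pointer for the socket, request or timewait address printed into /proc output — is the intended kernel-address hiding, and that part reads correctly. Only the IPv6 seq_show paths appear in this diff; whether the IPv4 counterparts are already handled elsewhere in the patch is not visible here, and if they are not, the same addresses stay readable through the IPv4 /proc/net tables. The enclosing functions extend outside each hunk.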
@@ -55358,9 +55406,53 @@ diff -urNp linux-2.6.35.8/net/ipv6/tcp_ipv6.c linux-2.6.35.8/net/ipv6/tcp_ipv6.c tcp_v6_send_reset(NULL, skb); } +@@ -2001,7 +2020,13 @@ static void get_openreq6(struct seq_file + uid, + 0, /* non standard timer */ + 0, /* open_requests have no inode */ +- 0, req); ++ 0, ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL ++#else ++ req ++#endif ++ ); + } + + static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i) +@@ -2051,7 +2076,12 @@ static void get_tcp6_sock(struct seq_fil + sock_i_uid(sp), + icsk->icsk_probes_out, + sock_i_ino(sp), +- atomic_read(&sp->sk_refcnt), sp, ++ atomic_read(&sp->sk_refcnt), ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, ++#else ++ sp, ++#endif + jiffies_to_clock_t(icsk->icsk_rto), + jiffies_to_clock_t(icsk->icsk_ack.ato), + (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong, +@@ -2086,7 +2116,13 @@ static void get_timewait6_sock(struct se + dest->s6_addr32[2], dest->s6_addr32[3], destp, + tw->tw_substate, 0, 0, + 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0, +- atomic_read(&tw->tw_refcnt), tw); ++ atomic_read(&tw->tw_refcnt), ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL ++#else ++ tw ++#endif ++ ); + } + + static int tcp6_seq_show(struct seq_file *seq, void *v) diff -urNp linux-2.6.35.8/net/ipv6/udp.c linux-2.6.35.8/net/ipv6/udp.c --- linux-2.6.35.8/net/ipv6/udp.c 2010-09-26 17:32:11.000000000 -0400 -+++ linux-2.6.35.8/net/ipv6/udp.c 2010-09-26 17:32:51.000000000 -0400 ++++ linux-2.6.35.8/net/ipv6/udp.c 2010-11-06 18:42:54.000000000 -0400 @@ -50,6 +50,10 @@ #include <linux/seq_file.h> #include "udp_impl.h" 
@@ -55382,6 +55474,20 @@ diff -urNp linux-2.6.35.8/net/ipv6/udp.c linux-2.6.35.8/net/ipv6/udp.c icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0); kfree_skb(skb); +@@ -1404,7 +1411,12 @@ static void udp6_sock_seq_show(struct se + 0, 0L, 0, + sock_i_uid(sp), 0, + sock_i_ino(sp), +- atomic_read(&sp->sk_refcnt), sp, ++ atomic_read(&sp->sk_refcnt), ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++ NULL, ++#else ++ sp, ++#endif + atomic_read(&sp->sk_drops)); + } + diff -urNp linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c --- linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.8/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400 
@@ -56280,24 +56386,39 @@ diff -urNp linux-2.6.35.8/net/wireless/wext-core.c linux-2.6.35.8/net/wireless/w iwp->length += essid_compat; diff -urNp linux-2.6.35.8/net/x25/x25_facilities.c linux-2.6.35.8/net/x25/x25_facilities.c --- linux-2.6.35.8/net/x25/x25_facilities.c 2010-08-26 19:47:12.000000000 -0400 -+++ linux-2.6.35.8/net/x25/x25_facilities.c 2010-11-02 19:50:35.000000000 -0400 -@@ -134,14 +134,14 @@ int x25_parse_facilities(struct sk_buff ++++ linux-2.6.35.8/net/x25/x25_facilities.c 2010-11-06 18:42:54.000000000 -0400 +@@ -134,15 +134,15 @@ int x25_parse_facilities(struct sk_buff case X25_FAC_CLASS_D: switch (*p) { case X25_FAC_CALLING_AE: - if (p[1] > X25_MAX_DTE_FACIL_LEN) -+ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0) - break; +- break; ++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) ++ return 0; dte_facs->calling_len = p[2]; memcpy(dte_facs->calling_ae, &p[3], p[1] - 1); *vc_fac_mask |= X25_MASK_CALLING_AE; break; case X25_FAC_CALLED_AE: - if (p[1] > X25_MAX_DTE_FACIL_LEN) -+ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0) - break; +- break; ++ if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) ++ return 0; dte_facs->called_len = p[2]; memcpy(dte_facs->called_ae, &p[3], p[1] - 1); + *vc_fac_mask |= X25_MASK_CALLED_AE; +diff -urNp linux-2.6.35.8/net/x25/x25_in.c linux-2.6.35.8/net/x25/x25_in.c +--- linux-2.6.35.8/net/x25/x25_in.c 2010-08-26 19:47:12.000000000 -0400 ++++ linux-2.6.35.8/net/x25/x25_in.c 2010-11-06 18:43:41.000000000 -0400 +@@ -119,6 +119,8 @@ static int x25_state1_machine(struct soc + &x25->vc_facil_mask); + if (len > 0) + skb_pull(skb, len); ++ else ++ return -1; + /* + * Copy any Call User Data. + */ diff -urNp linux-2.6.35.8/net/xfrm/xfrm_policy.c linux-2.6.35.8/net/xfrm/xfrm_policy.c --- linux-2.6.35.8/net/xfrm/xfrm_policy.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.8/net/xfrm/xfrm_policy.c 2010-09-17 20:12:09.000000000 -0400 |
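Review bot: The new `if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) return 0;` bounds the `memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);` length, but the length recorded next to it, `dte_facs->calling_len = p[2];`, is still taken from the packet without being related to the `p[1] - 1` bytes actually copied (the same holds for called_len); a consumer that trusts calling_len could read beyond the copied bytes into whatever the buffer held before. Consumers are outside this hunk, so that is inferred, but a check such as `if (p[2] > p[1] - 1) return 0;` beside each assignment, or a comment stating why the mismatch is harmless, would close the question. The x25_in.c hunk's `else return -1;` is consistent with the new `return 0` failure path in the parser, though what the caller does with skb on -1 is not visible here. x25_parse_facilities and x25_state1_machine both extend outside the hunk.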