author | Anthony G. Basile <blueness@gentoo.org> | 2012-02-15 07:04:16 -0500 |
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-02-15 07:04:16 -0500 |
commit | 0c427750f850809ea4f388f175957326ab23d611 (patch) | |
tree | 7053cfc264cac2229644090429667270c110e665 | |
parent | Grsec/PaX: 2.2.2-2.6.32.56-201202071726 + 2.2.2-3.2.5-201202081924 (diff) | |
Grsec/PaX: 2.2.2-2.6.32.57-201202131842 + 2.2.2-3.2.6-20120213182420120213
-rw-r--r-- | 2.6.32/0000_README | 6 | ||||
-rw-r--r-- | 2.6.32/1056_linux-2.6.32.57.patch | 612 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.57-201202131842.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202071726.patch) | 611 | ||||
-rw-r--r-- | 3.2.6/0000_README (renamed from 3.2.5/0000_README) | 10 | ||||
-rw-r--r-- | 3.2.6/4420_grsecurity-2.2.2-3.2.6-201202131824.patch (renamed from 3.2.5/4420_grsecurity-2.2.2-3.2.5-201202081924.patch) | 746 | ||||
-rw-r--r-- | 3.2.6/4425_grsec_enable_xtpax.patch (renamed from 3.2.5/4425_grsec_enable_xtpax.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4430_grsec-remove-localversion-grsec.patch (renamed from 3.2.5/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4435_grsec-mute-warnings.patch (renamed from 3.2.5/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4440_grsec-remove-protected-paths.patch (renamed from 3.2.5/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4445_grsec-pax-without-grsec.patch (renamed from 3.2.5/4445_grsec-pax-without-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4450_grsec-kconfig-default-gids.patch (renamed from 3.2.5/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4455_grsec-kconfig-gentoo.patch (renamed from 3.2.5/4455_grsec-kconfig-gentoo.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4460-grsec-kconfig-proc-user.patch (renamed from 3.2.5/4460-grsec-kconfig-proc-user.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.2.5/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.2.6/4470_disable-compat_vdso.patch (renamed from 3.2.5/4470_disable-compat_vdso.patch) | 0 |
15 files changed, 1429 insertions, 556 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 4def10d..d1d1d12 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -18,7 +18,11 @@ Patch: 1055_linux-2.6.32.56.patch
 From: http://www.kernel.org
 Desc: Linux 2.6.32.56
 
-Patch: 4420_grsecurity-2.2.2-2.6.32.56-201202071726.patch
+Patch: 1056_linux-2.6.32.57.patch
+From: http://www.kernel.org
+Desc: Linux 2.6.32.57
+
+Patch: 4420_grsecurity-2.2.2-2.6.32.57-201202131842.patch
 From: http://www.grsecurity.net
 Desc: hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/1056_linux-2.6.32.57.patch b/2.6.32/1056_linux-2.6.32.57.patch
new file mode 100644
index 0000000..b2075af
--- /dev/null
+++ b/2.6.32/1056_linux-2.6.32.57.patch
@@ -0,0 +1,612 @@ +diff --git a/drivers/gpu/drm/i915/intel_tv.c b/drivers/gpu/drm/i915/intel_tv.c +index 5b28b4e..d156b25 100644 +--- a/drivers/gpu/drm/i915/intel_tv.c ++++ b/drivers/gpu/drm/i915/intel_tv.c +@@ -415,7 +415,7 @@ static const struct tv_mode tv_modes[] = { + { + .name = "NTSC-M", + .clock = 108000, +- .refresh = 29970, ++ .refresh = 59940, + .oversample = TV_OVERSAMPLE_8X, + .component_only = 0, + /* 525 Lines, 60 Fields, 15.734KHz line, Sub-Carrier 3.580MHz */ +@@ -458,7 +458,7 @@ static const struct tv_mode tv_modes[] = { + { + .name = "NTSC-443", + .clock = 108000, +- .refresh = 29970, ++ .refresh = 59940, + .oversample = TV_OVERSAMPLE_8X, + .component_only = 0, + /* 525 Lines, 60 Fields, 15.734KHz line, Sub-Carrier 4.43MHz */ +@@ -500,7 +500,7 @@ static const struct tv_mode tv_modes[] = { + { + .name = "NTSC-J", + .clock = 108000, +- .refresh = 29970, ++ .refresh = 59940, + .oversample = TV_OVERSAMPLE_8X, + .component_only = 0, + +@@ -543,7 +543,7 @@ static const struct tv_mode tv_modes[] = { + { + .name = "PAL-M", + .clock = 108000, +- .refresh = 29970, ++ .refresh = 59940, + .oversample = TV_OVERSAMPLE_8X, + .component_only = 0, + +@@ -587,7 +587,7 @@ static const struct tv_mode tv_modes[] = { + /* 625 Lines, 50 Fields, 15.625KHz line, Sub-Carrier 4.434MHz */ + .name = "PAL-N", + .clock = 108000, +- .refresh = 25000, ++ .refresh = 50000, + .oversample = TV_OVERSAMPLE_8X, + .component_only = 0, + +@@ -632,7 +632,7 @@ static const struct tv_mode tv_modes[] = { + /* 625 Lines, 50 Fields, 15.625KHz line, Sub-Carrier 4.434MHz */ + .name = "PAL", + .clock = 108000, +- .refresh = 25000, ++ .refresh = 50000, + .oversample = TV_OVERSAMPLE_8X, + .component_only = 0, + +@@ -819,7 +819,7 @@ static const struct tv_mode tv_modes[] = { + { + .name = "1080i@50Hz", + .clock = 148800, +- .refresh = 25000, ++ .refresh = 50000, + .oversample = TV_OVERSAMPLE_2X, + .component_only = 1, + +@@ -845,7 +845,7 @@ static const struct tv_mode tv_modes[] = { + { + .name = 
"1080i@60Hz", + .clock = 148800, +- .refresh = 30000, ++ .refresh = 60000, + .oversample = TV_OVERSAMPLE_2X, + .component_only = 1, + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index 19e68ab..c0206dc 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -252,12 +252,9 @@ int mlx4_ib_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num, + return IB_MAD_RESULT_SUCCESS; + + /* +- * Don't process SMInfo queries or vendor-specific +- * MADs -- the SMA can't handle them. ++ * Don't process SMInfo queries -- the SMA can't handle them. + */ +- if (in_mad->mad_hdr.attr_id == IB_SMP_ATTR_SM_INFO || +- ((in_mad->mad_hdr.attr_id & IB_SMP_ATTR_VENDOR_MASK) == +- IB_SMP_ATTR_VENDOR_MASK)) ++ if (in_mad->mad_hdr.attr_id == IB_SMP_ATTR_SM_INFO) + return IB_MAD_RESULT_SUCCESS; + } else if (in_mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_PERF_MGMT || + in_mad->mad_hdr.mgmt_class == MLX4_IB_VENDOR_CLASS1 || +diff --git a/drivers/misc/cb710/core.c b/drivers/misc/cb710/core.c +index b14eab0..e43777e 100644 +--- a/drivers/misc/cb710/core.c ++++ b/drivers/misc/cb710/core.c +@@ -244,6 +244,7 @@ static int __devinit cb710_probe(struct pci_dev *pdev, + if (err) + return err; + ++ spin_lock_init(&chip->irq_lock); + chip->pdev = pdev; + chip->iobase = pcim_iomap_table(pdev)[0]; + +diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c +index 99010d4..b9b37ff 100644 +--- a/drivers/staging/android/binder.c ++++ b/drivers/staging/android/binder.c +@@ -36,6 +36,7 @@ + + static DEFINE_MUTEX(binder_lock); + static DEFINE_MUTEX(binder_deferred_lock); ++static DEFINE_MUTEX(binder_mmap_lock); + + static HLIST_HEAD(binder_procs); + static HLIST_HEAD(binder_deferred_list); +@@ -614,6 +615,11 @@ static int binder_update_page_range(struct binder_proc *proc, int allocate, + if (mm) { + down_write(&mm->mmap_sem); + vma = proc->vma; ++ if (vma && mm != vma->vm_mm) { ++ pr_err("binder: %d: vma mm and 
task mm mismatch\n", ++ proc->pid); ++ vma = NULL; ++ } + } + + if (allocate == 0) +@@ -2741,7 +2747,6 @@ static void binder_vma_open(struct vm_area_struct *vma) + proc->pid, vma->vm_start, vma->vm_end, + (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, + (unsigned long)pgprot_val(vma->vm_page_prot)); +- dump_stack(); + } + + static void binder_vma_close(struct vm_area_struct *vma) +@@ -2785,6 +2790,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) + } + vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; + ++ mutex_lock(&binder_mmap_lock); + if (proc->buffer) { + ret = -EBUSY; + failure_string = "already mapped"; +@@ -2799,6 +2805,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) + } + proc->buffer = area->addr; + proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer; ++ mutex_unlock(&binder_mmap_lock); + + #ifdef CONFIG_CPU_CACHE_VIPT + if (cache_is_vipt_aliasing()) { +@@ -2831,7 +2838,7 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) + binder_insert_free_buffer(proc, buffer); + proc->free_async_space = proc->buffer_size / 2; + barrier(); +- proc->files = get_files_struct(current); ++ proc->files = get_files_struct(proc->tsk); + proc->vma = vma; + + /*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", +@@ -2842,10 +2849,12 @@ err_alloc_small_buf_failed: + kfree(proc->pages); + proc->pages = NULL; + err_alloc_pages_failed: ++ mutex_lock(&binder_mmap_lock); + vfree(proc->buffer); + proc->buffer = NULL; + err_get_vm_area_failed: + err_already_mapped: ++ mutex_unlock(&binder_mmap_lock); + err_bad_arg: + printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", + proc->pid, vma->vm_start, vma->vm_end, failure_string, ret); +diff --git a/drivers/staging/asus_oled/asus_oled.c b/drivers/staging/asus_oled/asus_oled.c +index 8a05725..ea99f05 100644 +--- a/drivers/staging/asus_oled/asus_oled.c ++++ b/drivers/staging/asus_oled/asus_oled.c +@@ -349,7 +349,14 @@ static 
void send_data(struct asus_oled_dev *odev) + + static int append_values(struct asus_oled_dev *odev, uint8_t val, size_t count) + { +- while (count-- > 0 && val) { ++ odev->last_val = val; ++ ++ if (val == 0) { ++ odev->buf_offs += count; ++ return 0; ++ } ++ ++ while (count-- > 0) { + size_t x = odev->buf_offs % odev->width; + size_t y = odev->buf_offs / odev->width; + size_t i; +@@ -400,7 +407,6 @@ static int append_values(struct asus_oled_dev *odev, uint8_t val, size_t count) + ; + } + +- odev->last_val = val; + odev->buf_offs++; + } + +diff --git a/drivers/usb/gadget/f_loopback.c b/drivers/usb/gadget/f_loopback.c +index 6cb29d3..8b4dbfc 100644 +--- a/drivers/usb/gadget/f_loopback.c ++++ b/drivers/usb/gadget/f_loopback.c +@@ -373,7 +373,7 @@ int __init loopback_add(struct usb_composite_dev *cdev, bool autoresume) + + /* support autoresume for remote wakeup testing */ + if (autoresume) +- sourcesink_driver.bmAttributes |= USB_CONFIG_ATT_WAKEUP; ++ loopback_driver.bmAttributes |= USB_CONFIG_ATT_WAKEUP; + + /* support OTG systems */ + if (gadget_is_otg(cdev->gadget)) { +diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c +index eae8b18..8213f79 100644 +--- a/drivers/usb/host/pci-quirks.c ++++ b/drivers/usb/host/pci-quirks.c +@@ -498,6 +498,12 @@ hc_init: + + static void __devinit quirk_usb_early_handoff(struct pci_dev *pdev) + { ++ /* Skip Netlogic mips SoC's internal PCI USB controller. 
++ * This device does not need/support EHCI/OHCI handoff ++ */ ++ if (pdev->vendor == 0x184e) /* vendor Netlogic */ ++ return; ++ + if (pdev->class == PCI_CLASS_SERIAL_USB_UHCI) + quirk_usb_handoff_uhci(pdev); + else if (pdev->class == PCI_CLASS_SERIAL_USB_OHCI) +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 85d630e..0a1ccaa 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -840,6 +840,7 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LOGBOOKML_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) }, + { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 212fc41..7bc0abd 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1192,3 +1192,10 @@ + */ + /* ZigBee controller */ + #define FTDI_RF_R106 0x8A28 ++ ++/* ++ * Product: HCP HIT GPRS modem ++ * Manufacturer: HCP d.o.o. 
++ * ATI command output: Cinterion MC55i ++ */ ++#define FTDI_CINTERION_MC55I_PID 0xA951 +diff --git a/drivers/video/atmel_lcdfb.c b/drivers/video/atmel_lcdfb.c +index d5e8010..8c5e432 100644 +--- a/drivers/video/atmel_lcdfb.c ++++ b/drivers/video/atmel_lcdfb.c +@@ -1052,7 +1052,7 @@ static int atmel_lcdfb_suspend(struct platform_device *pdev, pm_message_t mesg) + */ + lcdc_writel(sinfo, ATMEL_LCDC_IDR, ~0UL); + +- sinfo->saved_lcdcon = lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL); ++ sinfo->saved_lcdcon = lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_CTR); + lcdc_writel(sinfo, ATMEL_LCDC_CONTRAST_CTR, 0); + if (sinfo->atmel_lcdfb_power_control) + sinfo->atmel_lcdfb_power_control(0); +diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c +index 6b78546..0404659 100644 +--- a/fs/ecryptfs/read_write.c ++++ b/fs/ecryptfs/read_write.c +@@ -134,7 +134,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset, + pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); + size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); + size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); +- size_t total_remaining_bytes = ((offset + size) - pos); ++ loff_t total_remaining_bytes = ((offset + size) - pos); + + if (fatal_signal_pending(current)) { + rc = -EINTR; +@@ -145,7 +145,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset, + num_bytes = total_remaining_bytes; + if (pos < offset) { + /* remaining zeros to write, up to destination offset */ +- size_t total_remaining_zeros = (offset - pos); ++ loff_t total_remaining_zeros = (offset - pos); + + if (num_bytes > total_remaining_zeros) + num_bytes = total_remaining_zeros; +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index eb4421b..3c759df 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1067,6 +1067,7 @@ static int nfs4_open_recover(struct nfs4_opendata *opendata, struct nfs4_state * + clear_bit(NFS_DELEGATED_STATE, &state->flags); + smp_rmb(); + if 
(state->n_rdwr != 0) { ++ clear_bit(NFS_O_RDWR_STATE, &state->flags); + ret = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE, &newstate); + if (ret != 0) + return ret; +@@ -1074,6 +1075,7 @@ static int nfs4_open_recover(struct nfs4_opendata *opendata, struct nfs4_state * + return -ESTALE; + } + if (state->n_wronly != 0) { ++ clear_bit(NFS_O_WRONLY_STATE, &state->flags); + ret = nfs4_open_recover_helper(opendata, FMODE_WRITE, &newstate); + if (ret != 0) + return ret; +@@ -1081,6 +1083,7 @@ static int nfs4_open_recover(struct nfs4_opendata *opendata, struct nfs4_state * + return -ESTALE; + } + if (state->n_rdonly != 0) { ++ clear_bit(NFS_O_RDONLY_STATE, &state->flags); + ret = nfs4_open_recover_helper(opendata, FMODE_READ, &newstate); + if (ret != 0) + return ret; +@@ -1490,7 +1493,7 @@ static int _nfs4_open_expired(struct nfs_open_context *ctx, struct nfs4_state *s + return ret; + } + +-static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state) ++static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state) + { + struct nfs_server *server = NFS_SERVER(state->inode); + struct nfs4_exception exception = { }; +@@ -1498,10 +1501,16 @@ static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4 + + do { + err = _nfs4_open_expired(ctx, state); +- if (err != -NFS4ERR_DELAY) +- break; +- nfs4_handle_exception(server, err, &exception); ++ switch (err) { ++ default: ++ goto out; ++ case -NFS4ERR_GRACE: ++ case -NFS4ERR_DELAY: ++ nfs4_handle_exception(server, err, &exception); ++ err = 0; ++ } + } while (exception.retry); ++out: + return err; + } + +@@ -4111,10 +4120,16 @@ static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request + if (test_bit(NFS_DELEGATED_STATE, &state->flags) != 0) + return 0; + err = _nfs4_do_setlk(state, F_SETLK, request, 0); +- if (err != -NFS4ERR_DELAY) +- break; +- nfs4_handle_exception(server, err, &exception); ++ switch (err) { ++ 
default: ++ goto out; ++ case -NFS4ERR_GRACE: ++ case -NFS4ERR_DELAY: ++ nfs4_handle_exception(server, err, &exception); ++ err = 0; ++ } + } while (exception.retry); ++out: + return err; + } + +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 2fd5287..2a7f163 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1051,15 +1051,19 @@ static void nfs4_state_end_reclaim_nograce(struct nfs_client *clp) + clear_bit(NFS4CLNT_RECLAIM_NOGRACE, &clp->cl_state); + } + +-static void nfs4_recovery_handle_error(struct nfs_client *clp, int error) ++static int nfs4_recovery_handle_error(struct nfs_client *clp, int error) + { + switch (error) { + case -NFS4ERR_CB_PATH_DOWN: + nfs_handle_cb_pathdown(clp); +- break; ++ return 0; ++ case -NFS4ERR_NO_GRACE: ++ nfs4_state_end_reclaim_reboot(clp); ++ return 0; + case -NFS4ERR_STALE_CLIENTID: + case -NFS4ERR_LEASE_MOVED: + set_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state); ++ nfs4_state_end_reclaim_reboot(clp); + nfs4_state_start_reclaim_reboot(clp); + break; + case -NFS4ERR_EXPIRED: +@@ -1074,6 +1078,7 @@ static void nfs4_recovery_handle_error(struct nfs_client *clp, int error) + case -NFS4ERR_SEQ_MISORDERED: + set_bit(NFS4CLNT_SESSION_SETUP, &clp->cl_state); + } ++ return error; + } + + static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recovery_ops *ops) +@@ -1093,8 +1098,7 @@ restart: + if (status < 0) { + set_bit(ops->owner_flag_bit, &sp->so_flags); + nfs4_put_state_owner(sp); +- nfs4_recovery_handle_error(clp, status); +- return status; ++ return nfs4_recovery_handle_error(clp, status); + } + nfs4_put_state_owner(sp); + goto restart; +@@ -1124,8 +1128,7 @@ static int nfs4_check_lease(struct nfs_client *clp) + status = ops->renew_lease(clp, cred); + put_rpccred(cred); + out: +- nfs4_recovery_handle_error(clp, status); +- return status; ++ return nfs4_recovery_handle_error(clp, status); + } + + static int nfs4_reclaim_lease(struct nfs_client *clp) +@@ -1263,7 +1266,7 @@ static void 
nfs4_state_manager(struct nfs_client *clp) + } + } + /* First recover reboot state... */ +- if (test_and_clear_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)) { ++ if (test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)) { + status = nfs4_do_reclaim(clp, + nfs4_reboot_recovery_ops[clp->cl_minorversion]); + if (status == -NFS4ERR_STALE_CLIENTID) +@@ -1309,8 +1312,6 @@ static void nfs4_state_manager(struct nfs_client *clp) + out_error: + printk(KERN_WARNING "Error: state manager failed on NFSv4 server %s" + " with error %d\n", clp->cl_hostname, -status); +- if (test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)) +- nfs4_state_end_reclaim_reboot(clp); + nfs4_clear_state_manager_bit(clp); + } + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 1e4543c..ee6b3af 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1791,6 +1791,12 @@ static void udf_open_lvid(struct super_block *sb) + le16_to_cpu(lvid->descTag.descCRCLength))); + + lvid->descTag.tagChecksum = udf_tag_checksum(&lvid->descTag); ++ /* ++ * We set buffer uptodate unconditionally here to avoid spurious ++ * warnings from mark_buffer_dirty() when previous EIO has marked ++ * the buffer as !uptodate ++ */ ++ set_buffer_uptodate(bh); + mark_buffer_dirty(bh); + sbi->s_lvid_dirty = 0; + } +diff --git a/include/net/sock.h b/include/net/sock.h +index 9f96394..78adf52 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1354,20 +1354,7 @@ extern void sk_stop_timer(struct sock *sk, struct timer_list* timer); + + extern int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); + +-static inline int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) +-{ +- /* Cast skb->rcvbuf to unsigned... 
It's pointless, but reduces +- number of warnings when compiling with -W --ANK +- */ +- if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= +- (unsigned)sk->sk_rcvbuf) +- return -ENOMEM; +- skb_set_owner_r(skb, sk); +- skb_queue_tail(&sk->sk_error_queue, skb); +- if (!sock_flag(sk, SOCK_DEAD)) +- sk->sk_data_ready(sk, skb->len); +- return 0; +-} ++extern int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb); + + /* + * Recover an error report and clear atomically +diff --git a/mm/filemap_xip.c b/mm/filemap_xip.c +index 1888b2d..e395030 100644 +--- a/mm/filemap_xip.c ++++ b/mm/filemap_xip.c +@@ -262,7 +262,12 @@ found: + xip_pfn); + if (err == -ENOMEM) + return VM_FAULT_OOM; +- BUG_ON(err); ++ /* ++ * err == -EBUSY is fine, we've raced against another thread ++ * that faulted-in the same page ++ */ ++ if (err != -EBUSY) ++ BUG_ON(err); + return VM_FAULT_NOPAGE; + } else { + int err, ret = VM_FAULT_OOM; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index a807f8c..025f924 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2977,6 +2977,34 @@ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer) + } + EXPORT_SYMBOL_GPL(skb_cow_data); + ++static void sock_rmem_free(struct sk_buff *skb) ++{ ++ struct sock *sk = skb->sk; ++ ++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc); ++} ++ ++/* ++ * Note: We dont mem charge error packets (no sk_forward_alloc changes) ++ */ ++int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) ++{ ++ if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >= ++ (unsigned)sk->sk_rcvbuf) ++ return -ENOMEM; ++ ++ skb_orphan(skb); ++ skb->sk = sk; ++ skb->destructor = sock_rmem_free; ++ atomic_add(skb->truesize, &sk->sk_rmem_alloc); ++ ++ skb_queue_tail(&sk->sk_error_queue, skb); ++ if (!sock_flag(sk, SOCK_DEAD)) ++ sk->sk_data_ready(sk, skb->len); ++ return 0; ++} ++EXPORT_SYMBOL(sock_queue_err_skb); ++ + void skb_tstamp_tx(struct sk_buff *orig_skb, + struct skb_shared_hwtstamps *hwtstamps) + { 
+@@ -3008,7 +3036,9 @@ void skb_tstamp_tx(struct sk_buff *orig_skb, + memset(serr, 0, sizeof(*serr)); + serr->ee.ee_errno = ENOMSG; + serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING; ++ + err = sock_queue_err_skb(sk, skb); ++ + if (err) + kfree_skb(skb); + } +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 0ac8833..8e28770 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -440,9 +440,9 @@ void __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable) + if (!inet->recverr) { + if (!harderr || sk->sk_state != TCP_ESTABLISHED) + goto out; +- } else { ++ } else + ip_icmp_error(sk, skb, err, uh->dest, info, (u8 *)(uh+1)); +- } ++ + sk->sk_err = err; + sk->sk_error_report(sk); + out: +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 683c99d..d37f07c 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -563,8 +563,6 @@ static int xs_udp_send_request(struct rpc_task *task) + /* Still some bytes left; set up for a retry later. */ + status = -EAGAIN; + } +- if (!transport->sock) +- goto out; + + switch (status) { + case -ENOTSOCK: +@@ -584,7 +582,7 @@ static int xs_udp_send_request(struct rpc_task *task) + * prompts ECONNREFUSED. */ + clear_bit(SOCK_ASYNC_NOSPACE, &transport->sock->flags); + } +-out: ++ + return status; + } + +@@ -666,8 +664,6 @@ static int xs_tcp_send_request(struct rpc_task *task) + status = -EAGAIN; + break; + } +- if (!transport->sock) +- goto out; + + switch (status) { + case -ENOTSOCK: +@@ -687,7 +683,7 @@ static int xs_tcp_send_request(struct rpc_task *task) + case -ENOTCONN: + clear_bit(SOCK_ASYNC_NOSPACE, &transport->sock->flags); + } +-out: ++ + return status; + } + diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202071726.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.57-201202131842.patch index f29243f..89f6faf 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202071726.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.57-201202131842.patch 
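Review bot: In the asus_oled append_values() change inside this new patch file, the `val == 0` shortcut does `odev->buf_offs += count; return 0;` without bounding the resulting offset, while the per-pixel loop that follows derives x/y from buf_offs and, in the part of the loop between the two inner hunks (outside this view), presumably range-checks before it writes. `count` is a run length that appears to come from parsed picture data supplied by the caller, so an oversized run of zeros could leave buf_offs past the end of the buffer for the next non-zero call; whether that is caught depends on the loop's own check, which this hunk does not show. A guard in the shortcut that rejects a `count` larger than the remaining buffer capacity before advancing buf_offs would make the skip path self-contained regardless of what the loop does. The remainder of append_values lies outside the hunk.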
@@ -185,7 +185,7 @@ index c840e7d..f4c451c 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 81ad738..cbdaeb0 100644 +index 3377650..76aacb3 100644 --- a/Makefile +++ b/Makefile @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -3840,7 +3840,7 @@ index 43c0aca..42c045b 100644 comment "Code generation options" diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h -index e885442..5e6c303 100644 +index e885442..e3a2817 100644 --- a/arch/s390/include/asm/elf.h +++ b/arch/s390/include/asm/elf.h @@ -164,6 +164,13 @@ extern unsigned int vdso_enabled; @@ -3850,8 +3850,8 @@ index e885442..5e6c303 100644 +#ifdef CONFIG_PAX_ASLR +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL) + -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 ) -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 ) ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26) ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26) +#endif + /* This yields a mask that user programs can use to figure out what @@ -15635,7 +15635,7 @@ index c097e7d..c689cf4 100644 /* * End of kprobes section diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 34a56a9..4aa5c8b 100644 +index 34a56a9..87790b4 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -53,6 +53,8 @@ @@ -16162,7 +16162,15 @@ index 34a56a9..4aa5c8b 100644 je retint_restore_args movl $_TIF_ALLWORK_MASK,%edi /* edi: mask to check */ -@@ -674,7 +972,7 @@ int_restore_rest: +@@ -624,6 +922,7 @@ GLOBAL(int_with_check) + andl %edi,%edx + jnz int_careful + andl $~TS_COMPAT,TI_status(%rcx) ++ pax_erase_kstack + jmp retint_swapgs + + /* Either reschedule or signal or syscall exit tracking needed. */ +@@ -674,7 +973,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC 
@@ -16171,7 +16179,7 @@ index 34a56a9..4aa5c8b 100644 /* * Certain special system calls that need to save a complete full stack frame. -@@ -690,7 +988,7 @@ ENTRY(\label) +@@ -690,7 +989,7 @@ ENTRY(\label) call \func jmp ptregscall_common CFI_ENDPROC @@ -16180,7 +16188,7 @@ index 34a56a9..4aa5c8b 100644 .endm PTREGSCALL stub_clone, sys_clone, %r8 -@@ -708,9 +1006,10 @@ ENTRY(ptregscall_common) +@@ -708,9 +1007,10 @@ ENTRY(ptregscall_common) movq_cfi_restore R12+8, r12 movq_cfi_restore RBP+8, rbp movq_cfi_restore RBX+8, rbx @@ -16192,7 +16200,7 @@ index 34a56a9..4aa5c8b 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -726,7 +1025,7 @@ ENTRY(stub_execve) +@@ -726,7 +1026,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -16201,7 +16209,7 @@ index 34a56a9..4aa5c8b 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -744,7 +1043,7 @@ ENTRY(stub_rt_sigreturn) +@@ -744,7 +1044,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -16210,7 +16218,7 @@ index 34a56a9..4aa5c8b 100644 /* * Build the entry stubs and pointer table with some assembler magic. -@@ -780,7 +1079,7 @@ vector=vector+1 +@@ -780,7 +1080,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -16219,7 +16227,7 @@ index 34a56a9..4aa5c8b 100644 .previous END(interrupt) -@@ -800,6 +1099,16 @@ END(interrupt) +@@ -800,6 +1100,16 @@ END(interrupt) CFI_ADJUST_CFA_OFFSET 10*8 call save_args PARTIAL_FRAME 0 @@ -16236,7 +16244,7 @@ index 34a56a9..4aa5c8b 100644 call \func .endm -@@ -822,7 +1131,7 @@ ret_from_intr: +@@ -822,7 +1132,7 @@ ret_from_intr: CFI_ADJUST_CFA_OFFSET -8 exit_intr: GET_THREAD_INFO(%rcx) 
@@ -16245,12 +16253,11 @@ index 34a56a9..4aa5c8b 100644 je retint_kernel /* Interrupt came from user space */ -@@ -844,12 +1153,16 @@ retint_swapgs: /* return to user-space */ +@@ -844,12 +1154,15 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) + pax_exit_kernel_user -+ pax_erase_kstack TRACE_IRQS_IRETQ SWAPGS jmp restore_args @@ -23821,7 +23828,7 @@ index 61b41ca..5fef66a 100644 extern u32 pnp_bios_is_utter_crap; pnp_bios_is_utter_crap = 1; diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 8ac0d76..87899a4 100644 +index 8ac0d76..ca501e2 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -11,10 +11,19 @@ @@ -23926,7 +23933,7 @@ index 8ac0d76..87899a4 100644 spin_lock_irqsave(&pgd_lock, flags); + +#ifdef CONFIG_PAX_PER_CPU_PGD -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { + pgd_t *pgd = get_cpu_pgd(cpu); +#else list_for_each_entry(page, &pgd_list, lru) { @@ -23967,7 +23974,7 @@ index 8ac0d76..87899a4 100644 spin_lock_irqsave(&pgd_lock, flags); + +#ifdef CONFIG_PAX_PER_CPU_PGD -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { + pgd_t *pgd = pgd_offset_cpu(cpu, address); +#else list_for_each_entry(page, &pgd_list, lru) { @@ -24831,7 +24838,7 @@ index f46c340..6ff9a26 100644 } if (mm->get_unmapped_area == arch_get_unmapped_area) diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c -index 73ffd55..ad78676 100644 +index 73ffd55..f61c2a7 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -69,11 +69,7 @@ static void __init find_early_table_space(unsigned long end, int use_pse, 
@@ -24900,7 +24907,7 @@ index 73ffd55..ad78676 100644 + limit = (limit - 1UL) >> PAGE_SHIFT; + + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE); -+ for (cpu = 0; cpu < NR_CPUS; cpu++) { ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC); + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S); + } @@ -25576,7 +25583,7 @@ index e1d1069..2251ff3 100644 struct split_state { diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c -index dd38bfb..8c12306 100644 +index dd38bfb..b72c63e 100644 --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -261,16 +261,17 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address, @@ -25632,7 +25639,7 @@ index dd38bfb..8c12306 100644 +#endif +#ifdef CONFIG_PAX_PER_CPU_PGD -+ for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) { + pgd_t *pgd = get_cpu_pgd(cpu); +#else list_for_each_entry(page, &pgd_list, lru) { @@ -25756,7 +25763,7 @@ index df3d5c8..c2223e1 100644 p += get_opcode(p, &opcode); for (i = 0; i < ARRAY_SIZE(imm_wop); i++) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c -index e0e6fad..6b90017 100644 +index e0e6fad..c56b495 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *pgd) @@ -25795,7 +25802,7 @@ index e0e6fad..6b90017 100644 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn) +#define pxd_free(mm, pud) pud_free((mm), (pud)) +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud)) -+#define pyd_offset(mm ,address) pgd_offset((mm), (address)) ++#define pyd_offset(mm, address) pgd_offset((mm), (address)) +#define PYD_SIZE PGDIR_SIZE +#else +#define pxd_t pmd_t 
@@ -25803,7 +25810,7 @@ index e0e6fad..6b90017 100644 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn) +#define pxd_free(mm, pud) pmd_free((mm), (pud)) +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud)) -+#define pyd_offset(mm ,address) pud_offset((mm), (address)) ++#define pyd_offset(mm, address) pud_offset((mm), (address)) +#define PYD_SIZE PUD_SIZE +#endif + @@ -26233,7 +26240,7 @@ index b889d82..5a58a0a 100644 .write = pci_olpc_write, }; diff --git a/arch/x86/pci/pcbios.c b/arch/x86/pci/pcbios.c -index 1c975cc..ffd0536 100644 +index 1c975cc..b8e16c2 100644 --- a/arch/x86/pci/pcbios.c +++ b/arch/x86/pci/pcbios.c @@ -56,50 +56,93 @@ union bios32 { @@ -26314,7 +26321,7 @@ index 1c975cc..ffd0536 100644 + flags |= 8; + } + -+ for (cpu = 0; cpu < NR_CPUS; cpu++) { ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { + gdt = get_cpu_gdt_table(cpu); + pack_descriptor(&d, address, length, 0x9b, flags); + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S); @@ -35733,6 +35740,19 @@ index adb1e8c..21b590b 100644 #define name iocpar.name #define bname iocpar.bname #define iocts iocpar.iocts +diff --git a/drivers/isdn/i4l/isdn_net.c b/drivers/isdn/i4l/isdn_net.c +index 90b56ed..5ed3305 100644 +--- a/drivers/isdn/i4l/isdn_net.c ++++ b/drivers/isdn/i4l/isdn_net.c +@@ -1902,7 +1902,7 @@ static int isdn_net_header(struct sk_buff *skb, struct net_device *dev, + { + isdn_net_local *lp = netdev_priv(dev); + unsigned char *p; +- ushort len = 0; ++ int len = 0; + + switch (lp->p_encap) { + case ISDN_NET_ENCAP_ETHER: diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c index bf7997a..cf091db 100644 --- a/drivers/isdn/icn/icn.c @@ -41575,10 +41595,10 @@ index b76f246..7f41af7 100644 static u8 *buf; diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c -index 99010d4..6bad87b 100644 +index b9b37ff..19dfa23 100644 --- a/drivers/staging/android/binder.c 
+++ b/drivers/staging/android/binder.c -@@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_area_struct *vma) +@@ -2761,7 +2761,7 @@ static void binder_vma_close(struct vm_area_struct *vma) binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); } @@ -42663,7 +42683,7 @@ index 0370399..6627c94 100644 .store = wlp_wss_attr_store, }; diff --git a/drivers/video/atmel_lcdfb.c b/drivers/video/atmel_lcdfb.c -index d5e8010..5687b56 100644 +index 8c5e432..5ee90ea 100644 --- a/drivers/video/atmel_lcdfb.c +++ b/drivers/video/atmel_lcdfb.c @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struct backlight_device *bl) @@ -46284,7 +46304,7 @@ index 0133b5a..b3baa9f 100644 fd_offset + ex.a_text); up_write(¤t->mm->mmap_sem); diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index 1ed37ba..b9c035f 100644 +index 1ed37ba..de82ab7 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -31,6 +31,7 @@ @@ -46417,7 +46437,7 @@ index 1ed37ba..b9c035f 100644 error = -ENOMEM; goto out_close; } -@@ -532,6 +558,348 @@ out: +@@ -532,6 +558,351 @@ out: return error; } @@ -46606,6 +46626,7 @@ index 1ed37ba..b9c035f 100644 + return ~0UL; +} + ++#ifdef CONFIG_PAX_XATTR_PAX_FLAGS +static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode) +{ + unsigned long pax_flags = 0UL; @@ -46687,6 +46708,7 @@ index 1ed37ba..b9c035f 100644 + + return pax_flags; +} ++#endif + +static unsigned long pax_parse_xattr_pax(struct file * const file) +{ @@ -46735,6 +46757,7 @@ index 1ed37ba..b9c035f 100644 +#else + return ~0UL; +#endif ++ +} + +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS) 
@@ -46766,7 +46789,7 @@ index 1ed37ba..b9c035f 100644 /* * These are the functions used to load ELF style executables and shared * libraries. There is no binary dependent code anywhere else. -@@ -548,6 +916,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) +@@ -548,6 +919,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top) { unsigned int random_variable = 0; @@ -46778,7 +46801,7 @@ index 1ed37ba..b9c035f 100644 if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) { random_variable = get_random_int() & STACK_RND_MASK; -@@ -566,7 +939,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -566,7 +942,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long load_addr = 0, load_bias = 0; int load_addr_set = 0; char * elf_interpreter = NULL; @@ -46787,7 +46810,7 @@ index 1ed37ba..b9c035f 100644 struct elf_phdr *elf_ppnt, *elf_phdata; unsigned long elf_bss, elf_brk; int retval, i; -@@ -576,11 +949,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -576,11 +952,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) unsigned long start_code, end_code, start_data, end_data; unsigned long reloc_func_desc = 0; int executable_stack = EXSTACK_DEFAULT; @@ -46800,7 +46823,7 @@ index 1ed37ba..b9c035f 100644 loc = kmalloc(sizeof(*loc), GFP_KERNEL); if (!loc) { -@@ -718,11 +1091,80 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -718,11 +1094,80 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) /* OK, This is the point of no return */ current->flags &= ~PF_FORKNOEXEC; 
@@ -46882,7 +46905,7 @@ index 1ed37ba..b9c035f 100644 if (elf_read_implies_exec(loc->elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; -@@ -800,10 +1242,27 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -800,10 +1245,27 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) * might try to exec. This is because the brk will * follow the loader, and is not movable. */ #ifdef CONFIG_X86 @@ -46911,7 +46934,7 @@ index 1ed37ba..b9c035f 100644 } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, -@@ -836,9 +1295,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -836,9 +1298,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) * allowed task size. Note that p_filesz must always be * <= p_memsz so it is only necessary to check p_memsz. */ @@ -46924,7 +46947,7 @@ index 1ed37ba..b9c035f 100644 /* set_brk can never work. Avoid overflows. */ send_sig(SIGKILL, current, 0); retval = -EINVAL; -@@ -866,6 +1325,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -866,6 +1328,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) start_data += load_bias; end_data += load_bias; @@ -46936,7 +46959,7 @@ index 1ed37ba..b9c035f 100644 /* Calling set_brk effectively mmaps the pages that we need * for the bss and break sections. We must do this before * mapping in the interpreter, to make sure it doesn't wind -@@ -877,9 +1341,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) +@@ -877,9 +1344,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) goto out_free_dentry; } if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { 
@@ -46951,7 +46974,7 @@ index 1ed37ba..b9c035f 100644 } if (elf_interpreter) { -@@ -1112,8 +1578,10 @@ static int dump_seek(struct file *file, loff_t off) +@@ -1112,8 +1581,10 @@ static int dump_seek(struct file *file, loff_t off) unsigned long n = off; if (n > PAGE_SIZE) n = PAGE_SIZE; @@ -46963,7 +46986,7 @@ index 1ed37ba..b9c035f 100644 off -= n; } free_page((unsigned long)buf); -@@ -1125,7 +1593,7 @@ static int dump_seek(struct file *file, loff_t off) +@@ -1125,7 +1596,7 @@ static int dump_seek(struct file *file, loff_t off) * Decide what to dump of a segment, part, all or none. */ static unsigned long vma_dump_size(struct vm_area_struct *vma, @@ -46972,7 +46995,7 @@ index 1ed37ba..b9c035f 100644 { #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type)) -@@ -1159,7 +1627,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, +@@ -1159,7 +1630,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma, if (vma->vm_file == NULL) return 0; @@ -46981,7 +47004,7 @@ index 1ed37ba..b9c035f 100644 goto whole; /* -@@ -1255,8 +1723,11 @@ static int writenote(struct memelfnote *men, struct file *file, +@@ -1255,8 +1726,11 @@ static int writenote(struct memelfnote *men, struct file *file, #undef DUMP_WRITE #define DUMP_WRITE(addr, nr) \ @@ -46994,7 +47017,7 @@ index 1ed37ba..b9c035f 100644 static void fill_elf_header(struct elfhdr *elf, int segs, u16 machine, u32 flags, u8 osabi) -@@ -1385,9 +1856,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) +@@ -1385,9 +1859,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm) { elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv; int i = 0; 
@@ -47006,7 +47029,7 @@ index 1ed37ba..b9c035f 100644 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv); } -@@ -1973,7 +2444,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -1973,7 +2447,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un phdr.p_offset = offset; phdr.p_vaddr = vma->vm_start; phdr.p_paddr = 0; @@ -47015,7 +47038,7 @@ index 1ed37ba..b9c035f 100644 phdr.p_memsz = vma->vm_end - vma->vm_start; offset += phdr.p_filesz; phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0; -@@ -2006,7 +2477,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -2006,7 +2480,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un unsigned long addr; unsigned long end; @@ -47024,7 +47047,7 @@ index 1ed37ba..b9c035f 100644 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) { struct page *page; -@@ -2015,6 +2486,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un +@@ -2015,6 +2489,7 @@ static int elf_core_dump(long signr, struct pt_regs *regs, struct file *file, un page = get_dump_page(addr); if (page) { void *kaddr = kmap(page); @@ -47032,7 +47055,7 @@ index 1ed37ba..b9c035f 100644 stop = ((size += PAGE_SIZE) > limit) || !dump_write(file, kaddr, PAGE_SIZE); kunmap(page); -@@ -2042,6 +2514,97 @@ out: +@@ -2042,6 +2517,97 @@ out: #endif /* USE_ELF_CORE_DUMP */ 
@@ -48385,35 +48408,8 @@ index 88ba4d4..073f003 100644 set_fs(old_fs); if (rc < 0) goto out_free; -diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c -index 6b78546..7ba3260 100644 ---- a/fs/ecryptfs/read_write.c -+++ b/fs/ecryptfs/read_write.c -@@ -134,7 +134,12 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset, - pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); - size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); - size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); -- size_t total_remaining_bytes = ((offset + size) - pos); -+ loff_t total_remaining_bytes = ((offset + size) - pos); -+ -+ if (fatal_signal_pending(current)) { -+ rc = -EINTR; -+ break; -+ } - - if (fatal_signal_pending(current)) { - rc = -EINTR; -@@ -145,7 +150,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset, - num_bytes = total_remaining_bytes; - if (pos < offset) { - /* remaining zeros to write, up to destination offset */ -- size_t total_remaining_zeros = (offset - pos); -+ loff_t total_remaining_zeros = (offset - pos); - - if (num_bytes > total_remaining_zeros) - num_bytes = total_remaining_zeros; diff --git a/fs/exec.c b/fs/exec.c -index 86fafc6..5033350 100644 +index 86fafc6..47ffa63 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -56,12 +56,28 @@ 
@@ -48589,7 +48585,68 @@ index 86fafc6..5033350 100644 set_fs(old_fs); return result; } -@@ -1152,7 +1185,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) +@@ -985,6 +1018,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) + perf_event_comm(tsk); + } + ++static void filename_to_taskname(char *tcomm, const char *fn, unsigned int len) ++{ ++ int i, ch; ++ ++ /* Copies the binary name from after last slash */ ++ for (i = 0; (ch = *(fn++)) != '\0';) { ++ if (ch == '/') ++ i = 0; /* overwrite what we wrote */ ++ else ++ if (i < len - 1) ++ tcomm[i++] = ch; ++ } ++ tcomm[i] = '\0'; ++} ++ + int flush_old_exec(struct linux_binprm * bprm) + { + int retval; +@@ -999,6 +1047,7 @@ int flush_old_exec(struct linux_binprm * bprm) + + set_mm_exe_file(bprm->mm, bprm->file); + ++ filename_to_taskname(bprm->tcomm, bprm->filename, sizeof(bprm->tcomm)); + /* + * Release all of the old mmap stuff + */ +@@ -1023,10 +1072,6 @@ EXPORT_SYMBOL(flush_old_exec); + + void setup_new_exec(struct linux_binprm * bprm) + { +- int i, ch; +- char * name; +- char tcomm[sizeof(current->comm)]; +- + arch_pick_mmap_layout(current->mm); + + /* This is the point of no return */ +@@ -1037,18 +1082,7 @@ void setup_new_exec(struct linux_binprm * bprm) + else + set_dumpable(current->mm, suid_dumpable); + +- name = bprm->filename; +- +- /* Copies the binary name from after last slash */ +- for (i=0; (ch = *(name++)) != '\0';) { +- if (ch == '/') +- i = 0; /* overwrite what we wrote */ +- else +- if (i < (sizeof(tcomm) - 1)) +- tcomm[i++] = ch; +- } +- tcomm[i] = '\0'; +- set_task_comm(current, tcomm); ++ set_task_comm(current, bprm->tcomm); + + /* Set the new mm task size. We have to do that late because it may + * depend on TIF_32BIT which is only updated in flush_thread() on +@@ -1152,7 +1186,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); 
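Review bot: In the new `filename_to_taskname()`, `i` is `int` while `len` is `unsigned int`, so `i < len - 1` is a mixed-signedness comparison and `len - 1` wraps to UINT_MAX if a caller ever passes 0; the only visible caller passes `sizeof(bprm->tcomm)`, which is a `size_t`. Declaring the parameter and index with the caller's type, `static void filename_to_taskname(char *tcomm, const char *fn, size_t len)` with `size_t i; int ch;`, removes the sign-compare and matches what the original `sizeof(tcomm) - 1` bound expressed. The terminating `tcomm[i] = '\0'` stays in bounds since `i` never exceeds `len - 1`.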
@@ -48598,7 +48655,18 @@ index 86fafc6..5033350 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1347,11 +1380,35 @@ int do_execve(char * filename, +@@ -1339,6 +1373,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + + EXPORT_SYMBOL(search_binary_handler); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++atomic64_unchecked_t global_exec_counter = ATOMIC64_INIT(0); ++#endif ++ + /* + * sys_execve() executes a new program. + */ +@@ -1347,11 +1385,35 @@ int do_execve(char * filename, char __user *__user *envp, struct pt_regs * regs) { @@ -48634,7 +48702,7 @@ index 86fafc6..5033350 100644 retval = unshare_files(&displaced); if (retval) -@@ -1377,12 +1434,27 @@ int do_execve(char * filename, +@@ -1377,12 +1439,27 @@ int do_execve(char * filename, if (IS_ERR(file)) goto out_unmark; @@ -48662,7 +48730,7 @@ index 86fafc6..5033350 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1412,10 +1484,41 @@ int do_execve(char * filename, +@@ -1412,12 +1489,47 @@ int do_execve(char * filename, if (retval < 0) goto out; @@ -48704,8 +48772,14 @@ index 86fafc6..5033350 100644 +#endif /* execve succeeded */ ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ current->exec_id = atomic64_inc_return_unchecked(&global_exec_counter); ++#endif ++ current->fs->in_exec = 0; -@@ -1426,6 +1529,14 @@ int do_execve(char * filename, + current->in_execve = 0; + acct_update_integrals(current); +@@ -1426,6 +1538,14 @@ int do_execve(char * filename, put_files_struct(displaced); return retval; @@ -48720,7 +48794,7 @@ index 86fafc6..5033350 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1591,6 +1702,220 @@ out: +@@ -1591,6 +1711,220 @@ out: return ispipe; } 
@@ -48941,7 +49015,7 @@ index 86fafc6..5033350 100644 static int zap_process(struct task_struct *start) { struct task_struct *t; -@@ -1793,17 +2118,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -1793,17 +2127,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -48964,7 +49038,7 @@ index 86fafc6..5033350 100644 pipe_unlock(pipe); } -@@ -1826,10 +2151,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1826,10 +2160,13 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) char **helper_argv = NULL; int helper_argc = 0; int dump_count = 0; @@ -48979,7 +49053,7 @@ index 86fafc6..5033350 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -1874,6 +2202,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1874,6 +2211,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) */ clear_thread_flag(TIF_SIGPENDING); @@ -48988,7 +49062,7 @@ index 86fafc6..5033350 100644 /* * lock_kernel() because format_corename() is controlled by sysctl, which * uses lock_kernel() -@@ -1908,7 +2238,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -1908,7 +2247,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) goto fail_unlock; } @@ -48997,7 +49071,7 @@ index 86fafc6..5033350 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -1972,7 +2302,7 @@ close_fail: +@@ -1972,7 +2311,7 @@ close_fail: filp_close(file, NULL); fail_dropcount: if (dump_count) @@ -52634,7 +52708,7 @@ index 50f8f06..c5755df 100644 help Various /proc files exist to monitor process memory utilization: diff --git a/fs/proc/array.c b/fs/proc/array.c -index c5ef152..1363194 100644 +index c5ef152..24a1b87 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -60,6 +60,7 @@ 
@@ -52692,7 +52766,7 @@ index c5ef152..1363194 100644 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task, int whole) { -@@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -358,9 +389,18 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, cputime_t cutime, cstime, utime, stime; cputime_t cgtime, gtime; unsigned long rsslim = 0; @@ -52702,10 +52776,17 @@ index c5ef152..1363194 100644 + pax_track_stack(); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("stat"); ++ return 0; ++ } ++#endif ++ state = *get_task_state(task); vsize = eip = esp = 0; permitted = ptrace_may_access(task, PTRACE_MODE_READ); -@@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -433,6 +473,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, gtime = task_gtime(task); } @@ -52725,7 +52806,7 @@ index c5ef152..1363194 100644 /* scale priority and nice values from timeslices to -20..20 */ /* to make it look like a "normal" Unix priority/nice value */ priority = task_prio(task); -@@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -473,9 +526,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, vsize, mm ? get_mm_rss(mm) : 0, rsslim, 
@@ -52741,7 +52822,21 @@ index c5ef152..1363194 100644 esp, eip, /* The signal information here is obsolete. -@@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, +@@ -519,6 +578,13 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, + int size = 0, resident = 0, shared = 0, text = 0, lib = 0, data = 0; + struct mm_struct *mm = get_task_mm(task); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("statm"); ++ return 0; ++ } ++#endif ++ + if (mm) { + size = task_statm(mm, &shared, &text, &data, &resident); + mmput(mm); +@@ -528,3 +594,18 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, return 0; } @@ -53603,10 +53698,18 @@ index b080b79..d957e63 100644 } diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 3b7b82a..7dbb571 100644 +index 3b7b82a..4b420b0 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c -@@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) +@@ -8,6 +8,7 @@ + #include <linux/mempolicy.h> + #include <linux/swap.h> + #include <linux/swapops.h> ++#include <linux/grsecurity.h> + + #include <asm/elf.h> + #include <asm/uaccess.h> +@@ -46,15 +47,26 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) "VmStk:\t%8lu kB\n" "VmExe:\t%8lu kB\n" "VmLib:\t%8lu kB\n" @@ -53636,7 +53739,7 @@ index 3b7b82a..7dbb571 100644 } unsigned long task_vsize(struct mm_struct *mm) -@@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, void *v) +@@ -175,7 +187,8 @@ static void m_stop(struct seq_file *m, void *v) struct proc_maps_private *priv = m->private; struct vm_area_struct *vma = v; @@ -53646,7 +53749,7 @@ index 3b7b82a..7dbb571 100644 if (priv->task) put_task_struct(priv->task); } -@@ -199,6 +211,12 @@ static int do_maps_open(struct inode *inode, struct file *file, +@@ -199,6 +212,12 @@ static int do_maps_open(struct inode *inode, struct file *file, return ret; } 
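Review bot: In the `proc_pid_statm()` hunk the new `exec_id` check is placed after `struct mm_struct *mm = get_task_mm(task);` and returns 0 without calling `mmput(mm)`, so every refused read leaks a reference on the target task's mm and that mm can never be freed. Either move the `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` block above the `get_task_mm()` call, or release the reference on the refusal path: `if (mm) mmput(mm); return 0;`. The matching check added to `do_task_stat()` in the previous hunk runs before any reference is taken, so only statm is affected. The remainder of `proc_pid_statm()` lies outside the hunk.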
@@ -53659,7 +53762,7 @@ index 3b7b82a..7dbb571 100644 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) { struct mm_struct *mm = vma->vm_mm; -@@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -206,7 +225,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) int flags = vma->vm_flags; unsigned long ino = 0; unsigned long long pgoff = 0; @@ -53667,7 +53770,7 @@ index 3b7b82a..7dbb571 100644 dev_t dev = 0; int len; -@@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -217,20 +235,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; } @@ -53698,7 +53801,7 @@ index 3b7b82a..7dbb571 100644 MAJOR(dev), MINOR(dev), ino, &len); /* -@@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -239,7 +260,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) */ if (file) { pad_len_spaces(m, len); @@ -53707,7 +53810,7 @@ index 3b7b82a..7dbb571 100644 } else { const char *name = arch_vma_name(vma); if (!name) { -@@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -247,8 +268,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) { name = "[heap]"; 
@@ -53719,9 +53822,30 @@ index 3b7b82a..7dbb571 100644 name = "[stack]"; } } else { -@@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m, void *v) +@@ -269,6 +291,13 @@ static int show_map(struct seq_file *m, void *v) + struct proc_maps_private *priv = m->private; + struct task_struct *task = priv->task; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("maps"); ++ return 0; ++ } ++#endif ++ + show_map_vma(m, vma); + + if (m->count < m->size) /* vma is copied successfully */ +@@ -390,10 +419,23 @@ static int show_smap(struct seq_file *m, void *v) + .private = &mss, }; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("smaps"); ++ return 0; ++ } ++#endif memset(&mss, 0, sizeof mss); - mss.vma = vma; - if (vma->vm_mm && !is_vm_hugetlb_page(vma)) @@ -53739,7 +53863,7 @@ index 3b7b82a..7dbb571 100644 show_map_vma(m, vma); -@@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m, void *v) +@@ -409,7 +451,11 @@ static int show_smap(struct seq_file *m, void *v) "Swap: %8lu kB\n" "KernelPageSize: %8lu kB\n" "MMUPageSize: %8lu kB\n", @@ -54110,10 +54234,20 @@ index fd38ce2..f5381b8 100644 return -EINVAL; diff --git a/fs/seq_file.c b/fs/seq_file.c -index eae7d9d..679f099 100644 +index eae7d9d..12c71e3 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c -@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -40,6 +40,9 @@ int seq_open(struct file *file, const struct seq_operations *op) + memset(p, 0, sizeof(*p)); + mutex_init(&p->lock); + p->op = op; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ p->exec_id = current->exec_id; ++#endif + + /* + * Wrappers around seq_open(e.g. swaps_open) need to be +@@ -76,7 +79,8 @@ static int traverse(struct seq_file *m, loff_t offset) return 0; } if (!m->buf) { 
@@ -54123,7 +54257,7 @@ index eae7d9d..679f099 100644 if (!m->buf) return -ENOMEM; } -@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -116,7 +120,8 @@ static int traverse(struct seq_file *m, loff_t offset) Eoverflow: m->op->stop(m, p); kfree(m->buf); @@ -54133,7 +54267,7 @@ index eae7d9d..679f099 100644 return !m->buf ? -ENOMEM : -EAGAIN; } -@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -169,7 +174,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) m->version = file->f_version; /* grab buffer if we didn't have one */ if (!m->buf) { @@ -54143,7 +54277,7 @@ index eae7d9d..679f099 100644 if (!m->buf) goto Enomem; } -@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -210,7 +216,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) goto Fill; m->op->stop(m, p); kfree(m->buf); @@ -54153,7 +54287,7 @@ index eae7d9d..679f099 100644 if (!m->buf) goto Enomem; m->count = 0; -@@ -551,7 +555,7 @@ static void single_stop(struct seq_file *p, void *v) +@@ -551,7 +558,7 @@ static void single_stop(struct seq_file *p, void *v) int single_open(struct file *file, int (*show)(struct seq_file *, void *), void *data) { @@ -54778,10 +54912,10 @@ index 8f32f50..b6a41e8 100644 link[pathlen] = '\0'; diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..8cac8cb +index 0000000..9ac9020 --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1068 @@ +@@ -0,0 +1,1072 @@ +# +# grecurity configuration +# 
@@ -55052,6 +55186,10 @@ index 0000000..8cac8cb + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will + give no information about the addresses of its mappings if + PaX features that rely on random addresses are enabled on the task. ++ In addition to sanitizing this information and disabling other ++ dangerous sources of information, this option causes reads of sensitive ++ /proc/<pid> entries where the file descriptor was opened in a different ++ task than the one performing the read. Such attempts are logged. + If you use PaX it is greatly recommended that you say Y here as it + closes up a hole that makes the full ASLR useless for suid + binaries. @@ -55852,10 +55990,10 @@ index 0000000..8cac8cb +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..be9ae3a +index 0000000..1b9afa9 --- /dev/null +++ b/grsecurity/Makefile -@@ -0,0 +1,36 @@ +@@ -0,0 +1,38 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system @@ -55864,6 +56002,8 @@ index 0000000..be9ae3a +# are copyright Brad Spengler - Open Source Security, Inc., and released +# under the GPL v2 or higher + ++KBUILD_CFLAGS += -Werror ++ +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ + grsec_mount.o grsec_sig.o grsec_sysctl.o \ + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o @@ -55894,10 +56034,10 @@ index 0000000..be9ae3a +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..71cb167 +index 0000000..78e83d8 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4140 @@ +@@ -0,0 +1,4148 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
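Review bot: The added help-text sentence `this option causes reads of sensitive /proc/<pid> entries where the file descriptor was opened in a different task than the one performing the read.` has no main verb, so it never says what happens to such reads (the show callbacks in this series return 0 after logging, i.e. produce no output). It also says "different task", while the checks compare `exec_id` values that are assigned only on a successful execve, so a descriptor inherited by a forked child that has not exec'd would presumably still pass; the log message added elsewhere in this series describes the condition as a fd passed across exec. Suggested wording: `this option causes reads of sensitive /proc/<pid> entries to return no data when the file descriptor was opened before an exec in the reading process. Such attempts are logged.`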
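Review bot: `KBUILD_CFLAGS += -Werror` in grsecurity/Makefile turns any warning from a newer or differently configured compiler into a build failure for the whole directory, which is a maintenance hazard for a patchset applied across many distributions and toolchains. If the goal is to catch the unused-function cases that this series apparently guards with `#ifdef` in binfmt_elf.c, consider making the flag opt-in via a make variable, or narrowing it to the warnings of interest with `-Werror=unused-function` rather than promoting every warning.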
@@ -58351,6 +58491,8 @@ index 0000000..71cb167 + } +} + ++extern int gr_acl_is_capable(const int cap); ++ +void +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid) +{ @@ -58372,6 +58514,12 @@ index 0000000..71cb167 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL)) + role = lookup_acl_role_label(task, uid, gid); + ++ /* don't change the role if we're not a privileged process */ ++ if (role && task->role != role && ++ (((role->roletype & GR_ROLE_USER) && gr_acl_is_capable(CAP_SETUID)) || ++ ((role->roletype & GR_ROLE_GROUP) && gr_acl_is_capable(CAP_SETGID)))) ++ return; ++ + /* perform subject lookup in possibly new role + we can use this result below in the case where role == task->role + */ @@ -63500,10 +63648,10 @@ index 0000000..a45d2e9 +} diff --git a/grsecurity/grsec_mem.c b/grsecurity/grsec_mem.c new file mode 100644 -index 0000000..6c0416b +index 0000000..f536303 --- /dev/null +++ b/grsecurity/grsec_mem.c -@@ -0,0 +1,33 @@ +@@ -0,0 +1,40 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/mm.h> @@ -63537,6 +63685,13 @@ index 0000000..6c0416b + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG); + return; +} ++ ++void ++gr_log_badprocpid(const char *entry) ++{ ++ gr_log_str(GR_DONT_AUDIT, GR_BADPROCPID_MSG, entry); ++ return; ++} diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c new file mode 100644 index 0000000..2131422 @@ -65723,10 +65878,27 @@ index 0f5f578..8c4f884 100644 extern void backlight_force_update(struct backlight_device *bd, enum backlight_update_reason reason); diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h -index a3d802e..482f69c 100644 +index a3d802e..93a2ef4 100644 --- a/include/linux/binfmts.h 
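Review bot: The new early return in `gr_set_role_label()` is commented `don't change the role if we're not a privileged process`, but the condition returns when `gr_acl_is_capable(CAP_SETUID)` or `gr_acl_is_capable(CAP_SETGID)` is nonzero. If that function follows the convention its name suggests (nonzero when the capability is granted), the test is inverted relative to the comment: unprivileged tasks would have their role switched while privileged ones would keep the old role, which is the opposite of the stated policy. Either negate the calls, `((role->roletype & GR_ROLE_USER) && !gr_acl_is_capable(CAP_SETUID)) ||` and `((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))`, or reword the comment to state the intended behaviour. The remainder of the function and the definition of `gr_acl_is_capable` are outside the hunk.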
+++ b/include/linux/binfmts.h -@@ -83,6 +83,7 @@ struct linux_binfmt { +@@ -18,7 +18,7 @@ struct pt_regs; + #define BINPRM_BUF_SIZE 128 + + #ifdef __KERNEL__ +-#include <linux/list.h> ++#include <linux/sched.h> + + #define CORENAME_MAX_SIZE 128 + +@@ -58,6 +58,7 @@ struct linux_binprm{ + unsigned interp_flags; + unsigned interp_data; + unsigned long loader, exec; ++ char tcomm[TASK_COMM_LEN]; + }; + + extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages); +@@ -83,6 +84,7 @@ struct linux_binfmt { int (*load_binary)(struct linux_binprm *, struct pt_regs * regs); int (*load_shlib)(struct file *); int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit); @@ -67139,10 +67311,10 @@ index 0000000..3826b91 +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..7f62b30 +index 0000000..8b9ed56 --- /dev/null +++ b/include/linux/grmsg.h -@@ -0,0 +1,109 @@ +@@ -0,0 +1,110 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -67252,12 +67424,13 @@ index 0000000..7f62b30 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by " +#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by " +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " ++#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..c597c46 +index 0000000..bb1e366 --- /dev/null 
+++ b/include/linux/grsecurity.h -@@ -0,0 +1,217 @@ +@@ -0,0 +1,219 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -67464,6 +67637,8 @@ index 0000000..c597c46 +void gr_handle_vm86(void); +void gr_handle_mem_readwrite(u64 from, u64 to); + ++void gr_log_badprocpid(const char *entry); ++ +extern int grsec_enable_dmesg; +extern int grsec_disable_privio; +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK @@ -68612,7 +68787,7 @@ index 3392c59..a746428 100644 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE) /** diff --git a/include/linux/sched.h b/include/linux/sched.h -index 71849bf..0ad2f74 100644 +index 71849bf..03ceae8 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio; @@ -68739,13 +68914,16 @@ index 71849bf..0ad2f74 100644 struct io_context *io_context; unsigned long ptrace_message; -@@ -1519,6 +1544,24 @@ struct task_struct { +@@ -1519,6 +1544,27 @@ struct task_struct { unsigned long default_timer_slack_ns; struct list_head *scm_work_list; + +#ifdef CONFIG_GRKERNSEC + /* grsecurity */ ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ long long exec_id; ++#endif +#ifdef CONFIG_GRKERNSEC_SETXID + const struct cred *delayed_cred; +#endif @@ -68764,7 +68942,7 @@ index 71849bf..0ad2f74 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored adress in ret_stack */ int curr_ret_stack; -@@ -1542,6 +1585,57 @@ struct task_struct { +@@ -1542,6 +1588,57 @@ struct task_struct { #endif /* CONFIG_TRACING */ }; 
@@ -68822,7 +69000,7 @@ index 71849bf..0ad2f74 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed) -@@ -1740,7 +1834,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t * +@@ -1740,7 +1837,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t * #define PF_DUMPCORE 0x00000200 /* dumped core */ #define PF_SIGNALED 0x00000400 /* killed by a signal */ #define PF_MEMALLOC 0x00000800 /* Allocating memory */ @@ -68831,7 +69009,7 @@ index 71849bf..0ad2f74 100644 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */ #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */ #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */ -@@ -1978,7 +2072,9 @@ void yield(void); +@@ -1978,7 +2075,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { @@ -68841,7 +69019,7 @@ index 71849bf..0ad2f74 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2011,6 +2107,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2011,6 +2110,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -68849,7 +69027,7 @@ index 71849bf..0ad2f74 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2155,7 +2252,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2155,7 +2255,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -68858,7 +69036,7 @@ index 71849bf..0ad2f74 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2284,13 +2381,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2284,13 +2384,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif 
@@ -68952,10 +69130,20 @@ index d40d23f..d739b08 100644 static inline int security_settime(struct timespec *ts, struct timezone *tz) diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h -index 8366d8f..2307490 100644 +index 8366d8f..898f3c6 100644 --- a/include/linux/seq_file.h +++ b/include/linux/seq_file.h -@@ -32,6 +32,7 @@ struct seq_operations { +@@ -23,6 +23,9 @@ struct seq_file { + u64 version; + struct mutex lock; + const struct seq_operations *op; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ long long exec_id; ++#endif + void *private; + }; + +@@ -32,6 +35,7 @@ struct seq_operations { void * (*next) (struct seq_file *m, void *v, loff_t *pos); int (*show) (struct seq_file *m, void *v); }; @@ -70107,7 +70295,7 @@ index d97f689..f3b90ab 100644 #endif /* _NET_SECURE_SEQ */ diff --git a/include/net/sock.h b/include/net/sock.h -index 9f96394..76fc9c7 100644 +index 78adf52..99afd29 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -272,7 +272,7 @@ struct sock { @@ -70712,7 +70900,7 @@ index 1fd59b8..a01b079 100644 next_state = Reset; return 0; diff --git a/init/main.c b/init/main.c -index 1eb4bd5..da8c6f5 100644 +index 1eb4bd5..fea5bbe 100644 --- a/init/main.c +++ b/init/main.c @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void) { } @@ -70740,7 +70928,7 @@ index 1eb4bd5..da8c6f5 100644 + unsigned int cpu; + struct desc_struct *gdt; + -+ for (cpu = 0; cpu < NR_CPUS; cpu++) { ++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) { + gdt = get_cpu_gdt_table(cpu); + gdt[GDT_ENTRY_KERNEL_DS].type = 3; + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf; @@ -71797,7 +71985,7 @@ index 0f8fae3..9344a56 100644 get_task_struct(p); read_unlock(&tasklist_lock); diff --git a/kernel/fork.c b/kernel/fork.c -index 4bde56f..29a9bab 100644 +index 4bde56f..a07de53 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -253,7 +253,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) 
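Review bot: The new `exec_id` member in `struct seq_file` is not assigned anywhere in this hunk, yet the `show` callbacks elsewhere in this patch compare it against `current->exec_id`; the assignment is presumably in `seq_open` (outside this diff) and should be confirmed, because a `seq_file` created through a path that skips it keeps the 0 from `kzalloc` and every reader that has ever exec'd would then be refused. A one-line comment on the field would record the contract: `/* exec_id of the task that opened the file; compared with the reader's in the PROC_MEMMAP-guarded show() callbacks */`. The field's `long long` type matches the one added to `task_struct`, but both are fed from an `atomic64` counter, so `u64` would state that more directly.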
@@ -71895,16 +72083,20 @@ index 4bde56f..29a9bab 100644 retval = copy_creds(p, clone_flags); if (retval < 0) -@@ -1183,6 +1214,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1183,6 +1214,12 @@ static struct task_struct *copy_process(unsigned long clone_flags, goto bad_fork_free_pid; } + gr_copy_label(p); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ p->exec_id = current->exec_id; ++#endif ++ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; /* * Clear TID on mm_release()? -@@ -1333,6 +1366,8 @@ bad_fork_cleanup_count: +@@ -1333,6 +1370,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -71913,7 +72105,7 @@ index 4bde56f..29a9bab 100644 return ERR_PTR(retval); } -@@ -1426,6 +1461,8 @@ long do_fork(unsigned long clone_flags, +@@ -1426,6 +1465,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -71922,7 +72114,7 @@ index 4bde56f..29a9bab 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1558,7 +1595,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1558,7 +1599,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -71931,7 +72123,7 @@ index 4bde56f..29a9bab 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1681,7 +1718,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1681,7 +1722,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; write_lock(&fs->lock); current->fs = new_fs; @@ -74535,10 +74727,36 @@ index c03edf7..ac1b341 100644 rcu_read_unlock_special(t); } diff --git a/kernel/relay.c b/kernel/relay.c -index 760c262..a9fd241 100644 +index 760c262..908e9ee 100644 --- a/kernel/relay.c 
+++ b/kernel/relay.c -@@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct file *in, +@@ -171,10 +171,14 @@ depopulate: + */ + static struct rchan_buf *relay_create_buf(struct rchan *chan) + { +- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); ++ struct rchan_buf *buf; ++ ++ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) ++ return NULL; ++ ++ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); + if (!buf) + return NULL; +- + buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL); + if (!buf->padding) + goto free_buf; +@@ -581,6 +585,8 @@ struct rchan *relay_open(const char *base_filename, + + if (!(subbuf_size && n_subbufs)) + return NULL; ++ if (subbuf_size > UINT_MAX / n_subbufs) ++ return NULL; + + chan = kzalloc(sizeof(struct rchan), GFP_KERNEL); + if (!chan) +@@ -1222,7 +1228,7 @@ static int subbuf_splice_actor(struct file *in, unsigned int flags, int *nonpad_ret) { @@ -74547,7 +74765,7 @@ index 760c262..a9fd241 100644 struct rchan_buf *rbuf = in->private_data; unsigned int subbuf_size = rbuf->chan->subbuf_size; uint64_t pos = (uint64_t) *ppos; -@@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct file *in, +@@ -1241,6 +1247,9 @@ static int subbuf_splice_actor(struct file *in, .ops = &relay_pipe_buf_ops, .spd_release = relay_page_release, }; @@ -75028,7 +75246,7 @@ index 04a0252..580c512 100644 struct tasklet_struct *list; diff --git a/kernel/sys.c b/kernel/sys.c -index e9512b1..8a10cb3 100644 +index e9512b1..f07185f 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -133,6 +133,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) 
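Review bot: The new bound in `relay_open`, `if (subbuf_size > UINT_MAX / n_subbufs)`, protects the raw product but presumably not the page rounding that the function applies to it further down (outside the hunk); if the total is rounded up to a page boundary, a product within `PAGE_SIZE - 1` of `UINT_MAX` still wraps to 0 on 32-bit. In that case the check should leave headroom, e.g. `if (subbuf_size > (UINT_MAX - PAGE_SIZE + 1) / n_subbufs)`. The matching check in `relay_create_buf` uses `sizeof(size_t *)` for what the context line allocates as an array of `size_t` (`buf->padding`); the two sizes agree on every supported arch, but `sizeof(*buf->padding)` in both the check and the `kmalloc` would tie them together.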
@@ -75150,29 +75368,7 @@ index e9512b1..8a10cb3 100644 if (capable(CAP_SETUID)) { new->suid = new->uid = uid; if (uid != old->uid) { -@@ -721,9 +750,18 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) - - retval = -EPERM; - if (!capable(CAP_SETUID)) { -- if (ruid != (uid_t) -1 && ruid != old->uid && -- ruid != old->euid && ruid != old->suid) -- goto error; -+ // if RBAC is enabled, require CAP_SETUID to change -+ // uid to euid (from a suid binary, for instance) -+ // this is a hardening of normal permissions, not -+ // weakening -+ if (gr_acl_is_enabled()) { -+ if (ruid != (uid_t) -1 && ruid != old->uid) -+ goto error; -+ } else { -+ if (ruid != (uid_t) -1 && ruid != old->uid && -+ ruid != old->euid && ruid != old->suid) -+ goto error; -+ } - if (euid != (uid_t) -1 && euid != old->uid && - euid != old->euid && euid != old->suid) - goto error; -@@ -732,6 +770,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) +@@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) goto error; } 
@@ -75182,29 +75378,7 @@ index e9512b1..8a10cb3 100644 if (ruid != (uid_t) -1) { new->uid = ruid; if (ruid != old->uid) { -@@ -789,9 +830,18 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) - - retval = -EPERM; - if (!capable(CAP_SETGID)) { -- if (rgid != (gid_t) -1 && rgid != old->gid && -- rgid != old->egid && rgid != old->sgid) -- goto error; -+ // if RBAC is enabled, require CAP_SETGID to change -+ // gid to egid (from a sgid binary, for instance) -+ // this is a hardening of normal permissions, not -+ // weakening -+ if (gr_acl_is_enabled()) { -+ if (rgid != (gid_t) -1 && rgid != old->gid) -+ goto error; -+ } else { -+ if (rgid != (gid_t) -1 && rgid != old->gid && -+ rgid != old->egid && rgid != old->sgid) -+ goto error; -+ } - if (egid != (gid_t) -1 && egid != old->gid && - egid != old->egid && egid != old->sgid) - goto error; -@@ -800,6 +850,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) +@@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) goto error; } @@ -75214,7 +75388,7 @@ index e9512b1..8a10cb3 100644 if (rgid != (gid_t) -1) new->gid = rgid; if (egid != (gid_t) -1) -@@ -849,6 +902,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) +@@ -849,6 +884,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0) goto error; @@ -75224,7 +75398,7 @@ index e9512b1..8a10cb3 100644 if (uid == old->uid || uid == old->euid || uid == old->suid || uid == old->fsuid || capable(CAP_SETUID)) { -@@ -889,6 +945,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) +@@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) if (gid == old->gid || gid == old->egid || gid == old->sgid || gid == old->fsgid || capable(CAP_SETGID)) { 
@@ -75234,7 +75408,7 @@ index e9512b1..8a10cb3 100644 if (gid != old_fsgid) { new->fsgid = gid; goto change_okay; -@@ -1454,7 +1513,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, +@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = get_dumpable(me->mm); break; case PR_SET_DUMPABLE: @@ -77260,7 +77434,7 @@ index 6c836d3..48f3264 100644 * Make sure the vDSO gets into every core dump. * Dumping its contents makes post-mortem fully interpretable later diff --git a/mm/mempolicy.c b/mm/mempolicy.c -index 3c6e3e2..ad9871c 100644 +index 3c6e3e2..b1ddbb8 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_struct *vma, unsigned long start, @@ -77334,7 +77508,42 @@ index 3c6e3e2..ad9871c 100644 rcu_read_unlock(); err = -EPERM; goto out; -@@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, void *v) +@@ -2367,6 +2399,12 @@ static inline void check_huge_range(struct vm_area_struct *vma, + } + #endif + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \ ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \ ++ _mm->pax_flags & MF_PAX_SEGMEXEC)) ++#endif ++ + /* + * Display pages allocated per node and memory policy via /proc. + */ +@@ -2381,6 +2419,13 @@ int show_numa_map(struct seq_file *m, void *v) + int n; + char buffer[50]; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("numa_maps"); ++ return 0; ++ } ++#endif ++ + if (!mm) + return 0; + +@@ -2392,11 +2437,15 @@ int show_numa_map(struct seq_file *m, void *v) + mpol_to_str(buffer, sizeof(buffer), pol, 0); + mpol_cond_put(pol); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ seq_printf(m, "%08lx %s", PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : vma->vm_start, buffer); ++#else + seq_printf(m, "%08lx %s", vma->vm_start, buffer); ++#endif if (file) { seq_printf(m, " file="); 
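Review bot: The `exec_id` guard added at the top of `show_numa_map` executes once per VMA, since `show_numa_map` is the seq `show` callback and returning 0 lets the iterator continue, so a single denied read of `numa_maps` calls `gr_log_badprocpid("numa_maps")` for every mapping in the mm rather than once (unless gr_log_badprocpid rate-limits, which is not visible here). If an empty result is the intended behaviour, perform the check once in the open or `start` path instead; if an error is acceptable, returning `-EPERM` stops the iteration after the first log line. The new `PAX_RAND_FLAGS` macro relies on `&` binding tighter than `||`, which is correct but easy to misread; `((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))` expresses the same test in one operation, and the macro body should parenthesise `_mm` throughout.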
@@ -79413,7 +79622,7 @@ index c8d466a..909e01e 100644 * ksize - get the actual amount of memory allocated for a given object * @objp: Pointer to the object diff --git a/mm/slob.c b/mm/slob.c -index 837ebd6..4712174 100644 +index 837ebd6..0bd23bc 100644 --- a/mm/slob.c +++ b/mm/slob.c @@ -29,7 +29,7 @@ @@ -79604,7 +79813,7 @@ index 837ebd6..4712174 100644 + + type = "<process stack>"; + sp = slob_page(ptr); -+ if (!PageSlab((struct page*)sp)) { ++ if (!PageSlab((struct page *)sp)) { + if (object_is_on_stack(ptr, n) == -1) + goto report; + return; @@ -80893,7 +81102,7 @@ index 45329d7..626aaa6 100644 } #endif diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index a807f8c..65f906f 100644 +index 025f924..70a71c4 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset, @@ -81546,7 +81755,7 @@ index 57d5501..a9ed13a 100644 /* Has it gone just too far? */ tcp_write_err(sk); diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 0ac8833..58d8c43 100644 +index 8e28770..72105c8 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -86,6 +86,7 @@ diff --git a/3.2.5/0000_README b/3.2.6/0000_README index 9573972..0295121 100644 --- a/3.2.5/0000_README +++ b/3.2.6/0000_README @@ -2,15 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 1002_linux-3.2.3.patch -From: http://www.kernel.org -Desc: Linux 3.2.3 - -Patch: 1003_linux-3.2.4.patch -From: http://www.kernel.org -Desc: Linux 3.2.4 - -Patch: 4420_grsecurity-2.2.2-3.2.5-201202081924.patch +Patch: 4420_grsecurity-2.2.2-3.2.6-201202131824.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.5/4420_grsecurity-2.2.2-3.2.5-201202081924.patch b/3.2.6/4420_grsecurity-2.2.2-3.2.6-201202131824.patch index 85ac90f..2ac6312 100644 
--- a/3.2.5/4420_grsecurity-2.2.2-3.2.5-201202081924.patch +++ b/3.2.6/4420_grsecurity-2.2.2-3.2.6-201202131824.patch @@ -186,7 +186,7 @@ index 81c287f..d456d02 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index e9dd0ff..e4c0733 100644 +index 47fe496..c50bd2a 100644 --- a/Makefile +++ b/Makefile @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -28138,7 +28138,7 @@ index c9339f4..f5e1b9d 100644 int front_offset; } drm_i810_private_t; diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c -index 004b048..7588eba 100644 +index b2e3c97..58cf079 100644 --- a/drivers/gpu/drm/i915/i915_debugfs.c +++ b/drivers/gpu/drm/i915/i915_debugfs.c @@ -499,7 +499,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data) @@ -28160,7 +28160,7 @@ index 004b048..7588eba 100644 mutex_unlock(&dev->struct_mutex); diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c -index a9ae374..43c1e9e 100644 +index c4da951..3c59c5c 100644 --- a/drivers/gpu/drm/i915/i915_dma.c +++ b/drivers/gpu/drm/i915/i915_dma.c @@ -1172,7 +1172,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev) @@ -28173,7 +28173,7 @@ index a9ae374..43c1e9e 100644 return can_switch; } diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h -index 554bef7..d24791c 100644 +index ae294a0..1755461 100644 --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -229,7 +229,7 @@ struct drm_i915_display_funcs { @@ -28185,7 +28185,7 @@ index 554bef7..d24791c 100644 struct intel_device_info { u8 gen; -@@ -312,7 +312,7 @@ typedef struct drm_i915_private { +@@ -318,7 +318,7 @@ typedef struct drm_i915_private { int current_page; int page_flipping; 
@@ -28194,7 +28194,7 @@ index 554bef7..d24791c 100644 /* protects the irq masks */ spinlock_t irq_lock; -@@ -887,7 +887,7 @@ struct drm_i915_gem_object { +@@ -893,7 +893,7 @@ struct drm_i915_gem_object { * will be page flipped away on the next vblank. When it * reaches 0, dev_priv->pending_flip_queue will be woken up. */ @@ -28203,7 +28203,7 @@ index 554bef7..d24791c 100644 }; #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base) -@@ -1267,7 +1267,7 @@ extern int intel_setup_gmbus(struct drm_device *dev); +@@ -1273,7 +1273,7 @@ extern int intel_setup_gmbus(struct drm_device *dev); extern void intel_teardown_gmbus(struct drm_device *dev); extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed); extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit); @@ -28238,7 +28238,7 @@ index b9da890..cad1d98 100644 for (i = 0; i < count; i++) { char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c -index b40004b..7c53a75 100644 +index d47a53b..61154c2 100644 --- a/drivers/gpu/drm/i915/i915_irq.c +++ b/drivers/gpu/drm/i915/i915_irq.c @@ -475,7 +475,7 @@ static irqreturn_t ivybridge_irq_handler(DRM_IRQ_ARGS) @@ -28268,7 +28268,7 @@ index b40004b..7c53a75 100644 iir = I915_READ(IIR); -@@ -1743,7 +1743,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) +@@ -1750,7 +1750,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev) { drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; 
@@ -28277,7 +28277,7 @@ index b40004b..7c53a75 100644 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func); INIT_WORK(&dev_priv->error_work, i915_error_work_func); -@@ -1931,7 +1931,7 @@ static void i915_driver_irq_preinstall(struct drm_device * dev) +@@ -1938,7 +1938,7 @@ static void i915_driver_irq_preinstall(struct drm_device * dev) drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private; int pipe; @@ -28492,7 +28492,7 @@ index 2f6daae..c9d7b9e 100644 } diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c -index 5f0bc57..eb9fac8 100644 +index 7ce3fde..cb3ea04 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -314,7 +314,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv, @@ -28656,7 +28656,7 @@ index 8227e76..ce0b195 100644 /* * Asic structures diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c -index 9b39145..389b93b 100644 +index 9231564..78b00fd 100644 --- a/drivers/gpu/drm/radeon/radeon_device.c +++ b/drivers/gpu/drm/radeon/radeon_device.c @@ -687,7 +687,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev) @@ -30775,6 +30775,19 @@ index a3bd163..8956575 100644 typedef struct _diva_os_xdi_adapter { struct list_head link; +diff --git a/drivers/isdn/i4l/isdn_net.c b/drivers/isdn/i4l/isdn_net.c +index 2339d73..802ab87 100644 +--- a/drivers/isdn/i4l/isdn_net.c ++++ b/drivers/isdn/i4l/isdn_net.c +@@ -1901,7 +1901,7 @@ static int isdn_net_header(struct sk_buff *skb, struct net_device *dev, + { + isdn_net_local *lp = netdev_priv(dev); + unsigned char *p; +- ushort len = 0; ++ int len = 0; + + switch (lp->p_encap) { + case ISDN_NET_ENCAP_ETHER: diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c index 1f355bb..43f1fea 100644 --- a/drivers/isdn/icn/icn.c @@ -35306,7 +35319,7 @@ index ed147c4..94fc3c6 100644 /* core tmem accessor functions */ 
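Review bot: The type change `ushort len` to `int len` in `isdn_net_header` carries no comment explaining it; the function returns `len`, and if the `ISDN_NET_ENCAP_ETHER` case stores the result of `eth_header()` in it, a negative return (presumably `-ETH_HLEN` when no destination address is known) was being truncated to a large positive value before this change. A short comment makes the fix self-explaining: `/* int, not ushort: eth_header() may return a negative length */`. The switch body is outside the hunk, so this reading should be confirmed against it.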
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c -index 8599545..7761358 100644 +index 0c1d5c73..88e90a8 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -1364,7 +1364,7 @@ static int iscsit_handle_data_out(struct iscsi_conn *conn, unsigned char *buf) @@ -35350,7 +35363,7 @@ index 6845228..df77141 100644 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count); diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c -index e87d0eb..856cbcc 100644 +index 861628e..659ae80 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -1343,7 +1343,7 @@ struct se_device *transport_add_device_to_core_hba( @@ -35392,7 +35405,7 @@ index e87d0eb..856cbcc 100644 cmd->t_task_list_num) atomic_set(&cmd->t_transport_sent, 1); -@@ -4260,7 +4260,7 @@ bool transport_wait_for_tasks(struct se_cmd *cmd) +@@ -4273,7 +4273,7 @@ bool transport_wait_for_tasks(struct se_cmd *cmd) atomic_set(&cmd->transport_lun_stop, 0); } if (!atomic_read(&cmd->t_transport_active) || @@ -35401,7 +35414,7 @@ index e87d0eb..856cbcc 100644 spin_unlock_irqrestore(&cmd->t_state_lock, flags); return false; } -@@ -4509,7 +4509,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status) +@@ -4522,7 +4522,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status) { int ret = 0; @@ -35410,7 +35423,7 @@ index e87d0eb..856cbcc 100644 if (!send_status || (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS)) return 1; -@@ -4546,7 +4546,7 @@ void transport_send_task_abort(struct se_cmd *cmd) +@@ -4559,7 +4559,7 @@ void transport_send_task_abort(struct se_cmd *cmd) */ if (cmd->data_direction == DMA_TO_DEVICE) { if (cmd->se_tfo->write_pending_status(cmd) != 0) { @@ -35879,7 +35892,7 @@ index a605549..6bd3c96 100644 } diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c -index 5e096f4..0da1363 100644 +index 65447c5..0526f0a 100644 
--- a/drivers/tty/vt/vt_ioctl.c +++ b/drivers/tty/vt/vt_ioctl.c @@ -207,9 +207,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm, struct kbd_str @@ -41406,7 +41419,7 @@ index 0dc5a3d..d3cdeea 100644 i += packet_length_size; if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c -index 54eb14c..e51b453 100644 +index 608c1c3..7d040a8 100644 --- a/fs/ecryptfs/read_write.c +++ b/fs/ecryptfs/read_write.c @@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *ecryptfs_inode, char *data, @@ -41418,30 +41431,7 @@ index 54eb14c..e51b453 100644 set_fs(fs_save); mark_inode_dirty_sync(ecryptfs_inode); return rc; -@@ -130,7 +130,12 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, - pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT); - size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK); - size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); -- size_t total_remaining_bytes = ((offset + size) - pos); -+ loff_t total_remaining_bytes = ((offset + size) - pos); -+ -+ if (fatal_signal_pending(current)) { -+ rc = -EINTR; -+ break; -+ } - - if (fatal_signal_pending(current)) { - rc = -EINTR; -@@ -141,7 +146,7 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, - num_bytes = total_remaining_bytes; - if (pos < offset) { - /* remaining zeros to write, up to destination offset */ -- size_t total_remaining_zeros = (offset - pos); -+ loff_t total_remaining_zeros = (offset - pos); - - if (num_bytes > total_remaining_zeros) - num_bytes = total_remaining_zeros; -@@ -244,7 +249,7 @@ int ecryptfs_read_lower(char *data, loff_t offset, size_t size, +@@ -244,7 +244,7 @@ int ecryptfs_read_lower(char *data, loff_t offset, size_t size, return -EIO; fs_save = get_fs(); set_fs(get_ds()); @@ -41451,7 +41441,7 @@ index 54eb14c..e51b453 100644 return rc; } 
diff --git a/fs/exec.c b/fs/exec.c -index 3625464..fac01f4 100644 +index 3625464..7949233 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -55,12 +55,28 @@ 
@@ -41688,7 +41678,68 @@ index 3625464..fac01f4 100644 set_fs(old_fs); return result; } -@@ -1247,7 +1268,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) +@@ -1067,6 +1088,21 @@ void set_task_comm(struct task_struct *tsk, char *buf) + perf_event_comm(tsk); + } + ++static void filename_to_taskname(char *tcomm, const char *fn, unsigned int len) ++{ ++ int i, ch; ++ ++ /* Copies the binary name from after last slash */ ++ for (i = 0; (ch = *(fn++)) != '\0';) { ++ if (ch == '/') ++ i = 0; /* overwrite what we wrote */ ++ else ++ if (i < len - 1) ++ tcomm[i++] = ch; ++ } ++ tcomm[i] = '\0'; ++} ++ + int flush_old_exec(struct linux_binprm * bprm) + { + int retval; +@@ -1081,6 +1117,7 @@ int flush_old_exec(struct linux_binprm * bprm) + + set_mm_exe_file(bprm->mm, bprm->file); + ++ filename_to_taskname(bprm->tcomm, bprm->filename, sizeof(bprm->tcomm)); + /* + * Release all of the old mmap stuff + */ +@@ -1112,10 +1149,6 @@ EXPORT_SYMBOL(would_dump); + + void setup_new_exec(struct linux_binprm * bprm) + { +- int i, ch; +- const char *name; +- char tcomm[sizeof(current->comm)]; +- + arch_pick_mmap_layout(current->mm); + + /* This is the point of no return */ +@@ -1126,18 +1159,7 @@ void setup_new_exec(struct linux_binprm * bprm) + else + set_dumpable(current->mm, suid_dumpable); + +- name = bprm->filename; +- +- /* Copies the binary name from after last slash */ +- for (i=0; (ch = *(name++)) != '\0';) { +- if (ch == '/') +- i = 0; /* overwrite what we wrote */ +- else +- if (i < (sizeof(tcomm) - 1)) +- tcomm[i++] = ch; +- } +- tcomm[i] = '\0'; +- set_task_comm(current, tcomm); ++ set_task_comm(current, bprm->tcomm); + + /* Set the new mm task size. We have to do that late because it may + * depend on TIF_32BIT which is only updated in flush_thread() on +@@ -1247,7 +1269,7 @@ int check_unsafe_exec(struct linux_binprm *bprm) } rcu_read_unlock(); 
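Review bot: In the new `filename_to_taskname`, `i` is a signed `int` compared against the `unsigned int` expression `len - 1`, which trips -Wsign-compare and, for `len == 0`, wraps to `UINT_MAX` so the loop writes without bound and the trailing `tcomm[i] = '\0'` lands outside a zero-length buffer. The only caller in this hunk passes `sizeof(bprm->tcomm)`, so this is latent, but declaring `unsigned int i` and adding `if (!len) return;` costs nothing. A one-line comment on the helper, `/* copy the basename of fn into tcomm, truncated to len-1 characters */`, would also help, since it replaces an inline loop that had one.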
@@ -41697,7 +41748,18 @@ index 3625464..fac01f4 100644 bprm->unsafe |= LSM_UNSAFE_SHARE; } else { res = -EAGAIN; -@@ -1450,6 +1471,11 @@ static int do_execve_common(const char *filename, +@@ -1442,6 +1464,10 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs) + + EXPORT_SYMBOL(search_binary_handler); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++atomic64_unchecked_t global_exec_counter = ATOMIC64_INIT(0); ++#endif ++ + /* + * sys_execve() executes a new program. + */ +@@ -1450,6 +1476,11 @@ static int do_execve_common(const char *filename, struct user_arg_ptr envp, struct pt_regs *regs) { @@ -41709,7 +41771,7 @@ index 3625464..fac01f4 100644 struct linux_binprm *bprm; struct file *file; struct files_struct *displaced; -@@ -1457,6 +1483,8 @@ static int do_execve_common(const char *filename, +@@ -1457,6 +1488,8 @@ static int do_execve_common(const char *filename, int retval; const struct cred *cred = current_cred(); @@ -41718,7 +41780,7 @@ index 3625464..fac01f4 100644 /* * We move the actual failure in case of RLIMIT_NPROC excess from * set*uid() to execve() because too many poorly written programs -@@ -1497,12 +1525,27 @@ static int do_execve_common(const char *filename, +@@ -1497,12 +1530,27 @@ static int do_execve_common(const char *filename, if (IS_ERR(file)) goto out_unmark; @@ -41746,7 +41808,7 @@ index 3625464..fac01f4 100644 retval = bprm_mm_init(bprm); if (retval) goto out_file; -@@ -1532,9 +1575,40 @@ static int do_execve_common(const char *filename, +@@ -1532,11 +1580,46 @@ static int do_execve_common(const char *filename, if (retval < 0) goto out; 
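Review bot: `global_exec_counter` is defined with external linkage, but no `extern` declaration for it appears in any header in this diff and its only visible use is the `atomic64_inc_return_unchecked` in `do_execve_common` in the same file; unless another translation unit references it, it should be `static atomic64_unchecked_t global_exec_counter = ATOMIC64_INIT(0);` so the symbol stays file-local. A comment on the definition would record the design: `/* monotonic exec generation; copied into task->exec_id on successful exec and compared by the guarded /proc readers */`.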
@@ -41787,8 +41849,14 @@ index 3625464..fac01f4 100644 +#endif /* execve succeeded */ ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ current->exec_id = atomic64_inc_return_unchecked(&global_exec_counter); ++#endif ++ current->fs->in_exec = 0; -@@ -1545,6 +1619,14 @@ static int do_execve_common(const char *filename, + current->in_execve = 0; + acct_update_integrals(current); +@@ -1545,6 +1628,14 @@ static int do_execve_common(const char *filename, put_files_struct(displaced); return retval; @@ -41803,7 +41871,7 @@ index 3625464..fac01f4 100644 out: if (bprm->mm) { acct_arg_size(bprm, 0); -@@ -1618,7 +1700,7 @@ static int expand_corename(struct core_name *cn) +@@ -1618,7 +1709,7 @@ static int expand_corename(struct core_name *cn) { char *old_corename = cn->corename; @@ -41812,7 +41880,7 @@ index 3625464..fac01f4 100644 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); if (!cn->corename) { -@@ -1715,7 +1797,7 @@ static int format_corename(struct core_name *cn, long signr) +@@ -1715,7 +1806,7 @@ static int format_corename(struct core_name *cn, long signr) int pid_in_pattern = 0; int err = 0; @@ -41821,7 +41889,7 @@ index 3625464..fac01f4 100644 cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->used = 0; -@@ -1812,6 +1894,218 @@ out: +@@ -1812,6 +1903,218 @@ out: return ispipe; } @@ -42040,7 +42108,7 @@ index 3625464..fac01f4 100644 static int zap_process(struct task_struct *start, int exit_code) { struct task_struct *t; -@@ -2023,17 +2317,17 @@ static void wait_for_dump_helpers(struct file *file) +@@ -2023,17 +2326,17 @@ static void wait_for_dump_helpers(struct file *file) pipe = file->f_path.dentry->d_inode->i_pipe; pipe_lock(pipe); @@ -42063,7 +42131,7 @@ index 3625464..fac01f4 100644 pipe_unlock(pipe); } -@@ -2094,7 +2388,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2094,7 +2397,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) int retval = 0; int flag = 0; int ispipe; 
@@ -42072,7 +42140,7 @@ index 3625464..fac01f4 100644 struct coredump_params cprm = { .signr = signr, .regs = regs, -@@ -2109,6 +2403,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2109,6 +2412,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) audit_core_dumps(signr); @@ -42082,7 +42150,7 @@ index 3625464..fac01f4 100644 binfmt = mm->binfmt; if (!binfmt || !binfmt->core_dump) goto fail; -@@ -2176,7 +2473,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2176,7 +2482,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } cprm.limit = RLIM_INFINITY; @@ -42091,7 +42159,7 @@ index 3625464..fac01f4 100644 if (core_pipe_limit && (core_pipe_limit < dump_count)) { printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n", task_tgid_vnr(current), current->comm); -@@ -2203,6 +2500,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) +@@ -2203,6 +2509,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) } else { struct inode *inode; @@ -42100,7 +42168,7 @@ index 3625464..fac01f4 100644 if (cprm.limit < binfmt->min_coredump) goto fail_unlock; -@@ -2246,7 +2545,7 @@ close_fail: +@@ -2246,7 +2554,7 @@ close_fail: filp_close(cprm.file, NULL); fail_dropcount: if (ispipe) @@ -42109,7 +42177,7 @@ index 3625464..fac01f4 100644 fail_unlock: kfree(cn.corename); fail_corename: -@@ -2265,7 +2564,7 @@ fail: +@@ -2265,7 +2573,7 @@ fail: */ int dump_write(struct file *file, const void *addr, int nr) { @@ -45184,7 +45252,7 @@ index 15af622..0e9f4467 100644 help Various /proc files exist to monitor process memory utilization: diff --git a/fs/proc/array.c b/fs/proc/array.c -index 3a1dafd..d41fc37 100644 +index 3a1dafd..1456746 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -60,6 +60,7 @@ 
@@ -45242,7 +45310,21 @@ index 3a1dafd..d41fc37 100644 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task, int whole) { -@@ -449,6 +480,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -378,6 +409,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + char tcomm[sizeof(task->comm)]; + unsigned long flags; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("stat"); ++ return 0; ++ } ++#endif ++ + state = *get_task_state(task); + vsize = eip = esp = 0; + permitted = ptrace_may_access(task, PTRACE_MODE_READ); +@@ -449,6 +487,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, gtime = task->gtime; } @@ -45262,7 +45344,7 @@ index 3a1dafd..d41fc37 100644 /* scale priority and nice values from timeslices to -20..20 */ /* to make it look like a "normal" Unix priority/nice value */ priority = task_prio(task); -@@ -489,9 +533,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, +@@ -489,9 +540,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, vsize, mm ? get_mm_rss(mm) : 0, rsslim, @@ -45278,7 +45360,21 @@ index 3a1dafd..d41fc37 100644 esp, eip, /* The signal information here is obsolete. -@@ -544,3 +594,18 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, +@@ -535,6 +592,13 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, + unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0; + struct mm_struct *mm = get_task_mm(task); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("statm"); ++ return 0; ++ } ++#endif ++ + if (mm) { + size = task_statm(mm, &shared, &text, &data, &resident); + mmput(mm); +@@ -544,3 +608,18 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, return 0; } 
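Review bot: The `exec_id` guard inserted into `proc_pid_statm` leaks a reference to the task's mm: `struct mm_struct *mm = get_task_mm(task);` has already run on the context line above the new block, and the early `return 0;` skips the `mmput(mm)` that the original `if (mm) { ... mmput(mm); }` path performs, so every denied read of `statm` pins that mm_struct permanently. Either move the check above the `get_task_mm()` call, or add `if (mm) mmput(mm);` immediately before the `return 0;`. The same guard in `do_task_stat` is placed before any `get_task_mm()` and is fine as written.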
@@ -45298,7 +45394,7 @@ index 3a1dafd..d41fc37 100644 +} +#endif diff --git a/fs/proc/base.c b/fs/proc/base.c -index 1fc1dca..357b933 100644 +index 1ace83d..357b933 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -107,6 +107,22 @@ struct pid_entry { 
@@ -45438,164 +45534,19 @@ index 1fc1dca..357b933 100644 put_task_struct(task); } return allowed; -@@ -775,6 +793,13 @@ static int mem_open(struct inode* inode, struct file* file) - if (IS_ERR(mm)) - return PTR_ERR(mm); - -+ if (mm) { -+ /* ensure this mm_struct can't be freed */ -+ atomic_inc(&mm->mm_count); -+ /* but do not pin its memory */ -+ mmput(mm); -+ } -+ - /* OK to pass negative loff_t, we can catch out-of-range */ - file->f_mode |= FMODE_UNSIGNED_OFFSET; - file->private_data = mm; -@@ -782,57 +807,18 @@ static int mem_open(struct inode* inode, struct file* file) - return 0; - } - --static ssize_t mem_read(struct file * file, char __user * buf, -- size_t count, loff_t *ppos) -+static ssize_t mem_rw(struct file *file, char __user *buf, -+ size_t count, loff_t *ppos, int write) - { -- int ret; -- char *page; -- unsigned long src = *ppos; - struct mm_struct *mm = file->private_data; -- -- if (!mm) -- return 0; -- -- page = (char *)__get_free_page(GFP_TEMPORARY); -- if (!page) -- return -ENOMEM; -- -- ret = 0; -- -- while (count > 0) { -- int this_len, retval; -- -- this_len = (count > PAGE_SIZE) ? 
PAGE_SIZE : count; -- retval = access_remote_vm(mm, src, page, this_len, 0); -- if (!retval) { -- if (!ret) -- ret = -EIO; -- break; -- } -- -- if (copy_to_user(buf, page, retval)) { -- ret = -EFAULT; -- break; -- } -- -- ret += retval; -- src += retval; -- buf += retval; -- count -= retval; -- } -- *ppos = src; -- -- free_page((unsigned long) page); -- return ret; --} -- --static ssize_t mem_write(struct file * file, const char __user *buf, -- size_t count, loff_t *ppos) --{ -- int copied; -+ unsigned long addr = *ppos; -+ ssize_t copied; +@@ -797,6 +815,11 @@ static ssize_t mem_rw(struct file *file, char __user *buf, + ssize_t copied; char *page; -- unsigned long dst = *ppos; -- struct mm_struct *mm = file->private_data; -+ + +#ifdef CONFIG_GRKERNSEC + if (write) + return -EPERM; +#endif - ++ if (!mm) return 0; -@@ -842,31 +828,54 @@ static ssize_t mem_write(struct file * file, const char __user *buf, - return -ENOMEM; - - copied = 0; -+ if (!atomic_inc_not_zero(&mm->mm_users)) -+ goto free; -+ - while (count > 0) { -- int this_len, retval; -+ int this_len = min_t(int, count, PAGE_SIZE); - -- this_len = (count > PAGE_SIZE) ? 
PAGE_SIZE : count; -- if (copy_from_user(page, buf, this_len)) { -+ if (write && copy_from_user(page, buf, this_len)) { - copied = -EFAULT; - break; - } -- retval = access_remote_vm(mm, dst, page, this_len, 1); -- if (!retval) { -+ -+ this_len = access_remote_vm(mm, addr, page, this_len, write); -+ if (!this_len) { - if (!copied) - copied = -EIO; - break; - } -- copied += retval; -- buf += retval; -- dst += retval; -- count -= retval; -+ -+ if (!write && copy_to_user(buf, page, this_len)) { -+ copied = -EFAULT; -+ break; -+ } -+ -+ buf += this_len; -+ addr += this_len; -+ copied += this_len; -+ count -= this_len; - } -- *ppos = dst; -+ *ppos = addr; - -+ mmput(mm); -+free: - free_page((unsigned long) page); - return copied; - } - -+static ssize_t mem_read(struct file *file, char __user *buf, -+ size_t count, loff_t *ppos) -+{ -+ return mem_rw(file, buf, count, ppos, 0); -+} -+ -+static ssize_t mem_write(struct file *file, const char __user *buf, -+ size_t count, loff_t *ppos) -+{ -+ return mem_rw(file, (char __user*)buf, count, ppos, 1); -+} -+ - loff_t mem_lseek(struct file *file, loff_t offset, int orig) - { - switch (orig) { -@@ -886,8 +895,8 @@ loff_t mem_lseek(struct file *file, loff_t offset, int orig) - static int mem_release(struct inode *inode, struct file *file) - { - struct mm_struct *mm = file->private_data; -- -- mmput(mm); -+ if (mm) -+ mmdrop(mm); - return 0; - } -@@ -911,6 +920,9 @@ static ssize_t environ_read(struct file *file, char __user *buf, +@@ -897,6 +920,9 @@ static ssize_t environ_read(struct file *file, char __user *buf, if (!task) goto out_no_task; 
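Review bot: The added `if (write) return -EPERM;` in mem_rw silently refuses every write to /proc/<pid>/mem whenever CONFIG_GRKERNSEC is set, while the other denials in this commit go through gr_log_badprocpid and are tied to a named sub-option; an operator whose ptrace-based tooling starts failing has nothing in the log to explain it. At minimum a comment should state the policy, e.g. `/* grsecurity: /proc/<pid>/mem is read-only; refuse writes before touching mm */`, and the behaviour should be mentioned in the CONFIG_GRKERNSEC help text if it is not already. mem_rw's body continues outside the hunk.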
@@ -45605,7 +45556,7 @@ index 1fc1dca..357b933 100644 ret = -ENOMEM; page = (char *)__get_free_page(GFP_TEMPORARY); if (!page) -@@ -1533,7 +1545,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd) +@@ -1519,7 +1545,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd) path_put(&nd->path); /* Are we allowed to snoop on the tasks file descriptors? */ @@ -45614,7 +45565,7 @@ index 1fc1dca..357b933 100644 goto out; error = PROC_I(inode)->op.proc_get_link(inode, &nd->path); -@@ -1572,8 +1584,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b +@@ -1558,8 +1584,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b struct path path; /* Are we allowed to snoop on the tasks file descriptors? */ @@ -45635,7 +45586,7 @@ index 1fc1dca..357b933 100644 error = PROC_I(inode)->op.proc_get_link(inode, &path); if (error) -@@ -1638,7 +1660,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t +@@ -1624,7 +1660,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t rcu_read_lock(); cred = __task_cred(task); inode->i_uid = cred->euid; @@ -45647,7 +45598,7 @@ index 1fc1dca..357b933 100644 rcu_read_unlock(); } security_task_to_inode(task, inode); -@@ -1656,6 +1682,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +@@ -1642,6 +1682,9 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) struct inode *inode = dentry->d_inode; struct task_struct *task; const struct cred *cred; 
@@ -45657,7 +45608,7 @@ index 1fc1dca..357b933 100644 generic_fillattr(inode, stat); -@@ -1663,13 +1692,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +@@ -1649,13 +1692,41 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) stat->uid = 0; stat->gid = 0; task = pid_task(proc_pid(inode), PIDTYPE_PID); @@ -45700,7 +45651,7 @@ index 1fc1dca..357b933 100644 } rcu_read_unlock(); return 0; -@@ -1706,11 +1763,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd) +@@ -1692,11 +1763,20 @@ int pid_revalidate(struct dentry *dentry, struct nameidata *nd) if (task) { if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || @@ -45721,7 +45672,7 @@ index 1fc1dca..357b933 100644 rcu_read_unlock(); } else { inode->i_uid = 0; -@@ -1828,7 +1894,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) +@@ -1814,7 +1894,8 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) int fd = proc_fd(inode); if (task) { @@ -45731,7 +45682,7 @@ index 1fc1dca..357b933 100644 put_task_struct(task); } if (files) { -@@ -2096,11 +2163,21 @@ static const struct file_operations proc_fd_operations = { +@@ -2082,11 +2163,21 @@ static const struct file_operations proc_fd_operations = { */ static int proc_fd_permission(struct inode *inode, int mask) { @@ -45755,7 +45706,7 @@ index 1fc1dca..357b933 100644 return rv; } -@@ -2210,6 +2287,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, +@@ -2196,6 +2287,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir, if (!task) goto out_no_task; @@ -45765,7 +45716,7 @@ index 1fc1dca..357b933 100644 /* * Yes, it does not scale. And it should not. Don't add * new entries into /proc/<tgid>/ without very good reasons. -@@ -2254,6 +2334,9 @@ static int proc_pident_readdir(struct file *filp, +@@ -2240,6 +2334,9 @@ static int proc_pident_readdir(struct file *filp, if (!task) goto out_no_task; 
@@ -45775,7 +45726,7 @@ index 1fc1dca..357b933 100644 ret = 0; i = filp->f_pos; switch (i) { -@@ -2524,7 +2607,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd) +@@ -2510,7 +2607,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd) static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie) { @@ -45784,7 +45735,7 @@ index 1fc1dca..357b933 100644 if (!IS_ERR(s)) __putname(s); } -@@ -2722,7 +2805,7 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2708,7 +2805,7 @@ static const struct pid_entry tgid_base_stuff[] = { REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -45793,7 +45744,7 @@ index 1fc1dca..357b933 100644 INF("syscall", S_IRUGO, proc_pid_syscall), #endif INF("cmdline", S_IRUGO, proc_pid_cmdline), -@@ -2747,10 +2830,10 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2733,10 +2830,10 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -45806,7 +45757,7 @@ index 1fc1dca..357b933 100644 ONE("stack", S_IRUGO, proc_pid_stack), #endif #ifdef CONFIG_SCHEDSTATS -@@ -2784,6 +2867,9 @@ static const struct pid_entry tgid_base_stuff[] = { +@@ -2770,6 +2867,9 @@ static const struct pid_entry tgid_base_stuff[] = { #ifdef CONFIG_HARDWALL INF("hardwall", S_IRUGO, proc_pid_hardwall), #endif @@ -45816,7 +45767,7 @@ index 1fc1dca..357b933 100644 }; static int proc_tgid_base_readdir(struct file * filp, -@@ -2909,7 +2995,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir, +@@ -2895,7 +2995,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir, if (!inode) goto out; 
@@ -45831,7 +45782,7 @@ index 1fc1dca..357b933 100644 inode->i_op = &proc_tgid_base_inode_operations; inode->i_fop = &proc_tgid_base_operations; inode->i_flags|=S_IMMUTABLE; -@@ -2951,7 +3044,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct +@@ -2937,7 +3044,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct if (!task) goto out; @@ -45843,7 +45794,7 @@ index 1fc1dca..357b933 100644 put_task_struct(task); out: return result; -@@ -3016,6 +3113,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) +@@ -3002,6 +3113,11 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) { unsigned int nr; struct task_struct *reaper; @@ -45855,7 +45806,7 @@ index 1fc1dca..357b933 100644 struct tgid_iter iter; struct pid_namespace *ns; -@@ -3039,8 +3141,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) +@@ -3025,8 +3141,27 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) for (iter = next_tgid(ns, iter); iter.task; iter.tgid += 1, iter = next_tgid(ns, iter)) { @@ -45884,7 +45835,7 @@ index 1fc1dca..357b933 100644 put_task_struct(iter.task); goto out; } -@@ -3068,7 +3189,7 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3054,7 +3189,7 @@ static const struct pid_entry tid_base_stuff[] = { REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations), #endif REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), @@ -45893,7 +45844,7 @@ index 1fc1dca..357b933 100644 INF("syscall", S_IRUGO, proc_pid_syscall), #endif INF("cmdline", S_IRUGO, proc_pid_cmdline), -@@ -3092,10 +3213,10 @@ static const struct pid_entry tid_base_stuff[] = { +@@ -3078,10 +3213,10 @@ static const struct pid_entry tid_base_stuff[] = { #ifdef CONFIG_SECURITY DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations), #endif @@ -46226,10 +46177,18 @@ index 03102d9..4ae347e 100644 } 
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c -index 7dcd2a2..d1d9cb6 100644 +index 7dcd2a2..b2f410e 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c -@@ -52,8 +52,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) +@@ -11,6 +11,7 @@ + #include <linux/rmap.h> + #include <linux/swap.h> + #include <linux/swapops.h> ++#include <linux/grsecurity.h> + + #include <asm/elf.h> + #include <asm/uaccess.h> +@@ -52,8 +53,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) "VmExe:\t%8lu kB\n" "VmLib:\t%8lu kB\n" "VmPTE:\t%8lu kB\n" @@ -46245,7 +46204,7 @@ index 7dcd2a2..d1d9cb6 100644 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10), mm->locked_vm << (PAGE_SHIFT-10), mm->pinned_vm << (PAGE_SHIFT-10), -@@ -62,7 +67,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) +@@ -62,7 +68,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm) data << (PAGE_SHIFT-10), mm->stack_vm << (PAGE_SHIFT-10), text, lib, (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10, @@ -46260,7 +46219,7 @@ index 7dcd2a2..d1d9cb6 100644 } unsigned long task_vsize(struct mm_struct *mm) -@@ -209,6 +220,12 @@ static int do_maps_open(struct inode *inode, struct file *file, +@@ -209,6 +221,12 @@ static int do_maps_open(struct inode *inode, struct file *file, return ret; } @@ -46273,7 +46232,7 @@ index 7dcd2a2..d1d9cb6 100644 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) { struct mm_struct *mm = vma->vm_mm; -@@ -227,13 +244,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -227,13 +245,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; } 
@@ -46292,7 +46251,7 @@ index 7dcd2a2..d1d9cb6 100644 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n", start, -@@ -242,7 +259,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -242,7 +260,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) flags & VM_WRITE ? 'w' : '-', flags & VM_EXEC ? 'x' : '-', flags & VM_MAYSHARE ? 's' : 'p', @@ -46304,7 +46263,7 @@ index 7dcd2a2..d1d9cb6 100644 MAJOR(dev), MINOR(dev), ino, &len); /* -@@ -251,7 +272,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -251,7 +273,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) */ if (file) { pad_len_spaces(m, len); @@ -46313,7 +46272,7 @@ index 7dcd2a2..d1d9cb6 100644 } else { const char *name = arch_vma_name(vma); if (!name) { -@@ -259,8 +280,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) +@@ -259,8 +281,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) { name = "[heap]"; @@ -46325,9 +46284,30 @@ index 7dcd2a2..d1d9cb6 100644 name = "[stack]"; } } else { -@@ -435,11 +457,16 @@ static int show_smap(struct seq_file *m, void *v) +@@ -281,6 +304,13 @@ static int show_map(struct seq_file *m, void *v) + struct proc_maps_private *priv = m->private; + struct task_struct *task = priv->task; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("maps"); ++ return 0; ++ } ++#endif ++ + show_map_vma(m, vma); + + if (m->count < m->size) /* vma is copied successfully */ +@@ -434,12 +464,23 @@ static int show_smap(struct seq_file *m, void *v) + .private = &mss, }; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("smaps"); ++ return 0; ++ } ++#endif memset(&mss, 0, sizeof mss); - mss.vma = vma; - /* mmap_sem is held in m_start */ 
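Review bot: The exec_id check in show_map and show_smap runs once per VMA, so a single read of /proc/<pid>/maps through a stale descriptor calls gr_log_badprocpid once for every mapping of the target, because show() returns 0 rather than an error and seq_read keeps iterating, unless gr_log_str rate-limits internally. Performing the check once in m_start(), or returning a negative error so seq_read stops, would log the event once per read instead. The duplicated `if (current->exec_id != m->exec_id)` blocks in show_map, show_smap and show_numa_map would also be easier to keep consistent as a single static helper in this file.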
@@ -46347,7 +46327,7 @@ index 7dcd2a2..d1d9cb6 100644 show_map_vma(m, vma); seq_printf(m, -@@ -457,7 +484,11 @@ static int show_smap(struct seq_file *m, void *v) +@@ -457,7 +498,11 @@ static int show_smap(struct seq_file *m, void *v) "KernelPageSize: %8lu kB\n" "MMUPageSize: %8lu kB\n" "Locked: %8lu kB\n", @@ -46359,7 +46339,29 @@ index 7dcd2a2..d1d9cb6 100644 mss.resident >> 10, (unsigned long)(mss.pss >> (10 + PSS_SHIFT)), mss.shared_clean >> 10, -@@ -1036,7 +1067,7 @@ static int show_numa_map(struct seq_file *m, void *v) +@@ -1015,6 +1060,13 @@ static int show_numa_map(struct seq_file *m, void *v) + int n; + char buffer[50]; + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ if (current->exec_id != m->exec_id) { ++ gr_log_badprocpid("numa_maps"); ++ return 0; ++ } ++#endif ++ + if (!mm) + return 0; + +@@ -1032,11 +1084,15 @@ static int show_numa_map(struct seq_file *m, void *v) + mpol_to_str(buffer, sizeof(buffer), pol, 0); + mpol_cond_put(pol); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ seq_printf(m, "%08lx %s", PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : vma->vm_start, buffer); ++#else + seq_printf(m, "%08lx %s", vma->vm_start, buffer); ++#endif if (file) { seq_printf(m, " file="); @@ -46561,10 +46563,20 @@ index d33418f..2a5345e 100644 return -EINVAL; diff --git a/fs/seq_file.c b/fs/seq_file.c -index dba43c3..a99fb63 100644 +index dba43c3..1dfaf14 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c -@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -40,6 +40,9 @@ int seq_open(struct file *file, const struct seq_operations *op) + memset(p, 0, sizeof(*p)); + mutex_init(&p->lock); + p->op = op; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ p->exec_id = current->exec_id; ++#endif + + /* + * Wrappers around seq_open(e.g. swaps_open) need to be +@@ -76,7 +79,8 @@ static int traverse(struct seq_file *m, loff_t offset) return 0; } if (!m->buf) { 
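Review bot: `p->exec_id = current->exec_id;` in seq_open records the opener's id for every seq_file in the kernel, not only the /proc/<pid> ones, but nothing at the assignment says what consumes it. A comment such as `/* recorded at open; /proc/<pid> show() callbacks compare it with current->exec_id to reject descriptors kept open across exec */` would make the seq_file half of the mechanism discoverable from here. As far as this diff shows, the field is read only by the show() callbacks added in array.c and task_mmu.c.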
@@ -46574,7 +46586,7 @@ index dba43c3..a99fb63 100644 if (!m->buf) return -ENOMEM; } -@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m, loff_t offset) +@@ -116,7 +120,8 @@ static int traverse(struct seq_file *m, loff_t offset) Eoverflow: m->op->stop(m, p); kfree(m->buf); @@ -46584,7 +46596,7 @@ index dba43c3..a99fb63 100644 return !m->buf ? -ENOMEM : -EAGAIN; } -@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -169,7 +174,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) m->version = file->f_version; /* grab buffer if we didn't have one */ if (!m->buf) { @@ -46594,7 +46606,7 @@ index dba43c3..a99fb63 100644 if (!m->buf) goto Enomem; } -@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) +@@ -210,7 +216,8 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) goto Fill; m->op->stop(m, p); kfree(m->buf); @@ -46604,7 +46616,7 @@ index dba43c3..a99fb63 100644 if (!m->buf) goto Enomem; m->count = 0; -@@ -549,7 +553,7 @@ static void single_stop(struct seq_file *p, void *v) +@@ -549,7 +556,7 @@ static void single_stop(struct seq_file *p, void *v) int single_open(struct file *file, int (*show)(struct seq_file *, void *), void *data) { @@ -47021,10 +47033,10 @@ index 23ce927..e274cc1 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..dfd3d34 +index 0000000..8faa28b --- /dev/null +++ b/grsecurity/Kconfig -@@ -0,0 +1,1069 @@ +@@ -0,0 +1,1073 @@ +# +# grecurity configuration +# 
@@ -47295,6 +47307,10 @@ index 0000000..dfd3d34 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will + give no information about the addresses of its mappings if + PaX features that rely on random addresses are enabled on the task. ++ In addition to sanitizing this information and disabling other ++ dangerous sources of information, this option causes reads of sensitive ++ /proc/<pid> entries where the file descriptor was opened in a different ++ task than the one performing the read. Such attempts are logged. + If you use PaX it is greatly recommended that you say Y here as it + closes up a hole that makes the full ASLR useless for suid + binaries. @@ -48096,10 +48112,10 @@ index 0000000..dfd3d34 +endmenu diff --git a/grsecurity/Makefile b/grsecurity/Makefile new file mode 100644 -index 0000000..be9ae3a +index 0000000..1b9afa9 --- /dev/null +++ b/grsecurity/Makefile -@@ -0,0 +1,36 @@ +@@ -0,0 +1,38 @@ +# grsecurity's ACL system was originally written in 2001 by Michael Dalton +# during 2001-2009 it has been completely redesigned by Brad Spengler +# into an RBAC system @@ -48108,6 +48124,8 @@ index 0000000..be9ae3a +# are copyright Brad Spengler - Open Source Security, Inc., and released +# under the GPL v2 or higher + ++KBUILD_CFLAGS += -Werror ++ +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \ + grsec_mount.o grsec_sig.o grsec_sysctl.o \ + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o @@ -48138,10 +48156,10 @@ index 0000000..be9ae3a +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..d3b423d +index 0000000..6e989da --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4155 @@ +@@ -0,0 +1,4163 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
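Review bot: The added help text is missing its outcome: `this option causes reads of sensitive /proc/<pid> entries where the file descriptor was opened in a different task than the one performing the read.` never says what happens to those reads. It also says "a different task", whereas the check compares exec_id, which kernel/fork.c in this same commit copies to children unchanged, so a plain fork()ed child can still read its parent's descriptor; only a descriptor kept open across an exec is rejected, which is what the GR_BADPROCPID_MSG string describes. Suggested wording: `this option causes reads of sensitive /proc/<pid> entries to fail when the file descriptor was opened before an exec() by the reading task (i.e. was passed across exec). Such attempts are logged.`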
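Review bot: `KBUILD_CFLAGS += -Werror` turns any warning from a newer or differently configured compiler into a hard build failure for every object under grsecurity/, including files this commit does not touch. If the intent is to keep this directory warning-free, a one-line comment saying so (and that packagers may need to drop it for unsupported compilers) would help; `ccflags-y += -Werror` is the Kbuild-documented way to add per-directory flags, though in a directory Makefile appending to KBUILD_CFLAGS has a similar scope.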
@@ -50610,6 +50628,8 @@ index 0000000..d3b423d + } +} + ++extern int gr_acl_is_capable(const int cap); ++ +void +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid) +{ @@ -50631,6 +50651,12 @@ index 0000000..d3b423d + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL)) + role = lookup_acl_role_label(task, uid, gid); + ++ /* don't change the role if we're not a privileged process */ ++ if (role && task->role != role && ++ (((role->roletype & GR_ROLE_USER) && gr_acl_is_capable(CAP_SETUID)) || ++ ((role->roletype & GR_ROLE_GROUP) && gr_acl_is_capable(CAP_SETGID)))) ++ return; ++ + /* perform subject lookup in possibly new role + we can use this result below in the case where role == task->role + */ @@ -55679,10 +55705,10 @@ index 0000000..a45d2e9 +} diff --git a/grsecurity/grsec_mem.c b/grsecurity/grsec_mem.c new file mode 100644 -index 0000000..6c0416b +index 0000000..f536303 --- /dev/null +++ b/grsecurity/grsec_mem.c -@@ -0,0 +1,33 @@ +@@ -0,0 +1,40 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/mm.h> @@ -55716,6 +55742,13 @@ index 0000000..6c0416b + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG); + return; +} ++ ++void ++gr_log_badprocpid(const char *entry) ++{ ++ gr_log_str(GR_DONT_AUDIT, GR_BADPROCPID_MSG, entry); ++ return; ++} diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c new file mode 100644 index 0000000..2131422 @@ -57578,10 +57611,27 @@ index 49a83ca..df96b54 100644 #undef __HANDLE_ITEM }; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h -index fd88a39..f4d0bad 100644 +index fd88a39..8a801b4 100644 --- a/include/linux/binfmts.h 
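Review bot: The comment `/* don't change the role if we're not a privileged process */` and the condition below it disagree: the early `return` fires when `gr_acl_is_capable(CAP_SETUID)` (or CAP_SETGID) is true, i.e. when the task does hold the capability, so — assuming gr_acl_is_capable() returns nonzero when the capability is granted, as its name and `extern int` declaration suggest — it is the privileged caller that keeps its old role and the unprivileged one that switches. The intent the comment describes would be `((role->roletype & GR_ROLE_USER) && !gr_acl_is_capable(CAP_SETUID))` and likewise `!gr_acl_is_capable(CAP_SETGID)`. Whichever direction is intended, the comment and the condition need to agree, since this decides whether a uid/gid transition picks up a new RBAC role. gr_set_role_label begins in the first hunk but its body continues outside the hunks shown.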
+++ b/include/linux/binfmts.h -@@ -88,6 +88,7 @@ struct linux_binfmt { +@@ -18,7 +18,7 @@ struct pt_regs; + #define BINPRM_BUF_SIZE 128 + + #ifdef __KERNEL__ +-#include <linux/list.h> ++#include <linux/sched.h> + + #define CORENAME_MAX_SIZE 128 + +@@ -58,6 +58,7 @@ struct linux_binprm { + unsigned interp_flags; + unsigned interp_data; + unsigned long loader, exec; ++ char tcomm[TASK_COMM_LEN]; + }; + + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0 +@@ -88,6 +89,7 @@ struct linux_binfmt { int (*load_binary)(struct linux_binprm *, struct pt_regs * regs); int (*load_shlib)(struct file *); int (*core_dump)(struct coredump_params *cprm); @@ -58906,10 +58956,10 @@ index 0000000..da390f1 +#endif diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h new file mode 100644 -index 0000000..7f62b30 +index 0000000..8b9ed56 --- /dev/null +++ b/include/linux/grmsg.h -@@ -0,0 +1,109 @@ +@@ -0,0 +1,110 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -59019,12 +59069,13 @@ index 0000000..7f62b30 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by " +#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by " +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by " ++#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..cb9f1c1 +index 0000000..10c8ced --- /dev/null 
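Review bot: The hunk replaces `#include <linux/list.h>` with `#include <linux/sched.h>` instead of adding the latter, so the list_head members elsewhere in this header now depend on sched.h pulling list.h in transitively; keeping `#include <linux/list.h>` next to the new include costs nothing and removes that dependency. Pulling all of sched.h into binfmts.h for a single TASK_COMM_LEN is also heavy for a header included this widely, and is the kind of change that produces include cycles later. The new `char tcomm[TASK_COMM_LEN];` member has no comment on who fills it and when; its writer is not in this hunk.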
+++ b/include/linux/grsecurity.h -@@ -0,0 +1,227 @@ +@@ -0,0 +1,229 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -59241,6 +59292,8 @@ index 0000000..cb9f1c1 +void gr_handle_vm86(void); +void gr_handle_mem_readwrite(u64 from, u64 to); + ++void gr_log_badprocpid(const char *entry); ++ +extern int grsec_enable_dmesg; +extern int grsec_disable_privio; +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK @@ -60321,7 +60374,7 @@ index 2148b12..519b820 100644 static inline void anon_vma_merge(struct vm_area_struct *vma, diff --git a/include/linux/sched.h b/include/linux/sched.h -index 1c4f3e9..f29cbeb 100644 +index 1c4f3e9..dafcd27 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -101,6 +101,7 @@ struct bio_list; @@ -60430,13 +60483,16 @@ index 1c4f3e9..f29cbeb 100644 #ifdef CONFIG_DEBUG_MUTEXES /* mutex deadlock detection */ struct mutex_waiter *blocked_on; -@@ -1540,6 +1566,24 @@ struct task_struct { +@@ -1540,6 +1566,27 @@ struct task_struct { unsigned long default_timer_slack_ns; struct list_head *scm_work_list; + +#ifdef CONFIG_GRKERNSEC + /* grsecurity */ ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ long long exec_id; ++#endif +#ifdef CONFIG_GRKERNSEC_SETXID + const struct cred *delayed_cred; +#endif @@ -60455,7 +60511,7 @@ index 1c4f3e9..f29cbeb 100644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack */ int curr_ret_stack; -@@ -1574,6 +1618,51 @@ struct task_struct { +@@ -1574,6 +1621,51 @@ struct task_struct { #endif }; @@ -60507,7 +60563,7 @@ index 1c4f3e9..f29cbeb 100644 /* Future-safe accessor for struct task_struct's cpus_allowed. */ #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed) -@@ -2081,7 +2170,9 @@ void yield(void); +@@ -2081,7 +2173,9 @@ void yield(void); extern struct exec_domain default_exec_domain; union thread_union { 
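Review bot: `long long exec_id;` is added to task_struct with no comment, and neither this hunk nor the seq_file one says what assigns it on exec or why it is a plain `long long` rather than an explicit 64-bit type (seq_file.h declares the mirror field the same way, so at least they agree). A comment such as `/* id of the exec() image this task runs; copied to seq_file at open and compared on /proc/<pid> reads (CONFIG_GRKERNSEC_PROC_MEMMAP) */` would tie the three pieces together. The assignment on exec is not in this diff, so whether the id is unique across tasks — which the fs/proc checks depend on — cannot be confirmed from here.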
@@ -60517,7 +60573,7 @@ index 1c4f3e9..f29cbeb 100644 unsigned long stack[THREAD_SIZE/sizeof(long)]; }; -@@ -2114,6 +2205,7 @@ extern struct pid_namespace init_pid_ns; +@@ -2114,6 +2208,7 @@ extern struct pid_namespace init_pid_ns; */ extern struct task_struct *find_task_by_vpid(pid_t nr); @@ -60525,7 +60581,7 @@ index 1c4f3e9..f29cbeb 100644 extern struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns); -@@ -2235,6 +2327,12 @@ static inline void mmdrop(struct mm_struct * mm) +@@ -2235,6 +2330,12 @@ static inline void mmdrop(struct mm_struct * mm) extern void mmput(struct mm_struct *); /* Grab a reference to a task's mm, if it is not already going away */ extern struct mm_struct *get_task_mm(struct task_struct *task); @@ -60538,7 +60594,7 @@ index 1c4f3e9..f29cbeb 100644 /* Remove the current tasks stale references to the old mm_struct */ extern void mm_release(struct task_struct *, struct mm_struct *); /* Allocate a new mm structure and copy contents from tsk->mm */ -@@ -2251,7 +2349,7 @@ extern void __cleanup_sighand(struct sighand_struct *); +@@ -2251,7 +2352,7 @@ extern void __cleanup_sighand(struct sighand_struct *); extern void exit_itimers(struct signal_struct *); extern void flush_itimer_signals(void); @@ -60547,7 +60603,7 @@ index 1c4f3e9..f29cbeb 100644 extern void daemonize(const char *, ...); extern int allow_signal(int); -@@ -2416,13 +2514,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p) +@@ -2416,13 +2517,17 @@ static inline unsigned long *end_of_stack(struct task_struct *p) #endif @@ -60594,10 +60650,20 @@ index e8c619d..e0cbd1c 100644 /* Maximum number of letters for an LSM name string */ diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h -index 0b69a46..e9e5538 100644 +index 0b69a46..4796016 100644 --- a/include/linux/seq_file.h 
+++ b/include/linux/seq_file.h -@@ -33,6 +33,7 @@ struct seq_operations { +@@ -24,6 +24,9 @@ struct seq_file { + struct mutex lock; + const struct seq_operations *op; + int poll_event; ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ long long exec_id; ++#endif + void *private; + }; + +@@ -33,6 +36,7 @@ struct seq_operations { void * (*next) (struct seq_file *m, void *v, loff_t *pos); int (*show) (struct seq_file *m, void *v); }; @@ -63256,7 +63322,7 @@ index e6e01b9..619f837 100644 if (group_dead) diff --git a/kernel/fork.c b/kernel/fork.c -index da4a6a1..0973380 100644 +index da4a6a1..0483b61 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -280,7 +280,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig) @@ -63526,16 +63592,20 @@ index da4a6a1..0973380 100644 if (atomic_read(&p->real_cred->user->processes) >= task_rlimit(p, RLIMIT_NPROC)) { if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && -@@ -1256,6 +1317,8 @@ static struct task_struct *copy_process(unsigned long clone_flags, +@@ -1256,6 +1317,12 @@ static struct task_struct *copy_process(unsigned long clone_flags, if (clone_flags & CLONE_THREAD) p->tgid = current->tgid; + gr_copy_label(p); + ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP ++ p->exec_id = current->exec_id; ++#endif ++ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; /* * Clear TID on mm_release()? -@@ -1418,6 +1481,8 @@ bad_fork_cleanup_count: +@@ -1418,6 +1485,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -63544,7 +63614,7 @@ index da4a6a1..0973380 100644 return ERR_PTR(retval); } -@@ -1518,6 +1583,8 @@ long do_fork(unsigned long clone_flags, +@@ -1518,6 +1587,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); 
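Review bot: `p->exec_id = current->exec_id;` in copy_process carries no comment explaining that inheriting the parent's id is deliberate: a forked child runs the same image as its parent, so descriptors the parent opened stay readable in the child until it execs. Something like `/* child runs the same image as its parent; only exec() assigns a new id */` would stop a later reader from "fixing" it into a fresh id. copy_process continues outside the hunk.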
@@ -63553,7 +63623,7 @@ index da4a6a1..0973380 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1627,7 +1694,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1627,7 +1698,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -63562,7 +63632,7 @@ index da4a6a1..0973380 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1716,7 +1783,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1716,7 +1787,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -63955,7 +64025,7 @@ index a4bea97..7a1ae9a 100644 /* * If ret is 0, either ____call_usermodehelper failed and the diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index 52fd049..3def6a8 100644 +index faa39d1..d7ad37e 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c) @@ -63976,7 +64046,7 @@ index 52fd049..3def6a8 100644 kfree(kip); } return 1; -@@ -1949,7 +1949,7 @@ static int __init init_kprobes(void) +@@ -1953,7 +1953,7 @@ static int __init init_kprobes(void) { int i, err = 0; unsigned long offset = 0, size = 0; @@ -63985,7 +64055,7 @@ index 52fd049..3def6a8 100644 const char *symbol_name; void *addr; struct kprobe_blackpoint *kb; -@@ -2075,7 +2075,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v) +@@ -2079,7 +2079,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v) const char *sym = NULL; unsigned int i = *(loff_t *) v; unsigned long offset = 0; @@ -64903,7 +64973,7 @@ index b452599..5d68f4e 100644 atomic_set(&pd->refcnt, 0); pd->pinst = pinst; diff --git a/kernel/panic.c b/kernel/panic.c -index b2659360..5972a0f 100644 +index 3458469..342c500 100644 --- a/kernel/panic.c +++ b/kernel/panic.c 
@@ -78,7 +78,11 @@ NORET_TYPE void panic(const char * fmt, ...) @@ -64919,7 +64989,7 @@ index b2659360..5972a0f 100644 #endif /* -@@ -373,7 +377,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, +@@ -382,7 +386,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller, const char *board; printk(KERN_WARNING "------------[ cut here ]------------\n"); @@ -64928,7 +64998,7 @@ index b2659360..5972a0f 100644 board = dmi_get_system_info(DMI_PRODUCT_NAME); if (board) printk(KERN_WARNING "Hardware name: %s\n", board); -@@ -428,7 +432,8 @@ EXPORT_SYMBOL(warn_slowpath_null); +@@ -437,7 +441,8 @@ EXPORT_SYMBOL(warn_slowpath_null); */ void __stack_chk_fail(void) { @@ -65135,7 +65205,7 @@ index d523593..68197a4 100644 register_sysrq_key('o', &sysrq_poweroff_op); return 0; diff --git a/kernel/power/process.c b/kernel/power/process.c -index addbbe5..f9e32e0 100644 +index 3d4b954..11af930 100644 --- a/kernel/power/process.c +++ b/kernel/power/process.c @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_only) 
@@ -65766,6 +65836,36 @@ index 9feffa4..54058df 100644 rdp->dynticks->dynticks_nesting, rdp->dynticks->dynticks_nmi_nesting, rdp->dynticks_fqs); +diff --git a/kernel/relay.c b/kernel/relay.c +index 226fade..b6f803a 100644 +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -164,10 +164,14 @@ depopulate: + */ + static struct rchan_buf *relay_create_buf(struct rchan *chan) + { +- struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); ++ struct rchan_buf *buf; ++ ++ if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) ++ return NULL; ++ ++ buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); + if (!buf) + return NULL; +- + buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL); + if (!buf->padding) + goto free_buf; +@@ -574,6 +578,8 @@ struct rchan *relay_open(const char *base_filename, + + if (!(subbuf_size && n_subbufs)) + return NULL; ++ if (subbuf_size > UINT_MAX / n_subbufs) ++ return NULL; + + chan = kzalloc(sizeof(struct rchan), GFP_KERNEL); + if (!chan) diff --git a/kernel/resource.c b/kernel/resource.c index 7640b3a..5879283 100644 --- a/kernel/resource.c @@ -66191,7 +66291,7 @@ index 2c71d91..1021f81 100644 struct tasklet_struct *list; diff --git a/kernel/sys.c b/kernel/sys.c -index 481611f..4665125 100644 +index 481611f..0754d86 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error) 
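Review bot: The new guard in relay_create_buf, `if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))`, bounds a product that the kmalloc line below it computes in size_t arithmetic (assuming n_subbufs is declared size_t, which is not visible in this hunk), so on 64-bit it is deliberately stricter than overflow avoidance alone requires and deserves a comment, e.g. `/* cap at UINT_MAX rather than SIZE_MAX: a sanity limit on the padding table size, not only an overflow guard */`, so a later maintainer does not loosen it. The companion check in relay_open, `if (subbuf_size > UINT_MAX / n_subbufs)`, is correctly placed after the existing `if (!(subbuf_size && n_subbufs))` test, which is what keeps the division from being by zero; a one-line comment tying the two together would keep that ordering from being disturbed. Both relay_create_buf and relay_open continue outside the hunk.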
@@ -66260,29 +66360,7 @@ index 481611f..4665125 100644 if (nsown_capable(CAP_SETUID)) { new->suid = new->uid = uid; if (uid != old->uid) { -@@ -775,9 +797,18 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) - - retval = -EPERM; - if (!nsown_capable(CAP_SETUID)) { -- if (ruid != (uid_t) -1 && ruid != old->uid && -- ruid != old->euid && ruid != old->suid) -- goto error; -+ // if RBAC is enabled, require CAP_SETUID to change -+ // uid to euid (from a suid binary, for instance) -+ // this is a hardening of normal permissions, not -+ // weakening -+ if (gr_acl_is_enabled()) { -+ if (ruid != (uid_t) -1 && ruid != old->uid) -+ goto error; -+ } else { -+ if (ruid != (uid_t) -1 && ruid != old->uid && -+ ruid != old->euid && ruid != old->suid) -+ goto error; -+ } - if (euid != (uid_t) -1 && euid != old->uid && - euid != old->euid && euid != old->suid) - goto error; -@@ -786,6 +817,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) +@@ -786,6 +808,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) goto error; } 
@@ -66292,29 +66370,7 @@ index 481611f..4665125 100644 if (ruid != (uid_t) -1) { new->uid = ruid; if (ruid != old->uid) { -@@ -839,9 +873,18 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) - - retval = -EPERM; - if (!nsown_capable(CAP_SETGID)) { -- if (rgid != (gid_t) -1 && rgid != old->gid && -- rgid != old->egid && rgid != old->sgid) -- goto error; -+ // if RBAC is enabled, require CAP_SETGID to change -+ // gid to egid (from a sgid binary, for instance) -+ // this is a hardening of normal permissions, not -+ // weakening -+ if (gr_acl_is_enabled()) { -+ if (rgid != (gid_t) -1 && rgid != old->gid) -+ goto error; -+ } else { -+ if (rgid != (gid_t) -1 && rgid != old->gid && -+ rgid != old->egid && rgid != old->sgid) -+ goto error; -+ } - if (egid != (gid_t) -1 && egid != old->gid && - egid != old->egid && egid != old->sgid) - goto error; -@@ -850,6 +893,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) +@@ -850,6 +875,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) goto error; } @@ -66324,7 +66380,7 @@ index 481611f..4665125 100644 if (rgid != (gid_t) -1) new->gid = rgid; if (egid != (gid_t) -1) -@@ -896,6 +942,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) +@@ -896,6 +924,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) old = current_cred(); old_fsuid = old->fsuid; @@ -66334,7 +66390,7 @@ index 481611f..4665125 100644 if (uid == old->uid || uid == old->euid || uid == old->suid || uid == old->fsuid || nsown_capable(CAP_SETUID)) { -@@ -906,6 +955,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) +@@ -906,6 +937,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) } } @@ -66342,7 +66398,7 @@ index 481611f..4665125 100644 abort_creds(new); return old_fsuid; -@@ -932,12 +982,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) +@@ -932,12 +964,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) if (gid == old->gid || gid == old->egid || gid == old->sgid || gid == old->fsgid || nsown_capable(CAP_SETGID)) { 
@@ -66359,7 +66415,7 @@ index 481611f..4665125 100644 abort_creds(new); return old_fsgid; -@@ -1189,7 +1243,10 @@ static int override_release(char __user *release, int len) +@@ -1189,7 +1225,10 @@ static int override_release(char __user *release, int len) } v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; snprintf(buf, len, "2.6.%u%s", v, rest); @@ -66371,7 +66427,7 @@ index 481611f..4665125 100644 } return ret; } -@@ -1243,19 +1300,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) +@@ -1243,19 +1282,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) return -EFAULT; down_read(&uts_sem); @@ -66396,7 +66452,7 @@ index 481611f..4665125 100644 __OLD_UTS_LEN); error |= __put_user(0, name->machine + __OLD_UTS_LEN); up_read(&uts_sem); -@@ -1720,7 +1777,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, +@@ -1720,7 +1759,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = get_dumpable(me->mm); break; case PR_SET_DUMPABLE: @@ -67488,7 +67544,7 @@ index 011b110..b492af2 100644 from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs. diff --git a/mm/filemap.c b/mm/filemap.c -index 90286a4..f441caa 100644 +index 03c5b0e..a01e793 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -1770,7 +1770,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma) @@ -67554,7 +67610,7 @@ index 57d82c6..e9e0552 100644 set_page_address(page, (void *)vaddr); diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 36b3d98..584cb54 100644 +index 33141f5..e56bef9 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -703,7 +703,7 @@ out: @@ -71324,7 +71380,7 @@ index 1a919f0..1739c9b 100644 static int __init slab_sysfs_init(void) { diff --git a/mm/swap.c b/mm/swap.c -index a91caf7..b887e735 100644 +index 55b266d..a532537 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -31,6 +31,7 @@ 
diff --git a/3.2.5/4425_grsec_enable_xtpax.patch b/3.2.6/4425_grsec_enable_xtpax.patch
index 9735ecf..9735ecf 100644
--- a/3.2.5/4425_grsec_enable_xtpax.patch
+++ b/3.2.6/4425_grsec_enable_xtpax.patch
diff --git a/3.2.5/4430_grsec-remove-localversion-grsec.patch b/3.2.6/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.5/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.6/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.5/4435_grsec-mute-warnings.patch b/3.2.6/4435_grsec-mute-warnings.patch
index e85abd6..e85abd6 100644
--- a/3.2.5/4435_grsec-mute-warnings.patch
+++ b/3.2.6/4435_grsec-mute-warnings.patch
diff --git a/3.2.5/4440_grsec-remove-protected-paths.patch b/3.2.6/4440_grsec-remove-protected-paths.patch
index 4afb3e2..4afb3e2 100644
--- a/3.2.5/4440_grsec-remove-protected-paths.patch
+++ b/3.2.6/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.5/4445_grsec-pax-without-grsec.patch b/3.2.6/4445_grsec-pax-without-grsec.patch
index 9992f51..9992f51 100644
--- a/3.2.5/4445_grsec-pax-without-grsec.patch
+++ b/3.2.6/4445_grsec-pax-without-grsec.patch
diff --git a/3.2.5/4450_grsec-kconfig-default-gids.patch b/3.2.6/4450_grsec-kconfig-default-gids.patch
index 0807a4e..0807a4e 100644
--- a/3.2.5/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.6/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.5/4455_grsec-kconfig-gentoo.patch b/3.2.6/4455_grsec-kconfig-gentoo.patch
index 587b7d9..587b7d9 100644
--- a/3.2.5/4455_grsec-kconfig-gentoo.patch
+++ b/3.2.6/4455_grsec-kconfig-gentoo.patch
diff --git a/3.2.5/4460-grsec-kconfig-proc-user.patch b/3.2.6/4460-grsec-kconfig-proc-user.patch
index 72b894a..72b894a 100644
--- a/3.2.5/4460-grsec-kconfig-proc-user.patch
+++ b/3.2.6/4460-grsec-kconfig-proc-user.patch
diff --git a/3.2.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.6/4465_selinux-avc_audit-log-curr_ip.patch
index 7c9894c..7c9894c 100644
--- a/3.2.5/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.6/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.5/4470_disable-compat_vdso.patch b/3.2.6/4470_disable-compat_vdso.patch
index 4742d01..4742d01 100644
--- a/3.2.5/4470_disable-compat_vdso.patch
+++ b/3.2.6/4470_disable-compat_vdso.patch |