author | Anthony G. Basile <blueness@gentoo.org> | 2014-03-20 09:47:33 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-03-20 09:47:33 -0400 |
commit | f272a817905cb0b69974160972aef87eaabb197e (patch) | |
tree | 263a224189e224fc88ddcb37f0de78e24317ca10 | |
parent | Grsec/PaX: 3.0-{3.2.55,3.13.6}-201403172032 (diff) | |
Grsec/PaX: 3.0-{3.2.55,3.13.6}-20140319222820140319
-rw-r--r-- | 3.13.6/0000_README | 2 | ||||
-rw-r--r-- | 3.13.6/4420_grsecurity-3.0-3.13.6-201403192228.patch (renamed from 3.13.6/4420_grsecurity-3.0-3.13.6-201403172032.patch) | 162 | ||||
-rw-r--r-- | 3.13.6/4450_grsec-kconfig-default-gids.patch | 12 | ||||
-rw-r--r-- | 3.13.6/4465_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 3.2.55/0000_README | 2 | ||||
-rw-r--r-- | 3.2.55/4420_grsecurity-3.0-3.2.55-201403192223.patch (renamed from 3.2.55/4420_grsecurity-3.0-3.2.55-201403172027.patch) | 100 | ||||
-rw-r--r-- | 3.2.55/4450_grsec-kconfig-default-gids.patch | 12 | ||||
-rw-r--r-- | 3.2.55/4465_selinux-avc_audit-log-curr_ip.patch | 2 |
8 files changed, 258 insertions, 36 deletions
diff --git a/3.13.6/0000_README b/3.13.6/0000_README index 4b2085f..e099035 100644 --- a/3.13.6/0000_README +++ b/3.13.6/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.13.6-201403172032.patch +Patch: 4420_grsecurity-3.0-3.13.6-201403192228.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.13.6/4420_grsecurity-3.0-3.13.6-201403172032.patch b/3.13.6/4420_grsecurity-3.0-3.13.6-201403192228.patch index 6142d59..fb3fba9 100644 --- a/3.13.6/4420_grsecurity-3.0-3.13.6-201403172032.patch +++ b/3.13.6/4420_grsecurity-3.0-3.13.6-201403192228.patch 
@@ -6416,6 +6416,64 @@ index c1f6afa..38cc6e9 100644 +#define arch_align_stack(x) ((x) & ~0xfUL) #endif /* _ASM_EXEC_H */ +diff --git a/arch/mips/include/asm/ftrace.h b/arch/mips/include/asm/ftrace.h +index ce35c9a..434321c 100644 +--- a/arch/mips/include/asm/ftrace.h ++++ b/arch/mips/include/asm/ftrace.h +@@ -22,12 +22,12 @@ extern void _mcount(void); + #define safe_load(load, src, dst, error) \ + do { \ + asm volatile ( \ +- "1: " load " %[" STR(dst) "], 0(%[" STR(src) "])\n"\ +- " li %[" STR(error) "], 0\n" \ ++ "1: " load " %[dest], 0(%[source])\n" \ ++ " li %[err], 0\n" \ + "2:\n" \ + \ + ".section .fixup, \"ax\"\n" \ +- "3: li %[" STR(error) "], 1\n" \ ++ "3: li %[err], 1\n" \ + " j 2b\n" \ + ".previous\n" \ + \ +@@ -35,8 +35,8 @@ do { \ + STR(PTR) "\t1b, 3b\n\t" \ + ".previous\n" \ + \ +- : [dst] "=&r" (dst), [error] "=r" (error)\ +- : [src] "r" (src) \ ++ : [dest] "=&r" (dst), [err] "=r" (error)\ ++ : [source] "r" (src) \ + : "memory" \ + ); \ + } while (0) +@@ -44,12 +44,12 @@ do { \ + #define safe_store(store, src, dst, error) \ + do { \ + asm volatile ( \ +- "1: " store " %[" STR(src) "], 0(%[" STR(dst) "])\n"\ +- " li %[" STR(error) "], 0\n" \ ++ "1: " store " %[source], 0(%[dest])\n"\ ++ " li %[err], 0\n" \ + "2:\n" \ + \ + ".section .fixup, \"ax\"\n" \ +- "3: li %[" STR(error) "], 1\n" \ ++ "3: li %[err], 1\n" \ + " j 2b\n" \ + ".previous\n" \ + \ +@@ -57,8 +57,8 @@ do { \ + STR(PTR) "\t1b, 3b\n\t" \ + ".previous\n" \ + \ +- : [error] "=r" (error) \ +- : [dst] "r" (dst), [src] "r" (src)\ ++ : [err] "=r" (error) \ ++ : [dest] "r" (dst), [source] "r" (src)\ + : "memory" \ + ); \ + } while (0) diff --git a/arch/mips/include/asm/hw_irq.h b/arch/mips/include/asm/hw_irq.h index 9e8ef59..1139d6b 100644 --- a/arch/mips/include/asm/hw_irq.h 
@@ -6549,6 +6607,20 @@ index b336037..5b874cc 100644 #endif /* +diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h +index 008324d..f67c239 100644 +--- a/arch/mips/include/asm/pgtable.h ++++ b/arch/mips/include/asm/pgtable.h +@@ -20,6 +20,9 @@ + #include <asm/io.h> + #include <asm/pgtable-bits.h> + ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + struct mm_struct; + struct vm_area_struct; + diff --git a/arch/mips/include/asm/smtc_proc.h b/arch/mips/include/asm/smtc_proc.h index 25da651..ae2a259 100644 --- a/arch/mips/include/asm/smtc_proc.h 
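Review bot: The two macros added to arch/mips/include/asm/pgtable.h, `ktla_ktva(addr)` and `ktva_ktla(addr)`, are bare identity definitions with nothing to say why they exist or that the identity is deliberate. A reader who meets them at a call site cannot tell from this header whether an address translation was forgotten or is not needed on this architecture. A one-line comment above them would settle it, for example `/* kernel text is not remapped here: both conversions are the identity */`, with the wording to be confirmed against the architectures that define a real translation, which this hunk does not show. The same undocumented pair is added to arch/sparc/include/asm/pgtable.h and to both headers again in the 3.2.55 patch.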
@@ -6561,6 +6633,49 @@ index 25da651..ae2a259 100644 +extern atomic_unchecked_t smtc_fpu_recoveries; #endif /* __ASM_SMTC_PROC_H */ +diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h +index 81c8913..81d8432 100644 +--- a/arch/mips/include/asm/syscall.h ++++ b/arch/mips/include/asm/syscall.h +@@ -29,7 +29,7 @@ static inline long syscall_get_nr(struct task_struct *task, + static inline unsigned long mips_get_syscall_arg(unsigned long *arg, + struct task_struct *task, struct pt_regs *regs, unsigned int n) + { +- unsigned long usp = regs->regs[29]; ++ unsigned long usp __maybe_unused = regs->regs[29]; + + switch (n) { + case 0: case 1: case 2: case 3: +@@ -39,14 +39,14 @@ static inline unsigned long mips_get_syscall_arg(unsigned long *arg, + + #ifdef CONFIG_32BIT + case 4: case 5: case 6: case 7: +- return get_user(*arg, (int *)usp + 4 * n); ++ return get_user(*arg, (int *)usp + n); + #endif + + #ifdef CONFIG_64BIT + case 4: case 5: case 6: case 7: + #ifdef CONFIG_MIPS32_O32 + if (test_thread_flag(TIF_32BIT_REGS)) +- return get_user(*arg, (int *)usp + 4 * n); ++ return get_user(*arg, (int *)usp + n); + else + #endif + *arg = regs->regs[4 + n]; +@@ -83,11 +83,10 @@ static inline void syscall_get_arguments(struct task_struct *task, + unsigned int i, unsigned int n, + unsigned long *args) + { +- unsigned long arg; + int ret; + + while (n--) +- ret |= mips_get_syscall_arg(&arg, task, regs, i++); ++ ret |= mips_get_syscall_arg(args++, task, regs, i++); + + /* + * No way to communicate an error because this is a void function. diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h index 4f58ef6..5e7081b 100644 --- a/arch/mips/include/asm/thread_info.h 
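Review bot: In `syscall_get_arguments()` in arch/mips/include/asm/syscall.h, `ret` is still declared as `int ret;` and is only ever updated with `ret |= mips_get_syscall_arg(...)`, so the first loop iteration reads an indeterminate value; it should be `int ret = 0;`. Passing `args++` means the fetched values now reach the caller's array, but a failed `get_user()` for arguments 4 to 7 is still dropped, as the trailing comment admits. Consumers of `args[]` (presumably tracing or audit paths, not visible here) therefore cannot distinguish a slot that faulted from one that was read. The rest of the function body lies outside the hunk, so whether `ret` is used afterwards cannot be confirmed from here.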
@@ -6636,6 +6751,24 @@ index 202e581..689ca79 100644 #include <asm/processor.h> /* +diff --git a/arch/mips/kernel/ftrace.c b/arch/mips/kernel/ftrace.c +index 185ba25..374ed74 100644 +--- a/arch/mips/kernel/ftrace.c ++++ b/arch/mips/kernel/ftrace.c +@@ -111,11 +111,10 @@ static int ftrace_modify_code_2(unsigned long ip, unsigned int new_code1, + safe_store_code(new_code1, ip, faulted); + if (unlikely(faulted)) + return -EFAULT; +- ip += 4; +- safe_store_code(new_code2, ip, faulted); ++ safe_store_code(new_code2, ip + 4, faulted); + if (unlikely(faulted)) + return -EFAULT; +- flush_icache_range(ip, ip + 8); /* original ip + 12 */ ++ flush_icache_range(ip, ip + 8); + return 0; + } + #endif diff --git a/arch/mips/kernel/i8259.c b/arch/mips/kernel/i8259.c index 2b91fe8..fe4f6b4 100644 --- a/arch/mips/kernel/i8259.c @@ -9409,6 +9542,19 @@ index bcfe063..b333142 100644 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr) { +diff --git a/arch/sparc/include/asm/pgtable.h b/arch/sparc/include/asm/pgtable.h +index 59ba6f6..4518128 100644 +--- a/arch/sparc/include/asm/pgtable.h ++++ b/arch/sparc/include/asm/pgtable.h +@@ -5,4 +5,8 @@ + #else + #include <asm/pgtable_32.h> + #endif ++ ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + #endif diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h index 502f632..da1917f 100644 --- a/arch/sparc/include/asm/pgtable_32.h @@ -65824,10 +65970,10 @@ index 0000000..5307c8a +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..364a9d7 +index 0000000..e56396f --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,2678 @@ +@@ -0,0 +1,2679 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
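Review bot: In `ftrace_modify_code_2()` in arch/mips/kernel/ftrace.c, the `return -EFAULT` after the second `safe_store_code()` exits before `flush_icache_range()`, even though the word at `ip` has already been rewritten by the first store. On that path the call site is left half-patched and the instruction cache may still hold the old first word, so what executes there depends on cache state. If this is not intentional, flush what was written before bailing out, `if (unlikely(faulted)) { flush_icache_range(ip, ip + 4); return -EFAULT; }`, or add a comment stating that the caller treats `-EFAULT` as fatal for this site. The function starts above the hunk, so how the caller reacts to the error is not visible here.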
@@ -65856,6 +66002,7 @@ index 0000000..364a9d7 +#include <linux/lglock.h> +#include <linux/hugetlb.h> +#include <linux/posix-timers.h> ++#include <linux/prefetch.h> +#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) +#include <linux/magic.h> +#include <linux/pagemap.h> @@ -99433,7 +99580,7 @@ index 4f26ee4..6a9d7c3 100644 if (ipvs->sync_state & IP_VS_STATE_MASTER) ip_vs_sync_conn(net, cp, pkts); diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c -index 35be035..dad174b 100644 +index 35be035..50f8834 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -794,7 +794,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, @@ -99490,6 +99637,15 @@ index 35be035..dad174b 100644 IP_VS_CONN_F_FWD_MASK)) || nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight)) || +@@ -3580,7 +3580,7 @@ out: + } + + +-static const struct genl_ops ip_vs_genl_ops[] __read_mostly = { ++static const struct genl_ops ip_vs_genl_ops[] = { + { + .cmd = IPVS_CMD_NEW_SERVICE, + .flags = GENL_ADMIN_PERM, @@ -3697,7 +3697,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { int idx; diff --git a/3.13.6/4450_grsec-kconfig-default-gids.patch b/3.13.6/4450_grsec-kconfig-default-gids.patch index 88f1f9b..abff221 100644 --- a/3.13.6/4450_grsec-kconfig-default-gids.patch +++ b/3.13.6/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -657,7 +657,7 @@ +@@ -661,7 +661,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP 
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -888,7 +888,7 @@ +@@ -892,7 +892,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -897,7 +897,7 @@ +@@ -901,7 +901,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -990,7 +990,7 @@ +@@ -994,7 +994,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1011,7 +1011,7 @@ +@@ -1015,7 +1015,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1029,7 +1029,7 @@ +@@ -1033,7 +1033,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch b/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch index 0648169..6caf9de 100644 --- a/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ 
Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1124,6 +1124,27 @@ +@@ -1128,6 +1128,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.2.55/0000_README b/3.2.55/0000_README index f880076..3b0b54e 100644 --- a/3.2.55/0000_README +++ b/3.2.55/0000_README @@ -138,7 +138,7 @@ Patch: 1054_linux-3.2.55.patch From: http://www.kernel.org Desc: Linux 3.2.55 -Patch: 4420_grsecurity-3.0-3.2.55-201403172027.patch +Patch: 4420_grsecurity-3.0-3.2.55-201403192223.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.55/4420_grsecurity-3.0-3.2.55-201403172027.patch b/3.2.55/4420_grsecurity-3.0-3.2.55-201403192223.patch index 5cd450a..1ab434c 100644 --- a/3.2.55/4420_grsecurity-3.0-3.2.55-201403172027.patch +++ b/3.2.55/4420_grsecurity-3.0-3.2.55-201403192223.patch @@ -3742,19 +3742,6 @@ index d46f1da..d72dc10 100644 help kexec is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot -diff --git a/arch/mips/cavium-octeon/dma-octeon.c b/arch/mips/cavium-octeon/dma-octeon.c -index ea4feba..1960ddd 100644 ---- a/arch/mips/cavium-octeon/dma-octeon.c -+++ b/arch/mips/cavium-octeon/dma-octeon.c -@@ -189,7 +189,7 @@ static void octeon_dma_free_coherent(struct device *dev, size_t size, - if (dma_release_from_coherent(dev, order, vaddr)) - return; - -- swiotlb_free_coherent(dev, size, vaddr, dma_handle); -+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs); - } - - static dma_addr_t octeon_unity_phys_to_dma(struct device *dev, phys_addr_t paddr) diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h index 1d93f81..67794d0 100644 --- a/arch/mips/include/asm/atomic.h 
@@ -3842,6 +3829,57 @@ index 9e8ef59..1139d6b 100644 /* * interrupt-retrigger: NOP for now. This may not be appropriate for all +diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h +index 94fde8d..d5825cf 100644 +--- a/arch/mips/include/asm/local.h ++++ b/arch/mips/include/asm/local.h +@@ -12,15 +12,25 @@ typedef struct + atomic_long_t a; + } local_t; + ++typedef struct { ++ atomic_long_unchecked_t a; ++} local_unchecked_t; ++ + #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) } + + #define local_read(l) atomic_long_read(&(l)->a) ++#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a) + #define local_set(l, i) atomic_long_set(&(l)->a, (i)) ++#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i)) + + #define local_add(i, l) atomic_long_add((i), (&(l)->a)) ++#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a)) + #define local_sub(i, l) atomic_long_sub((i), (&(l)->a)) ++#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a)) + #define local_inc(l) atomic_long_inc(&(l)->a) ++#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a) + #define local_dec(l) atomic_long_dec(&(l)->a) ++#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a) + + /* + * Same as above, but return the result value +@@ -69,6 +79,7 @@ static __inline__ long local_add_return(long i, local_t * l) + + return result; + } ++#define local_add_return_unchecked(i, l) atomic_long_add_return_unchecked((i), (&(l)->a)) + + static __inline__ long local_sub_return(long i, local_t * l) + { +@@ -114,9 +125,12 @@ static __inline__ long local_sub_return(long i, local_t * l) + + return result; + } ++#define local_sub_return_unchecked(i, l) atomic_long_sub_return_unchecked((i), (&(l)->a)) + + #define local_cmpxchg(l, o, n) \ + ((long)cmpxchg_local(&((l)->a.counter), (o), (n))) ++#define local_cmpxchg_unchecked(l, o, n) \ ++ ((long)cmpxchg_local(&((l)->a.counter), (o), (n))) + #define local_xchg(l, n) 
(atomic_long_xchg((&(l)->a), (n))) + + /** diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h index e59cd1a..8e329d6 100644 --- a/arch/mips/include/asm/page.h @@ -3871,6 +3909,20 @@ index 881d18b..cea38bc 100644 #endif /* +diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h +index b2202a6..6780030 100644 +--- a/arch/mips/include/asm/pgtable.h ++++ b/arch/mips/include/asm/pgtable.h +@@ -18,6 +18,9 @@ + #include <asm/io.h> + #include <asm/pgtable-bits.h> + ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + struct mm_struct; + struct vm_area_struct; + diff --git a/arch/mips/include/asm/system.h b/arch/mips/include/asm/system.h index 6018c80..7c37203 100644 --- a/arch/mips/include/asm/system.h @@ -7022,6 +7074,19 @@ index 40b2d7a..22a665b 100644 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr) { +diff --git a/arch/sparc/include/asm/pgtable.h b/arch/sparc/include/asm/pgtable.h +index 59ba6f6..4518128 100644 +--- a/arch/sparc/include/asm/pgtable.h ++++ b/arch/sparc/include/asm/pgtable.h +@@ -5,4 +5,8 @@ + #else + #include <asm/pgtable_32.h> + #endif ++ ++#define ktla_ktva(addr) (addr) ++#define ktva_ktla(addr) (addr) ++ + #endif diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h index a790cc6..091ed94 100644 --- a/arch/sparc/include/asm/pgtable_32.h @@ -58531,7 +58596,7 @@ index f590b11..414cf4b 100644 static int __init init_hppfs(void) { diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c -index 0aa424a..c5563a6 100644 +index 0aa424a..0725236 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -134,6 +134,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr, 
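Review bot: In the arch/mips/include/asm/local.h hunk, `local_cmpxchg_unchecked()` expands to exactly the same `cmpxchg_local(&((l)->a.counter), (o), (n))` as `local_cmpxchg()`, while every other `_unchecked` macro added here forwards to an `atomic_long_*_unchecked` helper. Nothing marks the duplicate as deliberate, so it reads like a copy-paste slip and invites a later "fix". A short comment would prevent that, for example `/* cmpxchg has no checked variant; same expansion for local_unchecked_t */`, assuming that is the reason. The new `local_unchecked_t` typedef would also benefit from one line saying when it may be used instead of `local_t`, since choosing it opts a counter out of whatever checking the plain type receives.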
@@ -58555,7 +58620,7 @@ index 0aa424a..c5563a6 100644 vma = find_vma(mm, addr); - if (TASK_SIZE - len >= addr && - (!vma || addr + len <= vma->vm_start)) -+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset)) ++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, &addr, len, offset)) return addr; } @@ -64336,10 +64401,10 @@ index 0000000..5307c8a +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..8532ed2 +index 0000000..0069a59 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,2826 @@ +@@ -0,0 +1,2827 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -64366,6 +64431,7 @@ index 0000000..8532ed2 +#include <linux/fdtable.h> +#include <linux/percpu.h> +#include <linux/posix-timers.h> ++#include <linux/prefetch.h> +#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) +#include <linux/magic.h> +#include <linux/pagemap.h> diff --git a/3.2.55/4450_grsec-kconfig-default-gids.patch b/3.2.55/4450_grsec-kconfig-default-gids.patch index 4f345d6..2c2c6ec 100644 --- a/3.2.55/4450_grsec-kconfig-default-gids.patch +++ b/3.2.55/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -643,7 +643,7 @@ +@@ -647,7 +647,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -874,7 +874,7 @@ +@@ -878,7 +878,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT 
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -883,7 +883,7 @@ +@@ -887,7 +887,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -976,7 +976,7 @@ +@@ -980,7 +980,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -997,7 +997,7 @@ +@@ -1001,7 +1001,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1015,7 +1015,7 @@ +@@ -1019,7 +1019,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch index 0545d51..610fb07 100644 --- a/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1110,6 +1110,27 @@ +@@ -1114,6 +1114,27 @@ menu "Logging Options" depends on GRKERNSEC |