-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch) | 29 | ||||
-rw-r--r-- | 2.6.32/4437-grsec-kconfig-proc-user.patch | 4 | ||||
-rw-r--r-- | 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch | 2 | ||||
-rw-r--r-- | 3.0.4/0000_README | 2 | ||||
-rw-r--r-- | 3.0.4/4420_grsecurity-2.2.2-3.0.4-201109240842.patch (renamed from 3.0.4/4420_grsecurity-2.2.2-3.0.4-201109190917.patch) | 57 | ||||
-rw-r--r-- | 3.0.4/4425_grsec-pax-without-grsec.patch | 2 | ||||
-rw-r--r-- | 3.0.4/4437-grsec-kconfig-proc-user.patch | 4 | ||||
-rw-r--r-- | 3.0.4/4440_selinux-avc_audit-log-curr_ip.patch | 2 |
9 files changed, 59 insertions, 45 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 8013d69..e3aa423 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch +Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch index bcff015..0d9b6ae 100644 --- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch +++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109240842.patch @@ -55474,8 +55474,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/ +} diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurity/grsec_disabled.c --- linux-2.6.32.46/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-04-17 15:56:46.000000000 -0400 -@@ -0,0 +1,447 @@ ++++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-09-24 08:13:29.000000000 -0400 +@@ -0,0 +1,433 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -55643,18 +55643,6 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurit + return 0; +} + -+int -+gr_is_capable(const int cap) -+{ -+ return 1; -+} -+ -+int -+gr_is_capable_nolog(const int cap) -+{ -+ return 1; -+} -+ +void +gr_handle_alertkill(struct task_struct *task) +{ @@ -55915,8 +55903,6 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurit + return dentry->d_inode->i_sb->s_dev; +} + -+EXPORT_SYMBOL(gr_is_capable); -+EXPORT_SYMBOL(gr_is_capable_nolog); +EXPORT_SYMBOL(gr_learn_resource); +EXPORT_SYMBOL(gr_set_kernel_label); +#ifdef CONFIG_SECURITY 
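Review bot: Nothing in this diff shows where `gr_is_capable()` and `gr_is_capable_nolog()` are defined once their stubs and the `EXPORT_SYMBOL(gr_is_capable);` / `EXPORT_SYMBOL(gr_is_capable_nolog);` lines leave `grsec_disabled.c` (inner hunks at 55643 and 55915; the file shrinks from 447 to 433 lines). Both stubs returned 1, so whatever supplies these symbols on a kernel built without grsecurity has to keep that "allow" result, and has to stay exported if any module references it. Please confirm against the full 201109240842 patch that the functions are now defined unconditionally elsewhere, or that every call site sits behind the grsecurity config option, and build once with grsecurity disabled. The 3.0.4 patch carries the same removal (inner hunks at 50863 and 51123).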
@@ -73067,7 +73053,16 @@ diff -urNp linux-2.6.32.46/mm/slob.c linux-2.6.32.46/mm/slob.c diff -urNp linux-2.6.32.46/mm/slub.c linux-2.6.32.46/mm/slub.c --- linux-2.6.32.46/mm/slub.c 2011-03-27 14:31:47.000000000 -0400 -+++ linux-2.6.32.46/mm/slub.c 2011-04-17 15:56:46.000000000 -0400 ++++ linux-2.6.32.46/mm/slub.c 2011-09-24 08:36:34.000000000 -0400 +@@ -201,7 +201,7 @@ struct track { + + enum track_item { TRACK_ALLOC, TRACK_FREE }; + +-#ifdef CONFIG_SLUB_DEBUG ++#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD) + static int sysfs_slab_add(struct kmem_cache *); + static int sysfs_slab_alias(struct kmem_cache *, const char *); + static void sysfs_slab_remove(struct kmem_cache *); @@ -410,7 +410,7 @@ static void print_track(const char *s, s if (!t->addr) return; diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4437-grsec-kconfig-proc-user.patch index 34d8596..368d10c 100644 --- a/2.6.32/4437-grsec-kconfig-proc-user.patch +++ b/2.6.32/4437-grsec-kconfig-proc-user.patch @@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-hardened-r54/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-06-29 07:46:02.000000000 -0400 +++ b/grsecurity/Kconfig 2011-06-29 07:47:20.000000000 -0400 -@@ -668,7 +668,7 @@ +@@ -665,7 +665,7 @@ config GRKERNSEC_PROC_USER bool "Restrict /proc to user only" @@ -15,7 +15,7 @@ diff -Naur linux-2.6.32-hardened-r54.orig//grsecurity/Kconfig linux-2.6.32-harde help If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, -@@ -676,7 +676,7 @@ +@@ -673,7 +673,7 @@ config GRKERNSEC_PROC_USERGROUP bool "Allow special group" diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch index b582401..003d903 100644 --- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch 
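Review bot: In the 2.6.32 `mm/slub.c` change, only the guard around the forward declarations of `sysfs_slab_add()`, `sysfs_slab_alias()` and `sysfs_slab_remove()` (inner hunk at 201) gains `!defined(CONFIG_GRKERNSEC_PROC_ADD)`. The 3.0.4 patch in the same commit changes four guards (inner hunks at 200, 3545 and twice at 3935). The later definitions and the rest of the slab sysfs code in 2.6.32 need the identical condition, `#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)`, or a build with both options set gets declarations and definitions that disagree. Whether the 2.6.32 patch already carried those guards before this update cannot be seen from here, because the rest of `slub.c` is outside the hunk. A test build with `CONFIG_SLUB_DEBUG=y` and `CONFIG_GRKERNSEC_PROC_ADD=y` would settle it.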
+++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig --- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400 +++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400 -@@ -1267,6 +1267,27 @@ +@@ -1264,6 +1264,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.0.4/0000_README b/3.0.4/0000_README index a44f871..6cdadcb 100644 --- a/3.0.4/0000_README +++ b/3.0.4/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.2-3.0.4-201109190917.patch +Patch: 4420_grsecurity-2.2.2-3.0.4-201109240842.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109190917.patch b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109240842.patch index ec88fda..5e86d2b 100644 --- a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109190917.patch +++ b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109240842.patch @@ -50694,8 +50694,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_ch +} diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_disabled.c --- linux-3.0.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-08-23 21:48:14.000000000 -0400 -@@ -0,0 +1,447 @@ ++++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-09-24 08:13:01.000000000 -0400 +@@ -0,0 +1,433 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
@@ -50863,18 +50863,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_ + return 0; +} + -+int -+gr_is_capable(const int cap) -+{ -+ return 1; -+} -+ -+int -+gr_is_capable_nolog(const int cap) -+{ -+ return 1; -+} -+ +void +gr_handle_alertkill(struct task_struct *task) +{ @@ -51135,8 +51123,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_ + return dentry->d_inode->i_sb->s_dev; +} + -+EXPORT_SYMBOL(gr_is_capable); -+EXPORT_SYMBOL(gr_is_capable_nolog); +EXPORT_SYMBOL(gr_learn_resource); +EXPORT_SYMBOL(gr_set_kernel_label); +#ifdef CONFIG_SECURITY @@ -55798,7 +55784,7 @@ diff -urNp linux-3.0.4/include/linux/grdefs.h linux-3.0.4/include/linux/grdefs.h +#endif diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grinternal.h --- linux-3.0.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-3.0.4/include/linux/grinternal.h 2011-08-23 21:48:14.000000000 -0400 ++++ linux-3.0.4/include/linux/grinternal.h 2011-09-24 08:43:45.000000000 -0400 @@ -0,0 +1,219 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H @@ -55924,7 +55910,7 @@ diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grin + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \ + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \ + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \ -+ CAP_TO_MASK(CAP_IPC_OWNER) , 0 }} ++ CAP_TO_MASK(CAP_IPC_OWNER) , CAP_TO_MASK(CAP_SYSLOG) }} + +#define security_learn(normal_msg,args...) \ +({ \ 
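Review bot: The change in `grinternal.h` from `CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}` to `CAP_TO_MASK(CAP_IPC_OWNER) , CAP_TO_MASK(CAP_SYSLOG) }}` (inner hunk at 55924) would be easier to audit with a comment above the macro saying that the second initializer is the upper capability word. `CAP_TO_MASK()` keeps only the bit position within a word, so a later edit that moves `CAP_SYSLOG` into the first list, or adds a low-numbered capability to the second, would silently set the wrong bit. Something like `/* second word: capabilities numbered 32 and above (CAP_SYSLOG) */` is enough. The macro's name and opening lines are outside the hunk, so this is based on the visible tail only. The 2.6.32 patch gets no matching change, presumably because that kernel has no `CAP_SYSLOG`; worth confirming.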
@@ -67520,7 +67506,16 @@ diff -urNp linux-3.0.4/mm/slob.c linux-3.0.4/mm/slob.c diff -urNp linux-3.0.4/mm/slub.c linux-3.0.4/mm/slub.c --- linux-3.0.4/mm/slub.c 2011-07-21 22:17:23.000000000 -0400 -+++ linux-3.0.4/mm/slub.c 2011-08-23 21:48:14.000000000 -0400 ++++ linux-3.0.4/mm/slub.c 2011-09-24 08:37:26.000000000 -0400 +@@ -200,7 +200,7 @@ struct track { + + enum track_item { TRACK_ALLOC, TRACK_FREE }; + +-#ifdef CONFIG_SYSFS ++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD) + static int sysfs_slab_add(struct kmem_cache *); + static int sysfs_slab_alias(struct kmem_cache *, const char *); + static void sysfs_slab_remove(struct kmem_cache *); @@ -442,7 +442,7 @@ static void print_track(const char *s, s if (!t->addr) return; @@ -67671,6 +67666,30 @@ diff -urNp linux-3.0.4/mm/slub.c linux-3.0.4/mm/slub.c goto err; } up_write(&slub_lock); +@@ -3545,7 +3586,7 @@ void *__kmalloc_node_track_caller(size_t + } + #endif + +-#ifdef CONFIG_SYSFS ++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD) + static int count_inuse(struct page *page) + { + return page->inuse; +@@ -3935,12 +3976,12 @@ static void resiliency_test(void) + validate_slab_cache(kmalloc_caches[9]); + } + #else +-#ifdef CONFIG_SYSFS ++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD) + static void resiliency_test(void) {}; + #endif + #endif + +-#ifdef CONFIG_SYSFS ++#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD) + enum slab_stat_type { + SL_ALL, /* All slabs */ + SL_PARTIAL, /* Only partially allocated slabs */ @@ -4150,7 +4191,7 @@ SLAB_ATTR_RO(ctor); static ssize_t aliases_show(struct kmem_cache *s, char *buf) diff --git a/3.0.4/4425_grsec-pax-without-grsec.patch b/3.0.4/4425_grsec-pax-without-grsec.patch index cdc33f2..41be0d0 100644 --- a/3.0.4/4425_grsec-pax-without-grsec.patch +++ b/3.0.4/4425_grsec-pax-without-grsec.patch @@ -77,7 +77,7 @@ diff -Naur a/fs/exec.c b/fs/exec.c diff -Naur a/security/Kconfig b/security/Kconfig 
--- a/security/Kconfig 2011-04-17 19:05:03.000000000 -0400 +++ b/security/Kconfig 2011-04-17 19:20:30.000000000 -0400 -@@ -26,7 +26,7 @@ +@@ -29,7 +29,7 @@ config PAX bool "Enable various PaX features" diff --git a/3.0.4/4437-grsec-kconfig-proc-user.patch b/3.0.4/4437-grsec-kconfig-proc-user.patch index 4e5acda..c588683 100644 --- a/3.0.4/4437-grsec-kconfig-proc-user.patch +++ b/3.0.4/4437-grsec-kconfig-proc-user.patch @@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400 +++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400 -@@ -669,7 +669,7 @@ +@@ -666,7 +666,7 @@ config GRKERNSEC_PROC_USER bool "Restrict /proc to user only" @@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden help If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, -@@ -677,7 +677,7 @@ +@@ -674,7 +674,7 @@ config GRKERNSEC_PROC_USERGROUP bool "Allow special group" diff --git a/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch b/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch index 3a991fb..0fd5d2d 100644 --- a/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch +++ b/3.0.4/4440_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig --- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1268,6 +1268,27 @@ +@@ -1265,6 +1265,27 @@ menu "Logging Options" depends on GRKERNSEC |