commit:     8625ea5b47f8eb2b6e622750fc667ce13bd199b0
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 19:18:42 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 19:18:42 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=8625ea5b

grsecurity-3.1-4.1.7-201509201149

 4.1.7/0000_README                                  |  2 +-
 ...> 4420_grsecurity-3.1-4.1.7-201509201149.patch} | 33 ++++++++++++----------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/4.1.7/0000_README b/4.1.7/0000_README
index a82b514..29c7482 100644
--- a/4.1.7/0000_README
+++ b/4.1.7/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.1.7-201509131604.patch
+Patch: 4420_grsecurity-3.1-4.1.7-201509201149.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.1.7/4420_grsecurity-3.1-4.1.7-201509131604.patch 
b/4.1.7/4420_grsecurity-3.1-4.1.7-201509201149.patch
similarity index 99%
rename from 4.1.7/4420_grsecurity-3.1-4.1.7-201509131604.patch
rename to 4.1.7/4420_grsecurity-3.1-4.1.7-201509201149.patch
index eb11268..4694239 100644
--- a/4.1.7/4420_grsecurity-3.1-4.1.7-201509131604.patch
+++ b/4.1.7/4420_grsecurity-3.1-4.1.7-201509201149.patch
@@ -72155,7 +72155,7 @@ index 4c55668..eeae150 100644
                                fd_offset + ex.a_text);
                if (error != N_DATADDR(ex))
 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index cd46e41..244f778 100644
+index cd46e41..d67c3df 100644
 --- a/fs/binfmt_elf.c
 +++ b/fs/binfmt_elf.c
 @@ -35,6 +35,7 @@
@@ -72998,7 +72998,7 @@ index cd46e41..244f778 100644
 +                              if (dyn.d_tag == DT_NULL)
 +                                      break;
 +                              if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == 
DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
-+                                      gr_log_textrel(vma);
++                                      gr_log_textrel(vma, is_textrel_rw);
 +                                      if (is_textrel_rw)
 +                                              vma->vm_flags |= VM_MAYWRITE;
 +                                      else
@@ -91727,10 +91727,10 @@ index 0000000..8ef2b75
 +}
 diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c
 new file mode 100644
-index 0000000..dbe0a6b
+index 0000000..0eac5aa
 --- /dev/null
 +++ b/grsecurity/grsec_log.c
-@@ -0,0 +1,341 @@
+@@ -0,0 +1,342 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/file.h>
@@ -91968,10 +91968,11 @@ index 0000000..dbe0a6b
 +              gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), 
num1, num2, str1);
 +              break;
 +      case GR_TEXTREL:
++              str1 = va_arg(ap, char *);
 +              file = va_arg(ap, struct file *);
 +              ulong1 = va_arg(ap, unsigned long);
 +              ulong2 = va_arg(ap, unsigned long);
-+              gr_log_middle_varargs(audit, msg, file ? 
gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", 
ulong1, ulong2);
++              gr_log_middle_varargs(audit, msg, str1, file ? 
gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", 
ulong1, ulong2);
 +              break;
 +      case GR_PTRACE:
 +              task = va_arg(ap, struct task_struct *);
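Review bot: The new `str1 = va_arg(ap, char *);` in the GR_TEXTREL case only works while three places agree by hand: this read order, the argument order of `gr_log_textrel_ulong_ulong()` in grinternal.h, and the conversions in GR_TEXTREL_AUDIT_MSG in grmsg.h. They do agree in this patch (string, file, two unsigned longs), but as far as the visible lines show nothing verifies that at compile time, and a later mismatch would make the kernel read a pointer from the wrong variadic slot. I would add a comment above the case such as `/* args: char *transition, struct file *, unsigned long start, unsigned long pgoff; keep in sync with grinternal.h and grmsg.h */`. The enclosing switch and function start and end outside this hunk.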
@@ -92199,10 +92200,10 @@ index 0000000..fe02bf4
 +}
 diff --git a/grsecurity/grsec_pax.c b/grsecurity/grsec_pax.c
 new file mode 100644
-index 0000000..6ee9d50
+index 0000000..2ad7b96
 --- /dev/null
 +++ b/grsecurity/grsec_pax.c
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,47 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -92211,11 +92212,13 @@ index 0000000..6ee9d50
 +#include <linux/grsecurity.h>
 +
 +void
-+gr_log_textrel(struct vm_area_struct * vma)
++gr_log_textrel(struct vm_area_struct * vma, bool is_textrel_rw)
 +{
 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
 +      if (grsec_enable_log_rwxmaps)
-+              gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG, 
vma->vm_file, vma->vm_start, vma->vm_pgoff);
++              gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG,
++                      is_textrel_rw ? "executable to writable" : "writable to 
executable",
++                      vma->vm_file, vma->vm_start, vma->vm_pgoff);
 +#endif
 +      return;
 +}
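Review bot: `gr_log_textrel()` still passes `GR_DONT_AUDIT`, although the message it selects now starts with "allowed" rather than "denied" (see GR_TEXTREL_AUDIT_MSG in the grmsg.h hunk). What that flag selects is decided in gr_log_varargs, outside this hunk, so this may be intended. If it picks the prefix or log level used for denials, an allowed transition would be reported at the same severity as a block, which is worth confirming. The new parameter is also undocumented; a one-line comment such as `/* is_textrel_rw: true when the mapping goes executable -> writable, false for the way back */` would tie the two labels to the caller in fs/binfmt_elf.c.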
@@ -96465,7 +96468,7 @@ index 0000000..be66033
 +#endif
 diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
 new file mode 100644
-index 0000000..fb1de5d
+index 0000000..6245f9e
 --- /dev/null
 +++ b/include/linux/grinternal.h
 @@ -0,0 +1,230 @@
@@ -96682,7 +96685,7 @@ index 0000000..fb1de5d
 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, 
msg, GR_FILENAME_STR, dentry, mnt, str)
 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) 
gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) 
gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, 
str)
-+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) 
gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
++#define gr_log_textrel_ulong_ulong(audit, msg, str, file, ulong1, ulong2) 
gr_log_varargs(audit, msg, GR_TEXTREL, str, file, ulong1, ulong2)
 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, 
task)
 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) 
gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, 
task, str)
@@ -96701,7 +96704,7 @@ index 0000000..fb1de5d
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..26ef560
+index 0000000..3092b3c
 --- /dev/null
 +++ b/include/linux/grmsg.h
 @@ -0,0 +1,118 @@
@@ -96811,7 +96814,7 @@ index 0000000..26ef560
 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s 
against limit %lu for "
 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
-+#define GR_TEXTREL_AUDIT_MSG "denied text relocation in %.950s, VMA:0x%08lx 
0x%08lx by "
++#define GR_TEXTREL_AUDIT_MSG "allowed %s text relocation transition in 
%.950s, VMA:0x%08lx 0x%08lx by "
 +#define GR_PTGNUSTACK_MSG "denied marking stack executable as requested by 
PT_GNU_STACK marking in %.950s by "
 +#define GR_VM86_MSG "denied use of vm86 by "
 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace 
by "
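Review bot: The reworded GR_TEXTREL_AUDIT_MSG changes the start of the log line from "denied text relocation in" to "allowed ... text relocation transition in", so any log-matching rule or parser keyed on the old text will stop matching after this update. That deserves a line in the README or release notes. The added `%s` is also the only string conversion among the visible messages without a precision; its neighbours use `%.950s` and `%.16s`. It is fed only by the two literals in gr_log_textrel(), so it is bounded today, and a comment such as `/* first %s: fixed label from gr_log_textrel(), never caller-controlled */` would record that assumption.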
@@ -96825,7 +96828,7 @@ index 0000000..26ef560
 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..085a746
+index 0000000..ae28a25
 --- /dev/null
 +++ b/include/linux/grsecurity.h
 @@ -0,0 +1,247 @@
@@ -96916,7 +96919,7 @@ index 0000000..085a746
 +void gr_log_remount(const char *devname, const int retval);
 +void gr_log_unmount(const char *devname, const int retval);
 +void gr_log_mount(const char *from, struct path *to, const int retval);
-+void gr_log_textrel(struct vm_area_struct *vma);
++void gr_log_textrel(struct vm_area_struct *vma, bool is_textrel_rw);
 +void gr_log_ptgnustack(struct file *file);
 +void gr_log_rwxmmap(struct file *file);
 +void gr_log_rwxmprotect(struct vm_area_struct *vma);
