commit:     626340b17d84dea8bf5f882750f594207fd5119c
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Jul 26 06:55:48 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Jul 26 06:55:48 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=626340b1

grsecurity-3.1-4.6.4-201607242014

 4.6.4/0000_README                                  |  2 +-
 ...> 4420_grsecurity-3.1-4.6.4-201607242014.patch} | 81 ++++++++++++++--------
 2 files changed, 53 insertions(+), 30 deletions(-)

diff --git a/4.6.4/0000_README b/4.6.4/0000_README
index 0a9f680..81410da 100644
--- a/4.6.4/0000_README
+++ b/4.6.4/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.6.4-201607192040.patch
+Patch: 4420_grsecurity-3.1-4.6.4-201607242014.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch 
b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
similarity index 99%
rename from 4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch
rename to 4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
index 4b02b21..f7868ce 100644
--- a/4.6.4/4420_grsecurity-3.1-4.6.4-201607192040.patch
+++ b/4.6.4/4420_grsecurity-3.1-4.6.4-201607242014.patch
@@ -877,7 +877,7 @@ index a876743..fe2a193 100644
          Counts number of I and D TLB Misses and exports them via Debugfs
          The counters can be cleared via Debugfs as well
 diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index cdfa6c2..aba8354 100644
+index cdfa6c2..f39881d 100644
 --- a/arch/arm/Kconfig
 +++ b/arch/arm/Kconfig
 @@ -53,6 +53,7 @@ config ARM
@@ -888,7 +888,15 @@ index cdfa6c2..aba8354 100644
        select HAVE_GENERIC_DMA_COHERENT
        select HAVE_HW_BREAKPOINT if (PERF_EVENTS && (CPU_V6 || CPU_V6K || 
CPU_V7))
        select HAVE_IDE if PCI || ISA || PCMCIA
-@@ -1629,6 +1630,7 @@ config HIGHPTE
+@@ -1561,6 +1562,7 @@ config AEABI
+ config OABI_COMPAT
+       bool "Allow old ABI binaries to run with this kernel (EXPERIMENTAL)"
+       depends on AEABI && !THUMB2_KERNEL
++      depends on !GRKERNSEC
+       help
+         This option preserves the old syscall interface along with the
+         new (ARM EABI) one. It also provides a compatibility layer to
+@@ -1629,6 +1631,7 @@ config HIGHPTE
  config CPU_SW_DOMAIN_PAN
        bool "Enable use of CPU domains to implement privileged no-access"
        depends on MMU && !ARM_LPAE
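Review bot: The new `depends on !GRKERNSEC` under `config OABI_COMPAT` carries no explanation, so anyone enabling GRKERNSEC on ARM will see the OABI compatibility option disappear from the configuration menu with nothing pointing at the cause. The reason is not given anywhere on this page. A one-line `#` comment above the dependency, or a sentence in the option's help text (which continues outside this hunk), should state why the two are mutually exclusive so the restriction is not later removed as an apparent oversight.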
@@ -896,7 +904,7 @@ index cdfa6c2..aba8354 100644
        default y
        help
          Increase kernel security by ensuring that normal kernel accesses
-@@ -1705,7 +1707,7 @@ config ALIGNMENT_TRAP
+@@ -1705,7 +1708,7 @@ config ALIGNMENT_TRAP
  
  config UACCESS_WITH_MEMCPY
        bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
@@ -905,7 +913,7 @@ index cdfa6c2..aba8354 100644
        default y if CPU_FEROCEON
        help
          Implement faster copy_to_user and clear_user methods for CPU
-@@ -1960,6 +1962,7 @@ config KEXEC
+@@ -1960,6 +1963,7 @@ config KEXEC
        depends on (!SMP || PM_SLEEP_SMP)
        depends on !CPU_V7M
        select KEXEC_CORE
@@ -913,7 +921,7 @@ index cdfa6c2..aba8354 100644
        help
          kexec is a system call that implements the ability to shutdown your
          current kernel, and to start another kernel.  It is like a reboot
-@@ -2004,7 +2007,7 @@ config EFI_STUB
+@@ -2004,7 +2008,7 @@ config EFI_STUB
  
  config EFI
        bool "UEFI runtime support"
@@ -23850,7 +23858,7 @@ index c3496619..3f3a7dc 100644
  asmlinkage void smp_deferred_error_interrupt(void);
  #endif
 diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
-index 2e7513d..73d9d20 100644
+index 2e7513d..792107f 100644
 --- a/arch/x86/include/asm/uaccess.h
 +++ b/arch/x86/include/asm/uaccess.h
 @@ -7,6 +7,7 @@
@@ -23887,7 +23895,7 @@ index 2e7513d..73d9d20 100644
 +      unsigned long __size = size;                                    \
 +      unsigned long __addr = (unsigned long)addr;                     \
 +      bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
-+      if (__ret_ao && __size) {                                       \
++      if (__ret_ao && __size < 256 * PAGE_SIZE) {                     \
 +              unsigned long __addr_ao = __addr & PAGE_MASK;           \
 +              unsigned long __end_ao = __addr + __size - 1;           \
 +              if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) {     \
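Review bot: The rewritten guard `if (__ret_ao && __size < 256 * PAGE_SIZE)` no longer excludes `__size == 0`, so a zero-length check now reaches `__end_ao = __addr + __size - 1`, which wraps to `__addr - 1`. For a page-aligned `__addr` the `(__end_ao ^ __addr_ao) & PAGE_MASK` test is then true and the cross-page path is entered with an end address below the start. What that path does is outside this hunk, so the effect has to be checked there. If zero-length ranges are still meant to skip this block, keep both conditions: `if (__ret_ao && __size && __size < 256 * PAGE_SIZE) {`. The `256 * PAGE_SIZE` bound is also unexplained, and a short comment on why larger ranges are excluded would help.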
@@ -28460,7 +28468,7 @@ index e565e0e..fdfeb45 100644
                }
                memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);
 diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
-index 2da6ee9..4cbe3af 100644
+index 2da6ee9..fc0ca78 100644
 --- a/arch/x86/kernel/kgdb.c
 +++ b/arch/x86/kernel/kgdb.c
 @@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)
@@ -28518,7 +28526,7 @@ index 2da6ee9..4cbe3af 100644
        text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
                  BREAK_INSTR_SIZE);
 -      err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
-+      err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), 
BREAK_INSTR_SIZE);
++      err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), 
BREAK_INSTR_SIZE);
        if (err)
                return err;
        if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
@@ -28527,7 +28535,7 @@ index 2da6ee9..4cbe3af 100644
                goto knl_write;
        text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
 -      err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
-+      err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), 
BREAK_INSTR_SIZE);
++      err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), 
BREAK_INSTR_SIZE);
        if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
                goto knl_write;
        return err;
@@ -124075,10 +124083,10 @@ index 0000000..696d76d
 +}
 diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
 new file mode 100644
-index 0000000..39645c9
+index 0000000..dfba8fd
 --- /dev/null
 +++ b/grsecurity/gracl_res.c
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,74 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/gracl.h>
@@ -124118,6 +124126,14 @@ index 0000000..39645c9
 +      if (unlikely(!restab_log[res]))
 +              return;
 +
++      /*
++       * not really security relevant, too much userland code shared
++       * from pulseaudio that blindly attempts to violate limits in a loop,
++       * resulting in log spam
++       */
++      if (res == RLIMIT_NICE)
++              return;
++
 +      if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
 +              rlim = task_rlimit_max(task, res);
 +      else
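Review bot: The early `return` added for `res == RLIMIT_NICE` drops every RLIMIT_NICE log entry, whereas the branch removed further down (`res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE)`) suppressed it only for tasks holding CAP_SYS_NICE. That is a wider change than the comment's log-spam rationale suggests, because overruns by tasks without the capability are no longer recorded either. If that is intended, the comment should say so directly, e.g. `/* RLIMIT_NICE overruns are never logged, with or without CAP_SYS_NICE */`. Rate-limiting the message would be the alternative if the record is still wanted. The function starts and ends outside this hunk.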
@@ -124136,8 +124152,6 @@ index 0000000..39645c9
 +      else if (res == RLIMIT_MEMLOCK &&
 +               cap_raised(cred->cap_effective, CAP_IPC_LOCK))
 +              goto out_rcu_unlock;
-+      else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, 
CAP_SYS_NICE))
-+              goto out_rcu_unlock;
 +      rcu_read_unlock();
 +
 +      gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, 
restab_log[res], rlim);
@@ -144283,7 +144297,7 @@ index 2c5e3a8..301fb1a 100644
        return -ENOSYS;
  }
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 725587f..750f909 100644
+index 725587f..c7834cc 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
 @@ -95,7 +95,6 @@
@@ -144440,7 +144454,7 @@ index 725587f..750f909 100644
 -              .proc_handler   = proc_dointvec_minmax_sysadmin,
 +              .proc_handler   = proc_dointvec_minmax_secure_sysadmin,
 +#ifdef CONFIG_GRKERNSEC_HIDESYM
-+              .extra1         = &two,
++              .extra1         = &one,
 +#else
                .extra1         = &zero,
 +#endif
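Review bot: Under CONFIG_GRKERNSEC_HIDESYM the lower bound of this sysctl entry drops from `&two` to `&one`, but nothing in the table entry says that the relaxed floor relies on a stricter check elsewhere. The lib/vsprintf.c hunks further down lower the default to match (`int kptr_restrict __read_only = 1;`) and add a CAP_SYS_ADMIN test to `pointer()`. The entry's name is outside the hunk, though the paired vsprintf.c change suggests it is kptr_restrict. A comment next to `.extra1`, such as `/* floor is 1: pointer() also requires CAP_SYS_ADMIN under HIDESYM */`, would keep the sysctl bound and the capability check from drifting apart in later revisions.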
@@ -146874,7 +146888,7 @@ index 4f5b1dd..7cab418 100644
 +}
 +EXPORT_SYMBOL(copy_to_user_overflow);
 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index ccb664b..058e2978 100644
+index ccb664b..be065a5 100644
 --- a/lib/vsprintf.c
 +++ b/lib/vsprintf.c
 @@ -16,6 +16,9 @@
@@ -146902,7 +146916,7 @@ index ccb664b..058e2978 100644
  
 -int kptr_restrict __read_mostly;
 +#ifdef CONFIG_GRKERNSEC_HIDESYM
-+int kptr_restrict __read_only = 2;
++int kptr_restrict __read_only = 1;
 +#else
 +int kptr_restrict __read_only;
 +#endif
@@ -146959,7 +146973,17 @@ index ccb664b..058e2978 100644
        case 'K':
                switch (kptr_restrict) {
                case 0:
-@@ -1724,6 +1743,22 @@ char *pointer(const char *fmt, char *buf, char *end, 
void *ptr,
+@@ -1691,6 +1710,9 @@ char *pointer(const char *fmt, char *buf, char *end, 
void *ptr,
+                        */
+                       cred = current_cred();
+                       if (!has_capability_noaudit(current, CAP_SYSLOG) ||
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++                          !has_capability_noaudit(current, CAP_SYS_ADMIN) ||
++#endif
+                           !uid_eq(cred->euid, cred->uid) ||
+                           !gid_eq(cred->egid, cred->gid))
+                               ptr = NULL;
+@@ -1724,6 +1746,22 @@ char *pointer(const char *fmt, char *buf, char *end, 
void *ptr,
        case 'G':
                return flags_string(buf, end, ptr, fmt);
        }
@@ -146982,7 +147006,7 @@ index ccb664b..058e2978 100644
        spec.flags |= SMALL;
        if (spec.field_width == -1) {
                spec.field_width = default_width;
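Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` spliced into the middle of the `if (!has_capability_noaudit(current, CAP_SYSLOG) || ...)` condition in `pointer()` makes the access rule hard to read. The comment that closes just above it (its text is outside this hunk) presumably still describes only the CAP_SYSLOG and credential checks. Extending that comment with a line such as `under GRKERNSEC_HIDESYM the caller must also hold CAP_SYS_ADMIN` would state the rule explicitly; moving the combined capability test into a small static helper would tidy the condition as well. `pointer()` begins and ends outside the hunk.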
-@@ -2424,11 +2459,11 @@ int bstr_printf(char *buf, size_t size, const char 
*fmt, const u32 *bin_buf)
+@@ -2424,11 +2462,11 @@ int bstr_printf(char *buf, size_t size, const char 
*fmt, const u32 *bin_buf)
        typeof(type) value;                                             \
        if (sizeof(type) == 8) {                                        \
                args = PTR_ALIGN(args, sizeof(u32));                    \
@@ -146997,7 +147021,7 @@ index ccb664b..058e2978 100644
        }                                                               \
        args += sizeof(type);                                           \
        value;                                                          \
-@@ -2491,7 +2526,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, 
const u32 *bin_buf)
+@@ -2491,7 +2529,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, 
const u32 *bin_buf)
                case FORMAT_TYPE_STR: {
                        const char *str_arg = args;
                        args += strlen(str_arg) + 1;
@@ -163915,10 +163939,10 @@ index 0000000..ffe60f6
 +}
 diff --git a/scripts/gcc-plugins/constify_plugin.c 
b/scripts/gcc-plugins/constify_plugin.c
 new file mode 100644
-index 0000000..1a56d17
+index 0000000..b769ccf
 --- /dev/null
 +++ b/scripts/gcc-plugins/constify_plugin.c
-@@ -0,0 +1,583 @@
+@@ -0,0 +1,582 @@
 +/*
 + * Copyright 2011 by Emese Revfy <[email protected]>
 + * Copyright 2011-2016 by PaX Team <[email protected]>
@@ -163944,7 +163968,7 @@ index 0000000..1a56d17
 +static bool enabled = true;
 +
 +static struct plugin_info const_plugin_info = {
-+      .version        = "201606280200",
++      .version        = "201607241840",
 +      .help           = "disable\tturn off constification\n",
 +};
 +
@@ -164069,10 +164093,8 @@ index 0000000..1a56d17
 +                              continue;
 +                      if (!constified(ptrtype))
 +                              continue;
-+                      if (TYPE_MAIN_VARIANT(ptrtype) == 
TYPE_MAIN_VARIANT(type)) {
-+                              TREE_TYPE(field) = copy_node(TREE_TYPE(field));
-+                              TREE_TYPE(TREE_TYPE(field)) = 
build_qualified_type(type, TYPE_QUALS(ptrtype) & ~TYPE_QUAL_CONST);
-+                      }
++                      if (TYPE_MAIN_VARIANT(ptrtype) == 
TYPE_MAIN_VARIANT(type))
++                              TREE_TYPE(field) = 
build_pointer_type(build_qualified_type(type, TYPE_QUALS(ptrtype) & 
~TYPE_QUAL_CONST));
 +                      continue;
 +              }
 +              if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) 
!= UNION_TYPE)
@@ -164190,6 +164212,7 @@ index 0000000..1a56d17
 +
 +static void constify_type(tree type)
 +{
++      gcc_assert(type == TYPE_MAIN_VARIANT(type));
 +      TYPE_READONLY(type) = 1;
 +      C_TYPE_FIELDS_READONLY(type) = 1;
 +      TYPE_CONSTIFY_VISITED(type) = 1;
@@ -214202,7 +214225,7 @@ index 3a9b66c..2b38b21 100644
        unsigned long flags;
  
 diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
-index 9106d8e..e7e2e3c 100644
+index 9106d8e..e7e2e3ca 100644
 --- a/sound/core/pcm_native.c
 +++ b/sound/core/pcm_native.c
 @@ -3014,11 +3014,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream 
*substream,
