This is the patch.

linuxnopax is kernel 3.4.1 with the rsbac patch applied and PaX broken
where patching failed (rejections and .orig files excluded); linux 3.4.1 is
the same tree with PaX and rsbac applied and the rejections resolved by hand.

Surely I have broken things, and maybe a 5-year-old child would do a better job
than me. Can you tell me your opinion? Are there broken things?





On 01/12/12 21:37, Anthony G. Basile wrote:
> On 11/22/2012 12:49 PM, Javier Juan Martínez Cabezón wrote:
>>
>>
>> Hi all, I saw that in the last ebuild (3.4.1), PaX is in
>> UNIPATCH_EXCLUDE. What have you Planned about this?.
>>
>> I also knew the existence of a base rsbac_policy based hardened gentoo
>> subproject? is there anything written about it?
>>
>> Thanks for all.
>>
> 
> When last I tried to apply the pax patches on top of rsbac, they did not
> go.  People kept saying they did, but they did not without hacking.  If
> you want to provide me with an rsbac patchset and pax patchset that are
> compat I will try again.
> 
> 

diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/0000_README linux-3.4.1/0000_README
--- linuxnopax-3.4.1/0000_README	1970-01-01 01:00:00.000000000 +0100
+++ linux-3.4.1/0000_README	2012-08-29 21:46:21.000000000 +0200
@@ -0,0 +1,12 @@
+README
+-----------------------------------------------------------------------------
+
+Individual Patch Descriptions:
+-----------------------------------------------------------------------------
+Patch:	4500_patch-linux-3.4.1-rsbac-1.4.6.diff
+From:	Amon Ott <[email protected]>
+Desc:	RSBAC patch from http://www.rsbac.org/
+
+Patch:  4520_pax-linux-3.4-test7.patch
+From:	pipacs <[email protected]>
+Desc:	http://grsecurity.net/test.php
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/fs/aio.c linux-3.4.1/fs/aio.c
--- linuxnopax-3.4.1/fs/aio.c	2012-12-03 17:36:16.000000000 +0100
+++ linux-3.4.1/fs/aio.c	2012-08-29 22:08:45.000000000 +0200
@@ -1440,21 +1440,26 @@ static ssize_t aio_fsync(struct kiocb *i
 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
 {
 	ssize_t ret;
+	struct iovec iovstack;
 
 #ifdef CONFIG_COMPAT
 	if (compat)
 		ret = compat_rw_copy_check_uvector(type,
 				(struct compat_iovec __user *)kiocb->ki_buf,
-				kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
-				&kiocb->ki_iovec, 1);
+kiocb->ki_nbytes, 1, &iovstack, &kiocb->ki_iovec, 1);
+				
 	else
 #endif
 		ret = rw_copy_check_uvector(type,
 				(struct iovec __user *)kiocb->ki_buf,
-				kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
+				kiocb->ki_nbytes, 1, &iovstack,
 				&kiocb->ki_iovec, 1);
 	if (ret < 0)
 		goto out;
+	if (kiocb->ki_iovec == &iovstack) {
+		kiocb->ki_inline_vec = iovstack;
+		kiocb->ki_iovec = &kiocb->ki_inline_vec;
+	}
 
 	ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
 	if (ret < 0)
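Review bot: The `if (ret < 0) goto out;` test after the two copy helpers exits before the fixup that repoints `kiocb->ki_iovec` from `&iovstack` to `&kiocb->ki_inline_vec`, so if either helper stores its fast-path pointer even on failure (not visible here), the kiocb keeps the address of a dead stack slot after return. Any later cleanup that compares `ki_iovec` with `&ki_inline_vec` before freeing would then act on that stack address. Moving the `if (kiocb->ki_iovec == &iovstack) { … }` block above the `ret < 0` check closes this regardless of how the helpers behave. The continuation line `kiocb->ki_nbytes, 1, &iovstack, &kiocb->ki_iovec, 1);` also lost its indentation and is followed by a whitespace-only line before `else`. The function's `out:` label lies outside the hunk.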
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/fs/namei.c linux-3.4.1/fs/namei.c
--- linuxnopax-3.4.1/fs/namei.c	2012-12-03 17:36:16.000000000 +0100
+++ linux-3.4.1/fs/namei.c	2012-08-29 23:23:38.000000000 +0200
@@ -4198,8 +4198,15 @@ int vfs_readlink(struct dentry *dentry,
 	}
 	else
 #endif
-	if (copy_to_user(buffer, link, len))
-		len = -EFAULT;
+	
+	if (len < sizeof(tmpbuf)) {
+		memcpy(tmpbuf, link, len);
+		newlink = tmpbuf;
+	} else
+		newlink = link;
+
+	if (copy_to_user(buffer, newlink, len))
+ 		len = -EFAULT;
 out:
 	return len;
 }
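Review bot: The `copy_to_user(buffer, newlink, len)` call now sits outside the `else` that precedes the `#endif`, because that `else` binds only to the `if (len < sizeof(tmpbuf)) … else newlink = link;` statement. The copy therefore also runs after the preprocessor-guarded branch above, where nothing visible assigns `newlink`. If that branch is taken, an unassigned kernel pointer would be the source of a copy to user space. Enclosing everything from `if (len < sizeof(tmpbuf))` through `len = -EFAULT;` in one `{ … }` block after the `#endif` restores the original either/or. The guarded branch and the declarations of `tmpbuf` and `newlink` are above the hunk, so confirm both there.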
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/fs/pipe.c linux-3.4.1/fs/pipe.c
--- linuxnopax-3.4.1/fs/pipe.c	2012-12-03 17:36:16.000000000 +0100
+++ linux-3.4.1/fs/pipe.c	2012-08-29 23:19:39.000000000 +0200
@@ -816,19 +816,15 @@ static int
 pipe_release(struct inode *inode, int decr, int decw)
 {
 	struct pipe_inode_info *pipe;
-
 	mutex_lock(&inode->i_mutex);
 	pipe = inode->i_pipe;
-	pipe->readers -= decr;
-	pipe->writers -= decw;
-
-	if (!pipe->readers && !pipe->writers) {
-
+	atomic_sub(decr, &pipe->readers);
+	atomic_sub(decw, &pipe->writers);
+	if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {	
 #ifdef CONFIG_RSBAC
-		union rsbac_target_id_t rsbac_target_id;
+	union rsbac_target_id_t rsbac_target_id;
 #endif
-
-		free_pipe_info(inode);
+	free_pipe_info(inode);
 
 #ifdef CONFIG_RSBAC
 		rsbac_pr_debug(aef, "calling ACI remove_target()\n");
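Review bot: The declaration `union rsbac_target_id_t rsbac_target_id;` and the call `free_pipe_info(inode);` were pulled back one tab although both still sit inside the `if (!atomic_read(&pipe->readers) && …) {` body, so the free now reads as if it were unconditional. Restore the extra tab on both lines and drop the trailing tab after the opening brace. A one-line comment such as `/* readers/writers are atomic_t; updates are still serialized by i_mutex */` above the `atomic_sub()` calls would record why a separate subtract and read is acceptable here. The block closes in the following hunk.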
@@ -836,7 +832,7 @@ pipe_release(struct inode *inode, int de
 		rsbac_target_id.ipc.id.id_nr  = inode->i_ino;
 		rsbac_remove_target(T_IPC, rsbac_target_id);
 #endif
-
+		
 	} else {
 		wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
 		kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/init/do_mounts.c linux-3.4.1/init/do_mounts.c
--- linuxnopax-3.4.1/init/do_mounts.c	2012-12-03 17:36:16.000000000 +0100
+++ linux-3.4.1/init/do_mounts.c	2012-08-29 22:00:26.000000000 +0200
@@ -563,8 +563,8 @@ void __init prepare_namespace(void)
 	mount_root();
 out:
 	devtmpfs_mount("dev");
-	sys_mount(".", "/", NULL, MS_MOVE, NULL);
-	sys_chroot((const char __user __force *)".");
+	sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
+	sys_chroot((const char __force_user *)".");
 
 #ifdef CONFIG_RSBAC
 #ifdef CONFIG_RSBAC_INIT_DELAY
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/mm/mempolicy.c linux-3.4.1/mm/mempolicy.c
--- linuxnopax-3.4.1/mm/mempolicy.c	2012-12-03 17:36:16.000000000 +0100
+++ linux-3.4.1/mm/mempolicy.c	2012-08-29 21:55:27.000000000 +0200
@@ -1109,6 +1109,17 @@ static long do_mbind(unsigned long start
 
 	if (end < start)
 		return -EINVAL;
+
+#ifdef CONFIG_PAX_SEGMEXEC
+	if (mm->pax_flags & MF_PAX_SEGMEXEC) {
+		if (end > SEGMEXEC_TASK_SIZE)
+			return -EINVAL;
+	} else
+#endif
+
+	if (end > TASK_SIZE)
+		return -EINVAL;
+
 	if (end == start)
 		return 0;
 
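Review bot: The `else` before `#endif` is separated by a blank line from the `if (end > TASK_SIZE)` it governs, which makes it easy to insert a statement in between and silently change which bound is checked when `CONFIG_PAX_SEGMEXEC` is set. Drop the blank line after `#endif`, or compute the limit first and test once, e.g. `if (end > limit) return -EINVAL;` with `limit` set to `SEGMEXEC_TASK_SIZE` or `TASK_SIZE`. `mm` is declared outside the hunk.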
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/mm/mprotect.c linux-3.4.1/mm/mprotect.c
--- linuxnopax-3.4.1/mm/mprotect.c	2012-12-03 17:36:16.000000000 +0100
+++ linux-3.4.1/mm/mprotect.c	2012-08-29 21:51:37.000000000 +0200
@@ -28,7 +28,11 @@
 #include <asm/cacheflush.h>
 #include <asm/tlbflush.h>
 #include <rsbac/hooks.h>
-
+#ifdef CONFIG_PAX_MPROTECT
+#include <linux/elf.h>
+#include <linux/binfmts.h>
+#endif
+#include <asm/mmu_context.h>
 #ifndef pgprot_modify
 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
 {
