authorAnthony G. Basile <blueness@gentoo.org>2014-02-06 10:59:53 -0500
committerAnthony G. Basile <blueness@gentoo.org>2014-02-06 10:59:53 -0500
commit66e4ef4c51573a6f46e1badfc5a349a26118c6ca (patch)
tree5ebd72a3cbfacb5750c041a8d28e7619dcbc1600
parentGrsec/PaX: 3.0-3.13.1-201401301657 (diff)
Grsec/PaX: 3.0-{3.2.54,3.13.1}-20140205234920140205
-rw-r--r--3.13.1/0000_README2
-rw-r--r--3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch (renamed from 3.13.1/4420_grsecurity-3.0-3.13.1-201401301657.patch)364
-rw-r--r--3.2.54/0000_README2
-rw-r--r--3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch (renamed from 3.2.54/4420_grsecurity-3.0-3.2.54-201401281850.patch)117
4 files changed, 363 insertions, 122 deletions
diff --git a/3.13.1/0000_README b/3.13.1/0000_README
index a830d5a..6b35ea7 100644
--- a/3.13.1/0000_README
+++ b/3.13.1/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.13.1-201401301657.patch
+Patch: 4420_grsecurity-3.0-3.13.1-201402052349.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.13.1/4420_grsecurity-3.0-3.13.1-201401301657.patch b/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch
index 08da283..ee1465f 100644
--- a/3.13.1/4420_grsecurity-3.0-3.13.1-201401301657.patch
+++ b/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch
@@ -287,7 +287,7 @@ index b9e9bd8..bf49b92 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index de4cda9..d1183df 100644
+index de4cda9..e5ec62c 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -345,7 +345,7 @@ index de4cda9..d1183df 100644
+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-seed=$(GRKERNSEC_RANDSTRUCT_SEED)
+RANDSTRUCT_HASHED_SEED := $(shell cat "$(srctree)/tools/gcc/randstruct.hashed_seed")
+RANDSTRUCT_PLUGIN_CFLAGS += -DRANDSTRUCT_HASHED_SEED="\"$(RANDSTRUCT_HASHED_SEED)\""
-+ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE
+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode
+endif
+endif
@@ -64110,10 +64110,10 @@ index 104455b..764c512 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..c2c7f17
+index 0000000..01d5523
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1146 @@
+@@ -0,0 +1,1147 @@
+#
+# grecurity configuration
+#
@@ -64330,6 +64330,7 @@ index 0000000..c2c7f17
+ bool "Randomize layout of sensitive kernel structures"
+ default y if GRKERNSEC_CONFIG_AUTO
+ select GRKERNSEC_HIDESYM
++ select MODVERSIONS if MODULES
+ help
+ If you say Y here, the layouts of a number of sensitive kernel
+ structures (task, fs, cred, etc) and all structures composed entirely
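Review bot: The help text that follows the new `select MODVERSIONS if MODULES` line does not mention that enabling this option now forces symbol versioning on, nor what that means for a module built against a kernel with a different seed. Judging by the kernel/module.c message changes elsewhere in this commit, the version check is presumably where such a module is meant to be rejected before its randomized layout is ever trusted, so the help should say so, e.g. `Symbol versioning (MODVERSIONS) is forced on so that modules built against a different seed are rejected at load time instead of being loaded with a mismatched layout.`. The help paragraph continues outside the hunk.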
@@ -65262,17 +65263,27 @@ index 0000000..c2c7f17
+endmenu
diff --git a/grsecurity/Makefile b/grsecurity/Makefile
new file mode 100644
-index 0000000..d1344d2
+index 0000000..8a0354c
--- /dev/null
+++ b/grsecurity/Makefile
-@@ -0,0 +1,43 @@
-+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
-+# during 2001-2009 it has been completely redesigned by Brad Spengler
-+# into an RBAC system
+@@ -0,0 +1,53 @@
++# grsecurity – access control and security hardening for Linux
++# All code in this directory and various hooks located throughout the Linux kernel are
++# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
++# http://www.grsecurity.net spender@grsecurity.net
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License version 2
++# as published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
+#
-+# All code in this directory and various hooks inserted throughout the kernel
-+# are copyright Brad Spengler - Open Source Security, Inc., and released
-+# under the GPL v2
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+KBUILD_CFLAGS += -Werror
+
@@ -85488,7 +85499,7 @@ index 1d96dd0..994ff19 100644
default:
diff --git a/kernel/module.c b/kernel/module.c
-index f5a3b1e..1f5578b 100644
+index f5a3b1e..97ebb15 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -61,6 +61,7 @@
@@ -85554,7 +85565,37 @@ index f5a3b1e..1f5578b 100644
}
static struct module_attribute modinfo_initsize =
-@@ -1286,7 +1288,7 @@ resolve_symbol_wait(struct module *mod,
+@@ -1165,12 +1167,29 @@ static int check_version(Elf_Shdr *sechdrs,
+ goto bad_version;
+ }
+
++#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++ /*
++ * avoid potentially printing jibberish on attempted load
++ * of a module randomized with a different seed
++ */
++ pr_warn("no symbol version for %s\n", symname);
++#else
+ pr_warn("%s: no symbol version for %s\n", mod->name, symname);
++#endif
+ return 0;
+
+ bad_version:
++#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++ /*
++ * avoid potentially printing jibberish on attempted load
++ * of a module randomized with a different seed
++ */
++ printk("attempted module disagrees about version of symbol %s\n",
++ symname);
++#else
+ printk("%s: disagrees about version of symbol %s\n",
+ mod->name, symname);
++#endif
+ return 0;
+ }
+
+@@ -1286,7 +1305,7 @@ resolve_symbol_wait(struct module *mod,
*/
#ifdef CONFIG_SYSFS
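Review bot: The rationale comment added before each `#ifdef CONFIG_GRKERNSEC_RANDSTRUCT` message says what is avoided but not why, spells "jibberish" for "gibberish", and is repeated a third time in setup_load_info in the hunk at `@@ -85887,7 +85928,23 @@`. That later hunk shows `mod` taken from the module's own section, `mod = (void *)info->sechdrs[info->index.mod].sh_addr`, so `name` is read at the offset chosen by the seed the module was compiled with — presumably the same pointer here — and that is what the comment should state, e.g. `/* mod->name is read through a struct layout fixed by the module's own seed; it cannot be trusted for printing */`. Dropping the name also removes the only per-module attribution from these log lines, which is worth recording in the comment for whoever later wonders why the message is anonymous. A small `static` helper or macro would avoid keeping the same three-line block in sync in three places. check_version's body continues outside the hunk.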
@@ -85563,7 +85604,7 @@ index f5a3b1e..1f5578b 100644
static inline bool sect_empty(const Elf_Shdr *sect)
{
return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
-@@ -1426,7 +1428,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
+@@ -1426,7 +1445,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
{
unsigned int notes, loaded, i;
struct module_notes_attrs *notes_attrs;
@@ -85572,7 +85613,7 @@ index f5a3b1e..1f5578b 100644
/* failed to create section attributes, so can't create notes */
if (!mod->sect_attrs)
-@@ -1538,7 +1540,7 @@ static void del_usage_links(struct module *mod)
+@@ -1538,7 +1557,7 @@ static void del_usage_links(struct module *mod)
static int module_add_modinfo_attrs(struct module *mod)
{
struct module_attribute *attr;
@@ -85581,7 +85622,7 @@ index f5a3b1e..1f5578b 100644
int error = 0;
int i;
-@@ -1759,21 +1761,21 @@ static void set_section_ro_nx(void *base,
+@@ -1759,21 +1778,21 @@ static void set_section_ro_nx(void *base,
static void unset_module_core_ro_nx(struct module *mod)
{
@@ -85611,7 +85652,7 @@ index f5a3b1e..1f5578b 100644
set_memory_rw);
}
-@@ -1786,14 +1788,14 @@ void set_all_modules_text_rw(void)
+@@ -1786,14 +1805,14 @@ void set_all_modules_text_rw(void)
list_for_each_entry_rcu(mod, &modules, list) {
if (mod->state == MODULE_STATE_UNFORMED)
continue;
@@ -85632,7 +85673,7 @@ index f5a3b1e..1f5578b 100644
set_memory_rw);
}
}
-@@ -1809,14 +1811,14 @@ void set_all_modules_text_ro(void)
+@@ -1809,14 +1828,14 @@ void set_all_modules_text_ro(void)
list_for_each_entry_rcu(mod, &modules, list) {
if (mod->state == MODULE_STATE_UNFORMED)
continue;
@@ -85653,7 +85694,7 @@ index f5a3b1e..1f5578b 100644
set_memory_ro);
}
}
-@@ -1867,16 +1869,19 @@ static void free_module(struct module *mod)
+@@ -1867,16 +1886,19 @@ static void free_module(struct module *mod)
/* This may be NULL, but that's OK */
unset_module_init_ro_nx(mod);
@@ -85676,7 +85717,7 @@ index f5a3b1e..1f5578b 100644
#ifdef CONFIG_MPU
update_protections(current->mm);
-@@ -1945,9 +1950,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1945,9 +1967,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
int ret = 0;
const struct kernel_symbol *ksym;
@@ -85708,7 +85749,7 @@ index f5a3b1e..1f5578b 100644
switch (sym[i].st_shndx) {
case SHN_COMMON:
/* We compiled with -fno-common. These are not
-@@ -1968,7 +1995,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1968,7 +2012,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
ksym = resolve_symbol_wait(mod, info, name);
/* Ok if resolved. */
if (ksym && !IS_ERR(ksym)) {
@@ -85718,7 +85759,7 @@ index f5a3b1e..1f5578b 100644
break;
}
-@@ -1987,11 +2016,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1987,11 +2033,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
secbase = (unsigned long)mod_percpu(mod);
else
secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
@@ -85739,7 +85780,7 @@ index f5a3b1e..1f5578b 100644
return ret;
}
-@@ -2075,22 +2113,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2075,22 +2130,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
|| s->sh_entsize != ~0UL
|| strstarts(sname, ".init"))
continue;
@@ -85766,7 +85807,7 @@ index f5a3b1e..1f5578b 100644
}
pr_debug("Init section allocation order:\n");
-@@ -2104,23 +2132,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2104,23 +2149,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
|| s->sh_entsize != ~0UL
|| !strstarts(sname, ".init"))
continue;
@@ -85795,7 +85836,7 @@ index f5a3b1e..1f5578b 100644
}
}
-@@ -2293,7 +2311,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2293,7 +2328,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
/* Put symbol section at end of init part of module. */
symsect->sh_flags |= SHF_ALLOC;
@@ -85804,7 +85845,7 @@ index f5a3b1e..1f5578b 100644
info->index.sym) | INIT_OFFSET_MASK;
pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
-@@ -2310,13 +2328,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2310,13 +2345,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
}
/* Append room for core symbols at end of core part. */
@@ -85822,7 +85863,7 @@ index f5a3b1e..1f5578b 100644
info->index.str) | INIT_OFFSET_MASK;
pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
}
-@@ -2334,12 +2352,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2334,12 +2369,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
/* Make sure we get permanent strtab: don't use info->strtab. */
mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
@@ -85839,7 +85880,7 @@ index f5a3b1e..1f5578b 100644
src = mod->symtab;
for (ndst = i = 0; i < mod->num_symtab; i++) {
if (i == 0 ||
-@@ -2351,6 +2371,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2351,6 +2388,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
}
}
mod->core_num_syms = ndst;
@@ -85848,7 +85889,7 @@ index f5a3b1e..1f5578b 100644
}
#else
static inline void layout_symtab(struct module *mod, struct load_info *info)
-@@ -2384,17 +2406,33 @@ void * __weak module_alloc(unsigned long size)
+@@ -2384,17 +2423,33 @@ void * __weak module_alloc(unsigned long size)
return vmalloc_exec(size);
}
@@ -85887,7 +85928,23 @@ index f5a3b1e..1f5578b 100644
mutex_unlock(&module_mutex);
}
return ret;
-@@ -2667,8 +2705,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+@@ -2651,7 +2706,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+ mod = (void *)info->sechdrs[info->index.mod].sh_addr;
+
+ if (info->index.sym == 0) {
++#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++ /*
++ * avoid potentially printing jibberish on attempted load
++ * of a module randomized with a different seed
++ */
++ pr_warn("module has no symbols (stripped?)\n");
++#else
+ pr_warn("%s: module has no symbols (stripped?)\n", mod->name);
++#endif
+ return ERR_PTR(-ENOEXEC);
+ }
+
+@@ -2667,8 +2730,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
static int check_modinfo(struct module *mod, struct load_info *info, int flags)
{
const char *modmagic = get_modinfo(info, "vermagic");
@@ -85902,7 +85959,7 @@ index f5a3b1e..1f5578b 100644
if (flags & MODULE_INIT_IGNORE_VERMAGIC)
modmagic = NULL;
-@@ -2693,7 +2737,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
+@@ -2693,7 +2762,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
}
/* Set up license info based on the info section */
@@ -85911,7 +85968,7 @@ index f5a3b1e..1f5578b 100644
return 0;
}
-@@ -2787,7 +2831,7 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2787,7 +2856,7 @@ static int move_module(struct module *mod, struct load_info *info)
void *ptr;
/* Do the allocs. */
@@ -85920,7 +85977,7 @@ index f5a3b1e..1f5578b 100644
/*
* The pointer to this block is stored in the module structure
* which is inside the block. Just mark it as not being a
-@@ -2797,11 +2841,11 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2797,11 +2866,11 @@ static int move_module(struct module *mod, struct load_info *info)
if (!ptr)
return -ENOMEM;
@@ -85936,7 +85993,7 @@ index f5a3b1e..1f5578b 100644
/*
* The pointer to this block is stored in the module structure
* which is inside the block. This block doesn't need to be
-@@ -2810,13 +2854,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2810,13 +2879,45 @@ static int move_module(struct module *mod, struct load_info *info)
*/
kmemleak_ignore(ptr);
if (!ptr) {
@@ -85986,7 +86043,7 @@ index f5a3b1e..1f5578b 100644
/* Transfer each section which specifies SHF_ALLOC */
pr_debug("final section addresses:\n");
-@@ -2827,16 +2903,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2827,16 +2928,45 @@ static int move_module(struct module *mod, struct load_info *info)
if (!(shdr->sh_flags & SHF_ALLOC))
continue;
@@ -86039,7 +86096,7 @@ index f5a3b1e..1f5578b 100644
pr_debug("\t0x%lx %s\n",
(long)shdr->sh_addr, info->secstrings + shdr->sh_name);
}
-@@ -2893,12 +2998,12 @@ static void flush_module_icache(const struct module *mod)
+@@ -2893,12 +3023,12 @@ static void flush_module_icache(const struct module *mod)
* Do it before processing of module parameters, so the module
* can provide parameter accessor functions of its own.
*/
@@ -86058,7 +86115,7 @@ index f5a3b1e..1f5578b 100644
set_fs(old_fs);
}
-@@ -2955,8 +3060,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
+@@ -2955,8 +3085,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
static void module_deallocate(struct module *mod, struct load_info *info)
{
percpu_modfree(mod);
@@ -86071,7 +86128,7 @@ index f5a3b1e..1f5578b 100644
}
int __weak module_finalize(const Elf_Ehdr *hdr,
-@@ -2969,7 +3076,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
+@@ -2969,7 +3101,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
static int post_relocation(struct module *mod, const struct load_info *info)
{
/* Sort exception table now relocations are done. */
@@ -86081,7 +86138,7 @@ index f5a3b1e..1f5578b 100644
/* Copy relocated percpu area over. */
percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
-@@ -3023,16 +3132,16 @@ static int do_init_module(struct module *mod)
+@@ -3023,16 +3157,16 @@ static int do_init_module(struct module *mod)
MODULE_STATE_COMING, mod);
/* Set RO and NX regions for core */
@@ -86106,7 +86163,7 @@ index f5a3b1e..1f5578b 100644
do_mod_ctors(mod);
/* Start the module */
-@@ -3093,11 +3202,12 @@ static int do_init_module(struct module *mod)
+@@ -3093,11 +3227,12 @@ static int do_init_module(struct module *mod)
mod->strtab = mod->core_strtab;
#endif
unset_module_init_ro_nx(mod);
@@ -86124,7 +86181,7 @@ index f5a3b1e..1f5578b 100644
mutex_unlock(&module_mutex);
wake_up_all(&module_wq);
-@@ -3240,9 +3350,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3240,9 +3375,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
if (err)
goto free_unload;
@@ -86163,7 +86220,7 @@ index f5a3b1e..1f5578b 100644
/* Fix up syms, so that st_value is a pointer to location. */
err = simplify_symbols(mod, info);
if (err < 0)
-@@ -3258,13 +3397,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3258,13 +3422,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
flush_module_icache(mod);
@@ -86177,7 +86234,7 @@ index f5a3b1e..1f5578b 100644
dynamic_debug_setup(info->debug, info->num_debug);
/* Finally it's fully formed, ready to start executing. */
-@@ -3299,11 +3431,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3299,11 +3456,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
ddebug_cleanup:
dynamic_debug_remove(info->debug);
synchronize_sched();
@@ -86190,7 +86247,7 @@ index f5a3b1e..1f5578b 100644
free_unload:
module_unload_free(mod);
unlink_mod:
-@@ -3386,10 +3517,16 @@ static const char *get_ksymbol(struct module *mod,
+@@ -3386,10 +3542,16 @@ static const char *get_ksymbol(struct module *mod,
unsigned long nextval;
/* At worse, next value is at end of module */
@@ -86210,7 +86267,7 @@ index f5a3b1e..1f5578b 100644
/* Scan for closest preceding symbol, and next symbol. (ELF
starts real symbols at 1). */
-@@ -3640,7 +3777,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3640,7 +3802,7 @@ static int m_show(struct seq_file *m, void *p)
return 0;
seq_printf(m, "%s %u",
@@ -86219,7 +86276,7 @@ index f5a3b1e..1f5578b 100644
print_unload_info(m, mod);
/* Informative for users. */
-@@ -3649,7 +3786,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3649,7 +3811,7 @@ static int m_show(struct seq_file *m, void *p)
mod->state == MODULE_STATE_COMING ? "Loading":
"Live");
/* Used by oprofile and other similar tools. */
@@ -86228,7 +86285,7 @@ index f5a3b1e..1f5578b 100644
/* Taints info */
if (mod->taints)
-@@ -3685,7 +3822,17 @@ static const struct file_operations proc_modules_operations = {
+@@ -3685,7 +3847,17 @@ static const struct file_operations proc_modules_operations = {
static int __init proc_modules_init(void)
{
@@ -86246,7 +86303,7 @@ index f5a3b1e..1f5578b 100644
return 0;
}
module_init(proc_modules_init);
-@@ -3746,14 +3893,14 @@ struct module *__module_address(unsigned long addr)
+@@ -3746,14 +3918,14 @@ struct module *__module_address(unsigned long addr)
{
struct module *mod;
@@ -86264,7 +86321,7 @@ index f5a3b1e..1f5578b 100644
return mod;
}
return NULL;
-@@ -3788,11 +3935,20 @@ bool is_module_text_address(unsigned long addr)
+@@ -3788,11 +3960,20 @@ bool is_module_text_address(unsigned long addr)
*/
struct module *__module_text_address(unsigned long addr)
{
@@ -101223,7 +101280,7 @@ index 0000000..5e0222d
+fi
diff --git a/scripts/gen-random-seed.sh b/scripts/gen-random-seed.sh
new file mode 100644
-index 0000000..17b3162
+index 0000000..27e0f4a
--- /dev/null
+++ b/scripts/gen-random-seed.sh
@@ -0,0 +1,8 @@
@@ -101232,8 +101289,8 @@ index 0000000..17b3162
+if [ ! -f 'tools/gcc/randstruct.seed' ]; then
+ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
+ echo "$SEED" > tools/gcc/randstruct.seed
++ cat tools/gcc/randstruct.seed | sha256sum | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed
+fi
-+cat tools/gcc/randstruct.seed | sha256sum | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed
+cat tools/gcc/randstruct.seed
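Review bot: After this change `tools/gcc/randstruct.hashed_seed` is written only when `randstruct.seed` is created, so a tree that already carries a seed file but no hashed file (a seed made before the hashed file was introduced, or with the hashed file removed) never gets one, while the Makefile hunk in this commit `cat`s the hashed file into `RANDSTRUCT_PLUGIN_CFLAGS`. Guarding the hashed file separately keeps the apparent intent of not rewriting it on every build: `if [ ! -f 'tools/gcc/randstruct.hashed_seed' ]; then sha256sum < tools/gcc/randstruct.seed | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed; fi`. Reading `sha256sum` from the file also drops the `cat` pipe.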
diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh
index 5de5660..d3deb89 100644
@@ -101518,10 +101575,10 @@ index 8fac3fd..32ff38d 100644
unsigned int secindex_strings;
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..9551ea7 100644
+index e9c6ac7..0ebde711 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,958 @@
+@@ -4,6 +4,959 @@
menu "Security options"
@@ -101556,6 +101613,7 @@ index e9c6ac7..9551ea7 100644
+ select PROC_FS
+ select STOP_MACHINE
+ select TTY
++ select DEBUG_KERNEL
+ select DEBUG_LIST
+ help
+ If you say Y here, you will be able to configure many features
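Review bot: The new `select DEBUG_KERNEL` line carries no comment explaining why a hardening option pulls in a debug option, and the reader gets no hint that it is there for the `select DEBUG_LIST` on the next line. If, as I assume, `DEBUG_LIST` depends on `DEBUG_KERNEL` in this tree, a one-line comment above it, `# DEBUG_LIST below depends on DEBUG_KERNEL`, records that and stops a later cleanup from dropping it. The config block continues outside the hunk.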
@@ -102480,7 +102538,7 @@ index e9c6ac7..9551ea7 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1055,7 @@ config INTEL_TXT
+@@ -103,7 +1056,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -105700,7 +105758,7 @@ index 0000000..dd73713
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..f04b680
+index 0000000..592b923
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
@@ -0,0 +1,325 @@
@@ -106023,7 +106081,7 @@ index 0000000..f04b680
+ }
+
+ register_callback(plugin_name, PLUGIN_INFO, NULL, &latent_entropy_plugin_info);
-+ register_callback ("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++ register_callback(plugin_name, PLUGIN_START_UNIT, &start_unit_callback, NULL);
+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &latent_entropy_pass_info);
+ register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
+
@@ -106031,10 +106089,10 @@ index 0000000..f04b680
+}
diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c
new file mode 100644
-index 0000000..4aceb10
+index 0000000..8ed761c6
--- /dev/null
+++ b/tools/gcc/randomize_layout_plugin.c
-@@ -0,0 +1,746 @@
+@@ -0,0 +1,914 @@
+/*
+ * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@grsecurity.net>
+ * and PaX Team <pageexec@freemail.hu>
@@ -106058,7 +106116,7 @@ index 0000000..4aceb10
+static int performance_mode;
+
+static struct plugin_info randomize_layout_plugin_info = {
-+ .version = "201401251240",
++ .version = "201402011940",
+ .help = "disable\t\t\tdo not activate plugin\n"
+ "seed\t\t\tprovide a required 64-byte seed in hex format\n"
+ "performance-mode\tenable cacheline-aware layout randomization\n"
@@ -106333,6 +106391,7 @@ index 0000000..4aceb10
+ unsigned long i;
+ tree list;
+ tree variant;
++ expanded_location xloc;
+
+ if (TYPE_FIELDS(type) == NULL_TREE)
+ return 0;
@@ -106348,6 +106407,12 @@ index 0000000..4aceb10
+ lookup_attribute("no_randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))))
+ return 0;
+
++ /* throw out any structs in uapi */
++ xloc = expand_location(DECL_SOURCE_LOCATION(TYPE_FIELDS(type)));
++
++ if (strstr(xloc.file, "/uapi/"))
++ error(G_("attempted to randomize userland API struct %s"), ORIG_TYPE_NAME(type));
++
+ for (field = TYPE_FIELDS(type), i = 0; field; field = TREE_CHAIN(field), i++) {
+ gcc_assert(TREE_CODE(field) == FIELD_DECL);
+ newtree[i] = field;
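Review bot: `strstr(xloc.file, "/uapi/")` is called without checking that `xloc.file` is non-NULL, and `expand_location` can return a NULL file for built-in or unknown locations, which makes the call undefined behaviour inside the compiler; `if (xloc.file && strstr(xloc.file, "/uapi/"))` closes that. The check also falls through after `error()`, so the uapi struct is still shuffled by the loop that follows; `return 0;` after the diagnostic keeps the failing translation unit from being laid out with a randomized userland ABI struct. Only the first field's location is consulted, which is fine for the usual header layout but worth stating, e.g. `/* the first field's location stands in for the struct's definition site */`. The enclosing function starts and ends outside the hunk.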
@@ -106460,6 +106525,28 @@ index 0000000..4aceb10
+#endif
+}
+
++static void finish_decl(void *event_data, void *data)
++{
++ tree decl = (tree)event_data;
++ tree type;
++
++ if (decl == NULL_TREE || decl == error_mark_node)
++ return;
++
++ type = TREE_TYPE(decl);
++
++ if (TREE_CODE(decl) != VAR_DECL)
++ return;
++
++ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
++ return;
++
++ if (!lookup_attribute("randomize_performed", TYPE_ATTRIBUTES(type)))
++ return;
++
++ relayout_decl(decl);
++}
++
+static void finish_type(void *event_data, void *data)
+{
+ tree type = (tree)event_data;
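Review bot: `finish_decl` has no comment saying what it is for, and a reader who does not know the `randomize_performed` attribute cannot tell why a VAR_DECL needs `relayout_decl` at this point. From the code, it re-lays out each variable whose record or union type carries that attribute, which I take to mean the variable's size and alignment were computed from the pre-shuffle layout; a header comment such as `/* PLUGIN_FINISH_DECL: a variable whose type was already randomized gets its layout (size, alignment) recomputed from the shuffled type */` would record that, with the inference marked as such.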
@@ -106555,6 +106642,138 @@ index 0000000..4aceb10
+ register_attribute(&randomize_performed_attr);
+}
+
++static void check_bad_casts_in_constructor(tree var, tree init)
++{
++ unsigned HOST_WIDE_INT idx;
++ tree field, val;
++ tree field_type, val_type;
++
++ FOR_EACH_CONSTRUCTOR_ELT(CONSTRUCTOR_ELTS(init), idx, field, val) {
++ if (TREE_CODE(val) == CONSTRUCTOR) {
++ check_bad_casts_in_constructor(var, val);
++ continue;
++ }
++
++ field_type = TREE_TYPE(field);
++ val_type = TREE_TYPE(val);
++
++ if (TREE_CODE(field_type) != POINTER_TYPE || TREE_CODE(val_type) != POINTER_TYPE)
++ continue;
++
++ if (field_type == val_type)
++ continue;
++
++ field_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(field_type))));
++ val_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(val_type))));
++
++ if (field_type == void_type_node)
++ continue;
++ if (field_type == val_type)
++ continue;
++ if (TREE_CODE(val_type) != RECORD_TYPE)
++ continue;
++
++ if (!lookup_attribute("randomize_performed", TYPE_ATTRIBUTES(val_type)))
++ continue;
++ inform(DECL_SOURCE_LOCATION(var), "found mismatched struct pointer types: %qT and %qT\n", TYPE_MAIN_VARIANT(field_type), TYPE_MAIN_VARIANT(val_type));
++ }
++}
++
++/* derived from the constify plugin */
++static void check_global_variables(void *event_data, void *data)
++{
++ struct varpool_node *node;
++ tree init;
++
++#if BUILDING_GCC_VERSION <= 4007
++ for (node = varpool_nodes; node; node = node->next) {
++ tree var = node->decl;
++#else
++ FOR_EACH_VARIABLE(node) {
++ tree var = node->symbol.decl;
++#endif
++ init = DECL_INITIAL(var);
++ if (init == NULL_TREE)
++ continue;
++
++ if (TREE_CODE(init) != CONSTRUCTOR)
++ continue;
++
++ check_bad_casts_in_constructor(var, init);
++ }
++}
++
++static bool dominated_by_is_err(const_tree rhs, basic_block bb)
++{
++ basic_block dom;
++ gimple dom_stmt;
++ gimple call_stmt;
++ const_tree dom_lhs;
++ const_tree poss_is_err_cond;
++ const_tree poss_is_err_func;
++ const_tree is_err_arg;
++
++ dom = get_immediate_dominator(CDI_DOMINATORS, bb);
++ if (!dom)
++ return false;
++
++ dom_stmt = last_stmt(dom);
++ if (!dom_stmt)
++ return false;
++
++ if (gimple_code(dom_stmt) != GIMPLE_COND)
++ return false;
++
++ if (gimple_cond_code(dom_stmt) != NE_EXPR)
++ return false;
++
++ if (!integer_zerop(gimple_cond_rhs(dom_stmt)))
++ return false;
++
++ poss_is_err_cond = gimple_cond_lhs(dom_stmt);
++
++ if (TREE_CODE(poss_is_err_cond) != SSA_NAME)
++ return false;
++
++ call_stmt = SSA_NAME_DEF_STMT(poss_is_err_cond);
++
++ if (gimple_code(call_stmt) != GIMPLE_CALL)
++ return false;
++
++ dom_lhs = gimple_get_lhs(call_stmt);
++ poss_is_err_func = gimple_call_fndecl(call_stmt);
++ if (!poss_is_err_func)
++ return false;
++ if (dom_lhs != poss_is_err_cond)
++ return false;
++ if (strcmp(DECL_NAME_POINTER(poss_is_err_func), "IS_ERR"))
++ return false;
++
++ is_err_arg = gimple_call_arg(call_stmt, 0);
++ if (!is_err_arg)
++ return false;
++
++ if (is_err_arg != rhs)
++ return false;
++
++ return true;
++}
++
++static void handle_local_var_initializers(void)
++{
++ tree var;
++ unsigned int i;
++
++ FOR_EACH_LOCAL_DECL(cfun, i, var) {
++ tree init = DECL_INITIAL(var);
++ if (!init)
++ continue;
++ if (TREE_CODE(init) != CONSTRUCTOR)
++ continue;
++ check_bad_casts_in_constructor(var, init);
++ }
++}
++
+/*
+ * iterate over all statements to find "bad" casts:
+ * those where the address of the start of a structure is cast
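Review bot: `dominated_by_is_err` never checks which edge of the dominating `IS_ERR(rhs) != 0` condition leads to `bb`, so a cast placed after an `if (IS_ERR(p)) return ...;` guard — the non-error path, where the pointer is later dereferenced — is suppressed just like a cast inside the error branch. If the intent is to skip only casts of a pointer known to be an ERR_PTR, the edge should be checked before the final `return true`, e.g. `edge e = find_edge(dom, bb); if (!e || !(e->flags & EDGE_TRUE_VALUE)) return false;`, and `get_immediate_dominator` also needs dominance information computed for the pass, which this hunk does not show. In `check_bad_casts_in_constructor`, the `field` yielded by `FOR_EACH_CONSTRUCTOR_ELT` can be `NULL_TREE` for positional elements, and `TREE_TYPE(field)` would then dereference a null tree; `if (field == NULL_TREE) continue;` at the top of the loop body guards it. The `inform` format string ends in `\n`, which GCC's diagnostic machinery already supplies, so it prints an extra blank line.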
@@ -106565,7 +106784,9 @@ index 0000000..4aceb10
+{
+ basic_block bb;
+
-+ FOR_ALL_BB(bb) {
++ handle_local_var_initializers();
++
++ FOR_ALL_BB_FN(bb, cfun) {
+ gimple_stmt_iterator gsi;
+
+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -106612,13 +106833,16 @@ index 0000000..4aceb10
+ TREE_CODE(lhs_type) != POINTER_TYPE)
+ continue;
+
-+ ptr_lhs_type = strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(lhs_type)));
-+ ptr_rhs_type = strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(rhs_type)));
++ ptr_lhs_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(lhs_type))));
++ ptr_rhs_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(rhs_type))));
+
-+ if (TREE_CODE(ptr_lhs_type) != RECORD_TYPE)
++ if (ptr_rhs_type == void_type_node)
+ continue;
+
-+ if (ptr_rhs_type == void_type_node)
++ if (ptr_lhs_type == void_type_node)
++ continue;
++
++ if (dominated_by_is_err(rhs1, bb))
+ continue;
+
+ if (TREE_CODE(ptr_rhs_type) != RECORD_TYPE) {
@@ -106641,7 +106865,7 @@ index 0000000..4aceb10
+ if (TREE_CODE(op0) != VAR_DECL)
+ continue;
+
-+ op0_type = strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(op0)));
++ op0_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(op0))));
+ if (op0_type == ptr_lhs_type)
+ continue;
+
@@ -106692,7 +106916,7 @@ index 0000000..4aceb10
+ .properties_provided = 0,
+ .properties_destroyed = 0,
+ .todo_flags_start = 0,
-+ .todo_flags_finish = TODO_dump_func | TODO_verify_ssa | TODO_verify_stmts | TODO_remove_unused_locals | TODO_update_ssa_no_phi | TODO_cleanup_cfg | TODO_ggc_collect | TODO_verify_flow
++ .todo_flags_finish = TODO_dump_func
+#if BUILDING_GCC_VERSION < 4009
+ }
+#endif
@@ -106774,8 +106998,10 @@ index 0000000..4aceb10
+
+ register_callback(plugin_name, PLUGIN_INFO, NULL, &randomize_layout_plugin_info);
+ if (enable) {
++ register_callback(plugin_name, PLUGIN_ALL_IPA_PASSES_START, check_global_variables, NULL);
+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &randomize_layout_bad_cast_info);
+ register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
++ register_callback(plugin_name, PLUGIN_FINISH_DECL, finish_decl, NULL);
+ }
+ register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
+
@@ -112486,7 +112712,7 @@ index 0000000..0c980be
+nvme_trans_standard_inquiry_page_65526 nvme_trans_standard_inquiry_page 4 65526 NULL
diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
new file mode 100644
-index 0000000..94aa56d
+index 0000000..4a637ab
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin.c
@@ -0,0 +1,4040 @@
@@ -116520,7 +116746,7 @@ index 0000000..94aa56d
+
+ register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info);
+ if (enable) {
-+ register_callback("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++ register_callback(plugin_name, PLUGIN_START_UNIT, &start_unit_callback, NULL);
+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &insert_size_overflow_asm_pass_info);
+// register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &dump_before_pass_info);
+ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &ipa_pass_info);
diff --git a/3.2.54/0000_README b/3.2.54/0000_README
index 1673fee..18647c3 100644
--- a/3.2.54/0000_README
+++ b/3.2.54/0000_README
@@ -134,7 +134,7 @@ Patch: 1053_linux-3.2.54.patch
From: http://www.kernel.org
Desc: Linux 3.2.54
-Patch: 4420_grsecurity-3.0-3.2.54-201401281850.patch
+Patch: 4420_grsecurity-3.0-3.2.54-201402052347.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.54/4420_grsecurity-3.0-3.2.54-201401281850.patch b/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
index 70f1c6f..fa55d46 100644
--- a/3.2.54/4420_grsecurity-3.0-3.2.54-201401281850.patch
+++ b/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
@@ -33948,7 +33948,7 @@ index da3cfee..a5a6606 100644
*ppos = i;
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index c244f0e..3f6ae58 100644
+index c244f0e..4276f28 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -255,10 +255,8 @@
@@ -33964,7 +33964,7 @@ index c244f0e..3f6ae58 100644
#include <asm/processor.h>
#include <asm/uaccess.h>
-@@ -266,129 +264,151 @@
+@@ -266,129 +264,153 @@
#include <asm/irq_regs.h>
#include <asm/io.h>
@@ -33991,6 +33991,8 @@ index c244f0e..3f6ae58 100644
+#endif
+#define SEC_XFER_SIZE 512
+#define EXTRACT_SIZE 10
++
++#define DEBUG_RANDOM_BOOT 0
#define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
@@ -34194,7 +34196,7 @@ index c244f0e..3f6ae58 100644
/*
* Static global variables
*/
-@@ -396,21 +416,6 @@ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
+@@ -396,21 +418,6 @@ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
static struct fasync_struct *fasync;
@@ -34216,7 +34218,7 @@ index c244f0e..3f6ae58 100644
/**********************************************************************
*
* OS independent entropy store. Here are the functions which handle
-@@ -421,22 +426,26 @@ module_param(debug, bool, 0644);
+@@ -421,22 +428,26 @@ module_param(debug, bool, 0644);
struct entropy_store;
struct entropy_store {
/* read-only data: */
@@ -34247,7 +34249,7 @@ index c244f0e..3f6ae58 100644
static __u32 input_pool_data[INPUT_POOL_WORDS];
static __u32 blocking_pool_data[OUTPUT_POOL_WORDS];
static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS];
-@@ -445,7 +454,7 @@ static struct entropy_store input_pool = {
+@@ -445,7 +456,7 @@ static struct entropy_store input_pool = {
.poolinfo = &poolinfo_table[0],
.name = "input",
.limit = 1,
@@ -34256,7 +34258,7 @@ index c244f0e..3f6ae58 100644
.pool = input_pool_data
};
-@@ -454,16 +463,20 @@ static struct entropy_store blocking_pool = {
+@@ -454,16 +465,20 @@ static struct entropy_store blocking_pool = {
.name = "blocking",
.limit = 1,
.pull = &input_pool,
@@ -34281,7 +34283,7 @@ index c244f0e..3f6ae58 100644
};
static __u32 const twist_table[8] = {
-@@ -480,8 +493,8 @@ static __u32 const twist_table[8] = {
+@@ -480,8 +495,8 @@ static __u32 const twist_table[8] = {
* it's cheap to do so and helps slightly in the expected case where
* the entropy is concentrated in the low-order bits.
*/
@@ -34292,7 +34294,7 @@ index c244f0e..3f6ae58 100644
{
unsigned long i, j, tap1, tap2, tap3, tap4, tap5;
int input_rotate;
-@@ -501,7 +514,7 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -501,7 +516,7 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
/* mix one byte at a time to simplify size handling and churn faster */
while (nbytes--) {
@@ -34301,7 +34303,7 @@ index c244f0e..3f6ae58 100644
i = (i - 1) & wordmask;
/* XOR in the various taps */
-@@ -521,11 +534,11 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -521,11 +536,11 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
* rotation, so that successive passes spread the
* input bits across the pool evenly.
*/
@@ -34316,7 +34318,7 @@ index c244f0e..3f6ae58 100644
smp_wmb();
if (out)
-@@ -533,13 +546,21 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -533,13 +548,21 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
((__u32 *)out)[j] = r->pool[(i - j) & wordmask];
}
@@ -34340,7 +34342,7 @@ index c244f0e..3f6ae58 100644
spin_unlock_irqrestore(&r->lock, flags);
}
-@@ -556,58 +577,151 @@ struct fast_pool {
+@@ -556,58 +579,151 @@ struct fast_pool {
* collector. It's hardcoded for an 128 bit pool and assumes that any
* locks that might be needed are taken by the caller.
*/
@@ -34516,7 +34518,7 @@ index c244f0e..3f6ae58 100644
/*********************************************************************
*
* Entropy input management
-@@ -621,42 +735,7 @@ struct timer_rand_state {
+@@ -621,42 +737,7 @@ struct timer_rand_state {
unsigned dont_count_entropy:1;
};
@@ -34560,7 +34562,7 @@ index c244f0e..3f6ae58 100644
/*
* Add device- or boot-specific data to the input and nonblocking
-@@ -669,15 +748,22 @@ static void set_timer_rand_state(unsigned int irq,
+@@ -669,15 +750,22 @@ static void set_timer_rand_state(unsigned int irq,
void add_device_randomness(const void *buf, unsigned int size)
{
unsigned long time = random_get_entropy() ^ jiffies;
@@ -34588,7 +34590,7 @@ index c244f0e..3f6ae58 100644
/*
* This function adds entropy to the entropy "pool" by using timing
-@@ -691,6 +777,7 @@ static struct timer_rand_state input_timer_state;
+@@ -691,6 +779,7 @@ static struct timer_rand_state input_timer_state;
*/
static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
{
@@ -34596,7 +34598,7 @@ index c244f0e..3f6ae58 100644
struct {
long jiffies;
unsigned cycles;
-@@ -699,15 +786,12 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+@@ -699,15 +788,12 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
long delta, delta2, delta3;
preempt_disable();
@@ -34614,7 +34616,7 @@ index c244f0e..3f6ae58 100644
/*
* Calculate number of bits of randomness we probably added.
-@@ -741,10 +825,8 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+@@ -741,10 +827,8 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
* Round down by 1 bit on general principles,
* and limit entropy entimate to 12 bits.
*/
@@ -34626,7 +34628,7 @@ index c244f0e..3f6ae58 100644
preempt_enable();
}
-@@ -757,10 +839,10 @@ void add_input_randomness(unsigned int type, unsigned int code,
+@@ -757,10 +841,10 @@ void add_input_randomness(unsigned int type, unsigned int code,
if (value == last_value)
return;
@@ -34638,7 +34640,7 @@ index c244f0e..3f6ae58 100644
}
EXPORT_SYMBOL_GPL(add_input_randomness);
-@@ -772,20 +854,21 @@ void add_interrupt_randomness(int irq, int irq_flags)
+@@ -772,20 +856,21 @@ void add_interrupt_randomness(int irq, int irq_flags)
struct fast_pool *fast_pool = &__get_cpu_var(irq_randomness);
struct pt_regs *regs = get_irq_regs();
unsigned long now = jiffies;
@@ -34671,7 +34673,7 @@ index c244f0e..3f6ae58 100644
return;
fast_pool->last = now;
-@@ -814,10 +897,8 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -814,10 +899,8 @@ void add_disk_randomness(struct gendisk *disk)
if (!disk || !disk->random)
return;
/* first major is 1, so we get >= 0x200 here */
@@ -34683,7 +34685,7 @@ index c244f0e..3f6ae58 100644
}
#endif
-@@ -835,104 +916,127 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -835,104 +918,127 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
* from the primary pool to the secondary extraction pool. We make
* sure we pull enough for a 'catastrophic reseed'.
*/
@@ -34877,7 +34879,7 @@ index c244f0e..3f6ae58 100644
spin_lock_irqsave(&r->lock, flags);
for (i = 0; i < r->poolinfo->poolwords; i += 16)
sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
-@@ -966,27 +1070,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+@@ -966,27 +1072,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
hash.w[1] ^= hash.w[4];
hash.w[2] ^= rol32(hash.w[2], 16);
@@ -34932,7 +34934,7 @@ index c244f0e..3f6ae58 100644
xfer_secondary_pool(r, nbytes);
nbytes = account(r, nbytes, min, reserved);
-@@ -994,8 +1114,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -994,8 +1116,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
extract_buf(r, tmp);
if (fips_enabled) {
@@ -34941,7 +34943,7 @@ index c244f0e..3f6ae58 100644
spin_lock_irqsave(&r->lock, flags);
if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
panic("Hardware RNG duplicated output!\n");
-@@ -1015,12 +1133,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -1015,12 +1135,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
return ret;
}
@@ -34959,7 +34961,7 @@ index c244f0e..3f6ae58 100644
xfer_secondary_pool(r, nbytes);
nbytes = account(r, nbytes, 0, 0);
-@@ -1036,7 +1159,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1036,7 +1161,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
extract_buf(r, tmp);
i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -34968,7 +34970,7 @@ index c244f0e..3f6ae58 100644
ret = -EFAULT;
break;
}
-@@ -1055,11 +1178,18 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1055,11 +1180,20 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
/*
* This function is the exported kernel interface. It returns some
* number of good random numbers, suitable for key generation, seeding
@@ -34980,16 +34982,18 @@ index c244f0e..3f6ae58 100644
*/
void get_random_bytes(void *buf, int nbytes)
{
++#if DEBUG_RANDOM_BOOT > 0
+ if (unlikely(nonblocking_pool.initialized == 0))
+ printk(KERN_NOTICE "random: %pF get_random_bytes called "
+ "with %d bits of entropy available\n",
+ (void *) _RET_IP_,
+ nonblocking_pool.entropy_total);
++#endif
+ trace_get_random_bytes(nbytes, _RET_IP_);
extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0);
}
EXPORT_SYMBOL(get_random_bytes);
-@@ -1078,6 +1208,7 @@ void get_random_bytes_arch(void *buf, int nbytes)
+@@ -1078,6 +1212,7 @@ void get_random_bytes_arch(void *buf, int nbytes)
{
char *p = buf;
@@ -34997,7 +35001,7 @@ index c244f0e..3f6ae58 100644
while (nbytes) {
unsigned long v;
int chunk = min(nbytes, (int)sizeof(unsigned long));
-@@ -1111,12 +1242,11 @@ static void init_std_data(struct entropy_store *r)
+@@ -1111,12 +1246,11 @@ static void init_std_data(struct entropy_store *r)
ktime_t now = ktime_get_real();
unsigned long rv;
@@ -35013,7 +35017,7 @@ index c244f0e..3f6ae58 100644
mix_pool_bytes(r, &rv, sizeof(rv), NULL);
}
mix_pool_bytes(r, utsname(), sizeof(*(utsname())), NULL);
-@@ -1139,25 +1269,7 @@ static int rand_initialize(void)
+@@ -1139,25 +1273,7 @@ static int rand_initialize(void)
init_std_data(&nonblocking_pool);
return 0;
}
@@ -35040,7 +35044,7 @@ index c244f0e..3f6ae58 100644
#ifdef CONFIG_BLOCK
void rand_initialize_disk(struct gendisk *disk)
-@@ -1169,71 +1281,59 @@ void rand_initialize_disk(struct gendisk *disk)
+@@ -1169,71 +1285,59 @@ void rand_initialize_disk(struct gendisk *disk)
* source.
*/
state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
@@ -35148,7 +35152,7 @@ index c244f0e..3f6ae58 100644
}
static unsigned int
-@@ -1244,9 +1344,9 @@ random_poll(struct file *file, poll_table * wait)
+@@ -1244,9 +1348,9 @@ random_poll(struct file *file, poll_table * wait)
poll_wait(file, &random_read_wait, wait);
poll_wait(file, &random_write_wait, wait);
mask = 0;
@@ -35160,7 +35164,7 @@ index c244f0e..3f6ae58 100644
mask |= POLLOUT | POLLWRNORM;
return mask;
}
-@@ -1297,7 +1397,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1297,7 +1401,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
switch (cmd) {
case RNDGETENTCNT:
/* inherently racy, no point locking */
@@ -35170,7 +35174,7 @@ index c244f0e..3f6ae58 100644
return -EFAULT;
return 0;
case RNDADDTOENTCNT:
-@@ -1305,7 +1406,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1305,7 +1410,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
return -EPERM;
if (get_user(ent_count, p))
return -EFAULT;
@@ -35179,7 +35183,7 @@ index c244f0e..3f6ae58 100644
return 0;
case RNDADDENTROPY:
if (!capable(CAP_SYS_ADMIN))
-@@ -1320,14 +1421,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1320,14 +1425,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
size);
if (retval < 0)
return retval;
@@ -35202,7 +35206,7 @@ index c244f0e..3f6ae58 100644
return 0;
default:
return -EINVAL;
-@@ -1387,23 +1493,23 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1387,23 +1497,23 @@ EXPORT_SYMBOL(generate_random_uuid);
#include <linux/sysctl.h>
static int min_read_thresh = 8, min_write_thresh;
@@ -35233,7 +35237,7 @@ index c244f0e..3f6ae58 100644
unsigned char buf[64], tmp_uuid[16], *uuid;
uuid = table->data;
-@@ -1427,8 +1533,26 @@ static int proc_do_uuid(ctl_table *table, int write,
+@@ -1427,8 +1537,26 @@ static int proc_do_uuid(ctl_table *table, int write,
return proc_dostring(&fake_table, write, buffer, lenp, ppos);
}
@@ -35261,7 +35265,7 @@ index c244f0e..3f6ae58 100644
{
.procname = "poolsize",
.data = &sysctl_poolsize,
-@@ -1440,12 +1564,12 @@ ctl_table random_table[] = {
+@@ -1440,12 +1568,12 @@ ctl_table random_table[] = {
.procname = "entropy_avail",
.maxlen = sizeof(int),
.mode = 0444,
@@ -35276,7 +35280,7 @@ index c244f0e..3f6ae58 100644
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
-@@ -1454,7 +1578,7 @@ ctl_table random_table[] = {
+@@ -1454,7 +1582,7 @@ ctl_table random_table[] = {
},
{
.procname = "write_wakeup_threshold",
@@ -35285,7 +35289,7 @@ index c244f0e..3f6ae58 100644
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
-@@ -1462,6 +1586,13 @@ ctl_table random_table[] = {
+@@ -1462,6 +1590,13 @@ ctl_table random_table[] = {
.extra2 = &max_write_thresh,
},
{
@@ -35299,7 +35303,7 @@ index c244f0e..3f6ae58 100644
.procname = "boot_id",
.data = &sysctl_bootid,
.maxlen = 16,
-@@ -1492,7 +1623,7 @@ int random_int_secret_init(void)
+@@ -1492,7 +1627,7 @@ int random_int_secret_init(void)
* value is not cryptographically secure but for several uses the cost of
* depleting entropy is too high
*/
@@ -35308,7 +35312,7 @@ index c244f0e..3f6ae58 100644
unsigned int get_random_int(void)
{
__u32 *hash;
-@@ -1510,6 +1641,7 @@ unsigned int get_random_int(void)
+@@ -1510,6 +1645,7 @@ unsigned int get_random_int(void)
return ret;
}
@@ -62838,17 +62842,27 @@ index 0000000..c4717f9
+endmenu
diff --git a/grsecurity/Makefile b/grsecurity/Makefile
new file mode 100644
-index 0000000..65d159f
+index 0000000..5cb186f
--- /dev/null
+++ b/grsecurity/Makefile
-@@ -0,0 +1,43 @@
-+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
-+# during 2001-2009 it has been completely redesigned by Brad Spengler
-+# into an RBAC system
+@@ -0,0 +1,53 @@
++# grsecurity – access control and security hardening for Linux
++# All code in this directory and various hooks located throughout the Linux kernel are
++# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
++# http://www.grsecurity.net spender@grsecurity.net
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License version 2
++# as published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
+#
-+# All code in this directory and various hooks inserted throughout the kernel
-+# are copyright Brad Spengler - Open Source Security, Inc., and released
-+# under the GPL v2
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+KBUILD_CFLAGS += -Werror
+
@@ -102107,10 +102121,10 @@ index 38f6617..e70b72b 100755
exuberant()
diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..62953d6 100644
+index 51bd5a0..8c5f2ab 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,953 @@
+@@ -4,6 +4,954 @@
menu "Security options"
@@ -102144,6 +102158,7 @@ index 51bd5a0..62953d6 100644
+ select CRYPTO_SHA256
+ select PROC_FS
+ select STOP_MACHINE
++ select DEBUG_KERNEL
+ select DEBUG_LIST
+ help
+ If you say Y here, you will be able to configure many features
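Review bot: `select DEBUG_KERNEL` is added above the existing `select DEBUG_LIST` without a comment; presumably it is there because DEBUG_LIST depends on DEBUG_KERNEL and `select` does not check the selected symbol's own dependencies, so a configuration enabling this option would otherwise end up with DEBUG_LIST set while its prerequisite is not. That reasoning should be recorded in the block, e.g. `# DEBUG_LIST depends on DEBUG_KERNEL; select it so the select below is satisfied`. If the intent is narrower than forcing DEBUG_KERNEL on for every user of this option, `depends on DEBUG_KERNEL` plus a sentence in the help text would make the requirement visible instead of implicit. The enclosing config block starts before this hunk.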
@@ -103064,7 +103079,7 @@ index 51bd5a0..62953d6 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1116,7 @@ config INTEL_TXT
+@@ -169,7 +1117,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX