-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209101829.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209062129.patch) | 99 | ||||
-rw-r--r-- | 3.2.28/0000_README | 2 | ||||
-rw-r--r-- | 3.2.28/4420_grsecurity-2.9.1-3.2.28-201209101830.patch (renamed from 3.2.28/4420_grsecurity-2.9.1-3.2.28-201209062131.patch) | 59 | ||||
-rw-r--r-- | 3.5.3/0000_README | 2 | ||||
-rw-r--r-- | 3.5.3/4420_grsecurity-2.9.1-3.5.3-201209101830.patch (renamed from 3.5.3/4420_grsecurity-2.9.1-3.5.3-201209062131.patch) | 81 |
6 files changed, 146 insertions, 99 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 6210bbc..186798a 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.59-201209062129.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.59-201209101829.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209062129.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209101829.patch index 89a32c4..83e390b 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209062129.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201209101829.patch @@ -72484,7 +72484,7 @@ index ec88ff3..b843a82 100644 cache->c_bucket_bits = bucket_bits; #ifdef MB_CACHE_INDEXES_COUNT diff --git a/fs/namei.c b/fs/namei.c -index b0afbd4..e3fc8f4 100644 +index b0afbd4..e6236df 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -224,6 +224,14 @@ int generic_permission(struct inode *inode, int mask, @@ -72540,13 +72540,13 @@ index b0afbd4..e3fc8f4 100644 dentry->d_inode->i_op->put_link(dentry, nd, cookie); } + -+ if (!error && !(nd->flags & LOOKUP_PARENT) && gr_handle_symlink_owner(path, nd->path.dentry->d_inode)) ++ if (!error && (nd->flags & LOOKUP_SYMLINKOWN) && gr_handle_symlink_owner(path, nd->path.dentry->d_inode)) + error = -EACCES; + path_put(path); return error; -@@ -669,6 +674,13 @@ static inline int do_follow_link(struct path *path, struct nameidata *nd) +@@ -669,9 +674,17 @@ static inline int do_follow_link(struct path *path, struct nameidata *nd) err = security_inode_follow_link(path->dentry, nd); if (err) goto loop; 
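Review bot: The ownership check in `__do_follow_link()` is now opt-in: it runs only when the caller has set `LOOKUP_SYMLINKOWN`, so a call path that forgets the bit skips `gr_handle_symlink_owner()` silently, where the old `!(nd->flags & LOOKUP_PARENT)` test ran it by default. Neither this check nor the `#define LOOKUP_SYMLINKOWN 128` added to include/linux/namei.h later in the patch documents that contract. A comment above the check such as `/* LOOKUP_SYMLINKOWN: set by do_follow_link(); do_filp_open() clears it and checks ownership itself after lookup_hash() */`, plus a matching one-liner on the define, would make the fail-open default visible to anyone adding a caller. The function starts outside the hunk.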
@@ -72560,7 +72560,11 @@ index b0afbd4..e3fc8f4 100644 current->link_count++; current->total_link_count++; nd->depth++; -@@ -1016,11 +1028,19 @@ return_reval: ++ nd->flags |= LOOKUP_SYMLINKOWN; + err = __do_follow_link(path, nd); + current->link_count--; + nd->depth--; +@@ -1016,11 +1029,19 @@ return_reval: break; } return_base: @@ -72580,7 +72584,7 @@ index b0afbd4..e3fc8f4 100644 path_put(&nd->path); return_err: return err; -@@ -1091,13 +1111,20 @@ static int do_path_lookup(int dfd, const char *name, +@@ -1091,13 +1112,20 @@ static int do_path_lookup(int dfd, const char *name, int retval = path_init(dfd, name, flags, nd); if (!retval) retval = path_walk(name, nd); @@ -72604,7 +72608,7 @@ index b0afbd4..e3fc8f4 100644 return retval; } -@@ -1576,6 +1603,20 @@ int may_open(struct path *path, int acc_mode, int flag) +@@ -1576,6 +1604,20 @@ int may_open(struct path *path, int acc_mode, int flag) if (error) goto err_out; @@ -72625,7 +72629,7 @@ index b0afbd4..e3fc8f4 100644 if (flag & O_TRUNC) { error = get_write_access(inode); if (error) -@@ -1620,6 +1661,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, +@@ -1620,6 +1662,17 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, { int error; struct dentry *dir = nd->path.dentry; @@ -72643,7 +72647,7 @@ index b0afbd4..e3fc8f4 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); -@@ -1627,6 +1679,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, +@@ -1627,6 +1680,8 @@ static int __open_namei_create(struct nameidata *nd, struct path *path, if (error) goto out_unlock; error = vfs_create(dir->d_inode, path->dentry, mode, nd); 
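Review bot: `nd->flags |= LOOKUP_SYMLINKOWN;` in do_follow_link is not paired with a restore in the visible lines, so the bit appears to stay set in `nd->flags` after `__do_follow_link()` returns. do_filp_open clears it just before its own `__do_follow_link()` call, but the check inside `__do_follow_link()` runs after the link body has been walked, so a nested link followed through do_follow_link during that walk would presumably turn the bit back on and trigger the in-function check in addition to the explicit one after `lookup_hash()`. If that is not intended, save and restore the bit: `unsigned int saved = nd->flags & LOOKUP_SYMLINKOWN;` before the call and `nd->flags = (nd->flags & ~LOOKUP_SYMLINKOWN) | saved;` after it. do_follow_link's body continues outside the hunk, so a later clear may exist there.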
@@ -72652,7 +72656,7 @@ index b0afbd4..e3fc8f4 100644 out_unlock: mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); -@@ -1684,6 +1738,7 @@ struct file *do_filp_open(int dfd, const char *pathname, +@@ -1684,6 +1739,7 @@ struct file *do_filp_open(int dfd, const char *pathname, struct nameidata nd; int error; struct path path; @@ -72660,7 +72664,7 @@ index b0afbd4..e3fc8f4 100644 struct dentry *dir; int count = 0; int will_write; -@@ -1709,6 +1764,22 @@ struct file *do_filp_open(int dfd, const char *pathname, +@@ -1709,6 +1765,22 @@ struct file *do_filp_open(int dfd, const char *pathname, &nd, flag); if (error) return ERR_PTR(error); @@ -72683,7 +72687,7 @@ index b0afbd4..e3fc8f4 100644 goto ok; } -@@ -1795,6 +1866,19 @@ do_last: +@@ -1795,6 +1867,19 @@ do_last: /* * It already exists. */ @@ -72703,7 +72707,7 @@ index b0afbd4..e3fc8f4 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path.dentry); -@@ -1887,6 +1971,13 @@ do_link: +@@ -1887,6 +1972,14 @@ do_link: error = security_inode_follow_link(path.dentry, &nd); if (error) goto exit_dput; @@ -72714,10 +72718,11 @@ index b0afbd4..e3fc8f4 100644 + goto exit_dput; + } + ++ nd.flags &= ~LOOKUP_SYMLINKOWN; error = __do_follow_link(&path, &nd); if (error) { /* Does someone understand code flow here? Or it is only -@@ -1915,9 +2006,15 @@ do_link: +@@ -1915,9 +2008,24 @@ do_link: } dir = nd.path.dentry; mutex_lock(&dir->d_inode->i_mutex); 
@@ -72726,14 +72731,23 @@ index b0afbd4..e3fc8f4 100644 path.dentry = lookup_hash(&nd); path.mnt = nd.path.mnt; __putname(nd.last.name); -+ if (!IS_ERR(path.dentry) && gr_handle_symlink_owner(&link_path, path.dentry->d_inode)) { -+ error = -EACCES; -+ goto exit_mutex_unlock; ++ ++ /* if the last path component resolved by the symlink exists, then check ownership against that ++ if it doesn't, we're trying to create it, check ownership against its directory ++ */ ++ if (!IS_ERR(path.dentry) && !IS_ERR(nd.intent.open.file)) { ++ if (path.dentry->d_inode && gr_handle_symlink_owner(&link_path, path.dentry->d_inode)) { ++ error = -EACCES; ++ goto exit_mutex_unlock; ++ } else if (!path.dentry->d_inode && gr_handle_symlink_owner(&link_path, dir->d_inode)) { ++ error = -EACCES; ++ goto exit_mutex_unlock; ++ } + } goto do_last; } -@@ -1984,6 +2081,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir) +@@ -1984,6 +2092,10 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir) } return dentry; eexist: @@ -72744,7 +72758,7 @@ index b0afbd4..e3fc8f4 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2061,6 +2162,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2061,6 +2173,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, error = may_mknod(mode); if (error) goto out_dput; @@ -72762,7 +72776,7 @@ index b0afbd4..e3fc8f4 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2081,6 +2193,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2081,6 +2204,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, } out_drop_write: mnt_drop_write(nd.path.mnt); 
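Review bot: The two branches added after `lookup_hash()` in do_link differ only in which inode is handed to `gr_handle_symlink_owner()`, and the duplicated `error = -EACCES; goto exit_mutex_unlock;` makes it easy to change one deny path and miss the other. Choosing the inode first, `struct inode *target = path.dentry->d_inode ? path.dentry->d_inode : dir->d_inode;`, followed by a single `if (gr_handle_symlink_owner(&link_path, target))`, keeps the denial in one place. The guard also skips the check whenever `nd.intent.open.file` is an error pointer, which the new comment does not explain; one line saying why that case may reach do_last unchecked would help. do_filp_open's body extends outside the hunk.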
@@ -72772,7 +72786,7 @@ index b0afbd4..e3fc8f4 100644 out_dput: dput(dentry); out_unlock: -@@ -2134,6 +2249,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2134,6 +2260,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) if (IS_ERR(dentry)) goto out_unlock; @@ -72784,7 +72798,7 @@ index b0afbd4..e3fc8f4 100644 if (!IS_POSIXACL(nd.path.dentry->d_inode)) mode &= ~current_umask(); error = mnt_want_write(nd.path.mnt); -@@ -2145,6 +2265,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2145,6 +2276,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode); out_drop_write: mnt_drop_write(nd.path.mnt); @@ -72795,7 +72809,7 @@ index b0afbd4..e3fc8f4 100644 out_dput: dput(dentry); out_unlock: -@@ -2226,6 +2350,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2226,6 +2361,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -72804,7 +72818,7 @@ index b0afbd4..e3fc8f4 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2250,6 +2376,17 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2250,6 +2387,17 @@ static long do_rmdir(int dfd, const char __user *pathname) error = PTR_ERR(dentry); if (IS_ERR(dentry)) goto exit2; @@ -72822,7 +72836,7 @@ index b0afbd4..e3fc8f4 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2257,6 +2394,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2257,6 +2405,8 @@ static long do_rmdir(int dfd, const char __user *pathname) if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); 
@@ -72831,7 +72845,7 @@ index b0afbd4..e3fc8f4 100644 exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2318,6 +2457,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2318,6 +2468,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -72840,7 +72854,7 @@ index b0afbd4..e3fc8f4 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2337,8 +2478,19 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2337,8 +2489,19 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (nd.last.name[nd.last.len]) goto slashes; inode = dentry->d_inode; @@ -72861,7 +72875,7 @@ index b0afbd4..e3fc8f4 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2346,6 +2498,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2346,6 +2509,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); @@ -72870,7 +72884,7 @@ index b0afbd4..e3fc8f4 100644 exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2424,6 +2578,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2424,6 +2589,11 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, if (IS_ERR(dentry)) goto out_unlock; @@ -72882,7 +72896,7 @@ index b0afbd4..e3fc8f4 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2431,6 +2590,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2431,6 +2601,8 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, if (error) goto out_drop_write; error = vfs_symlink(nd.path.dentry->d_inode, dentry, from); 
@@ -72891,7 +72905,7 @@ index b0afbd4..e3fc8f4 100644 out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2524,6 +2685,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2524,6 +2696,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out_unlock; @@ -72912,7 +72926,7 @@ index b0afbd4..e3fc8f4 100644 error = mnt_want_write(nd.path.mnt); if (error) goto out_dput; -@@ -2531,6 +2706,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2531,6 +2717,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) goto out_drop_write; error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry); @@ -72921,7 +72935,7 @@ index b0afbd4..e3fc8f4 100644 out_drop_write: mnt_drop_write(nd.path.mnt); out_dput: -@@ -2708,6 +2885,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2708,6 +2896,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, char *to; int error; @@ -72930,7 +72944,7 @@ index b0afbd4..e3fc8f4 100644 error = user_path_parent(olddfd, oldname, &oldnd, &from); if (error) goto exit; -@@ -2764,6 +2943,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2764,6 +2954,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; @@ -72943,7 +72957,7 @@ index b0afbd4..e3fc8f4 100644 error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -2773,6 +2958,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -2773,6 +2969,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); 
@@ -72953,7 +72967,7 @@ index b0afbd4..e3fc8f4 100644 exit6: mnt_drop_write(oldnd.path.mnt); exit5: -@@ -2798,6 +2986,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -2798,6 +2997,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -72962,7 +72976,7 @@ index b0afbd4..e3fc8f4 100644 int len; len = PTR_ERR(link); -@@ -2807,7 +2997,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -2807,7 +3008,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; @@ -90173,7 +90187,7 @@ index 878cab4..c92cb3e 100644 #ifdef CONFIG_DEBUG_MUTEXES const char *name; diff --git a/include/linux/namei.h b/include/linux/namei.h -index ec0f607..d19e675 100644 +index ec0f607..fa088ac4 100644 --- a/include/linux/namei.h +++ b/include/linux/namei.h @@ -22,7 +22,7 @@ struct nameidata { @@ -90185,7 +90199,16 @@ index ec0f607..d19e675 100644 /* Intent data */ union { -@@ -84,12 +84,12 @@ extern int follow_up(struct path *); +@@ -49,6 +49,8 @@ enum {LAST_NORM, LAST_ROOT, LAST_DOT, LAST_DOTDOT, LAST_BIND}; + #define LOOKUP_CONTINUE 4 + #define LOOKUP_PARENT 16 + #define LOOKUP_REVAL 64 ++#define LOOKUP_SYMLINKOWN 128 ++ + /* + * Intent data + */ +@@ -84,12 +86,12 @@ extern int follow_up(struct path *); extern struct dentry *lock_rename(struct dentry *, struct dentry *); extern void unlock_rename(struct dentry *, struct dentry *); diff --git a/3.2.28/0000_README b/3.2.28/0000_README index 839467e..d624bbd 100644 --- a/3.2.28/0000_README +++ b/3.2.28/0000_README @@ -30,7 +30,7 @@ Patch: 1027_linux-3.2.28.patch From: http://www.kernel.org Desc: Linux 3.2.28 -Patch: 4420_grsecurity-2.9.1-3.2.28-201209062131.patch +Patch: 4420_grsecurity-2.9.1-3.2.28-201209101830.patch 
From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.28/4420_grsecurity-2.9.1-3.2.28-201209062131.patch b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201209101830.patch index 22eeec5..e92d98d 100644 --- a/3.2.28/4420_grsecurity-2.9.1-3.2.28-201209062131.patch +++ b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201209101830.patch @@ -47613,7 +47613,7 @@ index fcc50ab..c3dacf2 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index 9680cef..8af5ce7 100644 +index 9680cef..1abcb10 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask) @@ -47851,11 +47851,16 @@ index 9680cef..8af5ce7 100644 audit_inode(pathname, nd->path.dentry); goto ok; } -@@ -2180,6 +2278,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2180,6 +2278,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode) { int mode = op->mode; + ++ if (link && gr_handle_symlink_owner(link, dir->d_inode)) { ++ error = -EACCES; ++ goto exit_mutex_unlock; ++ } ++ + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, open_flag, acc_mode, mode)) { + error = -EACCES; + goto exit_mutex_unlock; @@ -47864,7 +47869,7 @@ index 9680cef..8af5ce7 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2203,6 +2307,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2203,6 +2312,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = vfs_create(dir->d_inode, dentry, mode, nd); if (error) goto exit_mutex_unlock; 
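Review bot: The `gr_handle_symlink_owner(link, dir->d_inode)` check added to the negative-dentry branch of do_last has no comment saying why the directory inode is passed rather than the target. The 2.6.32 variant of the same fix carries that explanation (the target does not exist yet, so ownership is checked against its directory), and the 3.5.3 hunk at `retry_lookup:` omits it as well. Suggest adding `/* creating through a symlink: no target inode yet, check the link owner against the directory */` above the `if` in both places. do_last extends beyond the hunk on both sides.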
@@ -47873,7 +47878,7 @@ index 9680cef..8af5ce7 100644 mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); nd->path.dentry = dentry; -@@ -2212,6 +2318,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2212,6 +2323,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path, /* * It already exists. */ @@ -47893,7 +47898,7 @@ index 9680cef..8af5ce7 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path->dentry); -@@ -2230,11 +2349,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2230,11 +2354,17 @@ static struct file *do_last(struct nameidata *nd, struct path *path, if (!path->dentry->d_inode) goto exit_dput; @@ -47912,7 +47917,7 @@ index 9680cef..8af5ce7 100644 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ error = complete_walk(nd); if (error) -@@ -2242,6 +2367,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, +@@ -2242,6 +2372,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path, error = -EISDIR; if (S_ISDIR(nd->inode->i_mode)) goto exit; @@ -47925,7 +47930,7 @@ index 9680cef..8af5ce7 100644 ok: if (!S_ISREG(nd->inode->i_mode)) will_truncate = 0; -@@ -2314,7 +2445,7 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2314,7 +2450,7 @@ static struct file *path_openat(int dfd, const char *pathname, if (unlikely(error)) goto out_filp; @@ -47934,7 +47939,7 @@ index 9680cef..8af5ce7 100644 while (unlikely(!filp)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -2329,8 +2460,9 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2329,8 +2465,9 @@ static struct file *path_openat(int dfd, const char *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) filp = ERR_PTR(error); 
@@ -47946,7 +47951,7 @@ index 9680cef..8af5ce7 100644 put_link(nd, &link, cookie); } out: -@@ -2424,6 +2556,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path +@@ -2424,6 +2561,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path *path = nd.path; return dentry; eexist: @@ -47958,7 +47963,7 @@ index 9680cef..8af5ce7 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2446,6 +2583,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat +@@ -2446,6 +2588,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat } EXPORT_SYMBOL(user_path_create); @@ -47979,7 +47984,7 @@ index 9680cef..8af5ce7 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -2513,6 +2664,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2513,6 +2669,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -47997,7 +48002,7 @@ index 9680cef..8af5ce7 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out_drop_write; -@@ -2530,6 +2692,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, +@@ -2530,6 +2697,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, int, mode, } out_drop_write: mnt_drop_write(path.mnt); @@ -48007,7 +48012,7 @@ index 9680cef..8af5ce7 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2579,12 +2744,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) +@@ -2579,12 +2749,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, int, mode) error = mnt_want_write(path.mnt); if (error) goto out_dput; 
@@ -48029,7 +48034,7 @@ index 9680cef..8af5ce7 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2664,6 +2838,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2664,6 +2843,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -48038,7 +48043,7 @@ index 9680cef..8af5ce7 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2692,6 +2868,15 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2692,6 +2873,15 @@ static long do_rmdir(int dfd, const char __user *pathname) error = -ENOENT; goto exit3; } @@ -48054,7 +48059,7 @@ index 9680cef..8af5ce7 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit3; -@@ -2699,6 +2884,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2699,6 +2889,8 @@ static long do_rmdir(int dfd, const char __user *pathname) if (error) goto exit4; error = vfs_rmdir(nd.path.dentry->d_inode, dentry); @@ -48063,7 +48068,7 @@ index 9680cef..8af5ce7 100644 exit4: mnt_drop_write(nd.path.mnt); exit3: -@@ -2761,6 +2948,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2761,6 +2953,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; @@ -48072,7 +48077,7 @@ index 9680cef..8af5ce7 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2783,6 +2972,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2783,6 +2977,16 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (!inode) goto slashes; ihold(inode); 
@@ -48089,7 +48094,7 @@ index 9680cef..8af5ce7 100644 error = mnt_want_write(nd.path.mnt); if (error) goto exit2; -@@ -2790,6 +2989,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -2790,6 +2994,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) if (error) goto exit3; error = vfs_unlink(nd.path.dentry->d_inode, dentry); @@ -48098,7 +48103,7 @@ index 9680cef..8af5ce7 100644 exit3: mnt_drop_write(nd.path.mnt); exit2: -@@ -2865,10 +3066,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, +@@ -2865,10 +3071,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname, error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -48117,7 +48122,7 @@ index 9680cef..8af5ce7 100644 out_drop_write: mnt_drop_write(path.mnt); out_dput: -@@ -2940,6 +3149,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2940,6 +3154,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, { struct dentry *new_dentry; struct path old_path, new_path; @@ -48125,7 +48130,7 @@ index 9680cef..8af5ce7 100644 int how = 0; int error; -@@ -2963,7 +3173,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2963,7 +3178,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, if (error) return error; @@ -48134,7 +48139,7 @@ index 9680cef..8af5ce7 100644 error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out; -@@ -2974,13 +3184,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -2974,13 +3189,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, error = mnt_want_write(new_path.mnt); if (error) goto out_dput; 
@@ -48165,7 +48170,7 @@ index 9680cef..8af5ce7 100644 dput(new_dentry); mutex_unlock(&new_path.dentry->d_inode->i_mutex); path_put(&new_path); -@@ -3208,6 +3435,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3208,6 +3440,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, if (new_dentry == trap) goto exit5; @@ -48178,7 +48183,7 @@ index 9680cef..8af5ce7 100644 error = mnt_want_write(oldnd.path.mnt); if (error) goto exit5; -@@ -3217,6 +3450,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, +@@ -3217,6 +3455,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname, goto exit6; error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); @@ -48188,7 +48193,7 @@ index 9680cef..8af5ce7 100644 exit6: mnt_drop_write(oldnd.path.mnt); exit5: -@@ -3242,6 +3478,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna +@@ -3242,6 +3483,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) { @@ -48197,7 +48202,7 @@ index 9680cef..8af5ce7 100644 int len; len = PTR_ERR(link); -@@ -3251,7 +3489,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c +@@ -3251,7 +3494,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c len = strlen(link); if (len > (unsigned) buflen) len = buflen; diff --git a/3.5.3/0000_README b/3.5.3/0000_README index a299929..410199b 100644 --- a/3.5.3/0000_README +++ b/3.5.3/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.5.3-201209062131.patch +Patch: 4420_grsecurity-2.9.1-3.5.3-201209101830.patch 
From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.5.3/4420_grsecurity-2.9.1-3.5.3-201209062131.patch b/3.5.3/4420_grsecurity-2.9.1-3.5.3-201209101830.patch index 07e504b..4e23b0e 100644 --- a/3.5.3/4420_grsecurity-2.9.1-3.5.3-201209062131.patch +++ b/3.5.3/4420_grsecurity-2.9.1-3.5.3-201209101830.patch @@ -23418,7 +23418,7 @@ index e5b130b..6690d31 100644 +} +EXPORT_SYMBOL(copy_to_user_overflow); diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c -index 903ec1e..af8e064 100644 +index 903ec1e..c4166b2 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -6,12 +6,24 @@ @@ -23428,7 +23428,7 @@ index 903ec1e..af8e064 100644 - return (unsigned long)&x->insn + x->insn; + unsigned long reloc = 0; + -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) + reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; +#endif + @@ -23440,7 +23440,7 @@ index 903ec1e..af8e064 100644 - return (unsigned long)&x->fixup + x->fixup; + unsigned long reloc = 0; + -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32) ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) + reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; +#endif + @@ -23457,6 +23457,20 @@ index 903ec1e..af8e064 100644 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp; extern u32 pnp_bios_is_utter_crap; pnp_bios_is_utter_crap = 1; +@@ -145,6 +157,13 @@ void sort_extable(struct exception_table_entry *start, + i += 4; + p->fixup -= i; + i += 4; ++ ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++ BUILD_BUG_ON(!IS_ENABLED(CONFIG_BUILDTIME_EXTABLE_SORT)); ++ p->insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++ p->fixup -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR; ++#endif ++ + } + } + diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index 76dcd9d..e9dffde 100644 --- a/arch/x86/mm/fault.c 
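Review bot: The block added to the sort_extable loop that does `p->fixup -= i` subtracts `____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR` from `p->insn` and `p->fixup` with no comment, and the `BUILD_BUG_ON(!IS_ENABLED(CONFIG_BUILDTIME_EXTABLE_SORT))` above it is equally unexplained. Presumably the subtraction cancels the `reloc` that the two address helpers earlier in this file add back, for tables that reach this run-time sort; a comment saying so, e.g. `/* pre-subtract the KERNEXEC delta that the insn/fixup address helpers add */`, would keep the three copies of the expression from drifting apart. It is also worth confirming that the delta fits the width of the `insn`/`fixup` fields, whose declaration is not visible here. sort_extable begins outside the hunk.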
@@ -47156,7 +47170,7 @@ index 82c3533..34e929c 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index 7d69419..10c6af6 100644 +index 7d69419..c7a09f0 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask) @@ -47355,11 +47369,16 @@ index 7d69419..10c6af6 100644 audit_inode(pathname, dir); goto ok; } -@@ -2285,6 +2364,12 @@ retry_lookup: +@@ -2285,6 +2364,17 @@ retry_lookup: /* Negative dentry, just create the file */ if (!dentry->d_inode) { umode_t mode = op->mode; + ++ if (link && gr_handle_symlink_owner(link, dir->d_inode)) { ++ error = -EACCES; ++ goto exit_mutex_unlock; ++ } ++ + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, open_flag, acc_mode, mode)) { + error = -EACCES; + goto exit_mutex_unlock; @@ -47368,7 +47387,7 @@ index 7d69419..10c6af6 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -2308,6 +2393,8 @@ retry_lookup: +@@ -2308,6 +2398,8 @@ retry_lookup: error = vfs_create(dir->d_inode, dentry, mode, nd); if (error) goto exit_mutex_unlock; @@ -47377,7 +47396,7 @@ index 7d69419..10c6af6 100644 mutex_unlock(&dir->d_inode->i_mutex); dput(nd->path.dentry); nd->path.dentry = dentry; -@@ -2317,6 +2404,23 @@ retry_lookup: +@@ -2317,6 +2409,23 @@ retry_lookup: /* * It already exists. */ @@ -47401,7 +47420,7 @@ index 7d69419..10c6af6 100644 mutex_unlock(&dir->d_inode->i_mutex); audit_inode(pathname, path->dentry); -@@ -2349,6 +2453,11 @@ finish_lookup: +@@ -2349,6 +2458,11 @@ finish_lookup: } } BUG_ON(inode != path->dentry->d_inode); @@ -47413,7 +47432,7 @@ index 7d69419..10c6af6 100644 return NULL; } -@@ -2358,7 +2467,6 @@ finish_lookup: +@@ -2358,7 +2472,6 @@ finish_lookup: save_parent.dentry = nd->path.dentry; save_parent.mnt = mntget(path->mnt); nd->path.dentry = path->dentry; 
@@ -47421,7 +47440,7 @@ index 7d69419..10c6af6 100644 } nd->inode = inode; /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */ -@@ -2367,6 +2475,21 @@ finish_lookup: +@@ -2367,6 +2480,21 @@ finish_lookup: path_put(&save_parent); return ERR_PTR(error); } @@ -47443,7 +47462,7 @@ index 7d69419..10c6af6 100644 error = -EISDIR; if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode)) goto exit; -@@ -2461,7 +2584,7 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2461,7 +2589,7 @@ static struct file *path_openat(int dfd, const char *pathname, if (unlikely(error)) goto out_filp; @@ -47452,7 +47471,7 @@ index 7d69419..10c6af6 100644 while (unlikely(!filp)) { /* trailing symlink */ struct path link = path; void *cookie; -@@ -2476,8 +2599,9 @@ static struct file *path_openat(int dfd, const char *pathname, +@@ -2476,8 +2604,9 @@ static struct file *path_openat(int dfd, const char *pathname, error = follow_link(&link, nd, &cookie); if (unlikely(error)) filp = ERR_PTR(error); @@ -47464,7 +47483,7 @@ index 7d69419..10c6af6 100644 put_link(nd, &link, cookie); } out: -@@ -2577,6 +2701,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path +@@ -2577,6 +2706,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path *path = nd.path; return dentry; eexist: @@ -47476,7 +47495,7 @@ index 7d69419..10c6af6 100644 dput(dentry); dentry = ERR_PTR(-EEXIST); fail: -@@ -2599,6 +2728,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat +@@ -2599,6 +2733,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat } EXPORT_SYMBOL(user_path_create); 
@@ -47497,7 +47516,7 @@ index 7d69419..10c6af6 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -2665,6 +2808,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, +@@ -2665,6 +2813,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -47515,7 +47534,7 @@ index 7d69419..10c6af6 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out_drop_write; -@@ -2682,6 +2836,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, +@@ -2682,6 +2841,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode, } out_drop_write: mnt_drop_write(path.mnt); @@ -47525,7 +47544,7 @@ index 7d69419..10c6af6 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2735,12 +2892,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode) +@@ -2735,12 +2897,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode) error = mnt_want_write(path.mnt); if (error) goto out_dput; @@ -47547,7 +47566,7 @@ index 7d69419..10c6af6 100644 out_dput: dput(dentry); mutex_unlock(&path.dentry->d_inode->i_mutex); -@@ -2820,6 +2986,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2820,6 +2991,8 @@ static long do_rmdir(int dfd, const char __user *pathname) char * name; struct dentry *dentry; struct nameidata nd; @@ -47556,7 +47575,7 @@ index 7d69419..10c6af6 100644 error = user_path_parent(dfd, pathname, &nd, &name); if (error) -@@ -2848,6 +3016,15 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -2848,6 +3021,15 @@ static long do_rmdir(int dfd, const char __user *pathname) error = -ENOENT; goto exit3; } 
@@ -47572,7 +47591,7 @@ index 7d69419..10c6af6 100644
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto exit3;
-@@ -2855,6 +3032,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2855,6 +3037,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
 if (error)
 goto exit4;
 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -47581,7 +47600,7 @@ index 7d69419..10c6af6 100644
 exit4:
 mnt_drop_write(nd.path.mnt);
 exit3:
-@@ -2917,6 +3096,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2917,6 +3101,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
 struct dentry *dentry;
 struct nameidata nd;
 struct inode *inode = NULL;
@@ -47590,7 +47609,7 @@ index 7d69419..10c6af6 100644
 error = user_path_parent(dfd, pathname, &nd, &name);
 if (error)
-@@ -2939,6 +3120,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2939,6 +3125,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
 if (!inode)
 goto slashes;
 ihold(inode);
@@ -47607,7 +47626,7 @@ index 7d69419..10c6af6 100644
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto exit2;
-@@ -2946,6 +3137,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2946,6 +3142,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
 if (error)
 goto exit3;
 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -47616,7 +47635,7 @@ index 7d69419..10c6af6 100644
 exit3:
 mnt_drop_write(nd.path.mnt);
 exit2:
-@@ -3021,10 +3214,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -3021,10 +3219,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
 error = mnt_want_write(path.mnt);
 if (error)
 goto out_dput;
@@ -47635,7 +47654,7 @@ index 7d69419..10c6af6 100644
 out_drop_write:
 mnt_drop_write(path.mnt);
 out_dput:
-@@ -3099,6 +3300,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3099,6 +3305,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
 {
 struct dentry *new_dentry;
 struct path old_path, new_path;
@@ -47643,7 +47662,7 @@ index 7d69419..10c6af6 100644
 int how = 0;
 int error;
-@@ -3122,7 +3324,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3122,7 +3329,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
 if (error)
 return error;
@@ -47652,7 +47671,7 @@ index 7d69419..10c6af6 100644
 error = PTR_ERR(new_dentry);
 if (IS_ERR(new_dentry))
 goto out;
-@@ -3133,13 +3335,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3133,13 +3340,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
 error = mnt_want_write(new_path.mnt);
 if (error)
 goto out_dput;
@@ -47683,7 +47702,7 @@ index 7d69419..10c6af6 100644
 dput(new_dentry);
 mutex_unlock(&new_path.dentry->d_inode->i_mutex);
 path_put(&new_path);
-@@ -3373,6 +3592,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3373,6 +3597,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
 if (new_dentry == trap)
 goto exit5;
@@ -47696,7 +47715,7 @@ index 7d69419..10c6af6 100644
 error = mnt_want_write(oldnd.path.mnt);
 if (error)
 goto exit5;
-@@ -3382,6 +3607,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3382,6 +3612,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
 goto exit6;
 error = vfs_rename(old_dir->d_inode, old_dentry,
 new_dir->d_inode, new_dentry);
@@ -47706,7 +47725,7 @@ index 7d69419..10c6af6 100644
 exit6:
 mnt_drop_write(oldnd.path.mnt);
 exit5:
-@@ -3407,6 +3635,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3407,6 +3640,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
 {
@@ -47715,7 +47734,7 @@ index 7d69419..10c6af6 100644
 int len;
 len = PTR_ERR(link);
-@@ -3416,7 +3646,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3416,7 +3651,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
 len = strlen(link);
 if (len > (unsigned) buflen)
 len = buflen; |