I've put updated patches on
http://molly.corsac.net/~corsac/debian/kernel-grsec/patches/ (the kernel is
built but not uploaded to packages/ since it's quite huge; I will do that
at some point). The patches are attached to this mail too.
The first one (add-grsecurity-featureset) is against the Debian kernel
svn tree and adds the featureset, while the second (debian-grsecurity) is
against the grsecurity upstream patch and adapts it to the current
Debian kernel sources (it removes the changes already backported by the
kernel team, etc.).
I expect it to be much smaller for 2.6.37.
The patch and build procedure is:
# Build procedure for the grsec featureset kernel: Debian's linux-2.6 packaging tree
# plus the grsecurity upstream patch, adapted by the two patches described above.
mkdir kernel-grsec
cd kernel-grsec
# Check out the Debian kernel packaging for sid.
svn co svn://svn.debian.org/svn/kernel/dists/sid/linux-2.6
cd linux-2.6
# Adds the grsec featureset to the packaging. This pipes a plain-http download straight
# into patch; safer to save it to a file first and compare it with the sha1sum listed below.
curl http://molly.corsac.net/~corsac/debian/kernel-grsec/patches/add-grsecurity-featureset.patch |patch
cd debian/patches/features/all/grsec
# Fetch the grsecurity upstream patch; keep the pristine copy and adapt a "+debian" copy of it
# (the series file references the +debian name).
wget http://grsecurity.net/stable/grsecurity-2.2.1-2.6.32.27-201101021130.patch
cp grsecurity-2.2.1-2.6.32.27-201101021130{,+debian}.patch
# Rewrite the copy so it applies on top of the Debian sources. Same remark as above:
# verify the download against its sha1sum before piping it into patch.
curl http://molly.corsac.net/~corsac/debian/kernel-grsec/patches/debian-grsecurity.patch |patch grsecurity-2.2.1-2.6.32.27-201101021130+debian.patch
# Back up to the kernel-grsec directory, next to linux-2.6.
cd ../../../../../..
# Pristine upstream tarball, handed to genorig.py below.
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.32.tar.bz2
cd linux-2.6
python debian/bin/genorig.py ../linux-2.6.32.tar.bz2
# Generate debian/control from the defines files, then build: either the whole package
# or only the grsec binary-arch target.
debian/rules debian/control-real
dpkg-buildpackage -us -uc (or fakeroot make -f debian/rules.gen binary-arch_amd64_grsec_amd64 or the variant you need)
See the kernel handbook (http://kernel-handbook.alioth.debian.org/) for
more info, and remember to verify everything you download; the
sha1sums for the patches are:
e0a7d38f93a7857f2caceb13cac56eebb4b79530 add-grsecurity-featureset.patch
20c7c213f36f1a99a381d5fca563d9c22236e172 debian-grsecurity.patch
Comments welcome.
Regards,
--
Yves-Alexis Perez
ANSSI/ACE/LAM
Index: debian/patches/series/30-extra
===================================================================
--- debian/patches/series/30-extra (revision 16770)
+++ debian/patches/series/30-extra (working copy)
@@ -22,3 +22,5 @@
+ features/all/xen/radeon-ttm-PCIe-Use-dma_addr-if-TTM-has-set-it.patch featureset=xen
+ features/all/xen/nouveau-ttm-PCIe-Use-dma_addr-if-TTM-has-set-it.patch featureset=xen
+ features/all/xen/radeon-PCIe-Use-the-correct-index-field.patch featureset=xen
+
++ features/all/grsec/grsecurity-2.2.1-2.6.32.27-201101021130+debian.patch featureset=grsec
Index: debian/changelog
===================================================================
--- debian/changelog (revision 16770)
+++ debian/changelog (working copy)
@@ -22,6 +22,9 @@
* r8169: Change RTL8111D/RTL8168D initialisation and firmware loading to
match upstream version (for #564628)
+ [ Yves-Alexis Perez ]
+ * Add a grsecurity featureset.
+
[ maximilian attems ]
* [openvz] Reenable NF_CONNTRACK_IPV6. (closes: #580507)
* cifs: fix another memleak, in cifs_root_iget.
Index: debian/config/i386/grsec/defines
===================================================================
--- debian/config/i386/grsec/defines (revision 0)
+++ debian/config/i386/grsec/defines (revision 0)
@@ -0,0 +1,9 @@
+[base]
+flavours:
+ 686
+ amd64
+
+[grsec]
+flavours:
+ i386
+ amd64
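Review bot: The `[grsec]` section's flavour list (`i386`, `amd64`) does not match the `[base]` section's (`686`, `amd64`), and `i386` is not a flavour name that `[base]` declares, so one of the two is wrong. `amd64/grsec/defines` in the same patch carries only a `[base]` section, so unless `[grsec]` is actually read by the packaging it looks like a leftover that should be dropped, or else aligned to `686`/`amd64` with a comment saying what it selects.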
Index: debian/config/i386/defines
===================================================================
--- debian/config/i386/defines (revision 16770)
+++ debian/config/i386/defines (working copy)
@@ -7,6 +7,7 @@
openvz
vserver
xen
+ grsec
flavours:
486
686
Index: debian/config/featureset-grsec/config
===================================================================
--- debian/config/featureset-grsec/config (revision 0)
+++ debian/config/featureset-grsec/config (revision 0)
@@ -0,0 +1,144 @@
+#
+# Grsecurity
+#
+CONFIG_GRKERNSEC=y
+# CONFIG_GRKERNSEC_LOW is not set
+# CONFIG_GRKERNSEC_MEDIUM is not set
+CONFIG_GRKERNSEC_HIGH=y
+# CONFIG_GRKERNSEC_CUSTOM is not set
+
+#
+# Address Space Protection
+#
+CONFIG_GRKERNSEC_KMEM=y
+CONFIG_GRKERNSEC_IO=y
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODHARDEN=y
+CONFIG_GRKERNSEC_HIDESYM=y
+
+#
+# Role Based Access Control Options
+#
+# CONFIG_GRKERNSEC_NO_RBAC is not set
+CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+CONFIG_GRKERNSEC_PROC=y
+CONFIG_GRKERNSEC_PROC_USER=y
+CONFIG_GRKERNSEC_PROC_USERGROUP=y
+CONFIG_GRKERNSEC_PROC_GID=64044
+CONFIG_GRKERNSEC_PROC_ADD=y
+CONFIG_GRKERNSEC_LINK=y
+CONFIG_GRKERNSEC_FIFO=y
+CONFIG_GRKERNSEC_ROFS=y
+CONFIG_GRKERNSEC_CHROOT=y
+CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+CONFIG_GRKERNSEC_CHROOT_CAPS=y
+
+#
+# Kernel Auditing
+#
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
+# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_RESLOG=y
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+CONFIG_GRKERNSEC_TIME=y
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_EXECVE=y
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+CONFIG_GRKERNSEC_TPE=y
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_INVERT=y
+CONFIG_GRKERNSEC_TPE_GID=64040
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_BLACKHOLE=y
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=64041
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=64042
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=64043
+
+#
+# Sysctl support
+#
+CONFIG_GRKERNSEC_SYSCTL=y
+CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
+CONFIG_GRKERNSEC_SYSCTL_ON=y
+
+#
+# Logging Options
+#
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=4
+
+#
+# PaX
+#
+CONFIG_TASK_SIZE_MAX_SHIFT=47
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+CONFIG_PAX_SOFTMODE=y
+CONFIG_PAX_EI_PAX=y
+CONFIG_PAX_PT_PAX_FLAGS=y
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+# CONFIG_PAX_EMUTRAMP is not set
+CONFIG_PAX_MPROTECT=y
+CONFIG_PAX_ELFRELOCS=y
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+
+#
+# Miscellaneous hardening features
+#
+CONFIG_PAX_MEMORY_SANITIZE=y
+CONFIG_PAX_REFCOUNT=y
+CONFIG_PAX_USERCOPY=y
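Review bot: The group ids hard-coded in this config (`CONFIG_GRKERNSEC_PROC_GID=64044`, `CONFIG_GRKERNSEC_TPE_GID=64040` and the three `CONFIG_GRKERNSEC_SOCKET_*_GID` values 64041–64043) are referenced nowhere else in this patch, so the matching groups presumably come from the `linux-grsec-base` package that `featureset-grsec/defines` depends on; a line such as `# GIDs below must match the groups created by linux-grsec-base` above the Filesystem Protections block would make that contract visible. `CONFIG_GRKERNSEC_SYSCTL_DISTRO=y` exposes extra sysctls for root-affecting features, and as far as I recall its help text asks distributions to set `kernel.grsecurity.grsec_lock` to 1 after boot, so whatever ships the sysctl defaults for this featureset needs to do that or the hardening selected here stays switchable at runtime. `CONFIG_PAX_SOFTMODE=y` lets PaX run in soft mode, where restrictions apply only to explicitly marked binaries (hence the `paxctl` dependency), and `CONFIG_GRKERNSEC_HIDESYM=y` only helps if `System.map`, `vmlinux` and the module tree are not readable by unprivileged users, which the stock image packaging does not arrange as far as I know; both deserve a one-line comment stating the intended default for this kernel.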
Index: debian/config/featureset-grsec/defines
===================================================================
--- debian/config/featureset-grsec/defines (revision 0)
+++ debian/config/featureset-grsec/defines (revision 0)
@@ -0,0 +1,8 @@
+[description]
+part-long-grsec: This kernel includes support for Grsecurity and PaX security hardening features
+part-short-grsec: Grsecurity and PaX protection
+parts: grsec
+
+[image]
+depends: linux-grsec-base,, paxctl
+recommends: gradm2
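Review bot: `depends: linux-grsec-base,, paxctl` on the `[image]` line has a doubled comma; unless the defines parser uses `,,` as its list separator (worth comparing with the other featureset defines files), that yields an empty relation in the generated `Depends:` field. `linux-grsec-base` is not introduced by this patch, so the changelog entry or a comment here should say which package provides it, since it also appears to be where the group ids hard-coded in `featureset-grsec/config` have to be created. The `part-long-grsec` text could briefly mention that PaX is built with soft mode available and that `paxctl` is pulled in to mark binaries, which is the practical thing an admin installing this image needs to know.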
Index: debian/config/amd64/grsec/defines
===================================================================
--- debian/config/amd64/grsec/defines (revision 0)
+++ debian/config/amd64/grsec/defines (revision 0)
@@ -0,0 +1,4 @@
+[base]
+flavours:
+ amd64
+
Index: debian/config/amd64/defines
===================================================================
--- debian/config/amd64/defines (revision 16770)
+++ debian/config/amd64/defines (working copy)
@@ -7,6 +7,7 @@
openvz
vserver
xen
+ grsec
flavours:
amd64
kernel-arch: x86
Index: debian/config/defines
===================================================================
--- debian/config/defines (revision 16770)
+++ debian/config/defines (working copy)
@@ -25,6 +25,7 @@
openvz
vserver
xen
+ grsec
[featureset-openvz_base]
enabled: true
@@ -39,6 +40,9 @@
part-long-xen: This kernel also runs on a Xen hypervisor.
It supports only unprivileged (domU) operation.
+[featureset-grsec_base]
+enabled: true
+
[image]
initramfs-generators: initramfs-tools initramfs-fallback
type: plain
--- debian/patches/features/all/grsec/grsecurity-2.2.1-2.6.32.27-201101021130.patch 2011-01-02 17:39:51.000000000 +0100
+++ debian/patches/features/all/grsec/grsecurity-2.2.1-2.6.32.27-201101021130+debian.patch 2011-01-03 14:52:27.726032031 +0100
@@ -20471,15 +20471,15 @@ diff -urNp linux-2.6.32.27/arch/x86/vdso
diff -urNp linux-2.6.32.27/arch/x86/xen/enlighten.c linux-2.6.32.27/arch/x86/xen/enlighten.c
--- linux-2.6.32.27/arch/x86/xen/enlighten.c 2010-12-09 18:13:03.000000000 -0500
+++ linux-2.6.32.27/arch/x86/xen/enlighten.c 2010-12-31 14:46:53.000000000 -0500
-@@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
+@@ -76,8 +76,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
struct shared_info xen_dummy_shared_info;
-void *xen_initial_gdt;
-
- /*
- * Point at some empty memory to start with. We map the real shared_info
- * page as soon as fixmap is up and running.
+ __read_mostly int xen_have_vector_callback;
+ EXPORT_SYMBOL_GPL(xen_have_vector_callback);
+
@@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
preempt_disable();
@@ -22648,6 +22648,7 @@ diff -urNp linux-2.6.32.27/drivers/ata/s
.inherits = &svia_base_ops,
.freeze = svia_noop_freeze,
.prereset = vt6420_prereset,
+ .bmdma_start = vt6420_bmdma_start,
};
-static struct ata_port_operations vt6421_pata_ops = {
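Review bot: The context line `.bmdma_start = vt6420_bmdma_start,` added at L312 makes the enclosing inner hunk one line longer, but no matching change to that inner hunk's `@@` line counts is visible anywhere in this diff, and the same happens with `struct radeon_hpd hpd;` in the hunk ending at L370. If the inner header still declares the old counts, patch(1) will, as far as I recall, stop reading the hunk one line early and treat the leftover trailing lines as garbage between patches, which can silently drop the `-static struct ata_port_operations vt6421_pata_ops` line and its `const` replacement, i.e. part of the constification this patch exists to carry. A `patch --dry-run` of the `+debian` patch against the prepared tree, checked for skipped or fuzzed hunks, would confirm whether those headers were regenerated.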
@@ -23783,15 +23784,6 @@ diff -urNp linux-2.6.32.27/drivers/block
.show = kobj_pkt_show,
.store = kobj_pkt_store
};
-@@ -2408,7 +2408,7 @@ static void pkt_release_dev(struct pktcd
- pkt_shrink_pktlist(pd);
- }
-
--static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
-+static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
- {
- if (dev_minor >= MAX_WRITERS)
- return NULL;
diff -urNp linux-2.6.32.27/drivers/char/agp/frontend.c linux-2.6.32.27/drivers/char/agp/frontend.c
--- linux-2.6.32.27/drivers/char/agp/frontend.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/drivers/char/agp/frontend.c 2010-12-31 14:46:53.000000000 -0500
@@ -25151,9 +25143,9 @@ diff -urNp linux-2.6.32.27/drivers/gpu/d
diff -urNp linux-2.6.32.27/drivers/gpu/drm/drm_drv.c linux-2.6.32.27/drivers/gpu/drm/drm_drv.c
--- linux-2.6.32.27/drivers/gpu/drm/drm_drv.c 2010-08-29 21:08:20.000000000 -0400
+++ linux-2.6.32.27/drivers/gpu/drm/drm_drv.c 2010-12-31 14:46:53.000000000 -0500
-@@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
- char *kdata = NULL;
+@@ -448,7 +448,7 @@ long drm_ioctl(struct file *filp,
+ dev = file_priv->minor->dev;
atomic_inc(&dev->ioctl_count);
- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
@@ -25401,9 +25393,9 @@ diff -urNp linux-2.6.32.27/drivers/gpu/d
diff -urNp linux-2.6.32.27/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.27/drivers/gpu/drm/i915/i915_drv.c
--- linux-2.6.32.27/drivers/gpu/drm/i915/i915_drv.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/drivers/gpu/drm/i915/i915_drv.c 2010-12-31 14:46:53.000000000 -0500
-@@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
- return i915_resume(dev);
- }
+@@ -471,7 +471,7 @@ const struct dev_pm_ops i915_pm_ops = {
+ .restore = i915_pm_resume,
+ };
-static struct vm_operations_struct i915_gem_vm_ops = {
+static const struct vm_operations_struct i915_gem_vm_ops = {
@@ -25471,15 +25463,16 @@ diff -urNp linux-2.6.32.27/drivers/gpu/d
uint16_t devices;
int connector_type;
struct radeon_i2c_bus_rec ddc_bus;
+ struct radeon_hpd hpd;
-};
+} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
bool radeon_get_atom_connector_info_from_supported_devices_table(struct
drm_device
-@@ -535,7 +535,6 @@ bool radeon_get_atom_connector_info_from
+@@ -690,7 +690,6 @@ bool radeon_get_atom_connector_info_from
uint8_t dac;
union atom_supported_devices *supported_devices;
- int i, j;
+ int i, j, max_device;
- struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
@@ -25487,9 +25480,9 @@ diff -urNp linux-2.6.32.27/drivers/gpu/d
diff -urNp linux-2.6.32.27/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.27/drivers/gpu/drm/radeon/radeon_display.c
--- linux-2.6.32.27/drivers/gpu/drm/radeon/radeon_display.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/drivers/gpu/drm/radeon/radeon_display.c 2010-12-31 14:46:53.000000000 -0500
-@@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
+@@ -552,7 +552,7 @@ void radeon_compute_pll(struct radeon_pl
- if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
+ if (pll->flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
error = freq - current_freq;
- error = error < 0 ? 0xffffffff : error;
+ error = (int32_t)error < 0 ? 0xffffffff : error;
@@ -31795,50 +31788,6 @@ diff -urNp linux-2.6.32.27/fs/compat.c l
goto out;
if (!file->f_op)
goto out;
-@@ -1353,6 +1371,10 @@ static int compat_count(compat_uptr_t __
- argv++;
- if (i++ >= max)
- return -E2BIG;
-+
-+ if (fatal_signal_pending(current))
-+ return -ERESTARTNOHAND;
-+ cond_resched();
- }
- }
- return i;
-@@ -1394,6 +1416,12 @@ static int compat_copy_strings(int argc,
- while (len > 0) {
- int offset, bytes_to_copy;
-
-+ if (fatal_signal_pending(current)) {
-+ ret = -ERESTARTNOHAND;
-+ goto out;
-+ }
-+ cond_resched();
-+
- offset = pos % PAGE_SIZE;
- if (offset == 0)
- offset = PAGE_SIZE;
-@@ -1410,17 +1438,8 @@ static int compat_copy_strings(int argc,
- if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
- struct page *page;
-
--#ifdef CONFIG_STACK_GROWSUP
-- ret = expand_stack_downwards(bprm->vma, pos);
-- if (ret < 0) {
-- /* We've exceed the stack rlimit. */
-- ret = -E2BIG;
-- goto out;
-- }
--#endif
-- ret = get_user_pages(current, bprm->mm, pos,
-- 1, 1, 1, &page, NULL);
-- if (ret <= 0) {
-+ page = get_arg_page(bprm, pos, 1);
-+ if (!page) {
- /* We've exceed the stack rlimit. */
- ret = -E2BIG;
- goto out;
@@ -1463,6 +1482,11 @@ int compat_do_execve(char * filename,
compat_uptr_t __user *envp,
struct pt_regs * regs)
@@ -31908,7 +31857,7 @@ diff -urNp linux-2.6.32.27/fs/compat.c l
/* execve succeeded */
current->fs->in_exec = 0;
-@@ -1541,9 +1604,19 @@ int compat_do_execve(char * filename,
+@@ -1603,8 +1603,17 @@ int compat_do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -31921,14 +31870,11 @@ diff -urNp linux-2.6.32.27/fs/compat.c l
+#endif
+
out:
-- if (bprm->mm)
-+ if (bprm->mm) {
+ if (bprm->mm) {
+ acct_arg_size(bprm, 0);
mmput(bprm->mm);
-+ }
+ }
- out_file:
- if (bprm->file) {
diff -urNp linux-2.6.32.27/fs/compat_ioctl.c linux-2.6.32.27/fs/compat_ioctl.c
--- linux-2.6.32.27/fs/compat_ioctl.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/fs/compat_ioctl.c 2010-12-31 14:46:53.000000000 -0500
@@ -32007,7 +31953,7 @@ diff -urNp linux-2.6.32.27/fs/ecryptfs/i
goto out_free;
diff -urNp linux-2.6.32.27/fs/exec.c linux-2.6.32.27/fs/exec.c
--- linux-2.6.32.27/fs/exec.c 2010-10-31 16:44:11.000000000 -0400
-+++ linux-2.6.32.27/fs/exec.c 2010-12-31 14:46:53.000000000 -0500
++++ linux-2.6.32.27/fs/exec.c 2010-12-09 18:12:51.000000000 -0500
@@ -56,12 +56,24 @@
#include <linux/fsnotify.h>
#include <linux/fs_struct.h>
@@ -32042,27 +31988,33 @@ diff -urNp linux-2.6.32.27/fs/exec.c lin
MAY_READ | MAY_EXEC | MAY_OPEN);
putname(tmp);
error = PTR_ERR(file);
-@@ -159,28 +171,35 @@ out:
+@@ -171,18 +171,17 @@ out:
#ifdef CONFIG_MMU
--static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+-static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages,
+- unsigned long old_pages)
+void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
-+{
-+ struct mm_struct *mm = current->mm;
+ {
+ struct mm_struct *mm = current->mm;
+- long diff = (long)(pages - old_pages);
+ long diff = (long)(pages - bprm->vma_pages);
-+
-+ if (!mm || !diff)
-+ return;
-+
+
+ if (!mm || !diff)
+ return;
+
+- down_write(&mm->mmap_sem);
+- mm->total_vm += diff;
+- up_write(&mm->mmap_sem);
+ bprm->vma_pages = pages;
+
+ add_mm_counter(mm, anon_rss, diff);
-+}
-+
-+struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
- int write)
- {
+ }
+
+ struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+@@ -191,25 +190,17 @@ struct page *get_arg_page(struct linux_b
+ unsigned long old_vma_pages =
+ (bprm->vma->vm_end - bprm->vma->vm_start) / PAGE_SIZE;
struct page *page;
- int ret;
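Review bot: The rewritten `acct_arg_size` drops the `down_write(&mm->mmap_sem)` / `mm->total_vm += diff` accounting that the Debian tree carries in favour of grsecurity's `bprm->vma_pages` bookkeeping and `add_mm_counter(mm, anon_rss, diff)`, so argument pages are charged to a different counter than in the stock Debian kernel and the lock around the update is gone; a comment at the top of the hunk saying why the upstream grsec form is preferred over Debian's backport, and that `vma_pages` in `struct linux_binprm` still comes from the grsec hunk on that struct (not shown here), would save the next rebase from re-deriving this. Both `acct_arg_size` and `get_arg_page` continue past the end of the hunk. The same substitution is made for the `!CONFIG_MMU` stub in the hunk ending at L544.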
@@ -32085,11 +32037,11 @@ diff -urNp linux-2.6.32.27/fs/exec.c lin
unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
struct rlimit *rlim;
+- acct_arg_size(bprm, size / PAGE_SIZE, old_vma_pages);
+ acct_arg_size(bprm, size / PAGE_SIZE);
-+
+
/*
* We've historically supported up to 32 pages (ARG_MAX)
- * of argument strings even with small stacks
@@ -246,7 +265,17 @@ static int __bprm_mm_init(struct linux_b
vma->vm_end = STACK_TOP_MAX;
vma->vm_start = vma->vm_end - PAGE_SIZE;
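Review bot: With the call changed to `acct_arg_size(bprm, size / PAGE_SIZE);`, the `old_vma_pages` local that the Debian tree declares at the top of `get_arg_page` (the context lines at L505–L506 in the previous hunk) loses its only visible use, so unless it is referenced further down in the function it becomes an unused variable that the build will warn about; the same hunk that removes the call should also drop that declaration. `get_arg_page` starts and ends outside this hunk.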
@@ -32121,19 +32073,16 @@ diff -urNp linux-2.6.32.27/fs/exec.c lin
return 0;
err:
up_write(&mm->mmap_sem);
-@@ -269,7 +304,11 @@ static bool valid_arg_len(struct linux_b
+@@ -315,8 +306,7 @@ static bool valid_arg_len(struct linux_b
#else
--static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+-static void acct_arg_size(struct linux_binprm *bprm, unsigned long pages,
+- unsigned long old_pages)
+void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
-+{
-+}
-+
-+struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
- int write)
{
- struct page *page;
+ }
+
@@ -484,7 +523,7 @@ int copy_strings_kernel(int argc,char **
int r;
mm_segment_t oldfs = get_fs();
@@ -32332,7 +32281,7 @@ diff -urNp linux-2.6.32.27/fs/exec.c lin
/* execve succeeded */
current->fs->in_exec = 0;
-@@ -1402,9 +1503,19 @@ int do_execve(char * filename,
+@@ -1515,8 +1505,17 @@ int do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -32345,14 +32294,11 @@ diff -urNp linux-2.6.32.27/fs/exec.c lin
+#endif
+
out:
-- if (bprm->mm)
-+ if (bprm->mm) {
+ if (bprm->mm) {
+ acct_arg_size(bprm, 0);
- mmput (bprm->mm);
-+ }
+ mmput(bprm->mm);
+ }
- out_file:
- if (bprm->file) {
@@ -1565,6 +1676,217 @@ out:
return ispipe;
}
@@ -46609,16 +46555,13 @@ diff -urNp linux-2.6.32.27/include/linux
#else
# define MAX_ARG_PAGES 32
struct page *page[MAX_ARG_PAGES];
-@@ -59,6 +60,10 @@ struct linux_binprm{
+@@ -60,6 +60,7 @@ struct linux_binprm{
unsigned long loader, exec;
};
+extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages);
-+extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
-+ int write);
-+
- #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
- #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
+ extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ int write);
@@ -78,6 +83,7 @@ struct linux_binfmt {
int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
@@ -48579,9 +48522,9 @@ diff -urNp linux-2.6.32.27/include/linux
#endif
+
+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
- };
-
- struct core_thread {
+ #ifndef __GENKSYMS__
+ struct vm_area_struct *vm_prev;
+ #endif
@@ -287,6 +289,24 @@ struct mm_struct {
#ifdef CONFIG_MMU_NOTIFIER
struct mmu_notifier_mm *mmu_notifier_mm;
@@ -49006,7 +48949,7 @@ diff -urNp linux-2.6.32.27/include/linux
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
unsigned long, unsigned long);
-@@ -666,6 +669,16 @@ struct signal_struct {
+@@ -666,6 +666,16 @@ struct signal_struct {
struct tty_audit_buf *tty_audit_buf;
#endif
@@ -49021,8 +48964,8 @@ diff -urNp linux-2.6.32.27/include/linux
+#endif
+
int oom_adj; /* OOM kill score adjustment (bit shift) */
- };
+ #ifndef __GENKSYMS__
@@ -1223,7 +1236,7 @@ struct rcu_node;
struct task_struct {
@@ -50730,21 +50673,6 @@ diff -urNp linux-2.6.32.27/kernel/exit.c
static void exit_mm(struct task_struct * tsk);
static void __unhash_process(struct task_struct *p)
-@@ -92,6 +96,14 @@ static void __exit_signal(struct task_st
- posix_cpu_timers_exit_group(tsk);
- else {
- /*
-+ * This can only happen if the caller is de_thread().
-+ * FIXME: this is the temporary hack, we should teach
-+ * posix-cpu-timers to handle this case correctly.
-+ */
-+ if (unlikely(has_group_leader_pid(tsk)))
-+ posix_cpu_timers_exit_group(tsk);
-+
-+ /*
- * If there is any task waiting for the group exit
- * then notify it:
- */
@@ -167,6 +179,8 @@ void release_task(struct task_struct * p
struct task_struct *leader;
int zap_leader;
@@ -53659,11 +53587,6 @@ diff -urNp linux-2.6.32.27/lib/vsprintf.
break;
}
-diff -urNp linux-2.6.32.27/localversion-grsec linux-2.6.32.27/localversion-grsec
---- linux-2.6.32.27/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.27/localversion-grsec 2010-12-31 14:46:53.000000000 -0500
-@@ -0,0 +1 @@
-+-grsec
diff -urNp linux-2.6.32.27/Makefile linux-2.6.32.27/Makefile
--- linux-2.6.32.27/Makefile 2010-12-09 18:13:03.000000000 -0500
+++ linux-2.6.32.27/Makefile 2010-12-31 14:46:53.000000000 -0500
@@ -57750,18 +57673,6 @@ diff -urNp linux-2.6.32.27/net/ipv4/netf
if (*octets == NULL) {
if (net_ratelimit())
printk("OOM in bsalg (%d)\n", __LINE__);
-diff -urNp linux-2.6.32.27/net/ipv4/tcp.c linux-2.6.32.27/net/ipv4/tcp.c
---- linux-2.6.32.27/net/ipv4/tcp.c 2010-12-09 18:13:03.000000000 -0500
-+++ linux-2.6.32.27/net/ipv4/tcp.c 2010-12-31 14:46:53.000000000 -0500
-@@ -2117,7 +2117,7 @@ static int do_tcp_setsockopt(struct sock
- /* Values greater than interface MTU won't take effect. However
- * at the point when this call is done we typically don't yet
- * know which interface is going to be used */
-- if (val < 8 || val > MAX_TCP_WINDOW) {
-+ if (val < 64 || val > MAX_TCP_WINDOW) {
- err = -EINVAL;
- break;
- }
diff -urNp linux-2.6.32.27/net/ipv4/tcp_ipv4.c linux-2.6.32.27/net/ipv4/tcp_ipv4.c
--- linux-2.6.32.27/net/ipv4/tcp_ipv4.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/net/ipv4/tcp_ipv4.c 2010-12-31 14:46:53.000000000 -0500
@@ -58201,42 +58112,6 @@ diff -urNp linux-2.6.32.27/net/ipv6/udp.
atomic_read(&sp->sk_drops));
}
-diff -urNp linux-2.6.32.27/net/irda/af_irda.c linux-2.6.32.27/net/irda/af_irda.c
---- linux-2.6.32.27/net/irda/af_irda.c 2010-09-26 17:26:06.000000000 -0400
-+++ linux-2.6.32.27/net/irda/af_irda.c 2010-12-31 15:16:57.000000000 -0500
-@@ -2164,6 +2164,15 @@ static int irda_getsockopt(struct socket
-
- switch (optname) {
- case IRLMP_ENUMDEVICES:
-+
-+ /* Offset to first device entry */
-+ offset = sizeof(struct irda_device_list) - sizeof(struct irda_device_info);
-+
-+ if (len < offset) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-+
- /* Ask lmp for the current discovery log */
- discoveries = irlmp_get_discoveries(&list.len, self->mask.word,
- self->nslots);
-@@ -2173,15 +2182,9 @@ static int irda_getsockopt(struct socket
- err = 0;
-
- /* Write total list length back to client */
-- if (copy_to_user(optval, &list,
-- sizeof(struct irda_device_list) -
-- sizeof(struct irda_device_info)))
-+ if (copy_to_user(optval, &list, offset))
- err = -EFAULT;
-
-- /* Offset to first device entry */
-- offset = sizeof(struct irda_device_list) -
-- sizeof(struct irda_device_info);
--
- /* Copy the list itself - watch for overflow */
- if(list.len > 2048)
- {
diff -urNp linux-2.6.32.27/net/irda/ircomm/ircomm_tty.c linux-2.6.32.27/net/irda/ircomm/ircomm_tty.c
--- linux-2.6.32.27/net/irda/ircomm/ircomm_tty.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/net/irda/ircomm/ircomm_tty.c 2010-12-31 14:46:53.000000000 -0500
@@ -58748,32 +58623,6 @@ diff -urNp linux-2.6.32.27/net/rds/Kconf
---help---
The RDS (Reliable Datagram Sockets) protocol provides reliable,
sequenced delivery of datagrams over Infiniband, iWARP,
-diff -urNp linux-2.6.32.27/net/sctp/auth.c linux-2.6.32.27/net/sctp/auth.c
---- linux-2.6.32.27/net/sctp/auth.c 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.27/net/sctp/auth.c 2010-12-31 14:46:53.000000000 -0500
-@@ -542,16 +542,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hma
- id = ntohs(hmacs->hmac_ids[i]);
-
- /* Check the id is in the supported range */
-- if (id > SCTP_AUTH_HMAC_ID_MAX)
-+ if (id > SCTP_AUTH_HMAC_ID_MAX) {
-+ id = 0;
- continue;
-+ }
-
- /* See is we support the id. Supported IDs have name and
- * length fields set, so that we can allocated and use
- * them. We can safely just check for name, for without the
- * name, we can't allocate the TFM.
- */
-- if (!sctp_hmac_list[id].hmac_name)
-+ if (!sctp_hmac_list[id].hmac_name) {
-+ id = 0;
- continue;
-+ }
-
- break;
- }
diff -urNp linux-2.6.32.27/net/sctp/proc.c linux-2.6.32.27/net/sctp/proc.c
--- linux-2.6.32.27/net/sctp/proc.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.27/net/sctp/proc.c 2010-12-31 14:46:53.000000000 -0500