*-grsec: upgrade to 2.1.14-2.6.31.5-200910312135

b13b2953 · Natanael Copa · b1a81c6d · b13b2953 · b13b2953 · b13b2953
Commit b13b2953 authored Nov 02, 2009 by Natanael Copa
7 changed files
--- a/main/dahdi-linux-grsec/APKBUILD
+++ b/main/dahdi-linux-grsec/APKBUILD
@@ -10,12 +10,14 @@ fi

 _kernelver="$pkgver-r$pkgrel"
 _abi_release=${pkgver}-${_flavor}
+_kpkgrel=$pkgrel
 _realname=dahdi-linux

 pkgname=${_realname}-${_flavor}
 pkgver=$pkgver
 _dahdiver=2.2.0.2
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(( $_kpkgrel + $_mypkgrel ))
 pkgdesc="Digium Asterisk Hardware Device Interface drivers $_dahdiver"
 url="http://www.asterisk.org"
 license="GPL"

--- a/main/iscsitarget-grsec/APKBUILD
+++ b/main/iscsitarget-grsec/APKBUILD
@@ -9,12 +9,14 @@ fi
 _kver=$pkgver
 _kernelver=$pkgver-r$pkgrel
 _abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel

 _iscsiver=1.4.18

 pkgname=${_realname}-${_flavor}
 pkgver=$_kver
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
 pkgdesc="$_flavor kernel modules for iscsitarget $_iscsiver"
 url="http://iscsitarget.sourceforge.net/"
 license="GPL-2"

--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.31.5
 _kernver=2.6.31
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
 install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
 	ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
-	grsecurity-2.1.14-2.6.31.5-200910232000.patch
+	grsecurity-2.1.14-2.6.31.5-200910312135.patch
 	kernelconfig.x86
 	"
 subpackages="$pkgname-dev linux-firmware:firmware"
@@ -120,5 +120,5 @@ firmware() {

 md5sums="84c077a37684e4cbfa67b18154390d8a  linux-2.6.31.tar.bz2
 6cac5e59d5562b591cdda485941204d5  patch-2.6.31.5.bz2
-6b3813a484429f160dce06d69e2e8d7f  grsecurity-2.1.14-2.6.31.5-200910232000.patch
-5fadc584b08c9bc420d61e148139becd  kernelconfig.x86"
+284a8a8e0d5d8034684107098488d92a  grsecurity-2.1.14-2.6.31.5-200910312135.patch
+94d5ac9701cf3ddd50f654509b8ec6fc  kernelconfig.x86"
--- a/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch
+++ b/main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910232000.patch
@@ -12411,8 +12411,16 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/tsc.c linux-2.6.31.5/arch/x86/kernel/t
 static void __init check_system_tsc_reliable(void)
 diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kernel/vm86_32.c
 --- linux-2.6.31.5/arch/x86/kernel/vm86_32.c	2009-10-20 20:42:59.020760222 -0400
-+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c	2009-10-20 20:33:06.209232976 -0400
-@@ -148,7 +148,7 @@ struct pt_regs *save_v86_state(struct ke
+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c	2009-10-31 21:14:11.351546024 -0400
+@@ -41,6 +41,7 @@
+ #include <linux/ptrace.h>
+ #include <linux/audit.h>
+ #include <linux/stddef.h>
+#include <linux/grsecurity.h>
+ 
+ #include <asm/uaccess.h>
+ #include <asm/io.h>
+@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
 		do_exit(SIGSEGV);
 	}
 
@@ -12421,7 +12429,36 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
 	current->thread.sp0 = current->thread.saved_sp0;
 	current->thread.sysenter_cs = __KERNEL_CS;
 	load_sp0(tss, &current->thread);
-@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
+@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
+ 	struct task_struct *tsk;
+ 	int tmp, ret = -EPERM;
+ 
+#ifdef CONFIG_GRKERNSEC_VM86
+	if (!capable(CAP_SYS_RAWIO)) {
+		gr_handle_vm86();
+		goto out;
+	}
+#endif
+
+ 	tsk = current;
+ 	if (tsk->thread.saved_sp0)
+ 		goto out;
+@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
+ 	int tmp, ret;
+ 	struct vm86plus_struct __user *v86;
+ 
+#ifdef CONFIG_GRKERNSEC_VM86
+	if (!capable(CAP_SYS_RAWIO)) {
+		gr_handle_vm86();
+		ret = -EPERM;
+		goto out;
+	}
+#endif
+
+ 	tsk = current;
+ 	switch (regs->bx) {
+ 	case VM86_REQUEST_IRQ:
+@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
 	tsk->thread.saved_fs = info->regs32->fs;
 	tsk->thread.saved_gs = get_user_gs(info->regs32);
 
@@ -12430,7 +12467,7 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
 	tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
 	if (cpu_has_sep)
 		tsk->thread.sysenter_cs = 0;
-@@ -529,7 +529,7 @@ static void do_int(struct kernel_vm86_re
+@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
 		goto cannot_handle;
 	if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
 		goto cannot_handle;
@@ -29281,7 +29318,34 @@ diff -urNp linux-2.6.31.5/fs/sysfs/bin.c linux-2.6.31.5/fs/sysfs/bin.c
 	.fault		= bin_fault,
 diff -urNp linux-2.6.31.5/fs/sysfs/file.c linux-2.6.31.5/fs/sysfs/file.c
 --- linux-2.6.31.5/fs/sysfs/file.c	2009-10-23 19:50:17.593999889 -0400
-+++ linux-2.6.31.5/fs/sysfs/file.c	2009-10-23 19:50:30.050681672 -0400
+++ linux-2.6.31.5/fs/sysfs/file.c	2009-10-31 21:31:10.194981012 -0400
+@@ -53,7 +53,7 @@ struct sysfs_buffer {
+ 	size_t			count;
+ 	loff_t			pos;
+ 	char			* page;
+-	struct sysfs_ops	* ops;
+	const struct sysfs_ops	* ops;
+ 	struct mutex		mutex;
+ 	int			needs_read_fill;
+ 	int			event;
+@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
+ {
+ 	struct sysfs_dirent *attr_sd = dentry->d_fsdata;
+ 	struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
+-	struct sysfs_ops * ops = buffer->ops;
+	const struct sysfs_ops * ops = buffer->ops;
+ 	int ret = 0;
+ 	ssize_t count;
+ 
+@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
+ {
+ 	struct sysfs_dirent *attr_sd = dentry->d_fsdata;
+ 	struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
+-	struct sysfs_ops * ops = buffer->ops;
+	const struct sysfs_ops * ops = buffer->ops;
+ 	int rc;
+ 
+ 	/* need attr_sd for attr and ops, its parent for kobj */
 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode 
 	struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
 	struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
@@ -36515,8 +36579,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_log.c linux-2.6.31.5/grsecurity/grsec
 +}
 diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec_mem.c
 --- linux-2.6.31.5/grsecurity/grsec_mem.c	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/grsecurity/grsec_mem.c	2009-10-20 20:32:11.219172768 -0400
-@@ -0,0 +1,79 @@
+++ linux-2.6.31.5/grsecurity/grsec_mem.c	2009-10-31 20:59:28.193884281 -0400
+@@ -0,0 +1,85 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -36596,6 +36660,12 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec
 +        return;
 +}
 +
+void
+gr_handle_vm86(void)
+{
+	gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
+	return;
+}
 diff -urNp linux-2.6.31.5/grsecurity/grsec_mount.c linux-2.6.31.5/grsecurity/grsec_mount.c
 --- linux-2.6.31.5/grsecurity/grsec_mount.c	1969-12-31 19:00:00.000000000 -0500
 +++ linux-2.6.31.5/grsecurity/grsec_mount.c	2009-10-20 20:32:11.219172768 -0400
@@ -37527,8 +37597,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsum.c linux-2.6.31.5/grsecurity/grsum.c
 +}
 diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 --- linux-2.6.31.5/grsecurity/Kconfig	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/grsecurity/Kconfig	2009-10-20 20:32:11.506703093 -0400
-@@ -0,0 +1,908 @@
+++ linux-2.6.31.5/grsecurity/Kconfig	2009-10-31 21:13:30.960724478 -0400
+@@ -0,0 +1,923 @@
 +#
 +# grecurity configuration
 +#
@@ -37669,6 +37739,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
+	select GRKERNSEC_VM86 if (X86_32)
 +	select PAX
 +	select PAX_RANDUSTACK
 +	select PAX_ASLR
@@ -37718,6 +37789,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 +	  - Prevention of memory exhaustion-based exploits
 +	  - Hardening of module auto-loading
 +	  - Ptrace restrictions
+	  - Restricted vm86 mode
 +
 +config GRKERNSEC_CUSTOM
 +	bool "Custom"
@@ -37754,6 +37826,19 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
 +	  It is highly recommended that you say Y here if you meet all the
 +	  conditions above.
 +
+config GRKERNSEC_VM86
+	bool "Restrict VM86 mode"
+	depends on X86_32
+
+	help
+	  If you say Y here, only processes with CAP_SYS_RAWIO will be able to
+	  make use of a special execution mode on 32bit x86 processors called
+	  Virtual 8086 (VM86) mode.  XFree86 may need vm86 mode for certain
+	  video cards and will still work with this option enabled.  The purpose
+	  of the option is to prevent exploitation of emulation errors in
+	  virtualization of vm86 mode like the one discovered in VMWare in 2009.
+	  Nearly all users should be able to enable this option.
+
 +config GRKERNSEC_IO
 +	bool "Disable privileged I/O"
 +	depends on X86
@@ -39888,8 +39973,8 @@ diff -urNp linux-2.6.31.5/include/linux/grinternal.h linux-2.6.31.5/include/linu
 +#endif
 diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grmsg.h
 --- linux-2.6.31.5/include/linux/grmsg.h	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/include/linux/grmsg.h	2009-10-20 20:32:11.510838935 -0400
-@@ -0,0 +1,103 @@
+++ linux-2.6.31.5/include/linux/grmsg.h	2009-10-31 20:53:53.064386497 -0400
+@@ -0,0 +1,104 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -39993,10 +40078,11 @@ diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grm
 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
+#define GR_VM86_MSG "denied use of vm86 by "
 diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linux/grsecurity.h
 --- linux-2.6.31.5/include/linux/grsecurity.h	1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.31.5/include/linux/grsecurity.h	2009-10-20 20:32:11.510838935 -0400
-@@ -0,0 +1,197 @@
+++ linux-2.6.31.5/include/linux/grsecurity.h	2009-10-31 21:00:00.773738698 -0400
+@@ -0,0 +1,198 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -40182,6 +40268,7 @@ diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linu
 +
 +#ifdef CONFIG_GRKERNSEC
 +void gr_log_nonroot_mod_load(const char *modname);
+void gr_handle_vm86(void);
 +void gr_handle_mem_write(void);
 +void gr_handle_kmem_write(void);
 +void gr_handle_open_port(void);
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
 #
 # Automatically generated make config: don't edit
 # Linux kernel version: 2.6.31.5
-# Mon Oct 26 17:37:25 2009
+# Mon Nov  2 17:52:49 2009
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -4191,6 +4191,7 @@ CONFIG_GRKERNSEC_CUSTOM=y
 # Address Space Protection
 #
 CONFIG_GRKERNSEC_KMEM=y
+CONFIG_GRKERNSEC_VM86=y
 # CONFIG_GRKERNSEC_IO is not set
 CONFIG_GRKERNSEC_PROC_MEMMAP=y
 # CONFIG_GRKERNSEC_BRUTE is not set

--- a/main/xtables-addons-grsec/APKBUILD
+++ b/main/xtables-addons-grsec/APKBUILD
@@ -8,11 +8,13 @@ if [ -f ../linux-$_flavor/APKBUILD ]; then
 fi
 _kernelver=$pkgver-r$pkgrel
 _abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel

 pkgname=${_realname}-${_flavor}
 pkgver=${pkgver}
 _realver=1.19
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
 pkgdesc="Iptables extensions kernel modules"
 url="http://xtables-addons.sourceforge.net/"
 license="GPL"

--- a/testing/kqemu-grsec/APKBUILD
+++ b/testing/kqemu-grsec/APKBUILD
@@ -8,11 +8,13 @@ if [ -f ../../main/linux-$_flavor/APKBUILD ]; then
 fi
 _kernelver=$pkgver-r$pkgrel
 _abi_release=$pkgver-${_flavor}
+_kpkgrel=$pkgrel

 pkgname=${_realname}-${_flavor}
 pkgver=$pkgver
 _realver=1.4.0pre1
-pkgrel=0
+_mypkgrel=0
+pkgrel=$(($_kpkgrel + $_mypkgrel))
 pkgdesc="$_flavor kernel modules for kemu $_realver"
 url="http://www.nongnu.org/qemu/"
 license="GPL"