Commit b13b2953 authored by Natanael Copa's avatar Natanael Copa

*-grsec: upgrade to 2.1.14-2.6.31.5-200910312135

parent b1a81c6d
......@@ -10,12 +10,14 @@ fi
_kernelver="$pkgver-r$pkgrel"
_abi_release=${pkgver}-${_flavor}
_kpkgrel=$pkgrel
_realname=dahdi-linux
pkgname=${_realname}-${_flavor}
pkgver=$pkgver
_dahdiver=2.2.0.2
pkgrel=0
_mypkgrel=0
pkgrel=$(( $_kpkgrel + $_mypkgrel ))
pkgdesc="Digium Asterisk Hardware Device Interface drivers $_dahdiver"
url="http://www.asterisk.org"
license="GPL"
......
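Review bot: `pkgrel=$(( $_kpkgrel + $_mypkgrel ))` silently collapses to `$_mypkgrel` when `_kpkgrel` is empty, which is what happens if `../linux-$_flavor/APKBUILD` was not found and so not sourced before the `fi` that opens this hunk (the `if` body is outside the hunk, so the sourcing is inferred). In that case `_kernelver`, `_abi_release` and the final `pkgrel` are built from empty values and the package is produced with a wrong revision instead of failing. A guard that aborts the build, e.g. `pkgrel=$(( ${_kpkgrel:?kernel APKBUILD not sourced} + _mypkgrel ))`, makes the dependency explicit; the same pattern appears in the iscsitarget, xtables-addons and kemu hunks below and would need the same treatment. The no-op `pkgver=$pkgver` in this hunk and in the kemu hunk reads as though it does work; a comment such as `# pkgver/pkgrel are inherited from the sourced kernel APKBUILD; _kpkgrel snapshots its pkgrel before ours is recomputed` would spare the next reader the guess.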
......@@ -9,12 +9,14 @@ fi
_kver=$pkgver
_kernelver=$pkgver-r$pkgrel
_abi_release=$pkgver-${_flavor}
_kpkgrel=$pkgrel
_iscsiver=1.4.18
pkgname=${_realname}-${_flavor}
pkgver=$_kver
pkgrel=0
_mypkgrel=0
pkgrel=$(($_kpkgrel + $_mypkgrel))
pkgdesc="$_flavor kernel modules for iscsitarget $_iscsiver"
url="http://iscsitarget.sourceforge.net/"
license="GPL-2"
......
......@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=2.6.31.5
_kernver=2.6.31
pkgrel=0
pkgrel=1
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
......@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
install=
source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
grsecurity-2.1.14-2.6.31.5-200910232000.patch
grsecurity-2.1.14-2.6.31.5-200910312135.patch
kernelconfig.x86
"
subpackages="$pkgname-dev linux-firmware:firmware"
......@@ -120,5 +120,5 @@ firmware() {
md5sums="84c077a37684e4cbfa67b18154390d8a linux-2.6.31.tar.bz2
6cac5e59d5562b591cdda485941204d5 patch-2.6.31.5.bz2
6b3813a484429f160dce06d69e2e8d7f grsecurity-2.1.14-2.6.31.5-200910232000.patch
5fadc584b08c9bc420d61e148139becd kernelconfig.x86"
284a8a8e0d5d8034684107098488d92a grsecurity-2.1.14-2.6.31.5-200910312135.patch
94d5ac9701cf3ddd50f654509b8ec6fc kernelconfig.x86"
......@@ -12411,8 +12411,16 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/tsc.c linux-2.6.31.5/arch/x86/kernel/t
static void __init check_system_tsc_reliable(void)
diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kernel/vm86_32.c
--- linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:42:59.020760222 -0400
+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:33:06.209232976 -0400
@@ -148,7 +148,7 @@ struct pt_regs *save_v86_state(struct ke
+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-31 21:14:11.351546024 -0400
@@ -41,6 +41,7 @@
#include <linux/ptrace.h>
#include <linux/audit.h>
#include <linux/stddef.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/io.h>
@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
do_exit(SIGSEGV);
}
......@@ -12421,7 +12429,36 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
current->thread.sp0 = current->thread.saved_sp0;
current->thread.sysenter_cs = __KERNEL_CS;
load_sp0(tss, &current->thread);
@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
struct task_struct *tsk;
int tmp, ret = -EPERM;
+#ifdef CONFIG_GRKERNSEC_VM86
+ if (!capable(CAP_SYS_RAWIO)) {
+ gr_handle_vm86();
+ goto out;
+ }
+#endif
+
tsk = current;
if (tsk->thread.saved_sp0)
goto out;
@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
int tmp, ret;
struct vm86plus_struct __user *v86;
+#ifdef CONFIG_GRKERNSEC_VM86
+ if (!capable(CAP_SYS_RAWIO)) {
+ gr_handle_vm86();
+ ret = -EPERM;
+ goto out;
+ }
+#endif
+
tsk = current;
switch (regs->bx) {
case VM86_REQUEST_IRQ:
@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
tsk->thread.saved_fs = info->regs32->fs;
tsk->thread.saved_gs = get_user_gs(info->regs32);
......@@ -12430,7 +12467,7 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
if (cpu_has_sep)
tsk->thread.sysenter_cs = 0;
@@ -529,7 +529,7 @@ static void do_int(struct kernel_vm86_re
@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
goto cannot_handle;
if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
goto cannot_handle;
......@@ -29281,7 +29318,34 @@ diff -urNp linux-2.6.31.5/fs/sysfs/bin.c linux-2.6.31.5/fs/sysfs/bin.c
.fault = bin_fault,
diff -urNp linux-2.6.31.5/fs/sysfs/file.c linux-2.6.31.5/fs/sysfs/file.c
--- linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:17.593999889 -0400
+++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:30.050681672 -0400
+++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-31 21:31:10.194981012 -0400
@@ -53,7 +53,7 @@ struct sysfs_buffer {
size_t count;
loff_t pos;
char * page;
- struct sysfs_ops * ops;
+ const struct sysfs_ops * ops;
struct mutex mutex;
int needs_read_fill;
int event;
@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
{
struct sysfs_dirent *attr_sd = dentry->d_fsdata;
struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
- struct sysfs_ops * ops = buffer->ops;
+ const struct sysfs_ops * ops = buffer->ops;
int ret = 0;
ssize_t count;
@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
{
struct sysfs_dirent *attr_sd = dentry->d_fsdata;
struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
- struct sysfs_ops * ops = buffer->ops;
+ const struct sysfs_ops * ops = buffer->ops;
int rc;
/* need attr_sd for attr and ops, its parent for kobj */
@@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
......@@ -36515,8 +36579,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_log.c linux-2.6.31.5/grsecurity/grsec
+}
diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec_mem.c
--- linux-2.6.31.5/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-20 20:32:11.219172768 -0400
@@ -0,0 +1,79 @@
+++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-31 20:59:28.193884281 -0400
@@ -0,0 +1,85 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
......@@ -36596,6 +36660,12 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec
+ return;
+}
+
+void
+gr_handle_vm86(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
+ return;
+}
diff -urNp linux-2.6.31.5/grsecurity/grsec_mount.c linux-2.6.31.5/grsecurity/grsec_mount.c
--- linux-2.6.31.5/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/grsecurity/grsec_mount.c 2009-10-20 20:32:11.219172768 -0400
......@@ -37527,8 +37597,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsum.c linux-2.6.31.5/grsecurity/grsum.c
+}
diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
--- linux-2.6.31.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-20 20:32:11.506703093 -0400
@@ -0,0 +1,908 @@
+++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-31 21:13:30.960724478 -0400
@@ -0,0 +1,923 @@
+#
+# grecurity configuration
+#
......@@ -37669,6 +37739,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
......@@ -37718,6 +37789,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ - Prevention of memory exhaustion-based exploits
+ - Hardening of module auto-loading
+ - Ptrace restrictions
+ - Restricted vm86 mode
+
+config GRKERNSEC_CUSTOM
+ bool "Custom"
......@@ -37754,6 +37826,19 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ It is highly recommended that you say Y here if you meet all the
+ conditions above.
+
+config GRKERNSEC_VM86
+ bool "Restrict VM86 mode"
+ depends on X86_32
+
+ help
+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
+ make use of a special execution mode on 32bit x86 processors called
+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
+ video cards and will still work with this option enabled. The purpose
+ of the option is to prevent exploitation of emulation errors in
+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
+ Nearly all users should be able to enable this option.
+
+config GRKERNSEC_IO
+ bool "Disable privileged I/O"
+ depends on X86
......@@ -39888,8 +39973,8 @@ diff -urNp linux-2.6.31.5/include/linux/grinternal.h linux-2.6.31.5/include/linu
+#endif
diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grmsg.h
--- linux-2.6.31.5/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-20 20:32:11.510838935 -0400
@@ -0,0 +1,103 @@
+++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-31 20:53:53.064386497 -0400
@@ -0,0 +1,104 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
......@@ -39993,10 +40078,11 @@ diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grm
+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
+#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
+#define GR_VM86_MSG "denied use of vm86 by "
diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linux/grsecurity.h
--- linux-2.6.31.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-20 20:32:11.510838935 -0400
@@ -0,0 +1,197 @@
+++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-31 21:00:00.773738698 -0400
@@ -0,0 +1,198 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
......@@ -40182,6 +40268,7 @@ diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linu
+
+#ifdef CONFIG_GRKERNSEC
+void gr_log_nonroot_mod_load(const char *modname);
+void gr_handle_vm86(void);
+void gr_handle_mem_write(void);
+void gr_handle_kmem_write(void);
+void gr_handle_open_port(void);
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.31.5
# Mon Oct 26 17:37:25 2009
# Mon Nov 2 17:52:49 2009
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
......@@ -4191,6 +4191,7 @@ CONFIG_GRKERNSEC_CUSTOM=y
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_VM86=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
......
......@@ -8,11 +8,13 @@ if [ -f ../linux-$_flavor/APKBUILD ]; then
fi
_kernelver=$pkgver-r$pkgrel
_abi_release=$pkgver-${_flavor}
_kpkgrel=$pkgrel
pkgname=${_realname}-${_flavor}
pkgver=${pkgver}
_realver=1.19
pkgrel=0
_mypkgrel=0
pkgrel=$(($_kpkgrel + $_mypkgrel))
pkgdesc="Iptables extensions kernel modules"
url="http://xtables-addons.sourceforge.net/"
license="GPL"
......
......@@ -8,11 +8,13 @@ if [ -f ../../main/linux-$_flavor/APKBUILD ]; then
fi
_kernelver=$pkgver-r$pkgrel
_abi_release=$pkgver-${_flavor}
_kpkgrel=$pkgrel
pkgname=${_realname}-${_flavor}
pkgver=$pkgver
_realver=1.4.0pre1
pkgrel=0
_mypkgrel=0
pkgrel=$(($_kpkgrel + $_mypkgrel))
pkgdesc="$_flavor kernel modules for kemu $_realver"
url="http://www.nongnu.org/qemu/"
license="GPL"
......