Commit
b13b2953
authored
Nov 02, 2009
by
Natanael Copa
*-grsec: upgrade to 2.1.14-2.6.31.5-200910312135
parent
b1a81c6d
Showing
7 changed files
with
118 additions
and
22 deletions
+118
-22
main/dahdi-linux-grsec/APKBUILD
main/dahdi-linux-grsec/APKBUILD
+3
-1
main/iscsitarget-grsec/APKBUILD
main/iscsitarget-grsec/APKBUILD
+3
-1
main/linux-grsec/APKBUILD
main/linux-grsec/APKBUILD
+4
-4
main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch
...linux-grsec/grsecurity-2.1.14-2.6.31.5-200910312135.patch
+100
-13
main/linux-grsec/kernelconfig.x86
main/linux-grsec/kernelconfig.x86
+2
-1
main/xtables-addons-grsec/APKBUILD
main/xtables-addons-grsec/APKBUILD
+3
-1
testing/kqemu-grsec/APKBUILD
testing/kqemu-grsec/APKBUILD
+3
-1
main/dahdi-linux-grsec/APKBUILD
...
...
@@ -10,12 +10,14 @@ fi
_kernelver
=
"
$pkgver
-r
$pkgrel
"
_abi_release
=
${
pkgver
}
-
${
_flavor
}
_kpkgrel
=
$pkgrel
_realname
=
dahdi-linux
pkgname
=
${
_realname
}
-
${
_flavor
}
pkgver
=
$pkgver
_dahdiver
=
2.2.0.2
pkgrel
=
0
_mypkgrel
=
0
pkgrel
=
$((
$_kpkgrel
+
$_mypkgrel
))
pkgdesc
=
"Digium Asterisk Hardware Device Interface drivers
$_dahdiver
"
url
=
"http://www.asterisk.org"
license
=
"GPL"
...
...
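Review bot: The new `pkgrel=$(( $_kpkgrel + $_mypkgrel ))` is a plain sum, so the release number stops being unique as soon as `_mypkgrel` is ever reset: kernel pkgrel 0 with `_mypkgrel=1` and a later kernel pkgrel 1 with `_mypkgrel=0` both produce `pkgrel=1` for the same `pkgver`. Upgrade decisions are made on that version string, so a rebuilt module package carrying the same or a lower release may not replace the old one on installed systems. At minimum I would add a comment above `_mypkgrel`, e.g. `# local rebuild counter: never reset while the kernel pkgver is unchanged (pkgrel = kernel pkgrel + this)`. The same construct is added in main/iscsitarget-grsec, main/xtables-addons-grsec and testing/kqemu-grsec.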
main/iscsitarget-grsec/APKBUILD
...
...
@@ -9,12 +9,14 @@ fi
_kver
=
$pkgver
_kernelver
=
$pkgver
-r
$pkgrel
_abi_release
=
$pkgver
-
${
_flavor
}
_kpkgrel
=
$pkgrel
_iscsiver
=
1.4.18
pkgname
=
${
_realname
}
-
${
_flavor
}
pkgver
=
$_kver
pkgrel
=
0
_mypkgrel
=
0
pkgrel
=
$((
$_kpkgrel
+
$_mypkgrel
))
pkgdesc
=
"
$_flavor
kernel modules for iscsitarget
$_iscsiver
"
url
=
"http://iscsitarget.sourceforge.net/"
license
=
"GPL-2"
...
...
main/linux-grsec/APKBUILD
...
...
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname
=
linux-
${
_flavor
}
pkgver
=
2.6.31.5
_kernver
=
2.6.31
pkgrel
=
0
pkgrel
=
1
pkgdesc
=
"Linux kernel with grsecurity"
url
=
http://grsecurity.net
depends
=
"mkinitfs linux-firmware"
...
...
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
install
=
source
=
"ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-
$_kernver
.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-
$pkgver
.bz2
grsecurity-2.1.14-2.6.31.5-200910
232000
.patch
grsecurity-2.1.14-2.6.31.5-200910
312135
.patch
kernelconfig.x86
"
subpackages
=
"
$pkgname
-dev linux-firmware:firmware"
...
...
@@ -120,5 +120,5 @@ firmware() {
md5sums
=
"84c077a37684e4cbfa67b18154390d8a linux-2.6.31.tar.bz2
6cac5e59d5562b591cdda485941204d5 patch-2.6.31.5.bz2
6b3813a484429f160dce06d69e2e8d7f grsecurity-2.1.14-2.6.31.5-200910232000
.patch
5fadc584b08c9bc420d61e148139becd
kernelconfig.x86"
284a8a8e0d5d8034684107098488d92a grsecurity-2.1.14-2.6.31.5-200910312135
.patch
94d5ac9701cf3ddd50f654509b8ec6fc
kernelconfig.x86"
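Review bot: The replaced grsecurity patch and the regenerated kernelconfig.x86 are pinned only by MD5 in `md5sums`, while the kernel tarball and stable patch in `source` are still fetched over `ftp://`. MD5 is not collision-resistant and FTP provides no transport integrity, so this checksum array is the only control between the mirror and the build. If the abuild version in use accepts a stronger digest array (not visible from this page), add one next to `md5sums`, for example `sha256sums="<sha256-of-patch> grsecurity-2.1.14-2.6.31.5-200910312135.patch"` with the real digest in place of the placeholder.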
main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910
232000
.patch
→
main/linux-grsec/grsecurity-2.1.14-2.6.31.5-200910
312135
.patch
...
...
@@ -12411,8 +12411,16 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/tsc.c linux-2.6.31.5/arch/x86/kernel/t
static void __init check_system_tsc_reliable(void)
diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kernel/vm86_32.c
--- linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:42:59.020760222 -0400
+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-20 20:33:06.209232976 -0400
@@ -148,7 +148,7 @@ struct pt_regs *save_v86_state(struct ke
+++ linux-2.6.31.5/arch/x86/kernel/vm86_32.c 2009-10-31 21:14:11.351546024 -0400
@@ -41,6 +41,7 @@
#include <linux/ptrace.h>
#include <linux/audit.h>
#include <linux/stddef.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/io.h>
@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
do_exit(SIGSEGV);
}
...
...
@@ -12421,7 +12429,36 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
current->thread.sp0 = current->thread.saved_sp0;
current->thread.sysenter_cs = __KERNEL_CS;
load_sp0(tss, ¤t->thread);
@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
struct task_struct *tsk;
int tmp, ret = -EPERM;
+#ifdef CONFIG_GRKERNSEC_VM86
+ if (!capable(CAP_SYS_RAWIO)) {
+ gr_handle_vm86();
+ goto out;
+ }
+#endif
+
tsk = current;
if (tsk->thread.saved_sp0)
goto out;
@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
int tmp, ret;
struct vm86plus_struct __user *v86;
+#ifdef CONFIG_GRKERNSEC_VM86
+ if (!capable(CAP_SYS_RAWIO)) {
+ gr_handle_vm86();
+ ret = -EPERM;
+ goto out;
+ }
+#endif
+
tsk = current;
switch (regs->bx) {
case VM86_REQUEST_IRQ:
@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
tsk->thread.saved_fs = info->regs32->fs;
tsk->thread.saved_gs = get_user_gs(info->regs32);
...
...
@@ -12430,7 +12467,7 @@ diff -urNp linux-2.6.31.5/arch/x86/kernel/vm86_32.c linux-2.6.31.5/arch/x86/kern
tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
if (cpu_has_sep)
tsk->thread.sysenter_cs = 0;
@@ -529,7 +5
29
,7 @@ static void do_int(struct kernel_vm86_re
@@ -529,7 +5
45
,7 @@ static void do_int(struct kernel_vm86_re
goto cannot_handle;
if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
goto cannot_handle;
...
...
@@ -29281,7 +29318,34 @@ diff -urNp linux-2.6.31.5/fs/sysfs/bin.c linux-2.6.31.5/fs/sysfs/bin.c
.fault = bin_fault,
diff -urNp linux-2.6.31.5/fs/sysfs/file.c linux-2.6.31.5/fs/sysfs/file.c
--- linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:17.593999889 -0400
+++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-23 19:50:30.050681672 -0400
+++ linux-2.6.31.5/fs/sysfs/file.c 2009-10-31 21:31:10.194981012 -0400
@@ -53,7 +53,7 @@ struct sysfs_buffer {
size_t count;
loff_t pos;
char * page;
- struct sysfs_ops * ops;
+ const struct sysfs_ops * ops;
struct mutex mutex;
int needs_read_fill;
int event;
@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
{
struct sysfs_dirent *attr_sd = dentry->d_fsdata;
struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
- struct sysfs_ops * ops = buffer->ops;
+ const struct sysfs_ops * ops = buffer->ops;
int ret = 0;
ssize_t count;
@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
{
struct sysfs_dirent *attr_sd = dentry->d_fsdata;
struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
- struct sysfs_ops * ops = buffer->ops;
+ const struct sysfs_ops * ops = buffer->ops;
int rc;
/* need attr_sd for attr and ops, its parent for kobj */
@@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
...
...
@@ -36515,8 +36579,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_log.c linux-2.6.31.5/grsecurity/grsec
+}
diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec_mem.c
--- linux-2.6.31.5/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-
20 20:32:11.219172768
-0400
@@ -0,0 +1,
79
@@
+++ linux-2.6.31.5/grsecurity/grsec_mem.c 2009-10-
31 20:59:28.193884281
-0400
@@ -0,0 +1,
85
@@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
...
...
@@ -36596,6 +36660,12 @@ diff -urNp linux-2.6.31.5/grsecurity/grsec_mem.c linux-2.6.31.5/grsecurity/grsec
+ return;
+}
+
+void
+gr_handle_vm86(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
+ return;
+}
diff -urNp linux-2.6.31.5/grsecurity/grsec_mount.c linux-2.6.31.5/grsecurity/grsec_mount.c
--- linux-2.6.31.5/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/grsecurity/grsec_mount.c 2009-10-20 20:32:11.219172768 -0400
...
...
@@ -37527,8 +37597,8 @@ diff -urNp linux-2.6.31.5/grsecurity/grsum.c linux-2.6.31.5/grsecurity/grsum.c
+}
diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
--- linux-2.6.31.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-
20 20:32:11.506703093
-0400
@@ -0,0 +1,9
08
@@
+++ linux-2.6.31.5/grsecurity/Kconfig 2009-10-
31 21:13:30.960724478
-0400
@@ -0,0 +1,9
23
@@
+#
+# grecurity configuration
+#
...
...
@@ -37669,6 +37739,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ select GRKERNSEC_AUDIT_MOUNT
+ select GRKERNSEC_MODHARDEN if (MODULES)
+ select GRKERNSEC_HARDEN_PTRACE
+ select GRKERNSEC_VM86 if (X86_32)
+ select PAX
+ select PAX_RANDUSTACK
+ select PAX_ASLR
...
...
@@ -37718,6 +37789,7 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ - Prevention of memory exhaustion-based exploits
+ - Hardening of module auto-loading
+ - Ptrace restrictions
+ - Restricted vm86 mode
+
+config GRKERNSEC_CUSTOM
+ bool "Custom"
...
...
@@ -37754,6 +37826,19 @@ diff -urNp linux-2.6.31.5/grsecurity/Kconfig linux-2.6.31.5/grsecurity/Kconfig
+ It is highly recommended that you say Y here if you meet all the
+ conditions above.
+
+config GRKERNSEC_VM86
+ bool "Restrict VM86 mode"
+ depends on X86_32
+
+ help
+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
+ make use of a special execution mode on 32bit x86 processors called
+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
+ video cards and will still work with this option enabled. The purpose
+ of the option is to prevent exploitation of emulation errors in
+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
+ Nearly all users should be able to enable this option.
+
+config GRKERNSEC_IO
+ bool "Disable privileged I/O"
+ depends on X86
...
...
@@ -39888,8 +39973,8 @@ diff -urNp linux-2.6.31.5/include/linux/grinternal.h linux-2.6.31.5/include/linu
+#endif
diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grmsg.h
--- linux-2.6.31.5/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-
20 20:32:11.510838935
-0400
@@ -0,0 +1,10
3
@@
+++ linux-2.6.31.5/include/linux/grmsg.h 2009-10-
31 20:53:53.064386497
-0400
@@ -0,0 +1,10
4
@@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
...
...
@@ -39993,10 +40078,11 @@ diff -urNp linux-2.6.31.5/include/linux/grmsg.h linux-2.6.31.5/include/linux/grm
+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
+#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
+#define GR_VM86_MSG "denied use of vm86 by "
diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linux/grsecurity.h
--- linux-2.6.31.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-
20 20:32:11.510838935
-0400
@@ -0,0 +1,19
7
@@
+++ linux-2.6.31.5/include/linux/grsecurity.h 2009-10-
31 21:00:00.773738698
-0400
@@ -0,0 +1,19
8
@@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
...
...
@@ -40182,6 +40268,7 @@ diff -urNp linux-2.6.31.5/include/linux/grsecurity.h linux-2.6.31.5/include/linu
+
+#ifdef CONFIG_GRKERNSEC
+void gr_log_nonroot_mod_load(const char *modname);
+void gr_handle_vm86(void);
+void gr_handle_mem_write(void);
+void gr_handle_kmem_write(void);
+void gr_handle_open_port(void);
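Review bot: The `GRKERNSEC_VM86` help text says XFree86 "will still work" but states neither the condition for that nor the effect on other software. The checks added at the top of `sys_vm86old()` and `sys_vm86()` refuse every caller lacking `CAP_SYS_RAWIO` before any sub-function in `regs->bx` is examined, so unprivileged vm86 users such as DOS emulators fail, presumably with -EPERM since both paths `goto out` with `ret` holding it (the `out:` label and the rest of both functions are outside the hunks). I would add a sentence to the help text along the lines of `Unprivileged programs that use vm86 (e.g. DOS emulators) will fail with EPERM and the attempt will be logged.` Each refusal also calls `gr_handle_vm86()`, which logs `GR_VM86_MSG` ("denied use of vm86 by "); that string is a useful detection anchor, and whether `gr_log_noargs()` rate-limits repeated denials from one process is not visible here and should be confirmed.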
main/linux-grsec/kernelconfig.x86
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.31.5
# Mon
Oct 26 17:37:25
2009
# Mon
Nov 2 17:52:49
2009
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
...
...
@@ -4191,6 +4191,7 @@ CONFIG_GRKERNSEC_CUSTOM=y
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_VM86=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
...
...
main/xtables-addons-grsec/APKBUILD
...
...
@@ -8,11 +8,13 @@ if [ -f ../linux-$_flavor/APKBUILD ]; then
fi
_kernelver
=
$pkgver
-r
$pkgrel
_abi_release
=
$pkgver
-
${
_flavor
}
_kpkgrel
=
$pkgrel
pkgname
=
${
_realname
}
-
${
_flavor
}
pkgver
=
${
pkgver
}
_realver
=
1.19
pkgrel
=
0
_mypkgrel
=
0
pkgrel
=
$((
$_kpkgrel
+
$_mypkgrel
))
pkgdesc
=
"Iptables extensions kernel modules"
url
=
"http://xtables-addons.sourceforge.net/"
license
=
"GPL"
...
...
testing/kqemu-grsec/APKBUILD
...
...
@@ -8,11 +8,13 @@ if [ -f ../../main/linux-$_flavor/APKBUILD ]; then
fi
_kernelver
=
$pkgver
-r
$pkgrel
_abi_release
=
$pkgver
-
${
_flavor
}
_kpkgrel
=
$pkgrel
pkgname
=
${
_realname
}
-
${
_flavor
}
pkgver
=
$pkgver
_realver
=
1.4.0pre1
pkgrel
=
0
_mypkgrel
=
0
pkgrel
=
$((
$_kpkgrel
+
$_mypkgrel
))
pkgdesc
=
"
$_flavor
kernel modules for kemu
$_realver
"
url
=
"http://www.nongnu.org/qemu/"
license
=
"GPL"
...
...