diff options
author | Anthony G. Basile <basile@opensource.dyc.edu> | 2011-02-13 12:03:56 -0500 |
---|---|---|
committer | Anthony G. Basile <basile@opensource.dyc.edu> | 2011-02-13 12:03:56 -0500 |
commit | 65c697fdf79d5963e55e40a17b1f148164143416 (patch) | |
tree | 3394f90043bc52c36c4b4def179a5a8c30be0033 | |
parent | Update Grsec/PaX (diff) | |
download | hardened-patchset-65c697fdf79d5963e55e40a17b1f148164143416.tar.gz hardened-patchset-65c697fdf79d5963e55e40a17b1f148164143416.tar.bz2 hardened-patchset-65c697fdf79d5963e55e40a17b1f148164143416.zip |
Update Grsec/PaX20110212
2.2.1-2.6.32.28-201102121148
2.2.1-2.6.37-201102121148
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch (renamed from 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch) | 290 | ||||
-rw-r--r-- | 2.6.37/0000_README | 2 | ||||
-rw-r--r-- | 2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch (renamed from 2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch) | 392 |
4 files changed, 523 insertions, 163 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index d19cb36..c1feb8d 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch +Patch: 4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch b/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch index 578be36..b1b6990 100644 --- a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch +++ b/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch @@ -8043,7 +8043,7 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mman.h linux-2.6.32.28/arch/x86/ #endif /* _ASM_X86_MMAN_H */ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/arch/x86/include/asm/mmu_context.h --- linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2011-02-12 11:05:01.000000000 -0500 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) @@ -8075,8 +8075,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/ar +#endif if (likely(prev != next)) { - /* stop flush ipis for the previous mm */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); +- /* stop flush ipis for the previous mm */ +- cpumask_clear_cpu(cpu, mm_cpumask(prev)); #ifdef CONFIG_SMP +#ifdef CONFIG_X86_32 + tlbstate = percpu_read(cpu_tlbstate.state); @@ -8096,6 +8096,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.32.28/ar +#else load_cr3(next->pgd); +#endif ++ /* stop flush ipis for the previous mm */ ++ cpumask_clear_cpu(cpu, mm_cpumask(prev)); /* * load the LDT, if the LDT is different: @@ -32254,7 +32256,7 @@ diff -urNp linux-2.6.32.28/fs/ecryptfs/inode.c linux-2.6.32.28/fs/ecryptfs/inode goto out_free; diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32.28/fs/exec.c --- linux-2.6.32.28/fs/exec.c 2011-01-11 23:55:35.000000000 -0500 -+++ linux-2.6.32.28/fs/exec.c 2011-01-11 23:56:03.000000000 -0500 ++++ linux-2.6.32.28/fs/exec.c 2011-02-12 11:21:23.000000000 -0500 @@ -56,12 +56,24 @@ #include <linux/fsnotify.h> #include <linux/fs_struct.h> @@ -32839,7 +32841,7 @@ diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32.28/fs/exec.c */ clear_thread_flag(TIF_SIGPENDING); -+ if (signr == SIGKILL || signr == SIGILL) ++ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL) + gr_handle_brute_attach(current); + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1); + @@ -51234,7 +51236,24 @@ diff -urNp linux-2.6.32.28/kernel/cpu.c linux-2.6.32.28/kernel/cpu.c * Should always be manipulated under cpu_add_remove_lock diff -urNp linux-2.6.32.28/kernel/cred.c linux-2.6.32.28/kernel/cred.c --- linux-2.6.32.28/kernel/cred.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/cred.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/kernel/cred.c 2011-02-12 10:44:11.000000000 -0500 +@@ -231,13 +231,13 @@ struct cred *cred_alloc_blank(void) + #endif + + atomic_set(&new->usage, 1); ++#ifdef CONFIG_DEBUG_CREDENTIALS ++ new->magic = CRED_MAGIC; ++#endif + + if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) + goto error; + +-#ifdef CONFIG_DEBUG_CREDENTIALS +- new->magic = CRED_MAGIC; +-#endif + return new; + + error: @@ -520,6 +520,8 @@ int commit_creds(struct cred *new) get_cred(new); /* we will require a ref for the subj creds too */ @@ -51244,6 +51263,37 @@ diff -urNp linux-2.6.32.28/kernel/cred.c linux-2.6.32.28/kernel/cred.c /* dumpability changes */ if (old->euid != new->euid || old->egid != new->egid || +@@ -696,6 +698,8 @@ struct cred *prepare_kernel_cred(struct + validate_creds(old); + + *new = *old; ++ atomic_set(&new->usage, 1); ++ set_cred_subscribers(new, 0); + get_uid(new->user); + get_group_info(new->group_info); + +@@ -713,8 +717,6 @@ struct cred *prepare_kernel_cred(struct + if (security_prepare_creds(new, old, GFP_KERNEL) < 0) + goto error; + +- atomic_set(&new->usage, 1); +- set_cred_subscribers(new, 0); + put_cred(old); + validate_creds(new); + return new; +@@ -787,7 +789,11 @@ bool creds_are_invalid(const struct cred + if (cred->magic != CRED_MAGIC) + return true; + #ifdef CONFIG_SECURITY_SELINUX +- if (selinux_is_enabled()) { ++ /* ++ * cred->security == NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ if (selinux_is_enabled() && cred->security) { + if ((unsigned long) cred->security < PAGE_SIZE) + return true; + if ((*(u32 *)cred->security & 0xffffff00) == diff -urNp linux-2.6.32.28/kernel/exit.c linux-2.6.32.28/kernel/exit.c --- linux-2.6.32.28/kernel/exit.c 2011-01-11 23:55:35.000000000 -0500 +++ linux-2.6.32.28/kernel/exit.c 2010-12-31 14:46:53.000000000 -0500 @@ -51816,8 +51866,8 @@ diff -urNp linux-2.6.32.28/kernel/kgdb.c linux-2.6.32.28/kernel/kgdb.c diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2.6.32.28/kernel/kmod.c --- linux-2.6.32.28/kernel/kmod.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/kmod.c 2010-12-31 14:46:53.000000000 -0500 -@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch ++++ linux-2.6.32.28/kernel/kmod.c 2011-02-12 10:58:19.000000000 -0500 +@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch if (ret >= MODULE_NAME_LEN) return -ENAMETOOLONG; @@ -51828,7 +51878,17 @@ diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2.6.32.28/kernel/kmod.c + auto-loaded + */ + if (current_uid()) { -+ gr_log_nonroot_mod_load(module_name); ++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE) ++ /* There are known knowns. These are things we know ++ that we know. There are known unknowns. That is to say, ++ there are things that we know we don't know. But there are ++ also unknown unknowns. There are things we don't know ++ we don't know. ++ This here is a known unknown. ++ */ ++ if (strcmp(module_name, "net-pf-10")) ++#endif ++ gr_log_nonroot_mod_load(module_name); + return -EPERM; + } +#endif @@ -52015,7 +52075,7 @@ diff -urNp linux-2.6.32.28/kernel/lockdep_proc.c linux-2.6.32.28/kernel/lockdep_ if (!name) { diff -urNp linux-2.6.32.28/kernel/module.c linux-2.6.32.28/kernel/module.c --- linux-2.6.32.28/kernel/module.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/module.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/kernel/module.c 2011-02-02 20:27:32.000000000 -0500 @@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq static BLOCKING_NOTIFIER_HEAD(module_notify_list); @@ -52053,6 +52113,15 @@ diff -urNp linux-2.6.32.28/kernel/module.c linux-2.6.32.28/kernel/module.c printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n", name, align, PAGE_SIZE); align = PAGE_SIZE; +@@ -1158,7 +1159,7 @@ static const struct kernel_symbol *resol + * /sys/module/foo/sections stuff + * J. Corbet <corbet@lwn.net> + */ +-#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) ++#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM) + + static inline bool sect_empty(const Elf_Shdr *sect) + { @@ -1545,7 +1546,8 @@ static void free_module(struct module *m destroy_params(mod->kp, mod->num_kp); @@ -52784,7 +52853,7 @@ diff -urNp linux-2.6.32.28/kernel/printk.c linux-2.6.32.28/kernel/printk.c return error; diff -urNp linux-2.6.32.28/kernel/ptrace.c linux-2.6.32.28/kernel/ptrace.c --- linux-2.6.32.28/kernel/ptrace.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/ptrace.c 2011-01-01 00:19:08.000000000 -0500 ++++ linux-2.6.32.28/kernel/ptrace.c 2011-02-12 10:37:47.000000000 -0500 @@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru cred->gid != tcred->egid || cred->gid != tcred->sgid || @@ -52812,6 +52881,15 @@ diff -urNp linux-2.6.32.28/kernel/ptrace.c linux-2.6.32.28/kernel/ptrace.c task->ptrace |= PT_PTRACE_CAP; __ptrace_link(task, current); +@@ -314,7 +314,7 @@ int ptrace_detach(struct task_struct *ch + child->exit_code = data; + dead = __ptrace_detach(current, child); + if (!child->exit_state) +- wake_up_process(child); ++ wake_up_state(child, TASK_TRACED | TASK_STOPPED); + } + write_unlock_irq(&tasklist_lock); + @@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c ret = ptrace_setoptions(child, data); break; @@ -53036,7 +53114,7 @@ diff -urNp linux-2.6.32.28/kernel/sched.c linux-2.6.32.28/kernel/sched.c return; diff -urNp linux-2.6.32.28/kernel/signal.c linux-2.6.32.28/kernel/signal.c --- linux-2.6.32.28/kernel/signal.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/signal.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/kernel/signal.c 2011-02-12 11:22:46.000000000 -0500 @@ -41,12 +41,12 @@ static struct kmem_cache *sigqueue_cachep; @@ -53099,17 +53177,34 @@ diff -urNp linux-2.6.32.28/kernel/signal.c linux-2.6.32.28/kernel/signal.c specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { return send_signal(sig, info, t, 0); -@@ -1022,6 +1028,9 @@ force_sig_info(int sig, struct siginfo * +@@ -1005,6 +1011,7 @@ force_sig_info(int sig, struct siginfo * + unsigned long int flags; + int ret, blocked, ignored; + struct k_sigaction *action; ++ int is_unhandled = 0; + + spin_lock_irqsave(&t->sighand->siglock, flags); + action = &t->sighand->action[sig-1]; +@@ -1019,9 +1026,18 @@ force_sig_info(int sig, struct siginfo * + } + if (action->sa.sa_handler == SIG_DFL) + t->signal->flags &= ~SIGNAL_UNKILLABLE; ++ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL) ++ is_unhandled = 1; ret = specific_send_sig_info(sig, info, t); spin_unlock_irqrestore(&t->sighand->siglock, flags); -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); -+ gr_handle_crash(t, sig); ++ /* only deal with unhandled signals, java etc trigger SIGSEGV during ++ normal operation */ ++ if (is_unhandled) { ++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); ++ gr_handle_crash(t, sig); ++ } + return ret; } -@@ -1081,8 +1090,11 @@ int group_send_sig_info(int sig, struct +@@ -1081,8 +1097,11 @@ int group_send_sig_info(int sig, struct { int ret = check_kill_permission(sig, info, p); @@ -55257,7 +55352,7 @@ diff -urNp linux-2.6.32.28/mm/mlock.c linux-2.6.32.28/mm/mlock.c ret = do_mlockall(flags); diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c --- linux-2.6.32.28/mm/mmap.c 2011-01-11 23:55:35.000000000 -0500 -+++ linux-2.6.32.28/mm/mmap.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/mm/mmap.c 2011-02-12 11:38:46.000000000 -0500 @@ -45,6 +45,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -55479,12 +55574,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (addr & ~PAGE_MASK) return addr; -@@ -969,6 +1046,31 @@ unsigned long do_mmap_pgoff(struct file +@@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) { + gr_log_rwxmmap(file); + @@ -55498,6 +55594,10 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c + + if (!(vm_flags & VM_EXEC)) + vm_flags &= ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &= ~VM_MAYWRITE; + } @@ -55511,7 +55611,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -980,6 +1082,7 @@ unsigned long do_mmap_pgoff(struct file +@@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; @@ -55519,7 +55619,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1053,6 +1156,9 @@ unsigned long do_mmap_pgoff(struct file +@@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file if (error) return error; @@ -55529,7 +55629,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1065,10 +1171,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); +@@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -55542,7 +55642,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1117,14 +1223,24 @@ unsigned long mmap_region(struct file *f +@@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -55569,7 +55669,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c } /* Check against address space limit. */ -@@ -1173,6 +1289,16 @@ munmap_back: +@@ -1173,6 +1294,16 @@ munmap_back: goto unacct_error; } @@ -55586,7 +55686,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1195,6 +1321,19 @@ munmap_back: +@@ -1195,6 +1326,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -55606,7 +55706,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1218,6 +1357,11 @@ munmap_back: +@@ -1218,6 +1362,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -55618,7 +55718,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1226,6 +1370,7 @@ out: +@@ -1226,6 +1375,7 @@ out: mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -55626,7 +55726,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (vm_flags & VM_LOCKED) { /* * makes pages present; downgrades, drops, reacquires mmap_sem -@@ -1248,6 +1393,12 @@ unmap_and_free_vma: +@@ -1248,6 +1398,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -55639,7 +55739,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1255,6 +1406,33 @@ unacct_error: +@@ -1255,6 +1411,33 @@ unacct_error: return error; } @@ -55673,7 +55773,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1281,18 +1459,23 @@ arch_get_unmapped_area(struct file *filp +@@ -1281,18 +1464,23 @@ arch_get_unmapped_area(struct file *filp if (flags & MAP_FIXED) return addr; @@ -55704,7 +55804,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c } full_search: -@@ -1303,34 +1486,40 @@ full_search: +@@ -1303,34 +1491,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -55756,7 +55856,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1348,7 +1537,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1348,7 +1542,7 @@ arch_get_unmapped_area_topdown(struct fi { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -55765,7 +55865,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1357,13 +1546,18 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1357,13 +1551,18 @@ arch_get_unmapped_area_topdown(struct fi if (flags & MAP_FIXED) return addr; @@ -55788,7 +55888,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c } /* check if free_area_cache is useful for us */ -@@ -1378,7 +1572,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1378,7 +1577,7 @@ arch_get_unmapped_area_topdown(struct fi /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); @@ -55797,7 +55897,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -1395,7 +1589,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1395,7 +1594,7 @@ arch_get_unmapped_area_topdown(struct fi * return with success: */ vma = find_vma(mm, addr); @@ -55806,7 +55906,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1414,13 +1608,21 @@ bottomup: +@@ -1414,13 +1613,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -55830,7 +55930,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c mm->cached_hole_size = ~0UL; return addr; -@@ -1429,6 +1631,12 @@ bottomup: +@@ -1429,6 +1636,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -55843,7 +55943,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* * Is this a new hole at the highest possible address? */ -@@ -1436,8 +1644,10 @@ void arch_unmap_area_topdown(struct mm_s +@@ -1436,8 +1649,10 @@ void arch_unmap_area_topdown(struct mm_s mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -55855,7 +55955,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c } unsigned long -@@ -1545,6 +1755,27 @@ out: +@@ -1545,6 +1760,27 @@ out: return prev ? prev->vm_next : vma; } @@ -55883,7 +55983,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -1561,6 +1792,7 @@ static int acct_stack_growth(struct vm_a +@@ -1561,6 +1797,7 @@ static int acct_stack_growth(struct vm_a return -ENOMEM; /* Stack limit test */ @@ -55891,7 +55991,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (size > rlim[RLIMIT_STACK].rlim_cur) return -ENOMEM; -@@ -1570,6 +1802,7 @@ static int acct_stack_growth(struct vm_a +@@ -1570,6 +1807,7 @@ static int acct_stack_growth(struct vm_a unsigned long limit; locked = mm->locked_vm + grow; limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT; @@ -55899,7 +55999,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1600,37 +1833,48 @@ static int acct_stack_growth(struct vm_a +@@ -1600,37 +1838,48 @@ static int acct_stack_growth(struct vm_a * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -55957,7 +56057,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c unsigned long size, grow; size = address - vma->vm_start; -@@ -1640,6 +1884,8 @@ int expand_upwards(struct vm_area_struct +@@ -1640,6 +1889,8 @@ int expand_upwards(struct vm_area_struct if (!error) vma->vm_end = address; } @@ -55966,7 +56066,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c anon_vma_unlock(vma); return error; } -@@ -1652,6 +1898,8 @@ static int expand_downwards(struct vm_ar +@@ -1652,6 +1903,8 @@ static int expand_downwards(struct vm_ar unsigned long address) { int error; @@ -55975,7 +56075,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* * We must make sure the anon_vma is allocated -@@ -1665,6 +1913,15 @@ static int expand_downwards(struct vm_ar +@@ -1665,6 +1918,15 @@ static int expand_downwards(struct vm_ar if (error) return error; @@ -55991,7 +56091,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c anon_vma_lock(vma); /* -@@ -1674,9 +1931,17 @@ static int expand_downwards(struct vm_ar +@@ -1674,9 +1936,17 @@ static int expand_downwards(struct vm_ar */ /* Somebody else might have raced and expanded it already */ @@ -56010,7 +56110,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1684,9 +1949,20 @@ static int expand_downwards(struct vm_ar +@@ -1684,9 +1954,20 @@ static int expand_downwards(struct vm_ar if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -56031,7 +56131,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return error; } -@@ -1762,6 +2038,13 @@ static void remove_vma_list(struct mm_st +@@ -1762,6 +2043,13 @@ static void remove_vma_list(struct mm_st do { long nrpages = vma_pages(vma); @@ -56045,7 +56145,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1807,6 +2090,16 @@ detach_vmas_to_be_unmapped(struct mm_str +@@ -1807,6 +2095,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -56062,7 +56162,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1834,10 +2127,25 @@ int split_vma(struct mm_struct * mm, str +@@ -1834,10 +2132,25 @@ int split_vma(struct mm_struct * mm, str struct mempolicy *pol; struct vm_area_struct *new; @@ -56088,7 +56188,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -1845,6 +2153,16 @@ int split_vma(struct mm_struct * mm, str +@@ -1845,6 +2158,16 @@ int split_vma(struct mm_struct * mm, str if (!new) return -ENOMEM; @@ -56105,7 +56205,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1855,8 +2173,29 @@ int split_vma(struct mm_struct * mm, str +@@ -1855,8 +2178,29 @@ int split_vma(struct mm_struct * mm, str new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -56135,7 +56235,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c kmem_cache_free(vm_area_cachep, new); return PTR_ERR(pol); } -@@ -1877,6 +2216,28 @@ int split_vma(struct mm_struct * mm, str +@@ -1877,6 +2221,28 @@ int split_vma(struct mm_struct * mm, str else vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -56164,13 +56264,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return 0; } -@@ -1885,11 +2246,30 @@ int split_vma(struct mm_struct * mm, str +@@ -1885,11 +2251,30 @@ int split_vma(struct mm_struct * mm, str * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ +#ifdef CONFIG_PAX_SEGMEXEC - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) - { ++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) ++{ + int ret = __do_munmap(mm, start, len); + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC)) + return ret; @@ -56180,9 +56280,9 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c + +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +#else -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) + int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +#endif -+{ + { unsigned long end; struct vm_area_struct *vma, *prev, *last; @@ -56195,7 +56295,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -1953,6 +2333,8 @@ int do_munmap(struct mm_struct *mm, unsi +@@ -1953,6 +2338,8 @@ int do_munmap(struct mm_struct *mm, unsi /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -56204,7 +56304,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return 0; } -@@ -1965,22 +2347,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a +@@ -1965,22 +2352,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a profile_munmap(addr); @@ -56233,7 +56333,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -1994,6 +2372,7 @@ unsigned long do_brk(unsigned long addr, +@@ -1994,6 +2377,7 @@ unsigned long do_brk(unsigned long addr, struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -56241,7 +56341,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c len = PAGE_ALIGN(len); if (!len) -@@ -2005,16 +2384,30 @@ unsigned long do_brk(unsigned long addr, +@@ -2005,16 +2389,30 @@ unsigned long do_brk(unsigned long addr, flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -56273,7 +56373,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c locked += mm->locked_vm; lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>= PAGE_SHIFT; -@@ -2031,22 +2424,22 @@ unsigned long do_brk(unsigned long addr, +@@ -2031,22 +2429,22 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ @@ -56300,7 +56400,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2060,7 +2453,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2060,7 +2458,7 @@ unsigned long do_brk(unsigned long addr, */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -56309,7 +56409,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return -ENOMEM; } -@@ -2072,11 +2465,12 @@ unsigned long do_brk(unsigned long addr, +@@ -2072,11 +2470,12 @@ unsigned long do_brk(unsigned long addr, vma->vm_page_prot = vm_get_page_prot(flags); vma_link(mm, vma, prev, rb_link, rb_parent); out: @@ -56324,7 +56424,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return addr; } -@@ -2123,8 +2517,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2123,8 +2522,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -56336,7 +56436,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2138,6 +2534,10 @@ int insert_vm_struct(struct mm_struct * +@@ -2138,6 +2539,10 @@ int insert_vm_struct(struct mm_struct * struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -56347,7 +56447,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2160,7 +2560,22 @@ int insert_vm_struct(struct mm_struct * +@@ -2160,7 +2565,22 @@ int insert_vm_struct(struct mm_struct * if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -56370,7 +56470,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c return 0; } -@@ -2178,6 +2593,8 @@ struct vm_area_struct *copy_vma(struct v +@@ -2178,6 +2598,8 @@ struct vm_area_struct *copy_vma(struct v struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -56379,7 +56479,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2221,6 +2638,35 @@ struct vm_area_struct *copy_vma(struct v +@@ -2221,6 +2643,35 @@ struct vm_area_struct *copy_vma(struct v return new_vma; } @@ -56415,7 +56515,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2231,7 +2677,7 @@ int may_expand_vm(struct mm_struct *mm, +@@ -2231,7 +2682,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long lim; lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; @@ -56424,16 +56524,21 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c if (cur + npages > lim) return 0; return 1; -@@ -2301,6 +2747,17 @@ int install_special_mapping(struct mm_st +@@ -2301,6 +2752,22 @@ int install_special_mapping(struct mm_st vma->vm_start = addr; vma->vm_end = addr + len; +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) + return -EPERM; + if (!(vm_flags & VM_EXEC)) + vm_flags &= ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &= ~VM_MAYWRITE; + } @@ -60064,8 +60169,8 @@ diff -urNp linux-2.6.32.28/security/integrity/ima/ima_queue.c linux-2.6.32.28/se return 0; diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig --- linux-2.6.32.28/security/Kconfig 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/security/Kconfig 2011-01-04 17:43:17.000000000 -0500 -@@ -4,6 +4,509 @@ ++++ linux-2.6.32.28/security/Kconfig 2011-02-12 11:33:55.000000000 -0500 +@@ -4,6 +4,527 @@ menu "Security options" @@ -60311,6 +60416,24 @@ diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig + NOTE: you can use the 'chpax' or 'paxctl' utilities to control + this feature on a per file basis. + ++config PAX_MPROTECT_COMPAT ++ bool "Use legacy/compat protection demoting (read help)" ++ depends on PAX_MPROTECT ++ default n ++ help ++ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects ++ by sending the proper error code to the application. For some broken ++ userland, this can cause problems with Python or other applications. The ++ current implementation however allows for applications like clamav to ++ detect if JIT compilation/execution is allowed and to fall back gracefully ++ to an interpreter-based mode if it does not. While we encourage everyone ++ to use the current implementation as-is and push upstream to fix broken ++ userland (note that the RWX logging option can assist with this), in some ++ environments this may not be possible. Having to disable MPROTECT ++ completely on certain binaries reduces the security benefit of PaX, ++ so this option is provided for those environments to revert to the old ++ behavior. ++ +config PAX_ELFRELOCS + bool "Allow ELF text relocations (read help)" + depends on PAX_MPROTECT @@ -60575,7 +60698,7 @@ diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kconfig config KEYS bool "Enable access key retention support" help -@@ -146,7 +649,7 @@ config INTEL_TXT +@@ -146,7 +667,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX @@ -60638,7 +60761,7 @@ diff -urNp linux-2.6.32.28/security/security.c linux-2.6.32.28/security/security printk(KERN_DEBUG "%s could not verify " diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/selinux/hooks.c --- linux-2.6.32.28/security/selinux/hooks.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/security/selinux/hooks.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/security/selinux/hooks.c 2011-02-12 11:03:00.000000000 -0500 @@ -131,7 +131,7 @@ int selinux_enabled = 1; * Minimal support for a secondary security module, * just to allow the use of the capability module. @@ -60648,7 +60771,20 @@ diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/sel /* Lists of inode and superblock security structures initialized before the policy was loaded. */ -@@ -5450,7 +5450,7 @@ static int selinux_key_getsecurity(struc +@@ -3259,7 +3259,11 @@ static void selinux_cred_free(struct cre + { + struct task_security_struct *tsec = cred->security; + +- BUG_ON((unsigned long) cred->security < PAGE_SIZE); ++ /* ++ * cred->security == NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); + cred->security = (void *) 0x7UL; + kfree(tsec); + } +@@ -5450,7 +5454,7 @@ static int selinux_key_getsecurity(struc #endif @@ -60657,7 +60793,7 @@ diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/security/sel .name = "selinux", .ptrace_access_check = selinux_ptrace_access_check, -@@ -5834,7 +5834,9 @@ int selinux_disable(void) +@@ -5834,7 +5838,9 @@ int selinux_disable(void) avc_disable(); /* Reset security_ops to the secondary module, dummy or capability. */ diff --git a/2.6.37/0000_README b/2.6.37/0000_README index 2c6b512..16e7e24 100644 --- a/2.6.37/0000_README +++ b/2.6.37/0000_README @@ -3,7 +3,7 @@ README Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch 4420_grsecurity-2.2.1-2.6.37-201101272240.patch +Patch: 4420_grsecurity-2.2.1-2.6.37-201102121148.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch b/2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch index 053126a..e66397d 100644 --- a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch +++ b/2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch @@ -8049,7 +8049,7 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mman.h linux-2.6.37/arch/x86/includ #endif /* _ASM_X86_MMAN_H */ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86/include/asm/mmu_context.h --- linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-17 02:41:00.000000000 -0500 ++++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-02-12 11:04:35.000000000 -0500 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) @@ -8081,8 +8081,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86 +#endif if (likely(prev != next)) { - /* stop flush ipis for the previous mm */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); +- /* stop flush ipis for the previous mm */ +- cpumask_clear_cpu(cpu, mm_cpumask(prev)); #ifdef CONFIG_SMP +#ifdef CONFIG_X86_32 + tlbstate = percpu_read(cpu_tlbstate.state); @@ -8102,6 +8102,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86 +#else load_cr3(next->pgd); +#endif ++ /* stop flush ipis for the previous mm */ ++ cpumask_clear_cpu(cpu, mm_cpumask(prev)); /* * load the LDT, if the LDT is different: @@ -27044,6 +27046,26 @@ diff -urNp linux-2.6.37/drivers/pci/pcie/portdrv_pci.c linux-2.6.37/drivers/pci/ }; MODULE_DEVICE_TABLE(pci, port_pci_ids); +diff -urNp linux-2.6.37/drivers/pci/pci-sysfs.c linux-2.6.37/drivers/pci/pci-sysfs.c +--- linux-2.6.37/drivers/pci/pci-sysfs.c 2011-01-04 19:50:19.000000000 -0500 ++++ linux-2.6.37/drivers/pci/pci-sysfs.c 2011-02-12 10:32:55.000000000 -0500 +@@ -23,6 +23,7 @@ + #include <linux/mm.h> + #include <linux/fs.h> + #include <linux/capability.h> ++#include <linux/security.h> + #include <linux/pci-aspm.h> + #include <linux/slab.h> + #include "pci.h" +@@ -368,7 +369,7 @@ pci_read_config(struct file *filp, struc + u8 *data = (u8*) buf; + + /* Several chips lock up trying to read undefined config space */ +- if (cap_raised(filp->f_cred->cap_effective, CAP_SYS_ADMIN)) { ++ if (security_capable(filp->f_cred, CAP_SYS_ADMIN)) { + size = dev->cfg_size; + } else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS) { + size = 128; diff -urNp linux-2.6.37/drivers/pci/probe.c linux-2.6.37/drivers/pci/probe.c --- linux-2.6.37/drivers/pci/probe.c 2011-01-04 19:50:19.000000000 -0500 +++ linux-2.6.37/drivers/pci/probe.c 2011-01-17 02:41:01.000000000 -0500 @@ -30248,6 +30270,40 @@ diff -urNp linux-2.6.37/fs/btrfs/inode.c linux-2.6.37/fs/btrfs/inode.c .fill_delalloc = run_delalloc_range, .submit_bio_hook = btrfs_submit_bio_hook, .merge_bio_hook = btrfs_merge_bio_hook, +diff -urNp linux-2.6.37/fs/btrfs/ioctl.c linux-2.6.37/fs/btrfs/ioctl.c +--- linux-2.6.37/fs/btrfs/ioctl.c 2011-01-04 19:50:19.000000000 -0500 ++++ linux-2.6.37/fs/btrfs/ioctl.c 2011-02-12 10:29:31.000000000 -0500 +@@ -2087,7 +2087,7 @@ long btrfs_ioctl_space_info(struct btrfs + int num_types = 4; + int alloc_size; + int ret = 0; +- int slot_count = 0; ++ u64 slot_count = 0; + int i, c; + + if (copy_from_user(&space_args, +@@ -2126,7 +2126,7 @@ long btrfs_ioctl_space_info(struct btrfs + goto out; + } + +- slot_count = min_t(int, space_args.space_slots, slot_count); ++ slot_count = min_t(u64, space_args.space_slots, slot_count); + + alloc_size = sizeof(*dest) * slot_count; + +@@ -2146,6 +2146,12 @@ long btrfs_ioctl_space_info(struct btrfs + for (i = 0; i < num_types; i++) { + struct btrfs_space_info *tmp; + ++ /* Don't copy in more than we allocated */ ++ if (!slot_count) ++ break; ++ ++ slot_count--; ++ + info = NULL; + rcu_read_lock(); + list_for_each_entry_rcu(tmp, &root->fs_info->space_info, diff -urNp linux-2.6.37/fs/btrfs/relocation.c linux-2.6.37/fs/btrfs/relocation.c --- linux-2.6.37/fs/btrfs/relocation.c 2011-01-04 19:50:19.000000000 -0500 +++ linux-2.6.37/fs/btrfs/relocation.c 2011-01-17 02:41:01.000000000 -0500 @@ -30668,7 +30724,7 @@ diff -urNp linux-2.6.37/fs/ecryptfs/miscdev.c linux-2.6.37/fs/ecryptfs/miscdev.c if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c --- linux-2.6.37/fs/exec.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/fs/exec.c 2011-01-17 02:41:01.000000000 -0500 ++++ linux-2.6.37/fs/exec.c 2011-02-12 11:21:04.000000000 -0500 @@ -55,12 +55,24 @@ #include <linux/fs_struct.h> #include <linux/pipe_fs_i.h> @@ -31194,7 +31250,7 @@ diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c goto fail_corename; } -+ if (signr == SIGKILL || signr == SIGILL) ++ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL) + gr_handle_brute_attach(current); + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1); + @@ -47851,7 +47907,7 @@ diff -urNp linux-2.6.37/include/linux/screen_info.h linux-2.6.37/include/linux/s #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */ diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/security.h --- linux-2.6.37/include/linux/security.h 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/include/linux/security.h 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/include/linux/security.h 2011-02-12 10:34:03.000000000 -0500 @@ -35,6 +35,7 @@ #include <linux/key.h> #include <linux/xfrm.h> @@ -47860,6 +47916,27 @@ diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/secu #include <net/flow.h> /* Maximum number of letters for an LSM name string */ +@@ -1664,7 +1665,7 @@ int security_capset(struct cred *new, co + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); +-int security_capable(int cap); ++int security_capable(const struct cred *cred, int cap); + int security_real_capable(struct task_struct *tsk, int cap); + int security_real_capable_noaudit(struct task_struct *tsk, int cap); + int security_sysctl(struct ctl_table *table, int op); +@@ -1857,9 +1858,9 @@ static inline int security_capset(struct + return cap_capset(new, old, effective, inheritable, permitted); + } + +-static inline int security_capable(int cap) ++static inline int security_capable(const struct cred *cred, int cap) + { +- return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT); ++ return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT); + } + + static inline int security_real_capable(struct task_struct *tsk, int cap) diff -urNp linux-2.6.37/include/linux/shm.h linux-2.6.37/include/linux/shm.h --- linux-2.6.37/include/linux/shm.h 2011-01-04 19:50:19.000000000 -0500 +++ linux-2.6.37/include/linux/shm.h 2011-01-17 02:41:02.000000000 -0500 @@ -49247,7 +49324,7 @@ diff -urNp linux-2.6.37/kernel/acct.c linux-2.6.37/kernel/acct.c set_fs(fs); diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c --- linux-2.6.37/kernel/capability.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/capability.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/capability.c 2011-02-12 11:48:20.000000000 -0500 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_ * before modification is attempted and the application * fails. @@ -49263,7 +49340,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c } - if (security_capable(cap) == 0) { -+ if (security_capable(cap) == 0 && gr_is_capable(cap)) { ++ if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) { current->flags |= PF_SUPERPRIV; return 1; } @@ -49277,7 +49354,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c + BUG(); + } + -+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) { ++ if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) { + current->flags |= PF_SUPERPRIV; + return 1; + } @@ -49322,7 +49399,24 @@ diff -urNp linux-2.6.37/kernel/configs.c linux-2.6.37/kernel/configs.c diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c --- linux-2.6.37/kernel/cred.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/cred.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/cred.c 2011-02-12 11:03:34.000000000 -0500 +@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void) + #endif + + atomic_set(&new->usage, 1); ++#ifdef CONFIG_DEBUG_CREDENTIALS ++ new->magic = CRED_MAGIC; ++#endif + + if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) + goto error; + +-#ifdef CONFIG_DEBUG_CREDENTIALS +- new->magic = CRED_MAGIC; +-#endif + return new; + + error: @@ -483,6 +483,8 @@ int commit_creds(struct cred *new) get_cred(new); /* we will require a ref for the subj creds too */ @@ -49332,6 +49426,37 @@ diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c /* dumpability changes */ if (old->euid != new->euid || old->egid != new->egid || +@@ -657,6 +659,8 @@ struct cred *prepare_kernel_cred(struct + validate_creds(old); + + *new = *old; ++ atomic_set(&new->usage, 1); ++ set_cred_subscribers(new, 0); + get_uid(new->user); + get_group_info(new->group_info); + +@@ -674,8 +678,6 @@ struct cred *prepare_kernel_cred(struct + if (security_prepare_creds(new, old, GFP_KERNEL) < 0) + goto error; + +- atomic_set(&new->usage, 1); +- set_cred_subscribers(new, 0); + put_cred(old); + validate_creds(new); + return new; +@@ -748,7 +750,11 @@ bool creds_are_invalid(const struct cred + if (cred->magic != CRED_MAGIC) + return true; + #ifdef CONFIG_SECURITY_SELINUX +- if (selinux_is_enabled()) { ++ /* ++ * cred->security == NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ if (selinux_is_enabled() && cred->security) { + if ((unsigned long) cred->security < PAGE_SIZE) + return true; + if ((*(u32 *)cred->security & 0xffffff00) == diff -urNp linux-2.6.37/kernel/debug/debug_core.c linux-2.6.37/kernel/debug/debug_core.c --- linux-2.6.37/kernel/debug/debug_core.c 2011-01-04 19:50:19.000000000 -0500 +++ linux-2.6.37/kernel/debug/debug_core.c 2011-01-17 02:41:02.000000000 -0500 @@ -50099,8 +50224,8 @@ diff -urNp linux-2.6.37/kernel/kallsyms.c linux-2.6.37/kernel/kallsyms.c reset_iter(iter, 0); diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c --- linux-2.6.37/kernel/kmod.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/kmod.c 2011-01-17 02:41:02.000000000 -0500 -@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch ++++ linux-2.6.37/kernel/kmod.c 2011-02-12 10:56:18.000000000 -0500 +@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch if (ret) return ret; @@ -50111,7 +50236,17 @@ diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c + auto-loaded + */ + if (current_uid()) { -+ gr_log_nonroot_mod_load(module_name); ++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE) ++ /* There are known knowns. These are things we know ++ that we know. There are known unknowns. That is to say, ++ there are things that we know we don't know. But there are ++ also unknown unknowns. There are things we don't know ++ we don't know. ++ This here is a known unknown. ++ */ ++ if (strcmp(module_name, "net-pf-10")) ++#endif ++ gr_log_nonroot_mod_load(module_name); + return -EPERM; + } +#endif @@ -50203,7 +50338,7 @@ diff -urNp linux-2.6.37/kernel/lockdep_proc.c linux-2.6.37/kernel/lockdep_proc.c if (!name) { diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c --- linux-2.6.37/kernel/module.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/module.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/module.c 2011-02-02 20:28:40.000000000 -0500 @@ -97,7 +97,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not /* Bounds of module allocation, for speeding __module_address. @@ -50241,6 +50376,15 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n", mod->name, align, PAGE_SIZE); align = PAGE_SIZE; +@@ -1122,7 +1123,7 @@ resolve_symbol_wait(struct module *mod, + */ + #ifdef CONFIG_SYSFS + +-#ifdef CONFIG_KALLSYMS ++#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM) + static inline bool sect_empty(const Elf_Shdr *sect) + { + return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0; @@ -1566,15 +1567,18 @@ static void free_module(struct module *m destroy_params(mod->kp, mod->num_kp); @@ -50461,10 +50605,8 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c + if (!ptr) { + module_free(mod, mod->module_init_rw); + module_free(mod, mod->module_core_rw); - return -ENOMEM; - } -- memset(ptr, 0, mod->init_size); -- mod->module_init = ptr; ++ return -ENOMEM; ++ } + + pax_open_kernel(); + memset(ptr, 0, mod->core_size_rx); @@ -50477,8 +50619,10 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c + module_free_exec(mod, mod->module_core_rx); + module_free(mod, mod->module_init_rw); + module_free(mod, mod->module_core_rw); -+ return -ENOMEM; -+ } + return -ENOMEM; + } +- memset(ptr, 0, mod->init_size); +- mod->module_init = ptr; + + pax_open_kernel(); + memset(ptr, 0, mod->init_size_rx); @@ -50893,7 +51037,7 @@ diff -urNp linux-2.6.37/kernel/printk.c linux-2.6.37/kernel/printk.c * at open time. diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c --- linux-2.6.37/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/ptrace.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/ptrace.c 2011-02-12 10:37:18.000000000 -0500 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru cred->gid != tcred->egid || cred->gid != tcred->sgid || @@ -50921,6 +51065,15 @@ diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c task->ptrace |= PT_PTRACE_CAP; __ptrace_link(task, current); +@@ -313,7 +313,7 @@ int ptrace_detach(struct task_struct *ch + child->exit_code = data; + dead = __ptrace_detach(current, child); + if (!child->exit_state) +- wake_up_process(child); ++ wake_up_state(child, TASK_TRACED | TASK_STOPPED); + } + write_unlock_irq(&tasklist_lock); + @@ -369,7 +369,7 @@ int ptrace_readdata(struct task_struct * break; return -EIO; @@ -51105,7 +51258,7 @@ diff -urNp linux-2.6.37/kernel/sched_fair.c linux-2.6.37/kernel/sched_fair.c struct rq *this_rq = cpu_rq(this_cpu); diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c --- linux-2.6.37/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/signal.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/signal.c 2011-02-12 11:22:39.000000000 -0500 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache int print_fatal_signals __read_mostly; @@ -51168,17 +51321,34 @@ diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t) { return send_signal(sig, info, t, 0); -@@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo * +@@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo * + unsigned long int flags; + int ret, blocked, ignored; + struct k_sigaction *action; ++ int is_unhandled = 0; + + spin_lock_irqsave(&t->sighand->siglock, flags); + action = &t->sighand->action[sig-1]; +@@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo * + } + if (action->sa.sa_handler == SIG_DFL) + t->signal->flags &= ~SIGNAL_UNKILLABLE; ++ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL) ++ is_unhandled = 1; ret = specific_send_sig_info(sig, info, t); spin_unlock_irqrestore(&t->sighand->siglock, flags); -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); -+ gr_handle_crash(t, sig); ++ /* only deal with unhandled signals, java etc trigger SIGSEGV during ++ normal operation */ ++ if (is_unhandled) { ++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); ++ gr_handle_crash(t, sig); ++ } + return ret; } -@@ -1137,8 +1146,11 @@ int group_send_sig_info(int sig, struct +@@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct ret = check_kill_permission(sig, info, p); rcu_read_unlock(); @@ -53219,7 +53389,7 @@ diff -urNp linux-2.6.37/mm/mlock.c linux-2.6.37/mm/mlock.c ret = do_mlockall(flags); diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c --- linux-2.6.37/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/mm/mmap.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/mm/mmap.c 2011-02-12 11:36:29.000000000 -0500 @@ -45,6 +45,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -53442,12 +53612,13 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (addr & ~PAGE_MASK) return addr; -@@ -1016,6 +1093,31 @@ unsigned long do_mmap_pgoff(struct file +@@ -1016,6 +1093,36 @@ unsigned long do_mmap_pgoff(struct file vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) { + gr_log_rwxmmap(file); + @@ -53461,6 +53632,10 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c + + if (!(vm_flags & VM_EXEC)) + vm_flags &= ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &= ~VM_MAYWRITE; + } @@ -53474,7 +53649,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1027,6 +1129,7 @@ unsigned long do_mmap_pgoff(struct file +@@ -1027,6 +1134,7 @@ unsigned long do_mmap_pgoff(struct file locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; @@ -53482,7 +53657,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1097,6 +1200,9 @@ unsigned long do_mmap_pgoff(struct file +@@ -1097,6 +1205,9 @@ unsigned long do_mmap_pgoff(struct file if (error) return error; @@ -53492,7 +53667,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1174,10 +1280,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar +@@ -1174,10 +1285,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -53505,7 +53680,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return 0; /* The backer wishes to know when pages are first written to? */ -@@ -1226,14 +1332,24 @@ unsigned long mmap_region(struct file *f +@@ -1226,14 +1337,24 @@ unsigned long mmap_region(struct file *f unsigned long charged = 0; struct inode *inode = file ? file->f_path.dentry->d_inode : NULL; @@ -53532,7 +53707,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c } /* Check against address space limit. */ -@@ -1282,6 +1398,16 @@ munmap_back: +@@ -1282,6 +1403,16 @@ munmap_back: goto unacct_error; } @@ -53549,7 +53724,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; -@@ -1305,6 +1431,19 @@ munmap_back: +@@ -1305,6 +1436,19 @@ munmap_back: error = file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -53569,7 +53744,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); -@@ -1340,6 +1479,11 @@ munmap_back: +@@ -1340,6 +1484,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file = vma->vm_file; @@ -53581,7 +53756,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1348,6 +1492,7 @@ out: +@@ -1348,6 +1497,7 @@ out: mm->total_vm += len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -53589,7 +53764,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (vm_flags & VM_LOCKED) { if (!mlock_vma_pages_range(vma, addr, addr + len)) mm->locked_vm += (len >> PAGE_SHIFT); -@@ -1365,6 +1510,12 @@ unmap_and_free_vma: +@@ -1365,6 +1515,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged = 0; free_vma: @@ -53602,7 +53777,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1372,6 +1523,33 @@ unacct_error: +@@ -1372,6 +1528,33 @@ unacct_error: return error; } @@ -53636,7 +53811,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* Get an address range which is currently unmapped. * For shmat() with addr=0. * -@@ -1398,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp +@@ -1398,18 +1581,23 @@ arch_get_unmapped_area(struct file *filp if (flags & MAP_FIXED) return addr; @@ -53667,7 +53842,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c } full_search: -@@ -1420,34 +1603,40 @@ full_search: +@@ -1420,34 +1608,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -53719,7 +53894,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c mm->free_area_cache = addr; mm->cached_hole_size = ~0UL; } -@@ -1465,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1465,7 +1659,7 @@ arch_get_unmapped_area_topdown(struct fi { struct vm_area_struct *vma; struct mm_struct *mm = current->mm; @@ -53728,7 +53903,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1474,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1474,13 +1668,18 @@ arch_get_unmapped_area_topdown(struct fi if (flags & MAP_FIXED) return addr; @@ -53751,7 +53926,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c } /* check if free_area_cache is useful for us */ -@@ -1495,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1495,7 +1694,7 @@ arch_get_unmapped_area_topdown(struct fi /* make sure it can fit in the remaining address space */ if (addr > len) { vma = find_vma(mm, addr-len); @@ -53760,7 +53935,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache = addr-len); } -@@ -1512,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1512,7 +1711,7 @@ arch_get_unmapped_area_topdown(struct fi * return with success: */ vma = find_vma(mm, addr); @@ -53769,7 +53944,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache = addr); -@@ -1531,13 +1725,21 @@ bottomup: +@@ -1531,13 +1730,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -53793,7 +53968,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c mm->cached_hole_size = ~0UL; return addr; -@@ -1546,6 +1748,12 @@ bottomup: +@@ -1546,6 +1753,12 @@ bottomup: void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -53806,7 +53981,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* * Is this a new hole at the highest possible address? */ -@@ -1553,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s +@@ -1553,8 +1766,10 @@ void arch_unmap_area_topdown(struct mm_s mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -53818,7 +53993,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c } unsigned long -@@ -1662,6 +1872,28 @@ out: +@@ -1662,6 +1877,28 @@ out: return prev ? prev->vm_next : vma; } @@ -53847,7 +54022,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -1678,6 +1910,7 @@ static int acct_stack_growth(struct vm_a +@@ -1678,6 +1915,7 @@ static int acct_stack_growth(struct vm_a return -ENOMEM; /* Stack limit test */ @@ -53855,7 +54030,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -1688,6 +1921,7 @@ static int acct_stack_growth(struct vm_a +@@ -1688,6 +1926,7 @@ static int acct_stack_growth(struct vm_a locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -53863,7 +54038,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1718,37 +1952,48 @@ static int acct_stack_growth(struct vm_a +@@ -1718,37 +1957,48 @@ static int acct_stack_growth(struct vm_a * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -53921,7 +54096,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c unsigned long size, grow; size = address - vma->vm_start; -@@ -1760,6 +2005,8 @@ int expand_upwards(struct vm_area_struct +@@ -1760,6 +2010,8 @@ int expand_upwards(struct vm_area_struct perf_event_mmap(vma); } } @@ -53930,7 +54105,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c vma_unlock_anon_vma(vma); return error; } -@@ -1772,6 +2019,8 @@ static int expand_downwards(struct vm_ar +@@ -1772,6 +2024,8 @@ static int expand_downwards(struct vm_ar unsigned long address) { int error; @@ -53939,7 +54114,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* * We must make sure the anon_vma is allocated -@@ -1785,6 +2034,15 @@ static int expand_downwards(struct vm_ar +@@ -1785,6 +2039,15 @@ static int expand_downwards(struct vm_ar if (error) return error; @@ -53955,7 +54130,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c vma_lock_anon_vma(vma); /* -@@ -1794,9 +2052,17 @@ static int expand_downwards(struct vm_ar +@@ -1794,9 +2057,17 @@ static int expand_downwards(struct vm_ar */ /* Somebody else might have raced and expanded it already */ @@ -53974,7 +54149,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -1804,10 +2070,21 @@ static int expand_downwards(struct vm_ar +@@ -1804,10 +2075,21 @@ static int expand_downwards(struct vm_ar if (!error) { vma->vm_start = address; vma->vm_pgoff -= grow; @@ -53996,7 +54171,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return error; } -@@ -1881,6 +2158,13 @@ static void remove_vma_list(struct mm_st +@@ -1881,6 +2163,13 @@ static void remove_vma_list(struct mm_st do { long nrpages = vma_pages(vma); @@ -54010,7 +54185,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c mm->total_vm -= nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma = remove_vma(vma); -@@ -1926,6 +2210,16 @@ detach_vmas_to_be_unmapped(struct mm_str +@@ -1926,6 +2215,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -54027,7 +54202,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -1954,14 +2248,33 @@ static int __split_vma(struct mm_struct +@@ -1954,14 +2253,33 @@ static int __split_vma(struct mm_struct struct vm_area_struct *new; int err = -ENOMEM; @@ -54061,7 +54236,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -1974,6 +2287,22 @@ static int __split_vma(struct mm_struct +@@ -1974,6 +2292,22 @@ static int __split_vma(struct mm_struct new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -54084,7 +54259,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -1999,6 +2328,42 @@ static int __split_vma(struct mm_struct +@@ -1999,6 +2333,42 @@ static int __split_vma(struct mm_struct else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -54127,7 +54302,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* Success. */ if (!err) return 0; -@@ -2011,10 +2376,18 @@ static int __split_vma(struct mm_struct +@@ -2011,10 +2381,18 @@ static int __split_vma(struct mm_struct removed_exe_file_vma(mm); fput(new->vm_file); } @@ -54147,7 +54322,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2027,6 +2400,15 @@ static int __split_vma(struct mm_struct +@@ -2027,6 +2405,15 @@ static int __split_vma(struct mm_struct int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -54163,7 +54338,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2038,11 +2420,30 @@ int split_vma(struct mm_struct *mm, stru +@@ -2038,11 +2425,30 @@ int split_vma(struct mm_struct *mm, stru * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ @@ -54194,7 +54369,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2116,6 +2517,8 @@ int do_munmap(struct mm_struct *mm, unsi +@@ -2116,6 +2522,8 @@ int do_munmap(struct mm_struct *mm, unsi /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -54203,7 +54378,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return 0; } -@@ -2128,22 +2531,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a +@@ -2128,22 +2536,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a profile_munmap(addr); @@ -54232,7 +54407,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2157,6 +2556,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2157,6 +2561,7 @@ unsigned long do_brk(unsigned long addr, struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -54240,7 +54415,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c len = PAGE_ALIGN(len); if (!len) -@@ -2168,16 +2568,30 @@ unsigned long do_brk(unsigned long addr, +@@ -2168,16 +2573,30 @@ unsigned long do_brk(unsigned long addr, flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; @@ -54272,7 +54447,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2194,22 +2608,22 @@ unsigned long do_brk(unsigned long addr, +@@ -2194,22 +2613,22 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ @@ -54299,7 +54474,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2223,7 +2637,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2223,7 +2642,7 @@ unsigned long do_brk(unsigned long addr, */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -54308,7 +54483,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return -ENOMEM; } -@@ -2237,11 +2651,12 @@ unsigned long do_brk(unsigned long addr, +@@ -2237,11 +2656,12 @@ unsigned long do_brk(unsigned long addr, vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -54323,7 +54498,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return addr; } -@@ -2288,8 +2703,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2288,8 +2708,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -54335,7 +54510,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2303,6 +2720,13 @@ int insert_vm_struct(struct mm_struct * +@@ -2303,6 +2725,13 @@ int insert_vm_struct(struct mm_struct * struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; @@ -54349,7 +54524,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2325,7 +2749,22 @@ int insert_vm_struct(struct mm_struct * +@@ -2325,7 +2754,22 @@ int insert_vm_struct(struct mm_struct * if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -54372,7 +54547,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c return 0; } -@@ -2343,6 +2782,8 @@ struct vm_area_struct *copy_vma(struct v +@@ -2343,6 +2787,8 @@ struct vm_area_struct *copy_vma(struct v struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; @@ -54381,7 +54556,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2392,6 +2833,39 @@ struct vm_area_struct *copy_vma(struct v +@@ -2392,6 +2838,39 @@ struct vm_area_struct *copy_vma(struct v kmem_cache_free(vm_area_cachep, new_vma); return NULL; } @@ -54421,7 +54596,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c /* * Return true if the calling process may expand its vm space by the passed -@@ -2403,7 +2877,7 @@ int may_expand_vm(struct mm_struct *mm, +@@ -2403,7 +2882,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long lim; lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -54430,16 +54605,21 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c if (cur + npages > lim) return 0; return 1; -@@ -2474,6 +2948,17 @@ int install_special_mapping(struct mm_st +@@ -2474,6 +2953,22 @@ int install_special_mapping(struct mm_st vma->vm_start = addr; vma->vm_end = addr + len; +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) + return -EPERM; + if (!(vm_flags & VM_EXEC)) + vm_flags &= ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &= ~VM_MAYWRITE; + } @@ -57966,8 +58146,8 @@ diff -urNp linux-2.6.37/security/integrity/ima/ima_queue.c linux-2.6.37/security return 0; diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig --- linux-2.6.37/security/Kconfig 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/security/Kconfig 2011-01-17 02:41:02.000000000 -0500 -@@ -4,6 +4,509 @@ ++++ linux-2.6.37/security/Kconfig 2011-02-12 11:32:56.000000000 -0500 +@@ -4,6 +4,527 @@ menu "Security options" @@ -58213,6 +58393,24 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig + NOTE: you can use the 'chpax' or 'paxctl' utilities to control + this feature on a per file basis. + ++config PAX_MPROTECT_COMPAT ++ bool "Use legacy/compat protection demoting (read help)" ++ depends on PAX_MPROTECT ++ default n ++ help ++ The current implementation of PAX_MPROTECT denies RWX allocations/mprotects ++ by sending the proper error code to the application. For some broken ++ userland, this can cause problems with Python or other applications. The ++ current implementation however allows for applications like clamav to ++ detect if JIT compilation/execution is allowed and to fall back gracefully ++ to an interpreter-based mode if it does not. While we encourage everyone ++ to use the current implementation as-is and push upstream to fix broken ++ userland (note that the RWX logging option can assist with this), in some ++ environments this may not be possible. Having to disable MPROTECT ++ completely on certain binaries reduces the security benefit of PaX, ++ so this option is provided for those environments to revert to the old ++ behavior. ++ +config PAX_ELFRELOCS + bool "Allow ELF text relocations (read help)" + depends on PAX_MPROTECT @@ -58477,7 +58675,7 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig config KEYS bool "Enable access key retention support" help -@@ -136,7 +639,7 @@ config INTEL_TXT +@@ -136,7 +657,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX @@ -58507,7 +58705,7 @@ diff -urNp linux-2.6.37/security/min_addr.c linux-2.6.37/security/min_addr.c /* diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c --- linux-2.6.37/security/security.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/security/security.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/security/security.c 2011-02-12 10:36:34.000000000 -0500 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI /* things that live in capability.c */ extern void __init security_fixup_ops(struct security_operations *ops); @@ -58529,9 +58727,22 @@ diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c } /* Save user chosen LSM */ +@@ -154,10 +156,9 @@ int security_capset(struct cred *new, co + effective, inheritable, permitted); + } + +-int security_capable(int cap) ++int security_capable(const struct cred *cred, int cap) + { +- return security_ops->capable(current, current_cred(), cap, +- SECURITY_CAP_AUDIT); ++ return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT); + } + + int security_real_capable(struct task_struct *tsk, int cap) diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/hooks.c --- linux-2.6.37/security/selinux/hooks.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/security/selinux/hooks.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/security/selinux/hooks.c 2011-02-12 11:02:14.000000000 -0500 @@ -90,7 +90,6 @@ #define NUM_SEL_MNT_OPTS 5 @@ -58540,7 +58751,20 @@ diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/h /* SECMARK reference count */ atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); -@@ -5388,7 +5387,7 @@ static int selinux_key_getsecurity(struc +@@ -3195,7 +3194,11 @@ static void selinux_cred_free(struct cre + { + struct task_security_struct *tsec = cred->security; + +- BUG_ON((unsigned long) cred->security < PAGE_SIZE); ++ /* ++ * cred->security == NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); + cred->security = (void *) 0x7UL; + kfree(tsec); + } +@@ -5388,7 +5391,7 @@ static int selinux_key_getsecurity(struc #endif |