Diffstat (limited to '2.6.38/4425_grsec-pax-without-grsec.patch')
-rw-r--r-- | 2.6.38/4425_grsec-pax-without-grsec.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/2.6.38/4425_grsec-pax-without-grsec.patch b/2.6.38/4425_grsec-pax-without-grsec.patch
new file mode 100644
index 0000000..e0d6119
--- /dev/null
+++ b/2.6.38/4425_grsec-pax-without-grsec.patch
@@ -0,0 +1,92 @@
+From: Jory Pratt <anarchy@gentoo.org>
+Updated patch for kernel 2.6.32
+
+The credits/description from the original version of this patch remain accurate
+and are included below.
+--
+From: Gordon Malm <gengor@gentoo.org>
+
+Allow PaX options to be selected without first selecting CONFIG_GRKERNSEC.
+
+This patch has been updated to keep current with newer kernel versions.
+The original version of this patch contained no credits/description.
+
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -647,10 +647,12 @@
+
+ #ifdef CONFIG_PAX_KERNEXEC
+ if (init_mm.start_code <= address && address < init_mm.end_code) {
++#ifdef CONFIG_GRKERNSEC
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
+ ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
+ else
++#endif
+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
+ current->comm, task_pid_nr(current), current_uid(), current_euid());
+ }
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1837,9 +1837,11 @@
+ }
+ up_read(&mm->mmap_sem);
+ }
++#ifdef CONFIG_GRKERNSEC
+ if (tsk->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
+ else
++#endif
+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
+@@ -1854,10 +1856,12 @@
+ #ifdef CONFIG_PAX_REFCOUNT
+ void pax_report_refcount_overflow(struct pt_regs *regs)
+ {
++#ifdef CONFIG_GRKERNSEC
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
+ ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
+ else
++#endif
+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
+ current->comm, task_pid_nr(current), current_uid(), current_euid());
+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
+@@ -1917,10 +1921,12 @@
+
+ void pax_report_leak_to_user(const void *ptr, unsigned long len)
+ {
++#ifdef CONFIG_GRKERNSEC
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
+ ¤t->signal->curr_ip, ptr, len);
+ else
++#endif
+ printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
+ dump_stack();
+ do_group_exit(SIGKILL);
+@@ -1928,10 +1934,12 @@
+
+ void pax_report_overflow_from_user(const void *ptr, unsigned long len)
+ {
++#ifdef CONFIG_GRKERNSEC
+ if (current->signal->curr_ip)
+ printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
+ ¤t->signal->curr_ip, ptr, len);
+ else
++#endif
+ printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
+ dump_stack();
+ do_group_exit(SIGKILL);
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -26,7 +26,7 @@
+
+ config PAX
+ bool "Enable various PaX features"
+- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
++ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
+ help
+ This allows you to enable various PaX features. PaX adds
+ intrusion prevention mechanisms to the kernel that reduce |
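Review bot: Each of the five added `#ifdef CONFIG_GRKERNSEC` guards (one in arch/x86/mm/fault.c, four in fs/exec.c) closes on a bare `else` just before `#endif`, so the unbraced `printk` after it is the else-branch with GRKERNSEC and an unconditional statement without it; a line later inserted between `#endif` and that `printk` would change behaviour in only one configuration. A comment at each site such as `/* curr_ip is only usable with CONFIG_GRKERNSEC; the printk below is the else-branch when it is set */` (assuming that is what the guard implies) would make this explicit, and wrapping the trailing `printk` in braces would be sturdier. For log monitoring, kernels built with PaX but without GRKERNSEC never emit the `PAX: From %pI4:` form, so detection rules should match the plain `PAX:` prefix as well and should not expect a source address. The header line `Updated patch for kernel 2.6.32` looks stale for a file added under `2.6.38/`. All of the patched functions start or end outside the inner hunks shown.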