* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.30/, 3.5.5/
@ 2012-10-09  3:08 Anthony G. Basile
From: Anthony G. Basile @ 2012-10-09  3:08 UTC (permalink / raw
  To: gentoo-commits

commit:     f3b586a8eabe83219c8eefb0ed30dcd725aa5efc
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Oct  9 03:07:16 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Oct  9 03:07:16 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f3b586a8

Grsec/PaX: 2.9.1-{2.6.32.59,3.2.30,3.5.5}-201210070828

---
 2.6.32/0000_README                                 |    2 +-
 ..._grsecurity-2.9.1-2.6.32.59-201210070827.patch} |  126 +++++++++++++-------
 3.2.30/0000_README                                 |    2 +-
 ...420_grsecurity-2.9.1-3.2.30-201210070828.patch} |  130 +++++++++++++-------
 3.5.5/0000_README                                  |    2 +-
 ...4420_grsecurity-2.9.1-3.5.5-201210070828.patch} |  128 +++++++++++++-------
 6 files changed, 258 insertions(+), 132 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 2cf0326..42845f1 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch:	1058_linux-2.6.32.59.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch
index 675d03a..d90002f 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch
@@ -189,10 +189,20 @@ index e1efc40..3569a2f 100644
  zconf.hash.c
 +zoffset.h
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index c840e7d..30f0efe 100644
+index c840e7d..0f7d099 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
-@@ -856,6 +856,12 @@ and is between 256 and 4096 characters. It is defined in the file
+@@ -806,6 +806,9 @@ and is between 256 and 4096 characters. It is defined in the file
+ 	gpt		[EFI] Forces disk with valid GPT signature but
+ 			invalid Protective MBR to be treated as GPT.
+ 
++	grsec_proc_gid=	[GRKERNSEC_PROC_USERGROUP] Chooses GID to
++			ignore grsecurity's /proc restrictions
++
+ 	gvp11=		[HW,SCSI]
+ 
+ 	hashdist=	[KNL,NUMA] Large hashes allocated during boot
+@@ -856,6 +859,12 @@ and is between 256 and 4096 characters. It is defined in the file
  			       If specified, z/VM IUCV HVC accepts connections
  			       from listed z/VM user IDs only.
  
@@ -205,7 +215,7 @@ index c840e7d..30f0efe 100644
  	i2c_bus=	[HW] Override the default board specific I2C bus speed
  			     or register an additional I2C bus that is not
  			     registered from board initialization code.
-@@ -1725,6 +1731,11 @@ and is between 256 and 4096 characters. It is defined in the file
+@@ -1725,6 +1734,11 @@ and is between 256 and 4096 characters. It is defined in the file
  
  	noresidual	[PPC] Don't use residual data on PReP machines.
  
@@ -217,7 +227,7 @@ index c840e7d..30f0efe 100644
  	noresume	[SWSUSP] Disables resume and restores original swap
  			space.
  
-@@ -1837,6 +1848,13 @@ and is between 256 and 4096 characters. It is defined in the file
+@@ -1837,6 +1851,13 @@ and is between 256 and 4096 characters. It is defined in the file
  			the specified number of seconds.  This is to be used if
  			your oopses keep scrolling off the screen.
  
@@ -74831,7 +74841,7 @@ index c5ef152..28c94f7 100644
 +}
 +#endif
 diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 67f7dc0..071d058 100644
+index 67f7dc0..a6663de 100644
 --- a/fs/proc/base.c
 +++ b/fs/proc/base.c
 @@ -102,6 +102,22 @@ struct pid_entry {
@@ -75106,7 +75116,7 @@ index 67f7dc0..071d058 100644
  		cred = __task_cred(task);
  		inode->i_uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++		inode->i_gid = grsec_proc_gid;
 +#else
  		inode->i_gid = cred->egid;
 +#endif
@@ -75138,7 +75148,7 @@ index 67f7dc0..071d058 100644
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +		if (!tmpcred->uid || (tmpcred->uid == cred->uid)
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		    || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++		    || in_group_p(grsec_proc_gid)
 +#endif
 +		) {
 +#endif
@@ -75152,7 +75162,7 @@ index 67f7dc0..071d058 100644
 -			cred = __task_cred(task);
  			stat->uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++			stat->gid = grsec_proc_gid;
 +#else
  			stat->gid = cred->egid;
 +#endif
@@ -75180,7 +75190,7 @@ index 67f7dc0..071d058 100644
  			cred = __task_cred(task);
  			inode->i_uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++			inode->i_gid = grsec_proc_gid;
 +#else
  			inode->i_gid = cred->egid;
 +#endif
@@ -75348,7 +75358,7 @@ index 67f7dc0..071d058 100644
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++	inode->i_gid = grsec_proc_gid;
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
 +#else
  	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
@@ -75392,7 +75402,7 @@ index 67f7dc0..071d058 100644
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +		    || (tmpcred->uid && (itercred->uid != tmpcred->uid)
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++			&& !in_group_p(grsec_proc_gid)
 +#endif
 +			)
 +#endif
@@ -75464,7 +75474,7 @@ index 59ee7da..469b4b6 100644
  }
  module_init(proc_devices_init);
 diff --git a/fs/proc/inode.c b/fs/proc/inode.c
-index d78ade3..81767f9 100644
+index d78ade3..6820c1b 100644
 --- a/fs/proc/inode.c
 +++ b/fs/proc/inode.c
 @@ -18,12 +18,19 @@
@@ -75506,7 +75516,7 @@ index d78ade3..81767f9 100644
  			inode->i_mode = de->mode;
  			inode->i_uid = de->uid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++			inode->i_gid = grsec_proc_gid;
 +#else
  			inode->i_gid = de->gid;
 +#endif
@@ -75683,7 +75693,7 @@ index 9fe7d7e..cdb62c9 100644
  
  	seq_putc(m, '\n');
 diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index 04d1270..25e1173 100644
+index 04d1270..ca49aa3 100644
 --- a/fs/proc/proc_net.c
 +++ b/fs/proc/proc_net.c
 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(struct inode *dir)
@@ -75698,7 +75708,7 @@ index 04d1270..25e1173 100644
 +	if (cred->fsuid)
 +		return net;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++	if (cred->fsuid && !in_group_p(grsec_proc_gid))
 +		return net;
 +#endif
  
@@ -77237,10 +77247,10 @@ index 8f32f50..5db8d65 100644
  		link[pathlen] = '\0';
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..bbbfa1c
+index 0000000..5012f34
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,940 @@
+@@ -0,0 +1,946 @@
 +#
 +# grecurity configuration
 +#
@@ -77487,7 +77497,8 @@ index 0000000..bbbfa1c
 +	  able to view all processes and network-related information.  If you've
 +	  enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
 +	  remain hidden.  This option is useful if you want to run identd as
-+	  a non-root user.
++	  a non-root user.  The group you select may also be chosen at boot time
++	  via "grsec_proc_gid=" on the kernel commandline.
 +
 +config GRKERNSEC_PROC_GID
 +	int "GID for special group"
@@ -77976,7 +77987,12 @@ index 0000000..bbbfa1c
 +	  entry will default to on for backward-compatibility.
 +
 +config GRKERNSEC_TPE_GID
-+	int "GID for untrusted users"
++	int
++	default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
++	default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
++	
++config GRKERNSEC_TPE_UNTRUSTED_GID
++	int "GID for TPE-untrusted users"
 +	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
 +	default 1005
 +	help
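Review bot: The new promptless `config GRKERNSEC_TPE_GID` (the `int` line followed by two conditional `default` lines) has no `depends on`, so when GRKERNSEC_TPE is disabled the symbol still exists but no default applies; it is worth confirming that CONFIG_GRKERNSEC_TPE_GID is only referenced under a CONFIG_GRKERNSEC_TPE guard, and adding `depends on GRKERNSEC_TPE` would make the intent explicit rather than relying on that. The blank line after the second `default` carries a stray tab (`++	`) and should be empty. The surrounding grsecurity/Kconfig content continues outside the hunk.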
@@ -77984,8 +78000,8 @@ index 0000000..bbbfa1c
 +	  *enabled* for.  If the sysctl option is enabled, a sysctl option
 +	  with name "tpe_gid" is created.
 +
-+config GRKERNSEC_TPE_GID
-+	int "GID for trusted users"
++config GRKERNSEC_TPE_TRUSTED_GID
++	int "GID for TPE-trusted users"
 +	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
 +	default 1005
 +	help
@@ -78227,7 +78243,7 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..af10280
+index 0000000..7724cb1
 --- /dev/null
 +++ b/grsecurity/gracl.c
 @@ -0,0 +1,4175 @@
@@ -82289,7 +82305,7 @@ index 0000000..af10280
 +		if (cred->uid != 0)
 +			ret = -EACCES;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
++		if (cred->uid != 0 && !groups_search(cred->group_info, grsec_proc_gid))
 +			ret = -EACCES;
 +#endif
 +#endif
@@ -89879,10 +89895,10 @@ index 0000000..ac88734
 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..29ccfc4
+index 0000000..d44d8a6
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,225 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -90094,6 +90110,11 @@ index 0000000..29ccfc4
 +
 +extern int grsec_enable_dmesg;
 +extern int grsec_disable_privio;
++
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++extern int grsec_proc_gid;
++#endif
++
 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
 +extern int grsec_enable_chroot_findtask;
 +#endif
@@ -93906,7 +93927,7 @@ index 1fd59b8..a01b079 100644
  	next_state = Reset;
  	return 0;
 diff --git a/init/main.c b/init/main.c
-index 1eb4bd5..da072fc 100644
+index 1eb4bd5..a2cb48e 100644
 --- a/init/main.c
 +++ b/init/main.c
 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void) { }
@@ -93917,10 +93938,20 @@ index 1eb4bd5..da072fc 100644
  
  enum system_states system_state __read_mostly;
  EXPORT_SYMBOL(system_state);
-@@ -183,6 +184,51 @@ static int __init set_reset_devices(char *str)
+@@ -183,6 +184,61 @@ static int __init set_reset_devices(char *str)
  
  __setup("reset_devices", set_reset_devices);
  
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;
++static int __init setup_grsec_proc_gid(char *str)
++{
++	grsec_proc_gid = (int)simple_strtol(str, NULL, 0);
++	return 1;
++}
++__setup("grsec_proc_gid=", setup_grsec_proc_gid);
++#endif
++
 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
 +extern char pax_enter_kernel_user[];
 +extern char pax_exit_kernel_user[];
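Review bot: setup_grsec_proc_gid() stores whatever simple_strtol() returns without checking it, so an empty or malformed `grsec_proc_gid=` silently sets the exempt group to GID 0, and a negative value becomes a large unsigned id once it is assigned to gid_t fields such as inode->i_gid or passed to in_group_p(). Because this value decides who may see other users' processes and network state under /proc, a parse failure should be rejected and the Kconfig default kept; strict_strtol() plus a range check does that on 2.6.32 (kstrtoint() is not available there). The variable is written once at boot and read on every /proc lookup, so it can also be marked `__read_mostly` like system_state a few lines above. The rest of init/main.c continues outside the hunk.
```c
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
int grsec_proc_gid __read_mostly = CONFIG_GRKERNSEC_PROC_GID;
static int __init setup_grsec_proc_gid(char *str)
{
	long gid;

	/* keep the Kconfig default on a malformed, negative or oversized value */
	if (strict_strtol(str, 0, &gid) || gid < 0 || gid > INT_MAX)
		printk(KERN_WARNING "grsec_proc_gid: ignoring invalid value \"%s\"\n", str);
	else
		grsec_proc_gid = (int)gid;
	return 1;
}
__setup("grsec_proc_gid=", setup_grsec_proc_gid);
#endif
```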
@@ -93969,7 +94000,7 @@ index 1eb4bd5..da072fc 100644
  static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
  char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
  static const char *panic_later, *panic_param;
-@@ -705,52 +751,53 @@ int initcall_debug;
+@@ -705,52 +761,53 @@ int initcall_debug;
  core_param(initcall_debug, initcall_debug, bool, 0644);
  
  static char msgbuf[64];
@@ -94039,7 +94070,7 @@ index 1eb4bd5..da072fc 100644
  }
  
  
-@@ -760,9 +807,15 @@ static void __init do_initcalls(void)
+@@ -760,9 +817,15 @@ static void __init do_initcalls(void)
  {
  	initcall_t *call;
  
@@ -94056,7 +94087,7 @@ index 1eb4bd5..da072fc 100644
  	/* Make sure there is no pending stuff from the initcall sequence */
  	flush_scheduled_work();
  }
-@@ -790,8 +843,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -790,8 +853,14 @@ static void __init do_pre_smp_initcalls(void)
  {
  	initcall_t *call;
  
@@ -94072,7 +94103,7 @@ index 1eb4bd5..da072fc 100644
  }
  
  static void run_init_process(char *init_filename)
-@@ -893,11 +952,13 @@ static int __init kernel_init(void * unused)
+@@ -893,11 +962,13 @@ static int __init kernel_init(void * unused)
  	if (!ramdisk_execute_command)
  		ramdisk_execute_command = "/init";
  
@@ -95425,7 +95456,7 @@ index fb98c9f..f8c336d 100644
  		futex_cmpxchg_enabled = 1;
  
 diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
-index 2357165..eb25501 100644
+index 2357165..eb25501b 100644
 --- a/kernel/futex_compat.c
 +++ b/kernel/futex_compat.c
 @@ -10,6 +10,7 @@
@@ -109644,10 +109675,10 @@ index d52f7a0..b66cdd9 100755
  		rm -f tags
  		xtags ctags
 diff --git a/security/Kconfig b/security/Kconfig
-index fb363cd..19e2105 100644
+index fb363cd..0e9112e 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,879 @@
+@@ -4,6 +4,890 @@
  
  menu "Security options"
  
@@ -109843,18 +109874,29 @@ index fb363cd..19e2105 100644
 +	  Setting this GID determines which group will be exempted from
 +	  grsecurity's /proc restrictions, allowing users of the specified
 +	  group  to view network statistics and the existence of other users'
-+	  processes on the system.
++	  processes on the system.  This GID may also be chosen at boot time
++	  via "grsec_proc_gid=" on the kernel commandline.
 +
-+config GRKERNSEC_TPE_GID
-+	int "GID for untrusted users"
-+	depends on GRKERNSEC_CONFIG_SERVER
-+	default 1005
-+	help
++config GRKERNSEC_TPE_UNTRUSTED_GID
++        int "GID for TPE-untrusted users"
++        depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
++        default 1005
++        help
 +	  Setting this GID determines which group untrusted users should
 +	  be added to.  These users will be placed under grsecurity's Trusted Path
 +	  Execution mechanism, preventing them from executing their own binaries.
 +	  The users will only be able to execute binaries in directories owned and
-+	  writable only by the root user.
++	  writable only by the root user.  If the sysctl option is enabled, a sysctl
++	  option with name "tpe_gid" is created.
++
++config GRKERNSEC_TPE_TRUSTED_GID
++        int "GID for TPE-trusted users"
++        depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
++        default 1005
++        help
++          Setting this GID determines what group TPE restrictions will be
++          *disabled* for.  If the sysctl option is enabled, a sysctl option
++          with name "tpe_gid" is created.
 +
 +config GRKERNSEC_SYMLINKOWN_GID
 +        int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
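Review bot: The two new entries GRKERNSEC_TPE_UNTRUSTED_GID and GRKERNSEC_TPE_TRUSTED_GID indent their `int`, `depends on`, `default` and `help` lines (and the whole TRUSTED_GID help body) with eight spaces, while the UNTRUSTED_GID help body and the GRKERNSEC_PROC_GID entry just above use tabs; the mixed indentation inside one entry should be normalised to tabs to match the file. The same two symbols are also defined in grsecurity/Kconfig in this patch with a narrower `depends on`, and kconfig merges both definitions, so the prompts and help here should be kept consistent with that file if either is changed again.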
@@ -110527,7 +110569,7 @@ index fb363cd..19e2105 100644
  config KEYS
  	bool "Enable access key retention support"
  	help
-@@ -146,7 +1019,7 @@ config INTEL_TXT
+@@ -146,7 +1030,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX

diff --git a/3.2.30/0000_README b/3.2.30/0000_README
index b35474f..69b9c98 100644
--- a/3.2.30/0000_README
+++ b/3.2.30/0000_README
@@ -38,7 +38,7 @@ Patch:	1029_linux-3.2.30.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.30
 
-Patch:	4420_grsecurity-2.9.1-3.2.30-201210022019.patch
+Patch:	4420_grsecurity-2.9.1-3.2.30-201210070828.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210022019.patch b/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210070828.patch
similarity index 99%
rename from 3.2.30/4420_grsecurity-2.9.1-3.2.30-201210022019.patch
rename to 3.2.30/4420_grsecurity-2.9.1-3.2.30-201210070828.patch
index 7913a68..431e878 100644
--- a/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210022019.patch
+++ b/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210070828.patch
@@ -194,10 +194,20 @@ index dfa6fc6..65f7dbe 100644
 +zconf.lex.c
  zoffset.h
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 81c287f..d456d02 100644
+index 81c287f..8c5ad74 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
-@@ -1935,6 +1935,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -848,6 +848,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ 	gpt		[EFI] Forces disk with valid GPT signature but
+ 			invalid Protective MBR to be treated as GPT.
+ 
++	grsec_proc_gid=	[GRKERNSEC_PROC_USERGROUP] Chooses GID to
++			ignore grsecurity's /proc restrictions
++
+ 	hashdist=	[KNL,NUMA] Large hashes allocated during boot
+ 			are distributed across NUMA nodes.  Defaults on
+ 			for 64-bit NUMA, off otherwise.
+@@ -1935,6 +1938,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
  			the specified number of seconds.  This is to be used if
  			your oopses keep scrolling off the screen.
  
@@ -49395,7 +49405,7 @@ index 3a1dafd..dbcf51d 100644
 +}
 +#endif
 diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 1ace83d..afa2ac0 100644
+index 1ace83d..a2bc635 100644
 --- a/fs/proc/base.c
 +++ b/fs/proc/base.c
 @@ -107,6 +107,22 @@ struct pid_entry {
@@ -49738,7 +49748,7 @@ index 1ace83d..afa2ac0 100644
  		cred = __task_cred(task);
  		inode->i_uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++		inode->i_gid = grsec_proc_gid;
 +#else
  		inode->i_gid = cred->egid;
 +#endif
@@ -49770,7 +49780,7 @@ index 1ace83d..afa2ac0 100644
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +		if (!tmpcred->uid || (tmpcred->uid == cred->uid)
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		    || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++		    || in_group_p(grsec_proc_gid)
 +#endif
 +		) {
 +#endif
@@ -49784,7 +49794,7 @@ index 1ace83d..afa2ac0 100644
 -			cred = __task_cred(task);
  			stat->uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++			stat->gid = grsec_proc_gid;
 +#else
  			stat->gid = cred->egid;
 +#endif
@@ -49812,7 +49822,7 @@ index 1ace83d..afa2ac0 100644
  			cred = __task_cred(task);
  			inode->i_uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++			inode->i_gid = grsec_proc_gid;
 +#else
  			inode->i_gid = cred->egid;
 +#endif
@@ -49921,7 +49931,7 @@ index 1ace83d..afa2ac0 100644
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++	inode->i_gid = grsec_proc_gid;
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
 +#else
  	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
@@ -49965,7 +49975,7 @@ index 1ace83d..afa2ac0 100644
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +		    || (tmpcred->uid && (itercred->uid != tmpcred->uid)
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++			&& !in_group_p(grsec_proc_gid)
 +#endif
 +			)
 +#endif
@@ -50037,7 +50047,7 @@ index b143471..bb105e5 100644
  }
  module_init(proc_devices_init);
 diff --git a/fs/proc/inode.c b/fs/proc/inode.c
-index 7737c54..7172574 100644
+index 7737c54..d155c87 100644
 --- a/fs/proc/inode.c
 +++ b/fs/proc/inode.c
 @@ -18,12 +18,18 @@
@@ -50078,7 +50088,7 @@ index 7737c54..7172574 100644
  			inode->i_mode = de->mode;
  			inode->i_uid = de->uid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++			inode->i_gid = grsec_proc_gid;
 +#else
  			inode->i_gid = de->gid;
 +#endif
@@ -50197,7 +50207,7 @@ index b1822dd..df622cb 100644
  
  	seq_putc(m, '\n');
 diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index f738024..876984a 100644
+index f738024..8e3f141 100644
 --- a/fs/proc/proc_net.c
 +++ b/fs/proc/proc_net.c
 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(struct inode *dir)
@@ -50212,7 +50222,7 @@ index f738024..876984a 100644
 +	if (cred->fsuid)
 +		return net;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++	if (cred->fsuid && !in_group_p(grsec_proc_gid))
 +		return net;
 +#endif
  
@@ -51257,10 +51267,10 @@ index 87323f1..dab9d00 100644
  	ip = issum ? mp->m_rsumip : mp->m_rbmip;
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..cb7b8ea
+index 0000000..ae8456d
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,941 @@
+@@ -0,0 +1,947 @@
 +#
 +# grecurity configuration
 +#
@@ -51505,10 +51515,11 @@ index 0000000..cb7b8ea
 +	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
 +	help
 +	  If you say Y here, you will be able to select a group that will be
-+          able to view all processes and network-related information.  If you've
-+          enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
-+          remain hidden.  This option is useful if you want to run identd as
-+          a non-root user.
++	  able to view all processes and network-related information.  If you've
++	  enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
++	  remain hidden.  This option is useful if you want to run identd as
++	  a non-root user.  The group you select may also be chosen at boot time
++	  via "grsec_proc_gid=" on the kernel commandline.
 +
 +config GRKERNSEC_PROC_GID
 +	int "GID for special group"
@@ -51997,7 +52008,12 @@ index 0000000..cb7b8ea
 +	  entry will default to on for backward-compatibility.
 +
 +config GRKERNSEC_TPE_GID
-+	int "GID for untrusted users"
++	int
++	default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
++	default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
++	
++config GRKERNSEC_TPE_UNTRUSTED_GID
++	int "GID for TPE-untrusted users"
 +	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
 +	default 1005
 +	help
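Review bot: The new promptless `config GRKERNSEC_TPE_GID` (the `int` line followed by two conditional `default` lines) has no `depends on`, so when GRKERNSEC_TPE is disabled the symbol still exists but no default applies; it is worth confirming that CONFIG_GRKERNSEC_TPE_GID is only referenced under a CONFIG_GRKERNSEC_TPE guard, and adding `depends on GRKERNSEC_TPE` would make the intent explicit rather than relying on that. The blank line after the second `default` carries a stray tab (`++	`) and should be empty. The surrounding grsecurity/Kconfig content continues outside the hunk.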
@@ -52005,8 +52021,8 @@ index 0000000..cb7b8ea
 +	  *enabled* for.  If the sysctl option is enabled, a sysctl option
 +	  with name "tpe_gid" is created.
 +
-+config GRKERNSEC_TPE_GID
-+	int "GID for trusted users"
++config GRKERNSEC_TPE_TRUSTED_GID
++	int "GID for TPE-trusted users"
 +	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
 +	default 1005
 +	help
@@ -52248,7 +52264,7 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..929fd63
+index 0000000..34026bb
 --- /dev/null
 +++ b/grsecurity/gracl.c
 @@ -0,0 +1,4190 @@
@@ -56325,7 +56341,7 @@ index 0000000..929fd63
 +		if (cred->uid != 0)
 +			ret = -EACCES;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
++		if (cred->uid != 0 && !groups_search(cred->group_info, grsec_proc_gid))
 +			ret = -EACCES;
 +#endif
 +#endif
@@ -63389,10 +63405,10 @@ index 0000000..54f4e85
 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..12bf493
+index 0000000..c14f3fb
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,230 @@
+@@ -0,0 +1,235 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -63614,6 +63630,11 @@ index 0000000..12bf493
 +
 +extern int grsec_enable_dmesg;
 +extern int grsec_disable_privio;
++
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++extern int grsec_proc_gid;
++#endif
++
 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
 +extern int grsec_enable_chroot_findtask;
 +#endif
@@ -67033,7 +67054,7 @@ index 2531811..040d4d4 100644
  	next_state = Reset;
  	return 0;
 diff --git a/init/main.c b/init/main.c
-index cb08fea2..b51973d 100644
+index cb08fea2..a290416 100644
 --- a/init/main.c
 +++ b/init/main.c
 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -67045,10 +67066,20 @@ index cb08fea2..b51973d 100644
  /*
   * Debug helper: via this flag we know that we are in 'early bootup code'
   * where only the boot processor is running with IRQ disabled.  This means
-@@ -149,6 +151,51 @@ static int __init set_reset_devices(char *str)
+@@ -149,6 +151,61 @@ static int __init set_reset_devices(char *str)
  
  __setup("reset_devices", set_reset_devices);
  
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;
++static int __init setup_grsec_proc_gid(char *str)
++{
++	grsec_proc_gid = (int)simple_strtol(str, NULL, 0);
++	return 1;
++}
++__setup("grsec_proc_gid=", setup_grsec_proc_gid);
++#endif
++
 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
 +extern char pax_enter_kernel_user[];
 +extern char pax_exit_kernel_user[];
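Review bot: setup_grsec_proc_gid() stores whatever simple_strtol() returns without checking it, so an empty or malformed `grsec_proc_gid=` silently sets the exempt group to GID 0, and a negative value becomes a large unsigned id once it is assigned to gid_t fields such as inode->i_gid or passed to in_group_p(). Because this value decides who may see other users' processes and network state under /proc, a parse failure should be rejected and the Kconfig default kept; kstrtoint() is available on 3.2 and reports trailing garbage and overflow, leaving only the sign to check. The variable is written once at boot and read on every /proc lookup, so it can also be marked `__read_mostly`. The rest of init/main.c continues outside the hunk.
```c
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
int grsec_proc_gid __read_mostly = CONFIG_GRKERNSEC_PROC_GID;
static int __init setup_grsec_proc_gid(char *str)
{
	int gid;

	/* keep the Kconfig default on a malformed or negative value */
	if (kstrtoint(str, 0, &gid) || gid < 0)
		printk(KERN_WARNING "grsec_proc_gid: ignoring invalid value \"%s\"\n", str);
	else
		grsec_proc_gid = gid;
	return 1;
}
__setup("grsec_proc_gid=", setup_grsec_proc_gid);
#endif
```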
@@ -67097,7 +67128,7 @@ index cb08fea2..b51973d 100644
  static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
  const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
  static const char *panic_later, *panic_param;
-@@ -678,6 +725,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -678,6 +735,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
  {
  	int count = preempt_count();
  	int ret;
@@ -67105,7 +67136,7 @@ index cb08fea2..b51973d 100644
  
  	if (initcall_debug)
  		ret = do_one_initcall_debug(fn);
-@@ -690,15 +738,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -690,15 +748,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
  		sprintf(msgbuf, "error code %d ", ret);
  
  	if (preempt_count() != count) {
@@ -67125,7 +67156,7 @@ index cb08fea2..b51973d 100644
  	}
  
  	return ret;
-@@ -711,8 +759,14 @@ static void __init do_initcalls(void)
+@@ -711,8 +769,14 @@ static void __init do_initcalls(void)
  {
  	initcall_t *fn;
  
@@ -67141,7 +67172,7 @@ index cb08fea2..b51973d 100644
  }
  
  /*
-@@ -738,8 +792,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -738,8 +802,14 @@ static void __init do_pre_smp_initcalls(void)
  {
  	initcall_t *fn;
  
@@ -67157,7 +67188,7 @@ index cb08fea2..b51973d 100644
  }
  
  static void run_init_process(const char *init_filename)
-@@ -821,7 +881,7 @@ static int __init kernel_init(void * unused)
+@@ -821,7 +891,7 @@ static int __init kernel_init(void * unused)
  	do_basic_setup();
  
  	/* Open the /dev/console on the rootfs, this should never fail */
@@ -67166,7 +67197,7 @@ index cb08fea2..b51973d 100644
  		printk(KERN_WARNING "Warning: unable to open an initial console.\n");
  
  	(void) sys_dup(0);
-@@ -834,11 +894,13 @@ static int __init kernel_init(void * unused)
+@@ -834,11 +904,13 @@ static int __init kernel_init(void * unused)
  	if (!ramdisk_execute_command)
  		ramdisk_execute_command = "/init";
  
@@ -81971,10 +82002,10 @@ index 38f6617..e70b72b 100755
  
  exuberant()
 diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..560318a 100644
+index 51bd5a0..77d3608 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,885 @@
+@@ -4,6 +4,896 @@
  
  menu "Security options"
  
@@ -82170,18 +82201,29 @@ index 51bd5a0..560318a 100644
 +	  Setting this GID determines which group will be exempted from
 +	  grsecurity's /proc restrictions, allowing users of the specified
 +	  group  to view network statistics and the existence of other users'
-+	  processes on the system.
++	  processes on the system.  This GID may also be chosen at boot time
++	  via "grsec_proc_gid=" on the kernel commandline.
 +
-+config GRKERNSEC_TPE_GID
-+	int "GID for untrusted users"
-+	depends on GRKERNSEC_CONFIG_SERVER
-+	default 1005
-+	help
++config GRKERNSEC_TPE_UNTRUSTED_GID
++        int "GID for TPE-untrusted users"
++        depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
++        default 1005
++        help
 +	  Setting this GID determines which group untrusted users should
 +	  be added to.  These users will be placed under grsecurity's Trusted Path
 +	  Execution mechanism, preventing them from executing their own binaries.
 +	  The users will only be able to execute binaries in directories owned and
-+	  writable only by the root user.
++	  writable only by the root user.  If the sysctl option is enabled, a sysctl
++	  option with name "tpe_gid" is created.
++
++config GRKERNSEC_TPE_TRUSTED_GID
++        int "GID for TPE-trusted users"
++        depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
++        default 1005
++        help
++          Setting this GID determines what group TPE restrictions will be
++          *disabled* for.  If the sysctl option is enabled, a sysctl option
++          with name "tpe_gid" is created.
 +
 +config GRKERNSEC_SYMLINKOWN_GID
 +        int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
@@ -82860,7 +82902,7 @@ index 51bd5a0..560318a 100644
  config KEYS
  	bool "Enable access key retention support"
  	help
-@@ -169,7 +1048,7 @@ config INTEL_TXT
+@@ -169,7 +1059,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX

diff --git a/3.5.5/0000_README b/3.5.5/0000_README
index dcb4431..95939b8 100644
--- a/3.5.5/0000_README
+++ b/3.5.5/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.9.1-3.5.5-201210022020.patch
+Patch:	4420_grsecurity-2.9.1-3.5.5-201210070828.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210022020.patch b/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210070828.patch
similarity index 99%
rename from 3.5.5/4420_grsecurity-2.9.1-3.5.5-201210022020.patch
rename to 3.5.5/4420_grsecurity-2.9.1-3.5.5-201210070828.patch
index 3e664a6..5345b72 100644
--- a/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210022020.patch
+++ b/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210070828.patch
@@ -224,10 +224,20 @@ index b4a898f..cd023f2 100644
 +zconf.lex.c
  zoffset.h
 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index a92c5eb..7530459 100644
+index a92c5eb..b91d3d5 100644
 --- a/Documentation/kernel-parameters.txt
 +++ b/Documentation/kernel-parameters.txt
-@@ -2051,6 +2051,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -905,6 +905,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ 	gpt		[EFI] Forces disk with valid GPT signature but
+ 			invalid Protective MBR to be treated as GPT.
+ 
++	grsec_proc_gid=	[GRKERNSEC_PROC_USERGROUP] Chooses GID to
++			ignore grsecurity's /proc restrictions
++
+ 	hashdist=	[KNL,NUMA] Large hashes allocated during boot
+ 			are distributed across NUMA nodes.  Defaults on
+ 			for 64-bit NUMA, off otherwise.
+@@ -2051,6 +2054,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
  			the specified number of seconds.  This is to be used if
  			your oopses keep scrolling off the screen.
  
@@ -48920,7 +48930,7 @@ index c1c207c..01ce725 100644
  static struct pid *
  get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
 diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 437195f..cd2210d 100644
+index 437195f..e1b6a2d 100644
 --- a/fs/proc/base.c
 +++ b/fs/proc/base.c
 @@ -110,6 +110,14 @@ struct pid_entry {
@@ -49040,7 +49050,7 @@ index 437195f..cd2210d 100644
 +
 +		if (!tmpcred->uid || (tmpcred->uid == cred->uid)
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			|| in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++			|| in_group_p(grsec_proc_gid)
 +#endif
 +		) {
 +			rcu_read_unlock();
@@ -49203,7 +49213,7 @@ index 437195f..cd2210d 100644
  		cred = __task_cred(task);
  		inode->i_uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++		inode->i_gid = grsec_proc_gid;
 +#else
  		inode->i_gid = cred->egid;
 +#endif
@@ -49223,7 +49233,7 @@ index 437195f..cd2210d 100644
  			cred = __task_cred(task);
  			stat->uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++			stat->gid = grsec_proc_gid;
 +#else
  			stat->gid = cred->egid;
 +#endif
@@ -49244,7 +49254,7 @@ index 437195f..cd2210d 100644
  			cred = __task_cred(task);
  			inode->i_uid = cred->euid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++			inode->i_gid = grsec_proc_gid;
 +#else
  			inode->i_gid = cred->egid;
 +#endif
@@ -49353,7 +49363,7 @@ index 437195f..cd2210d 100644
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++	inode->i_gid = grsec_proc_gid;
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
 +#else
  	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
@@ -49437,7 +49447,7 @@ index b143471..bb105e5 100644
  }
  module_init(proc_devices_init);
 diff --git a/fs/proc/inode.c b/fs/proc/inode.c
-index 7ac817b..abab1a5 100644
+index 7ac817b..c5c9eb0 100644
 --- a/fs/proc/inode.c
 +++ b/fs/proc/inode.c
 @@ -21,11 +21,17 @@
@@ -49477,7 +49487,7 @@ index 7ac817b..abab1a5 100644
  			inode->i_mode = de->mode;
  			inode->i_uid = de->uid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++			inode->i_gid = grsec_proc_gid;
 +#else
  			inode->i_gid = de->gid;
 +#endif
@@ -49587,7 +49597,7 @@ index b1822dd..df622cb 100644
  
  	seq_putc(m, '\n');
 diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index 06e1cc1..177cd98 100644
+index 06e1cc1..aa6fbbf 100644
 --- a/fs/proc/proc_net.c
 +++ b/fs/proc/proc_net.c
 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(struct inode *dir)
@@ -49602,7 +49612,7 @@ index 06e1cc1..177cd98 100644
 +	if (cred->fsuid)
 +		return net;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++	if (cred->fsuid && !in_group_p(grsec_proc_gid))
 +		return net;
 +#endif
  
@@ -50689,10 +50699,10 @@ index 92d4331..ca28a4b 100644
  	ip = issum ? mp->m_rsumip : mp->m_rbmip;
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..4d533f1
+index 0000000..d38b430
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,941 @@
+@@ -0,0 +1,947 @@
 +#
 +# grecurity configuration
 +#
@@ -50937,10 +50947,11 @@ index 0000000..4d533f1
 +	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
 +	help
 +	  If you say Y here, you will be able to select a group that will be
-+          able to view all processes and network-related information.  If you've
-+          enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
-+          remain hidden.  This option is useful if you want to run identd as
-+          a non-root user.
++	  able to view all processes and network-related information.  If you've
++	  enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
++	  remain hidden.  This option is useful if you want to run identd as
++	  a non-root user.  The group you select may also be chosen at boot time
++	  via "grsec_proc_gid=" on the kernel commandline.
 +
 +config GRKERNSEC_PROC_GID
 +	int "GID for special group"
@@ -51429,7 +51440,12 @@ index 0000000..4d533f1
 +	  entry will default to on for backward-compatibility.
 +
 +config GRKERNSEC_TPE_GID
-+	int "GID for untrusted users"
++	int
++	default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
++	default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
++	
++config GRKERNSEC_TPE_UNTRUSTED_GID
++	int "GID for TPE-untrusted users"
 +	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
 +	default 1005
 +	help
@@ -51437,8 +51453,8 @@ index 0000000..4d533f1
 +	  *enabled* for.  If the sysctl option is enabled, a sysctl option
 +	  with name "tpe_gid" is created.
 +
-+config GRKERNSEC_TPE_GID
-+	int "GID for trusted users"
++config GRKERNSEC_TPE_TRUSTED_GID
++	int "GID for TPE-trusted users"
 +	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
 +	default 1005
 +	help
@@ -51680,7 +51696,7 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..1561617
+index 0000000..07cd799
 --- /dev/null
 +++ b/grsecurity/gracl.c
 @@ -0,0 +1,4017 @@
@@ -55584,7 +55600,7 @@ index 0000000..1561617
 +		if (!uid_eq(cred->uid, GLOBAL_ROOT_UID))
 +			ret = -EACCES;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		if (!uid_eq(cred->uid, GLOBAL_ROOT_UID) && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
++		if (!uid_eq(cred->uid, GLOBAL_ROOT_UID) && !groups_search(cred->group_info, grsec_proc_gid))
 +			ret = -EACCES;
 +#endif
 +#endif
@@ -62676,10 +62692,10 @@ index 0000000..54f4e85
 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..38bfb04
+index 0000000..f9b9a21
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,233 @@
+@@ -0,0 +1,238 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -62904,6 +62920,11 @@ index 0000000..38bfb04
 +
 +extern int grsec_enable_dmesg;
 +extern int grsec_disable_privio;
++
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++extern int grsec_proc_gid;
++#endif
++
 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
 +extern int grsec_enable_chroot_findtask;
 +#endif
@@ -66163,7 +66184,7 @@ index 84c6bf1..8899338 100644
  	next_state = Reset;
  	return 0;
 diff --git a/init/main.c b/init/main.c
-index b5cc0a7..8e67244 100644
+index b5cc0a7..ed8e21f 100644
 --- a/init/main.c
 +++ b/init/main.c
 @@ -95,6 +95,8 @@ static inline void mark_rodata_ro(void) { }
@@ -66175,10 +66196,20 @@ index b5cc0a7..8e67244 100644
  /*
   * Debug helper: via this flag we know that we are in 'early bootup code'
   * where only the boot processor is running with IRQ disabled.  This means
-@@ -148,6 +150,51 @@ static int __init set_reset_devices(char *str)
+@@ -148,6 +150,61 @@ static int __init set_reset_devices(char *str)
  
  __setup("reset_devices", set_reset_devices);
  
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;
++static int __init setup_grsec_proc_gid(char *str)
++{
++	grsec_proc_gid = (int)simple_strtol(str, NULL, 0);
++	return 1;
++}
++__setup("grsec_proc_gid=", setup_grsec_proc_gid);
++#endif
++
 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
 +extern char pax_enter_kernel_user[];
 +extern char pax_exit_kernel_user[];
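Review bot: setup_grsec_proc_gid() stores whatever simple_strtol() returns with no validation, so an empty or malformed `grsec_proc_gid=` value silently becomes 0 and the exemption checks elsewhere in this patch (`in_group_p(grsec_proc_gid)`, `groups_search(..., grsec_proc_gid)`) would then treat GID 0, the root group, as the exempt group; a negative value is presumably converted to an unsigned gid_t at those call sites and wraps to a huge GID. The parse should fail closed: keep the Kconfig default and warn rather than store the junk, and kstrtoint() additionally rejects trailing garbage that simple_strtol() with a NULL endptr ignores. Since the variable is read on every /proc permission check and never written after boot, `__read_mostly` is also appropriate. The `#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP` block is complete within this hunk.
```c
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
int grsec_proc_gid __read_mostly = CONFIG_GRKERNSEC_PROC_GID;
static int __init setup_grsec_proc_gid(char *str)
{
	int gid;

	/* Fail closed: a malformed or negative value keeps the Kconfig
	 * default instead of silently selecting GID 0 (the root group). */
	if (kstrtoint(str, 0, &gid) < 0 || gid < 0) {
		printk(KERN_WARNING "grsec_proc_gid: ignoring invalid value \"%s\"\n", str);
		return 1;
	}
	grsec_proc_gid = gid;
	return 1;
}
__setup("grsec_proc_gid=", setup_grsec_proc_gid);
#endif
```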
@@ -66227,7 +66258,7 @@ index b5cc0a7..8e67244 100644
  static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
  const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
  static const char *panic_later, *panic_param;
-@@ -674,6 +721,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -674,6 +731,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
  {
  	int count = preempt_count();
  	int ret;
@@ -66235,7 +66266,7 @@ index b5cc0a7..8e67244 100644
  
  	if (initcall_debug)
  		ret = do_one_initcall_debug(fn);
-@@ -686,15 +734,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -686,15 +744,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
  		sprintf(msgbuf, "error code %d ", ret);
  
  	if (preempt_count() != count) {
@@ -66255,7 +66286,7 @@ index b5cc0a7..8e67244 100644
  	}
  
  	return ret;
-@@ -747,8 +795,14 @@ static void __init do_initcall_level(int level)
+@@ -747,8 +805,14 @@ static void __init do_initcall_level(int level)
  		   level, level,
  		   &repair_env_string);
  
@@ -66271,7 +66302,7 @@ index b5cc0a7..8e67244 100644
  }
  
  static void __init do_initcalls(void)
-@@ -782,8 +836,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -782,8 +846,14 @@ static void __init do_pre_smp_initcalls(void)
  {
  	initcall_t *fn;
  
@@ -66287,7 +66318,7 @@ index b5cc0a7..8e67244 100644
  }
  
  static void run_init_process(const char *init_filename)
-@@ -865,7 +925,7 @@ static int __init kernel_init(void * unused)
+@@ -865,7 +935,7 @@ static int __init kernel_init(void * unused)
  	do_basic_setup();
  
  	/* Open the /dev/console on the rootfs, this should never fail */
@@ -66296,7 +66327,7 @@ index b5cc0a7..8e67244 100644
  		printk(KERN_WARNING "Warning: unable to open an initial console.\n");
  
  	(void) sys_dup(0);
-@@ -878,11 +938,13 @@ static int __init kernel_init(void * unused)
+@@ -878,11 +948,13 @@ static int __init kernel_init(void * unused)
  	if (!ramdisk_execute_command)
  		ramdisk_execute_command = "/init";
  
@@ -80505,10 +80536,10 @@ index 5c11312..72742b5 100644
      write_hex_cnt = 0;
      for (i = 0; i < logo_clutsize; i++) {
 diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..5ff1ad1 100644
+index e9c6ac7..e7feb0d 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,885 @@
+@@ -4,6 +4,896 @@
  
  menu "Security options"
  
@@ -80704,18 +80735,29 @@ index e9c6ac7..5ff1ad1 100644
 +	  Setting this GID determines which group will be exempted from
 +	  grsecurity's /proc restrictions, allowing users of the specified
 +	  group  to view network statistics and the existence of other users'
-+	  processes on the system.
++	  processes on the system.  This GID may also be chosen at boot time
++	  via "grsec_proc_gid=" on the kernel commandline.
 +
-+config GRKERNSEC_TPE_GID
-+	int "GID for untrusted users"
-+	depends on GRKERNSEC_CONFIG_SERVER
-+	default 1005
-+	help
++config GRKERNSEC_TPE_UNTRUSTED_GID
++        int "GID for TPE-untrusted users"
++        depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
++        default 1005
++        help
 +	  Setting this GID determines which group untrusted users should
 +	  be added to.  These users will be placed under grsecurity's Trusted Path
 +	  Execution mechanism, preventing them from executing their own binaries.
 +	  The users will only be able to execute binaries in directories owned and
-+	  writable only by the root user.
++	  writable only by the root user.  If the sysctl option is enabled, a sysctl
++	  option with name "tpe_gid" is created.
++
++config GRKERNSEC_TPE_TRUSTED_GID
++        int "GID for TPE-trusted users"
++        depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
++        default 1005
++        help
++          Setting this GID determines what group TPE restrictions will be
++          *disabled* for.  If the sysctl option is enabled, a sysctl option
++          with name "tpe_gid" is created.
 +
 +config GRKERNSEC_SYMLINKOWN_GID
 +        int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
@@ -81394,7 +81436,7 @@ index e9c6ac7..5ff1ad1 100644
  source security/keys/Kconfig
  
  config SECURITY_DMESG_RESTRICT
-@@ -103,7 +982,7 @@ config INTEL_TXT
+@@ -103,7 +993,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX

