* [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.54/, 3.13.1/
@ 2014-02-06 15:59 Anthony G. Basile
From: Anthony G. Basile @ 2014-02-06 15:59 UTC (permalink / raw
  To: gentoo-commits

commit:     66e4ef4c51573a6f46e1badfc5a349a26118c6ca
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Feb  6 15:59:53 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Feb  6 15:59:53 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=66e4ef4c

Grsec/PaX: 3.0-{3.2.54,3.13.1}-201402052349

---
 3.13.1/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.13.1-201402052349.patch} | 364 +++++++++++++++++----
 3.2.54/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.2.54-201402052347.patch} | 117 ++++---
 4 files changed, 363 insertions(+), 122 deletions(-)

diff --git a/3.13.1/0000_README b/3.13.1/0000_README
index a830d5a..6b35ea7 100644
--- a/3.13.1/0000_README
+++ b/3.13.1/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.13.1-201401301657.patch
+Patch:	4420_grsecurity-3.0-3.13.1-201402052349.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.13.1/4420_grsecurity-3.0-3.13.1-201401301657.patch b/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch
similarity index 99%
rename from 3.13.1/4420_grsecurity-3.0-3.13.1-201401301657.patch
rename to 3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch
index 08da283..ee1465f 100644
--- a/3.13.1/4420_grsecurity-3.0-3.13.1-201401301657.patch
+++ b/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch
@@ -287,7 +287,7 @@ index b9e9bd8..bf49b92 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index de4cda9..d1183df 100644
+index de4cda9..e5ec62c 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -345,7 +345,7 @@ index de4cda9..d1183df 100644
 +RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-seed=$(GRKERNSEC_RANDSTRUCT_SEED)
 +RANDSTRUCT_HASHED_SEED := $(shell cat "$(srctree)/tools/gcc/randstruct.hashed_seed")
 +RANDSTRUCT_PLUGIN_CFLAGS += -DRANDSTRUCT_HASHED_SEED="\"$(RANDSTRUCT_HASHED_SEED)\""
-+ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE
 +RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode
 +endif
 +endif
@@ -64110,10 +64110,10 @@ index 104455b..764c512 100644
  		kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..c2c7f17
+index 0000000..01d5523
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1146 @@
+@@ -0,0 +1,1147 @@
 +#
 +# grecurity configuration
 +#
@@ -64330,6 +64330,7 @@ index 0000000..c2c7f17
 +	bool "Randomize layout of sensitive kernel structures"
 +	default y if GRKERNSEC_CONFIG_AUTO
 +	select GRKERNSEC_HIDESYM
++	select MODVERSIONS if MODULES
 +	help
 +	  If you say Y here, the layouts of a number of sensitive kernel
 +	  structures (task, fs, cred, etc) and all structures composed entirely
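Review bot: The new `select MODVERSIONS if MODULES` line imposes a requirement that the help text below does not explain, so a user enabling this option sees MODVERSIONS forced on without knowing why. Presumably the point is that symbol CRCs then reject a module built with a different randomization seed instead of loading it against an incompatible layout; that is worth stating in the help text, e.g. `Module versioning is selected so that modules built against a kernel with a different randomization seed are rejected at load time.` The help text continues outside the hunk.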
@@ -65262,17 +65263,27 @@ index 0000000..c2c7f17
 +endmenu
 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
 new file mode 100644
-index 0000000..d1344d2
+index 0000000..8a0354c
 --- /dev/null
 +++ b/grsecurity/Makefile
-@@ -0,0 +1,43 @@
-+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
-+# during 2001-2009 it has been completely redesigned by Brad Spengler
-+# into an RBAC system
+@@ -0,0 +1,53 @@
++# grsecurity – access control and security hardening for Linux
++# All code in this directory and various hooks located throughout the Linux kernel are
++# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
++# http://www.grsecurity.net spender@grsecurity.net
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License version 2
++# as published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
 +#
-+# All code in this directory and various hooks inserted throughout the kernel
-+# are copyright Brad Spengler - Open Source Security, Inc., and released 
-+# under the GPL v2
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 +
 +KBUILD_CFLAGS += -Werror
 +
@@ -85488,7 +85499,7 @@ index 1d96dd0..994ff19 100644
  
  	default:
 diff --git a/kernel/module.c b/kernel/module.c
-index f5a3b1e..1f5578b 100644
+index f5a3b1e..97ebb15 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -61,6 +61,7 @@
@@ -85554,7 +85565,37 @@ index f5a3b1e..1f5578b 100644
  }
  
  static struct module_attribute modinfo_initsize =
-@@ -1286,7 +1288,7 @@ resolve_symbol_wait(struct module *mod,
+@@ -1165,12 +1167,29 @@ static int check_version(Elf_Shdr *sechdrs,
+ 		goto bad_version;
+ 	}
+ 
++#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++	/*
++	 * avoid potentially printing jibberish on attempted load
++	 * of a module randomized with a different seed
++	 */
++	pr_warn("no symbol version for %s\n", symname);
++#else
+ 	pr_warn("%s: no symbol version for %s\n", mod->name, symname);
++#endif
+ 	return 0;
+ 
+ bad_version:
++#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++	/*
++	 * avoid potentially printing jibberish on attempted load
++	 * of a module randomized with a different seed
++	 */
++	printk("attempted module disagrees about version of symbol %s\n",
++	       symname);
++#else
+ 	printk("%s: disagrees about version of symbol %s\n",
+ 	       mod->name, symname);
++#endif
+ 	return 0;
+ }
+ 
+@@ -1286,7 +1305,7 @@ resolve_symbol_wait(struct module *mod,
   */
  #ifdef CONFIG_SYSFS
  
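Review bot: The two `#ifdef CONFIG_GRKERNSEC_RANDSTRUCT` branches in check_version drop `mod->name` from the diagnostics, so the log no longer says which module was refused, which is exactly what an operator or incident responder needs when a load fails. If the concern is only that `struct module` may be laid out differently in a foreign module, a name that does not come through the randomized struct (for example one read from the module's own .modinfo section) could still be printed; confirm what is available here, as check_version's parameters are outside the hunk. While here, the bad_version branch uses a bare `printk` without a log level whereas the first branch uses `pr_warn`; `pr_warn("attempted module disagrees about version of symbol %s\n", symname);` would be consistent, and the duplicated comment should read `gibberish`. The same pattern and comment recur in the setup_load_info hunk at @@ -2651,7 +2706,15 @@.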
@@ -85563,7 +85604,7 @@ index f5a3b1e..1f5578b 100644
  static inline bool sect_empty(const Elf_Shdr *sect)
  {
  	return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
-@@ -1426,7 +1428,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
+@@ -1426,7 +1445,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
  {
  	unsigned int notes, loaded, i;
  	struct module_notes_attrs *notes_attrs;
@@ -85572,7 +85613,7 @@ index f5a3b1e..1f5578b 100644
  
  	/* failed to create section attributes, so can't create notes */
  	if (!mod->sect_attrs)
-@@ -1538,7 +1540,7 @@ static void del_usage_links(struct module *mod)
+@@ -1538,7 +1557,7 @@ static void del_usage_links(struct module *mod)
  static int module_add_modinfo_attrs(struct module *mod)
  {
  	struct module_attribute *attr;
@@ -85581,7 +85622,7 @@ index f5a3b1e..1f5578b 100644
  	int error = 0;
  	int i;
  
-@@ -1759,21 +1761,21 @@ static void set_section_ro_nx(void *base,
+@@ -1759,21 +1778,21 @@ static void set_section_ro_nx(void *base,
  
  static void unset_module_core_ro_nx(struct module *mod)
  {
@@ -85611,7 +85652,7 @@ index f5a3b1e..1f5578b 100644
  		set_memory_rw);
  }
  
-@@ -1786,14 +1788,14 @@ void set_all_modules_text_rw(void)
+@@ -1786,14 +1805,14 @@ void set_all_modules_text_rw(void)
  	list_for_each_entry_rcu(mod, &modules, list) {
  		if (mod->state == MODULE_STATE_UNFORMED)
  			continue;
@@ -85632,7 +85673,7 @@ index f5a3b1e..1f5578b 100644
  						set_memory_rw);
  		}
  	}
-@@ -1809,14 +1811,14 @@ void set_all_modules_text_ro(void)
+@@ -1809,14 +1828,14 @@ void set_all_modules_text_ro(void)
  	list_for_each_entry_rcu(mod, &modules, list) {
  		if (mod->state == MODULE_STATE_UNFORMED)
  			continue;
@@ -85653,7 +85694,7 @@ index f5a3b1e..1f5578b 100644
  						set_memory_ro);
  		}
  	}
-@@ -1867,16 +1869,19 @@ static void free_module(struct module *mod)
+@@ -1867,16 +1886,19 @@ static void free_module(struct module *mod)
  
  	/* This may be NULL, but that's OK */
  	unset_module_init_ro_nx(mod);
@@ -85676,7 +85717,7 @@ index f5a3b1e..1f5578b 100644
  
  #ifdef CONFIG_MPU
  	update_protections(current->mm);
-@@ -1945,9 +1950,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1945,9 +1967,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
  	int ret = 0;
  	const struct kernel_symbol *ksym;
  
@@ -85708,7 +85749,7 @@ index f5a3b1e..1f5578b 100644
  		switch (sym[i].st_shndx) {
  		case SHN_COMMON:
  			/* We compiled with -fno-common.  These are not
-@@ -1968,7 +1995,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1968,7 +2012,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
  			ksym = resolve_symbol_wait(mod, info, name);
  			/* Ok if resolved.  */
  			if (ksym && !IS_ERR(ksym)) {
@@ -85718,7 +85759,7 @@ index f5a3b1e..1f5578b 100644
  				break;
  			}
  
-@@ -1987,11 +2016,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1987,11 +2033,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
  				secbase = (unsigned long)mod_percpu(mod);
  			else
  				secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
@@ -85739,7 +85780,7 @@ index f5a3b1e..1f5578b 100644
  	return ret;
  }
  
-@@ -2075,22 +2113,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2075,22 +2130,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
  			    || s->sh_entsize != ~0UL
  			    || strstarts(sname, ".init"))
  				continue;
@@ -85766,7 +85807,7 @@ index f5a3b1e..1f5578b 100644
  	}
  
  	pr_debug("Init section allocation order:\n");
-@@ -2104,23 +2132,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2104,23 +2149,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
  			    || s->sh_entsize != ~0UL
  			    || !strstarts(sname, ".init"))
  				continue;
@@ -85795,7 +85836,7 @@ index f5a3b1e..1f5578b 100644
  	}
  }
  
-@@ -2293,7 +2311,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2293,7 +2328,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
  
  	/* Put symbol section at end of init part of module. */
  	symsect->sh_flags |= SHF_ALLOC;
@@ -85804,7 +85845,7 @@ index f5a3b1e..1f5578b 100644
  					 info->index.sym) | INIT_OFFSET_MASK;
  	pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
  
-@@ -2310,13 +2328,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2310,13 +2345,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
  	}
  
  	/* Append room for core symbols at end of core part. */
@@ -85822,7 +85863,7 @@ index f5a3b1e..1f5578b 100644
  					 info->index.str) | INIT_OFFSET_MASK;
  	pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
  }
-@@ -2334,12 +2352,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2334,12 +2369,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
  	/* Make sure we get permanent strtab: don't use info->strtab. */
  	mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
  
@@ -85839,7 +85880,7 @@ index f5a3b1e..1f5578b 100644
  	src = mod->symtab;
  	for (ndst = i = 0; i < mod->num_symtab; i++) {
  		if (i == 0 ||
-@@ -2351,6 +2371,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2351,6 +2388,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
  		}
  	}
  	mod->core_num_syms = ndst;
@@ -85848,7 +85889,7 @@ index f5a3b1e..1f5578b 100644
  }
  #else
  static inline void layout_symtab(struct module *mod, struct load_info *info)
-@@ -2384,17 +2406,33 @@ void * __weak module_alloc(unsigned long size)
+@@ -2384,17 +2423,33 @@ void * __weak module_alloc(unsigned long size)
  	return vmalloc_exec(size);
  }
  
@@ -85887,7 +85928,23 @@ index f5a3b1e..1f5578b 100644
  		mutex_unlock(&module_mutex);
  	}
  	return ret;
-@@ -2667,8 +2705,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+@@ -2651,7 +2706,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+ 	mod = (void *)info->sechdrs[info->index.mod].sh_addr;
+ 
+ 	if (info->index.sym == 0) {
++#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
++		/*
++		 * avoid potentially printing jibberish on attempted load
++		 * of a module randomized with a different seed
++		 */
++		pr_warn("module has no symbols (stripped?)\n");
++#else
+ 		pr_warn("%s: module has no symbols (stripped?)\n", mod->name);
++#endif
+ 		return ERR_PTR(-ENOEXEC);
+ 	}
+ 
+@@ -2667,8 +2730,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
  static int check_modinfo(struct module *mod, struct load_info *info, int flags)
  {
  	const char *modmagic = get_modinfo(info, "vermagic");
@@ -85902,7 +85959,7 @@ index f5a3b1e..1f5578b 100644
  	if (flags & MODULE_INIT_IGNORE_VERMAGIC)
  		modmagic = NULL;
  
-@@ -2693,7 +2737,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
+@@ -2693,7 +2762,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
  	}
  
  	/* Set up license info based on the info section */
@@ -85911,7 +85968,7 @@ index f5a3b1e..1f5578b 100644
  
  	return 0;
  }
-@@ -2787,7 +2831,7 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2787,7 +2856,7 @@ static int move_module(struct module *mod, struct load_info *info)
  	void *ptr;
  
  	/* Do the allocs. */
@@ -85920,7 +85977,7 @@ index f5a3b1e..1f5578b 100644
  	/*
  	 * The pointer to this block is stored in the module structure
  	 * which is inside the block. Just mark it as not being a
-@@ -2797,11 +2841,11 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2797,11 +2866,11 @@ static int move_module(struct module *mod, struct load_info *info)
  	if (!ptr)
  		return -ENOMEM;
  
@@ -85936,7 +85993,7 @@ index f5a3b1e..1f5578b 100644
  		/*
  		 * The pointer to this block is stored in the module structure
  		 * which is inside the block. This block doesn't need to be
-@@ -2810,13 +2854,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2810,13 +2879,45 @@ static int move_module(struct module *mod, struct load_info *info)
  		 */
  		kmemleak_ignore(ptr);
  		if (!ptr) {
@@ -85986,7 +86043,7 @@ index f5a3b1e..1f5578b 100644
  
  	/* Transfer each section which specifies SHF_ALLOC */
  	pr_debug("final section addresses:\n");
-@@ -2827,16 +2903,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2827,16 +2928,45 @@ static int move_module(struct module *mod, struct load_info *info)
  		if (!(shdr->sh_flags & SHF_ALLOC))
  			continue;
  
@@ -86039,7 +86096,7 @@ index f5a3b1e..1f5578b 100644
  		pr_debug("\t0x%lx %s\n",
  			 (long)shdr->sh_addr, info->secstrings + shdr->sh_name);
  	}
-@@ -2893,12 +2998,12 @@ static void flush_module_icache(const struct module *mod)
+@@ -2893,12 +3023,12 @@ static void flush_module_icache(const struct module *mod)
  	 * Do it before processing of module parameters, so the module
  	 * can provide parameter accessor functions of its own.
  	 */
@@ -86058,7 +86115,7 @@ index f5a3b1e..1f5578b 100644
  
  	set_fs(old_fs);
  }
-@@ -2955,8 +3060,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
+@@ -2955,8 +3085,10 @@ static struct module *layout_and_allocate(struct load_info *info, int flags)
  static void module_deallocate(struct module *mod, struct load_info *info)
  {
  	percpu_modfree(mod);
@@ -86071,7 +86128,7 @@ index f5a3b1e..1f5578b 100644
  }
  
  int __weak module_finalize(const Elf_Ehdr *hdr,
-@@ -2969,7 +3076,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
+@@ -2969,7 +3101,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
  static int post_relocation(struct module *mod, const struct load_info *info)
  {
  	/* Sort exception table now relocations are done. */
@@ -86081,7 +86138,7 @@ index f5a3b1e..1f5578b 100644
  
  	/* Copy relocated percpu area over. */
  	percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
-@@ -3023,16 +3132,16 @@ static int do_init_module(struct module *mod)
+@@ -3023,16 +3157,16 @@ static int do_init_module(struct module *mod)
  			MODULE_STATE_COMING, mod);
  
  	/* Set RO and NX regions for core */
@@ -86106,7 +86163,7 @@ index f5a3b1e..1f5578b 100644
  
  	do_mod_ctors(mod);
  	/* Start the module */
-@@ -3093,11 +3202,12 @@ static int do_init_module(struct module *mod)
+@@ -3093,11 +3227,12 @@ static int do_init_module(struct module *mod)
  	mod->strtab = mod->core_strtab;
  #endif
  	unset_module_init_ro_nx(mod);
@@ -86124,7 +86181,7 @@ index f5a3b1e..1f5578b 100644
  	mutex_unlock(&module_mutex);
  	wake_up_all(&module_wq);
  
-@@ -3240,9 +3350,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3240,9 +3375,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
  	if (err)
  		goto free_unload;
  
@@ -86163,7 +86220,7 @@ index f5a3b1e..1f5578b 100644
  	/* Fix up syms, so that st_value is a pointer to location. */
  	err = simplify_symbols(mod, info);
  	if (err < 0)
-@@ -3258,13 +3397,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3258,13 +3422,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
  
  	flush_module_icache(mod);
  
@@ -86177,7 +86234,7 @@ index f5a3b1e..1f5578b 100644
  	dynamic_debug_setup(info->debug, info->num_debug);
  
  	/* Finally it's fully formed, ready to start executing. */
-@@ -3299,11 +3431,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3299,11 +3456,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
   ddebug_cleanup:
  	dynamic_debug_remove(info->debug);
  	synchronize_sched();
@@ -86190,7 +86247,7 @@ index f5a3b1e..1f5578b 100644
   free_unload:
  	module_unload_free(mod);
   unlink_mod:
-@@ -3386,10 +3517,16 @@ static const char *get_ksymbol(struct module *mod,
+@@ -3386,10 +3542,16 @@ static const char *get_ksymbol(struct module *mod,
  	unsigned long nextval;
  
  	/* At worse, next value is at end of module */
@@ -86210,7 +86267,7 @@ index f5a3b1e..1f5578b 100644
  
  	/* Scan for closest preceding symbol, and next symbol. (ELF
  	   starts real symbols at 1). */
-@@ -3640,7 +3777,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3640,7 +3802,7 @@ static int m_show(struct seq_file *m, void *p)
  		return 0;
  
  	seq_printf(m, "%s %u",
@@ -86219,7 +86276,7 @@ index f5a3b1e..1f5578b 100644
  	print_unload_info(m, mod);
  
  	/* Informative for users. */
-@@ -3649,7 +3786,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3649,7 +3811,7 @@ static int m_show(struct seq_file *m, void *p)
  		   mod->state == MODULE_STATE_COMING ? "Loading":
  		   "Live");
  	/* Used by oprofile and other similar tools. */
@@ -86228,7 +86285,7 @@ index f5a3b1e..1f5578b 100644
  
  	/* Taints info */
  	if (mod->taints)
-@@ -3685,7 +3822,17 @@ static const struct file_operations proc_modules_operations = {
+@@ -3685,7 +3847,17 @@ static const struct file_operations proc_modules_operations = {
  
  static int __init proc_modules_init(void)
  {
@@ -86246,7 +86303,7 @@ index f5a3b1e..1f5578b 100644
  	return 0;
  }
  module_init(proc_modules_init);
-@@ -3746,14 +3893,14 @@ struct module *__module_address(unsigned long addr)
+@@ -3746,14 +3918,14 @@ struct module *__module_address(unsigned long addr)
  {
  	struct module *mod;
  
@@ -86264,7 +86321,7 @@ index f5a3b1e..1f5578b 100644
  			return mod;
  	}
  	return NULL;
-@@ -3788,11 +3935,20 @@ bool is_module_text_address(unsigned long addr)
+@@ -3788,11 +3960,20 @@ bool is_module_text_address(unsigned long addr)
   */
  struct module *__module_text_address(unsigned long addr)
  {
@@ -101223,7 +101280,7 @@ index 0000000..5e0222d
 +fi
 diff --git a/scripts/gen-random-seed.sh b/scripts/gen-random-seed.sh
 new file mode 100644
-index 0000000..17b3162
+index 0000000..27e0f4a
 --- /dev/null
 +++ b/scripts/gen-random-seed.sh
 @@ -0,0 +1,8 @@
@@ -101232,8 +101289,8 @@ index 0000000..17b3162
 +if [ ! -f 'tools/gcc/randstruct.seed' ]; then
 +	SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
 +	echo "$SEED" > tools/gcc/randstruct.seed
++	cat tools/gcc/randstruct.seed | sha256sum | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed
 +fi
-+cat tools/gcc/randstruct.seed | sha256sum | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed
 +cat tools/gcc/randstruct.seed
 diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh
 index 5de5660..d3deb89 100644
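Review bot: Moving the hashed_seed generation inside the `if` means a tree that already has `tools/gcc/randstruct.seed` but no `randstruct.hashed_seed` (one generated before this change, or where only the hash was cleaned) never gets the hash regenerated, and the Makefile's `cat "$(srctree)/tools/gcc/randstruct.hashed_seed"` seen earlier in this patch then defines RANDSTRUCT_HASHED_SEED from a missing file. Derive the hash under its own existence check so the two files are always present together. The seed is also written with the default umask although it is the secret that determines the structure layout; creating it with restrictive permissions (e.g. `umask 077` before the write) keeps it from being world-readable in a shared build tree. The start of the script is outside the hunk.
```shell
if [ ! -f 'tools/gcc/randstruct.seed' ]; then
	SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
	echo "$SEED" > tools/gcc/randstruct.seed
fi
if [ ! -f 'tools/gcc/randstruct.hashed_seed' ]; then
	sha256sum < tools/gcc/randstruct.seed | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed
fi
# … unchanged: final cat of the seed …
```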
@@ -101518,10 +101575,10 @@ index 8fac3fd..32ff38d 100644
  	unsigned int secindex_strings;
  
 diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..9551ea7 100644
+index e9c6ac7..0ebde711 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,958 @@
+@@ -4,6 +4,959 @@
  
  menu "Security options"
  
@@ -101556,6 +101613,7 @@ index e9c6ac7..9551ea7 100644
 +	select PROC_FS
 +	select STOP_MACHINE
 +	select TTY
++	select DEBUG_KERNEL
 +	select DEBUG_LIST
 +	help
 +	  If you say Y here, you will be able to configure many features
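Review bot: The new `select DEBUG_KERNEL` has no comment saying why a security option pulls in the kernel debugging menu. Presumably it is there because `DEBUG_LIST`, selected on the next line, depends on DEBUG_KERNEL in lib/Kconfig.debug and Kconfig's `select` does not satisfy a symbol's own dependencies; a one-line comment such as `# DEBUG_LIST depends on DEBUG_KERNEL; select it so the select below takes effect` would stop the next reader from removing it. DEBUG_KERNEL also exposes many other debug options to the user, which is worth stating in the help text if that is intended. The config block this belongs to starts outside the hunk.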
@@ -102480,7 +102538,7 @@ index e9c6ac7..9551ea7 100644
  source security/keys/Kconfig
  
  config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1055,7 @@ config INTEL_TXT
+@@ -103,7 +1056,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX
@@ -105700,7 +105758,7 @@ index 0000000..dd73713
 +}
 diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
 new file mode 100644
-index 0000000..f04b680
+index 0000000..592b923
 --- /dev/null
 +++ b/tools/gcc/latent_entropy_plugin.c
 @@ -0,0 +1,325 @@
@@ -106023,7 +106081,7 @@ index 0000000..f04b680
 +	}
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &latent_entropy_plugin_info);
-+	register_callback ("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++	register_callback(plugin_name, PLUGIN_START_UNIT, &start_unit_callback, NULL);
 +	register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &latent_entropy_pass_info);
 +	register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
 +
@@ -106031,10 +106089,10 @@ index 0000000..f04b680
 +}
 diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c
 new file mode 100644
-index 0000000..4aceb10
+index 0000000..8ed761c6
 --- /dev/null
 +++ b/tools/gcc/randomize_layout_plugin.c
-@@ -0,0 +1,746 @@
+@@ -0,0 +1,914 @@
 +/*
 + * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@grsecurity.net>
 + *                   and PaX Team <pageexec@freemail.hu>
@@ -106058,7 +106116,7 @@ index 0000000..4aceb10
 +static int performance_mode;
 +
 +static struct plugin_info randomize_layout_plugin_info = {
-+	.version	= "201401251240",
++	.version	= "201402011940",
 +	.help		= "disable\t\t\tdo not activate plugin\n"
 +			  "seed\t\t\tprovide a required 64-byte seed in hex format\n"
 +			  "performance-mode\tenable cacheline-aware layout randomization\n"
@@ -106333,6 +106391,7 @@ index 0000000..4aceb10
 +	unsigned long i;
 +	tree list;
 +	tree variant;
++	expanded_location xloc;
 +
 +	if (TYPE_FIELDS(type) == NULL_TREE)
 +		return 0;
@@ -106348,6 +106407,12 @@ index 0000000..4aceb10
 +	    lookup_attribute("no_randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))))
 +		return 0;
 +
++	/* throw out any structs in uapi */
++	xloc = expand_location(DECL_SOURCE_LOCATION(TYPE_FIELDS(type)));
++
++	if (strstr(xloc.file, "/uapi/"))
++		error(G_("attempted to randomize userland API struct %s"), ORIG_TYPE_NAME(type));
++
 +	for (field = TYPE_FIELDS(type), i = 0; field; field = TREE_CHAIN(field), i++) {
 +		gcc_assert(TREE_CODE(field) == FIELD_DECL);
 +		newtree[i] = field;
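Review bot: `strstr(xloc.file, "/uapi/")` is called without checking that `xloc.file` is non-NULL; `expand_location` yields a NULL file for a location without a source file (e.g. UNKNOWN_LOCATION or compiler-generated fields), which would crash the compiler instead of reporting. Guard it: `if (xloc.file && strstr(xloc.file, "/uapi/"))`. After `error()` the function continues and randomizes the struct anyway; since the diagnostic already fails the build this is harmless, but a `return 0;` there would make the intent explicit. Only the first field's location is consulted, so a uapi struct whose first field is declared elsewhere would slip through — confirm whether that can occur. The enclosing function starts and ends outside the hunk.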
@@ -106460,6 +106525,28 @@ index 0000000..4aceb10
 +#endif
 +}
 +
++static void finish_decl(void *event_data, void *data)
++{
++	tree decl = (tree)event_data;
++	tree type;
++
++	if (decl == NULL_TREE || decl == error_mark_node)
++		return;
++
++	type = TREE_TYPE(decl);
++
++	if (TREE_CODE(decl) != VAR_DECL)
++		return;
++
++	if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
++		return;
++
++	if (!lookup_attribute("randomize_performed", TYPE_ATTRIBUTES(type)))
++		return;
++
++	relayout_decl(decl);
++}
++
 +static void finish_type(void *event_data, void *data)
 +{
 +	tree type = (tree)event_data;
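Review bot: `finish_decl` carries no comment explaining why a VAR_DECL whose type carries `randomize_performed` must be passed to `relayout_decl`, a GCC-internal subtlety a later maintainer cannot recover from the code; suggest a short comment above the function such as `/* the variable's size/alignment may have been computed before its struct type was randomized; recompute them from the final layout */`, adjusted to whatever the actual reason is. The RECORD_TYPE/UNION_TYPE test also skips arrays of randomized structs (their TREE_CODE is ARRAY_TYPE); if those need the same treatment, running `strip_array_types` on the type before the test — as the constructor check later in this file does — would cover them. Confirm the latter against how relayout_decl behaves.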
@@ -106555,6 +106642,138 @@ index 0000000..4aceb10
 +	register_attribute(&randomize_performed_attr);
 +}
 +
++static void check_bad_casts_in_constructor(tree var, tree init)
++{
++	unsigned HOST_WIDE_INT idx;
++	tree field, val;
++	tree field_type, val_type;
++
++	FOR_EACH_CONSTRUCTOR_ELT(CONSTRUCTOR_ELTS(init), idx, field, val) {
++		if (TREE_CODE(val) == CONSTRUCTOR) {
++			check_bad_casts_in_constructor(var, val);
++			continue;
++		}
++
++		field_type = TREE_TYPE(field);
++		val_type = TREE_TYPE(val);
++
++		if (TREE_CODE(field_type) != POINTER_TYPE || TREE_CODE(val_type) != POINTER_TYPE)
++			continue;
++
++		if (field_type == val_type)
++			continue;
++
++		field_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(field_type))));
++		val_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(val_type))));
++
++		if (field_type == void_type_node)
++			continue;
++		if (field_type == val_type)
++			continue;
++		if (TREE_CODE(val_type) != RECORD_TYPE)
++			continue;
++
++		if (!lookup_attribute("randomize_performed", TYPE_ATTRIBUTES(val_type)))
++			continue;
++		inform(DECL_SOURCE_LOCATION(var), "found mismatched struct pointer types: %qT and %qT\n", TYPE_MAIN_VARIANT(field_type), TYPE_MAIN_VARIANT(val_type));
++	}
++}
++
++/* derived from the constify plugin */
++static void check_global_variables(void *event_data, void *data)
++{
++	struct varpool_node *node;
++	tree init;
++
++#if BUILDING_GCC_VERSION <= 4007
++	for (node = varpool_nodes; node; node = node->next) {
++		tree var = node->decl;
++#else
++	FOR_EACH_VARIABLE(node) {
++		tree var = node->symbol.decl;
++#endif
++		init = DECL_INITIAL(var);
++		if (init == NULL_TREE)
++			continue;
++
++		if (TREE_CODE(init) != CONSTRUCTOR)
++			continue;
++
++		check_bad_casts_in_constructor(var, init);
++	}
++}
++
++static bool dominated_by_is_err(const_tree rhs, basic_block bb)
++{
++	basic_block dom;
++	gimple dom_stmt;
++	gimple call_stmt;
++	const_tree dom_lhs;
++	const_tree poss_is_err_cond;
++	const_tree poss_is_err_func;
++	const_tree is_err_arg;
++
++	dom = get_immediate_dominator(CDI_DOMINATORS, bb);
++	if (!dom)
++		return false;
++
++	dom_stmt = last_stmt(dom);
++	if (!dom_stmt)
++		return false;
++
++	if (gimple_code(dom_stmt) != GIMPLE_COND)
++		return false;
++
++	if (gimple_cond_code(dom_stmt) != NE_EXPR)
++		return false;
++
++	if (!integer_zerop(gimple_cond_rhs(dom_stmt)))
++		return false;
++
++	poss_is_err_cond = gimple_cond_lhs(dom_stmt);
++
++	if (TREE_CODE(poss_is_err_cond) != SSA_NAME)
++		return false;
++
++	call_stmt = SSA_NAME_DEF_STMT(poss_is_err_cond);
++
++	if (gimple_code(call_stmt) != GIMPLE_CALL)
++		return false;
++
++	dom_lhs = gimple_get_lhs(call_stmt);
++	poss_is_err_func = gimple_call_fndecl(call_stmt);
++	if (!poss_is_err_func)
++		return false;
++	if (dom_lhs != poss_is_err_cond)
++		return false;
++	if (strcmp(DECL_NAME_POINTER(poss_is_err_func), "IS_ERR"))
++		return false;
++
++	is_err_arg = gimple_call_arg(call_stmt, 0);
++	if (!is_err_arg)
++		return false;
++
++	if (is_err_arg != rhs)
++		return false;
++
++	return true;
++}
++
++static void handle_local_var_initializers(void)
++{
++	tree var;
++	unsigned int i;
++
++	FOR_EACH_LOCAL_DECL(cfun, i, var) {
++		tree init = DECL_INITIAL(var);
++		if (!init)
++			continue;
++		if (TREE_CODE(init) != CONSTRUCTOR)
++			continue;
++		check_bad_casts_in_constructor(var, init);
++	}
++}
++
 +/*
 + * iterate over all statements to find "bad" casts:
 + * those where the address of the start of a structure is cast
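Review bot: In `check_bad_casts_in_constructor` the `field` produced by FOR_EACH_CONSTRUCTOR_ELT is dereferenced with `TREE_TYPE(field)` without a NULL check, but a CONSTRUCTOR element's index may be NULL_TREE (array and vector initializers without an explicit index), which would crash the plugin on such an initializer. Add `if (field == NULL_TREE) continue;` as the first statement of the loop body, ahead of the nested-constructor recursion, so the guard covers both paths. The `inform()` format string ends in `\n`, which GCC diagnostics normally omit because the diagnostic machinery supplies its own line break. All four functions added in this hunk are complete within it.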
@@ -106565,7 +106784,9 @@ index 0000000..4aceb10
 +{
 +	basic_block bb;
 +
-+	FOR_ALL_BB(bb) {
++	handle_local_var_initializers();
++
++	FOR_ALL_BB_FN(bb, cfun) {
 +		gimple_stmt_iterator gsi;
 +
 +		for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
@@ -106612,13 +106833,16 @@ index 0000000..4aceb10
 +			    TREE_CODE(lhs_type) != POINTER_TYPE)
 +				continue;
 +
-+			ptr_lhs_type = strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(lhs_type)));
-+			ptr_rhs_type = strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(rhs_type)));
++			ptr_lhs_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(lhs_type))));
++			ptr_rhs_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(rhs_type))));
 +
-+			if (TREE_CODE(ptr_lhs_type) != RECORD_TYPE)
++			if (ptr_rhs_type == void_type_node)
 +				continue;
 +
-+			if (ptr_rhs_type == void_type_node)
++			if (ptr_lhs_type == void_type_node)
++				continue;
++
++			if (dominated_by_is_err(rhs1, bb))
 +				continue;
 +
 +			if (TREE_CODE(ptr_rhs_type) != RECORD_TYPE) {
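Review bot: The new `dominated_by_is_err(rhs1, bb)` exemption checks only that the immediate dominator ends in an `IS_ERR(rhs1) != 0` condition, not which edge of that condition leads to `bb`, so a cast in the non-error branch of `if (IS_ERR(p)) ... else ...` is suppressed as readily as one in the error branch. If the intent is to accept only the error-path cast (an ERR_CAST-style return), the edge from `dom` to `bb` should be checked for `EDGE_TRUE_VALUE` inside `dominated_by_is_err`, which is defined earlier in this file. Removing the `TREE_CODE(ptr_lhs_type) != RECORD_TYPE` filter also widens the check to casts whose target is a non-struct pointer; a one-line comment on why the two void-pointer tests are sufficient would help. The enclosing loop starts and ends outside the hunk.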
@@ -106641,7 +106865,7 @@ index 0000000..4aceb10
 +				if (TREE_CODE(op0) != VAR_DECL)
 +					continue;
 +
-+				op0_type = strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(op0)));
++				op0_type = TYPE_MAIN_VARIANT(strip_array_types(TYPE_MAIN_VARIANT(TREE_TYPE(op0))));
 +				if (op0_type == ptr_lhs_type)
 +					continue;
 +
@@ -106692,7 +106916,7 @@ index 0000000..4aceb10
 +		.properties_provided	= 0,
 +		.properties_destroyed	= 0,
 +		.todo_flags_start	= 0,
-+		.todo_flags_finish	= TODO_dump_func | TODO_verify_ssa | TODO_verify_stmts | TODO_remove_unused_locals | TODO_update_ssa_no_phi | TODO_cleanup_cfg | TODO_ggc_collect | TODO_verify_flow
++		.todo_flags_finish	= TODO_dump_func
 +#if BUILDING_GCC_VERSION < 4009
 +	}
 +#endif
@@ -106774,8 +106998,10 @@ index 0000000..4aceb10
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &randomize_layout_plugin_info);
 +	if (enable) {
++		register_callback(plugin_name, PLUGIN_ALL_IPA_PASSES_START, check_global_variables, NULL);
 +		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &randomize_layout_bad_cast_info);
 +		register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
++		register_callback(plugin_name, PLUGIN_FINISH_DECL, finish_decl, NULL);
 +	}
 +	register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
 +
@@ -112486,7 +112712,7 @@ index 0000000..0c980be
 +nvme_trans_standard_inquiry_page_65526 nvme_trans_standard_inquiry_page 4 65526 NULL
 diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
 new file mode 100644
-index 0000000..94aa56d
+index 0000000..4a637ab
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin.c
 @@ -0,0 +1,4040 @@
@@ -116520,7 +116746,7 @@ index 0000000..94aa56d
 +
 +	register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info);
 +	if (enable) {
-+		register_callback("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
++		register_callback(plugin_name, PLUGIN_START_UNIT, &start_unit_callback, NULL);
 +		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &insert_size_overflow_asm_pass_info);
 +//		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &dump_before_pass_info);
 +		register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &ipa_pass_info);

diff --git a/3.2.54/0000_README b/3.2.54/0000_README
index 1673fee..18647c3 100644
--- a/3.2.54/0000_README
+++ b/3.2.54/0000_README
@@ -134,7 +134,7 @@ Patch:	1053_linux-3.2.54.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.54
 
-Patch:	4420_grsecurity-3.0-3.2.54-201401281850.patch
+Patch:	4420_grsecurity-3.0-3.2.54-201402052347.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.54/4420_grsecurity-3.0-3.2.54-201401281850.patch b/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
similarity index 99%
rename from 3.2.54/4420_grsecurity-3.0-3.2.54-201401281850.patch
rename to 3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
index 70f1c6f..fa55d46 100644
--- a/3.2.54/4420_grsecurity-3.0-3.2.54-201401281850.patch
+++ b/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
@@ -33948,7 +33948,7 @@ index da3cfee..a5a6606 100644
  
  	*ppos = i;
 diff --git a/drivers/char/random.c b/drivers/char/random.c
-index c244f0e..3f6ae58 100644
+index c244f0e..4276f28 100644
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
 @@ -255,10 +255,8 @@
@@ -33964,7 +33964,7 @@ index c244f0e..3f6ae58 100644
  
  #include <asm/processor.h>
  #include <asm/uaccess.h>
-@@ -266,129 +264,151 @@
+@@ -266,129 +264,153 @@
  #include <asm/irq_regs.h>
  #include <asm/io.h>
  
@@ -33991,6 +33991,8 @@ index c244f0e..3f6ae58 100644
 +#endif
 +#define SEC_XFER_SIZE		512
 +#define EXTRACT_SIZE		10
++
++#define DEBUG_RANDOM_BOOT 0
  
  #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
  
@@ -34194,7 +34196,7 @@ index c244f0e..3f6ae58 100644
  /*
   * Static global variables
   */
-@@ -396,21 +416,6 @@ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
+@@ -396,21 +418,6 @@ static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
  static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
  static struct fasync_struct *fasync;
  
@@ -34216,7 +34218,7 @@ index c244f0e..3f6ae58 100644
  /**********************************************************************
   *
   * OS independent entropy store.   Here are the functions which handle
-@@ -421,22 +426,26 @@ module_param(debug, bool, 0644);
+@@ -421,22 +428,26 @@ module_param(debug, bool, 0644);
  struct entropy_store;
  struct entropy_store {
  	/* read-only data: */
@@ -34247,7 +34249,7 @@ index c244f0e..3f6ae58 100644
  static __u32 input_pool_data[INPUT_POOL_WORDS];
  static __u32 blocking_pool_data[OUTPUT_POOL_WORDS];
  static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS];
-@@ -445,7 +454,7 @@ static struct entropy_store input_pool = {
+@@ -445,7 +456,7 @@ static struct entropy_store input_pool = {
  	.poolinfo = &poolinfo_table[0],
  	.name = "input",
  	.limit = 1,
@@ -34256,7 +34258,7 @@ index c244f0e..3f6ae58 100644
  	.pool = input_pool_data
  };
  
-@@ -454,16 +463,20 @@ static struct entropy_store blocking_pool = {
+@@ -454,16 +465,20 @@ static struct entropy_store blocking_pool = {
  	.name = "blocking",
  	.limit = 1,
  	.pull = &input_pool,
@@ -34281,7 +34283,7 @@ index c244f0e..3f6ae58 100644
  };
  
  static __u32 const twist_table[8] = {
-@@ -480,8 +493,8 @@ static __u32 const twist_table[8] = {
+@@ -480,8 +495,8 @@ static __u32 const twist_table[8] = {
   * it's cheap to do so and helps slightly in the expected case where
   * the entropy is concentrated in the low-order bits.
   */
@@ -34292,7 +34294,7 @@ index c244f0e..3f6ae58 100644
  {
  	unsigned long i, j, tap1, tap2, tap3, tap4, tap5;
  	int input_rotate;
-@@ -501,7 +514,7 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -501,7 +516,7 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
  
  	/* mix one byte at a time to simplify size handling and churn faster */
  	while (nbytes--) {
@@ -34301,7 +34303,7 @@ index c244f0e..3f6ae58 100644
  		i = (i - 1) & wordmask;
  
  		/* XOR in the various taps */
-@@ -521,11 +534,11 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -521,11 +536,11 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
  		 * rotation, so that successive passes spread the
  		 * input bits across the pool evenly.
  		 */
@@ -34316,7 +34318,7 @@ index c244f0e..3f6ae58 100644
  	smp_wmb();
  
  	if (out)
-@@ -533,13 +546,21 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
+@@ -533,13 +548,21 @@ static void __mix_pool_bytes(struct entropy_store *r, const void *in,
  			((__u32 *)out)[j] = r->pool[(i - j) & wordmask];
  }
  
@@ -34340,7 +34342,7 @@ index c244f0e..3f6ae58 100644
  	spin_unlock_irqrestore(&r->lock, flags);
  }
  
-@@ -556,58 +577,151 @@ struct fast_pool {
+@@ -556,58 +579,151 @@ struct fast_pool {
   * collector.  It's hardcoded for an 128 bit pool and assumes that any
   * locks that might be needed are taken by the caller.
   */
@@ -34516,7 +34518,7 @@ index c244f0e..3f6ae58 100644
  /*********************************************************************
   *
   * Entropy input management
-@@ -621,42 +735,7 @@ struct timer_rand_state {
+@@ -621,42 +737,7 @@ struct timer_rand_state {
  	unsigned dont_count_entropy:1;
  };
  
@@ -34560,7 +34562,7 @@ index c244f0e..3f6ae58 100644
  
  /*
   * Add device- or boot-specific data to the input and nonblocking
-@@ -669,15 +748,22 @@ static void set_timer_rand_state(unsigned int irq,
+@@ -669,15 +750,22 @@ static void set_timer_rand_state(unsigned int irq,
  void add_device_randomness(const void *buf, unsigned int size)
  {
  	unsigned long time = random_get_entropy() ^ jiffies;
@@ -34588,7 +34590,7 @@ index c244f0e..3f6ae58 100644
  
  /*
   * This function adds entropy to the entropy "pool" by using timing
-@@ -691,6 +777,7 @@ static struct timer_rand_state input_timer_state;
+@@ -691,6 +779,7 @@ static struct timer_rand_state input_timer_state;
   */
  static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
  {
@@ -34596,7 +34598,7 @@ index c244f0e..3f6ae58 100644
  	struct {
  		long jiffies;
  		unsigned cycles;
-@@ -699,15 +786,12 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+@@ -699,15 +788,12 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
  	long delta, delta2, delta3;
  
  	preempt_disable();
@@ -34614,7 +34616,7 @@ index c244f0e..3f6ae58 100644
  
  	/*
  	 * Calculate number of bits of randomness we probably added.
-@@ -741,10 +825,8 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+@@ -741,10 +827,8 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
  		 * Round down by 1 bit on general principles,
  		 * and limit entropy entimate to 12 bits.
  		 */
@@ -34626,7 +34628,7 @@ index c244f0e..3f6ae58 100644
  	preempt_enable();
  }
  
-@@ -757,10 +839,10 @@ void add_input_randomness(unsigned int type, unsigned int code,
+@@ -757,10 +841,10 @@ void add_input_randomness(unsigned int type, unsigned int code,
  	if (value == last_value)
  		return;
  
@@ -34638,7 +34640,7 @@ index c244f0e..3f6ae58 100644
  }
  EXPORT_SYMBOL_GPL(add_input_randomness);
  
-@@ -772,20 +854,21 @@ void add_interrupt_randomness(int irq, int irq_flags)
+@@ -772,20 +856,21 @@ void add_interrupt_randomness(int irq, int irq_flags)
  	struct fast_pool	*fast_pool = &__get_cpu_var(irq_randomness);
  	struct pt_regs		*regs = get_irq_regs();
  	unsigned long		now = jiffies;
@@ -34671,7 +34673,7 @@ index c244f0e..3f6ae58 100644
  		return;
  
  	fast_pool->last = now;
-@@ -814,10 +897,8 @@ void add_disk_randomness(struct gendisk *disk)
+@@ -814,10 +899,8 @@ void add_disk_randomness(struct gendisk *disk)
  	if (!disk || !disk->random)
  		return;
  	/* first major is 1, so we get >= 0x200 here */
@@ -34683,7 +34685,7 @@ index c244f0e..3f6ae58 100644
  }
  #endif
  
-@@ -835,104 +916,127 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -835,104 +918,127 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
   * from the primary pool to the secondary extraction pool. We make
   * sure we pull enough for a 'catastrophic reseed'.
   */
@@ -34877,7 +34879,7 @@ index c244f0e..3f6ae58 100644
  	spin_lock_irqsave(&r->lock, flags);
  	for (i = 0; i < r->poolinfo->poolwords; i += 16)
  		sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
-@@ -966,27 +1070,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+@@ -966,27 +1072,43 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
  	hash.w[1] ^= hash.w[4];
  	hash.w[2] ^= rol32(hash.w[2], 16);
  
@@ -34932,7 +34934,7 @@ index c244f0e..3f6ae58 100644
  	xfer_secondary_pool(r, nbytes);
  	nbytes = account(r, nbytes, min, reserved);
  
-@@ -994,8 +1114,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -994,8 +1116,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
  		extract_buf(r, tmp);
  
  		if (fips_enabled) {
@@ -34941,7 +34943,7 @@ index c244f0e..3f6ae58 100644
  			spin_lock_irqsave(&r->lock, flags);
  			if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
  				panic("Hardware RNG duplicated output!\n");
-@@ -1015,12 +1133,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+@@ -1015,12 +1135,17 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
  	return ret;
  }
  
@@ -34959,7 +34961,7 @@ index c244f0e..3f6ae58 100644
  	xfer_secondary_pool(r, nbytes);
  	nbytes = account(r, nbytes, 0, 0);
  
-@@ -1036,7 +1159,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1036,7 +1161,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
  
  		extract_buf(r, tmp);
  		i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -34968,7 +34970,7 @@ index c244f0e..3f6ae58 100644
  			ret = -EFAULT;
  			break;
  		}
-@@ -1055,11 +1178,18 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1055,11 +1180,20 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
  /*
   * This function is the exported kernel interface.  It returns some
   * number of good random numbers, suitable for key generation, seeding
@@ -34980,16 +34982,18 @@ index c244f0e..3f6ae58 100644
   */
  void get_random_bytes(void *buf, int nbytes)
  {
++#if DEBUG_RANDOM_BOOT > 0
 +	if (unlikely(nonblocking_pool.initialized == 0))
 +		printk(KERN_NOTICE "random: %pF get_random_bytes called "
 +		       "with %d bits of entropy available\n",
 +		       (void *) _RET_IP_,
 +		       nonblocking_pool.entropy_total);
++#endif
 +	trace_get_random_bytes(nbytes, _RET_IP_);
  	extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0);
  }
  EXPORT_SYMBOL(get_random_bytes);
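Review bot: The new `#if DEBUG_RANDOM_BOOT > 0` / `#endif` pair turns the early-caller printk into a compile-time knob, but neither this guard nor the `#define DEBUG_RANDOM_BOOT 0` added in the earlier hunk next to `#define EXTRACT_SIZE` says what the knob is for or that it is off by default. The guarded block logs, through `%pF` of `_RET_IP_`, every caller of get_random_bytes() that runs while `nonblocking_pool.initialized == 0`, together with `nonblocking_pool.entropy_total`, which get_random_bytes itself reads without taking any lock; that is fine for a diagnostic but is the kind of thing the next reader will want stated. A comment on the define such as `/* Set to 1 to log callers of get_random_bytes() that run before the nonblocking pool is initialized (symbol via %pF plus the unlocked entropy count); developer diagnostic only, keep 0 in production builds. */` would carry that. The function body is fully visible here, so the guard covers the only early-boot diagnostic in it.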
-@@ -1078,6 +1208,7 @@ void get_random_bytes_arch(void *buf, int nbytes)
+@@ -1078,6 +1212,7 @@ void get_random_bytes_arch(void *buf, int nbytes)
  {
  	char *p = buf;
  
@@ -34997,7 +35001,7 @@ index c244f0e..3f6ae58 100644
  	while (nbytes) {
  		unsigned long v;
  		int chunk = min(nbytes, (int)sizeof(unsigned long));
-@@ -1111,12 +1242,11 @@ static void init_std_data(struct entropy_store *r)
+@@ -1111,12 +1246,11 @@ static void init_std_data(struct entropy_store *r)
  	ktime_t now = ktime_get_real();
  	unsigned long rv;
  
@@ -35013,7 +35017,7 @@ index c244f0e..3f6ae58 100644
  		mix_pool_bytes(r, &rv, sizeof(rv), NULL);
  	}
  	mix_pool_bytes(r, utsname(), sizeof(*(utsname())), NULL);
-@@ -1139,25 +1269,7 @@ static int rand_initialize(void)
+@@ -1139,25 +1273,7 @@ static int rand_initialize(void)
  	init_std_data(&nonblocking_pool);
  	return 0;
  }
@@ -35040,7 +35044,7 @@ index c244f0e..3f6ae58 100644
  
  #ifdef CONFIG_BLOCK
  void rand_initialize_disk(struct gendisk *disk)
-@@ -1169,71 +1281,59 @@ void rand_initialize_disk(struct gendisk *disk)
+@@ -1169,71 +1285,59 @@ void rand_initialize_disk(struct gendisk *disk)
  	 * source.
  	 */
  	state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
@@ -35148,7 +35152,7 @@ index c244f0e..3f6ae58 100644
  }
  
  static unsigned int
-@@ -1244,9 +1344,9 @@ random_poll(struct file *file, poll_table * wait)
+@@ -1244,9 +1348,9 @@ random_poll(struct file *file, poll_table * wait)
  	poll_wait(file, &random_read_wait, wait);
  	poll_wait(file, &random_write_wait, wait);
  	mask = 0;
@@ -35160,7 +35164,7 @@ index c244f0e..3f6ae58 100644
  		mask |= POLLOUT | POLLWRNORM;
  	return mask;
  }
-@@ -1297,7 +1397,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1297,7 +1401,8 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
  	switch (cmd) {
  	case RNDGETENTCNT:
  		/* inherently racy, no point locking */
@@ -35170,7 +35174,7 @@ index c244f0e..3f6ae58 100644
  			return -EFAULT;
  		return 0;
  	case RNDADDTOENTCNT:
-@@ -1305,7 +1406,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1305,7 +1410,7 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
  			return -EPERM;
  		if (get_user(ent_count, p))
  			return -EFAULT;
@@ -35179,7 +35183,7 @@ index c244f0e..3f6ae58 100644
  		return 0;
  	case RNDADDENTROPY:
  		if (!capable(CAP_SYS_ADMIN))
-@@ -1320,14 +1421,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
+@@ -1320,14 +1425,19 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
  				    size);
  		if (retval < 0)
  			return retval;
@@ -35202,7 +35206,7 @@ index c244f0e..3f6ae58 100644
  		return 0;
  	default:
  		return -EINVAL;
-@@ -1387,23 +1493,23 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1387,23 +1497,23 @@ EXPORT_SYMBOL(generate_random_uuid);
  #include <linux/sysctl.h>
  
  static int min_read_thresh = 8, min_write_thresh;
@@ -35233,7 +35237,7 @@ index c244f0e..3f6ae58 100644
  	unsigned char buf[64], tmp_uuid[16], *uuid;
  
  	uuid = table->data;
-@@ -1427,8 +1533,26 @@ static int proc_do_uuid(ctl_table *table, int write,
+@@ -1427,8 +1537,26 @@ static int proc_do_uuid(ctl_table *table, int write,
  	return proc_dostring(&fake_table, write, buffer, lenp, ppos);
  }
  
@@ -35261,7 +35265,7 @@ index c244f0e..3f6ae58 100644
  	{
  		.procname	= "poolsize",
  		.data		= &sysctl_poolsize,
-@@ -1440,12 +1564,12 @@ ctl_table random_table[] = {
+@@ -1440,12 +1568,12 @@ ctl_table random_table[] = {
  		.procname	= "entropy_avail",
  		.maxlen		= sizeof(int),
  		.mode		= 0444,
@@ -35276,7 +35280,7 @@ index c244f0e..3f6ae58 100644
  		.maxlen		= sizeof(int),
  		.mode		= 0644,
  		.proc_handler	= proc_dointvec_minmax,
-@@ -1454,7 +1578,7 @@ ctl_table random_table[] = {
+@@ -1454,7 +1582,7 @@ ctl_table random_table[] = {
  	},
  	{
  		.procname	= "write_wakeup_threshold",
@@ -35285,7 +35289,7 @@ index c244f0e..3f6ae58 100644
  		.maxlen		= sizeof(int),
  		.mode		= 0644,
  		.proc_handler	= proc_dointvec_minmax,
-@@ -1462,6 +1586,13 @@ ctl_table random_table[] = {
+@@ -1462,6 +1590,13 @@ ctl_table random_table[] = {
  		.extra2		= &max_write_thresh,
  	},
  	{
@@ -35299,7 +35303,7 @@ index c244f0e..3f6ae58 100644
  		.procname	= "boot_id",
  		.data		= &sysctl_bootid,
  		.maxlen		= 16,
-@@ -1492,7 +1623,7 @@ int random_int_secret_init(void)
+@@ -1492,7 +1627,7 @@ int random_int_secret_init(void)
   * value is not cryptographically secure but for several uses the cost of
   * depleting entropy is too high
   */
@@ -35308,7 +35312,7 @@ index c244f0e..3f6ae58 100644
  unsigned int get_random_int(void)
  {
  	__u32 *hash;
-@@ -1510,6 +1641,7 @@ unsigned int get_random_int(void)
+@@ -1510,6 +1645,7 @@ unsigned int get_random_int(void)
  
  	return ret;
  }
@@ -62838,17 +62842,27 @@ index 0000000..c4717f9
 +endmenu
 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
 new file mode 100644
-index 0000000..65d159f
+index 0000000..5cb186f
 --- /dev/null
 +++ b/grsecurity/Makefile
-@@ -0,0 +1,43 @@
-+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
-+# during 2001-2009 it has been completely redesigned by Brad Spengler
-+# into an RBAC system
+@@ -0,0 +1,53 @@
++# grsecurity – access control and security hardening for Linux
++# All code in this directory and various hooks located throughout the Linux kernel are
++# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
++# http://www.grsecurity.net spender@grsecurity.net
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License version 2
++# as published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
 +#
-+# All code in this directory and various hooks inserted throughout the kernel
-+# are copyright Brad Spengler - Open Source Security, Inc., and released 
-+# under the GPL v2
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 +
 +KBUILD_CFLAGS += -Werror
 +
@@ -102107,10 +102121,10 @@ index 38f6617..e70b72b 100755
  
  exuberant()
 diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..62953d6 100644
+index 51bd5a0..8c5f2ab 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,953 @@
+@@ -4,6 +4,954 @@
  
  menu "Security options"
  
@@ -102144,6 +102158,7 @@ index 51bd5a0..62953d6 100644
 +	select CRYPTO_SHA256
 +	select PROC_FS
 +	select STOP_MACHINE
++	select DEBUG_KERNEL
 +	select DEBUG_LIST
 +	help
 +	  If you say Y here, you will be able to configure many features
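Review bot: The new `select DEBUG_KERNEL` has no comment explaining why a security option forces the kernel-debugging umbrella symbol on; `select` ignores the selected symbol's own dependencies and cannot be turned off by the user, so the reason belongs next to it. It is presumably there because the adjacent `select DEBUG_LIST` needs DEBUG_KERNEL to satisfy DEBUG_LIST's `depends on` in lib/Kconfig.debug, which otherwise leaves kconfig reporting an unmet dependency — confirm against that file for the kernel versions this patch targets. A one-line Kconfig comment above it, `# DEBUG_LIST depends on DEBUG_KERNEL; select both so the dependency is satisfied`, makes this explicit. Selecting DEBUG_KERNEL also makes the rest of the kernel debugging menu visible to downstream configurations, which is worth mentioning in the help text if that is intended. The enclosing config stanza starts outside the hunk, so the symbol these selects belong to is not visible here.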
@@ -103064,7 +103079,7 @@ index 51bd5a0..62953d6 100644
  config KEYS
  	bool "Enable access key retention support"
  	help
-@@ -169,7 +1116,7 @@ config INTEL_TXT
+@@ -169,7 +1117,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX

