From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1PofNK-0002Aj-Ak for garchives@archives.gentoo.org; Sun, 13 Feb 2011 17:04:45 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 65F96E0863; Sun, 13 Feb 2011 17:04:35 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id D2E5BE08D4 for ; Sun, 13 Feb 2011 17:04:34 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E45DF1B4207 for ; Sun, 13 Feb 2011 17:04:33 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id 539DB8006A for ; Sun, 13 Feb 2011 17:04:33 +0000 (UTC) 
From: "Anthony G. Basile"
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile"
Message-ID: <65c697fdf79d5963e55e40a17b1f148164143416.blueness@gentoo>
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.37/, 2.6.32/
X-VCS-Repository: proj/hardened-patchset
X-VCS-Files: 2.6.32/0000_README 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch 2.6.37/0000_README 2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch 2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch
X-VCS-Directories: 2.6.37/ 2.6.32/
X-VCS-Committer: blueness
X-VCS-Committer-Name: Anthony G. Basile
X-VCS-Revision: 65c697fdf79d5963e55e40a17b1f148164143416
Date: Sun, 13 Feb 2011 17:04:33 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt:
X-Archives-Hash: 3295e22a36f5d0e59af5ef7552d4d640

commit:     65c697fdf79d5963e55e40a17b1f148164143416
Author:     Anthony G. Basile opensource dyc edu>
AuthorDate: Sun Feb 13 17:03:56 2011 +0000
Commit:     Anthony G. Basile gentoo org>
CommitDate: Sun Feb 13 17:03:56 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=65c697fd

Update Grsec/PaX 2.2.1-2.6.32.28-201102121148 2.2.1-2.6.37-201102121148

---
 2.6.32/0000_README | 2 +-
 ..._grsecurity-2.2.1-2.6.32.28-201102121148.patch} | 290 +++++++++++----
 2.6.37/0000_README | 2 +-
 ...420_grsecurity-2.2.1-2.6.37-201102121148.patch} | 392 +++++++++++++++-----
 4 files changed, 523 insertions(+), 163 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index d19cb36..c1feb8d 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README =20 Individual Patch Descriptions: ------------------------------------------------------------------------= ----- -Patch: 4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch +Patch: 4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity =20 diff --git a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch b/= 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch similarity index 99% rename from 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch rename to 2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch index 578be36..b1b6990 100644 --- a/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201101272313.patch +++ b/2.6.32/4420_grsecurity-2.2.1-2.6.32.28-201102121148.patch @@ -8043,7 +8043,7 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mma= n.h linux-2.6.32.28/arch/x86/ #endif /* _ASM_X86_MMAN_H */ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu_context.h linux-2.6.= 32.28/arch/x86/include/asm/mmu_context.h --- linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-08-13 16:24:= 37.000000000 -0400 -+++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2010-12-31 14:46:= 53.000000000 -0500 ++++ linux-2.6.32.28/arch/x86/include/asm/mmu_context.h 2011-02-12 11:05:= 01.000000000 -0500 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m =20 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_str= uct *tsk) @@ -8075,8 +8075,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu= _context.h linux-2.6.32.28/ar +#endif =20 if (likely(prev !=3D next)) { - /* stop flush ipis for the previous mm */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); +- /* stop flush ipis for the previous mm */ +- cpumask_clear_cpu(cpu, mm_cpumask(prev)); #ifdef CONFIG_SMP +#ifdef CONFIG_X86_32 + tlbstate =3D percpu_read(cpu_tlbstate.state); 
@@ -8096,6 +8096,8 @@ diff -urNp linux-2.6.32.28/arch/x86/include/asm/mmu= _context.h linux-2.6.32.28/ar +#else load_cr3(next->pgd); +#endif ++ /* stop flush ipis for the previous mm */ ++ cpumask_clear_cpu(cpu, mm_cpumask(prev)); =20 /* * load the LDT, if the LDT is different: @@ -32254,7 +32256,7 @@ diff -urNp linux-2.6.32.28/fs/ecryptfs/inode.c li= nux-2.6.32.28/fs/ecryptfs/inode goto out_free; diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32.28/fs/exec.c --- linux-2.6.32.28/fs/exec.c 2011-01-11 23:55:35.000000000 -0500 -+++ linux-2.6.32.28/fs/exec.c 2011-01-11 23:56:03.000000000 -0500 ++++ linux-2.6.32.28/fs/exec.c 2011-02-12 11:21:23.000000000 -0500 @@ -56,12 +56,24 @@ #include #include @@ -32839,7 +32841,7 @@ diff -urNp linux-2.6.32.28/fs/exec.c linux-2.6.32= .28/fs/exec.c */ clear_thread_flag(TIF_SIGPENDING); =20 -+ if (signr =3D=3D SIGKILL || signr =3D=3D SIGILL) ++ if (signr =3D=3D SIGSEGV || signr =3D=3D SIGBUS || signr =3D=3D SIGKIL= L || signr =3D=3D SIGILL) + gr_handle_brute_attach(current); + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1); + @@ -51234,7 +51236,24 @@ diff -urNp linux-2.6.32.28/kernel/cpu.c linux-2.= 6.32.28/kernel/cpu.c * Should always be manipulated under cpu_add_remove_lock diff -urNp linux-2.6.32.28/kernel/cred.c linux-2.6.32.28/kernel/cred.c --- linux-2.6.32.28/kernel/cred.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/cred.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/kernel/cred.c 2011-02-12 10:44:11.000000000 -0500 +@@ -231,13 +231,13 @@ struct cred *cred_alloc_blank(void) + #endif +=20 + atomic_set(&new->usage, 1); ++#ifdef CONFIG_DEBUG_CREDENTIALS ++ new->magic =3D CRED_MAGIC; ++#endif +=20 + if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) + goto error; +=20 +-#ifdef CONFIG_DEBUG_CREDENTIALS +- new->magic =3D CRED_MAGIC; +-#endif + return new; +=20 + error: 
@@ -520,6 +520,8 @@ int commit_creds(struct cred *new) =20 get_cred(new); /* we will require a ref for the subj creds too */ @@ -51244,6 +51263,37 @@ diff -urNp linux-2.6.32.28/kernel/cred.c linux-2= .6.32.28/kernel/cred.c /* dumpability changes */ if (old->euid !=3D new->euid || old->egid !=3D new->egid || +@@ -696,6 +698,8 @@ struct cred *prepare_kernel_cred(struct=20 + validate_creds(old); +=20 + *new =3D *old; ++ atomic_set(&new->usage, 1); ++ set_cred_subscribers(new, 0); + get_uid(new->user); + get_group_info(new->group_info); +=20 +@@ -713,8 +717,6 @@ struct cred *prepare_kernel_cred(struct=20 + if (security_prepare_creds(new, old, GFP_KERNEL) < 0) + goto error; +=20 +- atomic_set(&new->usage, 1); +- set_cred_subscribers(new, 0); + put_cred(old); + validate_creds(new); + return new; +@@ -787,7 +789,11 @@ bool creds_are_invalid(const struct cred + if (cred->magic !=3D CRED_MAGIC) + return true; + #ifdef CONFIG_SECURITY_SELINUX +- if (selinux_is_enabled()) { ++ /* ++ * cred->security =3D=3D NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ if (selinux_is_enabled() && cred->security) { + if ((unsigned long) cred->security < PAGE_SIZE) + return true; + if ((*(u32 *)cred->security & 0xffffff00) =3D=3D diff -urNp linux-2.6.32.28/kernel/exit.c linux-2.6.32.28/kernel/exit.c --- linux-2.6.32.28/kernel/exit.c 2011-01-11 23:55:35.000000000 -0500 +++ linux-2.6.32.28/kernel/exit.c 2010-12-31 14:46:53.000000000 -0500 
@@ -51816,8 +51866,8 @@ diff -urNp linux-2.6.32.28/kernel/kgdb.c linux-2.= 6.32.28/kernel/kgdb.c =20 diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2.6.32.28/kernel/kmod.c --- linux-2.6.32.28/kernel/kmod.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/kmod.c 2010-12-31 14:46:53.000000000 -0500 -@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch ++++ linux-2.6.32.28/kernel/kmod.c 2011-02-12 10:58:19.000000000 -0500 +@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch if (ret >=3D MODULE_NAME_LEN) return -ENAMETOOLONG; =20 @@ -51828,7 +51878,17 @@ diff -urNp linux-2.6.32.28/kernel/kmod.c linux-2= .6.32.28/kernel/kmod.c + auto-loaded + */ + if (current_uid()) { -+ gr_log_nonroot_mod_load(module_name); ++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE) ++ /* There are known knowns. These are things we know ++ that we know. There are known unknowns. That is to say, ++ there are things that we know we don't know. But there are ++ also unknown unknowns. There are things we don't know ++ we don't know. ++ This here is a known unknown. ++ */ ++ if (strcmp(module_name, "net-pf-10")) ++#endif ++ gr_log_nonroot_mod_load(module_name); + return -EPERM; + } +#endif @@ -52015,7 +52075,7 @@ diff -urNp linux-2.6.32.28/kernel/lockdep_proc.c = linux-2.6.32.28/kernel/lockdep_ if (!name) { diff -urNp linux-2.6.32.28/kernel/module.c linux-2.6.32.28/kernel/module= .c --- linux-2.6.32.28/kernel/module.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/module.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/kernel/module.c 2011-02-02 20:27:32.000000000 -0500 @@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq static BLOCKING_NOTIFIER_HEAD(module_notify_list); =20 
@@ -52053,6 +52113,15 @@ diff -urNp linux-2.6.32.28/kernel/module.c linux= -2.6.32.28/kernel/module.c printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n", name, align, PAGE_SIZE); align =3D PAGE_SIZE; +@@ -1158,7 +1159,7 @@ static const struct kernel_symbol *resol + * /sys/module/foo/sections stuff + * J. Corbet + */ +-#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) ++#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFI= G_GRKERNSEC_HIDESYM) +=20 + static inline bool sect_empty(const Elf_Shdr *sect) + { @@ -1545,7 +1546,8 @@ static void free_module(struct module *m destroy_params(mod->kp, mod->num_kp); =20 @@ -52784,7 +52853,7 @@ diff -urNp linux-2.6.32.28/kernel/printk.c linux-= 2.6.32.28/kernel/printk.c return error; diff -urNp linux-2.6.32.28/kernel/ptrace.c linux-2.6.32.28/kernel/ptrace= .c --- linux-2.6.32.28/kernel/ptrace.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/ptrace.c 2011-01-01 00:19:08.000000000 -0500 ++++ linux-2.6.32.28/kernel/ptrace.c 2011-02-12 10:37:47.000000000 -0500 @@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru cred->gid !=3D tcred->egid || cred->gid !=3D tcred->sgid || @@ -52812,6 +52881,15 @@ diff -urNp linux-2.6.32.28/kernel/ptrace.c linux= -2.6.32.28/kernel/ptrace.c task->ptrace |=3D PT_PTRACE_CAP; =20 __ptrace_link(task, current); +@@ -314,7 +314,7 @@ int ptrace_detach(struct task_struct *ch + child->exit_code =3D data; + dead =3D __ptrace_detach(current, child); + if (!child->exit_state) +- wake_up_process(child); ++ wake_up_state(child, TASK_TRACED | TASK_STOPPED); + } + write_unlock_irq(&tasklist_lock); +=20 @@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c ret =3D ptrace_setoptions(child, data); break; 
@@ -53036,7 +53114,7 @@ diff -urNp linux-2.6.32.28/kernel/sched.c linux-2= .6.32.28/kernel/sched.c return; diff -urNp linux-2.6.32.28/kernel/signal.c linux-2.6.32.28/kernel/signal= .c --- linux-2.6.32.28/kernel/signal.c 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/kernel/signal.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/kernel/signal.c 2011-02-12 11:22:46.000000000 -0500 @@ -41,12 +41,12 @@ =20 static struct kmem_cache *sigqueue_cachep; @@ -53099,17 +53177,34 @@ diff -urNp linux-2.6.32.28/kernel/signal.c linu= x-2.6.32.28/kernel/signal.c specific_send_sig_info(int sig, struct siginfo *info, struct task_struc= t *t) { return send_signal(sig, info, t, 0); -@@ -1022,6 +1028,9 @@ force_sig_info(int sig, struct siginfo * +@@ -1005,6 +1011,7 @@ force_sig_info(int sig, struct siginfo * + unsigned long int flags; + int ret, blocked, ignored; + struct k_sigaction *action; ++ int is_unhandled =3D 0; +=20 + spin_lock_irqsave(&t->sighand->siglock, flags); + action =3D &t->sighand->action[sig-1]; +@@ -1019,9 +1026,18 @@ force_sig_info(int sig, struct siginfo * + } + if (action->sa.sa_handler =3D=3D SIG_DFL) + t->signal->flags &=3D ~SIGNAL_UNKILLABLE; ++ if (action->sa.sa_handler =3D=3D SIG_IGN || action->sa.sa_handler =3D=3D= SIG_DFL) ++ is_unhandled =3D 1; ret =3D specific_send_sig_info(sig, info, t); spin_unlock_irqrestore(&t->sighand->siglock, flags); =20 -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); -+ gr_handle_crash(t, sig); ++ /* only deal with unhandled signals, java etc trigger SIGSEGV during ++ normal operation */ ++ if (is_unhandled) { ++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); ++ gr_handle_crash(t, sig); ++ } + return ret; } =20 -@@ -1081,8 +1090,11 @@ int group_send_sig_info(int sig, struct=20 +@@ -1081,8 +1097,11 @@ int group_send_sig_info(int sig, struct=20 { int ret =3D check_kill_permission(sig, info, p); =20 
@@ -55257,7 +55352,7 @@ diff -urNp linux-2.6.32.28/mm/mlock.c linux-2.6.3= 2.28/mm/mlock.c ret =3D do_mlockall(flags); diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32.28/mm/mmap.c --- linux-2.6.32.28/mm/mmap.c 2011-01-11 23:55:35.000000000 -0500 -+++ linux-2.6.32.28/mm/mmap.c 2010-12-31 14:46:53.000000000 -0500 ++++ linux-2.6.32.28/mm/mmap.c 2011-02-12 11:38:46.000000000 -0500 @@ -45,6 +45,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -55479,12 +55574,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.= 32.28/mm/mmap.c if (addr & ~PAGE_MASK) return addr; =20 -@@ -969,6 +1046,31 @@ unsigned long do_mmap_pgoff(struct file=20 +@@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file=20 vm_flags =3D calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; =20 +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) =3D=3D (VM_WRITE | VM_EXEC)) { + gr_log_rwxmmap(file); + @@ -55498,6 +55594,10 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.3= 2.28/mm/mmap.c + + if (!(vm_flags & VM_EXEC)) + vm_flags &=3D ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) !=3D VM_EXEC) ++ vm_flags &=3D ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &=3D ~VM_MAYWRITE; + } @@ -55511,7 +55611,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -980,6 +1082,7 @@ unsigned long do_mmap_pgoff(struct file=20 +@@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file=20 locked +=3D mm->locked_vm; lock_limit =3D current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>=3D PAGE_SHIFT; 
@@ -55519,7 +55619,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1053,6 +1156,9 @@ unsigned long do_mmap_pgoff(struct file=20 +@@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file=20 if (error) return error; =20 @@ -55529,7 +55629,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1065,10 +1171,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); +@@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff); */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -55542,7 +55642,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return 0; =20 /* The backer wishes to know when pages are first written to? */ -@@ -1117,14 +1223,24 @@ unsigned long mmap_region(struct file *f +@@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f unsigned long charged =3D 0; struct inode *inode =3D file ? file->f_path.dentry->d_inode : NULL; =20 @@ -55569,7 +55669,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c } =20 /* Check against address space limit. */ -@@ -1173,6 +1289,16 @@ munmap_back: +@@ -1173,6 +1294,16 @@ munmap_back: goto unacct_error; } =20 @@ -55586,7 +55686,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c vma->vm_mm =3D mm; vma->vm_start =3D addr; vma->vm_end =3D addr + len; -@@ -1195,6 +1321,19 @@ munmap_back: +@@ -1195,6 +1326,19 @@ munmap_back: error =3D file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -55606,7 +55706,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); =20 -@@ -1218,6 +1357,11 @@ munmap_back: +@@ -1218,6 +1362,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file =3D vma->vm_file; =20 
@@ -55618,7 +55718,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1226,6 +1370,7 @@ out: +@@ -1226,6 +1375,7 @@ out: =20 mm->total_vm +=3D len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -55626,7 +55726,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if (vm_flags & VM_LOCKED) { /* * makes pages present; downgrades, drops, reacquires mmap_sem -@@ -1248,6 +1393,12 @@ unmap_and_free_vma: +@@ -1248,6 +1398,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged =3D 0; free_vma: @@ -55639,7 +55739,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1255,6 +1406,33 @@ unacct_error: +@@ -1255,6 +1411,33 @@ unacct_error: return error; } =20 @@ -55673,7 +55773,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* Get an address range which is currently unmapped. * For shmat() with addr=3D0. * -@@ -1281,18 +1459,23 @@ arch_get_unmapped_area(struct file *filp +@@ -1281,18 +1464,23 @@ arch_get_unmapped_area(struct file *filp if (flags & MAP_FIXED) return addr; =20 @@ -55704,7 +55804,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c } =20 full_search: -@@ -1303,34 +1486,40 @@ full_search: +@@ -1303,34 +1491,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -55756,7 +55856,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c mm->free_area_cache =3D addr; mm->cached_hole_size =3D ~0UL; } -@@ -1348,7 +1537,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1348,7 +1542,7 @@ arch_get_unmapped_area_topdown(struct fi { struct vm_area_struct *vma; struct mm_struct *mm =3D current->mm; 
@@ -55765,7 +55865,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c =20 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1357,13 +1546,18 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1357,13 +1551,18 @@ arch_get_unmapped_area_topdown(struct fi if (flags & MAP_FIXED) return addr; =20 @@ -55788,7 +55888,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c } =20 /* check if free_area_cache is useful for us */ -@@ -1378,7 +1572,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1378,7 +1577,7 @@ arch_get_unmapped_area_topdown(struct fi /* make sure it can fit in the remaining address space */ if (addr > len) { vma =3D find_vma(mm, addr-len); @@ -55797,7 +55897,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache =3D addr-len); } -@@ -1395,7 +1589,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1395,7 +1594,7 @@ arch_get_unmapped_area_topdown(struct fi * return with success: */ vma =3D find_vma(mm, addr); @@ -55806,7 +55906,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache =3D addr); =20 -@@ -1414,13 +1608,21 @@ bottomup: +@@ -1414,13 +1613,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -55830,7 +55930,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c mm->cached_hole_size =3D ~0UL; =20 return addr; -@@ -1429,6 +1631,12 @@ bottomup: +@@ -1429,6 +1636,12 @@ bottomup: =20 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { 
@@ -55843,7 +55943,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* * Is this a new hole at the highest possible address? */ -@@ -1436,8 +1644,10 @@ void arch_unmap_area_topdown(struct mm_s +@@ -1436,8 +1649,10 @@ void arch_unmap_area_topdown(struct mm_s mm->free_area_cache =3D addr; =20 /* dont allow allocations above current base */ @@ -55855,7 +55955,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c } =20 unsigned long -@@ -1545,6 +1755,27 @@ out: +@@ -1545,6 +1760,27 @@ out: return prev ? prev->vm_next : vma; } =20 @@ -55883,7 +55983,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -1561,6 +1792,7 @@ static int acct_stack_growth(struct vm_a +@@ -1561,6 +1797,7 @@ static int acct_stack_growth(struct vm_a return -ENOMEM; =20 /* Stack limit test */ @@ -55891,7 +55991,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if (size > rlim[RLIMIT_STACK].rlim_cur) return -ENOMEM; =20 -@@ -1570,6 +1802,7 @@ static int acct_stack_growth(struct vm_a +@@ -1570,6 +1807,7 @@ static int acct_stack_growth(struct vm_a unsigned long limit; locked =3D mm->locked_vm + grow; limit =3D rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT; @@ -55899,7 +55999,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1600,37 +1833,48 @@ static int acct_stack_growth(struct vm_a +@@ -1600,37 +1838,48 @@ static int acct_stack_growth(struct vm_a * PA-RISC uses this for its stack; IA64 for its Register Backing Store= . * vma is the last one with address > vma->vm_end. Have to extend vma. */ 
@@ -55957,7 +56057,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c unsigned long size, grow; =20 size =3D address - vma->vm_start; -@@ -1640,6 +1884,8 @@ int expand_upwards(struct vm_area_struct +@@ -1640,6 +1889,8 @@ int expand_upwards(struct vm_area_struct if (!error) vma->vm_end =3D address; } @@ -55966,7 +56066,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c anon_vma_unlock(vma); return error; } -@@ -1652,6 +1898,8 @@ static int expand_downwards(struct vm_ar +@@ -1652,6 +1903,8 @@ static int expand_downwards(struct vm_ar unsigned long address) { int error; @@ -55975,7 +56075,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c =20 /* * We must make sure the anon_vma is allocated -@@ -1665,6 +1913,15 @@ static int expand_downwards(struct vm_ar +@@ -1665,6 +1918,15 @@ static int expand_downwards(struct vm_ar if (error) return error; =20 @@ -55991,7 +56091,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c anon_vma_lock(vma); =20 /* -@@ -1674,9 +1931,17 @@ static int expand_downwards(struct vm_ar +@@ -1674,9 +1936,17 @@ static int expand_downwards(struct vm_ar */ =20 /* Somebody else might have raced and expanded it already */ @@ -56010,7 +56110,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c size =3D vma->vm_end - address; grow =3D (vma->vm_start - address) >> PAGE_SHIFT; =20 -@@ -1684,9 +1949,20 @@ static int expand_downwards(struct vm_ar +@@ -1684,9 +1954,20 @@ static int expand_downwards(struct vm_ar if (!error) { vma->vm_start =3D address; vma->vm_pgoff -=3D grow; @@ -56031,7 +56131,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return error; } =20 -@@ -1762,6 +2038,13 @@ static void remove_vma_list(struct mm_st +@@ -1762,6 +2043,13 @@ static void remove_vma_list(struct mm_st do { long nrpages =3D vma_pages(vma); =20 
@@ -56045,7 +56145,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c mm->total_vm -=3D nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma =3D remove_vma(vma); -@@ -1807,6 +2090,16 @@ detach_vmas_to_be_unmapped(struct mm_str +@@ -1807,6 +2095,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point =3D (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev =3D NULL; do { @@ -56062,7 +56162,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma =3D vma; -@@ -1834,10 +2127,25 @@ int split_vma(struct mm_struct * mm, str +@@ -1834,10 +2132,25 @@ int split_vma(struct mm_struct * mm, str struct mempolicy *pol; struct vm_area_struct *new; =20 @@ -56088,7 +56188,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if (mm->map_count >=3D sysctl_max_map_count) return -ENOMEM; =20 -@@ -1845,6 +2153,16 @@ int split_vma(struct mm_struct * mm, str +@@ -1845,6 +2158,16 @@ int split_vma(struct mm_struct * mm, str if (!new) return -ENOMEM; =20 @@ -56105,7 +56205,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* most fields are the same, copy all, and then fixup */ *new =3D *vma; =20 -@@ -1855,8 +2173,29 @@ int split_vma(struct mm_struct * mm, str +@@ -1855,8 +2178,29 @@ int split_vma(struct mm_struct * mm, str new->vm_pgoff +=3D ((addr - vma->vm_start) >> PAGE_SHIFT); } =20 @@ -56135,7 +56235,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c kmem_cache_free(vm_area_cachep, new); return PTR_ERR(pol); } -@@ -1877,6 +2216,28 @@ int split_vma(struct mm_struct * mm, str +@@ -1877,6 +2221,28 @@ int split_vma(struct mm_struct * mm, str else vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); =20 
@@ -56164,13 +56264,13 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.= 32.28/mm/mmap.c return 0; } =20 -@@ -1885,11 +2246,30 @@ int split_vma(struct mm_struct * mm, str +@@ -1885,11 +2251,30 @@ int split_vma(struct mm_struct * mm, str * work. This now handles partial unmappings. * Jeremy Fitzhardinge */ +#ifdef CONFIG_PAX_SEGMEXEC - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) - { ++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) ++{ + int ret =3D __do_munmap(mm, start, len); + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC)) + return ret; @@ -56180,9 +56280,9 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c + +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +#else -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) + int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +#endif -+{ + { unsigned long end; struct vm_area_struct *vma, *prev, *last; =20 @@ -56195,7 +56295,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start= ) return -EINVAL; =20 -@@ -1953,6 +2333,8 @@ int do_munmap(struct mm_struct *mm, unsi +@@ -1953,6 +2338,8 @@ int do_munmap(struct mm_struct *mm, unsi /* Fix up all other VM information */ remove_vma_list(mm, vma); =20 @@ -56204,7 +56304,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return 0; } =20 -@@ -1965,22 +2347,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a +@@ -1965,22 +2352,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a =20 profile_munmap(addr); =20 
@@ -56233,7 +56333,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -1994,6 +2372,7 @@ unsigned long do_brk(unsigned long addr, +@@ -1994,6 +2377,7 @@ unsigned long do_brk(unsigned long addr, struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff =3D addr >> PAGE_SHIFT; int error; @@ -56241,7 +56341,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c =20 len =3D PAGE_ALIGN(len); if (!len) -@@ -2005,16 +2384,30 @@ unsigned long do_brk(unsigned long addr, +@@ -2005,16 +2389,30 @@ unsigned long do_brk(unsigned long addr, =20 flags =3D VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; =20 @@ -56273,7 +56373,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c locked +=3D mm->locked_vm; lock_limit =3D current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur; lock_limit >>=3D PAGE_SHIFT; -@@ -2031,22 +2424,22 @@ unsigned long do_brk(unsigned long addr, +@@ -2031,22 +2429,22 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ @@ -56300,7 +56400,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return -ENOMEM; =20 /* Can we just expand an old private anonymous mapping? */ -@@ -2060,7 +2453,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2060,7 +2458,7 @@ unsigned long do_brk(unsigned long addr, */ vma =3D kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -56309,7 +56409,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return -ENOMEM; } =20 -@@ -2072,11 +2465,12 @@ unsigned long do_brk(unsigned long addr, +@@ -2072,11 +2470,12 @@ unsigned long do_brk(unsigned long addr, vma->vm_page_prot =3D vm_get_page_prot(flags); vma_link(mm, vma, prev, rb_link, rb_parent); out: 
@@ -56324,7 +56424,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return addr; } =20 -@@ -2123,8 +2517,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2123,8 +2522,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ @@ -56336,7 +56436,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c =20 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2138,6 +2534,10 @@ int insert_vm_struct(struct mm_struct *=20 +@@ -2138,6 +2539,10 @@ int insert_vm_struct(struct mm_struct *=20 struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; =20 @@ -56347,7 +56447,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2160,7 +2560,22 @@ int insert_vm_struct(struct mm_struct *=20 +@@ -2160,7 +2565,22 @@ int insert_vm_struct(struct mm_struct *=20 if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -56370,7 +56470,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c return 0; } =20 -@@ -2178,6 +2593,8 @@ struct vm_area_struct *copy_vma(struct v +@@ -2178,6 +2598,8 @@ struct vm_area_struct *copy_vma(struct v struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; =20 @@ -56379,7 +56479,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2221,6 +2638,35 @@ struct vm_area_struct *copy_vma(struct v +@@ -2221,6 +2643,35 @@ struct vm_area_struct *copy_vma(struct v return new_vma; } =20 
@@ -56415,7 +56515,7 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.32= .28/mm/mmap.c /* * Return true if the calling process may expand its vm space by the pa= ssed * number of pages -@@ -2231,7 +2677,7 @@ int may_expand_vm(struct mm_struct *mm,=20 +@@ -2231,7 +2682,7 @@ int may_expand_vm(struct mm_struct *mm,=20 unsigned long lim; =20 lim =3D current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT; @@ -56424,16 +56524,21 @@ diff -urNp linux-2.6.32.28/mm/mmap.c linux-2.6.= 32.28/mm/mmap.c if (cur + npages > lim) return 0; return 1; -@@ -2301,6 +2747,17 @@ int install_special_mapping(struct mm_st +@@ -2301,6 +2752,22 @@ int install_special_mapping(struct mm_st vma->vm_start =3D addr; vma->vm_end =3D addr + len; =20 +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) =3D=3D (VM_WRITE | VM_EXEC)) + return -EPERM; + if (!(vm_flags & VM_EXEC)) + vm_flags &=3D ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) !=3D VM_EXEC) ++ vm_flags &=3D ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &=3D ~VM_MAYWRITE; + } @@ -60064,8 +60169,8 @@ diff -urNp linux-2.6.32.28/security/integrity/ima= /ima_queue.c linux-2.6.32.28/se return 0; diff -urNp linux-2.6.32.28/security/Kconfig linux-2.6.32.28/security/Kco= nfig --- linux-2.6.32.28/security/Kconfig 2010-08-13 16:24:37.000000000 -0400 -+++ linux-2.6.32.28/security/Kconfig 2011-01-04 17:43:17.000000000 -0500 -@@ -4,6 +4,509 @@ ++++ linux-2.6.32.28/security/Kconfig 2011-02-12 11:33:55.000000000 -0500 +@@ -4,6 +4,527 @@ =20 menu "Security options" =20 
@@ -60311,6 +60416,24 @@ diff -urNp linux-2.6.32.28/security/Kconfig linu= x-2.6.32.28/security/Kconfig + NOTE: you can use the 'chpax' or 'paxctl' utilities to control + this feature on a per file basis. + ++config PAX_MPROTECT_COMPAT ++ bool "Use legacy/compat protection demoting (read help)" ++ depends on PAX_MPROTECT ++ default n ++ help ++ The current implementation of PAX_MPROTECT denies RWX allocations/mp= rotects ++ by sending the proper error code to the application. For some broke= n ++ userland, this can cause problems with Python or other applications.= The ++ current implementation however allows for applications like clamav t= o ++ detect if JIT compilation/execution is allowed and to fall back grac= efully ++ to an interpreter-based mode if it does not. While we encourage eve= ryone ++ to use the current implementation as-is and push upstream to fix bro= ken ++ userland (note that the RWX logging option can assist with this), in= some ++ environments this may not be possible. Having to disable MPROTECT ++ completely on certain binaries reduces the security benefit of PaX, ++ so this option is provided for those environments to revert to the o= ld ++ behavior. ++ +config PAX_ELFRELOCS + bool "Allow ELF text relocations (read help)" + depends on PAX_MPROTECT @@ -60575,7 +60698,7 @@ diff -urNp linux-2.6.32.28/security/Kconfig linux= -2.6.32.28/security/Kconfig config KEYS bool "Enable access key retention support" help -@@ -146,7 +649,7 @@ config INTEL_TXT +@@ -146,7 +667,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX 
@@ -60638,7 +60761,7 @@ diff -urNp linux-2.6.32.28/security/security.c li= nux-2.6.32.28/security/security printk(KERN_DEBUG "%s could not verify " diff -urNp linux-2.6.32.28/security/selinux/hooks.c linux-2.6.32.28/secu= rity/selinux/hooks.c --- linux-2.6.32.28/security/selinux/hooks.c 2010-08-13 16:24:37.0000000= 00 -0400 -+++ linux-2.6.32.28/security/selinux/hooks.c 2010-12-31 14:46:53.0000000= 00 -0500 ++++ linux-2.6.32.28/security/selinux/hooks.c 2011-02-12 11:03:00.0000000= 00 -0500 @@ -131,7 +131,7 @@ int selinux_enabled =3D 1; * Minimal support for a secondary security module, * just to allow the use of the capability module. @@ -60648,7 +60771,20 @@ diff -urNp linux-2.6.32.28/security/selinux/hook= s.c linux-2.6.32.28/security/sel =20 /* Lists of inode and superblock security structures initialized before the policy was loaded. */ -@@ -5450,7 +5450,7 @@ static int selinux_key_getsecurity(struc +@@ -3259,7 +3259,11 @@ static void selinux_cred_free(struct cre + { + struct task_security_struct *tsec =3D cred->security; +=20 +- BUG_ON((unsigned long) cred->security < PAGE_SIZE); ++ /* ++ * cred->security =3D=3D NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); + cred->security =3D (void *) 0x7UL; + kfree(tsec); + } +@@ -5450,7 +5454,7 @@ static int selinux_key_getsecurity(struc =20 #endif =20 @@ -60657,7 +60793,7 @@ diff -urNp linux-2.6.32.28/security/selinux/hooks= .c linux-2.6.32.28/security/sel .name =3D "selinux", =20 .ptrace_access_check =3D selinux_ptrace_access_check, -@@ -5834,7 +5834,9 @@ int selinux_disable(void) +@@ -5834,7 +5838,9 @@ int selinux_disable(void) avc_disable(); =20 /* Reset security_ops to the secondary module, dummy or capability. */ diff --git a/2.6.37/0000_README b/2.6.37/0000_README index 2c6b512..16e7e24 100644 --- a/2.6.37/0000_README +++ b/2.6.37/0000_README 
@@ -3,7 +3,7 @@ README =20 Individual Patch Descriptions: ------------------------------------------------------------------------= ----- -Patch 4420_grsecurity-2.2.1-2.6.37-201101272240.patch +Patch: 4420_grsecurity-2.2.1-2.6.37-201102121148.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity =20 diff --git a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch b/2.6= .37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch similarity index 99% rename from 2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch rename to 2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch index 053126a..e66397d 100644 --- a/2.6.37/4420_grsecurity-2.2.1-2.6.37-201101272240.patch +++ b/2.6.37/4420_grsecurity-2.2.1-2.6.37-201102121148.patch @@ -8049,7 +8049,7 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mman.h= linux-2.6.37/arch/x86/includ #endif /* _ASM_X86_MMAN_H */ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/= arch/x86/include/asm/mmu_context.h --- linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-04 19:50:19.= 000000000 -0500 -+++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-17 02:41:00.= 000000000 -0500 ++++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-02-12 11:04:35.= 000000000 -0500 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m =20 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_str= uct *tsk) @@ -8081,8 +8081,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_co= ntext.h linux-2.6.37/arch/x86 +#endif =20 if (likely(prev !=3D next)) { - /* stop flush ipis for the previous mm */ - cpumask_clear_cpu(cpu, mm_cpumask(prev)); +- /* stop flush ipis for the previous mm */ +- cpumask_clear_cpu(cpu, mm_cpumask(prev)); #ifdef CONFIG_SMP +#ifdef CONFIG_X86_32 + tlbstate =3D percpu_read(cpu_tlbstate.state); 
@@ -8102,6 +8102,8 @@ diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_co= ntext.h linux-2.6.37/arch/x86 +#else load_cr3(next->pgd); +#endif ++ /* stop flush ipis for the previous mm */ ++ cpumask_clear_cpu(cpu, mm_cpumask(prev)); =20 /* * load the LDT, if the LDT is different: @@ -27044,6 +27046,26 @@ diff -urNp linux-2.6.37/drivers/pci/pcie/portdrv= _pci.c linux-2.6.37/drivers/pci/ }; MODULE_DEVICE_TABLE(pci, port_pci_ids); =20 +diff -urNp linux-2.6.37/drivers/pci/pci-sysfs.c linux-2.6.37/drivers/pci= /pci-sysfs.c +--- linux-2.6.37/drivers/pci/pci-sysfs.c 2011-01-04 19:50:19.000000000 -= 0500 ++++ linux-2.6.37/drivers/pci/pci-sysfs.c 2011-02-12 10:32:55.000000000 -= 0500 +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include "pci.h" +@@ -368,7 +369,7 @@ pci_read_config(struct file *filp, struc + u8 *data =3D (u8*) buf; +=20 + /* Several chips lock up trying to read undefined config space */ +- if (cap_raised(filp->f_cred->cap_effective, CAP_SYS_ADMIN)) { ++ if (security_capable(filp->f_cred, CAP_SYS_ADMIN)) { + size =3D dev->cfg_size; + } else if (dev->hdr_type =3D=3D PCI_HEADER_TYPE_CARDBUS) { + size =3D 128; diff -urNp linux-2.6.37/drivers/pci/probe.c linux-2.6.37/drivers/pci/pro= be.c --- linux-2.6.37/drivers/pci/probe.c 2011-01-04 19:50:19.000000000 -0500 +++ linux-2.6.37/drivers/pci/probe.c 2011-01-17 02:41:01.000000000 -0500 
@@ -30248,6 +30270,40 @@ diff -urNp linux-2.6.37/fs/btrfs/inode.c linux-2= .6.37/fs/btrfs/inode.c .fill_delalloc =3D run_delalloc_range, .submit_bio_hook =3D btrfs_submit_bio_hook, .merge_bio_hook =3D btrfs_merge_bio_hook, +diff -urNp linux-2.6.37/fs/btrfs/ioctl.c linux-2.6.37/fs/btrfs/ioctl.c +--- linux-2.6.37/fs/btrfs/ioctl.c 2011-01-04 19:50:19.000000000 -0500 ++++ linux-2.6.37/fs/btrfs/ioctl.c 2011-02-12 10:29:31.000000000 -0500 +@@ -2087,7 +2087,7 @@ long btrfs_ioctl_space_info(struct btrfs + int num_types =3D 4; + int alloc_size; + int ret =3D 0; +- int slot_count =3D 0; ++ u64 slot_count =3D 0; + int i, c; +=20 + if (copy_from_user(&space_args, +@@ -2126,7 +2126,7 @@ long btrfs_ioctl_space_info(struct btrfs + goto out; + } +=20 +- slot_count =3D min_t(int, space_args.space_slots, slot_count); ++ slot_count =3D min_t(u64, space_args.space_slots, slot_count); +=20 + alloc_size =3D sizeof(*dest) * slot_count; +=20 +@@ -2146,6 +2146,12 @@ long btrfs_ioctl_space_info(struct btrfs + for (i =3D 0; i < num_types; i++) { + struct btrfs_space_info *tmp; +=20 ++ /* Don't copy in more than we allocated */ ++ if (!slot_count) ++ break; ++ ++ slot_count--; ++ + info =3D NULL; + rcu_read_lock(); + list_for_each_entry_rcu(tmp, &root->fs_info->space_info, diff -urNp linux-2.6.37/fs/btrfs/relocation.c linux-2.6.37/fs/btrfs/relo= cation.c --- linux-2.6.37/fs/btrfs/relocation.c 2011-01-04 19:50:19.000000000 -05= 00 +++ linux-2.6.37/fs/btrfs/relocation.c 2011-01-17 02:41:01.000000000 -05= 00 @@ -30668,7 +30724,7 @@ diff -urNp linux-2.6.37/fs/ecryptfs/miscdev.c lin= ux-2.6.37/fs/ecryptfs/miscdev.c if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size)) diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c --- linux-2.6.37/fs/exec.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/fs/exec.c 2011-01-17 02:41:01.000000000 -0500 ++++ linux-2.6.37/fs/exec.c 2011-02-12 11:21:04.000000000 -0500 @@ -55,12 +55,24 @@ #include #include 
@@ -31194,7 +31250,7 @@ diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs= /exec.c goto fail_corename; } =20 -+ if (signr =3D=3D SIGKILL || signr =3D=3D SIGILL) ++ if (signr =3D=3D SIGSEGV || signr =3D=3D SIGBUS || signr =3D=3D SIGKIL= L || signr =3D=3D SIGILL) + gr_handle_brute_attach(current); + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1); + @@ -47851,7 +47907,7 @@ diff -urNp linux-2.6.37/include/linux/screen_info= .h linux-2.6.37/include/linux/s #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */ diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/li= nux/security.h --- linux-2.6.37/include/linux/security.h 2011-01-04 19:50:19.000000000 = -0500 -+++ linux-2.6.37/include/linux/security.h 2011-01-17 02:41:02.000000000 = -0500 ++++ linux-2.6.37/include/linux/security.h 2011-02-12 10:34:03.000000000 = -0500 @@ -35,6 +35,7 @@ #include #include 
@@ -47860,6 +47916,27 @@ diff -urNp linux-2.6.37/include/linux/security.h= linux-2.6.37/include/linux/secu #include =20 /* Maximum number of letters for an LSM name string */ +@@ -1664,7 +1665,7 @@ int security_capset(struct cred *new, co + const kernel_cap_t *effective, + const kernel_cap_t *inheritable, + const kernel_cap_t *permitted); +-int security_capable(int cap); ++int security_capable(const struct cred *cred, int cap); + int security_real_capable(struct task_struct *tsk, int cap); + int security_real_capable_noaudit(struct task_struct *tsk, int cap); + int security_sysctl(struct ctl_table *table, int op); +@@ -1857,9 +1858,9 @@ static inline int security_capset(struct + return cap_capset(new, old, effective, inheritable, permitted); + } +=20 +-static inline int security_capable(int cap) ++static inline int security_capable(const struct cred *cred, int cap) + { +- return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT); ++ return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT); + } +=20 + static inline int security_real_capable(struct task_struct *tsk, int ca= p) diff -urNp linux-2.6.37/include/linux/shm.h linux-2.6.37/include/linux/s= hm.h --- linux-2.6.37/include/linux/shm.h 2011-01-04 19:50:19.000000000 -0500 +++ linux-2.6.37/include/linux/shm.h 2011-01-17 02:41:02.000000000 -0500 @@ -49247,7 +49324,7 @@ diff -urNp linux-2.6.37/kernel/acct.c linux-2.6.3= 7/kernel/acct.c set_fs(fs); diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capabili= ty.c --- linux-2.6.37/kernel/capability.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/capability.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/capability.c 2011-02-12 11:48:20.000000000 -0500 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_ * before modification is attempted and the application * fails. 
@@ -49263,7 +49340,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux= -2.6.37/kernel/capability.c } =20 - if (security_capable(cap) =3D=3D 0) { -+ if (security_capable(cap) =3D=3D 0 && gr_is_capable(cap)) { ++ if (security_capable(current_cred(), cap) =3D=3D 0 && gr_is_capable(ca= p)) { current->flags |=3D PF_SUPERPRIV; return 1; } @@ -49277,7 +49354,7 @@ diff -urNp linux-2.6.37/kernel/capability.c linux= -2.6.37/kernel/capability.c + BUG(); + } + -+ if (security_capable(cap) =3D=3D 0 && gr_is_capable_nolog(cap)) { ++ if (security_capable(current_cred(), cap) =3D=3D 0 && gr_is_capable_no= log(cap)) { + current->flags |=3D PF_SUPERPRIV; + return 1; + } @@ -49322,7 +49399,24 @@ diff -urNp linux-2.6.37/kernel/configs.c linux-2= .6.37/kernel/configs.c =20 diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c --- linux-2.6.37/kernel/cred.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/cred.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/cred.c 2011-02-12 11:03:34.000000000 -0500 +@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void) + #endif +=20 + atomic_set(&new->usage, 1); ++#ifdef CONFIG_DEBUG_CREDENTIALS ++ new->magic =3D CRED_MAGIC; ++#endif +=20 + if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) + goto error; +=20 +-#ifdef CONFIG_DEBUG_CREDENTIALS +- new->magic =3D CRED_MAGIC; +-#endif + return new; +=20 + error: @@ -483,6 +483,8 @@ int commit_creds(struct cred *new) =20 get_cred(new); /* we will require a ref for the subj creds too */ 
@@ -49332,6 +49426,37 @@ diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.= 37/kernel/cred.c /* dumpability changes */ if (old->euid !=3D new->euid || old->egid !=3D new->egid || +@@ -657,6 +659,8 @@ struct cred *prepare_kernel_cred(struct=20 + validate_creds(old); +=20 + *new =3D *old; ++ atomic_set(&new->usage, 1); ++ set_cred_subscribers(new, 0); + get_uid(new->user); + get_group_info(new->group_info); +=20 +@@ -674,8 +678,6 @@ struct cred *prepare_kernel_cred(struct=20 + if (security_prepare_creds(new, old, GFP_KERNEL) < 0) + goto error; +=20 +- atomic_set(&new->usage, 1); +- set_cred_subscribers(new, 0); + put_cred(old); + validate_creds(new); + return new; +@@ -748,7 +750,11 @@ bool creds_are_invalid(const struct cred + if (cred->magic !=3D CRED_MAGIC) + return true; + #ifdef CONFIG_SECURITY_SELINUX +- if (selinux_is_enabled()) { ++ /* ++ * cred->security =3D=3D NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ if (selinux_is_enabled() && cred->security) { + if ((unsigned long) cred->security < PAGE_SIZE) + return true; + if ((*(u32 *)cred->security & 0xffffff00) =3D=3D diff -urNp linux-2.6.37/kernel/debug/debug_core.c linux-2.6.37/kernel/de= bug/debug_core.c --- linux-2.6.37/kernel/debug/debug_core.c 2011-01-04 19:50:19.000000000= -0500 +++ linux-2.6.37/kernel/debug/debug_core.c 2011-01-17 02:41:02.000000000= -0500 @@ -50099,8 +50224,8 @@ diff -urNp linux-2.6.37/kernel/kallsyms.c linux-2= .6.37/kernel/kallsyms.c reset_iter(iter, 0); diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c --- linux-2.6.37/kernel/kmod.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/kmod.c 2011-01-17 02:41:02.000000000 -0500 -@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch ++++ linux-2.6.37/kernel/kmod.c 2011-02-12 10:56:18.000000000 -0500 +@@ -90,6 +90,28 @@ int __request_module(bool wait, const ch if (ret) return ret; =20 
@@ -50111,7 +50236,17 @@ diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.= 37/kernel/kmod.c + auto-loaded + */ + if (current_uid()) { -+ gr_log_nonroot_mod_load(module_name); ++#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE) ++ /* There are known knowns. These are things we know ++ that we know. There are known unknowns. That is to say, ++ there are things that we know we don't know. But there are ++ also unknown unknowns. There are things we don't know ++ we don't know. ++ This here is a known unknown. ++ */ ++ if (strcmp(module_name, "net-pf-10")) ++#endif ++ gr_log_nonroot_mod_load(module_name); + return -EPERM; + } +#endif @@ -50203,7 +50338,7 @@ diff -urNp linux-2.6.37/kernel/lockdep_proc.c lin= ux-2.6.37/kernel/lockdep_proc.c if (!name) { diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c --- linux-2.6.37/kernel/module.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/module.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/module.c 2011-02-02 20:28:40.000000000 -0500 @@ -97,7 +97,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not =20 /* Bounds of module allocation, for speeding __module_address. @@ -50241,6 +50376,15 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.= 6.37/kernel/module.c printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n", mod->name, align, PAGE_SIZE); align =3D PAGE_SIZE; +@@ -1122,7 +1123,7 @@ resolve_symbol_wait(struct module *mod, + */ + #ifdef CONFIG_SYSFS +=20 +-#ifdef CONFIG_KALLSYMS ++#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM) + static inline bool sect_empty(const Elf_Shdr *sect) + { + return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size =3D=3D 0; @@ -1566,15 +1567,18 @@ static void free_module(struct module *m destroy_params(mod->kp, mod->num_kp); =20 
@@ -50461,10 +50605,8 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.= 6.37/kernel/module.c + if (!ptr) { + module_free(mod, mod->module_init_rw); + module_free(mod, mod->module_core_rw); - return -ENOMEM; - } -- memset(ptr, 0, mod->init_size); -- mod->module_init =3D ptr; ++ return -ENOMEM; ++ } + + pax_open_kernel(); + memset(ptr, 0, mod->core_size_rx); @@ -50477,8 +50619,10 @@ diff -urNp linux-2.6.37/kernel/module.c linux-2.= 6.37/kernel/module.c + module_free_exec(mod, mod->module_core_rx); + module_free(mod, mod->module_init_rw); + module_free(mod, mod->module_core_rw); -+ return -ENOMEM; -+ } + return -ENOMEM; + } +- memset(ptr, 0, mod->init_size); +- mod->module_init =3D ptr; + + pax_open_kernel(); + memset(ptr, 0, mod->init_size_rx); @@ -50893,7 +51037,7 @@ diff -urNp linux-2.6.37/kernel/printk.c linux-2.6= .37/kernel/printk.c * at open time. diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c --- linux-2.6.37/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/ptrace.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/ptrace.c 2011-02-12 10:37:18.000000000 -0500 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru cred->gid !=3D tcred->egid || cred->gid !=3D tcred->sgid || @@ -50921,6 +51065,15 @@ diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.= 6.37/kernel/ptrace.c task->ptrace |=3D PT_PTRACE_CAP; =20 __ptrace_link(task, current); +@@ -313,7 +313,7 @@ int ptrace_detach(struct task_struct *ch + child->exit_code =3D data; + dead =3D __ptrace_detach(current, child); + if (!child->exit_state) +- wake_up_process(child); ++ wake_up_state(child, TASK_TRACED | TASK_STOPPED); + } + write_unlock_irq(&tasklist_lock); +=20 @@ -369,7 +369,7 @@ int ptrace_readdata(struct task_struct * break; return -EIO; 
@@ -51105,7 +51258,7 @@ diff -urNp linux-2.6.37/kernel/sched_fair.c linux= -2.6.37/kernel/sched_fair.c struct rq *this_rq =3D cpu_rq(this_cpu); diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c --- linux-2.6.37/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/kernel/signal.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/kernel/signal.c 2011-02-12 11:22:39.000000000 -0500 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache =20 int print_fatal_signals __read_mostly; @@ -51168,17 +51321,34 @@ diff -urNp linux-2.6.37/kernel/signal.c linux-2= .6.37/kernel/signal.c specific_send_sig_info(int sig, struct siginfo *info, struct task_struc= t *t) { return send_signal(sig, info, t, 0); -@@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo * +@@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo * + unsigned long int flags; + int ret, blocked, ignored; + struct k_sigaction *action; ++ int is_unhandled =3D 0; +=20 + spin_lock_irqsave(&t->sighand->siglock, flags); + action =3D &t->sighand->action[sig-1]; +@@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo * + } + if (action->sa.sa_handler =3D=3D SIG_DFL) + t->signal->flags &=3D ~SIGNAL_UNKILLABLE; ++ if (action->sa.sa_handler =3D=3D SIG_IGN || action->sa.sa_handler =3D=3D= SIG_DFL) ++ is_unhandled =3D 1; ret =3D specific_send_sig_info(sig, info, t); spin_unlock_irqrestore(&t->sighand->siglock, flags); =20 -+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); -+ gr_handle_crash(t, sig); ++ /* only deal with unhandled signals, java etc trigger SIGSEGV during ++ normal operation */ ++ if (is_unhandled) { ++ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t); ++ gr_handle_crash(t, sig); ++ } + return ret; } =20 -@@ -1137,8 +1146,11 @@ int group_send_sig_info(int sig, struct=20 +@@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct=20 ret =3D check_kill_permission(sig, info, p); rcu_read_unlock(); =20 
@@ -53219,7 +53389,7 @@ diff -urNp linux-2.6.37/mm/mlock.c linux-2.6.37/m= m/mlock.c ret =3D do_mlockall(flags); diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c --- linux-2.6.37/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/mm/mmap.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/mm/mmap.c 2011-02-12 11:36:29.000000000 -0500 @@ -45,6 +45,16 @@ #define arch_rebalance_pgtables(addr, len) (addr) #endif @@ -53442,12 +53612,13 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/= mm/mmap.c if (addr & ~PAGE_MASK) return addr; =20 -@@ -1016,6 +1093,31 @@ unsigned long do_mmap_pgoff(struct file=20 +@@ -1016,6 +1093,36 @@ unsigned long do_mmap_pgoff(struct file=20 vm_flags =3D calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; =20 +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) =3D=3D (VM_WRITE | VM_EXEC)) { + gr_log_rwxmmap(file); + @@ -53461,6 +53632,10 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/m= m/mmap.c + + if (!(vm_flags & VM_EXEC)) + vm_flags &=3D ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) !=3D VM_EXEC) ++ vm_flags &=3D ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &=3D ~VM_MAYWRITE; + } @@ -53474,7 +53649,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; -@@ -1027,6 +1129,7 @@ unsigned long do_mmap_pgoff(struct file=20 +@@ -1027,6 +1134,7 @@ unsigned long do_mmap_pgoff(struct file=20 locked +=3D mm->locked_vm; lock_limit =3D rlimit(RLIMIT_MEMLOCK); lock_limit >>=3D PAGE_SHIFT; 
@@ -53482,7 +53657,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1097,6 +1200,9 @@ unsigned long do_mmap_pgoff(struct file=20 +@@ -1097,6 +1205,9 @@ unsigned long do_mmap_pgoff(struct file=20 if (error) return error; =20 @@ -53492,7 +53667,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return mmap_region(file, addr, len, flags, vm_flags, pgoff); } EXPORT_SYMBOL(do_mmap_pgoff); -@@ -1174,10 +1280,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar +@@ -1174,10 +1285,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar */ int vma_wants_writenotify(struct vm_area_struct *vma) { @@ -53505,7 +53680,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return 0; =20 /* The backer wishes to know when pages are first written to? */ -@@ -1226,14 +1332,24 @@ unsigned long mmap_region(struct file *f +@@ -1226,14 +1337,24 @@ unsigned long mmap_region(struct file *f unsigned long charged =3D 0; struct inode *inode =3D file ? file->f_path.dentry->d_inode : NULL; =20 @@ -53532,7 +53707,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c } =20 /* Check against address space limit. */ -@@ -1282,6 +1398,16 @@ munmap_back: +@@ -1282,6 +1403,16 @@ munmap_back: goto unacct_error; } =20 @@ -53549,7 +53724,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c vma->vm_mm =3D mm; vma->vm_start =3D addr; vma->vm_end =3D addr + len; -@@ -1305,6 +1431,19 @@ munmap_back: +@@ -1305,6 +1436,19 @@ munmap_back: error =3D file->f_op->mmap(file, vma); if (error) goto unmap_and_free_vma; @@ -53569,7 +53744,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if (vm_flags & VM_EXECUTABLE) added_exe_file_vma(mm); =20 -@@ -1340,6 +1479,11 @@ munmap_back: +@@ -1340,6 +1484,11 @@ munmap_back: vma_link(mm, vma, prev, rb_link, rb_parent); file =3D vma->vm_file; =20 
@@ -53581,7 +53756,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* Once vma denies write, undo our temporary denial count */ if (correct_wcount) atomic_inc(&inode->i_writecount); -@@ -1348,6 +1492,7 @@ out: +@@ -1348,6 +1497,7 @@ out: =20 mm->total_vm +=3D len >> PAGE_SHIFT; vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); @@ -53589,7 +53764,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if (vm_flags & VM_LOCKED) { if (!mlock_vma_pages_range(vma, addr, addr + len)) mm->locked_vm +=3D (len >> PAGE_SHIFT); -@@ -1365,6 +1510,12 @@ unmap_and_free_vma: +@@ -1365,6 +1515,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); charged =3D 0; free_vma: @@ -53602,7 +53777,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1372,6 +1523,33 @@ unacct_error: +@@ -1372,6 +1528,33 @@ unacct_error: return error; } =20 @@ -53636,7 +53811,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* Get an address range which is currently unmapped. * For shmat() with addr=3D0. * -@@ -1398,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp +@@ -1398,18 +1581,23 @@ arch_get_unmapped_area(struct file *filp if (flags & MAP_FIXED) return addr; =20 @@ -53667,7 +53842,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c } =20 full_search: -@@ -1420,34 +1603,40 @@ full_search: +@@ -1420,34 +1608,40 @@ full_search: * Start a new search - just in case we missed * some holes. */ @@ -53719,7 +53894,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c mm->free_area_cache =3D addr; mm->cached_hole_size =3D ~0UL; } -@@ -1465,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1465,7 +1659,7 @@ arch_get_unmapped_area_topdown(struct fi { struct vm_area_struct *vma; struct mm_struct *mm =3D current->mm; 
@@ -53728,7 +53903,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c =20 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1474,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1474,13 +1668,18 @@ arch_get_unmapped_area_topdown(struct fi if (flags & MAP_FIXED) return addr; =20 @@ -53751,7 +53926,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c } =20 /* check if free_area_cache is useful for us */ -@@ -1495,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1495,7 +1694,7 @@ arch_get_unmapped_area_topdown(struct fi /* make sure it can fit in the remaining address space */ if (addr > len) { vma =3D find_vma(mm, addr-len); @@ -53760,7 +53935,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache =3D addr-len); } -@@ -1512,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi +@@ -1512,7 +1711,7 @@ arch_get_unmapped_area_topdown(struct fi * return with success: */ vma =3D find_vma(mm, addr); @@ -53769,7 +53944,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* remember the address as a hint for next time */ return (mm->free_area_cache =3D addr); =20 -@@ -1531,13 +1725,21 @@ bottomup: +@@ -1531,13 +1730,21 @@ bottomup: * can happen with large stack limits and large mmap() * allocations. */ @@ -53793,7 +53968,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c mm->cached_hole_size =3D ~0UL; =20 return addr; -@@ -1546,6 +1748,12 @@ bottomup: +@@ -1546,6 +1753,12 @@ bottomup: =20 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { 
@@ -53806,7 +53981,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* * Is this a new hole at the highest possible address? */ -@@ -1553,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s +@@ -1553,8 +1766,10 @@ void arch_unmap_area_topdown(struct mm_s mm->free_area_cache =3D addr; =20 /* dont allow allocations above current base */ @@ -53818,7 +53993,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c } =20 unsigned long -@@ -1662,6 +1872,28 @@ out: +@@ -1662,6 +1877,28 @@ out: return prev ? prev->vm_next : vma; } =20 @@ -53847,7 +54022,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -1678,6 +1910,7 @@ static int acct_stack_growth(struct vm_a +@@ -1678,6 +1915,7 @@ static int acct_stack_growth(struct vm_a return -ENOMEM; =20 /* Stack limit test */ @@ -53855,7 +54030,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; =20 -@@ -1688,6 +1921,7 @@ static int acct_stack_growth(struct vm_a +@@ -1688,6 +1926,7 @@ static int acct_stack_growth(struct vm_a locked =3D mm->locked_vm + grow; limit =3D ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>=3D PAGE_SHIFT; @@ -53863,7 +54038,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -1718,37 +1952,48 @@ static int acct_stack_growth(struct vm_a +@@ -1718,37 +1957,48 @@ static int acct_stack_growth(struct vm_a * PA-RISC uses this for its stack; IA64 for its Register Backing Store= . * vma is the last one with address > vma->vm_end. Have to extend vma. */ 
@@ -53921,7 +54096,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c unsigned long size, grow; =20 size =3D address - vma->vm_start; -@@ -1760,6 +2005,8 @@ int expand_upwards(struct vm_area_struct +@@ -1760,6 +2010,8 @@ int expand_upwards(struct vm_area_struct perf_event_mmap(vma); } } @@ -53930,7 +54105,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c vma_unlock_anon_vma(vma); return error; } -@@ -1772,6 +2019,8 @@ static int expand_downwards(struct vm_ar +@@ -1772,6 +2024,8 @@ static int expand_downwards(struct vm_ar unsigned long address) { int error; @@ -53939,7 +54114,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c =20 /* * We must make sure the anon_vma is allocated -@@ -1785,6 +2034,15 @@ static int expand_downwards(struct vm_ar +@@ -1785,6 +2039,15 @@ static int expand_downwards(struct vm_ar if (error) return error; =20 @@ -53955,7 +54130,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c vma_lock_anon_vma(vma); =20 /* -@@ -1794,9 +2052,17 @@ static int expand_downwards(struct vm_ar +@@ -1794,9 +2057,17 @@ static int expand_downwards(struct vm_ar */ =20 /* Somebody else might have raced and expanded it already */ @@ -53974,7 +54149,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c size =3D vma->vm_end - address; grow =3D (vma->vm_start - address) >> PAGE_SHIFT; =20 -@@ -1804,10 +2070,21 @@ static int expand_downwards(struct vm_ar +@@ -1804,10 +2075,21 @@ static int expand_downwards(struct vm_ar if (!error) { vma->vm_start =3D address; vma->vm_pgoff -=3D grow; @@ -53996,7 +54171,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return error; } =20 -@@ -1881,6 +2158,13 @@ static void remove_vma_list(struct mm_st +@@ -1881,6 +2163,13 @@ static void remove_vma_list(struct mm_st do { long nrpages =3D vma_pages(vma); =20 
@@ -54010,7 +54185,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c mm->total_vm -=3D nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); vma =3D remove_vma(vma); -@@ -1926,6 +2210,16 @@ detach_vmas_to_be_unmapped(struct mm_str +@@ -1926,6 +2215,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point =3D (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev =3D NULL; do { @@ -54027,7 +54202,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c rb_erase(&vma->vm_rb, &mm->mm_rb); mm->map_count--; tail_vma =3D vma; -@@ -1954,14 +2248,33 @@ static int __split_vma(struct mm_struct=20 +@@ -1954,14 +2253,33 @@ static int __split_vma(struct mm_struct=20 struct vm_area_struct *new; int err =3D -ENOMEM; =20 @@ -54061,7 +54236,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* most fields are the same, copy all, and then fixup */ *new =3D *vma; =20 -@@ -1974,6 +2287,22 @@ static int __split_vma(struct mm_struct=20 +@@ -1974,6 +2292,22 @@ static int __split_vma(struct mm_struct=20 new->vm_pgoff +=3D ((addr - vma->vm_start) >> PAGE_SHIFT); } =20 @@ -54084,7 +54259,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c pol =3D mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err =3D PTR_ERR(pol); -@@ -1999,6 +2328,42 @@ static int __split_vma(struct mm_struct=20 +@@ -1999,6 +2333,42 @@ static int __split_vma(struct mm_struct=20 else err =3D vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); =20 @@ -54127,7 +54302,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* Success. */ if (!err) return 0; -@@ -2011,10 +2376,18 @@ static int __split_vma(struct mm_struct=20 +@@ -2011,10 +2381,18 @@ static int __split_vma(struct mm_struct=20 removed_exe_file_vma(mm); fput(new->vm_file); } 
@@ -54147,7 +54322,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2027,6 +2400,15 @@ static int __split_vma(struct mm_struct=20 +@@ -2027,6 +2405,15 @@ static int __split_vma(struct mm_struct=20 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -54163,7 +54338,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if (mm->map_count >=3D sysctl_max_map_count) return -ENOMEM; =20 -@@ -2038,11 +2420,30 @@ int split_vma(struct mm_struct *mm, stru +@@ -2038,11 +2425,30 @@ int split_vma(struct mm_struct *mm, stru * work. This now handles partial unmappings. * Jeremy Fitzhardinge */ @@ -54194,7 +54369,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start= ) return -EINVAL; =20 -@@ -2116,6 +2517,8 @@ int do_munmap(struct mm_struct *mm, unsi +@@ -2116,6 +2522,8 @@ int do_munmap(struct mm_struct *mm, unsi /* Fix up all other VM information */ remove_vma_list(mm, vma); =20 @@ -54203,7 +54378,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return 0; } =20 -@@ -2128,22 +2531,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a +@@ -2128,22 +2536,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a =20 profile_munmap(addr); =20 @@ -54232,7 +54407,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2157,6 +2556,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2157,6 +2561,7 @@ unsigned long do_brk(unsigned long addr, struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff =3D addr >> PAGE_SHIFT; int error; 
@@ -54240,7 +54415,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c =20 len =3D PAGE_ALIGN(len); if (!len) -@@ -2168,16 +2568,30 @@ unsigned long do_brk(unsigned long addr, +@@ -2168,16 +2573,30 @@ unsigned long do_brk(unsigned long addr, =20 flags =3D VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; =20 @@ -54272,7 +54447,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c locked +=3D mm->locked_vm; lock_limit =3D rlimit(RLIMIT_MEMLOCK); lock_limit >>=3D PAGE_SHIFT; -@@ -2194,22 +2608,22 @@ unsigned long do_brk(unsigned long addr, +@@ -2194,22 +2613,22 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ @@ -54299,7 +54474,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return -ENOMEM; =20 /* Can we just expand an old private anonymous mapping? */ -@@ -2223,7 +2637,7 @@ unsigned long do_brk(unsigned long addr, +@@ -2223,7 +2642,7 @@ unsigned long do_brk(unsigned long addr, */ vma =3D kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -54308,7 +54483,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return -ENOMEM; } =20 -@@ -2237,11 +2651,12 @@ unsigned long do_brk(unsigned long addr, +@@ -2237,11 +2656,12 @@ unsigned long do_brk(unsigned long addr, vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -54323,7 +54498,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return addr; } =20 -@@ -2288,8 +2703,10 @@ void exit_mmap(struct mm_struct *mm) +@@ -2288,8 +2708,10 @@ void exit_mmap(struct mm_struct *mm) * Walk the list again, actually closing and freeing it, * with preemption enabled, without holding any MM locks. */ 
@@ -54335,7 +54510,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c =20 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT); } -@@ -2303,6 +2720,13 @@ int insert_vm_struct(struct mm_struct *=20 +@@ -2303,6 +2725,13 @@ int insert_vm_struct(struct mm_struct *=20 struct vm_area_struct * __vma, * prev; struct rb_node ** rb_link, * rb_parent; =20 @@ -54349,7 +54524,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2325,7 +2749,22 @@ int insert_vm_struct(struct mm_struct *=20 +@@ -2325,7 +2754,22 @@ int insert_vm_struct(struct mm_struct *=20 if ((vma->vm_flags & VM_ACCOUNT) && security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -54372,7 +54547,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c return 0; } =20 -@@ -2343,6 +2782,8 @@ struct vm_area_struct *copy_vma(struct v +@@ -2343,6 +2787,8 @@ struct vm_area_struct *copy_vma(struct v struct rb_node **rb_link, *rb_parent; struct mempolicy *pol; =20 @@ -54381,7 +54556,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2392,6 +2833,39 @@ struct vm_area_struct *copy_vma(struct v +@@ -2392,6 +2838,39 @@ struct vm_area_struct *copy_vma(struct v kmem_cache_free(vm_area_cachep, new_vma); return NULL; } @@ -54421,7 +54596,7 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm= /mmap.c =20 /* * Return true if the calling process may expand its vm space by the pa= ssed -@@ -2403,7 +2877,7 @@ int may_expand_vm(struct mm_struct *mm,=20 +@@ -2403,7 +2882,7 @@ int may_expand_vm(struct mm_struct *mm,=20 unsigned long lim; =20 lim =3D rlimit(RLIMIT_AS) >> PAGE_SHIFT; 
@@ -54430,16 +54605,21 @@ diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/= mm/mmap.c if (cur + npages > lim) return 0; return 1; -@@ -2474,6 +2948,17 @@ int install_special_mapping(struct mm_st +@@ -2474,6 +2953,22 @@ int install_special_mapping(struct mm_st vma->vm_start =3D addr; vma->vm_end =3D addr + len; =20 +#ifdef CONFIG_PAX_MPROTECT + if (mm->pax_flags & MF_PAX_MPROTECT) { ++#ifndef CONFIG_PAX_MPROTECT_COMPAT + if ((vm_flags & (VM_WRITE | VM_EXEC)) =3D=3D (VM_WRITE | VM_EXEC)) + return -EPERM; + if (!(vm_flags & VM_EXEC)) + vm_flags &=3D ~VM_MAYEXEC; ++#else ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) !=3D VM_EXEC) ++ vm_flags &=3D ~(VM_EXEC | VM_MAYEXEC); ++#endif + else + vm_flags &=3D ~VM_MAYWRITE; + } @@ -57966,8 +58146,8 @@ diff -urNp linux-2.6.37/security/integrity/ima/im= a_queue.c linux-2.6.37/security return 0; diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig --- linux-2.6.37/security/Kconfig 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/security/Kconfig 2011-01-17 02:41:02.000000000 -0500 -@@ -4,6 +4,509 @@ ++++ linux-2.6.37/security/Kconfig 2011-02-12 11:32:56.000000000 -0500 +@@ -4,6 +4,527 @@ =20 menu "Security options" =20 
@@ -58213,6 +58393,24 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2= .6.37/security/Kconfig + NOTE: you can use the 'chpax' or 'paxctl' utilities to control + this feature on a per file basis. + ++config PAX_MPROTECT_COMPAT ++ bool "Use legacy/compat protection demoting (read help)" ++ depends on PAX_MPROTECT ++ default n ++ help ++ The current implementation of PAX_MPROTECT denies RWX allocations/mp= rotects ++ by sending the proper error code to the application. For some broke= n=20 ++ userland, this can cause problems with Python or other applications.= The ++ current implementation however allows for applications like clamav t= o ++ detect if JIT compilation/execution is allowed and to fall back grac= efully ++ to an interpreter-based mode if it does not. While we encourage eve= ryone ++ to use the current implementation as-is and push upstream to fix bro= ken ++ userland (note that the RWX logging option can assist with this), in= some ++ environments this may not be possible. Having to disable MPROTECT ++ completely on certain binaries reduces the security benefit of PaX, ++ so this option is provided for those environments to revert to the o= ld ++ behavior. ++ =20 +config PAX_ELFRELOCS + bool "Allow ELF text relocations (read help)" + depends on PAX_MPROTECT @@ -58477,7 +58675,7 @@ diff -urNp linux-2.6.37/security/Kconfig linux-2.= 6.37/security/Kconfig config KEYS bool "Enable access key retention support" help -@@ -136,7 +639,7 @@ config INTEL_TXT +@@ -136,7 +657,7 @@ config INTEL_TXT config LSM_MMAP_MIN_ADDR int "Low address space for LSM to protect from user allocation" depends on SECURITY && SECURITY_SELINUX 
@@ -58507,7 +58705,7 @@ diff -urNp linux-2.6.37/security/min_addr.c linux= -2.6.37/security/min_addr.c /* diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/securi= ty.c --- linux-2.6.37/security/security.c 2011-01-04 19:50:19.000000000 -0500 -+++ linux-2.6.37/security/security.c 2011-01-17 02:41:02.000000000 -0500 ++++ linux-2.6.37/security/security.c 2011-02-12 10:36:34.000000000 -0500 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI /* things that live in capability.c */ extern void __init security_fixup_ops(struct security_operations *ops); @@ -58529,9 +58727,22 @@ diff -urNp linux-2.6.37/security/security.c linu= x-2.6.37/security/security.c } =20 /* Save user chosen LSM */ +@@ -154,10 +156,9 @@ int security_capset(struct cred *new, co + effective, inheritable, permitted); + } +=20 +-int security_capable(int cap) ++int security_capable(const struct cred *cred, int cap) + { +- return security_ops->capable(current, current_cred(), cap, +- SECURITY_CAP_AUDIT); ++ return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT); + } +=20 + int security_real_capable(struct task_struct *tsk, int cap) diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/s= elinux/hooks.c --- linux-2.6.37/security/selinux/hooks.c 2011-01-04 19:50:19.000000000 = -0500 -+++ linux-2.6.37/security/selinux/hooks.c 2011-01-17 02:41:02.000000000 = -0500 ++++ linux-2.6.37/security/selinux/hooks.c 2011-02-12 11:02:14.000000000 = -0500 @@ -90,7 +90,6 @@ #define NUM_SEL_MNT_OPTS 5 =20 
@@ -58540,7 +58751,20 @@ diff -urNp linux-2.6.37/security/selinux/hooks.c= linux-2.6.37/security/selinux/h =20 /* SECMARK reference count */ atomic_t selinux_secmark_refcount =3D ATOMIC_INIT(0); -@@ -5388,7 +5387,7 @@ static int selinux_key_getsecurity(struc +@@ -3195,7 +3194,11 @@ static void selinux_cred_free(struct cre + { + struct task_security_struct *tsec =3D cred->security; +=20 +- BUG_ON((unsigned long) cred->security < PAGE_SIZE); ++ /* ++ * cred->security =3D=3D NULL if security_cred_alloc_blank() or ++ * security_prepare_creds() returned an error. ++ */ ++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); + cred->security =3D (void *) 0x7UL; + kfree(tsec); + } +@@ -5388,7 +5391,7 @@ static int selinux_key_getsecurity(struc =20 #endif =20
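Review bot: in the install_special_mapping hunk the `else` that follows `#endif` binds to a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT: to `if (!(vm_flags & VM_EXEC))` in the default build and to `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` in the compat build. Both pairings happen to give the intended result (an exec-only mapping loses VM_MAYWRITE, anything else is refused or loses exec), but an else that spans a preprocessor boundary is easy to break on the next edit; bracing each branch, or repeating `else vm_flags &= ~VM_MAYWRITE;` inside both arms of the #ifdef, makes the intent explicit. Separately, the bare `return -EPERM` in the non-compat arm fires after `vma->vm_start = addr;` has been set on an already-allocated vma; unless that vma is released on the way out, the early return leaks it, so check it against the function's normal error unwinding.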
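Review bot: the PAX_MPROTECT_COMPAT help text describes the default policy (deny RWX with an error code) but never says what "legacy/compat demoting" actually does, which the install_special_mapping hunk shows: any request that is not exec-only succeeds with VM_EXEC and VM_MAYEXEC cleared, so the caller gets a non-executable mapping that cannot later be made executable either, and a JIT that relies on it will fault on first execution instead of seeing an error (this is also why the clamav-style fallback the text praises stops working under this option). A sentence such as "With this option RWX requests are silently demoted to non-executable mappings rather than refused" belongs in the help. Also, "For some broken userland, this can cause problems with Python or other applications" reads as if the broken userland and Python are separate things; "some applications, Python being a common case, fail when the request is refused" is clearer.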
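Review bot: changing `security_capable(int cap)` to `security_capable(const struct cred *cred, int cap)` in security/security.c changes the signature seen by every caller and by the prototype in include/linux/security.h, including the inline stub used when CONFIG_SECURITY is off; none of those appear in this diff-of-diff, so confirm the rest of the patch updates them or a security=off build breaks. Note also that the hook is still invoked as `security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT)`, so the task and the cred handed to the LSM are no longer guaranteed to belong together when a caller passes a cred other than current's; any LSM that keys on the task argument rather than the cred should be checked.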
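Review bot: the relaxed `BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE)` in selinux_cred_free is only correct if the security_cred_alloc_blank() and security_prepare_creds() error paths really leave cred->security NULL rather than a stale or partially initialised pointer; the new comment asserts this but nothing in the hunk enforces it. As written the hunk is safe, since kfree(NULL) is a no-op and poisoning an already-NULL field with 0x7UL is harmless, but a short note at those two call sites that they must NULL the field on failure would tie the invariant to the code that has to keep it.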