* [gentoo-commits] proj/hardened-patchset:experimental commit in: 2.6.39/, 2.6.32/
@ 2011-07-30 11:26 Anthony G. Basile
From: Anthony G. Basile @ 2011-07-30 11:26 UTC (permalink / raw
To: gentoo-commits
commit: 76c12f38d3c63651455fab1bee4090746993c6bb
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Jul 30 11:26:41 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Jul 30 11:26:41 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=76c12f38
Add patch to remove legacy PAX_EI_PAX
---
2.6.32/4421_remove-legacy-pax-ei.patch | 185 ++++++++++++++++++++
... => 4422_grsec-remove-localversion-grsec.patch} | 0
...rnings.patch => 4424_grsec-mute-warnings.patch} | 0
...tch => 4426_grsec-remove-protected-paths.patch} | 0
...ec.patch => 4428_grsec-pax-without-grsec.patch} | 0
2.6.32/4435_grsec-kconfig-gentoo.patch | 5 +-
2.6.39/4421_remove-legacy-pax-ei.patch | 185 ++++++++++++++++++++
... => 4422_grsec-remove-localversion-grsec.patch} | 0
...rnings.patch => 4424_grsec-mute-warnings.patch} | 0
...tch => 4426_grsec-remove-protected-paths.patch} | 0
...ec.patch => 4428_grsec-pax-without-grsec.patch} | 0
2.6.39/4435_grsec-kconfig-gentoo.patch | 9 +-
12 files changed, 374 insertions(+), 10 deletions(-)
diff --git a/2.6.32/4421_remove-legacy-pax-ei.patch b/2.6.32/4421_remove-legacy-pax-ei.patch
new file mode 100644
index 0000000..8a911f7
--- /dev/null
+++ b/2.6.32/4421_remove-legacy-pax-ei.patch
@@ -0,0 +1,185 @@
+diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2011-07-30 07:14:33.000000000 -0400
++++ b/fs/binfmt_elf.c 2011-07-30 07:17:26.000000000 -0400
+@@ -557,7 +557,7 @@
+ return error;
+ }
+
+-#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
++#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
+ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -643,50 +643,7 @@
+ }
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+-static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
+-{
+- unsigned long pax_flags = 0UL;
+-
+-#ifdef CONFIG_PAX_PAGEEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
+- pax_flags |= MF_PAX_PAGEEXEC;
+-#endif
+-
+-#ifdef CONFIG_PAX_SEGMEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
+- pax_flags |= MF_PAX_SEGMEXEC;
+-#endif
+-
+-#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
+- if (nx_enabled)
+- pax_flags &= ~MF_PAX_SEGMEXEC;
+- else
+- pax_flags &= ~MF_PAX_PAGEEXEC;
+- }
+-#endif
+-
+-#ifdef CONFIG_PAX_EMUTRAMP
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
+- pax_flags |= MF_PAX_EMUTRAMP;
+-#endif
+-
+-#ifdef CONFIG_PAX_MPROTECT
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
+- pax_flags |= MF_PAX_MPROTECT;
+-#endif
+-
+-#ifdef CONFIG_PAX_ASLR
+- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
+- pax_flags |= MF_PAX_RANDMMAP;
+-#endif
+-
+- return pax_flags;
+-}
+-#endif
+-
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -696,10 +653,6 @@
+ int found_flags = 0;
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+- pax_flags = pax_parse_ei_pax(elf_ex);
+-#endif
+-
+ #ifdef CONFIG_PAX_PT_PAX_FLAGS
+ for (i = 0UL; i < elf_ex->e_phnum; i++)
+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
+@@ -722,7 +675,7 @@
+ }
+ #endif
+
+-#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (found_flags == 0) {
+ struct elf_phdr phdr;
+ memset(&phdr, 0, sizeof(phdr));
+@@ -956,7 +909,7 @@
+
+ current->mm->def_flags = 0;
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-07-30 07:14:33.000000000 -0400
++++ b/grsecurity/Kconfig 2011-07-30 07:17:56.000000000 -0400
+@@ -49,7 +49,6 @@
+ config GRKERNSEC_MEDIUM
+ bool "Medium"
+ select PAX
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+@@ -147,7 +146,6 @@
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
+diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
+--- a/include/linux/grsecurity.h 2011-07-30 07:14:33.000000000 -0400
++++ b/include/linux/grsecurity.h 2011-07-30 07:19:50.000000000 -0400
+@@ -10,11 +10,11 @@
+ #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
+ #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
+ #endif
+-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+ #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
+ #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
+diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
+--- a/include/linux/mm_types.h 2011-07-30 07:14:33.000000000 -0400
++++ b/include/linux/mm_types.h 2011-07-30 07:18:49.000000000 -0400
+@@ -290,7 +290,7 @@
+ struct mmu_notifier_mm *mmu_notifier_mm;
+ #endif
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+ unsigned long pax_flags;
+ #endif
+
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-07-30 07:14:33.000000000 -0400
++++ b/security/Kconfig 2011-07-30 07:20:37.000000000 -0400
+@@ -48,20 +48,6 @@
+ line option on boot. Furthermore you can control various PaX features
+ at runtime via the entries in /proc/sys/kernel/pax.
+
+-config PAX_EI_PAX
+- bool 'Use legacy ELF header marking'
+- help
+- Enabling this option will allow you to control PaX features on
+- a per executable basis via the 'chpax' utility available at
+- http://pax.grsecurity.net/. The control flags will be read from
+- an otherwise reserved part of the ELF header. This marking has
+- numerous drawbacks (no support for soft-mode, toolchain does not
+- know about the non-standard use of the ELF header) therefore it
+- has been deprecated in favour of PT_PAX_FLAGS support.
+-
+- Note that if you enable PT_PAX_FLAGS marking support as well,
+- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
+-
+ config PAX_PT_PAX_FLAGS
+ bool 'Use ELF program header marking'
+ help
+@@ -110,7 +96,7 @@
+
+ config PAX_NOEXEC
+ bool "Enforce non-executable pages"
+- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
++ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
+ help
+ By design some architectures do not allow for protecting memory
+ pages against execution or even if they do, Linux does not make
+@@ -356,7 +342,7 @@
+
+ config PAX_ASLR
+ bool "Address Space Layout Randomization"
+- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
++ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
+ help
+ Many if not most exploit techniques rely on the knowledge of
+ certain addresses in the attacked program. The following options
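Review bot: With pax_parse_ei_pax() deleted and the guard `#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)` collapsed to `#if defined(CONFIG_PAX_PT_PAX_FLAGS)`, a binary that carries only legacy EI_PAX (chpax) marks now takes the `found_flags == 0` path and is parsed as a zeroed program header, so any protection it used to relax through the ELF header is presumably enforced again, with no diagnostic at exec time. That is likely the intent of the patch, but the fallback deserves a comment, e.g. `/* No PT_PAX_FLAGS header: legacy EI_PAX marks are no longer read, so an unmarked binary gets whatever a zeroed phdr yields. */`, because the failure mode (a formerly chpax-relaxed program misbehaving under MPROTECT/PAGEEXEC) is hard to trace back to this change. pax_parse_elf_flags() and the load_elf_binary() context around `current->mm->def_flags = 0;` both start and end outside the quoted hunks.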
diff --git a/2.6.32/4421_grsec-remove-localversion-grsec.patch b/2.6.32/4422_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 2.6.32/4421_grsec-remove-localversion-grsec.patch
rename to 2.6.32/4422_grsec-remove-localversion-grsec.patch
diff --git a/2.6.32/4422_grsec-mute-warnings.patch b/2.6.32/4424_grsec-mute-warnings.patch
similarity index 100%
rename from 2.6.32/4422_grsec-mute-warnings.patch
rename to 2.6.32/4424_grsec-mute-warnings.patch
diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4426_grsec-remove-protected-paths.patch
similarity index 100%
rename from 2.6.32/4423_grsec-remove-protected-paths.patch
rename to 2.6.32/4426_grsec-remove-protected-paths.patch
diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4428_grsec-pax-without-grsec.patch
similarity index 100%
rename from 2.6.32/4425_grsec-pax-without-grsec.patch
rename to 2.6.32/4428_grsec-pax-without-grsec.patch
diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4435_grsec-kconfig-gentoo.patch
index f2b8a25..9db4e1d 100644
--- a/2.6.32/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.32/4435_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
config GRKERNSEC_LOW
bool "Low"
-@@ -195,6 +195,261 @@
+@@ -195,6 +195,258 @@
- Restricted sysfs/debugfs
- Active kernel exploit response
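Review bot: The hunk header is corrected only for length (`261` to `258`) while the start stays at `-195,6 +195`, yet the 2.6.39 counterpart in this same commit moves to `-193,6 +193,258`; since 4421 deletes two `select PAX_EI_PAX` lines from grsecurity/Kconfig ahead of this point and, judging by the renumbering, is applied before 4435, the 2.6.32 hunk presumably now applies only through patch's offset tolerance. If that is so, `+@@ -193,6 +193,258 @@` is the exact header and avoids an offset/fuzz warning that can later mask a genuine misapply.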
@@ -78,7 +78,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
-+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
@@ -163,7 +162,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
-+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
@@ -248,7 +246,6 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
-+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
diff --git a/2.6.39/4421_remove-legacy-pax-ei.patch b/2.6.39/4421_remove-legacy-pax-ei.patch
new file mode 100644
index 0000000..fe3cdd4
--- /dev/null
+++ b/2.6.39/4421_remove-legacy-pax-ei.patch
@@ -0,0 +1,185 @@
+diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+--- a/fs/binfmt_elf.c 2011-07-30 06:31:54.000000000 -0400
++++ b/fs/binfmt_elf.c 2011-07-30 06:36:36.000000000 -0400
+@@ -553,7 +553,7 @@
+ return error;
+ }
+
+-#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
++#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
+ static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -639,50 +639,7 @@
+ }
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+-static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
+-{
+- unsigned long pax_flags = 0UL;
+-
+-#ifdef CONFIG_PAX_PAGEEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
+- pax_flags |= MF_PAX_PAGEEXEC;
+-#endif
+-
+-#ifdef CONFIG_PAX_SEGMEXEC
+- if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
+- pax_flags |= MF_PAX_SEGMEXEC;
+-#endif
+-
+-#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
+- if ((__supported_pte_mask & _PAGE_NX))
+- pax_flags &= ~MF_PAX_SEGMEXEC;
+- else
+- pax_flags &= ~MF_PAX_PAGEEXEC;
+- }
+-#endif
+-
+-#ifdef CONFIG_PAX_EMUTRAMP
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
+- pax_flags |= MF_PAX_EMUTRAMP;
+-#endif
+-
+-#ifdef CONFIG_PAX_MPROTECT
+- if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
+- pax_flags |= MF_PAX_MPROTECT;
+-#endif
+-
+-#ifdef CONFIG_PAX_ASLR
+- if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
+- pax_flags |= MF_PAX_RANDMMAP;
+-#endif
+-
+- return pax_flags;
+-}
+-#endif
+-
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
+ {
+ unsigned long pax_flags = 0UL;
+@@ -692,10 +649,6 @@
+ int found_flags = 0;
+ #endif
+
+-#ifdef CONFIG_PAX_EI_PAX
+- pax_flags = pax_parse_ei_pax(elf_ex);
+-#endif
+-
+ #ifdef CONFIG_PAX_PT_PAX_FLAGS
+ for (i = 0UL; i < elf_ex->e_phnum; i++)
+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
+@@ -718,7 +671,7 @@
+ }
+ #endif
+
+-#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (found_flags == 0) {
+ struct elf_phdr phdr;
+ memset(&phdr, 0, sizeof(phdr));
+@@ -951,7 +904,7 @@
+
+ current->mm->def_flags = 0;
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS)
+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
+ send_sig(SIGKILL, current, 0);
+ goto out_free_dentry;
+diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
+--- a/grsecurity/Kconfig 2011-07-30 06:31:55.000000000 -0400
++++ b/grsecurity/Kconfig 2011-07-30 06:37:18.000000000 -0400
+@@ -49,7 +49,6 @@
+ config GRKERNSEC_MEDIUM
+ bool "Medium"
+ select PAX
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
+@@ -147,7 +146,6 @@
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
+- select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
+diff -Naur a/include/linux/grsecurity.h b/include/linux/grsecurity.h
+--- a/include/linux/grsecurity.h 2011-07-30 06:31:55.000000000 -0400
++++ b/include/linux/grsecurity.h 2011-07-30 06:39:52.000000000 -0400
+@@ -10,11 +10,11 @@
+ #if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
+ #error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
+ #endif
+-#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_NOEXEC enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+-#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
+-#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
++#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
++#error "CONFIG_PAX_ASLR enabled, but CONFIG_PAX_PT_PAX_FLAGS is not enabled."
+ #endif
+ #if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
+ #error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
+diff -Naur a/include/linux/mm_types.h b/include/linux/mm_types.h
+--- a/include/linux/mm_types.h 2011-07-30 06:31:55.000000000 -0400
++++ b/include/linux/mm_types.h 2011-07-30 06:38:43.000000000 -0400
+@@ -320,7 +320,7 @@
+ pgtable_t pmd_huge_pte; /* protected by page_table_lock */
+ #endif
+
+-#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++#if defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+ unsigned long pax_flags;
+ #endif
+
+diff a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2011-07-30 06:31:56.000000000 -0400
++++ b/security/Kconfig 2011-07-30 06:40:40.000000000 -0400
+@@ -48,20 +48,6 @@
+ line option on boot. Furthermore you can control various PaX features
+ at runtime via the entries in /proc/sys/kernel/pax.
+
+-config PAX_EI_PAX
+- bool 'Use legacy ELF header marking'
+- help
+- Enabling this option will allow you to control PaX features on
+- a per executable basis via the 'chpax' utility available at
+- http://pax.grsecurity.net/. The control flags will be read from
+- an otherwise reserved part of the ELF header. This marking has
+- numerous drawbacks (no support for soft-mode, toolchain does not
+- know about the non-standard use of the ELF header) therefore it
+- has been deprecated in favour of PT_PAX_FLAGS support.
+-
+- Note that if you enable PT_PAX_FLAGS marking support as well,
+- the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
+-
+ config PAX_PT_PAX_FLAGS
+ bool 'Use ELF program header marking'
+ help
+@@ -110,7 +96,7 @@
+
+ config PAX_NOEXEC
+ bool "Enforce non-executable pages"
+- depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
++ depends on (PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
+ help
+ By design some architectures do not allow for protecting memory
+ pages against execution or even if they do, Linux does not make
+@@ -356,7 +342,7 @@
+
+ config PAX_ASLR
+ bool "Address Space Layout Randomization"
+- depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
++ depends on PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
+ help
+ Many if not most exploit techniques rely on the knowledge of
+ certain addresses in the attacked program. The following options
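Review bot: The file header `+diff a/security/Kconfig b/security/Kconfig` drops the `-Naur` flags that every other header in this patch and the 2.6.32 copy carry; patch(1) keys on the `---`/`+++` lines so it still applies, but the inconsistency suggests the last section was hand-edited and is worth normalising to `diff -Naur a/security/Kconfig b/security/Kconfig`. A style nit in the same file: `#if (defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)` keeps the parentheses left over from the removed `CONFIG_PAX_EI_PAX ||` alternative, and `#if defined(CONFIG_PAX_PT_PAX_FLAGS) && defined(CONFIG_PAX_SOFTMODE)` reads cleaner. The functions touched in fs/binfmt_elf.c start and end outside the quoted context.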
diff --git a/2.6.39/4421_grsec-remove-localversion-grsec.patch b/2.6.39/4422_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 2.6.39/4421_grsec-remove-localversion-grsec.patch
rename to 2.6.39/4422_grsec-remove-localversion-grsec.patch
diff --git a/2.6.39/4422_grsec-mute-warnings.patch b/2.6.39/4424_grsec-mute-warnings.patch
similarity index 100%
rename from 2.6.39/4422_grsec-mute-warnings.patch
rename to 2.6.39/4424_grsec-mute-warnings.patch
diff --git a/2.6.39/4423_grsec-remove-protected-paths.patch b/2.6.39/4426_grsec-remove-protected-paths.patch
similarity index 100%
rename from 2.6.39/4423_grsec-remove-protected-paths.patch
rename to 2.6.39/4426_grsec-remove-protected-paths.patch
diff --git a/2.6.39/4425_grsec-pax-without-grsec.patch b/2.6.39/4428_grsec-pax-without-grsec.patch
similarity index 100%
rename from 2.6.39/4425_grsec-pax-without-grsec.patch
rename to 2.6.39/4428_grsec-pax-without-grsec.patch
diff --git a/2.6.39/4435_grsec-kconfig-gentoo.patch b/2.6.39/4435_grsec-kconfig-gentoo.patch
index 5bae307..bc09842 100644
--- a/2.6.39/4435_grsec-kconfig-gentoo.patch
+++ b/2.6.39/4435_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
config GRKERNSEC_LOW
bool "Low"
-@@ -195,6 +195,261 @@
+@@ -193,6 +193,258 @@
- Restricted sysfs/debugfs
- Active kernel exploit response
@@ -78,7 +78,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
-+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
@@ -163,7 +162,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
-+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
@@ -248,7 +246,6 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
+ select PAX_RANDMMAP
+ select PAX_NOEXEC
+ select PAX_MPROTECT
-+ select PAX_EI_PAX
+ select PAX_PT_PAX_FLAGS
+ select PAX_HAVE_ACL_FLAGS
+ # select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
@@ -292,7 +289,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
diff -Naur linux-2.6.38-hardened-r1.orig/security/Kconfig linux-2.6.38-hardened-r1/security/Kconfig
--- linux-2.6.38-hardened-r1.orig/security/Kconfig 2011-04-17 19:25:02.000000000 -0400
+++ linux-2.6.38-hardened-r1/security/Kconfig 2011-04-17 19:27:46.000000000 -0400
-@@ -319,8 +319,9 @@
+@@ -305,8 +305,9 @@
config PAX_KERNEXEC
bool "Enforce non-executable kernel pages"
@@ -303,7 +300,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/security/Kconfig linux-2.6.38-hardened-
help
This is the kernel land equivalent of PAGEEXEC and MPROTECT,
that is, enabling this option will make it harder to inject
-@@ -483,8 +484,9 @@
+@@ -469,8 +470,9 @@
config PAX_MEMORY_UDEREF
bool "Prevent invalid userland pointer dereference"
* [gentoo-commits] proj/hardened-patchset:experimental commit in: 2.6.39/, 2.6.32/
@ 2011-08-06 13:09 Anthony G. Basile
From: Anthony G. Basile @ 2011-08-06 13:09 UTC (permalink / raw
To: gentoo-commits
commit: 31830276c80bebb426b286d78660b91c3f608a01
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 6 13:09:46 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Aug 6 13:09:46 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=31830276
Add headers
---
2.6.32/4421_remove-legacy-pax-ei.patch | 6 ++++++
2.6.39/4421_remove-legacy-pax-ei.patch | 6 ++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/2.6.32/4421_remove-legacy-pax-ei.patch b/2.6.32/4421_remove-legacy-pax-ei.patch
index 8a911f7..eb74a5f 100644
--- a/2.6.32/4421_remove-legacy-pax-ei.patch
+++ b/2.6.32/4421_remove-legacy-pax-ei.patch
@@ -1,3 +1,9 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch removes all references to legacy EI_PAX markings
+in favor of PT_PAX. It should be applied immediately after
+the grsecurity patch.
+
diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
--- a/fs/binfmt_elf.c 2011-07-30 07:14:33.000000000 -0400
+++ b/fs/binfmt_elf.c 2011-07-30 07:17:26.000000000 -0400
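Review bot: The new header says how to apply the patch but not what it changes for a kernel builder; a sentence such as `Binaries marked only with legacy EI_PAX (chpax) flags are treated as unmarked, and CONFIG_PAX_EI_PAX is removed from Kconfig, so existing .configs presumably lose that symbol on oldconfig.` would explain why a previously working binary or config behaves differently after this patch. The same wording applies to the 2.6.39 copy of the header.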
diff --git a/2.6.39/4421_remove-legacy-pax-ei.patch b/2.6.39/4421_remove-legacy-pax-ei.patch
index fe3cdd4..1e5db3a 100644
--- a/2.6.39/4421_remove-legacy-pax-ei.patch
+++ b/2.6.39/4421_remove-legacy-pax-ei.patch
@@ -1,3 +1,9 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch removes all references to legacy EI_PAX markings
+in favor of PT_PAX. It should be applied immediately after
+the grsecurity patch.
+
diff -Naur a/fs/binfmt_elf.c b/fs/binfmt_elf.c
--- a/fs/binfmt_elf.c 2011-07-30 06:31:54.000000000 -0400
+++ b/fs/binfmt_elf.c 2011-07-30 06:36:36.000000000 -0400