author | 2015-05-19 18:32:57 -0400 | |
---|---|---|
committer | 2015-05-19 18:32:57 -0400 | |
commit | 12a8a929cf98bbbf36cb9288eb3e03583ebc83e2 (patch) | |
tree | f239b9d543005b1181ca009f4a564b62d6e9c7b1 | |
parent | Grsec/PaX: 3.1-{3.2.69,3.14.43,4.0.4}-201505171737 (diff) | |
Grsec/PaX: 3.1-{3.2.69,3.14.43,4.0.4}-20150519173720150519
-rw-r--r-- | 3.14.43/0000_README | 2 | ||||
-rw-r--r-- | 3.14.43/4420_grsecurity-3.1-3.14.43-201505191737.patch (renamed from 3.14.43/4420_grsecurity-3.1-3.14.43-201505171736.patch) | 69 | ||||
-rw-r--r-- | 3.2.69/0000_README | 2 | ||||
-rw-r--r-- | 3.2.69/4420_grsecurity-3.1-3.2.69-201505181926.patch (renamed from 3.2.69/4420_grsecurity-3.1-3.2.69-201505171733.patch) | 45 | ||||
-rw-r--r-- | 4.0.4/0000_README | 2 | ||||
-rw-r--r-- | 4.0.4/4420_grsecurity-3.1-4.0.4-201505182014.patch (renamed from 4.0.4/4420_grsecurity-3.1-4.0.4-201505171737.patch) | 67 |
6 files changed, 105 insertions, 82 deletions
diff --git a/3.14.43/0000_README b/3.14.43/0000_README index 4d622d2..7c172ce 100644 --- a/3.14.43/0000_README +++ b/3.14.43/0000_README @@ -10,7 +10,7 @@ Patch: 1042_linux-3.14.43.patch From: http://www.kernel.org Desc: Linux 3.14.43 -Patch: 4420_grsecurity-3.1-3.14.43-201505171736.patch +Patch: 4420_grsecurity-3.1-3.14.43-201505191737.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.43/4420_grsecurity-3.1-3.14.43-201505171736.patch b/3.14.43/4420_grsecurity-3.1-3.14.43-201505191737.patch index ed7265a..b7de7fd 100644 --- a/3.14.43/4420_grsecurity-3.1-3.14.43-201505171736.patch +++ b/3.14.43/4420_grsecurity-3.1-3.14.43-201505191737.patch @@ -18148,7 +18148,7 @@ index ed5903b..c7fe163 100644 #define MODULES_END VMALLOC_END #define MODULES_LEN (MODULES_VADDR - MODULES_END) diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h -index d869931..aeba032 100644 +index d869931..9aff880 100644 --- a/arch/x86/include/asm/pgtable_64.h +++ b/arch/x86/include/asm/pgtable_64.h @@ -16,11 +16,16 @@ @@ -18162,9 +18162,10 @@ index d869931..aeba032 100644 extern pmd_t level2_kernel_pgt[512]; extern pmd_t level2_fixmap_pgt[512]; -extern pmd_t level2_ident_pgt[512]; -+extern pmd_t level2_ident_pgt[512*2]; - extern pte_t level1_fixmap_pgt[512]; +-extern pte_t level1_fixmap_pgt[512]; -extern pgd_t init_level4_pgt[]; ++extern pmd_t level2_ident_pgt[2][512]; ++extern pte_t level1_fixmap_pgt[3][512]; +extern pte_t level1_vsyscall_pgt[512]; +extern pgd_t init_level4_pgt[512]; @@ -36361,7 +36362,7 @@ index 201d09a..2302db1 100644 #ifdef CONFIG_ACPI_NUMA diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index c83da6f..9d019b4 100644 +index c83da6f..7dd4fbc 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -379,7 +379,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t val) 
@@ -36386,7 +36387,7 @@ index c83da6f..9d019b4 100644 convert_pfn_mfn(level2_fixmap_pgt); } /* We get [511][511] and have Xen's version of level2_kernel_pgt */ -@@ -1929,11 +1933,16 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) +@@ -1929,11 +1933,18 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) set_page_prot(init_level4_pgt, PAGE_KERNEL_RO); set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO); set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO); @@ -36398,12 +36399,15 @@ index c83da6f..9d019b4 100644 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO); set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); - set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO); +- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO); ++ set_page_prot(level1_fixmap_pgt[0], PAGE_KERNEL_RO); ++ set_page_prot(level1_fixmap_pgt[1], PAGE_KERNEL_RO); ++ set_page_prot(level1_fixmap_pgt[2], PAGE_KERNEL_RO); + set_page_prot(level1_vsyscall_pgt, PAGE_KERNEL_RO); /* Pin down new L4 */ pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE, -@@ -2120,6 +2129,7 @@ static void __init xen_post_allocator_init(void) +@@ -2120,6 +2131,7 @@ static void __init xen_post_allocator_init(void) pv_mmu_ops.set_pud = xen_set_pud; #if PAGETABLE_LEVELS == 4 pv_mmu_ops.set_pgd = xen_set_pgd; @@ -36411,7 +36415,7 @@ index c83da6f..9d019b4 100644 #endif /* This will work as long as patching hasn't happened yet -@@ -2198,6 +2208,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2198,6 +2210,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .pud_val = PV_CALLEE_SAVE(xen_pud_val), .make_pud = PV_CALLEE_SAVE(xen_make_pud), .set_pgd = xen_set_pgd_hyper, @@ -71412,7 +71416,7 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..6d31b72 +index 0000000..d03be1d --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,2725 @@ 
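Review bot: The three `set_page_prot(level1_fixmap_pgt[N], PAGE_KERNEL_RO)` calls added to `xen_setup_kernel_pagetable` hard-code the first dimension that this same patch declares as `level1_fixmap_pgt[3][512]` in pgtable_64.h, so the two can drift apart without any compiler diagnostic. If that dimension changes later, one fixmap page-table page would stay writable when the `pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE, ...)` call that follows runs. Iterating over the array keeps the two in step: `for (i = 0; i < ARRAY_SIZE(level1_fixmap_pgt); i++)` with `set_page_prot(level1_fixmap_pgt[i], PAGE_KERNEL_RO);` as the body, assuming an index variable is in scope; the function body starts and ends outside the hunk. The same three lines are added in the 4.0.4 patch further down.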
@@ -71566,7 +71570,7 @@ index 0000000..6d31b72 + return gr_task_roletype_to_char(current); +} + -+__inline__ int ++int +gr_acl_tpe_check(void) +{ + if (unlikely(!(gr_status & GR_READY))) @@ -71797,7 +71801,7 @@ index 0000000..6d31b72 + PAGE_SIZE); +} + -+__inline__ __u32 ++__u32 +to_gr_audit(const __u32 reqmode) +{ + /* masks off auditable permission flags, then shifts them to create @@ -72272,7 +72276,7 @@ index 0000000..6d31b72 + return retval; +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt, + struct dentry *curr_dentry, + const struct acl_subject_label *subj, char **path, const int checkglob) @@ -72377,7 +72381,7 @@ index 0000000..6d31b72 + return retval; +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj) +{ @@ -72385,7 +72389,7 @@ index 0000000..6d31b72 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB); +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj) +{ @@ -72393,7 +72397,7 @@ index 0000000..6d31b72 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB); +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj, char *path) +{ @@ -74143,7 +74147,7 @@ index 0000000..6d31b72 + diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c new file mode 100644 -index 0000000..18ffbbd +index 0000000..9adc75c --- /dev/null +++ b/grsecurity/gracl_alloc.c @@ -0,0 +1,105 @@ 
@@ -74157,7 +74161,7 @@ index 0000000..18ffbbd +static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL }; +struct gr_alloc_state *current_alloc_state = &__current_alloc_state; + -+static __inline__ int ++static int +alloc_pop(void) +{ + if (current_alloc_state->alloc_stack_next == 1) @@ -74170,7 +74174,7 @@ index 0000000..18ffbbd + return 1; +} + -+static __inline__ int ++static int +alloc_push(void *buf) +{ + if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size) @@ -77573,7 +77577,7 @@ index 0000000..39645c9 +} diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c new file mode 100644 -index 0000000..218b66b +index 0000000..35d9e65 --- /dev/null +++ b/grsecurity/gracl_segv.c @@ -0,0 +1,324 @@ @@ -77678,7 +77682,7 @@ index 0000000..218b66b + return -1; +} + -+static __inline__ void ++static void +gr_insertsort(void) +{ + unsigned short i, j; @@ -77697,7 +77701,7 @@ index 0000000..218b66b + return; +} + -+static __inline__ void ++static void +gr_insert_uid(const kuid_t kuid, const unsigned long expires) +{ + int loc; @@ -77763,7 +77767,7 @@ index 0000000..218b66b + return ret; +} + -+static __inline__ int ++static int +proc_is_setxid(const struct cred *cred) +{ + if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) || @@ -80393,7 +80397,7 @@ index 0000000..3860c7e +} diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c new file mode 100644 -index 0000000..e3650b6 +index 0000000..a523bd2 --- /dev/null +++ b/grsecurity/grsec_sock.c @@ -0,0 +1,244 @@ 
@@ -80437,13 +80441,13 @@ index 0000000..e3650b6 +extern const char * gr_proto_to_name(unsigned char proto); +extern const char * gr_sockfamily_to_name(unsigned char family); + -+static __inline__ int ++static int +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size) +{ + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size); +} + -+static __inline__ int ++static int +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, + __u16 sport, __u16 dport) +{ @@ -82462,10 +82466,10 @@ index 2507fd2..55203f8 100644 * Mark a position in code as unreachable. This can be used to * suppress control flow warnings after asm blocks that transfer diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h -index cdd1cc2..2401b2e 100644 +index cdd1cc2..9c1ee22 100644 --- a/include/linux/compiler-gcc5.h +++ b/include/linux/compiler-gcc5.h -@@ -28,6 +28,26 @@ +@@ -28,6 +28,31 @@ # define __compiletime_error(message) __attribute__((error(message))) #endif /* __CHECKER__ */ @@ -82474,6 +82478,11 @@ index cdd1cc2..2401b2e 100644 +#define __bos0(ptr) __bos((ptr), 0) +#define __bos1(ptr) __bos((ptr), 1) + ++#ifdef RANDSTRUCT_PLUGIN ++#define __randomize_layout __attribute__((randomize_layout)) ++#define __no_randomize_layout __attribute__((no_randomize_layout)) ++#endif ++ +#ifdef CONSTIFY_PLUGIN +#define __no_const __attribute__((no_const)) +#define __do_const __attribute__((do_const)) @@ -82492,7 +82501,7 @@ index cdd1cc2..2401b2e 100644 /* * Mark a position in code as unreachable. This can be used to * suppress control flow warnings after asm blocks that transfer -@@ -53,7 +73,6 @@ +@@ -53,7 +78,6 @@ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 * * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. @@ -128553,7 +128562,7 @@ index 0000000..1d296ce +} diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c new file mode 100644 -index 0000000..4436cbe +index 0000000..e9dbd4b 
--- /dev/null +++ b/tools/gcc/structleak_plugin.c @@ -0,0 +1,287 @@ @@ -128822,7 +128831,7 @@ index 0000000..4436cbe + return 1; + } + -+ if (strncmp(lang_hooks.name, "GNU C", 5) || !strncmp(lang_hooks.name, "GNU C+", 6)) { ++ if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) { + inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name); + enable = false; + } diff --git a/3.2.69/0000_README b/3.2.69/0000_README index f609422..8bf4976 100644 --- a/3.2.69/0000_README +++ b/3.2.69/0000_README @@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch From: http://www.kernel.org Desc: Linux 3.2.69 -Patch: 4420_grsecurity-3.1-3.2.69-201505171733.patch +Patch: 4420_grsecurity-3.1-3.2.69-201505181926.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201505171733.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201505181926.patch index 93f7def..b43610c 100644 --- a/3.2.69/4420_grsecurity-3.1-3.2.69-201505171733.patch +++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201505181926.patch @@ -69240,7 +69240,7 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..1b75b8a +index 0000000..18911e9 --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,2873 @@ @@ -69398,7 +69398,7 @@ index 0000000..1b75b8a + return gr_task_roletype_to_char(current); +} + -+__inline__ int ++int +gr_acl_tpe_check(void) +{ + if (unlikely(!(gr_status & GR_READY))) @@ -69627,7 +69627,7 @@ index 0000000..1b75b8a + PAGE_SIZE); +} + -+__inline__ __u32 ++__u32 +to_gr_audit(const __u32 reqmode) +{ + /* masks off auditable permission flags, then shifts them to create 
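Review bot: The rewritten language check in structleak_plugin.c, `strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)`, can never be true, because any name whose first six characters are "GNU C+" also matches "GNU C" in its first five, so the left operand is zero whenever the right one holds. The `inform(... "%s supports C only" ...)` and `enable = false` branch is therefore unreachable, and the plugin is no longer switched off for any non-C front end. If the intent is still to reject everything except C, the previous form expresses it: `if (strncmp(lang_hooks.name, "GNU C", 5) || !strncmp(lang_hooks.name, "GNU C+", 6)) {`. If the guard was deliberately relaxed, a comment should say so, or the dead branch should be removed. The enclosing function starts outside the hunk, and the same change is made in the 4.0.4 patch at the end of the page.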
@@ -70102,7 +70102,7 @@ index 0000000..1b75b8a + return retval; +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt, + struct dentry *curr_dentry, + const struct acl_subject_label *subj, char **path, const int checkglob) @@ -70191,7 +70191,7 @@ index 0000000..1b75b8a + return retval; +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj) +{ @@ -70199,7 +70199,7 @@ index 0000000..1b75b8a + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB); +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj) +{ @@ -70207,7 +70207,7 @@ index 0000000..1b75b8a + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB); +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj, char *path) +{ @@ -72119,7 +72119,7 @@ index 0000000..1b75b8a + diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c new file mode 100644 -index 0000000..18ffbbd +index 0000000..9adc75c --- /dev/null +++ b/grsecurity/gracl_alloc.c @@ -0,0 +1,105 @@ @@ -72133,7 +72133,7 @@ index 0000000..18ffbbd +static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL }; +struct gr_alloc_state *current_alloc_state = &__current_alloc_state; + -+static __inline__ int ++static int +alloc_pop(void) +{ + if (current_alloc_state->alloc_stack_next == 1) 
@@ -72146,7 +72146,7 @@ index 0000000..18ffbbd + return 1; +} + -+static __inline__ int ++static int +alloc_push(void *buf) +{ + if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size) @@ -75539,7 +75539,7 @@ index 0000000..39645c9 +} diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c new file mode 100644 -index 0000000..275df2d +index 0000000..8769655 --- /dev/null +++ b/grsecurity/gracl_segv.c @@ -0,0 +1,320 @@ @@ -75644,7 +75644,7 @@ index 0000000..275df2d + return -1; +} + -+static __inline__ void ++static void +gr_insertsort(void) +{ + unsigned short i, j; @@ -75663,7 +75663,7 @@ index 0000000..275df2d + return; +} + -+static __inline__ void ++static void +gr_insert_uid(const uid_t uid, const unsigned long expires) +{ + int loc; @@ -75725,7 +75725,7 @@ index 0000000..275df2d + return ret; +} + -+static __inline__ int ++static int +proc_is_setxid(const struct cred *cred) +{ + if (cred->uid != cred->euid || cred->uid != cred->suid || @@ -78325,7 +78325,7 @@ index 0000000..c6a07aa +} diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c new file mode 100644 -index 0000000..e3650b6 +index 0000000..a523bd2 --- /dev/null +++ b/grsecurity/grsec_sock.c @@ -0,0 +1,244 @@ @@ -78369,13 +78369,13 @@ index 0000000..e3650b6 +extern const char * gr_proto_to_name(unsigned char proto); +extern const char * gr_sockfamily_to_name(unsigned char family); + -+static __inline__ int ++static int +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size) +{ + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size); +} + -+static __inline__ int ++static int +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, + __u16 sport, __u16 dport) +{ @@ -80559,10 +80559,10 @@ index 59a7e4c..8feb590 100644 #if __GNUC_MINOR__ > 0 diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h -index cdd1cc2..2401b2e 100644 +index cdd1cc2..9c1ee22 100644 --- a/include/linux/compiler-gcc5.h 
+++ b/include/linux/compiler-gcc5.h -@@ -28,6 +28,26 @@ +@@ -28,6 +28,31 @@ # define __compiletime_error(message) __attribute__((error(message))) #endif /* __CHECKER__ */ @@ -80571,6 +80571,11 @@ index cdd1cc2..2401b2e 100644 +#define __bos0(ptr) __bos((ptr), 0) +#define __bos1(ptr) __bos((ptr), 1) + ++#ifdef RANDSTRUCT_PLUGIN ++#define __randomize_layout __attribute__((randomize_layout)) ++#define __no_randomize_layout __attribute__((no_randomize_layout)) ++#endif ++ +#ifdef CONSTIFY_PLUGIN +#define __no_const __attribute__((no_const)) +#define __do_const __attribute__((do_const)) @@ -80589,7 +80594,7 @@ index cdd1cc2..2401b2e 100644 /* * Mark a position in code as unreachable. This can be used to * suppress control flow warnings after asm blocks that transfer -@@ -53,7 +73,6 @@ +@@ -53,7 +78,6 @@ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 * * Work it around via a compiler barrier quirk suggested by Jakub Jelinek. diff --git a/4.0.4/0000_README b/4.0.4/0000_README index a4f7b92..cb9fc17 100644 --- a/4.0.4/0000_README +++ b/4.0.4/0000_README @@ -6,7 +6,7 @@ Patch: 1003_linux-4.0.4.patch From: http://www.kernel.org Desc: Linux 4.0.4 -Patch: 4420_grsecurity-3.1-4.0.4-201505171737.patch +Patch: 4420_grsecurity-3.1-4.0.4-201505182014.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/4.0.4/4420_grsecurity-3.1-4.0.4-201505171737.patch b/4.0.4/4420_grsecurity-3.1-4.0.4-201505182014.patch index 6314571..55969fb 100644 --- a/4.0.4/4420_grsecurity-3.1-4.0.4-201505171737.patch +++ b/4.0.4/4420_grsecurity-3.1-4.0.4-201505182014.patch @@ -18252,7 +18252,7 @@ index 9fb2f2b..b04b4bf 100644 #define MODULES_END VMALLOC_END #define MODULES_LEN (MODULES_VADDR - MODULES_END) diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h -index 2ee7811..db41d8c 100644 +index 2ee7811..55aca24 100644 --- a/arch/x86/include/asm/pgtable_64.h +++ b/arch/x86/include/asm/pgtable_64.h @@ -16,11 +16,16 @@ 
@@ -18266,9 +18266,10 @@ index 2ee7811..db41d8c 100644 extern pmd_t level2_kernel_pgt[512]; extern pmd_t level2_fixmap_pgt[512]; -extern pmd_t level2_ident_pgt[512]; -+extern pmd_t level2_ident_pgt[512*2]; - extern pte_t level1_fixmap_pgt[512]; +-extern pte_t level1_fixmap_pgt[512]; -extern pgd_t init_level4_pgt[]; ++extern pmd_t level2_ident_pgt[2][512]; ++extern pte_t level1_fixmap_pgt[3][512]; +extern pte_t level1_vsyscall_pgt[512]; +extern pgd_t init_level4_pgt[512]; @@ -35907,7 +35908,7 @@ index 5240f56..0c12163 100644 #ifdef CONFIG_ACPI_NUMA diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c -index adca9e2..35d6a98 100644 +index adca9e2..cdba9d1 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -379,7 +379,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t val) @@ -35931,7 +35932,7 @@ index adca9e2..35d6a98 100644 convert_pfn_mfn(level2_fixmap_pgt); } /* We get [511][511] and have Xen's version of level2_kernel_pgt */ -@@ -1860,11 +1864,16 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) +@@ -1860,11 +1864,18 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn) set_page_prot(init_level4_pgt, PAGE_KERNEL_RO); set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO); set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO); 
@@ -35943,12 +35944,15 @@ index adca9e2..35d6a98 100644 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO); set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); - set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO); +- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO); ++ set_page_prot(level1_fixmap_pgt[0], PAGE_KERNEL_RO); ++ set_page_prot(level1_fixmap_pgt[1], PAGE_KERNEL_RO); ++ set_page_prot(level1_fixmap_pgt[2], PAGE_KERNEL_RO); + set_page_prot(level1_vsyscall_pgt, PAGE_KERNEL_RO); /* Pin down new L4 */ pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE, -@@ -2048,6 +2057,7 @@ static void __init xen_post_allocator_init(void) +@@ -2048,6 +2059,7 @@ static void __init xen_post_allocator_init(void) pv_mmu_ops.set_pud = xen_set_pud; #if PAGETABLE_LEVELS == 4 pv_mmu_ops.set_pgd = xen_set_pgd; @@ -35956,7 +35960,7 @@ index adca9e2..35d6a98 100644 #endif /* This will work as long as patching hasn't happened yet -@@ -2126,6 +2136,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { +@@ -2126,6 +2138,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = { .pud_val = PV_CALLEE_SAVE(xen_pud_val), .make_pud = PV_CALLEE_SAVE(xen_make_pud), .set_pgd = xen_set_pgd_hyper, @@ -70792,7 +70796,7 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..f83bf15 +index 0000000..811af1f --- /dev/null +++ b/grsecurity/gracl.c @@ -0,0 +1,2749 @@ @@ -70946,7 +70950,7 @@ index 0000000..f83bf15 + return gr_task_roletype_to_char(current); +} + -+__inline__ int ++int +gr_acl_tpe_check(void) +{ + if (unlikely(!(gr_status & GR_READY))) @@ -71177,7 +71181,7 @@ index 0000000..f83bf15 + PAGE_SIZE); +} + -+__inline__ __u32 ++__u32 +to_gr_audit(const __u32 reqmode) +{ + /* masks off auditable permission flags, then shifts them to create 
@@ -71652,7 +71656,7 @@ index 0000000..f83bf15 + return retval; +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt, + struct dentry *curr_dentry, + const struct acl_subject_label *subj, char **path, const int checkglob) @@ -71757,7 +71761,7 @@ index 0000000..f83bf15 + return retval; +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj) +{ @@ -71765,7 +71769,7 @@ index 0000000..f83bf15 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB); +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj) +{ @@ -71773,7 +71777,7 @@ index 0000000..f83bf15 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB); +} + -+static __inline__ struct acl_object_label * ++static struct acl_object_label * +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, + const struct acl_subject_label *subj, char *path) +{ @@ -73547,7 +73551,7 @@ index 0000000..f83bf15 + diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c new file mode 100644 -index 0000000..18ffbbd +index 0000000..9adc75c --- /dev/null +++ b/grsecurity/gracl_alloc.c @@ -0,0 +1,105 @@ @@ -73561,7 +73565,7 @@ index 0000000..18ffbbd +static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL }; +struct gr_alloc_state *current_alloc_state = &__current_alloc_state; + -+static __inline__ int ++static int +alloc_pop(void) +{ + if (current_alloc_state->alloc_stack_next == 1) 
@@ -73574,7 +73578,7 @@ index 0000000..18ffbbd + return 1; +} + -+static __inline__ int ++static int +alloc_push(void *buf) +{ + if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size) @@ -76985,7 +76989,7 @@ index 0000000..39645c9 +} diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c new file mode 100644 -index 0000000..218b66b +index 0000000..35d9e65 --- /dev/null +++ b/grsecurity/gracl_segv.c @@ -0,0 +1,324 @@ @@ -77090,7 +77094,7 @@ index 0000000..218b66b + return -1; +} + -+static __inline__ void ++static void +gr_insertsort(void) +{ + unsigned short i, j; @@ -77109,7 +77113,7 @@ index 0000000..218b66b + return; +} + -+static __inline__ void ++static void +gr_insert_uid(const kuid_t kuid, const unsigned long expires) +{ + int loc; @@ -77175,7 +77179,7 @@ index 0000000..218b66b + return ret; +} + -+static __inline__ int ++static int +proc_is_setxid(const struct cred *cred) +{ + if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) || @@ -79805,7 +79809,7 @@ index 0000000..3860c7e +} diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c new file mode 100644 -index 0000000..e3650b6 +index 0000000..a523bd2 --- /dev/null +++ b/grsecurity/grsec_sock.c @@ -0,0 +1,244 @@ @@ -79849,13 +79853,13 @@ index 0000000..e3650b6 +extern const char * gr_proto_to_name(unsigned char proto); +extern const char * gr_sockfamily_to_name(unsigned char family); + -+static __inline__ int ++static int +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size) +{ + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size); +} + -+static __inline__ int ++static int +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, + __u16 sport, __u16 dport) +{ @@ -81918,10 +81922,10 @@ index 769e198..f670585 100644 * Mark a position in code as unreachable. This can be used to * suppress control flow warnings after asm blocks that transfer 
diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h -index efee493..c388661 100644 +index efee493..06f9f63 100644 --- a/include/linux/compiler-gcc5.h +++ b/include/linux/compiler-gcc5.h -@@ -28,6 +28,25 @@ +@@ -28,6 +28,30 @@ # define __compiletime_error(message) __attribute__((error(message))) #endif /* __CHECKER__ */ @@ -81930,6 +81934,11 @@ index efee493..c388661 100644 +#define __bos0(ptr) __bos((ptr), 0) +#define __bos1(ptr) __bos((ptr), 1) + ++#ifdef RANDSTRUCT_PLUGIN ++#define __randomize_layout __attribute__((randomize_layout)) ++#define __no_randomize_layout __attribute__((no_randomize_layout)) ++#endif ++ +#ifdef CONSTIFY_PLUGIN +#define __no_const __attribute__((no_const)) +#define __do_const __attribute__((do_const)) @@ -150212,7 +150221,7 @@ index 0000000..1d296ce +} diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c new file mode 100644 -index 0000000..4436cbe +index 0000000..e9dbd4b --- /dev/null +++ b/tools/gcc/structleak_plugin.c @@ -0,0 +1,287 @@ @@ -150481,7 +150490,7 @@ index 0000000..4436cbe + return 1; + } + -+ if (strncmp(lang_hooks.name, "GNU C", 5) || !strncmp(lang_hooks.name, "GNU C+", 6)) { ++ if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) { + inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name); + enable = false; + } |