author | Anthony G. Basile <blueness@gentoo.org> | 2016-03-15 02:48:40 -0400 |
committer | Anthony G. Basile <blueness@gentoo.org> | 2016-03-15 02:48:40 -0400 |
commit | 5f68ceaa5da203d872ca143eb4260189ddee289e (patch) | |
tree | 9a302c97a04fb84d8e3868ae030b6770a762e69a | |
parent | grsecurity-3.1-4.4.5-201603131305 (diff) | |
grsecurity-3.1-4.4.5-20160314222020160314
-rw-r--r-- | 4.4.5/0000_README | 2 | ||||
-rw-r--r-- | 4.4.5/4420_grsecurity-3.1-4.4.5-201603142220.patch (renamed from 4.4.5/4420_grsecurity-3.1-4.4.5-201603131305.patch) | 94 |
2 files changed, 47 insertions, 49 deletions
diff --git a/4.4.5/0000_README b/4.4.5/0000_README
index c02a112..6d51814 100644
--- a/4.4.5/0000_README
+++ b/4.4.5/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.4.5-201603131305.patch
+Patch: 4420_grsecurity-3.1-4.4.5-201603142220.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.4.5/4420_grsecurity-3.1-4.4.5-201603131305.patch b/4.4.5/4420_grsecurity-3.1-4.4.5-201603142220.patch
index c5fcaad..dac56bb 100644
--- a/4.4.5/4420_grsecurity-3.1-4.4.5-201603131305.patch
+++ b/4.4.5/4420_grsecurity-3.1-4.4.5-201603142220.patch
@@ -83496,7 +83496,7 @@ index 14db05d..687f6d8 100644
#define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
diff --git a/fs/namei.c b/fs/namei.c
-index d8ee4da..dc6d6b5 100644
+index d8ee4da..d6bf55e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -336,17 +336,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -83711,19 +83711,22 @@ index d8ee4da..dc6d6b5 100644 if (flags & LOOKUP_ROOT) { struct dentry *root = nd->root.dentry; struct inode *inode = root->d_inode; -@@ -2138,6 +2231,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path +@@ -2138,6 +2231,14 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path if (!err) err = complete_walk(nd); + if (!err && !(nd->flags & LOOKUP_PARENT)) { + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) + err = -ENOENT; ++ if (!err) ++ err = gr_chroot_pathat(nd->dfd, nd->path.dentry, ++ nd->path.mnt, nd->flags); + } + if (!err && nd->flags & LOOKUP_DIRECTORY) if (!d_can_lookup(nd->path.dentry)) err = -ENOTDIR; -@@ -2186,6 +2284,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags, +@@ -2186,6 +2287,14 @@ static int path_parentat(struct nameidata *nd, unsigned flags, err = link_path_walk(s, nd); if (!err) err = complete_walk(nd); @@ -83731,10 +83734,14 @@ index d8ee4da..dc6d6b5 100644 + if (!err && gr_handle_nameidata_symlinkowner(nd, nd->inode)) + err = -EACCES; + ++ if (!err) ++ err = gr_chroot_pathat(nd->dfd, nd->path.dentry, ++ nd->path.mnt, nd->flags); ++ if (!err) { *parent = nd->path; nd->path.mnt = NULL; -@@ -2717,6 +2819,13 @@ static int may_open(struct path *path, int acc_mode, int flag) +@@ -2717,6 +2826,13 @@ static int may_open(struct path *path, int acc_mode, int flag) if (flag & O_NOATIME && !inode_owner_or_capable(inode)) return -EPERM; 
@@ -83748,12 +83755,15 @@ index d8ee4da..dc6d6b5 100644 return 0; } -@@ -2983,6 +3092,18 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -2983,6 +3099,21 @@ static int lookup_open(struct nameidata *nd, struct path *path, /* Negative dentry, just create the file */ if (!dentry->d_inode && (op->open_flag & O_CREAT)) { umode_t mode = op->mode; + -+ ++ error = gr_chroot_pathat(nd->dfd, dentry, nd->path.mnt, nd->flags); ++ if (error) ++ goto out_dput; ++ + if (gr_handle_nameidata_symlinkowner(nd, dir_inode)) { + error = -EACCES; + goto out_dput; @@ -83767,7 +83777,7 @@ index d8ee4da..dc6d6b5 100644 if (!IS_POSIXACL(dir->d_inode)) mode &= ~current_umask(); /* -@@ -3004,6 +3125,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, +@@ -3004,6 +3135,8 @@ static int lookup_open(struct nameidata *nd, struct path *path, nd->flags & LOOKUP_EXCL); if (error) goto out_dput; @@ -83776,7 +83786,7 @@ index d8ee4da..dc6d6b5 100644 } out_no_open: path->dentry = dentry; -@@ -3109,11 +3232,24 @@ retry_lookup: +@@ -3109,11 +3242,24 @@ retry_lookup: goto finish_open_created; } @@ -83802,7 +83812,7 @@ index d8ee4da..dc6d6b5 100644 /* * If atomic_open() acquired write access it is dropped now due to -@@ -3166,6 +3302,17 @@ finish_open: +@@ -3166,6 +3312,21 @@ finish_open: path_put(&save_parent); return error; } @@ -83812,6 +83822,10 @@ index d8ee4da..dc6d6b5 100644 + goto out; + } + ++ error = gr_chroot_pathat(nd->dfd, nd->path.dentry, nd->path.mnt, nd->flags); ++ if (error) ++ goto out; ++ + if (gr_handle_nameidata_symlinkowner(nd, inode)) { + error = -EACCES; + goto out; 
@@ -83820,23 +83834,7 @@ index d8ee4da..dc6d6b5 100644 audit_inode(nd->name, nd->path.dentry, 0); if (unlikely(d_is_symlink(nd->path.dentry)) && !(open_flag & O_PATH)) { error = -ELOOP; -@@ -3351,6 +3498,15 @@ out2: - error = -ESTALE; - } - file = ERR_PTR(error); -+ } else { -+ error = gr_chroot_pathat(nd->dfd, file->f_path.dentry, file->f_path.mnt, flags); -+ if (error == -ECHILD) { -+ fput(file); -+ file = ERR_PTR(error); -+ } else if (!error) { -+ fput(file); -+ file = ERR_PTR(-ENOENT); -+ } - } - return file; - } -@@ -3440,9 +3596,11 @@ static struct dentry *filename_create(int dfd, struct filename *name, +@@ -3440,9 +3601,11 @@ static struct dentry *filename_create(int dfd, struct filename *name, goto unlock; error = -EEXIST; @@ -83850,7 +83848,7 @@ index d8ee4da..dc6d6b5 100644 /* * Special case - lookup gave negative, but... we had foo/bar/ * From the vfs_mknod() POV we just have a negative dentry - -@@ -3496,6 +3654,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname, +@@ -3496,6 +3659,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); @@ -83871,7 +83869,7 @@ index d8ee4da..dc6d6b5 100644 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) { int error = may_create(dir, dentry); -@@ -3559,6 +3731,17 @@ retry: +@@ -3559,6 +3736,17 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); @@ -83889,7 +83887,7 @@ index d8ee4da..dc6d6b5 100644 error = security_path_mknod(&path, dentry, mode, dev); if (error) goto out; -@@ -3574,6 +3757,8 @@ retry: +@@ -3574,6 +3762,8 @@ retry: error = vfs_mknod(path.dentry->d_inode,dentry,mode,0); break; } @@ -83898,7 +83896,7 @@ index d8ee4da..dc6d6b5 100644 out: done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { -@@ -3628,9 +3813,16 @@ retry: +@@ -3628,9 +3818,16 @@ retry: if (!IS_POSIXACL(path.dentry->d_inode)) mode &= ~current_umask(); 
@@ -83915,7 +83913,7 @@ index d8ee4da..dc6d6b5 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -3663,7 +3855,7 @@ void dentry_unhash(struct dentry *dentry) +@@ -3663,7 +3860,7 @@ void dentry_unhash(struct dentry *dentry) { shrink_dcache_parent(dentry); spin_lock(&dentry->d_lock); @@ -83924,7 +83922,7 @@ index d8ee4da..dc6d6b5 100644 __d_drop(dentry); spin_unlock(&dentry->d_lock); } -@@ -3716,6 +3908,8 @@ static long do_rmdir(int dfd, const char __user *pathname) +@@ -3716,6 +3913,8 @@ static long do_rmdir(int dfd, const char __user *pathname) struct path path; struct qstr last; int type; @@ -83933,7 +83931,7 @@ index d8ee4da..dc6d6b5 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, -@@ -3748,10 +3942,20 @@ retry: +@@ -3748,10 +3947,20 @@ retry: error = -ENOENT; goto exit3; } @@ -83954,7 +83952,7 @@ index d8ee4da..dc6d6b5 100644 exit3: dput(dentry); exit2: -@@ -3846,6 +4050,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) +@@ -3846,6 +4055,8 @@ static long do_unlinkat(int dfd, const char __user *pathname) int type; struct inode *inode = NULL; struct inode *delegated_inode = NULL; @@ -83963,7 +83961,7 @@ index d8ee4da..dc6d6b5 100644 unsigned int lookup_flags = 0; retry: name = user_path_parent(dfd, pathname, -@@ -3872,10 +4078,21 @@ retry_deleg: +@@ -3872,10 +4083,21 @@ retry_deleg: if (d_is_negative(dentry)) goto slashes; ihold(inode); @@ -83985,7 +83983,7 @@ index d8ee4da..dc6d6b5 100644 exit2: dput(dentry); } -@@ -3964,9 +4181,17 @@ retry: +@@ -3964,9 +4186,17 @@ retry: if (IS_ERR(dentry)) goto out_putname; 
@@ -84003,7 +84001,7 @@ index d8ee4da..dc6d6b5 100644 done_path_create(&path, dentry); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; -@@ -4070,6 +4295,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, +@@ -4070,6 +4300,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname, struct dentry *new_dentry; struct path old_path, new_path; struct inode *delegated_inode = NULL; @@ -84011,7 +84009,7 @@ index d8ee4da..dc6d6b5 100644 int how = 0; int error; -@@ -4093,7 +4319,7 @@ retry: +@@ -4093,7 +4324,7 @@ retry: if (error) return error; @@ -84020,7 +84018,7 @@ index d8ee4da..dc6d6b5 100644 (how & LOOKUP_REVAL)); error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) -@@ -4105,11 +4331,26 @@ retry: +@@ -4105,11 +4336,26 @@ retry: error = may_linkat(&old_path); if (unlikely(error)) goto out_dput; @@ -84047,7 +84045,7 @@ index d8ee4da..dc6d6b5 100644 done_path_create(&new_path, new_dentry); if (delegated_inode) { error = break_deleg_wait(&delegated_inode); -@@ -4424,6 +4665,20 @@ retry_deleg: +@@ -4424,6 +4670,20 @@ retry_deleg: if (new_dentry == trap) goto exit5; @@ -84068,7 +84066,7 @@ index d8ee4da..dc6d6b5 100644 error = security_path_rename(&old_path, old_dentry, &new_path, new_dentry, flags); if (error) -@@ -4431,6 +4686,9 @@ retry_deleg: +@@ -4431,6 +4691,9 @@ retry_deleg: error = vfs_rename(old_path.dentry->d_inode, old_dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode, flags); @@ -84078,7 +84076,7 @@ index d8ee4da..dc6d6b5 100644 exit5: dput(new_dentry); exit4: -@@ -4487,14 +4745,24 @@ EXPORT_SYMBOL(vfs_whiteout); +@@ -4487,14 +4750,24 @@ EXPORT_SYMBOL(vfs_whiteout); int readlink_copy(char __user *buffer, int buflen, const char *link) { @@ -95954,7 +95952,7 @@ index 0000000..bc0be01 +} diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c new file mode 100644 -index 0000000..aa6fed5 +index 0000000..1964ab1c --- /dev/null +++ b/grsecurity/grsec_chroot.c @@ -0,0 +1,506 @@ 
@@ -96223,17 +96221,17 @@ index 0000000..aa6fed5 + struct path file_path; + + if (!grsec_enable_chroot_fchdir) -+ return 1; ++ return 0; + + if (!proc_is_chrooted(current) || dfd == -1 || dfd == AT_FDCWD) -+ return 1; ++ return 0; + + if (flags & LOOKUP_RCU) + return -ECHILD; + + f = fdget_raw(dfd); + if (!f.file) -+ return 1; ++ return 0; + + fd_path = f.file->f_path; + path_get(&fd_path); @@ -96245,11 +96243,11 @@ index 0000000..aa6fed5 + if (!gr_is_outside_chroot(u_dentry, u_mnt) && !path_is_under(&file_path, &fd_path)) { + path_put(&fd_path); + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_PATHAT_MSG, u_dentry, u_mnt); -+ return 0; ++ return -ENOENT; + } + path_put(&fd_path); +#endif -+ return 1; ++ return 0; +} + +int |
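Review bot: gr_chroot_pathat's return convention is inverted in the grsec_chroot.c hunk (0 now means the path is allowed, -ENOENT that it is denied, -ECHILD that the caller is still in RCU walk) and the fs/namei.c callers are updated to treat any non-zero result as an error, but nothing documents the new contract, and any caller not shown here that still tests the result as a truthy "allowed" flag would now silently pass every denied path; add above the function `/* Return 0 if @u_dentry is reachable through @dfd from inside the chroot, -ENOENT if it escapes the directory @dfd refers to, -ECHILD under LOOKUP_RCU (caller must retry in ref-walk). */` and mirror it on the prototype. As far as I can tell every new call site (path_lookupat, path_parentat, the O_CREAT branch of lookup_open and the finish_open: block) runs after complete_walk() has already left RCU mode, so the -ECHILD path looks unreachable from them; a one-line comment in gr_chroot_pathat noting that the LOOKUP_RCU guard is defensive would save the next reader the same trace. The enclosing functions of every fs/namei.c hunk, and the prologue and success-path cleanup of gr_chroot_pathat itself, start or end outside the hunks shown.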