authorAnthony G. Basile <blueness@gentoo.org>2016-06-30 09:12:16 -0400
committerAnthony G. Basile <blueness@gentoo.org>2016-06-30 09:12:16 -0400
commit9efc134b4d978753db4dd108ac3fb9e5b8f0a52b (patch)
treea9ddf2de15b2adbdd3e8d16d9930e4100a7a2689
parentgrsecurity-3.1-4.5.7-201606280009 (diff)
downloadhardened-patchset-9efc134b4d978753db4dd108ac3fb9e5b8f0a52b.tar.gz
hardened-patchset-9efc134b4d978753db4dd108ac3fb9e5b8f0a52b.tar.bz2
hardened-patchset-9efc134b4d978753db4dd108ac3fb9e5b8f0a52b.zip
grsecurity-3.1-4.5.7-201606282216
-rw-r--r--4.5.7/0000_README2
-rw-r--r--4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch (renamed from 4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch)680
2 files changed, 524 insertions, 158 deletions
diff --git a/4.5.7/0000_README b/4.5.7/0000_README
index bdf9f5e..b74e534 100644
--- a/4.5.7/0000_README
+++ b/4.5.7/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.5.7-201606280009.patch
+Patch: 4420_grsecurity-3.1-4.5.7-201606282216.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
index f3179f6..01f7898 100644
--- a/4.5.7/4420_grsecurity-3.1-4.5.7-201606280009.patch
+++ b/4.5.7/4420_grsecurity-3.1-4.5.7-201606282216.patch
@@ -8554,6 +8554,37 @@ index 523673d..4aeef3b 100644
: "=&r"(tmp)
: "r"(&rw->lock)
: "cr0", "xer", "memory");
+diff --git a/arch/powerpc/include/asm/string.h b/arch/powerpc/include/asm/string.h
+index e40010a..d3c3d6b 100644
+--- a/arch/powerpc/include/asm/string.h
++++ b/arch/powerpc/include/asm/string.h
+@@ -15,17 +15,17 @@
+ #define __HAVE_ARCH_MEMCMP
+ #define __HAVE_ARCH_MEMCHR
+
+-extern char * strcpy(char *,const char *);
+-extern char * strncpy(char *,const char *, __kernel_size_t);
++extern char * strcpy(char *,const char *) __nocapture(2);
++extern char * strncpy(char *,const char *, __kernel_size_t) __nocapture(2);
+ extern __kernel_size_t strlen(const char *);
+-extern int strcmp(const char *,const char *);
+-extern int strncmp(const char *, const char *, __kernel_size_t);
+-extern char * strcat(char *, const char *);
++extern int strcmp(const char *,const char *) __nocapture(1, 2);
++extern int strncmp(const char *, const char *, __kernel_size_t) __nocapture(1, 2);
++extern char * strcat(char *, const char *) __nocapture(2);
+ extern void * memset(void *,int,__kernel_size_t);
+-extern void * memcpy(void *,const void *,__kernel_size_t);
+-extern void * memmove(void *,const void *,__kernel_size_t);
+-extern int memcmp(const void *,const void *,__kernel_size_t);
+-extern void * memchr(const void *,int,__kernel_size_t);
++extern void * memcpy(void *,const void *,__kernel_size_t) __nocapture(2);
++extern void * memmove(void *,const void *,__kernel_size_t) __nocapture(2);
++extern int memcmp(const void *,const void *,__kernel_size_t) __nocapture(1, 2);
++extern void * memchr(const void *,int,__kernel_size_t) __nocapture(1);
+
+ #endif /* __KERNEL__ */
+
diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
index 7efee4a..48d47cc 100644
--- a/arch/powerpc/include/asm/thread_info.h
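Review bot: The rule behind the `__nocapture` indices in this powerpc `asm/string.h` block is not stated, and the visible declarations do not make it obvious. `strlen` is left without an annotation although it only reads its argument, while `memchr` gets `__nocapture(1)` even though it returns a pointer into that argument; the destinations of `strcpy`, `memcpy` and `memmove` are excluded, presumably because they are returned. A short comment above the declarations saying what counts as a capture would let a reader check each index. If the `strlen` omission is not deliberate, the line would read `extern __kernel_size_t strlen(const char *) __nocapture(1);`.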
@@ -12410,7 +12441,7 @@ index ad8f795..2c7eec6 100644
/*
* Memory returned by kmalloc() may be used for DMA, so we must make
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 3bf45a0..25ca7da 100644
+index 3bf45a0..b08241b 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -38,14 +38,13 @@ config X86
@@ -12446,7 +12477,23 @@ index 3bf45a0..25ca7da 100644
select HAVE_GENERIC_DMA_COHERENT if X86_32
select HAVE_HW_BREAKPOINT
select HAVE_IDE
-@@ -290,7 +290,7 @@ config X86_64_SMP
+@@ -184,11 +184,13 @@ config MMU
+ def_bool y
+
+ config ARCH_MMAP_RND_BITS_MIN
+- default 28 if 64BIT
++ default 28 if 64BIT && !PAX_PER_CPU_PGD
++ default 27 if 64BIT && PAX_PER_CPU_PGD
+ default 8
+
+ config ARCH_MMAP_RND_BITS_MAX
+- default 32 if 64BIT
++ default 32 if 64BIT && !PAX_PER_CPU_PGD
++ default 27 if 64BIT && PAX_PER_CPU_PGD
+ default 16
+
+ config ARCH_MMAP_RND_COMPAT_BITS_MIN
+@@ -290,7 +292,7 @@ config X86_64_SMP
config X86_32_LAZY_GS
def_bool y
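Review bot: With `PAX_PER_CPU_PGD` enabled, `ARCH_MMAP_RND_BITS_MIN` and `ARCH_MMAP_RND_BITS_MAX` both default to 27, and the entries give no reason for that value. This pins 64-bit mmap randomisation to a single value one bit below the 28-bit floor used otherwise, a reduction in ASLR entropy that a person configuring the kernel cannot see. A comment above the two `default 27 if 64BIT && PAX_PER_CPU_PGD` lines would help, for example `# PAX_PER_CPU_PGD limits usable mmap entropy to 27 bits: <reason>`, with the reason supplied by the author since it is not visible in this hunk. `ARCH_MMAP_RND_COMPAT_BITS_MIN` follows as unchanged context, so the compat range appears to be left as it was.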
@@ -12455,7 +12502,7 @@ index 3bf45a0..25ca7da 100644
config ARCH_HWEIGHT_CFLAGS
string
-@@ -674,6 +674,7 @@ config SCHED_OMIT_FRAME_POINTER
+@@ -674,6 +676,7 @@ config SCHED_OMIT_FRAME_POINTER
menuconfig HYPERVISOR_GUEST
bool "Linux guest support"
@@ -12463,7 +12510,7 @@ index 3bf45a0..25ca7da 100644
---help---
Say Y here to enable options for running Linux under various hyper-
visors. This option enables basic hypervisor detection and platform
-@@ -1073,6 +1074,7 @@ config VM86
+@@ -1073,6 +1076,7 @@ config VM86
config X86_16BIT
bool "Enable support for 16-bit segments" if EXPERT
@@ -12471,7 +12518,7 @@ index 3bf45a0..25ca7da 100644
default y
depends on MODIFY_LDT_SYSCALL
---help---
-@@ -1227,6 +1229,7 @@ choice
+@@ -1227,6 +1231,7 @@ choice
config NOHIGHMEM
bool "off"
@@ -12479,7 +12526,7 @@ index 3bf45a0..25ca7da 100644
---help---
Linux can use up to 64 Gigabytes of physical memory on x86 systems.
However, the address space of 32-bit x86 processors is only 4
-@@ -1263,6 +1266,7 @@ config NOHIGHMEM
+@@ -1263,6 +1268,7 @@ config NOHIGHMEM
config HIGHMEM4G
bool "4GB"
@@ -12487,7 +12534,7 @@ index 3bf45a0..25ca7da 100644
---help---
Select this if you have a 32-bit processor and between 1 and 4
gigabytes of physical RAM.
-@@ -1315,7 +1319,7 @@ config PAGE_OFFSET
+@@ -1315,7 +1321,7 @@ config PAGE_OFFSET
hex
default 0xB0000000 if VMSPLIT_3G_OPT
default 0x80000000 if VMSPLIT_2G
@@ -12496,7 +12543,7 @@ index 3bf45a0..25ca7da 100644
default 0x40000000 if VMSPLIT_1G
default 0xC0000000
depends on X86_32
-@@ -1336,7 +1340,6 @@ config X86_PAE
+@@ -1336,7 +1342,6 @@ config X86_PAE
config ARCH_PHYS_ADDR_T_64BIT
def_bool y
@@ -12504,7 +12551,7 @@ index 3bf45a0..25ca7da 100644
config ARCH_DMA_ADDR_T_64BIT
def_bool y
-@@ -1467,7 +1470,7 @@ config ARCH_PROC_KCORE_TEXT
+@@ -1467,7 +1472,7 @@ config ARCH_PROC_KCORE_TEXT
config ILLEGAL_POINTER_VALUE
hex
@@ -12513,7 +12560,7 @@ index 3bf45a0..25ca7da 100644
default 0xdead000000000000 if X86_64
source "mm/Kconfig"
-@@ -1776,6 +1779,7 @@ source kernel/Kconfig.hz
+@@ -1776,6 +1781,7 @@ source kernel/Kconfig.hz
config KEXEC
bool "kexec system call"
select KEXEC_CORE
@@ -12521,7 +12568,7 @@ index 3bf45a0..25ca7da 100644
---help---
kexec is a system call that implements the ability to shutdown your
current kernel, and to start another kernel. It is like a reboot
-@@ -1958,7 +1962,9 @@ config X86_NEED_RELOCS
+@@ -1958,7 +1964,9 @@ config X86_NEED_RELOCS
config PHYSICAL_ALIGN
hex "Alignment value to which kernel should be aligned"
@@ -12532,7 +12579,7 @@ index 3bf45a0..25ca7da 100644
range 0x2000 0x1000000 if X86_32
range 0x200000 0x1000000 if X86_64
---help---
-@@ -2041,6 +2047,7 @@ config COMPAT_VDSO
+@@ -2041,6 +2049,7 @@ config COMPAT_VDSO
def_bool n
prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
depends on X86_32 || IA32_EMULATION
@@ -12540,7 +12587,7 @@ index 3bf45a0..25ca7da 100644
---help---
Certain buggy versions of glibc will crash if they are
presented with a 32-bit vDSO that is not mapped at the address
-@@ -2081,15 +2088,6 @@ choice
+@@ -2081,15 +2090,6 @@ choice
If unsure, select "Emulate".
@@ -12556,7 +12603,7 @@ index 3bf45a0..25ca7da 100644
config LEGACY_VSYSCALL_EMULATE
bool "Emulate"
help
-@@ -2170,6 +2168,22 @@ config MODIFY_LDT_SYSCALL
+@@ -2170,6 +2170,22 @@ config MODIFY_LDT_SYSCALL
Saying 'N' here may make sense for embedded or server kernels.
@@ -12995,22 +13042,6 @@ index db75d07..8e6d0af 100644
struct biosregs ireg, oreg;
struct e820entry *desc = boot_params.e820_map;
static struct e820entry buf; /* static so it is zeroed */
-diff --git a/arch/x86/boot/string.h b/arch/x86/boot/string.h
-index 725e820..d7ea2759 100644
---- a/arch/x86/boot/string.h
-+++ b/arch/x86/boot/string.h
-@@ -6,9 +6,9 @@
- #undef memset
- #undef memcmp
-
--void *memcpy(void *dst, const void *src, size_t len);
-+void *memcpy(void *dst, const void *src, size_t len) __nocapture(2);
- void *memset(void *dst, int c, size_t len);
--int memcmp(const void *s1, const void *s2, size_t len);
-+int memcmp(const void *s1, const void *s2, size_t len) __nocapture(1, 2);
-
- /*
- * Access builtin version by default. If one needs to use optimized version,
diff --git a/arch/x86/boot/video-vesa.c b/arch/x86/boot/video-vesa.c
index ba3e100..6501b8f 100644
--- a/arch/x86/boot/video-vesa.c
@@ -43254,6 +43285,40 @@ index aa872d2..afeae37 100644
/**
* struct samsung_clk_reg_dump: register dump of clock controller registers.
+diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c
+index 1cebf25..ff2186f 100644
+--- a/drivers/clk/socfpga/clk-gate-a10.c
++++ b/drivers/clk/socfpga/clk-gate-a10.c
+@@ -19,6 +19,7 @@
+ #include <linux/mfd/syscon.h>
+ #include <linux/of.h>
+ #include <linux/regmap.h>
++#include <asm/pgtable.h>
+
+ #include "clk.h"
+
+@@ -97,7 +98,7 @@ static int socfpga_clk_prepare(struct clk_hw *hwclk)
+ return 0;
+ }
+
+-static struct clk_ops gateclk_ops = {
++static clk_ops_no_const gateclk_ops __read_only = {
+ .prepare = socfpga_clk_prepare,
+ .recalc_rate = socfpga_gate_clk_recalc_rate,
+ };
+@@ -129,8 +130,10 @@ static void __init __socfpga_gate_init(struct device_node *node,
+ socfpga_clk->hw.reg = clk_mgr_a10_base_addr + clk_gate[0];
+ socfpga_clk->hw.bit_idx = clk_gate[1];
+
+- gateclk_ops.enable = clk_gate_ops.enable;
+- gateclk_ops.disable = clk_gate_ops.disable;
++ pax_open_kernel();
++ const_cast(gateclk_ops.enable) = clk_gate_ops.enable;
++ const_cast(gateclk_ops.disable) = clk_gate_ops.disable;
++ pax_close_kernel();
+ }
+
+ rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
index aa7a6e6..1e9b426 100644
--- a/drivers/clk/socfpga/clk-gate.c
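Review bot: The two stores into `gateclk_ops` between `pax_open_kernel()` and `pax_close_kernel()` carry no comment explaining why a `__read_only` ops table is written at run time. A line such as `/* gateclk_ops is __read_only: copy the generic gate enable/disable hooks inside an open-kernel window */` directly above `pax_open_kernel();` would make the intent clear and remind later editors to keep the window limited to those two assignments. The stores sit in `__socfpga_gate_init`, which appears to run once per matching device node, so the table is reopened on every call; it is worth confirming that this is intended. The same comment applies to the `clk_pll_ops` stores in the clk-pll-a10.c hunk that follows. `__socfpga_gate_init` starts and ends outside this hunk.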
@@ -43288,6 +43353,40 @@ index aa7a6e6..1e9b426 100644
}
rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
+diff --git a/drivers/clk/socfpga/clk-pll-a10.c b/drivers/clk/socfpga/clk-pll-a10.c
+index 402d630..d8590c8 100644
+--- a/drivers/clk/socfpga/clk-pll-a10.c
++++ b/drivers/clk/socfpga/clk-pll-a10.c
+@@ -18,6 +18,7 @@
+ #include <linux/io.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
++#include <asm/pgtable.h>
+
+ #include "clk.h"
+
+@@ -69,7 +70,7 @@ static u8 clk_pll_get_parent(struct clk_hw *hwclk)
+ CLK_MGR_PLL_CLK_SRC_MASK;
+ }
+
+-static struct clk_ops clk_pll_ops = {
++static clk_ops_no_const clk_pll_ops __read_only = {
+ .recalc_rate = clk_pll_recalc_rate,
+ .get_parent = clk_pll_get_parent,
+ };
+@@ -112,8 +113,10 @@ static struct __init clk * __socfpga_pll_init(struct device_node *node,
+ pll_clk->hw.hw.init = &init;
+
+ pll_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA;
+- clk_pll_ops.enable = clk_gate_ops.enable;
+- clk_pll_ops.disable = clk_gate_ops.disable;
++ pax_open_kernel();
++ const_cast(clk_pll_ops.enable) = clk_gate_ops.enable;
++ const_cast(clk_pll_ops.disable) = clk_gate_ops.disable;
++ pax_close_kernel();
+
+ clk = clk_register(NULL, &pll_clk->hw.hw);
+ if (WARN_ON(IS_ERR(clk))) {
diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
index c7f4631..8d1b7d0 100644
--- a/drivers/clk/socfpga/clk-pll.c
@@ -48960,19 +49059,18 @@ index 1161d68..7a42e2c 100644
packetlen_aligned = ALIGN(packetlen, sizeof(u64));
diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
-index 11bca51..360c83e 100644
+index 11bca51..cc7da6f 100644
--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
-@@ -183,6 +183,8 @@ static struct clocksource hyperv_cs_tsc = {
+@@ -183,6 +183,7 @@ static struct clocksource hyperv_cs_tsc = {
};
#endif
-+extern char hv_hypercall_page[PAGE_SIZE] __aligned(PAGE_SIZE);
-+asm(".text; .balign 4096; hv_hypercall_page: .fill 4096,1,0xcc; .previous;");
++static char hv_hypercall_page[PAGE_SIZE] __aligned(PAGE_SIZE) __used __section(".text");
/*
* hv_init - Main initialization routine.
-@@ -193,7 +195,6 @@ int hv_init(void)
+@@ -193,7 +194,6 @@ int hv_init(void)
{
int max_leaf;
union hv_x64_msr_hypercall_contents hypercall_msr;
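Review bot: `hv_hypercall_page` is now a zero-initialised C array placed in `.text`, so until the hypervisor populates it the executable page holds zero bytes. The assembly definition it replaces filled the page with 0xcc, so a stray call into the page before setup would trap; zero bytes decode as ordinary x86 instructions and would not. If the toolchain accepts an initialiser for an object in `.text`, keeping the trap fill would preserve that behaviour: `static char hv_hypercall_page[PAGE_SIZE] __aligned(PAGE_SIZE) __used __section(".text") = { [0 ... PAGE_SIZE - 1] = (char)0xcc };`. Otherwise a comment on the declaration should state that the page is executable and zero-filled until `hv_init` enables it.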
@@ -48980,7 +49078,7 @@ index 11bca51..360c83e 100644
memset(hv_context.synic_event_page, 0, sizeof(void *) * NR_CPUS);
memset(hv_context.synic_message_page, 0,
-@@ -218,14 +219,9 @@ int hv_init(void)
+@@ -218,14 +218,9 @@ int hv_init(void)
/* See if the hypercall page is already set */
rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
@@ -48996,7 +49094,7 @@ index 11bca51..360c83e 100644
wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
/* Confirm that hypercall page did get setup. */
-@@ -235,7 +231,7 @@ int hv_init(void)
+@@ -235,7 +230,7 @@ int hv_init(void)
if (!hypercall_msr.enable)
goto cleanup;
@@ -49005,7 +49103,7 @@ index 11bca51..360c83e 100644
#ifdef CONFIG_X86_64
if (ms_hyperv.features & HV_X64_MSR_REFERENCE_TSC_AVAILABLE) {
-@@ -259,13 +255,9 @@ int hv_init(void)
+@@ -259,13 +254,9 @@ int hv_init(void)
return 0;
cleanup:
@@ -49022,7 +49120,7 @@ index 11bca51..360c83e 100644
}
return -ENOTSUPP;
-@@ -286,7 +278,6 @@ void hv_cleanup(void)
+@@ -286,7 +277,6 @@ void hv_cleanup(void)
if (hv_context.hypercall_page) {
hypercall_msr.as_uint64 = 0;
wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
@@ -49160,7 +49258,7 @@ index 579bdf9..0dac21d5 100644
enable_cap_knobs, "IBM Active Energy Manager",
{
diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
-index 0af7fd3..2701c0a 100644
+index 0af7fd3..9aade6a 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
@@ -1105,7 +1105,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
@@ -49172,6 +49270,15 @@ index 0af7fd3..2701c0a 100644
int ret, i;
for (grp = groups; grp->format; grp++) {
+@@ -1242,7 +1242,7 @@ static int applesmc_dmi_match(const struct dmi_system_id *id)
+ * Note that DMI_MATCH(...,"MacBook") will match "MacBookPro1,1".
+ * So we need to put "Apple MacBook Pro" before "Apple MacBook".
+ */
+-static __initdata struct dmi_system_id applesmc_whitelist[] = {
++static __initconst struct dmi_system_id applesmc_whitelist[] = {
+ { applesmc_dmi_match, "Apple MacBook Air", {
+ DMI_MATCH(DMI_BOARD_VENDOR, "Apple"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir") },
diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
index cccef87..06ce8ec 100644
--- a/drivers/hwmon/asus_atk0110.c
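Review bot: `applesmc_whitelist` is moved to `__initconst` without being declared `const`. The same shape recurs in later hunks: `i8k_dmi_table` and `i8k_blacklist_dmi_table` in dell-smm-hwmon.c (where this revision drops an explicit `const`), `dummy_tlb_ops` in io-pgtable-arm.c, `clevo_mail_led_dmi_table`, `nas_led_whitelist`, `chromeos_laptop_dmi_table` and `cros_ec_lpc_dmi_table`. Unless something outside these hunks makes the types const (presumably the constify plugin), a non-const object placed in the init read-only section can fail the build with a section type conflict. Writing the qualifier out, e.g. `static const struct dmi_system_id applesmc_whitelist[] __initconst = {`, would make the read-only placement independent of the plugin. If the missing `const` is deliberate, a one-line comment at the first table should say why.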
@@ -49214,7 +49321,7 @@ index 6a27eb2..349ed23 100644
};
diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
-index c43318d..72f7656 100644
+index c43318d..2574fc5 100644
--- a/drivers/hwmon/dell-smm-hwmon.c
+++ b/drivers/hwmon/dell-smm-hwmon.c
@@ -819,7 +819,7 @@ static const struct i8k_config_data i8k_config_data[] = {
@@ -49222,10 +49329,19 @@ index c43318d..72f7656 100644
};
-static struct dmi_system_id i8k_dmi_table[] __initdata = {
-+static const struct dmi_system_id i8k_dmi_table[] __initconst = {
++static struct dmi_system_id i8k_dmi_table[] __initconst = {
{
.ident = "Dell Inspiron",
.matches = {
+@@ -929,7 +929,7 @@ static struct dmi_system_id i8k_dmi_table[] __initdata = {
+
+ MODULE_DEVICE_TABLE(dmi, i8k_dmi_table);
+
+-static struct dmi_system_id i8k_blacklist_dmi_table[] __initdata = {
++static struct dmi_system_id i8k_blacklist_dmi_table[] __initconst = {
+ {
+ /*
+ * CPU fan speed going up and down on Dell Studio XPS 8000
diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c
index 1f64378..2b6e615 100644
--- a/drivers/hwmon/ibmaem.c
@@ -51034,7 +51150,7 @@ index 59ee4b8..e4b6234 100644
if (smmu->features & ARM_SMMU_FEAT_TRANS_S1)
diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
-index 381ca5a..f383021 100644
+index 381ca5a..6443bb0 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -39,9 +39,6 @@
@@ -51114,7 +51230,14 @@ index 381ca5a..f383021 100644
return data;
}
-@@ -911,9 +909,9 @@ static struct iommu_gather_ops dummy_tlb_ops __initdata = {
+@@ -905,15 +903,15 @@ static void dummy_tlb_sync(void *cookie)
+ WARN_ON(cookie != cfg_cookie);
+ }
+
+-static struct iommu_gather_ops dummy_tlb_ops __initdata = {
++static struct iommu_gather_ops dummy_tlb_ops __initconst = {
+ .tlb_flush_all = dummy_tlb_flush_all,
+ .tlb_add_flush = dummy_tlb_add_flush,
.tlb_sync = dummy_tlb_sync,
};
@@ -53132,6 +53255,32 @@ index 67c2187..fc71e33 100644
hc->timeout_tl.data = (ulong)hc;
init_timer(&hc->timeout_tl);
hc->timeout_on = 0; /* state that we have timer off */
+diff --git a/drivers/leds/leds-clevo-mail.c b/drivers/leds/leds-clevo-mail.c
+index 0f9ed1e..2715d6f 100644
+--- a/drivers/leds/leds-clevo-mail.c
++++ b/drivers/leds/leds-clevo-mail.c
+@@ -40,7 +40,7 @@ static int __init clevo_mail_led_dmi_callback(const struct dmi_system_id *id)
+ * detected as working, but in reality it is not) as low as
+ * possible.
+ */
+-static struct dmi_system_id clevo_mail_led_dmi_table[] __initdata = {
++static struct dmi_system_id clevo_mail_led_dmi_table[] __initconst = {
+ {
+ .callback = clevo_mail_led_dmi_callback,
+ .ident = "Clevo D410J",
+diff --git a/drivers/leds/leds-ss4200.c b/drivers/leds/leds-ss4200.c
+index 046cb70..6b20d39 100644
+--- a/drivers/leds/leds-ss4200.c
++++ b/drivers/leds/leds-ss4200.c
+@@ -91,7 +91,7 @@ MODULE_PARM_DESC(nodetect, "Skip DMI-based hardware detection");
+ * detected as working, but in reality it is not) as low as
+ * possible.
+ */
+-static struct dmi_system_id nas_led_whitelist[] __initdata = {
++static struct dmi_system_id nas_led_whitelist[] __initconst = {
+ {
+ .callback = ss4200_led_dmi_callback,
+ .ident = "Intel SS4200-E",
diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
index 9e385b3..7077882 100644
--- a/drivers/lguest/core.c
@@ -68239,6 +68388,19 @@ index 523b6b7..eb4c74d 100644
/* Disable irqs of this PIO controller */
writel_relaxed(~0, at91_gpio->regbase + PIO_IDR);
+diff --git a/drivers/platform/chrome/chromeos_laptop.c b/drivers/platform/chrome/chromeos_laptop.c
+index 2b441e9..855d867 100644
+--- a/drivers/platform/chrome/chromeos_laptop.c
++++ b/drivers/platform/chrome/chromeos_laptop.c
+@@ -498,7 +498,7 @@ static struct chromeos_laptop cr48 = {
+ .callback = chromeos_laptop_dmi_matched, \
+ .driver_data = (void *)&board_
+
+-static struct dmi_system_id chromeos_laptop_dmi_table[] __initdata = {
++static struct dmi_system_id chromeos_laptop_dmi_table[] __initconst = {
+ {
+ .ident = "Samsung Series 5 550",
+ .matches = {
diff --git a/drivers/platform/chrome/chromeos_pstore.c b/drivers/platform/chrome/chromeos_pstore.c
index 3474920..acc9581 100644
--- a/drivers/platform/chrome/chromeos_pstore.c
@@ -68252,6 +68414,19 @@ index 3474920..acc9581 100644
{
/*
* Today all Chromebooks/boxes ship with Google_* as version and
+diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
+index f9a2454..03f513c 100644
+--- a/drivers/platform/chrome/cros_ec_lpc.c
++++ b/drivers/platform/chrome/cros_ec_lpc.c
+@@ -300,7 +300,7 @@ static int cros_ec_lpc_remove(struct platform_device *pdev)
+ return 0;
+ }
+
+-static struct dmi_system_id cros_ec_lpc_dmi_table[] __initdata = {
++static struct dmi_system_id cros_ec_lpc_dmi_table[] __initconst = {
+ {
+ /*
+ * Today all Chromebooks/boxes ship with Google_* as version and
diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
index 1e1e594..8fe59c5 100644
--- a/drivers/platform/x86/alienware-wmi.c
@@ -112988,7 +113163,7 @@ index b6c00ce..ab37ad1 100644
static struct pid *
get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 45f2162..6484c0f 100644
+index 45f2162..284806a 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -113,6 +113,14 @@ struct pid_entry {
@@ -113149,18 +113324,40 @@ index 45f2162..6484c0f 100644
/*
* Let's make getdents(), stat(), and open()
* consistent with each other. If a process
-@@ -811,6 +871,10 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
+@@ -804,13 +864,24 @@ static const struct file_operations proc_single_file_operations = {
+ };
+
+-struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
++struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode, u64 *ptracer_exec_id)
+ {
+ struct task_struct *task = get_proc_task(inode);
+ struct mm_struct *mm = ERR_PTR(-ESRCH);
+
++ if (ptracer_exec_id)
++ *ptracer_exec_id = 0;
++
if (task) {
mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);
+ if (!IS_ERR_OR_NULL(mm) && gr_acl_handle_procpidmem(task)) {
+ mmput(mm);
+ mm = ERR_PTR(-EPERM);
+ }
++#ifdef CONFIG_GRKERNSEC
++ if (ptracer_exec_id)
++ current_is_ptracer(task, ptracer_exec_id);
++#endif
put_task_struct(task);
if (!IS_ERR_OR_NULL(mm)) {
-@@ -832,6 +896,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
+@@ -826,12 +897,17 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
+
+ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
+ {
+- struct mm_struct *mm = proc_mem_open(inode, mode);
++ struct mm_struct *mm = proc_mem_open(inode, mode, NULL);
+
+ if (IS_ERR(mm))
return PTR_ERR(mm);
file->private_data = mm;
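Review bot: The new `ptracer_exec_id` out-parameter of `proc_mem_open` has no documented contract. It is zeroed on entry and filled by `current_is_ptracer()` only under `CONFIG_GRKERNSEC`; that call runs even when `mm` has just been replaced by `ERR_PTR(-EPERM)`, and its return value is discarded. A comment above the function should say that the pointer may be NULL, that the value is meaningful only when the returned mm is valid, and what 0 means (to be confirmed against `current_is_ptracer`, which is not in this hunk). Any caller of `proc_mem_open` outside the visible hunks also needs the third argument. Both `proc_mem_open` and `__mem_open` continue outside the hunk.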
@@ -113172,25 +113369,34 @@ index 45f2162..6484c0f 100644
return 0;
}
-@@ -853,6 +922,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+@@ -853,6 +929,26 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
ssize_t copied;
char *page;
+#ifdef CONFIG_GRKERNSEC
-+ if (write)
++ struct task_struct *task = get_proc_task(file_inode(file));
++ bool is_by_ptracer = false;
++
++ if (task) {
++ is_by_ptracer = current_is_ptracer(task, NULL);
++ put_task_struct(task);
++ }
++
++ if (write && !is_by_ptracer)
+ return -EPERM;
-+#endif
++
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ if (file->f_version != current->exec_id) {
++ if (file->f_version != current->exec_id && !is_by_ptracer) {
+ gr_log_badprocpid("mem");
+ return 0;
+ }
+#endif
++#endif
+
if (!mm)
return 0;
-@@ -865,7 +945,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+@@ -865,7 +961,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
goto free;
while (count > 0) {
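Review bot: In `mem_rw`, `is_by_ptracer` is computed from the task currently behind the inode, while the memory accessed is the `mm` stored in `file->private_data` at open time. The flag now lifts both the write denial and the `file->f_version != current->exec_id` check. A comment above the block should state that the tracer relation is re-evaluated on every read and write, and why that is sufficient if the target has exec'd since the file was opened; this hunk does not show whether `current_is_ptracer` accounts for that case. The two back-to-back `#endif` lines would also read better labelled, `#endif /* CONFIG_GRKERNSEC_PROC_MEMMAP */` and `#endif /* CONFIG_GRKERNSEC */`. The body of `mem_rw` continues outside the hunk.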
@@ -113199,7 +113405,7 @@ index 45f2162..6484c0f 100644
if (write && copy_from_user(page, buf, this_len)) {
copied = -EFAULT;
-@@ -959,6 +1039,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+@@ -959,6 +1055,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
if (!mm || !mm->env_end)
return 0;
@@ -113213,7 +113419,7 @@ index 45f2162..6484c0f 100644
page = (char *)__get_free_page(GFP_TEMPORARY);
if (!page)
return -ENOMEM;
-@@ -972,9 +1059,12 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+@@ -972,9 +1075,12 @@ static ssize_t environ_read(struct file *file, char __user *buf,
env_end = mm->env_end;
up_read(&mm->mmap_sem);
@@ -113227,7 +113433,7 @@ index 45f2162..6484c0f 100644
if (src >= (env_end - env_start))
break;
-@@ -1584,7 +1674,7 @@ static const char *proc_pid_get_link(struct dentry *dentry,
+@@ -1584,7 +1690,7 @@ static const char *proc_pid_get_link(struct dentry *dentry,
return ERR_PTR(-ECHILD);
/* Are we allowed to snoop on the tasks file descriptors? */
@@ -113236,7 +113442,7 @@ index 45f2162..6484c0f 100644
goto out;
error = PROC_I(inode)->op.proc_get_link(dentry, &path);
-@@ -1628,8 +1718,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
+@@ -1628,8 +1734,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
struct path path;
/* Are we allowed to snoop on the tasks file descriptors? */
@@ -113257,7 +113463,7 @@ index 45f2162..6484c0f 100644
error = PROC_I(inode)->op.proc_get_link(dentry, &path);
if (error)
-@@ -1679,7 +1779,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
+@@ -1679,7 +1795,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
rcu_read_lock();
cred = __task_cred(task);
inode->i_uid = cred->euid;
@@ -113269,7 +113475,7 @@ index 45f2162..6484c0f 100644
rcu_read_unlock();
}
security_task_to_inode(task, inode);
-@@ -1715,10 +1819,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
+@@ -1715,10 +1835,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
return -ENOENT;
}
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -113289,7 +113495,7 @@ index 45f2162..6484c0f 100644
}
}
rcu_read_unlock();
-@@ -1756,11 +1869,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
+@@ -1756,11 +1885,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
if (task) {
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -113310,7 +113516,7 @@ index 45f2162..6484c0f 100644
rcu_read_unlock();
} else {
inode->i_uid = GLOBAL_ROOT_UID;
-@@ -2301,6 +2423,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
+@@ -2301,6 +2439,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
if (!task)
goto out_no_task;
@@ -113320,7 +113526,7 @@ index 45f2162..6484c0f 100644
/*
* Yes, it does not scale. And it should not. Don't add
* new entries into /proc/<tgid>/ without very good reasons.
-@@ -2331,6 +2456,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
+@@ -2331,6 +2472,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
if (!task)
return -ENOENT;
@@ -113330,7 +113536,7 @@ index 45f2162..6484c0f 100644
if (!dir_emit_dots(file, ctx))
goto out;
-@@ -2743,7 +2871,9 @@ static const struct inode_operations proc_task_inode_operations;
+@@ -2743,7 +2887,9 @@ static const struct inode_operations proc_task_inode_operations;
static const struct pid_entry tgid_base_stuff[] = {
DIR("task", S_IRUGO|S_IXUGO, proc_task_inode_operations, proc_task_operations),
DIR("fd", S_IRUSR|S_IXUSR, proc_fd_inode_operations, proc_fd_operations),
@@ -113340,7 +113546,7 @@ index 45f2162..6484c0f 100644
DIR("fdinfo", S_IRUSR|S_IXUSR, proc_fdinfo_inode_operations, proc_fdinfo_operations),
DIR("ns", S_IRUSR|S_IXUGO, proc_ns_dir_inode_operations, proc_ns_dir_operations),
#ifdef CONFIG_NET
-@@ -2761,7 +2891,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2761,7 +2907,7 @@ static const struct pid_entry tgid_base_stuff[] = {
REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -113349,7 +113555,7 @@ index 45f2162..6484c0f 100644
ONE("syscall", S_IRUSR, proc_pid_syscall),
#endif
REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
-@@ -2786,10 +2916,10 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2786,10 +2932,10 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -113362,7 +113568,7 @@ index 45f2162..6484c0f 100644
ONE("stack", S_IRUSR, proc_pid_stack),
#endif
#ifdef CONFIG_SCHED_INFO
-@@ -2823,6 +2953,9 @@ static const struct pid_entry tgid_base_stuff[] = {
+@@ -2823,6 +2969,9 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_HARDWALL
ONE("hardwall", S_IRUGO, proc_pid_hardwall),
#endif
@@ -113372,7 +113578,7 @@ index 45f2162..6484c0f 100644
#ifdef CONFIG_USER_NS
REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
-@@ -2955,7 +3088,14 @@ static int proc_pid_instantiate(struct inode *dir,
+@@ -2955,7 +3104,14 @@ static int proc_pid_instantiate(struct inode *dir,
if (!inode)
goto out;
@@ -113387,7 +113593,7 @@ index 45f2162..6484c0f 100644
inode->i_op = &proc_tgid_base_inode_operations;
inode->i_fop = &proc_tgid_base_operations;
inode->i_flags|=S_IMMUTABLE;
-@@ -2993,7 +3133,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
+@@ -2993,7 +3149,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
if (!task)
goto out;
@@ -113399,7 +113605,7 @@ index 45f2162..6484c0f 100644
put_task_struct(task);
out:
return ERR_PTR(result);
-@@ -3107,7 +3251,7 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3107,7 +3267,7 @@ static const struct pid_entry tid_base_stuff[] = {
REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
#endif
REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
@@ -113408,7 +113614,7 @@ index 45f2162..6484c0f 100644
ONE("syscall", S_IRUSR, proc_pid_syscall),
#endif
REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
-@@ -3134,10 +3278,10 @@ static const struct pid_entry tid_base_stuff[] = {
+@@ -3134,10 +3294,10 @@ static const struct pid_entry tid_base_stuff[] = {
#ifdef CONFIG_SECURITY
DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
#endif
@@ -113653,7 +113859,7 @@ index 42305dd..968caba 100644
if (de->size)
inode->i_size = de->size;
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
-index aa27810..9f2d3b2 100644
+index aa27810..6f98bdd 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -47,9 +47,10 @@ struct proc_dir_entry {
@@ -113700,6 +113906,21 @@ index aa27810..9f2d3b2 100644
extern int proc_readdir_de(struct proc_dir_entry *, struct file *, struct dir_context *);
static inline struct proc_dir_entry *pde_get(struct proc_dir_entry *pde)
+@@ -285,9 +292,12 @@ struct proc_maps_private {
+ #ifdef CONFIG_NUMA
+ struct mempolicy *task_mempolicy;
+ #endif
+-};
++#ifdef CONFIG_GRKERNSEC
++ u64 ptracer_exec_id;
++#endif
++} __randomize_layout;
+
+-struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode);
++struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode, u64 *ptracer_exec_id);
+
+ extern const struct file_operations proc_pid_maps_operations;
+ extern const struct file_operations proc_tid_maps_operations;
diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
index a352d57..cb94a5c 100644
--- a/fs/proc/interrupts.c
@@ -114256,7 +114477,7 @@ index 510413eb..34d9a8c 100644
seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 9d2f3e0..52c3ee0 100644
+index 9d2f3e0..0cb1d3f 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -15,12 +15,19 @@
@@ -114316,7 +114537,20 @@ index 9d2f3e0..52c3ee0 100644
hugetlb_report_usage(m, mm);
}
-@@ -281,7 +305,7 @@ static int is_stack(struct proc_maps_private *priv,
+@@ -230,7 +254,11 @@ static int proc_maps_open(struct inode *inode, struct file *file,
+ return -ENOMEM;
+
+ priv->inode = inode;
+- priv->mm = proc_mem_open(inode, PTRACE_MODE_READ);
++#ifdef CONFIG_GRKERNSEC
++ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, &priv->ptracer_exec_id);
++#else
++ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, NULL);
++#endif
+ if (IS_ERR(priv->mm)) {
+ int err = PTR_ERR(priv->mm);
+
+@@ -281,11 +309,11 @@ static int is_stack(struct proc_maps_private *priv,
stack = vma_is_stack_for_task(vma, task);
rcu_read_unlock();
}
@@ -114325,38 +114559,37 @@ index 9d2f3e0..52c3ee0 100644
}
static void
-@@ -304,13 +328,13 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+-show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
++show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid, bool restrict)
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ struct file *file = vma->vm_file;
+@@ -304,13 +332,8 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
}
- /* We don't show the stack guard page in /proc/maps */
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
-+ end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
-+#else
- start = vma->vm_start;
+- start = vma->vm_start;
- if (stack_guard_page_start(vma, start))
- start += PAGE_SIZE;
- end = vma->vm_end;
+- end = vma->vm_end;
- if (stack_guard_page_end(vma, end))
- end -= PAGE_SIZE;
-+#endif
++ start = restrict ? 0UL : vma->vm_start;
++ end = restrict ? 0UL : vma->vm_end;
seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
-@@ -320,7 +344,11 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+@@ -320,7 +343,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
flags & VM_WRITE ? 'w' : '-',
flags & VM_EXEC ? 'x' : '-',
flags & VM_MAYSHARE ? 's' : 'p',
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
-+#else
- pgoff,
-+#endif
+- pgoff,
++ restrict ? 0UL : pgoff,
MAJOR(dev), MINOR(dev), ino);
/*
-@@ -329,7 +357,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+@@ -329,7 +352,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
*/
if (file) {
seq_pad(m, ' ');
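Review bot: The new parameter `bool restrict` on show_map_vma, and the locals of the same name in show_map and show_smap further down, reuse a word that is a keyword from C99 onward, so this only compiles while the tree is built as gnu89. A descriptive name avoids that and says what the flag controls, e.g. `bool hide_layout` in the signature with `start = hide_layout ? 0UL : vma->vm_start;` and `hide_layout ? 0UL : pgoff,` at the uses. The body of show_map_vma continues outside this hunk.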
@@ -114365,20 +114598,29 @@ index 9d2f3e0..52c3ee0 100644
goto done;
}
-@@ -366,6 +394,12 @@ done:
+@@ -366,7 +389,20 @@ done:
static int show_map(struct seq_file *m, void *v, int is_pid)
{
+- show_map_vma(m, v, is_pid);
++ bool restrict = false;
++
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ if (current->exec_id != m->exec_id) {
++ struct vm_area_struct *vma = (struct vm_area_struct *)v;
++ struct proc_maps_private *priv = m->private;
++ restrict = current->exec_id != priv->ptracer_exec_id;
++ if (current->exec_id != m->exec_id && restrict) {
+ gr_log_badprocpid("maps");
+ return 0;
+ }
++ if (restrict)
++ restrict = PAX_RAND_FLAGS(vma->vm_mm);
+#endif
- show_map_vma(m, v, is_pid);
++ show_map_vma(m, v, is_pid, restrict);
m_cache_vma(m, v);
return 0;
-@@ -646,6 +680,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma)
+ }
+@@ -646,6 +682,9 @@ static void show_smap_vma_flags(struct seq_file *m, struct vm_area_struct *vma)
[ilog2(VM_RAND_READ)] = "rr",
[ilog2(VM_DONTCOPY)] = "dc",
[ilog2(VM_DONTEXPAND)] = "de",
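Review bot: The ptracer exemption in show_map is decided by comparing `current->exec_id` with `priv->ptracer_exec_id`, a value recorded once in proc_maps_open, and nothing visible here re-checks at read time that the reader is still tracing the task. If the unmasked view is meant to last as long as the file stays open, a comment should say so, for example `/* the tracer that opened this file keeps the unmasked view for the lifetime of the fd */`. The variable `restrict` also changes meaning halfway through (first "reader is not the recorded tracer", then "mask the addresses"). Two separate booleans would make the `current->exec_id != m->exec_id && restrict` test easier to audit.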
@@ -114388,9 +114630,11 @@ index 9d2f3e0..52c3ee0 100644
[ilog2(VM_ACCOUNT)] = "ac",
[ilog2(VM_NORESERVE)] = "nr",
[ilog2(VM_HUGETLB)] = "ht",
-@@ -715,6 +752,12 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+@@ -714,7 +753,14 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+ .mm = vma->vm_mm,
.private = &mss,
};
++ bool restrict = false;
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
+ if (current->exec_id != m->exec_id) {
@@ -114401,33 +114645,44 @@ index 9d2f3e0..52c3ee0 100644
memset(&mss, 0, sizeof mss);
#ifdef CONFIG_SHMEM
-@@ -741,8 +784,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+@@ -741,10 +787,15 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
}
#endif
- /* mmap_sem is held in m_start */
- walk_page_vma(vma, &smaps_walk);
+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ if (!PAX_RAND_FLAGS(vma->vm_mm))
++ if (PAX_RAND_FLAGS(vma->vm_mm))
++ restrict = true;
++ else
+#endif
+ /* mmap_sem is held in m_start */
+ walk_page_vma(vma, &smaps_walk);
- show_map_vma(m, vma, is_pid);
+- show_map_vma(m, vma, is_pid);
++ show_map_vma(m, vma, is_pid, restrict);
-@@ -764,7 +810,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
+ seq_printf(m,
+ "Size: %8lu kB\n"
+@@ -764,7 +815,7 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
"KernelPageSize: %8lu kB\n"
"MMUPageSize: %8lu kB\n"
"Locked: %8lu kB\n",
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
-+#else
- (vma->vm_end - vma->vm_start) >> 10,
-+#endif
+- (vma->vm_end - vma->vm_start) >> 10,
++ restrict ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
mss.resident >> 10,
(unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
mss.shared_clean >> 10,
-@@ -1615,6 +1665,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
+@@ -1412,7 +1463,7 @@ static int pagemap_open(struct inode *inode, struct file *file)
+ {
+ struct mm_struct *mm;
+
+- mm = proc_mem_open(inode, PTRACE_MODE_READ);
++ mm = proc_mem_open(inode, PTRACE_MODE_READ, NULL);
+ if (IS_ERR(mm))
+ return PTR_ERR(mm);
+ file->private_data = mm;
+@@ -1615,6 +1666,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
char buffer[64];
int nid;
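Review bot: In show_smap the `else` that guards `walk_page_vma(vma, &smaps_walk);` sits inside the `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` block while its statement sits after the `#endif`, so whether the walk is conditional depends on reading across the preprocessor boundary. Setting the flag inside the `#ifdef` and testing it outside is equivalent and harder to break: `restrict = PAX_RAND_FLAGS(vma->vm_mm);` before the `#endif`, then an unconditional `if (!restrict)` in front of the walk. Unlike show_map, this function keeps the plain `current->exec_id != m->exec_id` check and never consults `ptracer_exec_id`. If that difference between maps and smaps is deliberate, it should be stated in a comment next to the check.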
@@ -114441,7 +114696,7 @@ index 9d2f3e0..52c3ee0 100644
if (!mm)
return 0;
-@@ -1629,11 +1686,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
+@@ -1629,11 +1687,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
mpol_to_str(buffer, sizeof(buffer), proc_priv->task_mempolicy);
}
@@ -114459,7 +114714,7 @@ index 9d2f3e0..52c3ee0 100644
seq_puts(m, " heap");
} else if (is_stack(proc_priv, vma, is_pid)) {
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
-index faacb0c..ce736cd 100644
+index faacb0c..b185575 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
@@ -114489,6 +114744,15 @@ index faacb0c..ce736cd 100644
} else if (mm && is_stack(priv, vma, is_pid)) {
seq_pad(m, ' ');
seq_printf(m, "[stack]");
+@@ -287,7 +287,7 @@ static int maps_open(struct inode *inode, struct file *file,
+ return -ENOMEM;
+
+ priv->inode = inode;
+- priv->mm = proc_mem_open(inode, PTRACE_MODE_READ);
++ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, NULL);
+ if (IS_ERR(priv->mm)) {
+ int err = PTR_ERR(priv->mm);
+
diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
index 4e61388..1a2523d 100644
--- a/fs/proc/vmcore.c
@@ -131914,6 +132178,19 @@ index 792c898..3f045d6 100644
atomic_t numainfo_updating;
#endif
+diff --git a/include/linux/memory.h b/include/linux/memory.h
+index 8b8d8d1..75abd50 100644
+--- a/include/linux/memory.h
++++ b/include/linux/memory.h
+@@ -123,7 +123,7 @@ extern struct memory_block *find_memory_block(struct mem_section *);
+
+ #ifdef CONFIG_MEMORY_HOTPLUG
+ #define hotplug_memory_notifier(fn, pri) ({ \
+- static __meminitdata struct notifier_block fn##_mem_nb =\
++ static __meminitconst struct notifier_block fn##_mem_nb =\
+ { .notifier_call = fn, .priority = pri };\
+ register_memory_notifier(&fn##_mem_nb); \
+ })
diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
index 2696c1f..9320d41 100644
--- a/include/linux/mempolicy.h
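Review bot: In hotplug_memory_notifier, `fn##_mem_nb` moves to `__meminitconst` and is still passed by address to register_memory_notifier() on the next line. Chain registration normally stores into the block's `next` field, so this is only safe if the registration path performs that store through a kernel-write window, or the section is still writable when the macro runs. Neither is visible in this hunk. A short comment above the macro naming what makes the write legal would keep a later reader from either reverting the annotation or copying it to a notifier that is registered through a different path.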
@@ -133552,7 +133829,7 @@ index 556ec1e..38c19c9 100644
/*
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index a10494a..2d7faf1 100644
+index a10494a..3ab8d31 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -7,7 +7,7 @@
@@ -133825,7 +134102,7 @@ index a10494a..2d7faf1 100644
{
return tsk->pid;
}
-@@ -2289,6 +2397,25 @@ extern u64 sched_clock_cpu(int cpu);
+@@ -2289,6 +2397,46 @@ extern u64 sched_clock_cpu(int cpu);
extern void sched_clock_init(void);
@@ -133848,10 +134125,31 @@ index a10494a..2d7faf1 100644
+}
+#endif
+
++#ifdef CONFIG_GRKERNSEC
++static inline bool current_is_ptracer(struct task_struct *task, u64 *exec_id)
++{
++ bool ret = false;
++ if (!task->ptrace)
++ return ret;
++
++ rcu_read_lock();
++ read_lock(&tasklist_lock);
++ if (task->parent && task->parent == current) {
++ ret = true;
++ if (exec_id)
++ *exec_id = task->parent->exec_id;
++ }
++ read_unlock(&tasklist_lock);
++ rcu_read_unlock();
++
++ return ret;
++}
++#endif
++
#ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
static inline void sched_clock_tick(void)
{
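Review bot: current_is_ptracer() stores to `*exec_id` only on the path where it returns true, and that contract is not documented anywhere in the hunk. The pointer passed in proc_maps_open is `&priv->ptracer_exec_id`, presumably forwarded here by proc_mem_open, and show_map later compares that field unconditionally, so the field's initial value decides the result whenever the opener is not the tracer. A comment such as `/* Returns true if current is task's ptrace parent; *exec_id is written only in that case, so callers must pre-initialise it. */` would pin this down. Inside the locked region `task->parent->exec_id` can be written as `current->exec_id`, since the branch has just established that they are the same task.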
-@@ -2417,7 +2544,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
+@@ -2417,7 +2565,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
void yield(void);
union thread_union {
@@ -133861,7 +134159,7 @@ index a10494a..2d7faf1 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2450,6 +2579,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2450,6 +2600,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -133869,7 +134167,7 @@ index a10494a..2d7faf1 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2481,7 +2611,7 @@ extern void proc_caches_init(void);
+@@ -2481,7 +2632,7 @@ extern void proc_caches_init(void);
extern void flush_signals(struct task_struct *);
extern void ignore_signals(struct task_struct *);
extern void flush_signal_handlers(struct task_struct *, int force_default);
@@ -133878,7 +134176,7 @@ index a10494a..2d7faf1 100644
static inline int kernel_dequeue_signal(siginfo_t *info)
{
-@@ -2635,7 +2765,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2635,7 +2786,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -133887,7 +134185,7 @@ index a10494a..2d7faf1 100644
extern int do_execve(struct filename *,
const char __user * const __user *,
-@@ -2750,11 +2880,13 @@ static inline int thread_group_empty(struct task_struct *p)
+@@ -2750,11 +2901,13 @@ static inline int thread_group_empty(struct task_struct *p)
* It must not be nested with write_lock_irq(&tasklist_lock),
* neither inside nor outside.
*/
@@ -133901,7 +134199,7 @@ index a10494a..2d7faf1 100644
static inline void task_unlock(struct task_struct *p)
{
spin_unlock(&p->alloc_lock);
-@@ -2840,9 +2972,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2840,9 +2993,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#define task_stack_end_corrupted(task) \
(*(end_of_stack(task)) != STACK_END_MAGIC)
@@ -162129,10 +162427,10 @@ index 53449a6..c1fd180 100644
warning-2 += -Wdisabled-optimization
diff --git a/scripts/Makefile.gcc-plugins b/scripts/Makefile.gcc-plugins
new file mode 100644
-index 0000000..97e7a48
+index 0000000..3dfdd31
--- /dev/null
+++ b/scripts/Makefile.gcc-plugins
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,98 @@
+ifdef CONFIG_GCC_PLUGINS
+ __PLUGINCC := $(call cc-ifversion, -ge, 0408, $(HOSTCXX), $(HOSTCC))
+ PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(__PLUGINCC)" "$(HOSTCXX)" "$(CC)")
@@ -162180,6 +162478,8 @@ index 0000000..97e7a48
+
+ gcc-plugin-y += initify_plugin.so
+ gcc-plugin-cflags-y += -DINITIFY_PLUGIN
++# -fplugin-arg-initify_plugin-search_init_exit_functions
++# gcc-plugin-cflags-y += -fplugin-arg-initify_plugin-verbose
+
+ gcc-plugin-subdir-$(CONFIG_PAX_RAP) += rap_plugin
+ gcc-plugin-$(CONFIG_PAX_RAP) += rap_plugin/rap_plugin.so
@@ -163326,10 +163626,10 @@ index 0000000..ffe60f6
+}
diff --git a/scripts/gcc-plugins/constify_plugin.c b/scripts/gcc-plugins/constify_plugin.c
new file mode 100644
-index 0000000..7142f36
+index 0000000..e25c12c
--- /dev/null
+++ b/scripts/gcc-plugins/constify_plugin.c
-@@ -0,0 +1,521 @@
+@@ -0,0 +1,574 @@
+/*
+ * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
+ * Copyright 2011-2016 by PaX Team <pageexec@freemail.hu>
@@ -163355,10 +163655,25 @@ index 0000000..7142f36
+static bool enabled = true;
+
+static struct plugin_info const_plugin_info = {
-+ .version = "201605212045",
++ .version = "201606280200",
+ .help = "disable\tturn off constification\n",
+};
+
++static struct {
++ const char *name;
++ const char *asm_op;
++} const_sections[] = {
++ {".init.rodata", "\t.section\t.init.rodata,\"a\""},
++ {".ref.rodata", "\t.section\t.ref.rodata,\"a\""},
++ {".devinit.rodata", "\t.section\t.devinit.rodata,\"a\""},
++ {".devexit.rodata", "\t.section\t.devexit.rodata,\"a\""},
++ {".cpuinit.rodata", "\t.section\t.cpuinit.rodata,\"a\""},
++ {".cpuexit.rodata", "\t.section\t.cpuexit.rodata,\"a\""},
++ {".meminit.rodata", "\t.section\t.meminit.rodata,\"a\""},
++ {".memexit.rodata", "\t.section\t.memexit.rodata,\"a\""},
++ {".data..read_only", "\t.section\t.data..read_only,\"a\""},
++};
++
+typedef struct {
+ bool has_fptr_field;
+ bool has_writable_field;
@@ -163706,33 +164021,85 @@ index 0000000..7142f36
+ TYPE_CONSTIFY_VISITED(type) = 1;
+}
+
-+static void check_global_variables(void *event_data, void *data)
++static bool is_constified_var(varpool_node_ptr node)
+{
-+ varpool_node_ptr node;
++ tree var = NODE_DECL(node);
++ tree type = TREE_TYPE(var);
+
-+ FOR_EACH_VARIABLE(node) {
-+ tree var = NODE_DECL(node);
-+ tree type = TREE_TYPE(var);
++ if (DECL_EXTERNAL(var))
++ return false;
+
-+ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
-+ continue;
++ // XXX handle more complex nesting of arrays/structs
++ if (TREE_CODE(type) == ARRAY_TYPE)
++ type = TREE_TYPE(type);
+
-+ if (!TYPE_READONLY(type) || !C_TYPE_FIELDS_READONLY(type))
-+ continue;
++ if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
++ return false;
+
-+ if (!TYPE_CONSTIFY_VISITED(type))
-+ continue;
++ if (!TYPE_READONLY(type) || !C_TYPE_FIELDS_READONLY(type))
++ return false;
+
-+ if (DECL_EXTERNAL(var))
-+ continue;
++ if (!TYPE_CONSTIFY_VISITED(type))
++ return false;
++
++ return true;
++}
++
++static void check_section_mismatch(varpool_node_ptr node)
++{
++ tree var, section;
++ size_t i;
++
++ var = NODE_DECL(node);
++ section = lookup_attribute("section", DECL_ATTRIBUTES(var));
++ if (!section) {
++ gcc_assert(!get_decl_section_name(var));
++ return;
++ } else
++ gcc_assert(get_decl_section_name(var));
++
++//fprintf(stderr, "SECTIONAME: [%s] ", get_decl_section_name(var));
++//debug_tree(var);
++
++ gcc_assert(!TREE_CHAIN(section));
++ gcc_assert(TREE_VALUE(section));
++
++ section = TREE_VALUE(TREE_VALUE(section));
++ gcc_assert(!strcmp(TREE_STRING_POINTER(section), get_decl_section_name(var)));
++//debug_tree(section);
++
++ for (i = 0; i < ARRAY_SIZE(const_sections); i++)
++ if (!strcmp(const_sections[i].name, get_decl_section_name(var)))
++ return;
++
++ error_at(DECL_SOURCE_LOCATION(var), "constified variable %qD placed into writable section %E", var, section);
++}
++
++// this works around a gcc bug/feature where uninitialized globals
++// are moved into the .bss section regardless of any constification
++// see gcc/varasm.c:bss_initializer_p()
++static void fix_initializer(varpool_node_ptr node)
++{
++ tree var = NODE_DECL(node);
++ tree type = TREE_TYPE(var);
++
++ if (DECL_INITIAL(var))
++ return;
++
++ DECL_INITIAL(var) = build_constructor(type, NULL);
++// inform(DECL_SOURCE_LOCATION(var), "constified variable %qE moved into .rodata", var);
++}
++
++static void check_global_variables(void *event_data, void *data)
++{
++ varpool_node_ptr node;
+
-+ if (DECL_INITIAL(var))
++ FOR_EACH_VARIABLE(node) {
++ if (!is_constified_var(node))
+ continue;
+
-+ // this works around a gcc bug/feature where uninitialized globals
-+ // are moved into the .bss section regardless of any constification
-+ DECL_INITIAL(var) = build_constructor(type, NULL);
-+// inform(DECL_SOURCE_LOCATION(var), "constified variable %qE moved into .rodata", var);
++ check_section_mismatch(node);
++ fix_initializer(node);
+ }
+}
+
@@ -163769,30 +164136,16 @@ index 0000000..7142f36
+#define NO_GATE
+#include "gcc-generate-gimple-pass.h"
+
-+static struct {
-+ const char *name;
-+ const char *asm_op;
-+} sections[] = {
-+ {".init.rodata", "\t.section\t.init.rodata,\"a\""},
-+ {".ref.rodata", "\t.section\t.ref.rodata,\"a\""},
-+ {".devinit.rodata", "\t.section\t.devinit.rodata,\"a\""},
-+ {".devexit.rodata", "\t.section\t.devexit.rodata,\"a\""},
-+ {".cpuinit.rodata", "\t.section\t.cpuinit.rodata,\"a\""},
-+ {".cpuexit.rodata", "\t.section\t.cpuexit.rodata,\"a\""},
-+ {".meminit.rodata", "\t.section\t.meminit.rodata,\"a\""},
-+ {".memexit.rodata", "\t.section\t.memexit.rodata,\"a\""},
-+ {".data..read_only", "\t.section\t.data..read_only,\"a\""},
-+};
-+
+static unsigned int (*old_section_type_flags)(tree decl, const char *name, int reloc);
+
+static unsigned int constify_section_type_flags(tree decl, const char *name, int reloc)
+{
+ size_t i;
+
-+ for (i = 0; i < ARRAY_SIZE(sections); i++)
-+ if (!strcmp(sections[i].name, name))
++ for (i = 0; i < ARRAY_SIZE(const_sections); i++)
++ if (!strcmp(const_sections[i].name, name))
+ return 0;
++
+ return old_section_type_flags(decl, name, reloc);
+}
+
@@ -163800,9 +164153,9 @@ index 0000000..7142f36
+{
+// size_t i;
+
-+// for (i = 0; i < ARRAY_SIZE(sections); i++)
-+// sections[i].section = get_unnamed_section(0, output_section_asm_op, sections[i].asm_op);
-+// sections[i].section = get_section(sections[i].name, 0, NULL);
++// for (i = 0; i < ARRAY_SIZE(const_sections); i++)
++// const_sections[i].section = get_unnamed_section(0, output_section_asm_op, const_sections[i].asm_op);
++// const_sections[i].section = get_section(const_sections[i].name, 0, NULL);
+
+ old_section_type_flags = targetm.section_type_flags;
+ targetm.section_type_flags = constify_section_type_flags;
@@ -163853,10 +164206,10 @@ index 0000000..7142f36
+}
diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
new file mode 100644
-index 0000000..0c0b842
+index 0000000..fd6362e7
--- /dev/null
+++ b/scripts/gcc-plugins/gcc-common.h
-@@ -0,0 +1,879 @@
+@@ -0,0 +1,892 @@
+#ifndef GCC_COMMON_H_INCLUDED
+#define GCC_COMMON_H_INCLUDED
+
@@ -164396,6 +164749,14 @@ index 0000000..0c0b842
+
+typedef struct rtx_def rtx_insn;
+
++static inline const char *get_decl_section_name(const_tree decl)
++{
++ if (!DECL_SECTION_NAME(decl))
++ return NULL;
++
++ return TREE_STRING_POINTER(DECL_SECTION_NAME(decl));
++}
++
+static inline void set_decl_section_name(tree node, const char *value)
+{
+ if (value)
@@ -164513,6 +164874,11 @@ index 0000000..0c0b842
+
+#define INSN_DELETED_P(insn) (insn)->deleted()
+
++static inline const char *get_decl_section_name(const_tree decl)
++{
++ return DECL_SECTION_NAME(decl);
++}
++
+/* symtab/cgraph related */
+#define debug_cgraph_node(node) (node)->debug()
+#define cgraph_get_node(decl) cgraph_node::get(decl)