Diffstat (limited to 'kernels/linux-libre-grsec')
-rw-r--r--kernels/linux-libre-grsec/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch82
-rw-r--r--kernels/linux-libre-grsec/0001-quirk-asm_volatile_goto.patch51
-rw-r--r--kernels/linux-libre-grsec/PKGBUILD39
-rw-r--r--kernels/linux-libre-grsec/config.i6866
-rw-r--r--kernels/linux-libre-grsec/config.x86_644
-rw-r--r--kernels/linux-libre-grsec/known-exploit-detection.patch410
-rw-r--r--kernels/linux-libre-grsec/linux-libre-grsec.install6
7 files changed, 228 insertions, 370 deletions
diff --git a/kernels/linux-libre-grsec/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch b/kernels/linux-libre-grsec/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch
deleted file mode 100644
index 93803d2e6..000000000
--- a/kernels/linux-libre-grsec/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 2bd7c7b5f011b3d57e4f5625b561a6f3f2f34a81 Mon Sep 17 00:00:00 2001
-From: Trond Myklebust <trond.myklebust@primarydata.com>
-Date: Sun, 16 Feb 2014 12:14:13 -0500
-Subject: [PATCH] SUNRPC: Ensure that gss_auth isn't freed before its upcall
- messages
-
-Fix a race in which the RPC client is shutting down while the
-gss daemon is processing a downcall. If the RPC client manages to
-shut down before the gss daemon is done, then the struct gss_auth
-used in gss_release_msg() may have already been freed.
-
-Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com
-Reported-by: John <da_audiophile@yahoo.com>
-Reported-by: Borislav Petkov <bp@alien8.de>
-Cc: stable@vger.kernel.org # 3.12+
-Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
----
- net/sunrpc/auth_gss/auth_gss.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
-index 42fdfc6..a642fd616 100644
---- a/net/sunrpc/auth_gss/auth_gss.c
-+++ b/net/sunrpc/auth_gss/auth_gss.c
-@@ -108,6 +108,7 @@ struct gss_auth {
- static DEFINE_SPINLOCK(pipe_version_lock);
- static struct rpc_wait_queue pipe_version_rpc_waitqueue;
- static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue);
-+static void gss_put_auth(struct gss_auth *gss_auth);
-
- static void gss_free_ctx(struct gss_cl_ctx *);
- static const struct rpc_pipe_ops gss_upcall_ops_v0;
-@@ -320,6 +321,7 @@ gss_release_msg(struct gss_upcall_msg *gss_msg)
- if (gss_msg->ctx != NULL)
- gss_put_ctx(gss_msg->ctx);
- rpc_destroy_wait_queue(&gss_msg->rpc_waitqueue);
-+ gss_put_auth(gss_msg->auth);
- kfree(gss_msg);
- }
-
-@@ -500,6 +502,7 @@ gss_alloc_msg(struct gss_auth *gss_auth,
- if (err)
- goto err_free_msg;
- };
-+ kref_get(&gss_auth->kref);
- return gss_msg;
- err_free_msg:
- kfree(gss_msg);
-@@ -1071,6 +1074,12 @@ gss_free_callback(struct kref *kref)
- }
-
- static void
-+gss_put_auth(struct gss_auth *gss_auth)
-+{
-+ kref_put(&gss_auth->kref, gss_free_callback);
-+}
-+
-+static void
- gss_destroy(struct rpc_auth *auth)
- {
- struct gss_auth *gss_auth = container_of(auth,
-@@ -1091,7 +1100,7 @@ gss_destroy(struct rpc_auth *auth)
- gss_auth->gss_pipe[1] = NULL;
- rpcauth_destroy_credcache(auth);
-
-- kref_put(&gss_auth->kref, gss_free_callback);
-+ gss_put_auth(gss_auth);
- }
-
- /*
-@@ -1262,7 +1271,7 @@ gss_destroy_nullcred(struct rpc_cred *cred)
- call_rcu(&cred->cr_rcu, gss_free_cred_callback);
- if (ctx)
- gss_put_ctx(ctx);
-- kref_put(&gss_auth->kref, gss_free_callback);
-+ gss_put_auth(gss_auth);
- }
-
- static void
---
-1.9.0
-
diff --git a/kernels/linux-libre-grsec/0001-quirk-asm_volatile_goto.patch b/kernels/linux-libre-grsec/0001-quirk-asm_volatile_goto.patch
deleted file mode 100644
index c9ee40400..000000000
--- a/kernels/linux-libre-grsec/0001-quirk-asm_volatile_goto.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From a9f180345f5378ac87d80ed0bea55ba421d83859 Mon Sep 17 00:00:00 2001
-From: Steven Noonan <steven@uplinklabs.net>
-Date: Thu, 13 Feb 2014 07:01:07 +0000
-Subject: compiler/gcc4: Make quirk for asm_volatile_goto() unconditional
-
-I started noticing problems with KVM guest destruction on Linux
-3.12+, where guest memory wasn't being cleaned up. I bisected it
-down to the commit introducing the new 'asm goto'-based atomics,
-and found this quirk was later applied to those.
-
-Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the
-known 'asm goto' bug) I am still getting some kind of
-miscompilation. If I enable the asm_volatile_goto quirk for my
-compiler, KVM guests are destroyed correctly and the memory is
-cleaned up.
-
-So make the quirk unconditional for now, until bug is found
-and fixed.
-
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Steven Noonan <steven@uplinklabs.net>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Jakub Jelinek <jakub@redhat.com>
-Cc: Richard Henderson <rth@twiddle.net>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: <stable@vger.kernel.org>
-Link: http://lkml.kernel.org/r/1392274867-15236-1-git-send-email-steven@uplinklabs.net
-Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
----
-diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
-index ded4299..2507fd2 100644
---- a/include/linux/compiler-gcc4.h
-+++ b/include/linux/compiler-gcc4.h
-@@ -75,11 +75,7 @@
- *
- * (asm goto is automatically volatile - the naming reflects this.)
- */
--#if GCC_VERSION <= 40801
--# define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
--#else
--# define asm_volatile_goto(x...) do { asm goto(x); } while (0)
--#endif
-+#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
-
- #ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP
- #if GCC_VERSION >= 40400
---
-cgit v0.9.2
diff --git a/kernels/linux-libre-grsec/PKGBUILD b/kernels/linux-libre-grsec/PKGBUILD
index b5aad3bbb..8f83b01e3 100644
--- a/kernels/linux-libre-grsec/PKGBUILD
+++ b/kernels/linux-libre-grsec/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id: PKGBUILD 206177 2014-02-20 22:43:41Z thomas $
+# $Id: PKGBUILD 206252 2014-02-22 22:54:25Z thomas $
# Maintainer: Tobias Powalowski <tpowa@archlinux.org>
# Maintainer: Thomas Baechler <thomas@archlinux.org>
# Maintainer (Parabola): André Silva <emulatorman@parabola.nu>
@@ -10,12 +10,12 @@
pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel
#pkgbase=linux-libre-custom # Build kernel with a different name
_basekernel=3.13
-_sublevel=4
+_sublevel=5
_grsecver=3.0
-_timestamp=201402201908
+_timestamp=201402241943
pkgver=${_basekernel}.${_sublevel}
pkgrel=1
-_lxopkgver=${_basekernel}.3 # nearly always the same as pkgver
+_lxopkgver=${_basekernel}.5 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="http://linux-libre.fsfla.org/"
license=('GPL2')
@@ -39,16 +39,17 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
'0004-rpc_pipe-remove-the-clntXX-dir-if-creating-the-pipe-.patch'
'0005-sunrpc-add-an-info-file-for-the-dummy-gssd-pipe.patch'
'0006-rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-no.patch'
- '0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch'
'0001-syscalls.h-use-gcc-alias-instead-of-assembler-aliase.patch'
- '0001-quirk-asm_volatile_goto.patch'
'i8042-fix-aliases.patch'
+ 'module-blacklist.conf'
+ 'sysctl.conf'
+ 'known-exploit-detection.patch'
"http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
- '3659d30b1d06dd5b7874ae04c946863b'
- '98bb51189e0fe96a10362ddcbb79a134'
- 'a2718a1b47c6c3b0774ce786488d22c3'
- 'cbe58a543b96ae282c674875b1940e59'
+ '6e59a1e4b891ca5fa8b03d488fa64e04'
+ '810f3caa18b89eda5b41a2cff5821a4a'
+ '21da34d98cc007a78a11660863537c0d'
+ 'd4b95575b9cc32b7ba4ad8624972ddf9'
'5f66bed97a5c37e48eb2f71b2d354b9a'
'2967cecc3af9f954ccc822fd63dca6ff'
'8267264d9a8966e57fdacd1fa1fc65c4'
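Review bot: The entries added to `source` here, including `known-exploit-detection.patch`, are pinned only by `md5sums`, and the download URLs visible in this hunk are plain `http://`, so the build's integrity check rests on a collision-prone hash over an unauthenticated transport. Converting the array to `sha256sums=(...)` and regenerating it with `makepkg -g` would give a kernel package a meaningful source check. The same applies to the checksum lines added in the next hunk of this file. Both the `source` and `md5sums` arrays start or end outside this hunk.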
@@ -61,11 +62,12 @@ md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
'10dbaf863e22b2437e68f9190d65c861'
'd5907a721b97299f0685c583499f7820'
'a724515b350b29c53f20e631c6cf9a14'
- '1ae4ec847f41fa1b6d488f956e94c893'
'e6fa278c092ad83780e2dd0568e24ca6'
- '6baa312bc166681f48e972824f3f6649'
'93dbf73af819b77f03453a9c6de2bb47'
- 'ac92b702b8497d2be14f96e077a7f48f')
+ 'f93ef6157fbb23820bd5ae08fd3f451e'
+ '0db7629711f4ed76bd1f9da9f97bc4ea'
+ 'cb789bf97bc65fd4cf240d99df9c24c0'
+ '5fcb6203b54aaf7dcbdf6e2c6f159b14')
if [ "$CARCH" != "mips64el" ]; then
# don't use the Loongson-specific patches on non-mips64el arches.
unset source[${#source[@]}-1]
@@ -116,18 +118,15 @@ prepare() {
# http://git.linux-nfs.org/?p=trondmy/linux-nfs.git;a=commitdiff;h=23e66ba97127ff3b064d4c6c5138aa34eafc492f
patch -p1 -i "${srcdir}/0006-rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-no.patch"
- # Fix FS#38921
- # http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9eb2ddb48ce3a7bd745c14a933112994647fa3cd
- patch -p1 -i "${srcdir}/0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch"
-
# Fix symbols: Revert http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=83460ec8dcac14142e7860a01fa59c267ac4657c
patch -Rp1 -i "${srcdir}/0001-syscalls.h-use-gcc-alias-instead-of-assembler-aliase.patch"
# Fix i8042 aliases
patch -p1 -i "${srcdir}/i8042-fix-aliases.patch"
- # Fix compile issues
- # http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/patch/?id=a9f180345f5378ac87d80ed0bea55ba421d83859
- patch -Np1 -i "${srcdir}/0001-quirk-asm_volatile_goto.patch"
+
+ # add known exploit detection patch
+ # http://lkml.org/lkml/2013/12/12/358
+ patch -Np1 -i "${srcdir}/known-exploit-detection.patch"
if [ "$CARCH" == "mips64el" ]; then
sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile
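Review bot: Removing the `0001-SUNRPC-Ensure-that-gss_auth-isn-t-freed-before-its-u.patch` step drops a fix for a use-after-free race (FS#38921), and nothing in the hunk records that the `_sublevel=5` source already contains it. The deleted patch was tagged for stable 3.12+, so it has presumably landed there, but that should be confirmed against the new tree before release. Once confirmed, a comment such as `# gss_auth race fix and asm_volatile_goto quirk dropped: included upstream in 3.13.5` would keep the reasoning next to the remaining patch steps. prepare() starts and ends outside the hunk.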
diff --git a/kernels/linux-libre-grsec/config.i686 b/kernels/linux-libre-grsec/config.i686
index 3d48a9b03..07840923d 100644
--- a/kernels/linux-libre-grsec/config.i686
+++ b/kernels/linux-libre-grsec/config.i686
@@ -497,7 +497,7 @@ CONFIG_KEXEC=y
CONFIG_PHYSICAL_START=0x1000000
CONFIG_RELOCATABLE=y
CONFIG_X86_NEED_RELOCS=y
-CONFIG_PHYSICAL_ALIGN=0x100000
+CONFIG_PHYSICAL_ALIGN=0x1000000
CONFIG_HOTPLUG_CPU=y
# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
@@ -5874,7 +5874,9 @@ CONFIG_JFFS2_FS_DEBUG=0
CONFIG_JFFS2_FS_WRITEBUFFER=y
# CONFIG_JFFS2_FS_WBUF_VERIFY is not set
# CONFIG_JFFS2_SUMMARY is not set
-# CONFIG_JFFS2_FS_XATTR is not set
+CONFIG_JFFS2_FS_XATTR=y
+CONFIG_JFFS2_FS_POSIX_ACL=y
+CONFIG_JFFS2_FS_SECURITY=y
# CONFIG_JFFS2_COMPRESSION_OPTIONS is not set
CONFIG_JFFS2_ZLIB=y
# CONFIG_JFFS2_LZO is not set
diff --git a/kernels/linux-libre-grsec/config.x86_64 b/kernels/linux-libre-grsec/config.x86_64
index 0269c67cc..f89860f78 100644
--- a/kernels/linux-libre-grsec/config.x86_64
+++ b/kernels/linux-libre-grsec/config.x86_64
@@ -5662,7 +5662,9 @@ CONFIG_JFFS2_FS_DEBUG=0
CONFIG_JFFS2_FS_WRITEBUFFER=y
# CONFIG_JFFS2_FS_WBUF_VERIFY is not set
# CONFIG_JFFS2_SUMMARY is not set
-# CONFIG_JFFS2_FS_XATTR is not set
+CONFIG_JFFS2_FS_XATTR=y
+CONFIG_JFFS2_FS_POSIX_ACL=y
+CONFIG_JFFS2_FS_SECURITY=y
# CONFIG_JFFS2_COMPRESSION_OPTIONS is not set
CONFIG_JFFS2_ZLIB=y
# CONFIG_JFFS2_LZO is not set
diff --git a/kernels/linux-libre-grsec/known-exploit-detection.patch b/kernels/linux-libre-grsec/known-exploit-detection.patch
index 4837a9ce5..7629b4d85 100644
--- a/kernels/linux-libre-grsec/known-exploit-detection.patch
+++ b/kernels/linux-libre-grsec/known-exploit-detection.patch
@@ -1,147 +1,29 @@
-diff --git a/include/linux/exploit.h b/include/linux/exploit.h
-new file mode 100644
-index 0000000..a8df72a
---- /dev/null
-+++ b/include/linux/exploit.h
-@@ -0,0 +1,23 @@
-+#ifndef _LINUX_EXPLOIT_H
-+#define _LINUX_EXPLOIT_H
-+
-+#ifdef CONFIG_EXPLOIT_DETECTION
-+extern void _exploit(const char *id);
-+
-+#define exploit_on(cond, id) \
-+ do { \
-+ if (unlikely(cond)) \
-+ _exploit(id); \
-+ } while (0)
-+
-+#else
-+
-+#define exploit_on(cond, id) \
-+ do { \
-+ } while (0)
-+
-+#endif
-+
-+#define exploit(id) exploit_on(true, id)
-+
-+#endif
-diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..a828dfb 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -167,5 +167,17 @@ config DEFAULT_SECURITY
- default "yama" if DEFAULT_SECURITY_YAMA
- default "" if DEFAULT_SECURITY_DAC
-
--endmenu
-+config EXPLOIT_DETECTION
-+ bool "Known exploit detection"
-+ depends on PRINTK
-+ default y
-+ help
-+ This option enables the detection of users/programs who attempt to
-+ break into the kernel using publicly known (past) exploits.
-+
-+ Upon detection, a message will be printed in the kernel log.
-
-+ The runtime overhead of enabling this option is extremely small, so
-+ you are recommended to say Y.
-+
-+endmenu
-diff --git a/security/Makefile b/security/Makefile
-index c26c81e..d152a1d 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -28,3 +28,5 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
- # Object integrity file lists
- subdir-$(CONFIG_INTEGRITY) += integrity
- obj-$(CONFIG_INTEGRITY) += integrity/built-in.o
-+
-+obj-$(CONFIG_EXPLOIT_DETECTION) += exploit.o
-diff --git a/security/exploit.c b/security/exploit.c
-new file mode 100644
-index 0000000..a732613
---- /dev/null
-+++ b/security/exploit.c
-@@ -0,0 +1,28 @@
-+#include <linux/cred.h>
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 3432443..f5af562 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -38,6 +38,7 @@
+ #include <linux/uaccess.h>
+ #include <linux/gfp.h>
+ #include <linux/grsecurity.h>
+#include <linux/exploit.h>
-+#include <linux/printk.h>
-+#include <linux/ratelimit.h>
-+#include <linux/sched.h>
-+
-+void _exploit(const char *id)
-+{
-+ /*
-+ * This function needs to be super defensive/conservative, since
-+ * userspace can easily get to it from several different contexts.
-+ * We don't want it to become an attack vector in itself!
-+ *
-+ * We can assume that we're in process context, but spinlocks may
-+ * be held, etc.
-+ */
-+
-+ struct task_struct *task = current;
-+ pid_t pid = task_pid_nr(task);
-+ uid_t uid = from_kuid(&init_user_ns, current_uid());
-+ char comm[sizeof(task->comm)];
-+
-+ get_task_comm(comm, task);
-+
-+ pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
-+ id, pid, uid, comm);
-+}
-+EXPORT_SYMBOL(_exploit);
-diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
-index 75cef3f..65811d4 100644
---- a/include/uapi/linux/audit.h
-+++ b/include/uapi/linux/audit.h
-@@ -131,6 +131,7 @@
- #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
- #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
- #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
-+#define AUDIT_ANOM_EXPLOIT 1703 /* Known exploit attempt */
- #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
- #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
- #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
-diff --git a/security/exploit.c b/security/exploit.c
-index a732613..3d8ee5b 100644
---- a/security/exploit.c
-+++ b/security/exploit.c
-@@ -1,3 +1,4 @@
-+#include <linux/audit.h>
- #include <linux/cred.h>
- #include <linux/exploit.h>
- #include <linux/printk.h>
-@@ -19,9 +20,24 @@ void _exploit(const char *id)
- pid_t pid = task_pid_nr(task);
- uid_t uid = from_kuid(&init_user_ns, current_uid());
- char comm[sizeof(task->comm)];
-+#ifdef CONFIG_AUDIT
-+ struct audit_buffer *ab;
-+#endif
- get_task_comm(comm, task);
+ #include <asm/processor.h>
+ #include <asm/msr.h>
+@@ -184,8 +185,10 @@ static int msr_open(struct inode *inode, struct file *file)
+ unsigned int cpu = iminor(file_inode(file));
+ struct cpuinfo_x86 *c;
-+#ifdef CONFIG_AUDIT
-+ ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_ANOM_EXPLOIT);
-+ if (ab) {
-+ audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u ses=%u comm=",
-+ id, pid, uid,
-+ from_kuid(&init_user_ns, audit_get_loginuid(task)),
-+ audit_get_sessionid(task));
-+ audit_log_untrustedstring(ab, comm);
-+ audit_log_end(ab);
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO)) {
++ exploit("CVE-2013-0268");
+ return -EPERM;
+ }
-+#endif
-+
- pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
- id, pid, uid, comm);
- }
+
+ if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ return -ENXIO; /* No such CPU */
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index bf34577..48490c1 100644
+index ee52ddd..be4c296 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -32,6 +32,7 @@
@@ -150,9 +32,9 @@ index bf34577..48490c1 100644
#include <linux/dma_remapping.h>
+#include <linux/exploit.h>
- struct eb_objects {
- struct list_head objects;
-@@ -785,8 +786,10 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ #define __EXEC_OBJECT_HAS_PIN (1<<31)
+ #define __EXEC_OBJECT_HAS_FENCE (1<<30)
+@@ -878,8 +879,10 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
* the worst case where we need to allocate the entire
* relocation tree as a single array.
*/
@@ -164,30 +46,6 @@ index bf34577..48490c1 100644
relocs_total += exec[i].relocation_count;
length = exec[i].relocation_count *
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 88458fa..fad04f1 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -37,6 +37,7 @@
- #include <linux/notifier.h>
- #include <linux/uaccess.h>
- #include <linux/gfp.h>
-+#include <linux/exploit.h>
-
- #include <asm/processor.h>
- #include <asm/msr.h>
-@@ -174,8 +175,10 @@ static int msr_open(struct inode *inode, struct file *file)
- unsigned int cpu = iminor(file_inode(file));
- struct cpuinfo_x86 *c;
-
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO)) {
-+ exploit("CVE-2013-0268");
- return -EPERM;
-+ }
-
- if (cpu >= nr_cpu_ids || !cpu_online(cpu))
- return -ENXIO; /* No such CPU */
diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
index b1ce4c7..2fe83f0 100644
--- a/fs/hfs/trans.c
@@ -212,50 +70,6 @@ index b1ce4c7..2fe83f0 100644
dst = out;
dstlen = HFS_MAX_NAMELEN;
if (nls_io) {
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 13fb113..df7a51a 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -22,6 +22,7 @@
- #include <linux/ctype.h>
- #include <linux/projid.h>
- #include <linux/fs_struct.h>
-+#include <linux/exploit.h>
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
-
-@@ -806,11 +807,15 @@ static bool new_idmap_permitted(const struct file *file,
- kuid_t uid = make_kuid(ns->parent, id);
- if (uid_eq(uid, file->f_cred->fsuid))
- return true;
-+
-+ exploit_on(uid_eq(uid, current_fsuid()), "CVE-2013-1959");
- }
- else if (cap_setid == CAP_SETGID) {
- kgid_t gid = make_kgid(ns->parent, id);
- if (gid_eq(gid, file->f_cred->fsgid))
- return true;
-+
-+ exploit_on(gid_eq(gid, current_fsgid()), "CVE-2013-1959");
- }
- }
-
-@@ -822,9 +827,12 @@ static bool new_idmap_permitted(const struct file *file,
- * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
- * And the opener of the id file also had the approprpiate capability.
- */
-- if (ns_capable(ns->parent, cap_setid) &&
-- file_ns_capable(file, ns->parent, cap_setid))
-- return true;
-+ if (ns_capable(ns->parent, cap_setid)) {
-+ if (file_ns_capable(file, ns->parent, cap_setid))
-+ return true;
-+
-+ exploit("CVE-2013-1959");
-+ }
-
- return false;
- }
diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
index 968ce41..5f47a1a 100644
--- a/fs/hfsplus/catalog.c
@@ -304,8 +118,49 @@ index 4a4fea0..2d5e283 100644
err = -EIO;
goto out;
}
+diff --git a/include/linux/exploit.h b/include/linux/exploit.h
+new file mode 100644
+index 0000000..a8df72a
+--- /dev/null
++++ b/include/linux/exploit.h
+@@ -0,0 +1,23 @@
++#ifndef _LINUX_EXPLOIT_H
++#define _LINUX_EXPLOIT_H
++
++#ifdef CONFIG_EXPLOIT_DETECTION
++extern void _exploit(const char *id);
++
++#define exploit_on(cond, id) \
++ do { \
++ if (unlikely(cond)) \
++ _exploit(id); \
++ } while (0)
++
++#else
++
++#define exploit_on(cond, id) \
++ do { \
++ } while (0)
++
++#endif
++
++#define exploit(id) exploit_on(true, id)
++
++#endif
+diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
+index 44b05a0..0a820b4 100644
+--- a/include/uapi/linux/audit.h
++++ b/include/uapi/linux/audit.h
+@@ -134,6 +134,7 @@
+ #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+ #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
+ #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
++#define AUDIT_ANOM_EXPLOIT 1703 /* Known exploit attempt */
+ #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
+ #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
+ #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 953c143..32b9383 100644
+index 11b21f0..a881843 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -39,6 +39,7 @@
@@ -316,7 +171,7 @@ index 953c143..32b9383 100644
#include "internal.h"
-@@ -5721,6 +5722,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
+@@ -5772,6 +5773,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
static int perf_swevent_init(struct perf_event *event)
{
u64 event_id = event->attr.config;
@@ -324,8 +179,52 @@ index 953c143..32b9383 100644
if (event->attr.type != PERF_TYPE_SOFTWARE)
return -ENOENT;
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 583473e..4614b6e 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,6 +22,7 @@
+ #include <linux/ctype.h>
+ #include <linux/projid.h>
+ #include <linux/fs_struct.h>
++#include <linux/exploit.h>
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+
+@@ -827,11 +828,15 @@ static bool new_idmap_permitted(const struct file *file,
+ kuid_t uid = make_kuid(ns->parent, id);
+ if (uid_eq(uid, file->f_cred->fsuid))
+ return true;
++
++ exploit_on(uid_eq(uid, current_fsuid()), "CVE-2013-1959");
+ }
+ else if (cap_setid == CAP_SETGID) {
+ kgid_t gid = make_kgid(ns->parent, id);
+ if (gid_eq(gid, file->f_cred->fsgid))
+ return true;
++
++ exploit_on(gid_eq(gid, current_fsgid()), "CVE-2013-1959");
+ }
+ }
+
+@@ -843,9 +848,12 @@ static bool new_idmap_permitted(const struct file *file,
+ * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
+ * And the opener of the id file also had the approprpiate capability.
+ */
+- if (ns_capable(ns->parent, cap_setid) &&
+- file_ns_capable(file, ns->parent, cap_setid))
+- return true;
++ if (ns_capable(ns->parent, cap_setid)) {
++ if (file_ns_capable(file, ns->parent, cap_setid))
++ return true;
++
++ exploit("CVE-2013-1959");
++ }
+
+ return false;
+ }
diff --git a/net/core/sock.c b/net/core/sock.c
-index 0b39e7a..c16246f 100644
+index 997c88b..5fc9f05 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -117,6 +117,7 @@
@@ -336,7 +235,7 @@ index 0b39e7a..c16246f 100644
#include <asm/uaccess.h>
-@@ -1753,8 +1754,10 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+@@ -1758,8 +1759,10 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
int i;
err = -EMSGSIZE;
@@ -348,3 +247,86 @@ index 0b39e7a..c16246f 100644
timeo = sock_sndtimeo(sk, noblock);
while (!skb) {
+diff --git a/security/Kconfig b/security/Kconfig
+index 0ebde71..9afec5d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -1120,5 +1120,17 @@ config DEFAULT_SECURITY
+ default "yama" if DEFAULT_SECURITY_YAMA
+ default "" if DEFAULT_SECURITY_DAC
+
+-endmenu
++config EXPLOIT_DETECTION
++ bool "Known exploit detection"
++ depends on PRINTK
++ default y
++ help
++ This option enables the detection of users/programs who attempt to
++ break into the kernel using publicly known (past) exploits.
+
++ Upon detection, a message will be printed in the kernel log.
++
++ The runtime overhead of enabling this option is extremely small, so
++ you are recommended to say Y.
++
++endmenu
+diff --git a/security/Makefile b/security/Makefile
+index a5918e0..abc70cd 100644
+--- a/security/Makefile
++++ b/security/Makefile
+@@ -27,3 +27,5 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+ # Object integrity file lists
+ subdir-$(CONFIG_INTEGRITY) += integrity
+ obj-$(CONFIG_INTEGRITY) += integrity/built-in.o
++
++obj-$(CONFIG_EXPLOIT_DETECTION) += exploit.o
+diff --git a/security/exploit.c b/security/exploit.c
+new file mode 100644
+index 0000000..3d8ee5b
+--- /dev/null
++++ b/security/exploit.c
+@@ -0,0 +1,44 @@
++#include <linux/audit.h>
++#include <linux/cred.h>
++#include <linux/exploit.h>
++#include <linux/printk.h>
++#include <linux/ratelimit.h>
++#include <linux/sched.h>
++
++void _exploit(const char *id)
++{
++ /*
++ * This function needs to be super defensive/conservative, since
++ * userspace can easily get to it from several different contexts.
++ * We don't want it to become an attack vector in itself!
++ *
++ * We can assume that we're in process context, but spinlocks may
++ * be held, etc.
++ */
++
++ struct task_struct *task = current;
++ pid_t pid = task_pid_nr(task);
++ uid_t uid = from_kuid(&init_user_ns, current_uid());
++ char comm[sizeof(task->comm)];
++#ifdef CONFIG_AUDIT
++ struct audit_buffer *ab;
++#endif
++
++ get_task_comm(comm, task);
++
++#ifdef CONFIG_AUDIT
++ ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_ANOM_EXPLOIT);
++ if (ab) {
++ audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u ses=%u comm=",
++ id, pid, uid,
++ from_kuid(&init_user_ns, audit_get_loginuid(task)),
++ audit_get_sessionid(task));
++ audit_log_untrustedstring(ab, comm);
++ audit_log_end(ab);
++ }
++#endif
++
++ pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
++ id, pid, uid, comm);
++}
++EXPORT_SYMBOL(_exploit);
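Review bot: In `_exploit()` the task name is passed to `pr_warn_ratelimited` with a raw `%s`, while the audit branch just above treats the same buffer as untrusted through `audit_log_untrustedstring`. `comm` can be set by the process that triggers the hook, so control characters or newlines in it could produce misleading kernel log lines; the printk path should print a copy with non-printable bytes replaced. Separately, `pid` is a `pid_t` but is formatted with `%u` in both format strings, where `%d` matches the type. Because the printk is rate limited and `audit_log_start(NULL, GFP_ATOMIC, ...)` can return NULL, either record may be missing under load, which is worth stating in the `EXPLOIT_DETECTION` help text for anyone alerting on these messages.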
diff --git a/kernels/linux-libre-grsec/linux-libre-grsec.install b/kernels/linux-libre-grsec/linux-libre-grsec.install
index dfdf39530..68eb041c0 100644
--- a/kernels/linux-libre-grsec/linux-libre-grsec.install
+++ b/kernels/linux-libre-grsec/linux-libre-grsec.install
@@ -100,6 +100,12 @@ post_upgrade() {
mkinitcpio -p linux-libre${KERNEL_NAME}
fi
+ if [ $(vercmp $2 3.13) -lt 0 ]; then
+ echo ">>> WARNING: AT keyboard support is no longer built into the kernel."
+ echo ">>> In order to use your keyboard during early init, you MUST"
+ echo ">>> include the 'keyboard' hook in your mkinitcpio.conf."
+ fi
+
_add_groups
_fix_permissions