From f87f46a4b736917e557907e70268f47533e48a72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?=
 <emulatorman@parabola.nu>
Date: Tue, 25 Feb 2014 01:30:27 -0200
Subject: linux-libre-grsec: add module-blacklist.conf, sysctl.conf and
 known-exploit-detection.patch on source line

---
 kernels/linux-libre-grsec/PKGBUILD                 |  12 +-
 kernels/linux-libre-grsec/config.i686              |   2 +-
 .../known-exploit-detection.patch                  | 410 ++++++++++-----------
 3 files changed, 208 insertions(+), 216 deletions(-)

diff --git a/kernels/linux-libre-grsec/PKGBUILD b/kernels/linux-libre-grsec/PKGBUILD
index 1bc252caf..e17657146 100644
--- a/kernels/linux-libre-grsec/PKGBUILD
+++ b/kernels/linux-libre-grsec/PKGBUILD
@@ -41,11 +41,14 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
         '0006-rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-no.patch'
         '0001-syscalls.h-use-gcc-alias-instead-of-assembler-aliase.patch'
         'i8042-fix-aliases.patch'
+        'module-blacklist.conf'
+        'sysctl.conf'
+        'known-exploit-detection.patch'
         "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
 md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
          '3659d30b1d06dd5b7874ae04c946863b'
          '0022d89a923e5e871ba53db1f969e46e'
-         'c7dae5d3fbb294ea14e67915ac86a37a'
+         '21da34d98cc007a78a11660863537c0d'
          'd4b95575b9cc32b7ba4ad8624972ddf9'
          '5f66bed97a5c37e48eb2f71b2d354b9a'
          '2967cecc3af9f954ccc822fd63dca6ff'
@@ -61,6 +64,9 @@ md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
          'a724515b350b29c53f20e631c6cf9a14'
          'e6fa278c092ad83780e2dd0568e24ca6'
          '93dbf73af819b77f03453a9c6de2bb47'
+         'f93ef6157fbb23820bd5ae08fd3f451e'
+         '0db7629711f4ed76bd1f9da9f97bc4ea'
+         'cb789bf97bc65fd4cf240d99df9c24c0'
          'ac92b702b8497d2be14f96e077a7f48f')
 if [ "$CARCH" != "mips64el" ]; then
     # don't use the Loongson-specific patches on non-mips64el arches.
@@ -118,6 +124,10 @@ prepare() {
   # Fix i8042 aliases
   patch -p1 -i "${srcdir}/i8042-fix-aliases.patch"
 
+  # add known exploit detection patch
+  # http://lkml.org/lkml/2013/12/12/358
+  patch -Np1 -i "${srcdir}/known-exploit-detection.patch"
+
   if [ "$CARCH" == "mips64el" ]; then
     sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile
     sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \
diff --git a/kernels/linux-libre-grsec/config.i686 b/kernels/linux-libre-grsec/config.i686
index 5bbdedd4a..07840923d 100644
--- a/kernels/linux-libre-grsec/config.i686
+++ b/kernels/linux-libre-grsec/config.i686
@@ -497,7 +497,7 @@ CONFIG_KEXEC=y
 CONFIG_PHYSICAL_START=0x1000000
 CONFIG_RELOCATABLE=y
 CONFIG_X86_NEED_RELOCS=y
-CONFIG_PHYSICAL_ALIGN=0x100000
+CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
diff --git a/kernels/linux-libre-grsec/known-exploit-detection.patch b/kernels/linux-libre-grsec/known-exploit-detection.patch
index 4837a9ce5..7629b4d85 100644
--- a/kernels/linux-libre-grsec/known-exploit-detection.patch
+++ b/kernels/linux-libre-grsec/known-exploit-detection.patch
@@ -1,147 +1,29 @@
-diff --git a/include/linux/exploit.h b/include/linux/exploit.h
-new file mode 100644
-index 0000000..a8df72a
---- /dev/null
-+++ b/include/linux/exploit.h
-@@ -0,0 +1,23 @@
-+#ifndef _LINUX_EXPLOIT_H
-+#define _LINUX_EXPLOIT_H
-+
-+#ifdef CONFIG_EXPLOIT_DETECTION
-+extern void _exploit(const char *id);
-+
-+#define exploit_on(cond, id) \
-+	do { \
-+		if (unlikely(cond)) \
-+			_exploit(id); \
-+	} while (0)
-+
-+#else
-+
-+#define exploit_on(cond, id) \
-+	do { \
-+	} while (0)
-+
-+#endif
-+
-+#define exploit(id) exploit_on(true, id)
-+
-+#endif
-diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..a828dfb 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -167,5 +167,17 @@ config DEFAULT_SECURITY
- 	default "yama" if DEFAULT_SECURITY_YAMA
- 	default "" if DEFAULT_SECURITY_DAC
- 
--endmenu
-+config EXPLOIT_DETECTION
-+	bool "Known exploit detection"
-+	depends on PRINTK
-+	default y
-+	help
-+	  This option enables the detection of users/programs who attempt to
-+	  break into the kernel using publicly known (past) exploits.
-+
-+	  Upon detection, a message will be printed in the kernel log.
- 
-+	  The runtime overhead of enabling this option is extremely small, so
-+	  you are recommended to say Y.
-+
-+endmenu
-diff --git a/security/Makefile b/security/Makefile
-index c26c81e..d152a1d 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -28,3 +28,5 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
- # Object integrity file lists
- subdir-$(CONFIG_INTEGRITY)		+= integrity
- obj-$(CONFIG_INTEGRITY)			+= integrity/built-in.o
-+
-+obj-$(CONFIG_EXPLOIT_DETECTION)		+= exploit.o
-diff --git a/security/exploit.c b/security/exploit.c
-new file mode 100644
-index 0000000..a732613
---- /dev/null
-+++ b/security/exploit.c
-@@ -0,0 +1,28 @@
-+#include <linux/cred.h>
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 3432443..f5af562 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -38,6 +38,7 @@
+ #include <linux/uaccess.h>
+ #include <linux/gfp.h>
+ #include <linux/grsecurity.h>
 +#include <linux/exploit.h>
-+#include <linux/printk.h>
-+#include <linux/ratelimit.h>
-+#include <linux/sched.h>
-+
-+void _exploit(const char *id)
-+{
-+	/*
-+	 * This function needs to be super defensive/conservative, since
-+	 * userspace can easily get to it from several different contexts.
-+	 * We don't want it to become an attack vector in itself!
-+	 *
-+	 * We can assume that we're in process context, but spinlocks may
-+	 * be held, etc.
-+	 */
-+
-+	struct task_struct *task = current;
-+	pid_t pid = task_pid_nr(task);
-+	uid_t uid = from_kuid(&init_user_ns, current_uid());
-+	char comm[sizeof(task->comm)];
-+
-+	get_task_comm(comm, task);
-+
-+	pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
-+		id, pid, uid, comm);
-+}
-+EXPORT_SYMBOL(_exploit);
-diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
-index 75cef3f..65811d4 100644
---- a/include/uapi/linux/audit.h
-+++ b/include/uapi/linux/audit.h
-@@ -131,6 +131,7 @@
- #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
- #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
- #define AUDIT_ANOM_LINK		    1702 /* Suspicious use of file links */
-+#define AUDIT_ANOM_EXPLOIT          1703 /* Known exploit attempt */
- #define AUDIT_INTEGRITY_DATA	    1800 /* Data integrity verification */
- #define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
- #define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
-diff --git a/security/exploit.c b/security/exploit.c
-index a732613..3d8ee5b 100644
---- a/security/exploit.c
-+++ b/security/exploit.c
-@@ -1,3 +1,4 @@
-+#include <linux/audit.h>
- #include <linux/cred.h>
- #include <linux/exploit.h>
- #include <linux/printk.h>
-@@ -19,9 +20,24 @@ void _exploit(const char *id)
- 	pid_t pid = task_pid_nr(task);
- 	uid_t uid = from_kuid(&init_user_ns, current_uid());
- 	char comm[sizeof(task->comm)];
-+#ifdef CONFIG_AUDIT
-+	struct audit_buffer *ab;
-+#endif
  
- 	get_task_comm(comm, task);
+ #include <asm/processor.h>
+ #include <asm/msr.h>
+@@ -184,8 +185,10 @@ static int msr_open(struct inode *inode, struct file *file)
+ 	unsigned int cpu = iminor(file_inode(file));
+ 	struct cpuinfo_x86 *c;
  
-+#ifdef CONFIG_AUDIT
-+	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_ANOM_EXPLOIT);
-+	if (ab) {
-+		audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u ses=%u comm=",
-+			id, pid, uid,
-+			from_kuid(&init_user_ns, audit_get_loginuid(task)),
-+			audit_get_sessionid(task));
-+		audit_log_untrustedstring(ab, comm);
-+		audit_log_end(ab);
+-	if (!capable(CAP_SYS_RAWIO))
++	if (!capable(CAP_SYS_RAWIO)) {
++		exploit("CVE-2013-0268");
+ 		return -EPERM;
 +	}
-+#endif
-+
- 	pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
- 		id, pid, uid, comm);
- }
+ 
+ 	if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ 		return -ENXIO;	/* No such CPU */
 diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index bf34577..48490c1 100644
+index ee52ddd..be4c296 100644
 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
 +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
 @@ -32,6 +32,7 @@
@@ -150,9 +32,9 @@ index bf34577..48490c1 100644
  #include <linux/dma_remapping.h>
 +#include <linux/exploit.h>
  
- struct eb_objects {
- 	struct list_head objects;
-@@ -785,8 +786,10 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ #define  __EXEC_OBJECT_HAS_PIN (1<<31)
+ #define  __EXEC_OBJECT_HAS_FENCE (1<<30)
+@@ -878,8 +879,10 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
  		 * the worst case where we need to allocate the entire
  		 * relocation tree as a single array.
  		 */
@@ -164,30 +46,6 @@ index bf34577..48490c1 100644
  		relocs_total += exec[i].relocation_count;
  
  		length = exec[i].relocation_count *
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 88458fa..fad04f1 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -37,6 +37,7 @@
- #include <linux/notifier.h>
- #include <linux/uaccess.h>
- #include <linux/gfp.h>
-+#include <linux/exploit.h>
- 
- #include <asm/processor.h>
- #include <asm/msr.h>
-@@ -174,8 +175,10 @@ static int msr_open(struct inode *inode, struct file *file)
- 	unsigned int cpu = iminor(file_inode(file));
- 	struct cpuinfo_x86 *c;
- 
--	if (!capable(CAP_SYS_RAWIO))
-+	if (!capable(CAP_SYS_RAWIO)) {
-+		exploit("CVE-2013-0268");
- 		return -EPERM;
-+	}
- 
- 	if (cpu >= nr_cpu_ids || !cpu_online(cpu))
- 		return -ENXIO;	/* No such CPU */
 diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
 index b1ce4c7..2fe83f0 100644
 --- a/fs/hfs/trans.c
@@ -212,50 +70,6 @@ index b1ce4c7..2fe83f0 100644
  	dst = out;
  	dstlen = HFS_MAX_NAMELEN;
  	if (nls_io) {
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 13fb113..df7a51a 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -22,6 +22,7 @@
- #include <linux/ctype.h>
- #include <linux/projid.h>
- #include <linux/fs_struct.h>
-+#include <linux/exploit.h>
- 
- static struct kmem_cache *user_ns_cachep __read_mostly;
- 
-@@ -806,11 +807,15 @@ static bool new_idmap_permitted(const struct file *file,
- 			kuid_t uid = make_kuid(ns->parent, id);
- 			if (uid_eq(uid, file->f_cred->fsuid))
- 				return true;
-+
-+			exploit_on(uid_eq(uid, current_fsuid()), "CVE-2013-1959");
- 		}
- 		else if (cap_setid == CAP_SETGID) {
- 			kgid_t gid = make_kgid(ns->parent, id);
- 			if (gid_eq(gid, file->f_cred->fsgid))
- 				return true;
-+
-+			exploit_on(gid_eq(gid, current_fsgid()), "CVE-2013-1959");
- 		}
- 	}
- 
-@@ -822,9 +827,12 @@ static bool new_idmap_permitted(const struct file *file,
- 	 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
- 	 * And the opener of the id file also had the approprpiate capability.
- 	 */
--	if (ns_capable(ns->parent, cap_setid) &&
--	    file_ns_capable(file, ns->parent, cap_setid))
--		return true;
-+	if (ns_capable(ns->parent, cap_setid)) {
-+		if (file_ns_capable(file, ns->parent, cap_setid))
-+			return true;
-+
-+		exploit("CVE-2013-1959");
-+	}
- 
- 	return false;
- }
 diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
 index 968ce41..5f47a1a 100644
 --- a/fs/hfsplus/catalog.c
@@ -304,8 +118,49 @@ index 4a4fea0..2d5e283 100644
  			err = -EIO;
  			goto out;
  		}
+diff --git a/include/linux/exploit.h b/include/linux/exploit.h
+new file mode 100644
+index 0000000..a8df72a
+--- /dev/null
++++ b/include/linux/exploit.h
+@@ -0,0 +1,23 @@
++#ifndef _LINUX_EXPLOIT_H
++#define _LINUX_EXPLOIT_H
++
++#ifdef CONFIG_EXPLOIT_DETECTION
++extern void _exploit(const char *id);
++
++#define exploit_on(cond, id) \
++	do { \
++		if (unlikely(cond)) \
++			_exploit(id); \
++	} while (0)
++
++#else
++
++#define exploit_on(cond, id) \
++	do { \
++	} while (0)
++
++#endif
++
++#define exploit(id) exploit_on(true, id)
++
++#endif
+diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
+index 44b05a0..0a820b4 100644
+--- a/include/uapi/linux/audit.h
++++ b/include/uapi/linux/audit.h
+@@ -134,6 +134,7 @@
+ #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
+ #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
+ #define AUDIT_ANOM_LINK		    1702 /* Suspicious use of file links */
++#define AUDIT_ANOM_EXPLOIT          1703 /* Known exploit attempt */
+ #define AUDIT_INTEGRITY_DATA	    1800 /* Data integrity verification */
+ #define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
+ #define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 953c143..32b9383 100644
+index 11b21f0..a881843 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
 @@ -39,6 +39,7 @@
@@ -316,7 +171,7 @@ index 953c143..32b9383 100644
  
  #include "internal.h"
  
-@@ -5721,6 +5722,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
+@@ -5772,6 +5773,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
  static int perf_swevent_init(struct perf_event *event)
  {
  	u64 event_id = event->attr.config;
@@ -324,8 +179,52 @@ index 953c143..32b9383 100644
  
  	if (event->attr.type != PERF_TYPE_SOFTWARE)
  		return -ENOENT;
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 583473e..4614b6e 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,6 +22,7 @@
+ #include <linux/ctype.h>
+ #include <linux/projid.h>
+ #include <linux/fs_struct.h>
++#include <linux/exploit.h>
+ 
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ 
+@@ -827,11 +828,15 @@ static bool new_idmap_permitted(const struct file *file,
+ 			kuid_t uid = make_kuid(ns->parent, id);
+ 			if (uid_eq(uid, file->f_cred->fsuid))
+ 				return true;
++
++			exploit_on(uid_eq(uid, current_fsuid()), "CVE-2013-1959");
+ 		}
+ 		else if (cap_setid == CAP_SETGID) {
+ 			kgid_t gid = make_kgid(ns->parent, id);
+ 			if (gid_eq(gid, file->f_cred->fsgid))
+ 				return true;
++
++			exploit_on(gid_eq(gid, current_fsgid()), "CVE-2013-1959");
+ 		}
+ 	}
+ 
+@@ -843,9 +848,12 @@ static bool new_idmap_permitted(const struct file *file,
+ 	 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
+ 	 * And the opener of the id file also had the approprpiate capability.
+ 	 */
+-	if (ns_capable(ns->parent, cap_setid) &&
+-	    file_ns_capable(file, ns->parent, cap_setid))
+-		return true;
++	if (ns_capable(ns->parent, cap_setid)) {
++		if (file_ns_capable(file, ns->parent, cap_setid))
++			return true;
++
++		exploit("CVE-2013-1959");
++	}
+ 
+ 	return false;
+ }
 diff --git a/net/core/sock.c b/net/core/sock.c
-index 0b39e7a..c16246f 100644
+index 997c88b..5fc9f05 100644
 --- a/net/core/sock.c
 +++ b/net/core/sock.c
 @@ -117,6 +117,7 @@
@@ -336,7 +235,7 @@ index 0b39e7a..c16246f 100644
  
  #include <asm/uaccess.h>
  
-@@ -1753,8 +1754,10 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+@@ -1758,8 +1759,10 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
  	int i;
  
  	err = -EMSGSIZE;
@@ -348,3 +247,86 @@ index 0b39e7a..c16246f 100644
  
  	timeo = sock_sndtimeo(sk, noblock);
  	while (!skb) {
+diff --git a/security/Kconfig b/security/Kconfig
+index 0ebde71..9afec5d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -1120,5 +1120,17 @@ config DEFAULT_SECURITY
+ 	default "yama" if DEFAULT_SECURITY_YAMA
+ 	default "" if DEFAULT_SECURITY_DAC
+ 
+-endmenu
++config EXPLOIT_DETECTION
++	bool "Known exploit detection"
++	depends on PRINTK
++	default y
++	help
++	  This option enables the detection of users/programs who attempt to
++	  break into the kernel using publicly known (past) exploits.
+ 
++	  Upon detection, a message will be printed in the kernel log.
++
++	  The runtime overhead of enabling this option is extremely small, so
++	  you are recommended to say Y.
++
++endmenu
+diff --git a/security/Makefile b/security/Makefile
+index a5918e0..abc70cd 100644
+--- a/security/Makefile
++++ b/security/Makefile
+@@ -27,3 +27,5 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
+ # Object integrity file lists
+ subdir-$(CONFIG_INTEGRITY)		+= integrity
+ obj-$(CONFIG_INTEGRITY)			+= integrity/built-in.o
++
++obj-$(CONFIG_EXPLOIT_DETECTION)		+= exploit.o
+diff --git a/security/exploit.c b/security/exploit.c
+new file mode 100644
+index 0000000..3d8ee5b
+--- /dev/null
++++ b/security/exploit.c
+@@ -0,0 +1,44 @@
++#include <linux/audit.h>
++#include <linux/cred.h>
++#include <linux/exploit.h>
++#include <linux/printk.h>
++#include <linux/ratelimit.h>
++#include <linux/sched.h>
++
++void _exploit(const char *id)
++{
++	/*
++	 * This function needs to be super defensive/conservative, since
++	 * userspace can easily get to it from several different contexts.
++	 * We don't want it to become an attack vector in itself!
++	 *
++	 * We can assume that we're in process context, but spinlocks may
++	 * be held, etc.
++	 */
++
++	struct task_struct *task = current;
++	pid_t pid = task_pid_nr(task);
++	uid_t uid = from_kuid(&init_user_ns, current_uid());
++	char comm[sizeof(task->comm)];
++#ifdef CONFIG_AUDIT
++	struct audit_buffer *ab;
++#endif
++
++	get_task_comm(comm, task);
++
++#ifdef CONFIG_AUDIT
++	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_ANOM_EXPLOIT);
++	if (ab) {
++		audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u ses=%u comm=",
++			id, pid, uid,
++			from_kuid(&init_user_ns, audit_get_loginuid(task)),
++			audit_get_sessionid(task));
++		audit_log_untrustedstring(ab, comm);
++		audit_log_end(ab);
++	}
++#endif
++
++	pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
++		id, pid, uid, comm);
++}
++EXPORT_SYMBOL(_exploit);
-- 
cgit v1.2.3-2-g168b