Hello! Sorry for cross-posting, some part is related to dev, some to hardened only.
0. I propose using the versions of "original" patches in the name of the
applied patches (like 001_originalname), so tracking diffs/updates is
easier.
Also, if one original patch is applying cleanly (as the ck/eaacl patches),
then use the original (numbered with xx0_name) and add the changes as
separate patches (xx1_name-version, xx2_name-version)
I have compared the patches from hardened with the originals. Please
comment on the described patches for 2.,3., if they are needed, and
solution for the warning in 4.
1. O1/Lowlatency/Preemptive from ck (200309132043-ck2) diffed to hardened
(patch OK)
--- linux-2.4.22.orig/kernel/sched.c Wed Nov 5 12:31:13 2003
+++ linux-2.4.22/kernel/sched.c Wed Nov 5 12:31:43 2003
@@ -1033,7 +1033,7 @@
*/
#define CAN_MIGRATE_TASK(p,rq,this_cpu) \
- ((jiffies - (p)->sleep_timestamp > cache_decay_ticks) && \
+ ((jiffies - (p)->sleep_avg > cache_decay_ticks) && \
!task_running(rq, p) && \
((p)->cpus_allowed & (1UL << (this_cpu))))
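
Review bot: in CAN_MIGRATE_TASK the expression now subtracts (p)->sleep_avg from jiffies and compares the result with cache_decay_ticks, but by its name sleep_avg is an average rather than a point in time, so the difference no longer obviously means "ticks since the task last ran". Please confirm that sleep_avg holds a jiffies timestamp in the ck tree. If it does not, keep a timestamp field for this test, or state in the patch description why the cache-hot check is still valid.
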
So for our case (use 3 characters, to have enough free slots for addons)
101_patch-2.4.22-1000-ckbase-0309132043.bz2
102_<the_diff_above>
103_<the_diff_below>, consider applying it.
Patch needed (O1)
--- kernel/sys.c.mps Tue Sep 2 15:29:26 2003
+++ kernel/sys.c Tue Sep 2 15:30:06 2003
@@ -520,7 +520,7 @@
}
}
-static int set_user(uid_t new_ruid, int dumpclear)
+int set_user(uid_t new_ruid, int dumpclear)
{
struct user_struct *new_user, *old_user;
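
Review bot: dropping static from set_user() in kernel/sys.c gives the function external linkage, yet the hunk adds no prototype to a header and does not name the caller outside sys.c that needs it. Since this function works on the user_struct for a new ruid (new_user, old_user), add the declaration to a shared header and say in the patch description which code calls it, so the wider exposure can be reviewed.
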
2. EA/ACL
for our case
121_ea+acl+nfsacl-2.4.22-0.8.64.diff.gz
122_<maybe_the_patch_below>
The diff is too intrusive, so that I can't say if you've done changes to
it, but 0.8.64 is newer than the one applied (see attached eaacl.dif,
you can reverse apply it, or better, take the original), some bugs
(intermezzo, nfs) solved.
I have, though, found this diff, and I am not sure if it has to be applied
(could be related to the eaaclnfs update):
diff -urN linux-2.4.22.orig/mm/vmscan.c linux-2.4.22/mm/vmscan.c
--- linux-2.4.22.orig/mm/vmscan.c Wed Nov 5 22:33:41 2003
+++ linux-2.4.22/mm/vmscan.c Wed Nov 5 22:35:32 2003
@@ -642,7 +642,7 @@
#ifdef CONFIG_QUOTA
shrink_dqcache_memory(DEF_PRIORITY, gfp_mask);
#endif
- shrink_other_caches(DEF_PRIORITY, gfp_mask);
+ shrink_other_caches(priority, gfp_mask);
return nr_pages;
}
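
Review bot: shrink_other_caches() now receives priority while the shrink_dqcache_memory() call three lines above it still passes DEF_PRIORITY, so the shrinkers in this block run at two different priorities. Either change both calls or explain why only this one follows the caller's priority, and confirm that priority is a variable in scope here, which the hunk context does not show.
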
3. grsecurity
Due to the fact that it won't apply after O1 and EA/ACL, it has to be
changed (well, I prefer patching the original patch and apply cleanly, so
I track all the changes, if someone wants to go this way, I can supply the
needed patches for grsecurity after O1 scheduler, lowlatency, eaacl)
If you change the original patch, then name it xxx_origname_gentoo (and
comment the changes done, for example: changed vfs_create/vfs_mkdir in
fs/namei.c for POSIX_ACL)
I found this diff between my version and yours
diff -urN linux-2.4.22.orig/mm/mmap.c linux-2.4.22/mm/mmap.c
--- linux-2.4.22.orig/mm/mmap.c Wed Nov 5 14:08:53 2003
+++ linux-2.4.22/mm/mmap.c Wed Nov 5 14:09:42 2003
@@ -1045,7 +1045,7 @@
atomic_dec(&file->f_dentry->d_inode->i_writecount);
}
remove_shared_vm_struct(mpnt);
- zap_page_range(mm, st, size, ZPR_COND_RESCHED); /* sys_munmap() */
+ zap_page_range(mm, st, size, 0);
/*
* Fix the mapping, and free the old area if it wasn't reused.
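
Review bot: replacing ZPR_COND_RESCHED with 0 in the zap_page_range() call drops what, by the flag's name, is the conditional reschedule on the path the removed comment identifies as sys_munmap(). If the lowlatency patch from ck is part of the set, keep the flag and the comment. If the 0 is deliberate, say why in the patch description.
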
Is this diff necessary? (related to the lowlatency patch from ck)
4. Propolice
The patch attached is a cleanup of lib/propolice.c (include kernel.h,
typo), one warning remaining regarding unsupported characters in __guard.
How to solve this one?
Thanks, Peter
--
Peter S. Mazinger <[EMAIL PROTECTED]> ID: 0xA5F059F2 NIC: IXUYHSKQLI
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2
--- lib/propolice.c.mps Mon Nov 3 12:04:36 2003
+++ lib/propolice.c Mon Nov 3 12:06:27 2003
@@ -1,13 +1,14 @@
- /*
- * linux/lib/errno.c
- *
- *
- */
-
- int __guard = '\0\0\n\777';
-
- void __stack_smash_handler (int damaged, char func[])
- {
- static char *message = "propolice detects %x at function %s.\n" ;
- panic (message, damaged, func);
+/*
+ * linux/lib/propolice.c
+ *
+ *
+ */
+#include <linux/kernel.h>
+
+int __guard = '\0\0\n\777';
+
+void __stack_smash_handler (int damaged, char func[])
+{
+ static char *message = "propolice detects %x at function %s.\n" ;
+ panic (message, damaged, func);
}
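
Review bot: the initializer int __guard = '\0\0\n\777'; is carried over unchanged and is most likely the source of the remaining warning: it is a multi-character constant, whose value is implementation-defined, and \777 is an octal escape larger than one byte can hold (the maximum is \377). Write the guard as an explicit integer constant with the intended byte layout, and consider declaring message as a const char array while the file is being touched.
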
eaacl.dif.bz2
Description: BZip2 compressed data
