minipli / linux-unofficial_grsec Goto Github PK

Unofficial forward ports of the last publicly available grsecurity patch

License: Other

Makefile 0.27% C 95.44% Assembly 1.73% C++ 2.22% Objective-C 0.12% Shell 0.03% Perl 0.13% Awk 0.01% Python 0.04% GDB 0.01% SourcePawn 0.01% Yacc 0.01% Lex 0.01% UnrealScript 0.01%

linux-unofficial_grsec's People

Contributors

Stargazers

Watchers

linux-unofficial_grsec's Issues

4.9.39 fails with undefined reference to "current_thread_info" in binfmt_elf.c

Kernel 4.9.38 was fine, but I'm not able to compile the latest one, which fails on:

fs/built-in.o: In Function `load_elf_binary':
binfmt_elf.c:(.text+0x9a710): undefined reference to `current_thread_info'

Thank you very much for your port!

Add GRKERNSEC_LOGSPOOF

Hi,

What do you think about adding this feature?

grsec_logspoof-4.9.x.txt

Thank you. Best regards

4.9.68->4.9.70 develops hardware related issue landing in blk_mq_run_hw_queue

Putting this here for reference, as i'm not able to track this to the source at present.
Somewhere in the last update cycle we found that a specific server in our datacenter can't access SSDs without tripping a pretty long stack trace which seems to mention scsi (but we couldn't catch it given the nature of the problem - host won't get to decrypting the OS volume, udev seems to kill it). The top of what we did catch was __list_del_entry, __blk_mq_run_hw_queue, blk_mq_run_hw_queue, blk_mq_insert_requests.constprop, blk_mq_flush_plug_list. It looks like something, specific to the drivers in that host, went south between .68 and .70.

Having noticed that the (potentially touchy, this is old gear) EFI subtree was touched, we reproduced the crash in BIOS mode as well.

Storage controllers are:

00:1f.2 SATA controller: Intel Corporation C600/X79 series chipset 6-Port SATA AHCI Controller (rev 06)
03:00.0 Serial Attached SCSI controller: Intel Corporation C606 chipset Dual 4-Port SATA/SAS Storage Control Unit (rev 06)

using the ahci and isci modules respectively. Somewhere between one of those controllers and the blk_mq function call, things go south.

Rolling back to 4.9.68 resolved the problem.
A similarly old host using uhci_hcd for its Intel controller is unaffected (the LSI SAS controller in there is also fine, currently resilvering ~1T of ZFS data without issue).

Thanks as always for maintaining this tree, hope what little data we were able to pull along the way is helpful in debugging this. Will add more as we get it.

size_overflow_plugin fails to build with GCC6 and musl-libc

Since GCC6 the size_overflow_plugin fails to build due to the prototype in musl's libgen.h being different than libiberty. The error message is as such:

tatooine /usr/src/linux  # make
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  HOSTCXX -fPIC scripts/gcc-plugins/size_overflow_plugin/size_overflow_ipa.o
In file included from scripts/gcc-plugins/size_overflow_plugin/size_overflow_ipa.c:21:0:
/usr/include/libgen.h:9:7: error: conflicting declaration of C function 'char* basename(char*)'
 char *basename(char *);
       ^~~~~~~~
In file included from /usr/lib/gcc/x86_64-gentoo-linux-musl/6.4.0/plugin/include/system.h:685:0,
                 from /usr/lib/gcc/x86_64-gentoo-linux-musl/6.4.0/plugin/include/gcc-plugin.h:28,
                 from scripts/gcc-plugins/gcc-common.h:6,
                 from scripts/gcc-plugins/size_overflow_plugin/size_overflow.h:29,
                 from scripts/gcc-plugins/size_overflow_plugin/size_overflow_ipa.c:20:
/usr/lib/gcc/x86_64-gentoo-linux-musl/6.4.0/plugin/include/libiberty.h:112:14: note: previous declaration 'char* basename(const char*)'
 extern char *basename (const char *) ATTRIBUTE_RETURNS_NONNULL ATTRIBUTE_NONNULL(1);
              ^~~~~~~~
make[2]: *** [scripts/Makefile.host:158: scripts/gcc-plugins/size_overflow_plugin/size_overflow_ipa.o] Error 1
make[1]: *** [scripts/Makefile.build:544: scripts/gcc-plugins/size_overflow_plugin] Error 2
make: *** [scripts/Makefile.gcc-plugins:129: gcc-plugins] Error 2

To fix it, we can apply the following patch:

--- scripts/gcc-plugins/size_overflow_plugin/size_overflow_ipa.c.orig	2017-09-09 21:47:58.442437114 +0200
+++ scripts/gcc-plugins/size_overflow_plugin/size_overflow_ipa.c	2017-09-09 21:47:11.851434184 +0200
@@ -18,7 +18,7 @@
  */
 
 #include "size_overflow.h"
-#include <libgen.h>
+extern const char *lbasename (const char *);
 
 static void walk_use_def_next_functions(struct walk_use_def_data *use_def_data, tree lhs);
 
@@ -52,14 +52,15 @@ static bool compare_next_interesting_fun
 static const char* get_vardecl_context(const_tree decl)
 {
 	expanded_location xloc;
-	char *buf, *path;
+	char *buf;
+	const char *path;
 	const char *bname;
 	int len;
 
 	xloc = expand_location(DECL_SOURCE_LOCATION(decl));
 	gcc_assert(xloc.file);
 	path = xstrdup(xloc.file);
-	bname = basename(path);
+	bname = lbasename(path);
 
 	len = asprintf(&buf, "vardecl_%s", bname);
 	gcc_assert(len > 0);

Keep in mind I haven't done a test on glibc or versions of GCC older than 6. Would you consider applying this patch for future releases?

mencoder: page allocation failure: order:1, mode:0x2080024(GFP_ATOMIC|GFP_DMA32)

This is complete, with what I was doing, except, the mencoder was recording on composite input to Hauppauge HVR3000, was started earlier:

Dec  3 17:30:04 gdOv kernel: [79226.214967] grsec: (mr:U:/) exec of /usr/local/bin/tzap-cat-g0.sh (tzap-cat-g0.sh RTL RTL ) by /usr/local/bin/tzap-cat-g0.sh[bash:5070] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3480] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.235449] grsec: (mr:U:/bin/ps) exec of /bin/ps (ps aux ) by /bin/ps[tzap-cat-g0.sh:5071] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.236698] grsec: (mr:U:/) exec of /bin/grep (grep [t]zap ) by /bin/grep[tzap-cat-g0.sh:5073] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.237716] grsec: (mr:U:/) exec of /bin/grep (grep -v tzap-cat ) by /bin/grep[tzap-cat-g0.sh:5072] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.237819] grsec: (mr:U:/) exec of /usr/bin/gawk (awk { print $2 } ) by /usr/bin/gawk[tzap-cat-g0.sh:5074] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.265146] grsec: (mr:U:/bin/cat) exec of /bin/cat (cat tzap.pid ) by /bin/cat[tzap-cat-g0.sh:5075] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.267594] grsec: (mr:U:/) exec of /bin/grep (grep -v tzap-cat ) by /bin/grep[tzap-cat-g0.sh:5077] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.267977] grsec: (mr:U:/bin/ps) exec of /bin/ps (ps aux ) by /bin/ps[tzap-cat-g0.sh:5076] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.269376] grsec: (mr:U:/) exec of /bin/grep (grep [c]at ) by /bin/grep[tzap-cat-g0.sh:5078] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.269950] grsec: (mr:U:/) exec of /usr/bin/gawk (awk { print $2 } ) by /usr/bin/gawk[tzap-cat-g0.sh:5079] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.280567] grsec: (mr:U:/bin/cat) exec of /bin/cat (cat cat.pid ) by /bin/cat[tzap-cat-g0.sh:5080] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.284784] grsec: (mr:U:/bin/cat) exec of /bin/cat (cat tzap.pid ) by /bin/cat[tzap-cat-g0.sh:5081] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.289393] grsec: (mr:U:/bin/cat) exec of /bin/cat (cat tzap.pid ) by /bin/cat[tzap-cat-g0.sh:5082] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.291586] grsec: (mr:U:/bin/cat) exec of /bin/cat (cat cat.pid ) by /bin/cat[tzap-cat-g0.sh:5083] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.293118] grsec: (mr:U:/bin/cat) exec of /bin/cat (cat cat.pid ) by /bin/cat[tzap-cat-g0.sh:5084] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.295453] grsec: (mr:U:/) exec of /usr/bin/tzap (tzap -a0 -f1 -d1 -r RTL ) by /usr/bin/tzap[tzap-cat-g0.sh:5085] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.298815] grsec: (mr:U:/) exec of /bin/date (date +H%m%d_%H%M ) by /bin/date[tzap-cat-g0.sh:5086] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5070] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:04 gdOv kernel: [79226.301244] grsec: (mr:U:/) exec of /bin/sleep (sleep 3 ) by /bin/sleep[tzap-cat-g0.sh:5088] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5087] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:07 gdOv kernel: [79229.304638] grsec: (mr:U:/bin/cat) exec of /bin/cat (cat /dev/dvb/adapter0/dvr1 ) by /bin/cat[tzap-cat-g0.sh:5091] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/tzap-cat-g0.sh[tzap-cat-g0.sh:5087] uid/euid:1000/1000 gid/egid:1000/1000
Dec  3 17:30:24 gdOv kernel: [79245.889599] mencoder: page allocation failure: order:1, mode:0x2080024(GFP_ATOMIC|GFP_DMA32)
Dec  3 17:30:24 gdOv kernel: [79245.889627] CPU: 1 PID: 4991 Comm: mencoder Not tainted 4.9.65-unofficial+grsec171124-23 #1
Dec  3 17:30:24 gdOv kernel: [79245.889639] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Dec  3 17:30:24 gdOv kernel: [79245.889649]  ffffc9000a3e77f8 ffffffff818211eb 0000000000000020 ce922b3502529753
Dec  3 17:30:24 gdOv kernel: [79245.889665]  ffffffff829de6c0 0000000000000000 ffffc9000a3e7880 ffffffff81244c3d
Dec  3 17:30:24 gdOv kernel: [79245.889679]  0208002400000000 ffffffff829de6c0 ffffc9000a3e7820 ffffffff00000010
Dec  3 17:30:24 gdOv kernel: [79245.889693] Call Trace:
Dec  3 17:30:24 gdOv kernel: [79245.889716]  [<ffffffff818211eb>] dump_stack+0x94/0xf9
Dec  3 17:30:24 gdOv kernel: [79245.889729]  [<ffffffff81244c3d>] warn_alloc+0x1ad/0x1f0
Dec  3 17:30:24 gdOv kernel: [79245.889740]  [<ffffffff81244ff2>] ? __alloc_pages_slowpath+0x2c2/0xff0
Dec  3 17:30:24 gdOv kernel: [79245.889749]  [<ffffffff8124506c>] __alloc_pages_slowpath+0x33c/0xff0
Dec  3 17:30:24 gdOv kernel: [79245.889760]  [<ffffffff81246142>] __alloc_pages_nodemask+0x1c2/0x2c0
Dec  3 17:30:24 gdOv kernel: [79245.889770]  [<ffffffff81096344>] dma_generic_alloc_coherent+0xb4/0x1a0
Dec  3 17:30:24 gdOv kernel: [79245.889780]  [<ffffffff810cf65d>] gart_alloc_coherent+0x6d/0x1a0
Dec  3 17:30:24 gdOv kernel: [79245.889791]  [<ffffffff8205dba5>] cx88_risc_buffer+0x125/0x260
Dec  3 17:30:24 gdOv kernel: [79245.889801]  [<ffffffff82064ebf>] buffer_prepare+0x1ef/0x330
Dec  3 17:30:24 gdOv kernel: [79245.889813]  [<ffffffff82028fef>] __buf_prepare+0x18f/0x230
Dec  3 17:30:24 gdOv kernel: [79245.889822]  [<ffffffff8202afbd>] vb2_core_qbuf+0x1bd/0x300
Dec  3 17:30:24 gdOv kernel: [79245.889833]  [<ffffffff8202f3be>] vb2_qbuf+0x9e/0xe0
Dec  3 17:30:24 gdOv kernel: [79245.889843]  [<ffffffff8202fdfd>] vb2_ioctl_qbuf+0x7d/0xa0
Dec  3 17:30:24 gdOv kernel: [79245.889854]  [<ffffffff820102c0>] v4l_qbuf+0xb0/0xd0
Dec  3 17:30:24 gdOv kernel: [79245.889864]  [<ffffffff82012877>] __video_do_ioctl+0x2c7/0x480
Dec  3 17:30:24 gdOv kernel: [79245.889875]  [<ffffffff82012e0d>] video_usercopy+0x3dd/0x850
Dec  3 17:30:24 gdOv kernel: [79245.889886]  [<ffffffff820125b0>] ? v4l_printk_ioctl+0x100/0x100
Dec  3 17:30:24 gdOv kernel: [79245.889895]  [<ffffffff820132c9>] video_ioctl2+0x49/0x80
Dec  3 17:30:24 gdOv kernel: [79245.889904]  [<ffffffff82006cb9>] v4l2_ioctl+0x149/0x1b0
Dec  3 17:30:24 gdOv kernel: [79245.889915]  [<ffffffff813120d2>] do_vfs_ioctl+0xf2/0xb40
Dec  3 17:30:24 gdOv kernel: [79245.889925]  [<ffffffff81312c76>] rap_sys_ioctl+0x76/0xe0
Dec  3 17:30:24 gdOv kernel: [79245.889936]  [<ffffffff825ad653>] entry_SYSCALL_64_fastpath+0x1e/0xec
Dec  3 17:30:24 gdOv kernel: [79245.889944] Mem-Info:
Dec  3 17:30:24 gdOv kernel: [79245.889962] active_anon:107057 inactive_anon:133576 isolated_anon:0
Dec  3 17:30:24 gdOv kernel: [79245.889962]  active_file:1190633 inactive_file:444549 isolated_file:0
Dec  3 17:30:24 gdOv kernel: [79245.889962]  unevictable:1 dirty:3649 writeback:0 unstable:0
Dec  3 17:30:24 gdOv kernel: [79245.889962]  slab_reclaimable:111180 slab_unreclaimable:8852
Dec  3 17:30:24 gdOv kernel: [79245.889962]  mapped:16800 shmem:2751 pagetables:3735 bounce:0
Dec  3 17:30:24 gdOv kernel: [79245.889962]  free:13082 free_pcp:982 free_cma:0
Dec  3 17:30:24 gdOv kernel: [79245.889991] Node 0 active_anon:428228kB inactive_anon:534304kB active_file:4762532kB inactive_file:1778196kB unevictable:4kB isolated(anon):0kB isolated(file):0kB mapped:67200kB dirty:14596kB writeback:0kB shmem:11004kB writeback_tmp:0kB unstable:0kB pages_scanned:42 all_unreclaimable? no
Dec  3 17:30:24 gdOv kernel: [79245.890000] Node 0 DMA free:12476kB min:20kB low:32kB high:44kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
Dec  3 17:30:24 gdOv kernel: [79245.890015] lowmem_reserve[]: 0 3116 7851 7851
Dec  3 17:30:24 gdOv kernel: [79245.890027] Node 0 DMA32 free:28876kB min:4496kB low:7684kB high:10872kB active_anon:133692kB inactive_anon:17936kB active_file:2132392kB inactive_file:699484kB unevictable:4kB writepending:14556kB present:3364976kB managed:3263712kB mlocked:4kB slab_reclaimable:233116kB slab_unreclaimable:7008kB kernel_stack:208kB pagetables:2456kB bounce:0kB free_pcp:2424kB local_pcp:684kB free_cma:0kB
Dec  3 17:30:24 gdOv kernel: [79245.890043] lowmem_reserve[]: 0 0 4735 4735
Dec  3 17:30:24 gdOv kernel: [79245.890054] Node 0 Normal free:10976kB min:6832kB low:11680kB high:16528kB active_anon:294536kB inactive_anon:516368kB active_file:2630140kB inactive_file:1078712kB unevictable:0kB writepending:40kB present:4980732kB managed:4849116kB mlocked:0kB slab_reclaimable:211604kB slab_unreclaimable:28400kB kernel_stack:4256kB pagetables:12484kB bounce:0kB free_pcp:1504kB local_pcp:212kB free_cma:0kB
Dec  3 17:30:24 gdOv kernel: [79245.890068] lowmem_reserve[]: 0 0 0 0
Dec  3 17:30:24 gdOv kernel: [79245.890079] Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 0*32kB 1*64kB (H) 1*128kB (H) 0*256kB 0*512kB 0*1024kB 2*2048kB (UM) 2*4096kB (M) = 12484kB
Dec  3 17:30:24 gdOv kernel: [79245.890205] Node 0 DMA32: 7211*4kB (UME) 4*8kB (E) 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 28876kB
Dec  3 17:30:24 gdOv kernel: [79245.890240] Node 0 Normal: 2612*4kB (UEH) 40*8kB (H) 9*16kB (H) 2*32kB (H) 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 10976kB
Dec  3 17:30:24 gdOv kernel: [79245.890283] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
Dec  3 17:30:24 gdOv kernel: [79245.890286] 1637951 total pagecache pages
Dec  3 17:30:24 gdOv kernel: [79245.890293] 1 pages in swap cache
Dec  3 17:30:24 gdOv kernel: [79245.890299] Swap cache stats: add 489, delete 488, find 0/0
Dec  3 17:30:24 gdOv kernel: [79245.890304] Free swap  = 8995992kB
Dec  3 17:30:24 gdOv kernel: [79245.890309] Total swap = 8997948kB
Dec  3 17:30:24 gdOv kernel: [79245.890314] 2090425 pages RAM
Dec  3 17:30:24 gdOv kernel: [79245.890319] 0 pages HighMem/MovableOnly
Dec  3 17:30:24 gdOv kernel: [79245.890330] 58241 pages reserved
Dec  3 17:30:24 gdOv kernel: [79245.890346] PAX: please report this to [email protected]
Dec  3 17:30:24 gdOv kernel: [79245.890357] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
Dec  3 17:30:24 gdOv kernel: [79245.896818] IP: [<ffffffff82064ba3>] buffer_queue+0x43/0x170
Dec  3 17:30:24 gdOv kernel: [79245.903396] PGD 1ee3ba000 
Dec  3 17:30:24 gdOv kernel: [79245.903449] 
Dec  3 17:30:24 gdOv kernel: [79245.909987] Oops: 0002 [#1] SMP
Dec  3 17:30:24 gdOv kernel: [79245.916571] CPU: 1 PID: 4991 Comm: mencoder Not tainted 4.9.65-unofficial+grsec171124-23 #1
Dec  3 17:30:24 gdOv kernel: [79245.923372] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Dec  3 17:30:24 gdOv kernel: [79245.930246] task: ffff880086ace400 task.stack: ffffc9000a3e4000
Dec  3 17:30:24 gdOv kernel: [79245.932687] grsec: (root:U:/usr/sbin/rsyslogd) denied access to hidden file /run/utmp by /usr/sbin/rsyslogd[rs:main Q:Reg:2031] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec  3 17:30:24 gdOv kernel: [79245.932766] grsec: (root:U:/usr/sbin/rsyslogd) denied access to hidden file /run/utmp by /usr/sbin/rsyslogd[rs:main Q:Reg:2031] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec  3 17:30:24 gdOv kernel: [79245.965938] RIP: 0010:[<ffffffff82064ba3>]  [<ffffffff82064ba3>] buffer_queue+0x43/0x170
Dec  3 17:30:24 gdOv kernel: [79245.973433] RSP: 0018:ffffc9000a3e7b60  EFLAGS: 00010286
Dec  3 17:30:24 gdOv kernel: [79245.980876] RAX: ffff880224764000 RBX: ffff880162a4f000 RCX: 0000000000000000
Dec  3 17:30:24 gdOv kernel: [79245.988373] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff880162a4f000
Dec  3 17:30:24 gdOv kernel: [79245.995859] RBP: ffffc9000a3e7b78 R08: 0000000000000005 R09: 0000000000000000
Dec  3 17:30:24 gdOv kernel: [79246.003396] R10: ffff88022fff9dd0 R11: 0000000000011612 R12: ffff880224721000
Dec  3 17:30:24 gdOv kernel: [79246.010948] R13: 8000000000000000 R14: ffff880162a4f000 R15: ffff880224764010
Dec  3 17:30:24 gdOv kernel: [79246.018333] FS:  00000356ac402700(0000) GS:ffff88022fc80000(0000) knlGS:0000000000000000
Dec  3 17:30:24 gdOv kernel: [79246.025582] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Dec  3 17:30:24 gdOv kernel: [79246.032662] CR2: 0000000000000004 CR3: 0000000002c22000 CR4: 00000000000006f0
Dec  3 17:30:24 gdOv kernel: [79246.039603] Stack:
Dec  3 17:30:24 gdOv kernel: [79246.046321]  0000000000000001 ffff880162a4f048 8000000000000000 ffffc9000a3e7ba8
Dec  3 17:30:24 gdOv kernel: [79246.053023]  ffffffff820279d2 ffff880224764b80 ffff880162a4f000 ffffc9000a3e7d38
Dec  3 17:30:24 gdOv kernel: [79246.059542]  ffffffff82853e00 ffffc9000a3e7bd0 ffffffff8202b034 ffff880224764b80
Dec  3 17:30:24 gdOv kernel: [79246.065893] Call Trace:
Dec  3 17:30:24 gdOv kernel: [79246.072023]  [<ffffffff820279d2>] __enqueue_in_driver+0xd2/0x110
Dec  3 17:30:24 gdOv kernel: [79246.078051]  [<ffffffff8202b034>] vb2_core_qbuf+0x234/0x300
Dec  3 17:30:24 gdOv kernel: [79246.084022]  [<ffffffff8202f3be>] vb2_qbuf+0x9e/0xe0
Dec  3 17:30:24 gdOv kernel: [79246.089812]  [<ffffffff8202fdfd>] vb2_ioctl_qbuf+0x7d/0xa0
Dec  3 17:30:24 gdOv kernel: [79246.095394]  [<ffffffff820102c0>] v4l_qbuf+0xb0/0xd0
Dec  3 17:30:24 gdOv kernel: [79246.100927]  [<ffffffff82012877>] __video_do_ioctl+0x2c7/0x480
Dec  3 17:30:24 gdOv kernel: [79246.106534]  [<ffffffff82012e0d>] video_usercopy+0x3dd/0x850
Dec  3 17:30:24 gdOv kernel: [79246.112126]  [<ffffffff820125b0>] ? v4l_printk_ioctl+0x100/0x100
Dec  3 17:30:24 gdOv kernel: [79246.117729]  [<ffffffff820132c9>] video_ioctl2+0x49/0x80
Dec  3 17:30:24 gdOv kernel: [79246.123325]  [<ffffffff82006cb9>] v4l2_ioctl+0x149/0x1b0
Dec  3 17:30:24 gdOv kernel: [79246.128780]  [<ffffffff813120d2>] do_vfs_ioctl+0xf2/0xb40
Dec  3 17:30:24 gdOv kernel: [79246.134120]  [<ffffffff81312c76>] rap_sys_ioctl+0x76/0xe0
Dec  3 17:30:24 gdOv kernel: [79246.139345]  [<ffffffff825ad653>] entry_SYSCALL_64_fastpath+0x1e/0xec
Dec  3 17:30:24 gdOv kernel: [79246.144561] Code: 10 07 6e 9d db ff ff ff ff cc cc cc cc cc cc cc cc 48 8b 03 8b b3 18 02 00 00 48 8b 8b 08 02 00 00 48 8b 40 48 8d 56 08 4c 8b 20 <89> 51 04 48 8b 93 10 02 00 00 c7 02 00 00 01 70 8b b3 18 02 00 
Dec  3 17:30:24 gdOv kernel: [79246.155952] RIP  [<ffffffff82064ba3>] buffer_queue+0x43/0x170
Dec  3 17:30:24 gdOv kernel: [79246.161437]  RSP <ffffc9000a3e7b60>
Dec  3 17:30:24 gdOv kernel: [79246.166856] CR2: 0000000000000004
Dec  3 17:30:24 gdOv kernel: [79246.196544] ---[ end trace fbbe04dc53961045 ]---
Dec  3 17:30:24 gdOv kernel: [79246.196553] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Dec  3 17:30:24 gdOv kernel: [79246.333477] grsec: (root:U:/bin/bash) special role admin (id 8) exited by /bin/bash[bash:3670] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:3669] uid/euid:0/0 gid/egid:0/0
Dec  3 17:30:24 gdOv kernel: [79246.493856] grsec: (root:U:/sbin/init) denied access to hidden file /sbin/getty by /sbin/init[init:5093] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec  3 17:30:24 gdOv kernel: [79246.523903] grsec: (root:U:/sbin/agetty) exec of /sbin/agetty (/sbin/getty 38400 tty6 ) by /sbin/agetty[init:5094] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

kernel tried to execute NX-protected page - exploit attempt? (uid: 1000, task: Xorg, pid: 3433)

Dec  1 23:21:10 gdOv kernel: [ 3413.024896] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:24:9e:ab:ab:0b:b3:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=30291 PROTO=2 
Dec  1 23:22:33 gdOv kernel: [ 3496.150121] kernel tried to execute NX-protected page - exploit attempt? (uid: 1000, task: Xorg, pid: 3433)
Dec  1 23:22:33 gdOv kernel: [ 3496.163060] BUG: unable to handle kernel paging request at ffffc9000c6ffb80
Dec  1 23:22:33 gdOv kernel: [ 3496.169720] IP: [<ffffc9000c6ffb80>] 0xffffc9000c6ffb80
Dec  1 23:22:33 gdOv kernel: [ 3496.176424] PGD 8000000002c31063 
Dec  1 23:22:33 gdOv kernel: [ 3496.176489] PUD 32300a063 
Dec  1 23:22:33 gdOv kernel: [ 3496.183192] PMD 2e32bb063 
Dec  1 23:22:33 gdOv kernel: [ 3496.183222] PTE 80000002d702b163
Dec  1 23:22:33 gdOv kernel: [ 3496.189987] 
Dec  1 23:22:33 gdOv kernel: [ 3496.196651] Oops: 0011 [#1] SMP
Dec  1 23:22:33 gdOv kernel: [ 3496.203281] CPU: 1 PID: 3433 Comm: Xorg Not tainted 4.9.65-unofficial+grsec171124-23 #1
Dec  1 23:22:33 gdOv kernel: [ 3496.210011] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Dec  1 23:22:33 gdOv kernel: [ 3496.210016] task: ffff88031b6fc380 task.stack: ffffc9000c6fc000
Dec  1 23:22:33 gdOv kernel: [ 3496.210024] RIP: 0010:[<ffffc9000c6ffb80>]  [<ffffc9000c6ffb80>] 0xffffc9000c6ffb80
Dec  1 23:22:33 gdOv kernel: [ 3496.210027] RSP: 0018:ffffc9000c6ffb70  EFLAGS: 00010283
Dec  1 23:22:33 gdOv kernel: [ 3496.210031] RAX: 0000000000000000 RBX: ffff8802d1b0bc68 RCX: ffffffff81a3e74e
Dec  1 23:22:33 gdOv kernel: [ 3496.210034] RDX: 000000000000003e RSI: 00000000000000fe RDI: ffff8802bab77c80
Dec  1 23:22:33 gdOv kernel: [ 3496.210036] RBP: ffffc9000c6ffb68 R08: ffff8802c2d20b20 R09: ffff8802bab77c00
Dec  1 23:22:33 gdOv kernel: [ 3496.210039] R10: ffff8802bab77c20 R11: ffff8802c2d20b20 R12: 0000000000000002
Dec  1 23:22:33 gdOv kernel: [ 3496.210041] R13: ffff880320180740 R14: ffff8802d1b0bc68 R15: ffff880320154c00
Dec  1 23:22:33 gdOv kernel: [ 3496.210047] FS:  0000036130345a80(0000) GS:ffff88032fc80000(0000) knlGS:0000000000000000
Dec  1 23:22:33 gdOv kernel: [ 3496.210067] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Dec  1 23:22:33 gdOv kernel: [ 3496.210070] CR2: ffffc9000c6ffb80 CR3: 0000000002c22000 CR4: 00000000000006f0
Dec  1 23:22:33 gdOv kernel: [ 3496.210072] Stack:
Dec  1 23:22:33 gdOv kernel: [ 3496.210082]  ffffffff81a3e74e ffff8802d1b0bc98 ffffc9000c6ffbd0 ffffffff81a40c93
Dec  1 23:22:33 gdOv kernel: [ 3496.210089]  ffffffffffff4111 00ffffffffff4111 f8f834b34e9287a1 ffffc9000c6ffbf8
Dec  1 23:22:33 gdOv kernel: [ 3496.210095]  ffff880320161800 ffff88031dffff30 ffff88031dfffe60 ffff880320161800
Dec  1 23:22:33 gdOv kernel: [ 3496.210097] Call Trace:
Dec  1 23:22:33 gdOv kernel: [ 3496.210110]  [<ffffffff81a3e74e>] ? ttm_bo_cleanup_memtype_use+0xce/0x120
Dec  1 23:22:33 gdOv kernel: [ 3496.210117]  [<ffffffff81a40c93>] ? ttm_bo_release+0x2c3/0x370
Dec  1 23:22:33 gdOv kernel: [ 3496.210123]  [<ffffffff81a40d87>] ? ttm_bo_unref+0x47/0x70
Dec  1 23:22:33 gdOv kernel: [ 3496.210131]  [<ffffffff81a7afa3>] ? radeon_bo_unref+0x53/0xb0
Dec  1 23:22:33 gdOv kernel: [ 3496.210138]  [<ffffffff81a986ff>] ? radeon_gem_object_free+0x8f/0xd0
Dec  1 23:22:33 gdOv kernel: [ 3496.210146]  [<ffffffff81a04d81>] ? drm_gem_object_free+0x61/0x100
Dec  1 23:22:33 gdOv kernel: [ 3496.210154]  [<ffffffff81a05a4f>] ? drm_gem_object_unreference_unlocked+0x7f/0x130
Dec  1 23:22:33 gdOv kernel: [ 3496.210161]  [<ffffffff81a05bad>] ? drm_gem_object_handle_unreference_unlocked+0xad/0x140
Dec  1 23:22:33 gdOv kernel: [ 3496.210168]  [<ffffffff81a05cee>] ? drm_gem_object_release_handle+0xae/0x140
Dec  1 23:22:33 gdOv kernel: [ 3496.210175]  [<ffffffff81a05e2f>] ? drm_gem_handle_delete+0xaf/0x140
Dec  1 23:22:33 gdOv kernel: [ 3496.210182]  [<ffffffff81a05f8a>] ? drm_gem_close_ioctl+0x5a/0x90
Dec  1 23:22:33 gdOv kernel: [ 3496.210188]  [<ffffffff81a07c1f>] ? drm_ioctl+0x31f/0x6c0
Dec  1 23:22:33 gdOv kernel: [ 3496.210195]  [<ffffffff81a05f30>] ? drm_gem_dumb_destroy+0x70/0x70
Dec  1 23:22:33 gdOv kernel: [ 3496.210204]  [<ffffffff81a4f052>] ? radeon_drm_ioctl+0x82/0x100
Dec  1 23:22:33 gdOv kernel: [ 3496.210211]  [<ffffffff813120d2>] ? do_vfs_ioctl+0xf2/0xb40
Dec  1 23:22:33 gdOv kernel: [ 3496.210218]  [<ffffffff81312c76>] ? rap_sys_ioctl+0x76/0xe0
Dec  1 23:22:33 gdOv kernel: [ 3496.210225]  [<ffffffff825ad653>] ? entry_SYSCALL_64_fastpath+0x1e/0xec
Dec  1 23:22:33 gdOv kernel: [ 3496.210297] Code: 00 00 00 83 02 01 00 00 00 00 00 70 fb 6f 0c 00 c9 ff ff 18 00 00 00 00 00 00 00 4e e7 a3 81 ff ff ff ff 98 bc b0 d1 02 88 ff ff <d0> fb 6f 0c 00 c9 ff ff 93 0c a4 81 ff ff ff ff 11 41 ff ff ff 
Dec  1 23:22:33 gdOv kernel: [ 3496.210302] RIP  [<ffffc9000c6ffb80>] 0xffffc9000c6ffb80
Dec  1 23:22:33 gdOv kernel: [ 3496.210304]  RSP <ffffc9000c6ffb70>
Dec  1 23:22:33 gdOv kernel: [ 3496.210306] CR2: ffffc9000c6ffb80
Dec  1 23:22:33 gdOv kernel: [ 3496.234789] ---[ end trace 5a75a1db89292227 ]---
Dec  1 23:22:33 gdOv kernel: [ 3496.234793] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Dec  1 23:22:33 gdOv kernel: [ 3496.320858] grsec: (root:U:/bin/bash) special role admin (id 1) exited by /bin/bash[bash:3667] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:3666] uid/euid:0/0 gid/egid:0/0
Dec  1 23:22:33 gdOv kernel: [ 3496.320968] grsec: (root:U:/bin/bash) special role admin (id 2) exited by /bin/bash[bash:7282] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:7281] uid/euid:0/0 gid/egid:0/0
Dec  1 23:22:33 gdOv kernel: [ 3496.336492] grsec: (root:U:/sbin/agetty) exec of /sbin/agetty (/sbin/getty 38400 tty6 ) by /sbin/agetty[init:10537] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec  1 23:22:59 gdOv kernel: [ 3522.377686] sky2 0000:06:00.0 eth1: Link is down

eapply_user (or default) must be called in src_prepare()!

seems portage changed a bit, enforcing user-patches to be in the right spot, refusing to install if it's absent or elsewhere. so when I emerge sys-kernel/minipli-sources I get

>>> Preparing source in /var/tmp/portage/sys-kernel/minipli-sources-4.9.74/work/linux-4.9.74-minipli ...
 * ERROR: sys-kernel/minipli-sources-4.9.74::pentoo failed (prepare phase):
 *   eapply_user (or default) must be called in src_prepare()!

Static link for scripted download

Could you somehow provide a way to discover the latest version of the patch (diff file) from a script? Grsecurity originally provided a static link to a text file containing the name of the latest patch, but I guess this is not possible here given the possibilities of github?

vma_wants_writenotify general protection fault

Nov 25 00:34:24 gdOv kernel: [ 4174.947170] general protection fault: 0000 [#1] SMP
Nov 25 00:34:24 gdOv kernel: [ 4174.947275] Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_tcpudp xt_conntrack iptable_filter iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_raw ip_tables x_tables cx22702 isl6421 cx24123 cx88_dvb cx88_vp3054_i2c wm8775 videobuf2_dvb dvb_core ir_lirc_codec ir_rc5_decoder lirc_dev rc_hauppauge tuner_simple tuner_types tda9887 edac_mce_amd edac_core kvm_amd kvm mxm_wmi irqbypass amdkfd tda8290 radeon ttm tuner drm_kms_helper cx8800 cx8802 cx88_alsa cx88xx pcspkr evdev tveeprom videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 v4l2_common videobuf2_core drm snd_hda_codec_realtek snd_hda_codec_generic videodev serio_raw snd_hda_intel snd_hda_codec k10temp media snd_hda_core snd_hwdep snd_pcm snd_timer snd i2c_algo_bit soundcore fb_sys_fops syscopyarea
Nov 25 00:34:24 gdOv kernel: [ 4174.958058]  sysfillrect wmi sysimgblt shpchp sg sp5100_tco nuvoton_cir rc_core button acpi_cpufreq ext4 crc16 jbd2 fscrypto mbcache xts gf128mul algif_skcipher af_alg dm_crypt dm_mod sr_mod cdrom sd_mod ata_generic uas usb_storage ohci_pci psmouse r8169 mii firewire_ohci firewire_core crc_itu_t sky2 ahci pata_atiixp libahci ohci_hcd xhci_pci ehci_pci ehci_hcd xhci_hcd libata i2c_piix4 usbcore scsi_mod fjes
Nov 25 00:34:24 gdOv kernel: [ 4174.979696] CPU: 3 PID: 4130 Comm: Xorg Not tainted 4.9.65-unofficial+grsec171124-19 #1
Nov 25 00:34:24 gdOv kernel: [ 4174.985496] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Nov 25 00:34:24 gdOv kernel: [ 4174.991416] task: ffff88031d49e800 task.stack: ffffc9000a250000
Nov 25 00:34:24 gdOv kernel: [ 4174.997404] RIP: 0010:[<ffffffff8115a534>]  [<ffffffff8115a534>] vma_wants_writenotify+0x94/0xc0
Nov 25 00:34:24 gdOv kernel: [ 4175.003510] RSP: 0018:ffffc9000a253c90  EFLAGS: 00010287
Nov 25 00:34:24 gdOv kernel: [ 4175.009523] RAX: ff880320b34800ff RBX: 8000000000000027 RCX: 4000000000000000
Nov 25 00:34:24 gdOv kernel: [ 4175.015566] RDX: 0000000000000020 RSI: 2000000000000000 RDI: ffff88031c92e48f
Nov 25 00:34:24 gdOv kernel: [ 4175.021537] RBP: ffff8802e1154cc0 R08: ffff8802e1154cc0 R09: 00000000140440bb
Nov 25 00:34:24 gdOv kernel: [ 4175.027532] R10: 8000000000000027 R11: ffff88031eab6860 R12: 00003ffffffff278
Nov 25 00:34:24 gdOv kernel: [ 4175.033505] R13: 00000000140440bb R14: 0000000000000001 R15: 00000374bb7cf000
Nov 25 00:34:24 gdOv kernel: [ 4175.039453] FS:  00000374bb7b6a40(0000) GS:ffff88032fd80000(0000) knlGS:0000000000000000
Nov 25 00:34:24 gdOv kernel: [ 4175.045452] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 25 00:34:24 gdOv kernel: [ 4175.051399] CR2: 0000040000000000 CR3: 00000000017e9000 CR4: 00000000000006f0
Nov 25 00:34:24 gdOv kernel: [ 4175.057441] Stack:
Nov 25 00:34:24 gdOv kernel: [ 4175.063448]  ffffffff8115a594 00000000140440bb 00000374bb7cf000 ffff88031d4959
Nov 25 00:34:24 gdOv kernel: [ 4175.069591]  ffff880320eea100 ffffffff8115c27f ffff88031f278d00 00000000001015
Nov 25 00:34:24 gdOv kernel: [ 4175.075826]  0000000000000000 ffff8802e1154cc0 00000000140440bb ffff8802e1154c
Nov 25 00:34:24 gdOv kernel: [ 4175.082147] Call Trace:
Nov 25 00:34:24 gdOv kernel: [ 4175.088447]  [<ffffffff8115a594>] ? vma_set_page_prot+0x34/0x60
Nov 25 00:34:24 gdOv kernel: [ 4175.094845]  [<ffffffff8115c27f>] ? mmap_region+0x2cf/0x6d0
Nov 25 00:34:24 gdOv kernel: [ 4175.101240]  [<ffffffff8115cbe0>] ? do_mmap+0x560/0x620
Nov 25 00:34:24 gdOv kernel: [ 4175.107598]  [<ffffffff81142259>] ? vm_mmap_pgoff+0xb9/0x100
Nov 25 00:34:24 gdOv kernel: [ 4175.113854]  [<ffffffff8115a3d9>] ? sys_mmap_pgoff+0x1a9/0x270
Nov 25 00:34:24 gdOv kernel: [ 4175.119941]  [<ffffffff811b68e8>] ? sys_ioctl+0x58/0x80
Nov 25 00:34:24 gdOv kernel: [ 4175.125885]  [<ffffffff8154fdb9>] ? entry_SYSCALL_64_fastpath+0x17/0xa8
Nov 25 00:34:24 gdOv kernel: [ 4175.131808] Code: c0 74 a4 48 8b 80 f8 00 00 00 48 85 c0 74 98 48 8b 38 48 c7 0 00 00 8b 40 18 f7 d0 83 e0 01 c3 e8 a7 0d 08 00 
Nov 25 00:34:24 gdOv kernel: [ 4175.144458] RIP  [<ffffffff8115a534>] vma_wants_writenotify+0x94/0xc0
Nov 25 00:34:24 gdOv kernel: [ 4175.150683]  RSP <ffffc9000a253c90>
Nov 25 00:34:24 gdOv kernel: [ 4175.180523] ---[ end trace f27b58d845ba30f4 ]---
Nov 25 00:34:24 gdOv kernel: [ 4175.180541] grsec: banning user with uid 1000 until system restart for suspici

__fput unable to handle kernel paging request at ffffffbfa02c6430

Nov 25 06:15:10 gdOv kernel: [ 6127.027227] BUG: unable to handle kernel paging request at ffffffbfa02c6430
Nov 25 06:15:10 gdOv kernel: [ 6127.029802] IP: [] __fput+0xbf/0x220
Nov 25 06:15:10 gdOv kernel: [ 6127.031149] PGD 1bec067
Nov 25 06:15:10 gdOv kernel: [ 6127.031161] PUD 0
Nov 25 06:15:10 gdOv kernel: [ 6127.032506]
Nov 25 06:15:10 gdOv kernel: [ 6127.033855] Oops: 0000 [#1] SMP
Nov 25 06:15:10 gdOv kernel: [ 6127.035216] Modules linked in: nfnetlink_queue nfnetlink_log nfnetlink bluetooth rfkill nf_log_ipv4 nf_log_common xt_LOG xt_tcpudp xt_conntrack iptable_filter iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_raw ip_tables x_tables cx22702 isl6421 cx24123 cx88_dvb cx88_vp3054_i2c videobuf2_dvb dvb_core wm8775 ir_rc5_decoder ir_lirc_codec lirc_dev rc_hauppauge tuner_simple tuner_types tda9887 tda8290 tuner edac_mce_amd edac_core kvm_amd cx88_alsa cx8800 cx8802 kvm cx88xx videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 tveeprom v4l2_common mxm_wmi videobuf2_core irqbypass amdkfd evdev videodev radeon pcspkr k10temp serio_raw media snd_hda_codec_realtek snd_hda_codec_generic ttm drm_kms_helper snd_hda_intel drm i2c_algo_bit sp5100_tco fb_sys_fops nuvoton_cir
Nov 25 06:15:10 gdOv kernel: [ 6127.041723] rc_core syscopyarea sysfillrect sg sysimgblt snd_hda_codec acpi_cpufreq wmi shpchp snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore button ext4 crc16 jbd2 fscrypto mbcache xts gf128mul algif_skcipher af_alg dm_crypt dm_mod sr_mod cdrom sd_mod ata_generic uas usb_storage ohci_pci psmouse firewire_ohci r8169 firewire_core mii crc_itu_t sky2 pata_atiixp ahci libahci ohci_hcd xhci_pci ehci_pci ehci_hcd xhci_hcd libata i2c_piix4 usbcore scsi_mod fjes
Nov 25 06:15:10 gdOv kernel: [ 6127.049145] CPU: 1 PID: 29962 Comm: tshark Not tainted 4.9.65-unofficial+grsec171124-19 #1
Nov 25 06:15:10 gdOv kernel: [ 6127.051097] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Nov 25 06:15:10 gdOv kernel: [ 6127.053120] task: ffff880051d7c5c0 task.stack: ffffc9000da28000
Nov 25 06:15:10 gdOv kernel: [ 6127.055128] RIP: 0010:[] [] __fput+0xbf/0x220
Nov 25 06:15:10 gdOv kernel: [ 6127.057197] RSP: 0018:ffffc9000da2bdc0 EFLAGS: 00010246
Nov 25 06:15:10 gdOv kernel: [ 6127.059245] RAX: ffffffbfa02c63c0 RBX: ffff880085932c00 RCX: 0000000000000001
Nov 25 06:15:10 gdOv kernel: [ 6127.061356] RDX: ffff880085932cd8 RSI: 0000000000000010 RDI: ffff880085932c00
Nov 25 06:15:10 gdOv kernel: [ 6127.063411] RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000000
Nov 25 06:15:10 gdOv kernel: [ 6127.065374] R10: ffff880085932c10 R11: 0000000000000000 R12: ffff8801248401e8
Nov 25 06:15:10 gdOv kernel: [ 6127.067307] R13: ffff8803216900a0 R14: ffff8800757447d0 R15: ffff8801248401e8
Nov 25 06:15:10 gdOv kernel: [ 6127.069179] FS: 0000030bfe92aec0(0000) GS:ffff88032fc80000(0000) knlGS:0000000000000000
Nov 25 06:15:10 gdOv kernel: [ 6127.071043] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 25 06:15:10 gdOv kernel: [ 6127.072818] CR2: ffffffbfa02c6430 CR3: 00000000017e5000 CR4: 00000000000006f0
Nov 25 06:15:10 gdOv kernel: [ 6127.074626] Stack:
Nov 25 06:15:10 gdOv kernel: [ 6127.076448] ffff880085932c10 ffff880085932c00 ffff880051d7c5c0 ffffffff828b5df0
Nov 25 06:15:10 gdOv kernel: [ 6127.078290] 0000000000000000 ffff880051d7cd60 ffff880085a0a800 ffffffff81078e54
Nov 25 06:15:10 gdOv kernel: [ 6127.080172] ffff880051d7cd94 ffff880051d7c5c0 ffffc9000da2be68 ffff88031ef82140
Nov 25 06:15:10 gdOv kernel: [ 6127.082044] Call Trace:
Nov 25 06:15:10 gdOv kernel: [ 6127.083915] [] ? task_work_run+0x74/0xa0
Nov 25 06:15:10 gdOv kernel: [ 6127.085843] [] ? do_exit+0x2f1/0xb80
Nov 25 06:15:10 gdOv kernel: [ 6127.087739] [] ? return_from_SYSCALL_64+0xd/0x73
Nov 25 06:15:10 gdOv kernel: [ 6127.089663] [] ? do_group_exit+0x49/0xb0
Nov 25 06:15:10 gdOv kernel: [ 6127.091527] [] ? sys_exit_group+0xb/0x10
Nov 25 06:15:10 gdOv kernel: [ 6127.093367] [] ? entry_SYSCALL_64_fastpath+0x17/0xa8
Nov 25 06:15:10 gdOv kernel: [ 6127.095141] Code: d8 00 00 00 48 39 c2 0f 85 13 01 00 00 48 89 df e8 47 36 05 00 f6 43 41 20 0f 85 1b 01 00 00 48 89 df e8 b5 92 0a 00 48 8b 43 28 <48> 8b 40 70 48 85 c0 74 08 48 89 de 4c 89 e7 ff d0 48 89 df e8
Nov 25 06:15:10 gdOv kernel: [ 6127.098876] RIP [] __fput+0xbf/0x220
Nov 25 06:15:10 gdOv kernel: [ 6127.100696] RSP
Nov 25 06:15:10 gdOv kernel: [ 6127.102533] CR2: ffffffbfa02c6430
Nov 25 06:15:10 gdOv kernel: [ 6127.112137] ---[ end trace 0d9c001ca28ee136 ]---
Nov 25 06:15:10 gdOv kernel: [ 6127.112139] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Nov 25 06:15:10 gdOv kernel: [ 6127.112351] Fixing recursive fault but reboot is needed!

Add GRKERNSEC_RANDOM_TIMESTAMPS

Hi,

What do you think about adding this feature?

random_timestamp-4.9.x.txt

Thank you. Best regards

Remove the master branch plz

https://matthew-brett.github.io/pydagogue/gh_delete_master.html

PAX_RAP at work

This is manually copied screen with possible typoes (but likely not many nor grave), the panic happened very soon after boot.

[   32.097759] CPU: 0 PID: 7 Comm: rcu_sched Tainted: G     D           4.9.73-unofficial+grsec171230-04 #1 
[   32.102705] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
[   32.107654]  ffffc90000003d98 ffffffff818038c6 0000000000000000 0000000000000000 
[   32.112652]  ffffc90000003dd8 ffffffff81118205 0000007f8116c2ad 0000000000000001 
[   32.117637]  ffff88032fc946c0 0000000000000000 ffff8803216b2c40 ffff88032fc10dc0 
[   32.122570] Call Trace: 
[   32.127391]  <IRQ> [   32.127441]  [<ffffffff818038c6>] dump_stack+0x81/0xcb 
[   32.132297]  [<ffffffff81118205>] __warn+0x185/0x1c0
[   32.137146]  [<ffffffff81118439>] warn_slowpath_null +0x49/0x80 
[   32.141921]  [<ffffffff810b8245>] native_smp_send_reschedule+0x95/0xb0 
[   32.146662]  [<ffffffff8117bda5>] trigger_load_balance+0x1d5/0x2a0 
[   32.151291]  [<ffffffff81161456>] scheduler_tick+0x136/0x1a0 
[   32.155864]  [<ffffffff811b3b46>] update_process_times+0x96/0xe0
[   32.160346]  [<ffffffff811ce71a>] tick_sched_handle.isra.16+0x6a/0xa0 
[   32.164833]  [<ffffffff811cf00c>] tick_sched_timer+0x7c/0xe0
[   32.169266]  [<ffffffff811b4776>] __hrtimer_run_queues+0x106/0x220 
[   32.173717]  [<ffffffff811b56dd>] hrtimer_interrupt+0xcd/0x210
[   32.178138]  [<ffffffff810bbd7c>] local_apic_timer_interrupt+0x9d/0xf0 
[   32.182599]  [<ffffffff810bd38d>] smp_apic_timer_interrupt+0x9d/0xf0 
[   32.186998]  [<ffffffff82569d02>] apic_timer_interrupt+0xb2/0xc0 
[   32.191358]  <EOI> [   32.191408]  [<ffffffff8122cfea>] ? panic+0x2f8/0x379 
[   32.195790]  [<ffffffff8122cfed>] ? panic+0x2fb/0x379
[   32.200134]  [<ffffffff8108e914>] ? oops_end+0x84/0x100 
[   32.204421]  [<ffffffff817ed7ad>] gr_handle_kernel_exploit+0x1bd/0x1d0 
[   32.208748]  [<ffffffff8108e943>] oops_end+0xb3/0x100 
[   32.213041]  [<ffffffff8108eb8c>] die+0x8c/0xf0 
[   32.217258]  [<ffffffff81089e99>] do_trap+0xb9/0x280 
[   32.221449]  [<ffffffff8108a134>] do_error_trap+0xd4/0x180
[   32.225654]  [<ffffffff811a8890>] ? sync_exp_work_done.part.16+0x50/0x50 
[   32.229897]  [<ffffffff8108abfe>] do_rap_ret_error+0x4e/0x80 
[   32.234139]  [<ffffffff8256a982>] rap_ret_error+0x32/0x40
[   32.238409]  [<ffffffff811a8890>] ? sync_exp_work_done.part.16+0x50/0x50 
[   32.242685]  [<ffffffff811ab948>] ? force_qs_rnp+0x128/0x240 
[   32.246798]  [<ffffffff811a8902>] ? dyntick_save_progress_counter+0x72/0x90 
[   32.250787]  [<ffffffff811ab948>] force_qs_rnp+0x128/0x240  
[   32.254714]  [<ffffffff811abe28>] rcu_qp_kthread+0x3c8/0xa80 
[   32.258593]  [<ffffffff811aba60>] ? force_qs_rnp+0x240/0x240 
[   32.262458]  [<ffffffff81150681>] kthread+0x161/0x1a0 
[   32.266222]  [<ffffffff81150520>] ? __kthread_parkme+0xd0/0xd0 
[   32.269919]  [<ffffffff82569288>] ret_from_fork+0x88/0xa0 
[   32.273504]  --[ end trace 40f9b8955beb4e3b ]---

After tolied a little to copy that, I rebooted. On the next (mechanical) reboot:

early console in extact_kernel
input_data: 0x0000000002d8343b4
input_len: 0x0000000000059274
output: 0x0000000001000000
output_len: 0x00000000024ba868
kernel_total_size: 0x0000000003600000

Decompressing Linux...

XZ-compressed data is corrupt

 -- System halted

And one more time on the next (mechanical) reboot:

Upon issuing

$ startx

some terminals opened (almost all) and Xorg froze (with likely kernel crash having happened).

But nothing in the logs.

And afterwards, the system again appears to work just fine.

Someone more knowledgeable (minipli of HacKurx or someone else) pls. change the title to a better fit.

segfaults upon install of uBlock0 in Pale Moon on grsecunoff kernel-based Linux

So tired that I'm only posting links (all links go from there):
gorhill/uBlock#3530
grsecunoff must live, GNU/Linux on google-sponsored security would be/almost is (it's happening, God!) worse than death of GNU/Linux!

No updates in forever

Can we get some more commits? I'd like to be on a more modern kernel as I have some newer hardware in my server.

join forces?

I'm looking for a replacement of grsecurity patch and found a link (https://www.gentoo.org/support/news-items/2017-08-19-hardened-sources-removal.html) to your site.

Meanwhile, there is a new initiative from multi-distro (Gentoo, Arch and hopefully Debian) emerging:
https://github.com/copperhead/linux-hardened/wiki

This all is confusing and I was wondering, could you join forces with these guys?

PAX: RAP hash violation for return address: __ext4_get_inode_loc+0x258/0xab0

Nov 23 22:21:52 gdOv kernel: [12952.904885] PAX: RAP hash violation for return address: __ext4_get_inode_loc+0x258/0xab0
Nov 23 22:21:52 gdOv kernel: [12952.904894] PAX: overwritten return address detected: 0000 [#1] SMP
Nov 23 22:21:52 gdOv kernel: [12952.904942] CPU: 1 PID: 5273 Comm: mencoder Not tainted 4.9.64-unofficial+grsec171123-16 #1
Nov 23 22:21:52 gdOv kernel: [12952.904990] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Nov 23 22:21:52 gdOv kernel: [12952.905049] task: ffff8802e12eac00 task.stack: ffffc90006d14000
Nov 23 22:21:52 gdOv kernel: [12952.905084] RIP: 0010:[<ffffffff8135888c>]  [<ffffffff8135888c>] __getblk_gfp+0x50c/0x580
Nov 23 22:21:52 gdOv kernel: [12952.905137] RSP: 0018:ffffc90006d179e0  EFLAGS: 00000287
Nov 23 22:21:52 gdOv kernel: [12952.906575] RAX: 0000000000000000 RBX: 0000000000000008 RCX: ffffffff81428988
Nov 23 22:21:52 gdOv kernel: [12952.908062] RDX: 0000000080000000 RSI: 0000000001680174 RDI: ffffea000b43b700
Nov 23 22:21:52 gdOv kernel: [12952.909523] RBP: ffffc90006d17a70 R08: ffff8802d2e0f0d0 R09: 0000000000000000
Nov 23 22:21:52 gdOv kernel: [12952.911000] R10: 0000000000000000 R11: 0000000001680174 R12: ffff8802d2e0f0d0
Nov 23 22:21:52 gdOv kernel: [12952.912495] R13: 0000000000001000 R14: 0000000001680174 R15: ffff880322ca1080
Nov 23 22:21:52 gdOv kernel: [12952.913980] FS:  0000035a8dd5d480(0000) GS:ffff88032fc80000(0000) knlGS:0000000000000000
Nov 23 22:21:52 gdOv kernel: [12952.915466] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 23 22:21:52 gdOv kernel: [12952.916934] CR2: 0000035a69edf00c CR3: 0000000002c22000 CR4: 00000000000006f0
Nov 23 22:21:52 gdOv kernel: [12952.918437] Stack:
Nov 23 22:21:52 gdOv kernel: [12952.919881]  ffffffffffff4111 ffffffffffff4111 ffffffffffff4111 ffffffffffff4111
Nov 23 22:21:52 gdOv kernel: [12952.921357]  ffffffffffff4111 ffffffffffff4111 ffffffffffff4111 ffffffffffff4111
Nov 23 22:21:52 gdOv kernel: [12952.922813]  ffffffffffff4111 ffffffffffff4111 ffffffffffff4111 4ace801aa4e2e566
Nov 23 22:21:52 gdOv kernel: [12952.924255] Call Trace:
Nov 23 22:21:52 gdOv kernel: [12952.925677]  [<ffffffff81428988>] __ext4_get_inode_loc+0x258/0xab0
Nov 23 22:21:52 gdOv kernel: [12952.927152]  [<ffffffff81497dbb>] ? start_this_handle+0x12b/0x570
Nov 23 22:21:52 gdOv kernel: [12952.928631]  [<ffffffff81431b8c>] ext4_reserve_inode_write+0x5c/0x120
Nov 23 22:21:52 gdOv kernel: [12952.930143]  [<ffffffff81431ccf>] ext4_mark_inode_dirty+0x7f/0x370
Nov 23 22:21:52 gdOv kernel: [12952.931630]  [<ffffffff81437e55>] ext4_dirty_inode+0x75/0xd0
Nov 23 22:21:52 gdOv kernel: [12952.933131]  [<ffffffff81341a67>] __mark_inode_dirty+0x97/0x3a0
Nov 23 22:21:52 gdOv kernel: [12952.934640]  [<ffffffff813206c6>] generic_update_time+0xd6/0x170
Nov 23 22:21:52 gdOv kernel: [12952.936154]  [<ffffffff813254eb>] file_update_time+0x14b/0x1d0
Nov 23 22:21:52 gdOv kernel: [12952.937671]  [<ffffffff8123c5a7>] __generic_file_write_iter+0xf7/0x4a0
Nov 23 22:21:52 gdOv kernel: [12952.939214]  [<ffffffff81421463>] ext4_file_write_iter+0xe3/0x620
Nov 23 22:21:52 gdOv kernel: [12952.940696]  [<ffffffff812e8c76>] __vfs_write+0x1a6/0x220
Nov 23 22:21:52 gdOv kernel: [12952.942135]  [<ffffffff812e8f9c>] vfs_write+0xfc/0x270
Nov 23 22:21:52 gdOv kernel: [12952.943508]  [<ffffffff812e9561>] rap_sys_write+0x91/0x140
Nov 23 22:21:52 gdOv kernel: [12952.944886]  [<ffffffff825b1b53>] entry_SYSCALL_64_fastpath+0x1e/0xec
Nov 23 22:21:52 gdOv kernel: [12952.946256]  [<ffffffff825b26c2>] ? retint_user+0x3c/0x44
Nov 23 22:21:52 gdOv kernel: [12952.947619] Code: ff b8 ff 01 00 00 e9 f2 fb ff ff 4c 8b 64 24 10 e9 81 fb ff ff 4c 8b 64 24 10 e9 77 fb ff ff be 00 02 00 00 eb ab e8 e4 26 dc ff <cd> 83 48 c7 c1 88 04 a0 82 48 c7 c2 57 a3 9e 82 be 0d 04 00 00
Nov 23 22:21:52 gdOv kernel: [12952.950541] RIP  [<ffffffff8135888c>] __getblk_gfp+0x50c/0x580
Nov 23 22:21:52 gdOv kernel: [12952.951959]  RSP <ffffc90006d179e0>
Nov 23 22:21:52 gdOv kernel: [12952.961267] ---[ end trace 201549ef2346af5f ]---

I've studied hard and presented some traces of the last week and longer, but exactly this one I noticed, and failed to post at: grsec-unoff RAP related Call Traces

Please remove bnx2-mips (firmware data in hexadecimal)

Hi Mathias,

I suggest removing bnx2-mips-09-6.2.1b.fw and bnx2-mips-09-6.2.1b.fw as this will lighten the patch (-0.6 mo) and this is easier to read (no ihex).
Moreover it is written: "This file contains firmware data derived from proprietary unpublished source code" So considering the architecture and the license I do not see the interest to keep this.
Also I do not think there is a lot of user of this driver.

The user who needs it will always be able to add this one (I can attach the driver here if necessary).

Thanks.

4.9.61

I noticed there was no patch for .60 or .61, I still use these patches regularly.
Hope you are doing well - Keep up the good work! 👍

NULL pointer deref in do_blockdev_direct_IO()

grsec-unoff RAP related Call Traces
http://www.croatiafidelis.hr/foss/cap/cap-171117-grsec-RAP-Oops/
Will be back to tell more, ask more...

v4.9.{62…64}-unofficial_grsec fail with gcc version 6.4.0

# make
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CHK     include/generated/bounds.h
  CHK     include/generated/timeconst.h
  CHK     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  DESCEND  objtool
  CHK     include/generated/compile.h
  CHK     kernel/config_data.h
make[1]: [grsecurity/Makefile:50: grsecurity/grsec_hidesym.o] Error 1 (ignored)
  grsec: protected kernel image paths
  CC      sound/core/seq/oss/seq_oss_readq.o
sound/core/seq/oss/seq_oss_readq.c: In function 'snd_seq_oss_readq_sysex':
sound/core/seq/oss/seq_oss_readq.c:146:36: error: passing argument 2 of 'snd_seq_dump_var_event' from incompatible pointer type [-Werror=incompatible-pointer-types]
  return snd_seq_dump_var_event(ev, readq_dump_sysex, &ctx);
                                    ^~~~~~~~~~~~~~~~
In file included from ./include/sound/seq_oss.h:25:0,
                 from sound/core/seq/oss/seq_oss_device.h:29,
                 from sound/core/seq/oss/seq_oss_readq.h:25,
                 from sound/core/seq/oss/seq_oss_readq.c:23:
./include/sound/seq_kernel.h:87:5: note: expected 'snd_seq_dump_func_t {aka int (*)(void *, const void *, int)}' but argument is of type 'int (*)(void *, void *, int)'
 int snd_seq_dump_var_event(const struct snd_seq_event *event,
     ^~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:294: sound/core/seq/oss/seq_oss_readq.o] Error 1
make[3]: *** [scripts/Makefile.build:544: sound/core/seq/oss] Error 2
make[2]: *** [scripts/Makefile.build:544: sound/core/seq] Error 2
make[1]: *** [scripts/Makefile.build:544: sound/core] Error 2
make: *** [Makefile:993: sound] Error 2

Thanks for maintaining grsec for 4.9!

Build fails with CONFIG_GRKERNSEC_RANDSTRUCT=y and gcc 7.1

HOSTCXX -fPIC scripts/gcc-plugins/randomize_layout_plugin.o
  HOSTLLD -shared scripts/gcc-plugins/structleak_plugin.so
  GENHASH  scripts/gcc-plugins/size_overflow_plugin/e_fns.h
scripts/gcc-plugins/randomize_layout_plugin.c: In function ‘void randomize_layout_finish_decl(void*, void*)’:
scripts/gcc-plugins/randomize_layout_plugin.c:528:21: error: lvalue required as left operand of assignment
  DECL_ALIGN(decl) = 0;
                     ^
make[1]: *** [scripts/Makefile.host:158: scripts/gcc-plugins/randomize_layout_plugin.o] Error 1
make[1]: *** Waiting for unfinished jobs....

Similiar report in gentoo with latest official patch 4.9.24:
https://bugs.gentoo.org/show_bug.cgi?id=618372

KPTI backport conflicts

Spent a bit of time looking at the KPTI thing and trying to figure how the pieces impacted by the changes in this tree actually work, and what the kpti patches are doing there. It looks like there's a bunch of delta around the way tss_struct is handled, and lower down to things i dont yet understand, seemingly related to how data is laid out on the stack. It appears that some of the memory access is actually occuring from kernel context whereas the 4.9 upstream code being patched seems to expect its in the user context (in truct tss_struct doublefault_tss for instance)

@minipli: if this is actually "portable" into the fork, is there any chance you might be able to detail the changes from upstream in the commit log so we could better understand the clockwork? Thanks as always.

chmod 0700 while make

Sorry if this has nothing with grsec, but I never have seen such behaviour on official kernels before:

web /usr/src/linux-unofficial_grsec # ls -ld .
drwx------ 27 root root 4096 Nov 23 15:39 .
web /usr/src/linux-unofficial_grsec # chmod 0755 .
web /usr/src/linux-unofficial_grsec # ls -ld .
drwxr-xr-x 27 root root 4096 Nov 23 15:39 .
web /usr/src/linux-unofficial_grsec # make
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CHK     include/generated/bounds.h
  CHK     include/generated/timeconst.h
  CHK     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  DESCEND  objtool
  CHK     include/generated/compile.h
  CHK     kernel/config_data.h
make[1]: [grsecurity/Makefile:48: grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[1]: [grsecurity/Makefile:49: grsecurity/grsec_hidesym.o] Error 1 (ignored)
make[1]: [grsecurity/Makefile:50: grsecurity/grsec_hidesym.o] Error 1 (ignored)
  grsec: protected kernel image paths
  LD      arch/x86/boot/compressed/vmlinux
ld: arch/x86/boot/compressed/head_64.o: warning: relocation in readonly section `.head.text'
ld: warning: creating a DT_TEXTREL in a shared object.
  ZOFFSET arch/x86/boot/zoffset.h
  AS      arch/x86/boot/header.o
  LD      arch/x86/boot/setup.elf
  OBJCOPY arch/x86/boot/setup.bin
  OBJCOPY arch/x86/boot/vmlinux.bin
  BUILD   arch/x86/boot/bzImage
Setup is 16348 bytes (padded to 16384 bytes).
System is 4877 kB
CRC 32a230c7
Kernel: arch/x86/boot/bzImage is ready  (#1)
web /usr/src/linux-unofficial_grsec # ls -ld .
drwx------ 27 root root 4096 Nov 23 15:40 .

Problem is 0700 permissions prevent building external kernel modules using non-root account (like it happens in Gentoo while emerge nvidia-drivers, for example).

any plans to port the patch for a newer kernel?

We are having an internal debates and I was wondering would you be porting the patch for a newer kernel?
Any plans/works so far?

Build failures with gold linker

I'm not sure if this is something you're interested in, but it's worth a shot. I noticed this build failure a while ago with the official grsec sources and reported it in Gentoo bug #607974. I just tested it with HEAD from the repo, and get a similar failure:

  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  HOSTCC  scripts/kallsyms
  HOSTCC  scripts/pnmtologo
  HOSTCC  scripts/conmakehash
  HOSTCC  scripts/sortextable
  CC      init/main.o
ld: warning: init/.tmp_main.o: section .init.rodata.str contains incorrectly aligned strings; the alignment of those strings won't be preserved
  CHK     include/generated/compile.h
  CC      init/version.o
  CC      init/do_mounts.o
ld: warning: init/.tmp_do_mounts.o: section .init.rodata.str contains incorrectly aligned strings; the alignment of those strings won't be preserved
  LD      init/mounts.o
  CC      init/noinitramfs.o
  CC      init/calibrate.o
  CC      init/init_task.o
  LD      init/built-in.o
ld: error: init/version.o: multiple definition of '__rap_hash_call_this_cpu_cmpxchg16b_emu'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_ret_this_cpu_cmpxchg16b_emu'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_call_call_rwsem_down_read_failed'
ld: init/main.o: previous definition here
ld: error: init/version.o: multiple definition of '__rap_hash_ret_call_rwsem_down_read_failed'
ld: init/main.o: previous definition here
...

This happens whenever my "ld" is set to the gold linker:

$ ld --version
GNU gold (Gentoo 2.28.1 p1.0 2.28.1) 1.14

I'll paste only my pax/grsec config options below, but anything else you need is available too.

#
# Security options
#

#
# Grsecurity
#
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set

#
# Default Special Groups
#
CONFIG_GRKERNSEC_PROC_GID=0
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=117

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
CONFIG_PAX_INITIFY=y
CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
# CONFIG_PAX_INITIFY_VERBOSE is not set
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_PAX_RAP=y
# CONFIG_PAX_RAP_VERBOSE is not set

#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y

#
# Executable Protections
#
# CONFIG_GRKERNSEC_DMESG is not set
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_HARDEN_TTY=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=117

#
# Network Protections
#
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Physical Protections
#
CONFIG_GRKERNSEC_DENYUSB=y
# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set

#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
# CONFIG_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENABLED=y
# CONFIG_INTEGRITY is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y

Spectre mitigation (retpoline)

Hi Matthias,

Thanks for your amazing effort. I know you have plenty to do right now, but let me ask, do you plan to backport the spectre mitigations (retpoline) too?

(https://lkml.org/lkml/2018/1/3/780)

minipli / linux-unofficial_grsec Goto Github PK

linux-unofficial_grsec's People

Contributors

Stargazers

Watchers

Forkers

linux-unofficial_grsec's Issues

Recommend Projects

Recommend Topics

Recommend Org