initial commit of extracted grsecurity chroot hardening #1

Closed
wants to merge 34 commits into from
34 commits
c607904
enable CONFIG_PANIC_ON_OOPS by default
thestinger May 3, 2017
313bc9a
enable CONFIG_DEBUG_LIST by default
thestinger May 3, 2017
ae12fbf
enable SLAB_FREELIST_RANDOM by default
thestinger May 3, 2017
cdb398d
set kptr_restrict=2 by default
thestinger May 3, 2017
e32ea1a
add __ro_after_init to slab_nomerge
thestinger May 3, 2017
b835fbc
add a SLAB_HARDENED configuration option
thestinger May 3, 2017
8f36fe9
disable slab merging
thestinger May 3, 2017
b238307
add missing cache_from_obj !PageSlab check
thestinger May 3, 2017
133cc26
real slab_equal_or_root check for !MEMCG_KMEM
thestinger Mar 31, 2017
e45250a
bug on kmem_cache_free with the wrong cache
thestinger May 3, 2017
6e098ef
always perform cache_from_obj consistency checks
thestinger May 3, 2017
eb54ce7
bug on !PageSlab && !PageCompound in ksize
thestinger May 3, 2017
6efe84c
add kmalloc alloc_size attributes
thestinger May 3, 2017
d342da3
add vmalloc alloc_size attributes
thestinger May 3, 2017
e1f59d4
arm64: zero the leading stack canary byte
thestinger May 3, 2017
624349a
x86_64: zero the leading stack canary byte
thestinger May 3, 2017
0926d3f
use get_random_long for the per-task stack canary
thestinger May 3, 2017
daaf36f
zero leading per-task stack canary byte on 64-bit
thestinger May 3, 2017
e1d4586
add slub free list XOR encryption
thestinger May 3, 2017
7048d1b
add fortified string.h functions
thestinger Apr 9, 2017
4764563
work around undefined memcmp in arch/arm64/kernel/vdso.c
thestinger Apr 9, 2017
7a841c1
work around undefined memcmp in kernel/kexec_file.c
thestinger May 3, 2017
46e3c06
work around undefined memcpy in drivers/net/ethernet/brocade/bna/bnad…
thestinger May 3, 2017
9e2e0bd
work around undefined memcpy in drivers/net/ethernet/brocade/bna/bfa_…
thestinger May 3, 2017
3222859
work around undefined memcpy calls in drivers/net/ethernet/qlogic/qlg…
thestinger May 3, 2017
0638b18
work around undefined memcpy in drivers/net/wireless/marvell/libertas…
thestinger May 3, 2017
81f5f22
work around undefined memcpy in drivers/net/wireless/ray_cs.c
thestinger May 3, 2017
bfe45e0
work around undefined memcpy in drivers/scsi/csiostor/csio_lnode.c
thestinger May 3, 2017
e20aada
add basic full slab sanitization
thestinger May 3, 2017
c8e0e67
slub: add multi-purpose random canaries
thestinger May 3, 2017
7538062
initial commit of extracted grsecurity chroot hardening
andyrj May 4, 2017
b5d9315
corrected error from a squash merge, left GRKERNSEC and grsec_, inste…
andyrj May 4, 2017
5e51c71
missed another rename in squash merge for handle_chroot_sysctl
andyrj May 4, 2017
8e43a35
another rename correction missed in initial merge
andyrj May 4, 2017
zero leading per-task stack canary byte on 64-bit
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
thestinger committed May 3, 2017
commit daaf36f7849d3533a84b3e19a0b73e3c8da68a9d
5 changes: 5 additions & 0 deletions kernel/fork.c
@@ -537,6 +537,11 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node)

#ifdef CONFIG_CC_STACKPROTECTOR
tsk->stack_canary = get_random_long();

#ifdef CONFIG_64BIT
/* Sacrifice 8 bits of entropy to mitigate non-terminated C string overflows */
memset(&tsk->stack_canary, 0, 1);
#endif
#endif

/*
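Review bot: the comment above `memset(&tsk->stack_canary, 0, 1);` states the cost (8 bits of entropy) but not the two design choices a later reader is most likely to undo. First, writing through the address zeroes the lowest-addressed byte of the canary, which is the first byte a string operation running up the stack reaches on either endianness; a constant mask such as `& ~0xffUL` would only do that on little-endian, so the comment should say the byte is chosen by memory position on purpose. Second, the `#ifdef CONFIG_64BIT` guard leaves 32-bit canaries at full width, presumably because 24 random bits were judged too few; a short clause saying so would document why the guard exists. Since this hunk only covers the per-task value set in dup_task_struct(), it is also worth confirming that every other place that seeds a stack canary gets the same treatment, so the zero byte is not present in some tasks and missing in others.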