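--- a/arch/sparc/Makefile
+++ b/arch/sparc/Makefile
@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
 # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
 INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
 CORE_Y := $(core-y)
-CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
 CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
 DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
 NET_Y := $(patsubst %/, %/built-in.o, $(net-y))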
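--- a/drivers/char/keyboard.c
+++ b/drivers/char/keyboard.c
@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
 kbd->kbdmode == VC_MEDIUMRAW) &&
 value != KVAL(K_SAK))
 return; /* SAK is allowed even in raw mode */
+
+#if defined(CONFIG_GRKERNSEC_PROC)
+ {
+ void *func = fn_handler[value];
+ if (func == fn_show_state || func == fn_show_ptregs ||
+ func == fn_show_mem)
+ return;
+ }
+#endif
+
 fn_handler[value](vc);
 }
 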
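Review bot: The new `#if defined(CONFIG_GRKERNSEC_PROC)` block in k_spec returns silently with nothing saying why these three handlers are singled out, nor why a /proc option rather than a keyboard-specific one gates them. Suggest a comment above the block: `/* fn_show_state, fn_show_ptregs and fn_show_mem print task, register and memory state to the console; hide them under the /proc restrictions since they expose the same information. */`. Declaring `func` with the array's element type instead of `void *` would also avoid the function-pointer-to-object-pointer conversion, which is a GCC extension rather than ISO C. k_spec begins outside the hunk, so whether `value` is already range-checked before `fn_handler[value]` is read cannot be confirmed from here.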
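--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -472,7 +472,16 @@ static const struct file_operations proc
 static int __init pci_proc_init(void)
 {
 struct pci_dev *dev = NULL;
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
+#endif
 proc_create("devices", 0, proc_bus_pci_dir,
 &proc_bus_pci_dev_operations);
 proc_initialized = 1;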
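Review bot: If the Kconfig (not in view here) allows CONFIG_GRKERNSEC_PROC_ADD without either CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP, the new `#ifdef` ladder in pci_proc_init assigns `proc_bus_pci_dir` in neither arm and the following `proc_create("devices", 0, proc_bus_pci_dir, ...)` attaches to whatever the global already holds (presumably NULL, i.e. the /proc root). The same ladder in fs/proc/root.c skips `proc_mkdir("bus", NULL)` entirely in that configuration, and in fs/proc/proc_misc.c `gr_mode` stays 0 so "cmdline" and "devices" are created with the same default mode as before, so the restriction silently does nothing. Either give each ladder an inner `#else` arm that keeps the unrestricted call, or make PROC_ADD select one of the two sub-options in Kconfig, and note the choice in a comment. pci_proc_init continues past the hunk.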
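--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -926,12 +926,12 @@ config PROC_FS
 
 config PROC_KCORE
 bool "/proc/kcore support" if !ARM
-depends on PROC_FS && MMU
+depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
 
 config PROC_VMCORE
 bool "/proc/vmcore support (EXPERIMENTAL)"
-depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP
-default y
+depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP && !GRKERNSEC
+default n
 help
 Exports the dump image of crashed kernel in ELF format.
 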
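--- a/fs/namei.c
+++ b/fs/namei.c
@@ -38,6 +38,7 @@
 #include <linux/vs_cowbl.h>
 #include <linux/vs_device.h>
 #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
 #include <asm/namei.h>
 #include <asm/uaccess.h>
 
@@ -740,6 +741,13 @@ static inline int do_follow_link(struct
 err = security_inode_follow_link(path->dentry, nd);
 if (err)
 goto loop;
+
+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
+ path->dentry->d_inode, path->dentry)) {
+ err = -EACCES;
+ goto loop;
+ }
+
 current->link_count++;
 current->total_link_count++;
 nd->depth++;
@@ -1925,6 +1933,12 @@ do_last:
 /*
 * It already exists.
 */
+
+ if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
+ error = -EACCES;
+ goto exit_mutex_unlock;
+ }
+
 mutex_unlock(&dir->d_inode->i_mutex);
 audit_inode(pathname, path.dentry);
 
@@ -2028,6 +2042,13 @@ do_link:
 error = security_inode_follow_link(path.dentry, &nd);
 if (error)
 goto exit_dput;
+
+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
+ path.dentry)) {
+ error = -EACCES;
+ goto exit_dput;
+ }
+
 error = __do_follow_link(&path, &nd);
 if (error) {
 /* Does someone understand code flow here? Or it is only
@@ -2669,6 +2690,13 @@ asmlinkage long sys_linkat(int olddfd, c
 error = PTR_ERR(new_dentry);
 if (IS_ERR(new_dentry))
 goto out_unlock;
+
+ if (gr_handle_hardlink(old_nd.path.dentry, old_nd.path.dentry->d_inode,
+ old_nd.path.dentry->d_inode->i_mode, to)) {
+ error = -EACCES;
+ goto out_dput;
+ }
+
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto out_dput;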
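Review bot: The calls added here do not match the definitions this same patch introduces: `gr_handle_follow_link` is called with three arguments (do_follow_link and do_link hunks) but grsecurity/grsec_link.c defines it with four (a trailing `const struct vfsmount *mnt`), `gr_handle_fifo` is called with four while grsecurity/grsec_fifo.c takes five (`mnt` second), and `gr_handle_hardlink` is called with four while grsec_link.c takes five (`mnt` second). Unless <linux/grsecurity.h>, which is not in the patch, declares other signatures, these will not compile; each caller has the mount at hand, e.g. `gr_handle_follow_link(path->dentry->d_parent->d_inode, path->dentry->d_inode, path->dentry, path->mnt)` in do_follow_link, `gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)` in do_last, and `gr_handle_hardlink(old_nd.path.dentry, old_nd.path.mnt, old_nd.path.dentry->d_inode, old_nd.path.dentry->d_inode->i_mode, to)` in sys_linkat. All four enclosing functions begin and end outside their hunks.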
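--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
 
 return 0;
 }
+
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
+{
+ return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
+}
+#endif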
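Review bot: proc_pid_ipaddr dereferences `task->signal` with no guard; as far as I recall `task->signal` is cleared when a task is released, and other per-task readers in fs/proc take the signal_struct under lock_task_sighand(), so confirm that the INF() read path pins the task well enough for the pointer to be non-NULL here, or test it and return 0 bytes. The `sprintf` is bounded in practice (the format yields at most 16 characters plus the terminator into the page buffer) but that reasoning is not written down. Suggest a header comment: `/* Emit the IPv4 address recorded for this process by grsec_sock.c (signal->curr_ip) as a dotted quad; at most 16 chars, so sprintf into the INF page buffer is safe. */`.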
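--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -79,6 +79,8 @@
 #include <linux/pid_namespace.h>
 #include <linux/vs_context.h>
 #include <linux/vs_network.h>
+#include <linux/grsecurity.h>
+
 #include "internal.h"
 
 /* NOTE:
@@ -148,7 +150,7 @@ static unsigned int pid_entry_count_dirs
 return count;
 }
 
-int maps_protect;
+int maps_protect = 1;
 EXPORT_SYMBOL(maps_protect);
 
 static struct fs_struct *get_fs_struct(struct task_struct *task)
@@ -307,9 +312,9 @@ static int proc_pid_auxv(struct task_str
 struct mm_struct *mm = get_task_mm(task);
 if (mm) {
 unsigned int nwords = 0;
- do
+ do {
 nwords += 2;
- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
+ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
 res = nwords * sizeof(mm->saved_auxv[0]);
 if (res > PAGE_SIZE)
 res = PAGE_SIZE;
@@ -1412,7 +1417,11 @@ static struct inode *proc_pid_make_inode
 inode->i_gid = 0;
 if (task_dumpable(task)) {
 inode->i_uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 inode->i_gid = task->egid;
+#endif
 }
 /* procfs is xid tagged */
 inode->i_tag = (tag_t)vx_task_xid(task);
@@ -1430,17 +1439,39 @@ static int pid_getattr(struct vfsmount *
 {
 struct inode *inode = dentry->d_inode;
 struct task_struct *task;
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
+
 generic_fillattr(inode, stat);
 
 rcu_read_lock();
 stat->uid = 0;
 stat->gid = 0;
 task = pid_task(proc_pid(inode), PIDTYPE_PID);
- if (task) {
+
+ if (task
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ && (!tmp->uid || (tmp->uid == task->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+ )
+#endif
+ ) {
 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
+#endif
 task_dumpable(task)) {
 stat->uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 stat->gid = task->egid;
+#endif
 }
 }
 rcu_read_unlock();
@@ -1468,11 +1505,21 @@ static int pid_revalidate(struct dentry
 {
 struct inode *inode = dentry->d_inode;
 struct task_struct *task = get_proc_task(inode);
+
 if (task) {
 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
+#endif
 task_dumpable(task)) {
 inode->i_uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 inode->i_gid = task->egid;
+#endif
 } else {
 inode->i_uid = 0;
 inode->i_gid = 0;
@@ -1841,12 +1888,19 @@ static int proc_fd_permission(struct ino
 struct nameidata *nd)
 {
 int rv;
+ struct task_struct *task;
 
 rv = generic_permission(inode, mask, NULL);
- if (rv == 0)
- return 0;
+
 if (task_pid(current) == proc_pid(inode))
 rv = 0;
+
+ task = get_proc_task(inode);
+ if (task == NULL)
+ return rv;
+
+ put_task_struct(task);
+
 return rv;
 }
 
@@ -2617,7 +2683,14 @@ static struct dentry *proc_pid_instantia
 if (!inode)
 goto out;
 
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#else
 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#endif
 inode->i_op = &proc_tgid_base_inode_operations;
 inode->i_fop = &proc_tgid_base_operations;
 inode->i_flags|=S_IMMUTABLE;
@@ -2724,6 +2801,9 @@ int proc_pid_readdir(struct file * filp,
 {
 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
 struct tgid_iter iter;
 struct pid_namespace *ns;
 
@@ -2742,6 +2822,15 @@ int proc_pid_readdir(struct file * filp,
 for (iter = next_tgid(ns, iter);
 iter.task;
 iter.tgid += 1, iter = next_tgid(ns, iter)) {
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ if (tmp->uid && (iter.task->uid != tmp->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+ )
+#endif
+ continue;
+
 filp->f_pos = iter.tgid + TGID_OFFSET;
 if (!vx_proc_task_visible(iter.task))
 continue;
@@ -2815,6 +2906,9 @@ static const struct pid_entry tid_base_s
 #ifdef CONFIG_FAULT_INJECTION
 REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ INF("ipaddr", S_IRUSR, pid_ipaddr),
+#endif
 };
 
 static int proc_tid_base_readdir(struct file * filp,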
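Review bot: In the proc_pid_readdir loop the `continue;` (patch line 318) sits after the `#endif` that closes the `#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` block, so as rendered here a build with neither option executes `continue;` unconditionally and the readdir lists no processes at all; the `continue;` belongs inside the conditional, i.e. move it above that `#endif`, the way the pid_getattr hunk keeps its `) {` inside the guard. Separately, the proc_fd_permission hunk now calls get_proc_task() and immediately put_task_struct()s the result on both paths, which is dead work with no effect on `rv` — either restore whatever check was meant to use `task` or drop the pair. Both functions begin and end outside their hunks.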
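--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
 if (de->mode) {
 inode->i_mode = de->mode;
 inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 inode->i_gid = de->gid;
+#endif
 }
 if (de->vx_flags)
 PROC_I(inode)->vx_flags = de->vx_flags;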
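Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP proc_get_inode now replaces `de->gid` with CONFIG_GRKERNSEC_PROC_GID for every entry that has a mode, including entries whose creator set an explicit gid, and nothing records that this is deliberate. If the override is meant as a default, `inode->i_gid = de->gid ? de->gid : CONFIG_GRKERNSEC_PROC_GID;` keeps explicit gids; if it is meant to be unconditional, a one-line comment above the `#ifdef` such as `/* every procfs entry is owned by the grsec proc group regardless of de->gid */` would stop the next reader from "fixing" it. The same unconditional substitution appears in fs/proc/base.c (proc_pid_make_inode, pid_getattr, pid_revalidate).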
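--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -58,6 +58,9 @@ extern int proc_pid_statm(struct seq_fil
 struct pid *pid, struct task_struct *task);
 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
 struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+#endif
 
 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
 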
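--- a/fs/proc/proc_misc.c
+++ b/fs/proc/proc_misc.c
@@ -851,6 +851,8 @@ struct proc_dir_entry *proc_root_kcore;
 
 void __init proc_misc_init(void)
 {
+ int gr_mode = 0;
+
 static struct {
 char *name;
 int (*read_proc)(char*,char**,off_t,int,int*,void*);
@@ -866,13 +868,24 @@ void __init proc_misc_init(void)
 {"stram", stram_read_proc},
 #endif
 {"filesystems", filesystems_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
 {"cmdline", cmdline_read_proc},
+#endif
 {"execdomains", execdomains_read_proc},
 {NULL,}
 };
 for (p = simple_ones; p->name; p++)
 create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
 
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ gr_mode = S_IRUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ gr_mode = S_IRUSR | S_IRGRP;
+#endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
+#endif
+
 proc_symlink("mounts", NULL, "self/mounts");
 
 /* And now for trickier ones */
@@ -880,14 +893,18 @@ void __init proc_misc_init(void)
 proc_create("kmsg", S_IRUSR, NULL, &proc_kmsg_operations);
 #endif
 proc_create("locks", 0, NULL, &proc_locks_operations);
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+ proc_create("devices", gr_mode, NULL, &proc_devinfo_operations);
+#else
 proc_create("devices", 0, NULL, &proc_devinfo_operations);
+#endif
 proc_create("cpuinfo", 0, NULL, &proc_cpuinfo_operations);
 #ifdef CONFIG_BLOCK
 proc_create("partitions", 0, NULL, &proc_partitions_operations);
 #endif
 proc_create("stat", 0, NULL, &proc_stat_operations);
 proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
-#ifdef CONFIG_SLABINFO
+#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
 proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
 #ifdef CONFIG_DEBUG_SLAB_LEAK
 proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
@@ -909,7 +926,7 @@ void __init proc_misc_init(void)
 #ifdef CONFIG_SCHEDSTATS
 proc_create("schedstat", 0, NULL, &proc_schedstat_operations);
 #endif
-#ifdef CONFIG_PROC_KCORE
+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
 proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
 if (proc_root_kcore)
 proc_root_kcore->size =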
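--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -139,7 +139,15 @@ void __init proc_root_init(void)
 #ifdef CONFIG_PROC_DEVICETREE
 proc_device_tree_init();
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
 proc_mkdir("bus", NULL);
+#endif
 proc_sys_init();
 proc_vx_init();
 }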
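--- a/grsecurity/grsec_disabled.c
+++ b/grsecurity/grsec_disabled.c
@@ -0,0 +1,6 @@
+void
+grsecurity_init(void)
+{
+ return;
+}
+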
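--- a/grsecurity/grsec_fifo.c
+++ b/grsecurity/grsec_fifo.c
@@ -0,0 +1,20 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
+ const struct dentry *dir, const int flag, const int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_FIFO
+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
+ (current->fsuid != dentry->d_inode->i_uid)) {
+ return -EACCES;
+ }
+#endif
+ return 0;
+}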
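Review bot: gr_handle_fifo has no comment stating the policy it enforces, and two of its parameters, `mnt` and `acc_mode`, are never read. Suggest a header comment above the definition: `/* Refuse to open a FIFO that lives in a sticky directory when the FIFO is owned by neither the directory owner nor the caller (fsuid), unless O_EXCL was given. Returns -EACCES to deny, 0 to allow. */`, and either use the two parameters or drop them once the signature is settled with the fs/namei.c caller. `dentry->d_inode` and `dir->d_inode` are dereferenced unconditionally; whether the do_last call site guarantees positive dentries cannot be seen from this file, so a one-line comment recording that precondition would help.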
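--- a/grsecurity/grsec_init.c
+++ b/grsecurity/grsec_init.c
@@ -0,0 +1,29 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/smp_lock.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/percpu.h>
+
+int grsec_enable_link;
+int grsec_enable_fifo;
+int grsec_lock;
+
+void
+grsecurity_init(void)
+{
+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
+#ifndef CONFIG_GRKERNSEC_SYSCTL
+ grsec_lock = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_LINK
+ grsec_enable_link = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+ grsec_enable_fifo = 1;
+#endif
+#endif
+
+ return;
+}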
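Review bot: grsecurity_init sets `grsec_lock = 1` only when CONFIG_GRKERNSEC_SYSCTL is off, yet the only reader of grsec_lock in this patch (gr_handle_sysctl_mod in grsec_sysctl.c) is compiled out in exactly that configuration, so the assignment has no observable effect; and with CONFIG_GRKERNSEC_SYSCTL on but CONFIG_GRKERNSEC_SYSCTL_ON off neither feature flag is set at boot, which is presumably intended (userspace turns them on via sysctl and then raises the lock) but is not written down. Suggest a comment above the `#if`: `/* Without sysctl support every selected feature is on from boot and the lock is moot. With sysctl support the flags start off unless SYSCTL_ON, so that userspace can set them and then raise grsec_lock. */`. <linux/smp_lock.h>, <linux/slab.h>, <linux/vmalloc.h> and <linux/percpu.h> are not used by anything in this file.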
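--- a/grsecurity/grsec_link.c
+++ b/grsecurity/grsec_link.c
@@ -0,0 +1,37 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_follow_link(const struct inode *parent,
+ const struct inode *inode,
+ const struct dentry *dentry, const struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
+ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
+ return -EACCES;
+ }
+#endif
+ return 0;
+}
+
+int
+gr_handle_hardlink(const struct dentry *dentry,
+ const struct vfsmount *mnt,
+ struct inode *inode, const int mode, const char *to)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+ if (grsec_enable_link && current->fsuid != inode->i_uid &&
+ (!S_ISREG(mode) || (mode & S_ISUID) ||
+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
+ !capable(CAP_FOWNER) && current->uid) {
+ return -EPERM;
+ }
+#endif
+ return 0;
+}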
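Review bot: gr_handle_hardlink compares ownership against `current->fsuid` but exempts the caller on `current->uid`, so a process that changed its filesystem uid with setfsuid() (uid 0, fsuid non-zero) is exempt while the reverse case is not; if the intent is "root may always link", `!capable(CAP_FOWNER)` already covers it and the `&& current->uid` term can go, otherwise it should test `current->fsuid` like the ownership check does. Neither function documents its policy; suggest for gr_handle_follow_link `/* Deny following a symlink in a world-writable sticky directory when the link is owned by neither the directory owner nor the caller (fsuid). */` and for gr_handle_hardlink `/* Deny hard-linking to a file the caller does not own unless it is a plain non-setuid, non-setgid-executable file the caller may both read and write, or the caller has CAP_FOWNER. */`, noting that generic_permission() returns 0 on success so the truthy test in the condition means "access denied". `dentry` and `mnt` are unused in both functions, and `to` in gr_handle_hardlink.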
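--- a/grsecurity/grsec_sock.c
+++ b/grsecurity/grsec_sock.c
@@ -0,0 +1,170 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/net.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <net/sock.h>
+#include <net/inet_sock.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+#ifdef CONFIG_GRKERNSEC
+#define gr_conn_table_size 32749
+struct conn_table_entry {
+ struct conn_table_entry *next;
+ struct signal_struct *sig;
+};
+
+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
+
+extern const char * gr_socktype_to_name(unsigned char type);
+extern const char * gr_proto_to_name(unsigned char proto);
+
+static __inline__ int
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
+{
+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
+}
+
+static __inline__ int
+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
+ __u16 sport, __u16 dport)
+{
+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
+ sig->gr_sport == sport && sig->gr_dport == dport))
+ return 1;
+ else
+ return 0;
+}
+
+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
+{
+ struct conn_table_entry **match;
+ unsigned int index;
+
+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
+ sig->gr_sport, sig->gr_dport,
+ gr_conn_table_size);
+
+ newent->sig = sig;
+
+ match = &gr_conn_table[index];
+ newent->next = *match;
+ *match = newent;
+
+ return;
+}
+
+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
+{
+ struct conn_table_entry *match, *last = NULL;
+ unsigned int index;
+
+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
+ sig->gr_sport, sig->gr_dport,
+ gr_conn_table_size);
+
+ match = gr_conn_table[index];
+ while (match && !conn_match(match->sig,
+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
+ sig->gr_dport)) {
+ last = match;
+ match = match->next;
+ }
+
+ if (match) {
+ if (last)
+ last->next = match->next;
+ else
+ gr_conn_table[index] = NULL;
+ kfree(match);
+ }
+
+ return;
+}
+
+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
+ __u16 sport, __u16 dport)
+{
+ struct conn_table_entry *match;
+ unsigned int index;
+
+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
+
+ match = gr_conn_table[index];
+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
+ match = match->next;
+
+ if (match)
+ return match->sig;
+ else
+ return NULL;
+}
+
+#endif
+
+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
+{
+#ifdef CONFIG_GRKERNSEC
+ struct signal_struct *sig = task->signal;
+ struct conn_table_entry *newent;
+
+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
+ if (newent == NULL)
+ return;
+ /* no bh lock needed since we are called with bh disabled */
+ spin_lock(&gr_conn_table_lock);
+ gr_del_task_from_ip_table_nolock(sig);
+ sig->gr_saddr = inet->rcv_saddr;
+ sig->gr_daddr = inet->daddr;
+ sig->gr_sport = inet->sport;
+ sig->gr_dport = inet->dport;
+ gr_add_to_task_ip_table_nolock(sig, newent);
+ spin_unlock(&gr_conn_table_lock);
+#endif
+ return;
+}
+
+void gr_del_task_from_ip_table(struct task_struct *task)
+{
+#ifdef CONFIG_GRKERNSEC
+ spin_lock(&gr_conn_table_lock);
+ gr_del_task_from_ip_table_nolock(task->signal);
+ spin_unlock(&gr_conn_table_lock);
+#endif
+ return;
+}
+
+void
+gr_attach_curr_ip(const struct sock *sk)
+{
+#ifdef CONFIG_GRKERNSEC
+ struct signal_struct *p, *set;
+ const struct inet_sock *inet = inet_sk(sk);
+
+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
+ return;
+
+ set = current->signal;
+
+ spin_lock_bh(&gr_conn_table_lock);
+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
+ inet->dport, inet->sport);
+ if (unlikely(p != NULL)) {
+ set->curr_ip = p->curr_ip;
+ set->used_accept = 1;
+ gr_del_task_from_ip_table_nolock(p);
+ spin_unlock_bh(&gr_conn_table_lock);
+ return;
+ }
+ spin_unlock_bh(&gr_conn_table_lock);
+
+ set->curr_ip = inet->daddr;
+ set->used_accept = 1;
+#endif
+ return;
+}
+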
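Review bot: In gr_del_task_from_ip_table_nolock, when the matching entry is the head of its bucket (`last == NULL`) the code does `gr_conn_table[index] = NULL;`, which unlinks every other entry in that bucket too — they are never freed and can no longer be found, so later gr_attach_curr_ip() lookups miss them; it should be `gr_conn_table[index] = match->next;`, mirroring the `last->next = match->next` arm. `SPIN_LOCK_UNLOCKED` is the deprecated initializer; `static DEFINE_SPINLOCK(gr_conn_table_lock);` is the current form, and the table and lock appear to have no users outside this file so both could be `static`. gr_update_task_in_ip_table's comment says it runs with bottom halves disabled and gr_attach_curr_ip takes the lock with spin_lock_bh, but gr_del_task_from_ip_table uses a plain spin_lock — if it is reached from process context with bottom halves enabled it can deadlock against the softirq-side caller, so either record its calling context in a comment or use spin_lock_bh there as well.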
728 | diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c | |
729 | --- linux-2.6.26.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100 | |
730 | +++ linux-2.6.26/grsecurity/grsec_sysctl.c 2008-09-02 12:17:21.000000000 +0200 | |
731 | @@ -0,0 +1,52 @@ | |
732 | +#include <linux/kernel.h> | |
733 | +#include <linux/sched.h> | |
734 | +#include <linux/sysctl.h> | |
735 | +#include <linux/grsecurity.h> | |
736 | +#include <linux/grinternal.h> | |
737 | + | |
738 | +int | |
739 | +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op) | |
740 | +{ | |
741 | +#ifdef CONFIG_GRKERNSEC_SYSCTL | |
742 | + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) { | |
743 | + return -EACCES; | |
744 | + } | |
745 | +#endif | |
746 | + return 0; | |
747 | +} | |
748 | + | |
749 | +#if defined(CONFIG_GRKERNSEC_SYSCTL) | |
750 | +ctl_table grsecurity_table[] = { | |
751 | +#ifdef CONFIG_GRKERNSEC_SYSCTL | |
752 | +#ifdef CONFIG_GRKERNSEC_LINK | |
753 | + { | |
754 | + .ctl_name = CTL_UNNUMBERED, | |
755 | + .procname = "linking_restrictions", | |
756 | + .data = &grsec_enable_link, | |
757 | + .maxlen = sizeof(int), | |
758 | + .mode = 0600, | |
759 | + .proc_handler = &proc_dointvec, | |
760 | + }, | |
761 | +#endif | |
762 | +#ifdef CONFIG_GRKERNSEC_FIFO | |
763 | + { | |
764 | + .ctl_name = CTL_UNNUMBERED, | |
765 | + .procname = "fifo_restrictions", | |
766 | + .data = &grsec_enable_fifo, | |
767 | + .maxlen = sizeof(int), | |
768 | + .mode = 0600, | |
769 | + .proc_handler = &proc_dointvec, | |
770 | + }, | |
771 | +#endif | |
772 | + { | |
773 | + .ctl_name = CTL_UNNUMBERED, | |
774 | + .procname = "grsec_lock", | |
775 | + .data = &grsec_lock, | |
776 | + .maxlen = sizeof(int), | |
777 | + .mode = 0600, | |
778 | + .proc_handler = &proc_dointvec, | |
779 | + }, | |
780 | +#endif | |
781 | + { .ctl_name = 0 } | |
782 | +}; | |
783 | +#endif | |
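Review bot: `gr_handle_sysctl_mod` tests the write bit with the bare octal `002` and never uses its `name` parameter, which leaves the reader guessing what `op` is expected to carry. The caller in the kernel/sysctl.c hunk below forwards the permission mask that `sysctl_perm` receives, which appears to be the MAY_* bits, so `if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE))` states that coupling explicitly (MAY_WRITE lives in linux/fs.h, which grinternal.h only pulls in under CONFIG_GRKERNSEC, so include it here directly). The inner `#ifdef CONFIG_GRKERNSEC_SYSCTL` nested inside `#if defined(CONFIG_GRKERNSEC_SYSCTL)` is redundant and can go. `grsecurity_table` is exported without any header declaration and kernel/sysctl.c supplies its own `extern ctl_table grsecurity_table[];`; declaring it in grinternal.h lets the compiler check that the two agree.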
784 | diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig | |
785 | --- linux-2.6.26.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100 | |
786 | +++ linux-2.6.26/grsecurity/Kconfig 2008-09-02 12:17:21.000000000 +0200 | |
787 | @@ -0,0 +1,123 @@ | |
788 | +# | |
789 | +# grecurity configuration | |
790 | +# | |
791 | + | |
792 | +menu "Grsecurity" | |
793 | + | |
794 | +config GRKERNSEC | |
795 | + bool "Grsecurity" | |
796 | + select CRYPTO | |
797 | + select CRYPTO_SHA256 | |
798 | + select SECURITY | |
799 | + select SECURITY_CAPABILITIES | |
800 | + help | |
801 | + If you say Y here, you will be able to configure many features | |
802 | + that will enhance the security of your system. It is highly | |
803 | + recommended that you say Y here and read through the help | |
804 | + for each option so that you fully understand the features and | |
805 | + can evaluate their usefulness for your machine. | |
806 | + | |
807 | +menu "Filesystem Protections" | |
808 | +depends on GRKERNSEC | |
809 | + | |
810 | +config GRKERNSEC_PROC | |
811 | + bool "Proc restrictions" | |
812 | + help | |
813 | + If you say Y here, the permissions of the /proc filesystem | |
814 | + will be altered to enhance system security and privacy. You MUST | |
815 | + choose either a user only restriction or a user and group restriction. | |
816 | + Depending upon the option you choose, you can either restrict users to | |
817 | + see only the processes they themselves run, or choose a group that can | |
818 | + view all processes and files normally restricted to root if you choose | |
819 | + the "restrict to user only" option. NOTE: If you're running identd as | |
820 | + a non-root user, you will have to run it as the group you specify here. | |
821 | + | |
822 | +config GRKERNSEC_PROC_USER | |
823 | + bool "Restrict /proc to user only" | |
824 | + depends on GRKERNSEC_PROC | |
825 | + help | |
826 | + If you say Y here, non-root users will only be able to view their own | |
827 | + processes, and restricts them from viewing network-related information, | |
828 | + and viewing kernel symbol and module information. | |
829 | + | |
830 | +config GRKERNSEC_PROC_USERGROUP | |
831 | + bool "Allow special group" | |
832 | + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER | |
833 | + help | |
834 | + If you say Y here, you will be able to select a group that will be | |
835 | + able to view all processes, network-related information, and | |
836 | + kernel and symbol information. This option is useful if you want | |
837 | + to run identd as a non-root user. | |
838 | + | |
839 | +config GRKERNSEC_PROC_GID | |
840 | + int "GID for special group" | |
841 | + depends on GRKERNSEC_PROC_USERGROUP | |
842 | + default 1001 | |
843 | + | |
844 | +config GRKERNSEC_PROC_ADD | |
845 | + bool "Additional restrictions" | |
846 | + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP | |
847 | + help | |
848 | + If you say Y here, additional restrictions will be placed on | |
849 | + /proc that keep normal users from viewing device information and | |
850 | + slabinfo information that could be useful for exploits. | |
851 | + | |
852 | +config GRKERNSEC_LINK | |
853 | + bool "Linking restrictions" | |
854 | + help | |
855 | + If you say Y here, /tmp race exploits will be prevented, since users | |
856 | + will no longer be able to follow symlinks owned by other users in | |
857 | + world-writable +t directories (i.e. /tmp), unless the owner of the | |
858 | + symlink is the owner of the directory. users will also not be | |
859 | + able to hardlink to files they do not own. If the sysctl option is | |
860 | + enabled, a sysctl option with name "linking_restrictions" is created. | |
861 | + | |
862 | +config GRKERNSEC_FIFO | |
863 | + bool "FIFO restrictions" | |
864 | + help | |
865 | + If you say Y here, users will not be able to write to FIFOs they don't | |
866 | + own in world-writable +t directories (i.e. /tmp), unless the owner of | |
867 | + the FIFO is the same owner of the directory it's held in. If the sysctl | |
868 | + option is enabled, a sysctl option with name "fifo_restrictions" is | |
869 | + created. | |
870 | + | |
871 | +config GRKERNSEC_PROC_IPADDR | |
872 | + bool "/proc/<pid>/ipaddr support" | |
873 | + help | |
874 | + If you say Y here, a new entry will be added to each /proc/<pid> | |
875 | + directory that contains the IP address of the person using the task. | |
876 | + The IP is carried across local TCP and AF_UNIX stream sockets. | |
877 | + This information can be useful for IDS/IPSes to perform remote response | |
878 | + to a local attack. The entry is readable by only the owner of the | |
879 | + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via | |
880 | + the RBAC system), and thus does not create privacy concerns. | |
881 | + | |
882 | +endmenu | |
8b732bb7 | 883 | + |
6231578f PS |
884 | +config GRKERNSEC_SYSCTL |
885 | + bool "Sysctl support" | |
886 | + help | |
887 | + If you say Y here, you will be able to change the options that | |
888 | + grsecurity runs with at bootup, without having to recompile your | |
889 | + kernel. You can echo values to files in /proc/sys/kernel/grsecurity | |
890 | + to enable (1) or disable (0) various features. All the sysctl entries | |
891 | + are mutable until the "grsec_lock" entry is set to a non-zero value. | |
892 | + All features enabled in the kernel configuration are disabled at boot | |
893 | + if you do not say Y to the "Turn on features by default" option. | |
894 | + All options should be set at startup, and the grsec_lock entry should | |
895 | + be set to a non-zero value after all the options are set. | |
896 | + *THIS IS EXTREMELY IMPORTANT* | |
8b732bb7 | 897 | + |
6231578f PS |
898 | +config GRKERNSEC_SYSCTL_ON |
899 | + bool "Turn on features by default" | |
900 | + depends on GRKERNSEC_SYSCTL | |
901 | + help | |
902 | + If you say Y here, instead of having all features enabled in the | |
903 | + kernel configuration disabled at boot time, the features will be | |
904 | + enabled at boot time. It is recommended you say Y here unless | |
905 | + there is some reason you would want all sysctl-tunable features to | |
906 | + be disabled by default. As mentioned elsewhere, it is important | |
907 | + to enable the grsec_lock entry once you have finished modifying | |
908 | + the sysctl entries. | |
8b732bb7 | 909 | + |
6231578f PS |
910 | +endmenu |
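Review bot: `GRKERNSEC_SYSCTL` and `GRKERNSEC_SYSCTL_ON` sit outside the `Filesystem Protections` menu and carry no `depends on GRKERNSEC`, so GRKERNSEC_SYSCTL=y with GRKERNSEC=n is a legal configuration. In that configuration grsecurity/Makefile builds grsec_sysctl.o unconditionally (`obj-y`), and both `gr_handle_sysctl_mod` and `grsecurity_table` reference `grsec_lock`, which include/linux/grinternal.h declares only under `#ifdef CONFIG_GRKERNSEC`, so the build should fail; the same gap applies to the Makefile and grinternal.h hunks below. Adding `depends on GRKERNSEC` under `config GRKERNSEC_SYSCTL` closes it. The file header reads `# grecurity configuration`, presumably meant to be `grsecurity`, and `GRKERNSEC_PROC_GID` would benefit from a `range` so a negative or out-of-range GID is rejected at configuration time.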
911 | diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile | |
912 | --- linux-2.6.26.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100 | |
913 | +++ linux-2.6.26/grsecurity/Makefile 2008-09-02 12:17:21.000000000 +0200 | |
914 | @@ -0,0 +1,11 @@ | |
915 | +# All code in this directory and various hooks inserted throughout the kernel | |
916 | +# are copyright Brad Spengler, and released under the GPL v2 or higher | |
8b732bb7 | 917 | + |
6231578f | 918 | +obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o |
f4615840 | 919 | + |
6231578f | 920 | +obj-$(CONFIG_GRKERNSEC) += grsec_init.o |
177d642c | 921 | + |
6231578f PS |
922 | +ifndef CONFIG_GRKERNSEC |
923 | +obj-y += grsec_disabled.o | |
924 | +endif | |
177d642c | 925 | + |
6231578f PS |
926 | diff -urNp linux-2.6.26.orig/include/linux/grinternal.h linux-2.6.26/include/linux/grinternal.h |
927 | --- linux-2.6.26.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100 | |
928 | +++ linux-2.6.26/include/linux/grinternal.h 2008-09-02 12:17:21.000000000 +0200 | |
f4615840 | 929 | @@ -0,0 +1,14 @@ |
177d642c JR |
930 | +#ifndef __GRINTERNAL_H |
931 | +#define __GRINTERNAL_H | |
932 | + | |
933 | +#ifdef CONFIG_GRKERNSEC | |
934 | + | |
935 | +#include <linux/fs.h> | |
936 | + | |
937 | +extern int grsec_enable_link; | |
938 | +extern int grsec_enable_fifo; | |
177d642c JR |
939 | +extern int grsec_lock; |
940 | + | |
941 | +#endif | |
942 | + | |
943 | +#endif | |
6231578f PS |
944 | diff -urNp linux-2.6.26.orig/include/linux/grsecurity.h linux-2.6.26/include/linux/grsecurity.h |
945 | --- linux-2.6.26.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100 | |
946 | +++ linux-2.6.26/include/linux/grsecurity.h 2008-09-02 12:17:21.000000000 +0200 | |
9e282013 | 947 | @@ -0,0 +1,18 @@ |
177d642c JR |
948 | +#ifndef GR_SECURITY_H |
949 | +#define GR_SECURITY_H | |
950 | +#include <linux/fs.h> | |
951 | +#include <linux/binfmts.h> | |
952 | + | |
f4615840 | 953 | +void gr_del_task_from_ip_table(struct task_struct *p); |
177d642c | 954 | + |
f4615840 | 955 | +int gr_handle_follow_link(const struct inode *parent, |
177d642c | 956 | + const struct inode *inode, |
9e282013 | 957 | + const struct dentry *dentry); |
f4615840 | 958 | +int gr_handle_fifo(const struct dentry *dentry, |
177d642c JR |
959 | + const struct dentry *dir, const int flag, |
960 | + const int acc_mode); | |
f4615840 | 961 | +int gr_handle_hardlink(const struct dentry *dentry, |
177d642c JR |
962 | + struct inode *inode, |
963 | + const int mode, const char *to); | |
964 | + | |
177d642c | 965 | +#endif |
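Review bot: The header declares `gr_del_task_from_ip_table`, `gr_handle_follow_link`, `gr_handle_fifo` and `gr_handle_hardlink` but not the other three hooks this patch calls, so kernel/sysctl.c, net/ipv4/inet_hashtables.c and net/socket.c each carry their own `extern` prototype for `gr_handle_sysctl_mod`, `gr_update_task_in_ip_table` and `gr_attach_curr_ip`. A prototype written at the call site is never checked against the definition, so a later change to a parameter type in grsecurity/ would compile silently at the callers. Moving the prototypes into this header gives one checked declaration, and the local `extern` lines in those three hunks can then be dropped; `struct sock` and `struct inet_sock` need forward declarations if the existing includes do not already provide them.

```c
struct sock;
struct inet_sock;

void gr_del_task_from_ip_table(struct task_struct *p);
void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
void gr_attach_curr_ip(const struct sock *sk);
int gr_handle_sysctl_mod(const char *dirname, const char *name, const int op);
/* … unchanged: gr_handle_follow_link, gr_handle_fifo, gr_handle_hardlink prototypes … */
```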
6231578f PS |
966 | diff -urNp linux-2.6.26.orig/include/linux/sched.h linux-2.6.26/include/linux/sched.h |
967 | --- linux-2.6.26.orig/include/linux/sched.h 2008-09-01 11:43:34.000000000 +0200 | |
968 | +++ linux-2.6.26/include/linux/sched.h 2008-09-02 12:17:21.000000000 +0200 | |
9e282013 | 969 | @@ -544,6 +544,15 @@ struct signal_struct { |
f4615840 | 970 | unsigned audit_tty; |
971 | struct tty_audit_buf *tty_audit_buf; | |
177d642c | 972 | #endif |
f4615840 | 973 | + |
177d642c JR |
974 | +#ifdef CONFIG_GRKERNSEC |
975 | + u32 curr_ip; | |
976 | + u32 gr_saddr; | |
977 | + u32 gr_daddr; | |
978 | + u16 gr_sport; | |
979 | + u16 gr_dport; | |
f4615840 | 980 | + u8 used_accept:1; |
177d642c JR |
981 | +#endif |
982 | }; | |
983 | ||
984 | /* Context switch must be unlocked if interrupts are to be enabled */ | |
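Review bot: The new fields are typed `u32`/`u16`, but the grsec_sock.c hunk above assigns `set->curr_ip = inet->daddr;` and passes `inet->dport`/`inet->sport` to the table lookup, and those inet_sock members are, as far as I can tell in this tree, `__be32`/`__be16` network-order values. Storing them in plain integer types defeats sparse's endianness checking and invites a byte-swap mistake when the value is later printed or compared. Declaring them as `__be32 curr_ip, gr_saddr, gr_daddr;` and `__be16 gr_sport, gr_dport;` keeps the annotation; if any of them is intended to hold host order, a comment saying so serves the same purpose. The enclosing `struct signal_struct` starts outside the hunk.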
6231578f PS |
985 | diff -urNp linux-2.6.26.orig/include/linux/sysctl.h linux-2.6.26/include/linux/sysctl.h |
986 | --- linux-2.6.26.orig/include/linux/sysctl.h 2008-09-01 11:43:34.000000000 +0200 | |
987 | +++ linux-2.6.26/include/linux/sysctl.h 2008-09-02 12:17:21.000000000 +0200 | |
9e282013 | 988 | @@ -165,8 +165,11 @@ enum |
f4615840 | 989 | KERN_MAX_LOCK_DEPTH=74, |
990 | KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */ | |
991 | KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */ | |
992 | -}; | |
177d642c JR |
993 | +#ifdef CONFIG_GRKERNSEC |
994 | + KERN_GRSECURITY=98, /* grsecurity */ | |
995 | +#endif | |
177d642c | 996 | |
f4615840 | 997 | +}; |
177d642c | 998 | |
177d642c | 999 | |
f4615840 | 1000 | /* CTL_VM names: */ |
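Review bot: `KERN_GRSECURITY=98` adds a binary-sysctl number that nothing else in this patch uses; the kern_table entry in the kernel/sysctl.c hunk below is registered with `CTL_UNNUMBERED`. Wrapping it in `#ifdef CONFIG_GRKERNSEC` also makes the contents of the shared `KERN_*` enum depend on a config option, and a hard-coded 98 can collide with a later mainline assignment. Unless a binary sysctl(2) path is planned, drop the three added lines; otherwise add a comment naming its user.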
6231578f PS |
1001 | diff -urNp linux-2.6.26.orig/kernel/configs.c linux-2.6.26/kernel/configs.c |
1002 | --- linux-2.6.26.orig/kernel/configs.c 2008-09-01 11:43:58.000000000 +0200 | |
1003 | +++ linux-2.6.26/kernel/configs.c 2008-09-02 12:17:21.000000000 +0200 | |
1004 | @@ -79,8 +79,19 @@ static int __init ikconfig_init(void) | |
0dca9e73 JR |
1005 | struct proc_dir_entry *entry; |
1006 | ||
1007 | /* create the current config file */ | |
1008 | +#ifdef CONFIG_GRKERNSEC_PROC_ADD | |
1009 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
6231578f PS |
1010 | + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL, |
1011 | + &ikconfig_file_ops); | |
17bffd3d | 1012 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
6231578f PS |
1013 | + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL, |
1014 | + &ikconfig_file_ops); | |
0dca9e73 JR |
1015 | +#endif |
1016 | +#else | |
6231578f PS |
1017 | entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL, |
1018 | &ikconfig_file_ops); | |
0dca9e73 | 1019 | +#endif |
6231578f | 1020 | + |
0dca9e73 JR |
1021 | if (!entry) |
1022 | return -ENOMEM; | |
1023 | ||
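Review bot: The `#ifdef` ladder leaves `entry` unassigned when CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, and the `if (!entry)` that follows then reads an uninitialized pointer. Kconfig's `depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP` rules that out today, but the C should not rely on it silently: an `#else` arm with `#error "GRKERNSEC_PROC_ADD requires GRKERNSEC_PROC_USER or GRKERNSEC_PROC_USERGROUP"` before the inner `#endif` makes the assumption fail loudly; the kernel/kallsyms.c and kernel/resource.c hunks use the same ladder and would skip their `proc_create` calls entirely in that configuration. Separately, the USERGROUP branch grants `S_IRGRP`, but `proc_create` leaves the entry's gid at 0 unless the caller sets it, and no assignment of CONFIG_GRKERNSEC_PROC_GID is visible in this chunk — if it is not done elsewhere, group read goes to gid 0 rather than the configured group.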
6231578f PS |
1024 | diff -urNp linux-2.6.26.orig/kernel/exit.c linux-2.6.26/kernel/exit.c |
1025 | --- linux-2.6.26.orig/kernel/exit.c 2008-09-01 11:43:58.000000000 +0200 | |
1026 | +++ linux-2.6.26/kernel/exit.c 2008-09-02 12:17:21.000000000 +0200 | |
1027 | @@ -50,6 +50,7 @@ | |
89fc9a43 | 1028 | #include <linux/vs_network.h> |
f4615840 | 1029 | #include <linux/vs_pid.h> |
1030 | #include <linux/vserver/global.h> | |
1031 | +#include <linux/grsecurity.h> | |
1032 | ||
1033 | #include <asm/uaccess.h> | |
1034 | #include <asm/unistd.h> | |
6231578f PS |
1035 | @@ -137,6 +138,7 @@ static void __exit_signal(struct task_st |
1036 | */ | |
1037 | flush_sigqueue(&tsk->pending); | |
bd69be18 JR |
1038 | |
1039 | + gr_del_task_from_ip_table(tsk); | |
1040 | tsk->signal = NULL; | |
1041 | tsk->sighand = NULL; | |
1042 | spin_unlock(&sighand->siglock); | |
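Review bot: `gr_del_task_from_ip_table(tsk)` runs with `sighand->siglock` held (it is released on the next line), and the grsec_sock.c code above takes `gr_conn_table_lock` with `spin_lock_bh`; if the deletion path takes that lock too, this call fixes the order siglock → gr_conn_table_lock, and any table code that later needs siglock while holding gr_conn_table_lock would deadlock. Worth a comment at the call, `/* under sighand->siglock: must not sleep or take siglock */`, and a matching note where the table lock is defined. `__exit_signal` starts outside the hunk, so I cannot see the surrounding state; the placement before `tsk->signal = NULL` looks deliberate if the table is keyed by the signal_struct, as the lookup code above suggests.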
6231578f PS |
1043 | diff -urNp linux-2.6.26.orig/kernel/kallsyms.c linux-2.6.26/kernel/kallsyms.c |
1044 | --- linux-2.6.26.orig/kernel/kallsyms.c 2008-09-01 11:43:58.000000000 +0200 | |
1045 | +++ linux-2.6.26/kernel/kallsyms.c 2008-09-02 12:17:21.000000000 +0200 | |
1046 | @@ -472,7 +472,15 @@ static const struct file_operations kall | |
0dca9e73 | 1047 | |
6231578f PS |
1048 | static int __init kallsyms_init(void) |
1049 | { | |
0dca9e73 JR |
1050 | +#ifdef CONFIG_GRKERNSEC_PROC_ADD |
1051 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
6231578f | 1052 | + proc_create("kallsyms", S_IFREG | S_IRUSR, NULL, &kallsyms_operations); |
17bffd3d | 1053 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
6231578f | 1054 | + proc_create("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL, &kallsyms_operations); |
0dca9e73 JR |
1055 | +#endif |
1056 | +#else | |
6231578f | 1057 | proc_create("kallsyms", 0444, NULL, &kallsyms_operations); |
0dca9e73 | 1058 | +#endif |
0dca9e73 | 1059 | return 0; |
6231578f PS |
1060 | } |
1061 | __initcall(kallsyms_init); | |
1062 | diff -urNp linux-2.6.26.orig/kernel/resource.c linux-2.6.26/kernel/resource.c | |
1063 | --- linux-2.6.26.orig/kernel/resource.c 2008-09-01 11:43:58.000000000 +0200 | |
1064 | +++ linux-2.6.26/kernel/resource.c 2008-09-02 12:17:21.000000000 +0200 | |
1065 | @@ -131,8 +131,18 @@ static const struct file_operations proc | |
0dca9e73 | 1066 | |
6231578f PS |
1067 | static int __init ioresources_init(void) |
1068 | { | |
0dca9e73 JR |
1069 | +#ifdef CONFIG_GRKERNSEC_PROC_ADD |
1070 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
6231578f PS |
1071 | + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations); |
1072 | + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations); | |
17bffd3d | 1073 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
6231578f PS |
1074 | + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations); |
1075 | + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations); | |
0dca9e73 JR |
1076 | +#endif |
1077 | +#else | |
6231578f PS |
1078 | proc_create("ioports", 0, NULL, &proc_ioports_operations); |
1079 | proc_create("iomem", 0, NULL, &proc_iomem_operations); | |
0dca9e73 | 1080 | +#endif |
0dca9e73 | 1081 | return 0; |
6231578f PS |
1082 | } |
1083 | __initcall(ioresources_init); | |
1084 | diff -urNp linux-2.6.26.orig/kernel/sysctl.c linux-2.6.26/kernel/sysctl.c | |
1085 | --- linux-2.6.26.orig/kernel/sysctl.c 2008-09-01 11:43:58.000000000 +0200 | |
1086 | +++ linux-2.6.26/kernel/sysctl.c 2008-09-02 12:17:21.000000000 +0200 | |
1087 | @@ -59,6 +59,11 @@ | |
f4615840 | 1088 | static int deprecated_sysctl_warning(struct __sysctl_args *args); |
177d642c JR |
1089 | |
1090 | #if defined(CONFIG_SYSCTL) | |
1091 | +#include <linux/grsecurity.h> | |
1092 | +#include <linux/grinternal.h> | |
1093 | + | |
1094 | +extern int gr_handle_sysctl_mod(const char *dirname, const char *name, | |
1095 | + const int op); | |
1096 | ||
1097 | /* External variables not in a header file. */ | |
1098 | extern int C_A_D; | |
6231578f | 1099 | @@ -153,6 +158,7 @@ static int proc_do_cad_pid(struct ctl_ta |
f4615840 | 1100 | static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp, |
1101 | void __user *buffer, size_t *lenp, loff_t *ppos); | |
177d642c JR |
1102 | #endif |
1103 | +extern ctl_table grsecurity_table[]; | |
1104 | ||
f4615840 | 1105 | static struct ctl_table root_table[]; |
9e282013 | 1106 | static struct ctl_table_root sysctl_table_root; |
6231578f PS |
1107 | @@ -823,6 +829,15 @@ static struct ctl_table kern_table[] = { |
1108 | .child = key_sysctls, | |
177d642c | 1109 | }, |
6231578f PS |
1110 | #endif |
1111 | + | |
177d642c JR |
1112 | +#if defined(CONFIG_GRKERNSEC_SYSCTL) |
1113 | + { | |
f4615840 | 1114 | + .ctl_name = CTL_UNNUMBERED, |
177d642c JR |
1115 | + .procname = "grsecurity", |
1116 | + .mode = 0500, | |
1117 | + .child = grsecurity_table, | |
1118 | + }, | |
1119 | +#endif | |
f4615840 | 1120 | /* |
1121 | * NOTE: do not add new entries to this table unless you have read | |
1122 | * Documentation/sysctl/ctl_unnumbered.txt | |
6231578f | 1123 | @@ -1585,6 +1600,10 @@ int sysctl_perm(struct ctl_table_root *r |
177d642c | 1124 | int error; |
6231578f PS |
1125 | int mode; |
1126 | ||
82e305a8 | 1127 | + if (table->parent != NULL && table->parent->procname != NULL && |
1128 | + table->procname != NULL && | |
1129 | + gr_handle_sysctl_mod(table->parent->procname, table->procname, op)) | |
177d642c JR |
1130 | + return -EACCES; |
1131 | error = security_sysctl(table, op); | |
1132 | if (error) | |
1133 | return error; | |
6231578f PS |
1134 | diff -urNp linux-2.6.26.orig/Makefile linux-2.6.26/Makefile |
1135 | --- linux-2.6.26.orig/Makefile 2008-09-01 11:44:01.000000000 +0200 | |
1136 | +++ linux-2.6.26/Makefile 2008-09-02 12:17:21.000000000 +0200 | |
1137 | @@ -607,7 +607,7 @@ export mod_strip_cmd | |
1138 | ||
1139 | ||
1140 | ifeq ($(KBUILD_EXTMOD),) | |
1141 | -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ | |
1142 | +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ | |
1143 | ||
1144 | vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ | |
1145 | $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ | |
1146 | diff -urNp linux-2.6.26.orig/net/ipv4/inet_hashtables.c linux-2.6.26/net/ipv4/inet_hashtables.c | |
1147 | --- linux-2.6.26.orig/net/ipv4/inet_hashtables.c 2008-09-01 11:43:37.000000000 +0200 | |
1148 | +++ linux-2.6.26/net/ipv4/inet_hashtables.c 2008-09-02 12:17:21.000000000 +0200 | |
f4615840 | 1149 | @@ -18,12 +18,15 @@ |
177d642c JR |
1150 | #include <linux/sched.h> |
1151 | #include <linux/slab.h> | |
1152 | #include <linux/wait.h> | |
1153 | +#include <linux/grsecurity.h> | |
1154 | ||
1155 | #include <net/inet_connection_sock.h> | |
1156 | #include <net/inet_hashtables.h> | |
b1a7b62c | 1157 | #include <net/route.h> |
177d642c JR |
1158 | #include <net/ip.h> |
1159 | ||
1160 | +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet); | |
1161 | + | |
1162 | /* | |
1163 | * Allocate and initialize a new local port bind bucket. | |
1164 | * The bindhash mutex for snum's hash chain must be held here. | |
6231578f | 1165 | @@ -484,6 +487,8 @@ ok: |
82e305a8 | 1166 | } |
1167 | spin_unlock(&head->lock); | |
177d642c JR |
1168 | |
1169 | + gr_update_task_in_ip_table(current, inet_sk(sk)); | |
1170 | + | |
82e305a8 | 1171 | if (tw) { |
1172 | inet_twsk_deschedule(tw, death_row); | |
1173 | inet_twsk_put(tw); | |
6231578f PS |
1174 | diff -urNp linux-2.6.26.orig/net/socket.c linux-2.6.26/net/socket.c |
1175 | --- linux-2.6.26.orig/net/socket.c 2008-09-01 11:43:36.000000000 +0200 | |
1176 | +++ linux-2.6.26/net/socket.c 2008-09-02 12:17:21.000000000 +0200 | |
f4615840 | 1177 | @@ -85,6 +85,7 @@ |
177d642c | 1178 | #include <linux/audit.h> |
89fc9a43 | 1179 | #include <linux/wireless.h> |
f4615840 | 1180 | #include <linux/nsproxy.h> |
1181 | +#include <linux/in.h> | |
177d642c | 1182 | |
89fc9a43 | 1183 | #include <asm/uaccess.h> |
f4615840 | 1184 | #include <asm/unistd.h> |
1185 | @@ -98,6 +99,8 @@ | |
1186 | #include <linux/vs_inet.h> | |
1187 | #include <linux/vs_inet6.h> | |
177d642c JR |
1188 | |
1189 | +extern void gr_attach_curr_ip(const struct sock *sk); | |
f4615840 | 1190 | + |
177d642c | 1191 | static int sock_no_open(struct inode *irrelevant, struct file *dontcare); |
f4615840 | 1192 | static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov, |
1193 | unsigned long nr_segs, loff_t pos); | |
9e282013 | 1194 | @@ -1502,6 +1505,7 @@ asmlinkage long sys_accept(int fd, struc |
5aa068cb | 1195 | err = newfd; |
177d642c JR |
1196 | |
1197 | security_socket_post_accept(sock, newsock); | |
1198 | + gr_attach_curr_ip(newsock->sk); | |
1199 | ||
1200 | out_put: | |
5aa068cb | 1201 | fput_light(sock->file, fput_needed); |
6231578f PS |
1202 | diff -urNp linux-2.6.26.orig/security/Kconfig linux-2.6.26/security/Kconfig |
1203 | --- linux-2.6.26.orig/security/Kconfig 2008-09-01 11:43:58.000000000 +0200 | |
1204 | +++ linux-2.6.26/security/Kconfig 2008-09-02 12:17:21.000000000 +0200 | |
177d642c JR |
1205 | @@ -4,6 +4,8 @@ |
1206 | ||
1207 | menu "Security options" | |
1208 | ||
1209 | +source grsecurity/Kconfig | |
1210 | + | |
1211 | config KEYS | |
1212 | bool "Enable access key retention support" | |
1213 | help |