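diff -urNp linux-2.6.25.orig/arch/sparc/Makefile linux-2.6.25/arch/sparc/Makefile
--- linux-2.6.25.orig/arch/sparc/Makefile	2008-04-25 15:09:15.000000000 +0200
+++ linux-2.6.25/arch/sparc/Makefile	2008-04-25 15:10:25.000000000 +0200
@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
 # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
 INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
 CORE_Y := $(core-y)
-CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
 CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
 DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
 NET_Y := $(patsubst %/, %/built-in.o, $(net-y))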
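diff -urNp linux-2.6.25.orig/Makefile linux-2.6.25/Makefile
--- linux-2.6.25.orig/Makefile	2008-04-25 15:09:13.000000000 +0200
+++ linux-2.6.25/Makefile	2008-04-25 15:10:25.000000000 +0200
@@ -603,7 +603,7 @@ export mod_strip_cmd
 
 
 ifeq ($(KBUILD_EXTMOD),)
-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
 
 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \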
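diff -urNp linux-2.6.25.orig/drivers/char/keyboard.c linux-2.6.25/drivers/char/keyboard.c
--- linux-2.6.25.orig/drivers/char/keyboard.c	2008-04-25 15:09:06.000000000 +0200
+++ linux-2.6.25/drivers/char/keyboard.c	2008-04-25 15:10:25.000000000 +0200
@@ -630,6 +630,16 @@ static void k_spec(struct vc_data *vc, u
 	     kbd->kbdmode == VC_MEDIUMRAW) &&
 	     value != KVAL(K_SAK))
 		return;	/* SAK is allowed even in raw mode */
+
+#if defined(CONFIG_GRKERNSEC_PROC)
+	{
+		void *func = fn_handler[value];
+		if (func == fn_show_state || func == fn_show_ptregs ||
+		    func == fn_show_mem)
+			return;
+	}
+#endif
+
 	fn_handler[value](vc);
 }
 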
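Review bot: The new block in k_spec refuses three fn_handler entries without saying why those three are tied to CONFIG_GRKERNSEC_PROC; a reader has to know what fn_show_state, fn_show_ptregs and fn_show_mem print. A comment above the `#if` such as `/* These console key handlers appear to print kernel task, register and memory state; hide them alongside the /proc restrictions that conceal the same data. */` would carry the rationale, with the wording firmed up once the three handlers are confirmed. Gating on GRKERNSEC_PROC rather than GRKERNSEC_PROC_ADD, which the other sections of this patch use for the extra-restriction cases, also looks deliberate but is not explained. k_spec's signature is outside the hunk.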
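diff -urNp linux-2.6.25.orig/drivers/pci/proc.c linux-2.6.25/drivers/pci/proc.c
--- linux-2.6.25.orig/drivers/pci/proc.c	2008-04-25 15:09:08.000000000 +0200
+++ linux-2.6.25/drivers/pci/proc.c	2008-04-25 15:10:25.000000000 +0200
@@ -472,7 +472,15 @@ static int __init pci_proc_init(void)
 {
 	struct proc_dir_entry *entry;
 	struct pci_dev *dev = NULL;
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
+#endif
+#else
 	proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
+#endif
 	entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
 	if (entry)
 		entry->proc_fops = &proc_bus_pci_dev_operations;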
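Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither PROC_USER nor PROC_USERGROUP defined, the nested #ifdef leaves proc_bus_pci_dir unassigned (presumably NULL) and the following create_proc_entry("devices", ...) runs against it; this is unreachable only because grsecurity/Kconfig makes PROC_ADD depend on one of the two. Making that assumption explicit with `#else` / `#error "CONFIG_GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` before the inner `#endif` keeps a future Kconfig change from compiling silently. The same shape appears in the fs/proc/root.c section for proc_bus. As in the original line, the proc_mkdir_mode result is not checked before use; pci_proc_init continues outside the hunk.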
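diff -urNp linux-2.6.25.orig/fs/Kconfig linux-2.6.25/fs/Kconfig
--- linux-2.6.25.orig/fs/Kconfig	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/Kconfig	2008-04-25 15:10:25.000000000 +0200
@@ -899,7 +899,7 @@ config PROC_FS
 
 config PROC_KCORE
 	bool "/proc/kcore support" if !ARM
-	depends on PROC_FS && MMU
+	depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
 
 config PROC_VMCORE
 	bool "/proc/vmcore support (EXPERIMENTAL)"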
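diff -urNp linux-2.6.25.orig/fs/namei.c linux-2.6.25/fs/namei.c
--- linux-2.6.25.orig/fs/namei.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/namei.c	2008-04-25 15:10:25.000000000 +0200
@@ -37,6 +37,7 @@
 #include <linux/vs_cowbl.h>
 #include <linux/vs_device.h>
 #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
 #include <asm/namei.h>
 #include <asm/uaccess.h>
 
@@ -729,6 +730,13 @@ static inline int do_follow_link(struct
 	err = security_inode_follow_link(path->dentry, nd);
 	if (err)
 		goto loop;
+
+	if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
+				  path->dentry->d_inode, path->dentry)) {
+		err = -EACCES;
+		goto loop;
+	}
+
 	current->link_count++;
 	current->total_link_count++;
 	nd->depth++;
@@ -1859,6 +1867,13 @@ do_last:
 	/*
 	 * It already exists.
 	 */
+
+	if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
+		mutex_unlock(&dir->d_inode->i_mutex);
+		error = -EACCES;
+		goto exit_dput;
+	}
+
 	mutex_unlock(&dir->d_inode->i_mutex);
 	audit_inode(pathname, path.dentry);
 
@@ -1930,6 +1945,13 @@ do_link:
 	error = security_inode_follow_link(path.dentry, nd);
 	if (error)
 		goto exit_dput;
+
+	if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
+				  path.dentry)) {
+		error = -EACCES;
+		goto exit_dput;
+	}
+
 	error = __do_follow_link(&path, nd);
 	if (error) {
 		/* Does someone understand code flow here? Or it is only
@@ -2514,8 +2536,16 @@ asmlinkage long sys_linkat(int olddfd, c
 	error = PTR_ERR(new_dentry);
 	if (IS_ERR(new_dentry))
 		goto out_unlock;
+
+	if (gr_handle_hardlink(old_nd.path.dentry, old_nd.path.dentry->d_inode,
+			       old_nd.path.dentry->d_inode->i_mode, to)) {
+		error = -EACCES;
+		goto out_unlock_dput;
+	}
+
 	error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode,
 			 new_dentry, &nd);
+out_unlock_dput:
 	dput(new_dentry);
 out_unlock:
 	mutex_unlock(&nd.path.dentry->d_inode->i_mutex);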
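Review bot: The sys_linkat hunk discards the value returned by gr_handle_hardlink and reports a constant -EACCES, although the helper in grsecurity/grsec_link.c returns -EPERM for a refused hard link; the do_follow_link, do_last and do_link hunks do the same for gr_handle_follow_link and gr_handle_fifo. Propagating the helper's code keeps the errno seen by userspace defined in one place: `error = gr_handle_hardlink(old_nd.path.dentry, old_nd.path.dentry->d_inode, old_nd.path.dentry->d_inode->i_mode, to); if (error) goto out_unlock_dput;`. If -EACCES is the intended user-visible error for all of them, a one-line comment at each call site saying so would stop the next reader from "fixing" the mismatch. The enclosing functions begin and end outside every hunk here.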
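diff -urNp linux-2.6.25.orig/fs/proc/array.c linux-2.6.25/fs/proc/array.c
--- linux-2.6.25.orig/fs/proc/array.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/array.c	2008-04-25 15:10:25.000000000 +0200
@@ -637,3 +637,15 @@ int proc_pid_statm(struct seq_file *m, s
 
 	return 0;
 }
+
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
+		    struct pid *pid, struct task_struct *task)
+{
+	int len;
+
+	len = seq_printf(m, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
+	return len;
+}
+#endif
+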
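Review bot: `len` in proc_pid_ipaddr is not a length: seq_printf in this kernel series returns 0 on success and -1 when the seq_file buffer is full, and that status is what the single-show proc path presumably expects back. Returning it directly, `return seq_printf(m, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));`, removes the misleading name and the temporary. A one-line comment that curr_ip is the peer address recorded by gr_attach_curr_ip in grsecurity/grsec_sock.c would help, since the field's declaration is not part of this patch. The unused ns and pid parameters match the sibling proc_pid_* helpers and are fine.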
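diff -urNp linux-2.6.25.orig/fs/proc/inode.c linux-2.6.25/fs/proc/inode.c
--- linux-2.6.25.orig/fs/proc/inode.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/inode.c	2008-04-25 15:10:25.000000000 +0200
@@ -406,7 +406,11 @@ struct inode *proc_get_inode(struct supe
 		if (de->mode) {
 			inode->i_mode = de->mode;
 			inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 			inode->i_gid = de->gid;
+#endif
 		}
 		if (de->vx_flags)
 			PROC_I(inode)->vx_flags = de->vx_flags;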
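Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP this assigns CONFIG_GRKERNSEC_PROC_GID to every proc inode that has a de->mode, not only to the entries this patch registers with gr_mode, so an entry created elsewhere with group bits in its mode (group write in particular) now grants them to the special group instead of the de->gid its creator chose. If that blanket override is intended, a comment on the #ifdef should say so; otherwise keep an explicitly set gid and fall back to the special group only for the default, `inode->i_gid = de->gid ? de->gid : CONFIG_GRKERNSEC_PROC_GID;`. proc_get_inode's signature is outside the hunk.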
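diff -urNp linux-2.6.25.orig/fs/proc/internal.h linux-2.6.25/fs/proc/internal.h
--- linux-2.6.25.orig/fs/proc/internal.h	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/internal.h	2008-04-25 15:10:25.000000000 +0200
@@ -60,6 +60,10 @@ extern int proc_pid_statm(struct seq_fil
 				struct pid *pid, struct task_struct *task);
 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
 				struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
+				struct pid *pid, struct task_struct *task);
+#endif
 
 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
 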
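diff -urNp linux-2.6.25.orig/fs/proc/proc_misc.c linux-2.6.25/fs/proc/proc_misc.c
--- linux-2.6.25.orig/fs/proc/proc_misc.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/proc_misc.c	2008-04-25 15:10:25.000000000 +0200
@@ -843,6 +843,8 @@ void create_seq_entry(char *name, mode_t
 
 void __init proc_misc_init(void)
 {
+	int gr_mode = 0;
+
 	static struct {
 		char *name;
 		int (*read_proc)(char*,char**,off_t,int,int*,void*);
@@ -858,13 +860,24 @@ void __init proc_misc_init(void)
 		{"stram", stram_read_proc},
 #endif
 		{"filesystems", filesystems_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
 		{"cmdline", cmdline_read_proc},
+#endif
 		{"execdomains", execdomains_read_proc},
 		{NULL,}
 	};
 	for (p = simple_ones; p->name; p++)
 		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
 
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	gr_mode = S_IRUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	gr_mode = S_IRUSR | S_IRGRP;
+#endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+	create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
+#endif
+
 	proc_symlink("mounts", NULL, "self/mounts");
 
 	/* And now for trickier ones */
@@ -877,7 +890,11 @@ void __init proc_misc_init(void)
 	}
 #endif
 	create_seq_entry("locks", 0, &proc_locks_operations);
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+	create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
+#else
 	create_seq_entry("devices", 0, &proc_devinfo_operations);
+#endif
 	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
 #ifdef CONFIG_BLOCK
 	create_seq_entry("partitions", 0, &proc_partitions_operations);
@@ -885,7 +902,11 @@ void __init proc_misc_init(void)
 	create_seq_entry("stat", 0, &proc_stat_operations);
 	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
 #ifdef CONFIG_SLABINFO
+#ifdef CONFIG_GRKRENSEC_PROC_ADD
+	create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
+#else
 	create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+#endif
 #ifdef CONFIG_DEBUG_SLAB_LEAK
 	create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
 #endif
@@ -903,7 +924,7 @@ void __init proc_misc_init(void)
 #ifdef CONFIG_SCHEDSTATS
 	create_seq_entry("schedstat", 0, &proc_schedstat_operations);
 #endif
-#ifdef CONFIG_PROC_KCORE
+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
 	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
 	if (proc_root_kcore) {
 		proc_root_kcore->proc_fops = &proc_kcore_operations;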
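Review bot: The slabinfo hunk tests `CONFIG_GRKRENSEC_PROC_ADD` (letters transposed), a symbol no Kconfig in this patch defines, so the restricted branch is never compiled and /proc/slabinfo keeps S_IWUSR|S_IRUGO even with PROC_ADD enabled — precisely the entry the GRKERNSEC_PROC_ADD help text promises to hide. Change it to `#ifdef CONFIG_GRKERNSEC_PROC_ADD`. A build-time sweep for CONFIG_ symbols that appear in #ifdef but in no Kconfig would catch this class of silent no-op. The gr_mode default of 0 is only safe because PROC_ADD depends on PROC_USER or PROC_USERGROUP in Kconfig; worth a comment on the declaration in the first hunk. proc_misc_init continues outside the last hunk.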
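diff -urNp linux-2.6.25.orig/fs/proc/root.c linux-2.6.25/fs/proc/root.c
--- linux-2.6.25.orig/fs/proc/root.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/root.c	2008-04-25 15:10:25.000000000 +0200
@@ -140,7 +140,15 @@ void __init proc_root_init(void)
 #ifdef CONFIG_PROC_DEVICETREE
 	proc_device_tree_init();
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
 	proc_bus = proc_mkdir("bus", NULL);
+#endif
 	proc_vx_init();
 	proc_sys_init();
 }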
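diff -urNp linux-2.6.25.orig/grsecurity/Kconfig linux-2.6.25/grsecurity/Kconfig
--- linux-2.6.25.orig/grsecurity/Kconfig	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/Kconfig	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,123 @@
+#
+# grecurity configuration
+#
+
+menu "Grsecurity"
+
+config GRKERNSEC
+	bool "Grsecurity"
+	select CRYPTO
+	select CRYPTO_SHA256
+	select SECURITY
+	select SECURITY_CAPABILITIES
+	help
+	  If you say Y here, you will be able to configure many features
+	  that will enhance the security of your system. It is highly
+	  recommended that you say Y here and read through the help
+	  for each option so that you fully understand the features and
+	  can evaluate their usefulness for your machine.
+
+menu "Filesystem Protections"
+depends on GRKERNSEC
+
+config GRKERNSEC_PROC
+	bool "Proc restrictions"
+	help
+	  If you say Y here, the permissions of the /proc filesystem
+	  will be altered to enhance system security and privacy. You MUST
+	  choose either a user only restriction or a user and group restriction.
+	  Depending upon the option you choose, you can either restrict users to
+	  see only the processes they themselves run, or choose a group that can
+	  view all processes and files normally restricted to root if you choose
+	  the "restrict to user only" option. NOTE: If you're running identd as
+	  a non-root user, you will have to run it as the group you specify here.
+
+config GRKERNSEC_PROC_USER
+	bool "Restrict /proc to user only"
+	depends on GRKERNSEC_PROC
+	help
+	  If you say Y here, non-root users will only be able to view their own
+	  processes, and restricts them from viewing network-related information,
+	  and viewing kernel symbol and module information.
+
+config GRKERNSEC_PROC_USERGROUP
+	bool "Allow special group"
+	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
+	help
+	  If you say Y here, you will be able to select a group that will be
+	  able to view all processes, network-related information, and
+	  kernel and symbol information. This option is useful if you want
+	  to run identd as a non-root user.
+
+config GRKERNSEC_PROC_GID
+	int "GID for special group"
+	depends on GRKERNSEC_PROC_USERGROUP
+	default 1001
+
+config GRKERNSEC_PROC_ADD
+	bool "Additional restrictions"
+	depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
+	help
+	  If you say Y here, additional restrictions will be placed on
+	  /proc that keep normal users from viewing device information and
+	  slabinfo information that could be useful for exploits.
+
+config GRKERNSEC_LINK
+	bool "Linking restrictions"
+	help
+	  If you say Y here, /tmp race exploits will be prevented, since users
+	  will no longer be able to follow symlinks owned by other users in
+	  world-writable +t directories (i.e. /tmp), unless the owner of the
+	  symlink is the owner of the directory. users will also not be
+	  able to hardlink to files they do not own. If the sysctl option is
+	  enabled, a sysctl option with name "linking_restrictions" is created.
+
+config GRKERNSEC_FIFO
+	bool "FIFO restrictions"
+	help
+	  If you say Y here, users will not be able to write to FIFOs they don't
+	  own in world-writable +t directories (i.e. /tmp), unless the owner of
+	  the FIFO is the same owner of the directory it's held in. If the sysctl
+	  option is enabled, a sysctl option with name "fifo_restrictions" is
+	  created.
+
+endmenu
+
+config GRKERNSEC_PROC_IPADDR
+	bool "/proc/<pid>/ipaddr support"
+	help
+	  If you say Y here, a new entry will be added to each /proc/<pid>
+	  directory that contains the IP address of the person using the task.
+	  The IP is carried across local TCP and AF_UNIX stream sockets.
+	  This information can be useful for IDS/IPSes to perform remote response
+	  to a local attack. The entry is readable by only the owner of the
+	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
+	  the RBAC system), and thus does not create privacy concerns.
+
+config GRKERNSEC_SYSCTL
+	bool "Sysctl support"
+	help
+	  If you say Y here, you will be able to change the options that
+	  grsecurity runs with at bootup, without having to recompile your
+	  kernel. You can echo values to files in /proc/sys/kernel/grsecurity
+	  to enable (1) or disable (0) various features. All the sysctl entries
+	  are mutable until the "grsec_lock" entry is set to a non-zero value.
+	  All features enabled in the kernel configuration are disabled at boot
+	  if you do not say Y to the "Turn on features by default" option.
+	  All options should be set at startup, and the grsec_lock entry should
+	  be set to a non-zero value after all the options are set.
+	  *THIS IS EXTREMELY IMPORTANT*
+
+config GRKERNSEC_SYSCTL_ON
+	bool "Turn on features by default"
+	depends on GRKERNSEC_SYSCTL
+	help
+	  If you say Y here, instead of having all features enabled in the
+	  kernel configuration disabled at boot time, the features will be
+	  enabled at boot time. It is recommended you say Y here unless
+	  there is some reason you would want all sysctl-tunable features to
+	  be disabled by default. As mentioned elsewhere, it is important
+	  to enable the grsec_lock entry once you have finished modifying
+	  the sysctl entries.
+
+endmenu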
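Review bot: GRKERNSEC_SYSCTL, GRKERNSEC_SYSCTL_ON and GRKERNSEC_PROC_IPADDR sit after the `endmenu` of "Filesystem Protections" and carry no `depends on GRKERNSEC`, so they can be selected with GRKERNSEC=n. In that configuration grsecurity/Makefile (next section) still builds grsec_sysctl.o unconditionally through obj-y, and grsec_sysctl.c references grsec_lock, which is defined only in grsec_init.c, built via obj-$(CONFIG_GRKERNSEC) — an undefined-reference link failure unless grinternal.h, not in this chunk, supplies a fallback. Add `depends on GRKERNSEC` to the three options, or move them inside a menu that carries it. The header comment also misspells the project name: `# grsecurity configuration`.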
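diff -urNp linux-2.6.25.orig/grsecurity/Makefile linux-2.6.25/grsecurity/Makefile
--- linux-2.6.25.orig/grsecurity/Makefile	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/Makefile	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,11 @@
+# All code in this directory and various hooks inserted throughout the kernel
+# are copyright Brad Spengler, and released under the GPL v2 or higher
+
+obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o
+
+ifndef CONFIG_GRKERNSEC
+obj-y += grsec_disabled.o
+endif
+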
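diff -urNp linux-2.6.25.orig/grsecurity/grsec_disabled.c linux-2.6.25/grsecurity/grsec_disabled.c
--- linux-2.6.25.orig/grsecurity/grsec_disabled.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_disabled.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,6 @@
+void
+grsecurity_init(void)
+{
+	return;
+}
+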
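diff -urNp linux-2.6.25.orig/grsecurity/grsec_fifo.c linux-2.6.25/grsecurity/grsec_fifo.c
--- linux-2.6.25.orig/grsecurity/grsec_fifo.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_fifo.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,21 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_fifo(const struct dentry *dentry, const struct dentry *dir,
+	       const int flag, const int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_FIFO
+	if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
+	    !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+	    (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
+	    (current->fsuid != dentry->d_inode->i_uid)) {
+		if (!generic_permission(dentry->d_inode, acc_mode, NULL))
+			return -EACCES;
+	}
+#endif
+	return 0;
+}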
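Review bot: gr_handle_fifo refuses the open whenever generic_permission() succeeds (`!generic_permission(...)`) and never looks at which access was requested, so with the other conditions met it blocks O_RDONLY opens of another user's FIFO as well, while the GRKERNSEC_FIFO help text only promises to stop writes. Either add `(acc_mode & MAY_WRITE) &&` to the outer condition or change the help text to say "open". The inverted generic_permission test deserves a comment, e.g. `/* deny only where DAC would have allowed the open; a DAC failure is presumably reported by the normal open path */`.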
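diff -urNp linux-2.6.25.orig/grsecurity/grsec_init.c linux-2.6.25/grsecurity/grsec_init.c
--- linux-2.6.25.orig/grsecurity/grsec_init.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_init.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,29 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/smp_lock.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/percpu.h>
+
+int grsec_enable_link;
+int grsec_enable_fifo;
+int grsec_lock;
+
+void
+grsecurity_init(void)
+{
+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
+#ifndef CONFIG_GRKERNSEC_SYSCTL
+	grsec_lock = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_LINK
+	grsec_enable_link = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+	grsec_enable_fifo = 1;
+#endif
+#endif
+
+	return;
+}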
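Review bot: grsec_init.c includes mm.h, smp_lock.h, slab.h, vmalloc.h and percpu.h but uses nothing from them; the file only defines three ints and sets them from config symbols, so the list can shrink to `#include <linux/kernel.h>` plus the header that declares these globals for the other grsecurity files (grinternal.h, not visible in this chunk). The outer `#if` also deserves a one-line comment, e.g. `/* with sysctl support the features start off until userspace turns them on, unless SYSCTL_ON says otherwise */`, and another on why grsec_lock is forced to 1 when sysctl support is compiled out, given that gr_handle_sysctl_mod only consults it under CONFIG_GRKERNSEC_SYSCTL.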
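diff -urNp linux-2.6.25.orig/grsecurity/grsec_link.c linux-2.6.25/grsecurity/grsec_link.c
--- linux-2.6.25.orig/grsecurity/grsec_link.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_link.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,36 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_follow_link(const struct inode *parent,
+		      const struct inode *inode,
+		      const struct dentry *dentry)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+	if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
+	    (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
+	    (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
+
+int
+gr_handle_hardlink(const struct dentry *dentry, struct inode *inode,
+		   const int mode, const char *to)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+	if (grsec_enable_link && current->fsuid != inode->i_uid &&
+	    (!S_ISREG(mode) || (mode & S_ISUID) ||
+	     ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+	     (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
+	    !capable(CAP_FOWNER) && current->uid) {
+		return -EPERM;
+	}
+#endif
+	return 0;
+}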
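Review bot: gr_handle_hardlink never uses its dentry and to parameters, and gr_handle_follow_link never uses dentry; either drop them from the prototypes or say in a comment what they are reserved for (logging, presumably), otherwise -Wunused-parameter noise hides real findings. The hardlink test also mixes `current->fsuid` for the ownership comparison with `current->uid` for the "not root" exemption; that is probably deliberate, so a comment on why the real uid rather than fsuid decides the exemption would help the next reader. The two helpers return different codes (-EACCES vs -EPERM) for what the Kconfig text describes as one feature; the callers in fs/namei.c currently replace both with -EACCES, so pick one here and document it.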
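diff -urNp linux-2.6.25.orig/grsecurity/grsec_sock.c linux-2.6.25/grsecurity/grsec_sock.c
--- linux-2.6.25.orig/grsecurity/grsec_sock.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_sock.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,167 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/net.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <net/sock.h>
+#include <net/inet_sock.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+#ifdef CONFIG_GRKERNSEC
+#define gr_conn_table_size 32749
+struct conn_table_entry {
+	struct conn_table_entry *next;
+	struct signal_struct *sig;
+};
+
+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
+
+static __inline__ int
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
+{
+	return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
+}
+
+static __inline__ int
+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
+	   __u16 sport, __u16 dport)
+{
+	if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
+		     sig->gr_sport == sport && sig->gr_dport == dport))
+		return 1;
+	else
+		return 0;
+}
+
+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
+{
+	struct conn_table_entry **match;
+	unsigned int index;
+
+	index = conn_hash(sig->gr_saddr, sig->gr_daddr,
+			  sig->gr_sport, sig->gr_dport,
+			  gr_conn_table_size);
+
+	newent->sig = sig;
+
+	match = &gr_conn_table[index];
+	newent->next = *match;
+	*match = newent;
+
+	return;
+}
+
+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
+{
+	struct conn_table_entry *match, *last = NULL;
+	unsigned int index;
+
+	index = conn_hash(sig->gr_saddr, sig->gr_daddr,
+			  sig->gr_sport, sig->gr_dport,
+			  gr_conn_table_size);
+
+	match = gr_conn_table[index];
+	while (match && !conn_match(match->sig,
+		sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
+		sig->gr_dport)) {
+		last = match;
+		match = match->next;
+	}
+
+	if (match) {
+		if (last)
+			last->next = match->next;
+		else
+			gr_conn_table[index] = NULL;
+		kfree(match);
+	}
+
+	return;
+}
+
+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
+					     __u16 sport, __u16 dport)
+{
+	struct conn_table_entry *match;
+	unsigned int index;
+
+	index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
+
+	match = gr_conn_table[index];
+	while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
+		match = match->next;
+
+	if (match)
+		return match->sig;
+	else
+		return NULL;
+}
+
+#endif
+
+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
+{
+#ifdef CONFIG_GRKERNSEC
+	struct signal_struct *sig = task->signal;
+	struct conn_table_entry *newent;
+
+	newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
+	if (newent == NULL)
+		return;
+	/* no bh lock needed since we are called with bh disabled */
+	spin_lock(&gr_conn_table_lock);
+	gr_del_task_from_ip_table_nolock(sig);
+	sig->gr_saddr = inet->rcv_saddr;
+	sig->gr_daddr = inet->daddr;
+	sig->gr_sport = inet->sport;
+	sig->gr_dport = inet->dport;
+	gr_add_to_task_ip_table_nolock(sig, newent);
+	spin_unlock(&gr_conn_table_lock);
+#endif
+	return;
+}
+
+void gr_del_task_from_ip_table(struct task_struct *task)
+{
+#ifdef CONFIG_GRKERNSEC
+	spin_lock(&gr_conn_table_lock);
+	gr_del_task_from_ip_table_nolock(task->signal);
+	spin_unlock(&gr_conn_table_lock);
+#endif
+	return;
+}
+
+void
+gr_attach_curr_ip(const struct sock *sk)
+{
+#ifdef CONFIG_GRKERNSEC
+	struct signal_struct *p, *set;
+	const struct inet_sock *inet = inet_sk(sk);
+
+	if (unlikely(sk->sk_protocol != IPPROTO_TCP))
+		return;
+
+	set = current->signal;
+
+	spin_lock_bh(&gr_conn_table_lock);
+	p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
+				    inet->dport, inet->sport);
+	if (unlikely(p != NULL)) {
+		set->curr_ip = p->curr_ip;
+		set->used_accept = 1;
+		gr_del_task_from_ip_table_nolock(p);
+		spin_unlock_bh(&gr_conn_table_lock);
+		return;
+	}
+	spin_unlock_bh(&gr_conn_table_lock);
+
+	set->curr_ip = inet->daddr;
+	set->used_accept = 1;
+#endif
+	return;
+}
+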
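Review bot: gr_del_task_from_ip_table_nolock truncates a hash chain when the entry being removed is its head: in the `if (match)` branch with `last == NULL` it stores NULL into gr_conn_table[index] instead of the successor, so every other entry in that bucket becomes unreachable and is never freed. The fix is `gr_conn_table[index] = match->next;`. Separately, gr_update_task_in_ip_table takes gr_conn_table_lock with plain spin_lock on the strength of a comment that bh is already disabled, gr_attach_curr_ip uses spin_lock_bh, and gr_del_task_from_ip_table uses plain spin_lock; if the last is called from process context (task exit, presumably) a softirq can try to acquire the lock while it is held, so the three sites should agree on the _bh variant and the comment should name the caller that guarantees bh-disabled. `SPIN_LOCK_UNLOCKED` is deprecated in this kernel series in favour of `DEFINE_SPINLOCK(gr_conn_table_lock)`, and both the table and the lock can be `static`.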
9e282013 | 704 | diff -urNp linux-2.6.25.orig/grsecurity/grsec_sysctl.c linux-2.6.25/grsecurity/grsec_sysctl.c |
705 | --- linux-2.6.25.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100 | |
706 | +++ linux-2.6.25/grsecurity/grsec_sysctl.c 2008-04-25 15:10:25.000000000 +0200 | |
f4615840 | 707 | @@ -0,0 +1,52 @@ |
177d642c JR |
708 | +#include <linux/kernel.h> |
709 | +#include <linux/sched.h> | |
710 | +#include <linux/sysctl.h> | |
711 | +#include <linux/grsecurity.h> | |
712 | +#include <linux/grinternal.h> | |
713 | + | |
714 | +int | |
715 | +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op) | |
716 | +{ | |
717 | +#ifdef CONFIG_GRKERNSEC_SYSCTL | |
718 | + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) { | |
719 | + return -EACCES; | |
720 | + } | |
721 | +#endif | |
722 | + return 0; | |
723 | +} | |
724 | + | |
725 | +#if defined(CONFIG_GRKERNSEC_SYSCTL) | |
177d642c JR |
726 | +ctl_table grsecurity_table[] = { |
727 | +#ifdef CONFIG_GRKERNSEC_SYSCTL | |
728 | +#ifdef CONFIG_GRKERNSEC_LINK | |
729 | + { | |
f4615840 | 730 | + .ctl_name = CTL_UNNUMBERED, |
177d642c JR |
731 | + .procname = "linking_restrictions", |
732 | + .data = &grsec_enable_link, | |
733 | + .maxlen = sizeof(int), | |
734 | + .mode = 0600, | |
735 | + .proc_handler = &proc_dointvec, | |
736 | + }, | |
737 | +#endif | |
738 | +#ifdef CONFIG_GRKERNSEC_FIFO | |
739 | + { | |
f4615840 | 740 | + .ctl_name = CTL_UNNUMBERED, |
177d642c JR |
741 | + .procname = "fifo_restrictions", |
742 | + .data = &grsec_enable_fifo, | |
743 | + .maxlen = sizeof(int), | |
744 | + .mode = 0600, | |
745 | + .proc_handler = &proc_dointvec, | |
746 | + }, | |
747 | +#endif | |
177d642c | 748 | + { |
f4615840 | 749 | + .ctl_name = CTL_UNNUMBERED, |
177d642c JR |
750 | + .procname = "grsec_lock", |
751 | + .data = &grsec_lock, | |
752 | + .maxlen = sizeof(int), | |
753 | + .mode = 0600, | |
754 | + .proc_handler = &proc_dointvec, | |
755 | + }, | |
756 | +#endif | |
757 | + { .ctl_name = 0 } | |
758 | +}; | |
759 | +#endif | |
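Review bot: The `002` in `(op & 002)` at line 718 is an undocumented octal bit whose meaning only becomes clear from test_perm()/sysctl_perm() in kernel/sysctl.c; add `/* 002: write request, as passed in by sysctl_perm() */` above the check or use a named constant. The `name` parameter of gr_handle_sysctl_mod is never read, so either drop it from the signature or note in a comment that only the parent directory is inspected. The `#ifdef CONFIG_GRKERNSEC_SYSCTL` at line 727 is redundant inside the `#if defined(CONFIG_GRKERNSEC_SYSCTL)` at line 725, and its `#endif` at line 756 lands ahead of the terminating `{ .ctl_name = 0 }` entry, which makes the nesting hard to follow; drop the inner pair. `grsec_lock` deserves a one-line comment that, once set to 1, writes to every entry under "grsecurity" including grsec_lock itself are refused, so it cannot be cleared again through sysctl.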
9e282013 | 760 | diff -urNp linux-2.6.25.orig/include/linux/grinternal.h linux-2.6.25/include/linux/grinternal.h |
761 | --- linux-2.6.25.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100 | |
762 | +++ linux-2.6.25/include/linux/grinternal.h 2008-04-25 15:10:25.000000000 +0200 | |
f4615840 | 763 | @@ -0,0 +1,14 @@ |
177d642c JR |
764 | +#ifndef __GRINTERNAL_H |
765 | +#define __GRINTERNAL_H | |
766 | + | |
767 | +#ifdef CONFIG_GRKERNSEC | |
768 | + | |
769 | +#include <linux/fs.h> | |
770 | + | |
771 | +extern int grsec_enable_link; | |
772 | +extern int grsec_enable_fifo; | |
177d642c JR |
773 | +extern int grsec_lock; |
774 | + | |
775 | +#endif | |
776 | + | |
777 | +#endif | |
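Review bot: The three `extern int` declarations are only visible under CONFIG_GRKERNSEC, while their consumer grsecurity/grsec_sysctl.c compiles them in under CONFIG_GRKERNSEC_SYSCTL; unless Kconfig (not in this chunk) makes the latter depend on the former, a build with only the sysctl option would not see them, so either guard them by the same symbol or document the dependency above the `#ifdef`. `#include <linux/fs.h>` is not needed by anything declared in this hunk; if it is meant as a convenience include for users of the header, say so in a comment, otherwise drop it.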
9e282013 | 778 | diff -urNp linux-2.6.25.orig/include/linux/grsecurity.h linux-2.6.25/include/linux/grsecurity.h |
779 | --- linux-2.6.25.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100 | |
780 | +++ linux-2.6.25/include/linux/grsecurity.h 2008-04-25 15:10:25.000000000 +0200 | |
781 | @@ -0,0 +1,18 @@ | |
177d642c JR |
782 | +#ifndef GR_SECURITY_H |
783 | +#define GR_SECURITY_H | |
784 | +#include <linux/fs.h> | |
785 | +#include <linux/binfmts.h> | |
786 | + | |
f4615840 | 787 | +void gr_del_task_from_ip_table(struct task_struct *p); |
177d642c | 788 | + |
f4615840 | 789 | +int gr_handle_follow_link(const struct inode *parent, |
177d642c | 790 | + const struct inode *inode, |
9e282013 | 791 | + const struct dentry *dentry); |
f4615840 | 792 | +int gr_handle_fifo(const struct dentry *dentry, |
177d642c JR |
793 | + const struct dentry *dir, const int flag, |
794 | + const int acc_mode); | |
f4615840 | 795 | +int gr_handle_hardlink(const struct dentry *dentry, |
177d642c JR |
796 | + struct inode *inode, |
797 | + const int mode, const char *to); | |
798 | + | |
177d642c | 799 | +#endif |
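Review bot: The functions this patch defines in grsecurity/grsec_sock.c and grsecurity/grsec_sysctl.c are not declared here; instead kernel/sysctl.c, net/ipv4/inet_hashtables.c and net/socket.c each carry a local `extern` prototype (lines 934–935, 987 and 1016), so a later change to a definition would not be checked against its callers. Add `int gr_handle_sysctl_mod(const char *dirname, const char *name, const int op);`, `void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);` and `void gr_attach_curr_ip(const struct sock *sk);` to this header (with forward declarations of `struct inet_sock` and `struct sock`) and remove the three local externs. Each prototype should also carry a one-line contract, in particular which locks the caller may hold, since gr_attach_curr_ip takes gr_conn_table_lock with the `_bh` variant while the other two take it plain.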
9e282013 | 800 | diff -urNp linux-2.6.25.orig/include/linux/sched.h linux-2.6.25/include/linux/sched.h |
801 | --- linux-2.6.25.orig/include/linux/sched.h 2008-04-25 15:09:05.000000000 +0200 | |
802 | +++ linux-2.6.25/include/linux/sched.h 2008-04-25 15:10:25.000000000 +0200 | |
803 | @@ -544,6 +544,15 @@ struct signal_struct { | |
f4615840 | 804 | unsigned audit_tty; |
805 | struct tty_audit_buf *tty_audit_buf; | |
177d642c | 806 | #endif |
f4615840 | 807 | + |
177d642c JR |
808 | +#ifdef CONFIG_GRKERNSEC |
809 | + u32 curr_ip; | |
810 | + u32 gr_saddr; | |
811 | + u32 gr_daddr; | |
812 | + u16 gr_sport; | |
813 | + u16 gr_dport; | |
f4615840 | 814 | + u8 used_accept:1; |
177d642c JR |
815 | +#endif |
816 | }; | |
817 | ||
818 | /* Context switch must be unlocked if interrupts are to be enabled */ | |
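Review bot: `gr_saddr`, `gr_daddr`, `gr_sport` and `gr_dport` are assigned from inet_sock's rcv_saddr/daddr/sport/dport (grsec_sock.c lines 654–657), which carry sparse endianness annotations in this tree, so declaring them plain `u32`/`u16` will produce a sparse warning at every assignment and comparison; declare them `__be32 gr_saddr; __be32 gr_daddr; __be16 gr_sport; __be16 gr_dport;`, and likewise `__be32 curr_ip`, which is assigned from daddr at line 698. The fields have no comment; a short block stating that the four-tuple appears to record the group's most recently hashed connection (the inet_hashtables.c hunk) for lookup in gr_attach_curr_ip, and that curr_ip and used_accept live in signal_struct and are therefore shared by every thread of the group, would save the next reader a trip to grsec_sock.c. The struct signal_struct definition begins outside the hunk.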
9e282013 | 819 | diff -urNp linux-2.6.25.orig/include/linux/sysctl.h linux-2.6.25/include/linux/sysctl.h |
820 | --- linux-2.6.25.orig/include/linux/sysctl.h 2008-04-25 15:09:05.000000000 +0200 | |
821 | +++ linux-2.6.25/include/linux/sysctl.h 2008-04-25 15:10:25.000000000 +0200 | |
822 | @@ -165,8 +165,11 @@ enum | |
f4615840 | 823 | KERN_MAX_LOCK_DEPTH=74, |
824 | KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */ | |
825 | KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */ | |
826 | -}; | |
177d642c JR |
827 | +#ifdef CONFIG_GRKERNSEC |
828 | + KERN_GRSECURITY=98, /* grsecurity */ | |
829 | +#endif | |
177d642c | 830 | |
f4615840 | 831 | +}; |
177d642c | 832 | |
177d642c | 833 | |
f4615840 | 834 | /* CTL_VM names: */ |
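Review bot: `KERN_GRSECURITY=98` is not referenced by any other hunk in this patch — both new tables use `CTL_UNNUMBERED` — so unless the part of the patch outside this chunk consumes it, it is a dead binary-sysctl number that also runs against the `Documentation/sysctl/ctl_unnumbered.txt` note the kern_table hunk sits next to; drop it, or replace the bare `/* grsecurity */` comment with what uses it. If it stays, keep the closing `};` directly after the last enumerator instead of the two blank lines now inserted at lines 830–831.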
9e282013 | 835 | diff -urNp linux-2.6.25.orig/kernel/configs.c linux-2.6.25/kernel/configs.c |
836 | --- linux-2.6.25.orig/kernel/configs.c 2008-04-25 15:09:12.000000000 +0200 | |
837 | +++ linux-2.6.25/kernel/configs.c 2008-04-25 15:10:25.000000000 +0200 | |
f4615840 | 838 | @@ -79,8 +79,16 @@ static int __init ikconfig_init(void) |
0dca9e73 JR |
839 | struct proc_dir_entry *entry; |
840 | ||
841 | /* create the current config file */ | |
842 | +#ifdef CONFIG_GRKERNSEC_PROC_ADD | |
843 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
844 | + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root); | |
17bffd3d | 845 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
0dca9e73 JR |
846 | + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root); |
847 | +#endif | |
848 | +#else | |
849 | entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO, | |
850 | &proc_root); | |
851 | +#endif | |
852 | if (!entry) | |
853 | return -ENOMEM; | |
854 | ||
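Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, no branch assigns `entry` and `if (!entry)` at line 852 reads an uninitialized pointer; Kconfig is not in this chunk, so if it does not force one of the two, add `#else` followed by `entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO, &proc_root);` before the inner `#endif` at line 847. The same three-way `#ifdef` without a fallback is repeated in kernel/kallsyms.c (lines 881–889) and twice in kernel/resource.c (lines 900–908 and 912–920). Since only the mode differs between the branches, defining the mode once in a header and keeping a single create_proc_entry() call per site would remove the four copies. ikconfig_init begins outside the hunk.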
9e282013 | 855 | diff -urNp linux-2.6.25.orig/kernel/exit.c linux-2.6.25/kernel/exit.c |
856 | --- linux-2.6.25.orig/kernel/exit.c 2008-04-25 15:09:12.000000000 +0200 | |
857 | +++ linux-2.6.25/kernel/exit.c 2008-04-25 15:10:25.000000000 +0200 | |
f4615840 | 858 | @@ -49,6 +49,7 @@ |
89fc9a43 | 859 | #include <linux/vs_network.h> |
f4615840 | 860 | #include <linux/vs_pid.h> |
861 | #include <linux/vserver/global.h> | |
862 | +#include <linux/grsecurity.h> | |
863 | ||
864 | #include <asm/uaccess.h> | |
865 | #include <asm/unistd.h> | |
9e282013 | 866 | @@ -125,6 +126,7 @@ static void __exit_signal(struct task_st |
bd69be18 JR |
867 | |
868 | __unhash_process(tsk); | |
869 | ||
870 | + gr_del_task_from_ip_table(tsk); | |
871 | tsk->signal = NULL; | |
872 | tsk->sighand = NULL; | |
873 | spin_unlock(&sighand->siglock); | |
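Review bot: `gr_del_task_from_ip_table(tsk)` runs for every exiting thread, but it removes the entry keyed by `tsk->signal` (grsec_sock.c line 668), which all threads of the group share, so the first non-leader thread to exit appears to drop the group's record while the remaining threads keep running; if that is not intended, the call belongs on the path __exit_signal takes only for the last user of the signal_struct, which is outside this hunk. The call is also made with `sighand->siglock` held (released at line 873) and takes gr_conn_table_lock with plain `spin_lock` (line 667), whereas gr_attach_curr_ip takes the same lock with `spin_lock_bh` (line 686); either the lock is never taken from softirq context and the `_bh` there is unnecessary, or it is and both process-context takers must use `_bh` too — pick one and document it at the lock definition. __exit_signal begins outside the hunk.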
9e282013 | 874 | diff -urNp linux-2.6.25.orig/kernel/kallsyms.c linux-2.6.25/kernel/kallsyms.c |
875 | --- linux-2.6.25.orig/kernel/kallsyms.c 2008-04-25 15:09:12.000000000 +0200 | |
876 | +++ linux-2.6.25/kernel/kallsyms.c 2008-04-25 15:10:25.000000000 +0200 | |
877 | @@ -474,7 +474,15 @@ static int __init kallsyms_init(void) | |
0dca9e73 JR |
878 | { |
879 | struct proc_dir_entry *entry; | |
880 | ||
881 | +#ifdef CONFIG_GRKERNSEC_PROC_ADD | |
882 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
883 | + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL); | |
17bffd3d | 884 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
0dca9e73 JR |
885 | + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL); |
886 | +#endif | |
887 | +#else | |
888 | entry = create_proc_entry("kallsyms", 0444, NULL); | |
889 | +#endif | |
890 | if (entry) | |
891 | entry->proc_fops = &kallsyms_operations; | |
892 | return 0; | |
9e282013 | 893 | diff -urNp linux-2.6.25.orig/kernel/resource.c linux-2.6.25/kernel/resource.c |
894 | --- linux-2.6.25.orig/kernel/resource.c 2008-04-25 15:09:12.000000000 +0200 | |
895 | +++ linux-2.6.25/kernel/resource.c 2008-04-25 15:10:25.000000000 +0200 | |
0dca9e73 JR |
896 | @@ -133,10 +133,27 @@ static int __init ioresources_init(void) |
897 | { | |
898 | struct proc_dir_entry *entry; | |
899 | ||
900 | +#ifdef CONFIG_GRKERNSEC_PROC_ADD | |
901 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
902 | + entry = create_proc_entry("ioports", S_IRUSR, NULL); | |
17bffd3d | 903 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
0dca9e73 JR |
904 | + entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL); |
905 | +#endif | |
906 | +#else | |
907 | entry = create_proc_entry("ioports", 0, NULL); | |
908 | +#endif | |
909 | if (entry) | |
910 | entry->proc_fops = &proc_ioports_operations; | |
911 | + | |
912 | +#ifdef CONFIG_GRKERNSEC_PROC_ADD | |
913 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
914 | + entry = create_proc_entry("iomem", S_IRUSR, NULL); | |
17bffd3d | 915 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
0dca9e73 JR |
916 | + entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL); |
917 | +#endif | |
918 | +#else | |
919 | entry = create_proc_entry("iomem", 0, NULL); | |
920 | +#endif | |
921 | if (entry) | |
922 | entry->proc_fops = &proc_iomem_operations; | |
923 | return 0; | |
9e282013 | 924 | diff -urNp linux-2.6.25.orig/kernel/sysctl.c linux-2.6.25/kernel/sysctl.c |
925 | --- linux-2.6.25.orig/kernel/sysctl.c 2008-04-25 15:09:12.000000000 +0200 | |
926 | +++ linux-2.6.25/kernel/sysctl.c 2008-04-25 15:10:25.000000000 +0200 | |
f4615840 | 927 | @@ -58,6 +58,11 @@ |
928 | static int deprecated_sysctl_warning(struct __sysctl_args *args); | |
177d642c JR |
929 | |
930 | #if defined(CONFIG_SYSCTL) | |
931 | +#include <linux/grsecurity.h> | |
932 | +#include <linux/grinternal.h> | |
933 | + | |
934 | +extern int gr_handle_sysctl_mod(const char *dirname, const char *name, | |
935 | + const int op); | |
936 | ||
937 | /* External variables not in a header file. */ | |
938 | extern int C_A_D; | |
9e282013 | 939 | @@ -157,6 +162,7 @@ static int proc_do_cad_pid(struct ctl_ta |
f4615840 | 940 | static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp, |
941 | void __user *buffer, size_t *lenp, loff_t *ppos); | |
177d642c JR |
942 | #endif |
943 | +extern ctl_table grsecurity_table[]; | |
944 | ||
f4615840 | 945 | static struct ctl_table root_table[]; |
9e282013 | 946 | static struct ctl_table_root sysctl_table_root; |
947 | @@ -830,6 +836,14 @@ static struct ctl_table kern_table[] = { | |
f4615840 | 948 | .proc_handler = &proc_dostring, |
949 | .strategy = &sysctl_string, | |
177d642c | 950 | }, |
177d642c JR |
951 | +#if defined(CONFIG_GRKERNSEC_SYSCTL) |
952 | + { | |
f4615840 | 953 | + .ctl_name = CTL_UNNUMBERED, |
177d642c JR |
954 | + .procname = "grsecurity", |
955 | + .mode = 0500, | |
956 | + .child = grsecurity_table, | |
957 | + }, | |
958 | +#endif | |
f4615840 | 959 | /* |
960 | * NOTE: do not add new entries to this table unless you have read | |
961 | * Documentation/sysctl/ctl_unnumbered.txt | |
9e282013 | 962 | @@ -1517,6 +1531,10 @@ static int test_perm(int mode, int op) |
f4615840 | 963 | int sysctl_perm(struct ctl_table *table, int op) |
177d642c JR |
964 | { |
965 | int error; | |
82e305a8 | 966 | + if (table->parent != NULL && table->parent->procname != NULL && |
967 | + table->procname != NULL && | |
968 | + gr_handle_sysctl_mod(table->parent->procname, table->procname, op)) | |
177d642c JR |
969 | + return -EACCES; |
970 | error = security_sysctl(table, op); | |
971 | if (error) | |
972 | return error; | |
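Review bot: The lock check added to sysctl_perm only inspects `table->parent->procname`, so it covers the flat grsecurity_table this patch adds but would silently miss any entry placed one level deeper under "grsecurity" later on; walking the chain (`for (p = table->parent; p; p = p->parent)`) or passing `table` itself to gr_handle_sysctl_mod would make grsec_lock hold for nested tables as well. The four added lines run straight on from the `int error;` declaration and wrap at unusual points; a blank line after the declaration and the usual two-line `if` layout would match the rest of the file. sysctl_perm continues outside the hunk.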
9e282013 | 973 | diff -urNp linux-2.6.25.orig/net/ipv4/inet_hashtables.c linux-2.6.25/net/ipv4/inet_hashtables.c |
974 | --- linux-2.6.25.orig/net/ipv4/inet_hashtables.c 2008-04-25 15:09:05.000000000 +0200 | |
975 | +++ linux-2.6.25/net/ipv4/inet_hashtables.c 2008-04-25 15:10:25.000000000 +0200 | |
f4615840 | 976 | @@ -18,12 +18,15 @@ |
177d642c JR |
977 | #include <linux/sched.h> |
978 | #include <linux/slab.h> | |
979 | #include <linux/wait.h> | |
980 | +#include <linux/grsecurity.h> | |
981 | ||
982 | #include <net/inet_connection_sock.h> | |
983 | #include <net/inet_hashtables.h> | |
b1a7b62c | 984 | #include <net/route.h> |
177d642c JR |
985 | #include <net/ip.h> |
986 | ||
987 | +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet); | |
988 | + | |
989 | /* | |
990 | * Allocate and initialize a new local port bind bucket. | |
991 | * The bindhash mutex for snum's hash chain must be held here. | |
9e282013 | 992 | @@ -467,6 +470,8 @@ ok: |
82e305a8 | 993 | } |
994 | spin_unlock(&head->lock); | |
177d642c JR |
995 | |
996 | + gr_update_task_in_ip_table(current, inet_sk(sk)); | |
997 | + | |
82e305a8 | 998 | if (tw) { |
999 | inet_twsk_deschedule(tw, death_row); | |
1000 | inet_twsk_put(tw); | |
9e282013 | 1001 | diff -urNp linux-2.6.25.orig/net/socket.c linux-2.6.25/net/socket.c |
1002 | --- linux-2.6.25.orig/net/socket.c 2008-04-25 15:09:05.000000000 +0200 | |
1003 | +++ linux-2.6.25/net/socket.c 2008-04-25 15:10:25.000000000 +0200 | |
f4615840 | 1004 | @@ -85,6 +85,7 @@ |
177d642c | 1005 | #include <linux/audit.h> |
89fc9a43 | 1006 | #include <linux/wireless.h> |
f4615840 | 1007 | #include <linux/nsproxy.h> |
1008 | +#include <linux/in.h> | |
177d642c | 1009 | |
89fc9a43 | 1010 | #include <asm/uaccess.h> |
f4615840 | 1011 | #include <asm/unistd.h> |
1012 | @@ -98,6 +99,8 @@ | |
1013 | #include <linux/vs_inet.h> | |
1014 | #include <linux/vs_inet6.h> | |
177d642c JR |
1015 | |
1016 | +extern void gr_attach_curr_ip(const struct sock *sk); | |
f4615840 | 1017 | + |
177d642c | 1018 | static int sock_no_open(struct inode *irrelevant, struct file *dontcare); |
f4615840 | 1019 | static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov, |
1020 | unsigned long nr_segs, loff_t pos); | |
9e282013 | 1021 | @@ -1502,6 +1505,7 @@ asmlinkage long sys_accept(int fd, struc |
5aa068cb | 1022 | err = newfd; |
177d642c JR |
1023 | |
1024 | security_socket_post_accept(sock, newsock); | |
1025 | + gr_attach_curr_ip(newsock->sk); | |
1026 | ||
1027 | out_put: | |
5aa068cb | 1028 | fput_light(sock->file, fput_needed); |
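Review bot: `gr_attach_curr_ip(newsock->sk)` is reached for every accepted socket of any family, and its body (grsec_sock.c lines 681–698) filters only on `sk_protocol != IPPROTO_TCP` before reading `inet_sk(sk)->daddr`; for a native AF_INET6 TCP socket that field does not hold the peer address, so `curr_ip` would be recorded as a meaningless value, and a socket of another family that happens to carry protocol 6 would be treated as an inet_sock. Tighten the early return to `if (unlikely(sk->sk_family != AF_INET || sk->sk_protocol != IPPROTO_TCP)) return;`, handling v4-mapped v6 peers explicitly if they are meant to be covered. Note also that `set->curr_ip` is written at line 698 after gr_conn_table_lock has been dropped and that signal_struct is shared by all threads, so concurrent accept() calls in a threaded server overwrite each other's value; if a consumer expects the accepting thread's own peer, that does not hold. sys_accept begins outside the hunk.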
9e282013 | 1029 | diff -urNp linux-2.6.25.orig/security/Kconfig linux-2.6.25/security/Kconfig |
1030 | --- linux-2.6.25.orig/security/Kconfig 2008-04-25 15:09:12.000000000 +0200 | |
1031 | +++ linux-2.6.25/security/Kconfig 2008-04-25 15:10:25.000000000 +0200 | |
177d642c JR |
1032 | @@ -4,6 +4,8 @@ |
1033 | ||
1034 | menu "Security options" | |
1035 | ||
1036 | +source grsecurity/Kconfig | |
1037 | + | |
1038 | config KEYS | |
1039 | bool "Enable access key retention support" | |
1040 | help | |
9e282013 | 1041 | diff -urNp linux-2.6.25.orig/fs/proc/base.c linux-2.6.25/fs/proc/base.c |
1042 | --- linux-2.6.25.orig/fs/proc/base.c 2008-04-25 15:09:12.000000000 +0200 | |
1043 | +++ linux-2.6.25/fs/proc/base.c 2008-04-25 15:10:25.000000000 +0200 | |
1044 | @@ -1290,7 +1290,11 @@ static struct inode *proc_pid_make_inode | |
f4615840 | 1045 | inode->i_gid = 0; |
374708e5 | 1046 | if (task_dumpable(task)) { |
1047 | inode->i_uid = task->euid; | |
374708e5 | 1048 | +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP |
1049 | + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; | |
f4615840 | 1050 | +#else |
1051 | inode->i_gid = task->egid; | |
374708e5 | 1052 | +#endif |
1053 | } | |
374708e5 | 1054 | /* procfs is xid tagged */ |
1055 | inode->i_tag = (tag_t)vx_task_xid(task); | |
9e282013 | 1056 | @@ -1308,17 +1312,38 @@ static int pid_getattr(struct vfsmount * |
374708e5 | 1057 | { |
1058 | struct inode *inode = dentry->d_inode; | |
bd69be18 | 1059 | struct task_struct *task; |
374708e5 | 1060 | +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
1061 | + struct task_struct *tmp = current; | |
1062 | +#endif | |
bd69be18 JR |
1063 | + |
1064 | generic_fillattr(inode, stat); | |
374708e5 | 1065 | |
bd69be18 JR |
1066 | rcu_read_lock(); |
1067 | stat->uid = 0; | |
1068 | stat->gid = 0; | |
1069 | task = pid_task(proc_pid(inode), PIDTYPE_PID); | |
374708e5 | 1070 | - if (task) { |
1071 | + if (task | |
bd69be18 JR |
1072 | +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) |
1073 | + && (!tmp->uid || (tmp->uid == task->uid) | |
1074 | +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP | |
1075 | + || in_group_p(CONFIG_GRKERNSEC_PROC_GID) | |
1076 | +#endif | |
1077 | + ) | |
1078 | +#endif | |
f4615840 | 1079 | + ) { |
374708e5 | 1080 | if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || |
1081 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
1082 | + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || | |
1083 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) | |
1084 | + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || | |
1085 | +#endif | |
1086 | task_dumpable(task)) { | |
1087 | stat->uid = task->euid; | |
374708e5 | 1088 | +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP |
1089 | + stat->gid = CONFIG_GRKERNSEC_PROC_GID; | |
bd69be18 JR |
1090 | +#else |
1091 | stat->gid = task->egid; | |
374708e5 | 1092 | +#endif |
1093 | } | |
1094 | } | |
1095 | rcu_read_unlock(); | |
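Review bot: The visibility test added to pid_getattr compares raw uids (`!tmp->uid`, `tmp->uid == task->uid`) rather than effective/fs ids or a capability, so a uid-0 process is exempted without any capability check while a process that dropped to a non-zero uid but retained a relevant capability is treated as unprivileged; whether that is the intended policy should be stated in a comment, and a capability check is the usual kernel idiom. The same predicate is repeated with inverted sense in proc_pid_readdir (lines 1155–1159) and the two copies will drift; a single `static inline int gr_proc_task_visible(struct task_struct *task)` holding the `#ifdef` ladder once would keep both call sites in step. The `tmp = current` alias and its own `#if` block (lines 1060–1062, and again at 1144–1146) add nothing over using `current` directly. pid_getattr begins outside the hunk.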
9e282013 | 1096 | @@ -1348,9 +1373,18 @@ static int pid_revalidate(struct dentry |
bd69be18 JR |
1097 | struct task_struct *task = get_proc_task(inode); |
1098 | if (task) { | |
1099 | if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || | |
1100 | +#ifdef CONFIG_GRKERNSEC_PROC_USER | |
1101 | + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || | |
1102 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) | |
1103 | + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || | |
1104 | +#endif | |
1105 | task_dumpable(task)) { | |
1106 | inode->i_uid = task->euid; | |
1107 | +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP | |
1108 | + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; | |
1109 | +#else | |
1110 | inode->i_gid = task->egid; | |
1111 | +#endif | |
1112 | } else { | |
1113 | inode->i_uid = 0; | |
1114 | inode->i_gid = 0; | |
9e282013 | 1115 | @@ -2367,6 +2401,9 @@ static const struct pid_entry tgid_base_ |
f4615840 | 1116 | INF("io", S_IRUGO, pid_io_accounting), |
bd69be18 | 1117 | #endif |
9e282013 | 1118 | ONE("nsproxy", S_IRUGO, pid_nsproxy), |
374708e5 | 1119 | +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR |
9e282013 | 1120 | + INF("ipaddr", S_IRUSR, pid_ipaddr), |
bd69be18 JR |
1121 | +#endif |
1122 | }; | |
1123 | ||
f4615840 | 1124 | static int proc_tgid_base_readdir(struct file * filp, |
9e282013 | 1125 | @@ -2496,7 +2533,14 @@ static struct dentry *proc_pid_instantia |
374708e5 | 1126 | if (!inode) |
bd69be18 | 1127 | goto out; |
f4615840 | 1128 | |
374708e5 | 1129 | +#ifdef CONFIG_GRKERNSEC_PROC_USER |
1130 | + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; | |
1131 | +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) | |
1132 | + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; | |
bd69be18 | 1133 | + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP; |
374708e5 | 1134 | +#else |
1135 | inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; | |
1136 | +#endif | |
f4615840 | 1137 | inode->i_op = &proc_tgid_base_inode_operations; |
1138 | inode->i_fop = &proc_tgid_base_operations; | |
374708e5 | 1139 | inode->i_flags|=S_IMMUTABLE; |
9e282013 | 1140 | @@ -2604,6 +2648,9 @@ int proc_pid_readdir(struct file * filp, |
374708e5 | 1141 | { |
f4615840 | 1142 | unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; |
1143 | struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode); | |
1144 | +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) | |
1145 | + struct task_struct *tmp = current; | |
374708e5 | 1146 | +#endif |
f4615840 | 1147 | struct tgid_iter iter; |
1148 | struct pid_namespace *ns; | |
374708e5 | 1149 | |
9e282013 | 1150 | @@ -2622,6 +2669,15 @@ int proc_pid_readdir(struct file * filp, |
f4615840 | 1151 | for (iter = next_tgid(ns, iter); |
1152 | iter.task; | |
1153 | iter.tgid += 1, iter = next_tgid(ns, iter)) { | |
1154 | +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) | |
1155 | + if (tmp->uid && (iter.task->uid != tmp->uid) | |
1156 | +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP | |
1157 | + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) | |
1158 | +#endif | |
1159 | + ) | |
1160 | +#endif | |
1161 | + continue; | |
1162 | + | |
1163 | filp->f_pos = iter.tgid + TGID_OFFSET; | |
1164 | if (!vx_proc_task_visible(iter.task)) | |
1165 | continue; |
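Review bot: The `continue;` at line 1161 sits outside the `#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` block, so when neither option is set it becomes an unconditional `continue` at the top of the loop and proc_pid_readdir lists no processes at all; unless Kconfig (not in this chunk) guarantees one of the two is set whenever this code is built, move it inside the block, i.e. `) continue;` before the `#endif` at line 1160. Even with one of the options set, a blank line between the `#endif` and the following `filp->f_pos` assignment is the only thing separating the conditional from the statement it guards, which is easy to misread; keeping the whole `if (...) continue;` inside one preprocessor block fixes both. proc_pid_readdir begins outside the hunk.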