e6a87675 JR |
1 | diff -urN linux-2.4.22/Documentation/Configure.help linux-2.4.22-grsec/Documentation/Configure.help |
2 | --- linux-2.4.22/Documentation/Configure.help 2003-10-09 18:47:38.000000000 +0200 | |
3 | +++ linux-2.4.22-grsec/Documentation/Configure.help 2003-10-09 19:13:26.000000000 +0200 | |
4 | @@ -2977,6 +2977,20 @@ | |
5 | If you want to compile it as a module, say M here and read | |
6 | Documentation/modules.txt. If unsure, say `N'. | |
7 | ||
8 | +stealth networking support | |
9 | +CONFIG_IP_NF_MATCH_STEALTH | |
10 | + Enabling this option will drop all syn packets coming to unserved tcp | |
11 | + ports as well as all packets coming to unserved udp ports. If you | |
12 | + are using your system to route any type of packets (ie. via NAT) | |
13 | + you should put this module at the end of your ruleset, since it will | |
14 | + drop packets that aren't going to ports that are listening on your | |
15 | + machine itself, it doesn't take into account that the packet might be | |
16 | + destined for someone on your internal network if you're using NAT for | |
17 | + instance. | |
18 | + | |
19 | + If you want to compile it as a module, say M here and read | |
20 | + Documentation/modules.txt. If unsure, say `N'. | |
21 | + | |
22 | MAC address match support | |
23 | CONFIG_IP_NF_MATCH_MAC | |
24 | MAC matching allows you to match packets based on the source | |
4fa954ff | 25 | @@ -23554,6 +23568,233 @@ |
e6a87675 JR |
26 | |
27 | "Area6" will work for most boards. For ADX, select "Area5". | |
28 | ||
29 | +Grsecurity | |
30 | +CONFIG_GRKERNSEC | |
31 | + If you say Y here, you will be able to configure many features that | |
32 | + will enhance the security of your system. It is highly recommended | |
33 | + that you say Y here and read through the help for each option so | |
34 | + you fully understand the features and can evaluate their usefulness | |
35 | + for your machine. | |
36 | + | |
37 | +/proc/<pid>/ipaddr support | |
38 | +CONFIG_GRKERNSEC_PROC_IPADDR | |
39 | + If you say Y here, a new entry will be added to each /proc/<pid> | |
40 | + directory that contains the IP address of the person using the task. | |
41 | + The IP is carried across local TCP and AF_UNIX stream sockets. | |
42 | + This information can be useful for IDS/IPSes to perform remote response | |
43 | + to a local attack. The entry is readable by only the owner of the | |
44 | + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via | |
45 | + the RBAC system), and thus does not create privacy concerns. | |
46 | + | |
47 | +Deny access to abstract AF_UNIX sockets out of chroot | |
48 | +CONFIG_GRKERNSEC_CHROOT_UNIX | |
49 | + If you say Y here, processes inside a chroot will not be able to | |
50 | + connect to abstract (meaning not belonging to a filesystem) Unix | |
51 | + domain sockets that were bound outside of a chroot. It is recommended | |
52 | + that you say Y here. If the sysctl option is enabled, a sysctl option | |
53 | + with name "chroot_deny_unix" is created. | |
54 | + | |
55 | +Deny shmat() out of chroot | |
56 | +CONFIG_GRKERNSEC_CHROOT_SHMAT | |
57 | + If you say Y here, processes inside a chroot will not be able to attach | |
58 | + to shared memory segments that were created outside of the chroot jail. | |
59 | + It is recommended that you say Y here. If the sysctl option is enabled, | |
60 | + a sysctl option with name "chroot_deny_shmat" is created. | |
61 | + | |
62 | +Protect outside processes | |
63 | +CONFIG_GRKERNSEC_CHROOT_FINDTASK | |
64 | + If you say Y here, processes inside a chroot will not be able to | |
65 | + kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, | |
66 | + getsid, or view any process outside of the chroot. If the sysctl | |
67 | + option is enabled, a sysctl option with name "chroot_findtask" is | |
68 | + created. | |
69 | + | |
70 | +Deny mounts in chroot | |
71 | +CONFIG_GRKERNSEC_CHROOT_MOUNT | |
72 | + If you say Y here, processes inside a chroot will not be able to | |
73 | + mount or remount filesystems. If the sysctl option is enabled, a | |
74 | + sysctl option with name "chroot_deny_mount" is created. | |
75 | + | |
76 | +Deny pivot_root in chroot | |
77 | +CONFIG_GRKERNSEC_CHROOT_PIVOT | |
78 | + If you say Y here, processes inside a chroot will not be able to use | |
79 | + a function called pivot_root() that was introduced in Linux 2.3.41. It | |
80 | + works similar to chroot in that it changes the root filesystem. This | |
81 | + function could be misused in a chrooted process to attempt to break out | |
82 | + of the chroot, and therefore should not be allowed. If the sysctl | |
83 | + option is enabled, a sysctl option with name "chroot_deny_pivot" is | |
84 | + created. | |
85 | + | |
86 | +Deny double-chroots | |
87 | +CONFIG_GRKERNSEC_CHROOT_DOUBLE | |
88 | + If you say Y here, processes inside a chroot will not be able to chroot | |
89 | + again. This is a widely used method of breaking out of a chroot jail | |
90 | + and should not be allowed. If the sysctl option is enabled, a sysctl | |
91 | + option with name "chroot_deny_chroot" is created. | |
92 | + | |
93 | +Deny fchdir outside of chroot | |
94 | +CONFIG_GRKERNSEC_CHROOT_FCHDIR | |
95 | + If you say Y here, a well-known method of breaking chroots by fchdir'ing | |
96 | + to a file descriptor of the chrooting process that points to a directory | |
97 | + outside the filesystem will be stopped. If the sysctl option | |
98 | + is enabled, a sysctl option with name "chroot_deny_fchdir" is created. | |
99 | + | |
100 | +Enforce chdir("/") on all chroots | |
101 | +CONFIG_GRKERNSEC_CHROOT_CHDIR | |
102 | + If you say Y here, the current working directory of all newly-chrooted | |
103 | + applications will be set to the the root directory of the chroot. | |
104 | + The man page on chroot(2) states: | |
105 | + Note that this call does not change the current working | |
106 | + directory, so that `.' can be outside the tree rooted at | |
107 | + `/'. In particular, the super-user can escape from a | |
108 | + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. | |
109 | + | |
110 | + It is recommended that you say Y here, since it's not known to break | |
111 | + any software. If the sysctl option is enabled, a sysctl option with | |
112 | + name "chroot_enforce_chdir" is created. | |
113 | + | |
114 | +Deny (f)chmod +s in chroot | |
115 | +CONFIG_GRKERNSEC_CHROOT_CHMOD | |
116 | + If you say Y here, processes inside a chroot will not be able to chmod | |
117 | + or fchmod files to make them have suid or sgid bits. This protects | |
118 | + against another published method of breaking a chroot. If the sysctl | |
119 | + option is enabled, a sysctl option with name "chroot_deny_chmod" is | |
120 | + created. | |
121 | + | |
122 | +Deny mknod in chroot | |
123 | +CONFIG_GRKERNSEC_CHROOT_MKNOD | |
124 | + If you say Y here, processes inside a chroot will not be allowed to | |
125 | + mknod. The problem with using mknod inside a chroot is that it | |
126 | + would allow an attacker to create a device entry that is the same | |
127 | + as one on the physical root of your system, which could range from | |
128 | + anything from the console device to a device for your harddrive (which | |
129 | + they could then use to wipe the drive or steal data). It is recommended | |
130 | + that you say Y here, unless you run into software incompatibilities. | |
131 | + If the sysctl option is enabled, a sysctl option with name | |
132 | + "chroot_deny_mknod" is created. | |
133 | + | |
134 | +Restrict priority changes in chroot | |
135 | +CONFIG_GRKERNSEC_CHROOT_NICE | |
136 | + If you say Y here, processes inside a chroot will not be able to raise | |
137 | + the priority of processes in the chroot, or alter the priority of | |
138 | + processes outside the chroot. This provides more security than simply | |
139 | + removing CAP_SYS_NICE from the process' capability set. If the | |
140 | + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" | |
141 | + is created. | |
142 | + | |
143 | +Log all execs within chroot | |
144 | +CONFIG_GRKERNSEC_CHROOT_EXECLOG | |
145 | + If you say Y here, all executions inside a chroot jail will be logged | |
146 | + to syslog. This can cause a large amount of logs if certain | |
147 | + applications (eg. djb's daemontools) are installed on the system, and | |
148 | + is therefore left as an option. If the sysctl option is enabled, a | |
149 | + sysctl option with name "chroot_execlog" is created. | |
150 | + | |
151 | +Deny sysctl writes in chroot | |
152 | +CONFIG_GRKERNSEC_CHROOT_SYSCTL | |
153 | + If you say Y here, an attacker in a chroot will not be able to | |
154 | + write to sysctl entries, either by sysctl(2) or through a /proc | |
155 | + interface. It is strongly recommended that you say Y here. If the | |
156 | + sysctl option is enabled, a sysctl option with name | |
157 | + "chroot_deny_sysctl" is created. | |
158 | + | |
159 | +Chroot jail capability restrictions | |
160 | +CONFIG_GRKERNSEC_CHROOT_CAPS | |
161 | + If you say Y here, the capabilities on all root processes within a | |
162 | + chroot jail will be lowered to stop module insertion, raw i/o, | |
163 | + system and net admin tasks, rebooting the system, modifying immutable | |
164 | + files, modifying IPC owned by another, and changing the system time. | |
165 | + This is left an option because it can break some apps. Disable this | |
166 | + if your chrooted apps are having problems performing those kinds of | |
167 | + tasks. If the sysctl option is enabled, a sysctl option with | |
168 | + name "chroot_caps" is created. | |
4fa954ff JR |
169 | + |
170 | +Trusted path execution | |
171 | +CONFIG_GRKERNSEC_TPE | |
172 | + If you say Y here, you will be able to choose a gid to add to the | |
173 | + supplementary groups of users you want to mark as "untrusted." | |
174 | + These users will not be able to execute any files that are not in | |
175 | + root-owned directories writable only by root. If the sysctl option | |
176 | + is enabled, a sysctl option with name "tpe" is created. | |
177 | + | |
178 | +Group for trusted path execution | |
179 | +CONFIG_GRKERNSEC_TPE_GID | |
180 | + Here you can choose the GID to enable trusted path protection for. | |
181 | + Remember to add the users you want protection enabled for to the GID | |
182 | + specified here. If the sysctl option is enabled, whatever you choose | |
183 | + here won't matter. You'll have to specify the GID in your bootup | |
184 | + script by echoing the GID to the proper /proc entry. View the help | |
185 | + on the sysctl option for more information. If the sysctl option is | |
186 | + enabled, a sysctl option with name "tpe_gid" is created. | |
187 | + | |
188 | +Partially restrict non-root users | |
189 | +CONFIG_GRKERNSEC_TPE_ALL | |
190 | + If you say Y here, All non-root users other than the ones in the | |
191 | + group specified in the main TPE option will only be allowed to | |
192 | + execute files in directories they own that are not group or | |
193 | + world-writable, or in directories owned by root and writable only by | |
194 | + root. If the sysctl option is enabled, a sysctl option with name | |
195 | + "tpe_restrict_all" is created. | |
196 | + | |
197 | +Socket restrictions | |
198 | +CONFIG_GRKERNSEC_SOCKET | |
199 | + If you say Y here, you will be able to choose from several options. | |
200 | + If you assign a GID on your system and add it to the supplementary | |
201 | + groups of users you want to restrict socket access to, this patch | |
202 | + will perform up to three things, based on the option(s) you choose. | |
203 | + | |
204 | +Deny all socket access | |
205 | +CONFIG_GRKERNSEC_SOCKET_ALL | |
206 | + If you say Y here, you will be able to choose a GID of whose users will | |
207 | + be unable to connect to other hosts from your machine or run server | |
208 | + applications from your machine. If the sysctl option is enabled, a | |
209 | + sysctl option with name "socket_all" is created. | |
210 | + | |
211 | +Group for disabled socket access | |
212 | +CONFIG_GRKERNSEC_SOCKET_ALL_GID | |
213 | + Here you can choose the GID to disable socket access for. Remember to | |
214 | + add the users you want socket access disabled for to the GID | |
215 | + specified here. If the sysctl option is enabled, whatever you choose | |
216 | + here won't matter. You'll have to specify the GID in your bootup | |
217 | + script by echoing the GID to the proper /proc entry. View the help | |
218 | + on the sysctl option for more information. If the sysctl option is | |
219 | + enabled, a sysctl option with name "socket_all_gid" is created. | |
220 | + | |
221 | +Deny all client socket access | |
222 | +CONFIG_GRKERNSEC_SOCKET_CLIENT | |
223 | + If you say Y here, you will be able to choose a GID of whose users will | |
224 | + be unable to connect to other hosts from your machine, but will be | |
225 | + able to run servers. If this option is enabled, all users in the group | |
226 | + you specify will have to use passive mode when initiating ftp transfers | |
227 | + from the shell on your machine. If the sysctl option is enabled, a | |
228 | + sysctl option with name "socket_client" is created. | |
229 | + | |
230 | +Group for disabled client socket access | |
231 | +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID | |
232 | + Here you can choose the GID to disable client socket access for. | |
233 | + Remember to add the users you want client socket access disabled for to | |
234 | + the GID specified here. If the sysctl option is enabled, whatever you | |
235 | + choose here won't matter. You'll have to specify the GID in your bootup | |
236 | + script by echoing the GID to the proper /proc entry. View the help | |
237 | + on the sysctl option for more information. If the sysctl option is | |
238 | + enabled, a sysctl option with name "socket_client_gid" is created. | |
239 | + | |
240 | +Deny all server socket access | |
241 | +CONFIG_GRKERNSEC_SOCKET_SERVER | |
242 | + If you say Y here, you will be able to choose a GID of whose users will | |
243 | + be unable to run server applications from your machine. If the sysctl | |
244 | + option is enabled, a sysctl option with name "socket_server" is created. | |
245 | + | |
246 | +Group for disabled server socket access | |
247 | +CONFIG_GRKERNSEC_SOCKET_SERVER_GID | |
248 | + Here you can choose the GID to disable server socket access for. | |
249 | + Remember to add the users you want server socket access disabled for to | |
250 | + the GID specified here. If the sysctl option is enabled, whatever you | |
251 | + choose here won't matter. You'll have to specify the GID in your bootup | |
252 | + script by echoing the GID to the proper /proc entry. View the help | |
253 | + on the sysctl option for more information. If the sysctl option is | |
254 | + enabled, a sysctl option with name "socket_server_gid" is created. | |
e6a87675 JR |
255 | + |
256 | Disable data cache | |
257 | CONFIG_DCACHE_DISABLE | |
258 | This option allows you to run the kernel with data cache disabled. | |
259 | diff -urN linux-2.4.22/Makefile linux-2.4.22-grsec/Makefile | |
260 | --- linux-2.4.22/Makefile 2003-10-09 18:47:38.000000000 +0200 | |
261 | +++ linux-2.4.22-grsec/Makefile 2003-10-09 19:13:26.000000000 +0200 | |
262 | @@ -134,9 +134,10 @@ | |
263 | ||
264 | CORE_FILES =kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o | |
265 | NETWORKS =net/network.o | |
266 | +GRSECURITY =grsecurity/grsec.o | |
267 | ||
268 | LIBS =$(TOPDIR)/lib/lib.a | |
269 | -SUBDIRS =kernel drivers mm fs net ipc lib crypto | |
270 | +SUBDIRS =kernel drivers mm fs net ipc lib crypto grsecurity | |
271 | ||
272 | DRIVERS-n := | |
273 | DRIVERS-y := | |
274 | @@ -279,7 +280,7 @@ | |
275 | ||
276 | export CPPFLAGS CFLAGS CFLAGS_KERNEL AFLAGS AFLAGS_KERNEL | |
277 | ||
278 | -export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS | |
279 | +export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS GRSECURITY | |
280 | ||
281 | .S.s: | |
282 | $(CPP) $(AFLAGS) $(AFLAGS_KERNEL) -traditional -o $*.s $< | |
283 | @@ -298,6 +299,7 @@ | |
284 | $(CORE_FILES) \ | |
285 | $(DRIVERS) \ | |
286 | $(NETWORKS) \ | |
287 | + $(GRSECURITY) \ | |
288 | $(LIBS) \ | |
289 | --end-group \ | |
290 | -o vmlinux | |
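Review bot: `GRSECURITY =grsecurity/grsec.o` and the new `grsecurity` entry in SUBDIRS are unconditional, while every arch config.in in this patch only sources grsecurity/Config.in when CONFIG_GRKERNSEC=y, so a kernel built with the option off still descends into grsecurity/ and links grsec.o into vmlinux. That is only safe if grsecurity/Makefile (not in this view) always emits an object, possibly an empty one; otherwise the link fails for the default configuration. The same Makefile already uses the `DRIVERS-y`/`DRIVERS-n` pattern a few lines below, so a `GRSECURITY-$(CONFIG_GRKERNSEC) := grsecurity/grsec.o` style definition, with a matching gate on the SUBDIRS entry, would make the dependency explicit instead of relying on an empty object.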
291 | diff -urN linux-2.4.22/arch/alpha/config.in linux-2.4.22-grsec/arch/alpha/config.in | |
292 | --- linux-2.4.22/arch/alpha/config.in 2003-08-25 13:44:39.000000000 +0200 | |
293 | +++ linux-2.4.22-grsec/arch/alpha/config.in 2003-10-09 19:13:26.000000000 +0200 | |
294 | @@ -457,3 +457,12 @@ | |
295 | ||
296 | source crypto/Config.in | |
297 | source lib/Config.in | |
298 | + | |
299 | +mainmenu_option next_comment | |
300 | +comment 'Grsecurity' | |
301 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
302 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
303 | + source grsecurity/Config.in | |
304 | +fi | |
305 | +endmenu | |
306 | + | |
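Review bot: The same seven-line menu wrapper is pasted verbatim into every arch config.in in this patch (alpha here, then arm, cris, i386, ia64, m68k, mips, mips64, parisc, ppc, s390, s390x, sh, sparc and sparc64), and the copies already drift: alpha, cris, ia64 and ppc add a trailing blank line, the others do not. Moving `mainmenu_option next_comment`, `comment 'Grsecurity'`, `bool 'Grsecurity' CONFIG_GRKERNSEC` and the closing `endmenu` into grsecurity/Config.in would leave each arch with a single `source grsecurity/Config.in` line and one place to maintain when options are added. The generated configuration is the same either way, so this is a style point only.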
307 | diff -urN linux-2.4.22/arch/arm/config.in linux-2.4.22-grsec/arch/arm/config.in | |
308 | --- linux-2.4.22/arch/arm/config.in 2003-08-25 13:44:39.000000000 +0200 | |
309 | +++ linux-2.4.22-grsec/arch/arm/config.in 2003-10-09 19:13:26.000000000 +0200 | |
310 | @@ -734,3 +734,11 @@ | |
311 | ||
312 | source crypto/Config.in | |
313 | source lib/Config.in | |
314 | + | |
315 | +mainmenu_option next_comment | |
316 | +comment 'Grsecurity' | |
317 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
318 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
319 | + source grsecurity/Config.in | |
320 | +fi | |
321 | +endmenu | |
322 | diff -urN linux-2.4.22/arch/cris/config.in linux-2.4.22-grsec/arch/cris/config.in | |
323 | --- linux-2.4.22/arch/cris/config.in 2003-08-25 13:44:39.000000000 +0200 | |
324 | +++ linux-2.4.22-grsec/arch/cris/config.in 2003-10-09 19:13:26.000000000 +0200 | |
325 | @@ -275,3 +275,12 @@ | |
326 | source crypto/Config.in | |
327 | source lib/Config.in | |
328 | endmenu | |
329 | + | |
330 | +mainmenu_option next_comment | |
331 | +comment 'Grsecurity' | |
332 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
333 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
334 | + source grsecurity/Config.in | |
335 | +fi | |
336 | +endmenu | |
337 | + | |
338 | diff -urN linux-2.4.22/arch/i386/config.in linux-2.4.22-grsec/arch/i386/config.in | |
339 | --- linux-2.4.22/arch/i386/config.in 2003-10-09 18:47:37.000000000 +0200 | |
340 | +++ linux-2.4.22-grsec/arch/i386/config.in 2003-10-09 19:13:26.000000000 +0200 | |
341 | @@ -502,3 +502,11 @@ | |
342 | ||
343 | source crypto/Config.in | |
344 | source lib/Config.in | |
345 | + | |
346 | +mainmenu_option next_comment | |
347 | +comment 'Grsecurity' | |
348 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
349 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
350 | + source grsecurity/Config.in | |
351 | +fi | |
352 | +endmenu | |
353 | diff -urN linux-2.4.22/arch/ia64/config.in linux-2.4.22-grsec/arch/ia64/config.in | |
354 | --- linux-2.4.22/arch/ia64/config.in 2003-08-25 13:44:39.000000000 +0200 | |
355 | +++ linux-2.4.22-grsec/arch/ia64/config.in 2003-10-09 19:13:26.000000000 +0200 | |
356 | @@ -291,3 +291,12 @@ | |
357 | fi | |
358 | ||
359 | endmenu | |
360 | + | |
361 | +mainmenu_option next_comment | |
362 | +comment 'Grsecurity' | |
363 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
364 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
365 | + source grsecurity/Config.in | |
366 | +fi | |
367 | +endmenu | |
368 | + | |
369 | diff -urN linux-2.4.22/arch/m68k/config.in linux-2.4.22-grsec/arch/m68k/config.in | |
370 | --- linux-2.4.22/arch/m68k/config.in 2003-08-25 13:44:39.000000000 +0200 | |
371 | +++ linux-2.4.22-grsec/arch/m68k/config.in 2003-10-09 19:13:26.000000000 +0200 | |
372 | @@ -564,3 +564,11 @@ | |
373 | ||
374 | source crypto/Config.in | |
375 | source lib/Config.in | |
376 | + | |
377 | +mainmenu_option next_comment | |
378 | +comment 'Grsecurity' | |
379 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
380 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
381 | + source grsecurity/Config.in | |
382 | +fi | |
383 | +endmenu | |
384 | diff -urN linux-2.4.22/arch/mips/config.in linux-2.4.22-grsec/arch/mips/config.in | |
385 | --- linux-2.4.22/arch/mips/config.in 2002-11-29 00:53:09.000000000 +0100 | |
386 | +++ linux-2.4.22-grsec/arch/mips/config.in 2003-10-09 19:13:26.000000000 +0200 | |
387 | @@ -7,3 +7,11 @@ | |
388 | define_bool CONFIG_MIPS64 n | |
389 | ||
390 | source arch/mips/config-shared.in | |
391 | + | |
392 | +mainmenu_option next_comment | |
393 | +comment 'Grsecurity' | |
394 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
395 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
396 | + source grsecurity/Config.in | |
397 | +fi | |
398 | +endmenu | |
399 | diff -urN linux-2.4.22/arch/mips64/config.in linux-2.4.22-grsec/arch/mips64/config.in | |
400 | --- linux-2.4.22/arch/mips64/config.in 2002-11-29 00:53:10.000000000 +0100 | |
401 | +++ linux-2.4.22-grsec/arch/mips64/config.in 2003-10-09 19:13:26.000000000 +0200 | |
402 | @@ -7,3 +7,11 @@ | |
403 | define_bool CONFIG_MIPS64 y | |
404 | ||
405 | source arch/mips/config-shared.in | |
406 | + | |
407 | +mainmenu_option next_comment | |
408 | +comment 'Grsecurity' | |
409 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
410 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
411 | + source grsecurity/Config.in | |
412 | +fi | |
413 | +endmenu | |
414 | diff -urN linux-2.4.22/arch/parisc/config.in linux-2.4.22-grsec/arch/parisc/config.in | |
415 | --- linux-2.4.22/arch/parisc/config.in 2003-08-25 13:44:40.000000000 +0200 | |
416 | +++ linux-2.4.22-grsec/arch/parisc/config.in 2003-10-09 19:13:26.000000000 +0200 | |
417 | @@ -198,3 +198,11 @@ | |
418 | ||
419 | source crypto/Config.in | |
420 | source lib/Config.in | |
421 | + | |
422 | +mainmenu_option next_comment | |
423 | +comment 'Grsecurity' | |
424 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
425 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
426 | + source grsecurity/Config.in | |
427 | +fi | |
428 | +endmenu | |
429 | diff -urN linux-2.4.22/arch/parisc/kernel/sys_parisc32.c linux-2.4.22/arch/parisc/kernel/sys_parisc32.c | |
430 | --- linux-2.4.22/arch/parisc/kernel/sys_parisc32.c 2003-09-01 22:19:44.000000000 -0400 | |
431 | +++ linux-2.4.22/arch/parisc/kernel/sys_parisc32.c 2003-09-02 19:29:41.000000000 -0400 | |
432 | @@ -50,6 +50,7 @@ | |
433 | #include <linux/highmem.h> | |
434 | #include <linux/highuid.h> | |
435 | #include <linux/mman.h> | |
436 | +#include <linux/grsecurity.h> | |
437 | ||
438 | #include <asm/types.h> | |
439 | #include <asm/uaccess.h> | |
440 | @@ -177,6 +178,9 @@ | |
441 | struct file *file; | |
442 | int retval; | |
443 | int i; | |
444 | +#ifdef CONFIG_GRKERNSEC | |
445 | + struct file *old_exec_file; | |
446 | +#endif | |
447 | ||
448 | file = open_exec(filename); | |
449 | ||
4fa954ff JR |
450 | @@ -209,6 +234,13 @@ |
451 | if (retval < 0) | |
452 | goto out; | |
453 | ||
454 | +#ifdef CONFIG_GRKERNSEC | |
455 | + if (!gr_tpe_allow(file)) { | |
456 | + retval = -EACCES; | |
457 | + goto out; | |
458 | + } | |
459 | +#endif | |
460 | + | |
461 | retval = copy_strings_kernel(1, &bprm.filename, &bprm); | |
462 | if (retval < 0) | |
463 | goto out; | |
e6a87675 JR |
464 | @@ -222,11 +260,26 @@ |
465 | if (retval < 0) | |
466 | goto out; | |
467 | ||
468 | +#ifdef CONFIG_GRKERNSEC | |
469 | + old_exec_file = current->exec_file; | |
470 | + get_file(file); | |
471 | + current->exec_file = file; | |
472 | +#endif | |
473 | + | |
474 | retval = search_binary_handler(&bprm,regs); | |
475 | - if (retval >= 0) | |
476 | + if (retval >= 0) { | |
477 | +#ifdef CONFIG_GRKERNSEC | |
478 | + if (old_exec_file) | |
479 | + fput(old_exec_file); | |
480 | +#endif | |
481 | /* execve success */ | |
482 | return retval; | |
483 | + } | |
484 | ||
485 | +#ifdef CONFIG_GRKERNSEC | |
486 | + fput(current->exec_file); | |
487 | + current->exec_file = old_exec_file; | |
488 | +#endif | |
489 | out: | |
490 | /* Something went wrong, return the inode and free the argument pages*/ | |
491 | allow_write_access(bprm.file); | |
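Review bot: The 32-bit execve path here gets the `gr_tpe_allow()` check and the exec_file bookkeeping, but not the `gr_log_chroot_exec()` call that fs/exec.c's do_execve receives in this same patch, so with CONFIG_GRKERNSEC_CHROOT_EXECLOG enabled a chrooted process can run binaries through the compat entry point without producing a log line; arch/sparc64/kernel/sys_sparc32.c has the same gap. Adding `gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);` under `#ifdef CONFIG_GRKERNSEC` at the point matching fs/exec.c (after `bprm.exec = bprm.p;`, before the envp copy) keeps the two paths equivalent. Separately, `current->exec_file` is pointed at the file open_exec() returned before search_binary_handler() runs, so when a binfmt handler substitutes an interpreter the field still names the original script; if that is the intended meaning of exec_file, a comment at the assignment saying so would save the next reader the question. The file header also names `linux-2.4.22/` on both sides with timestamps in a different zone from every other section, which suggests this piece was generated from another tree and is worth regenerating so the patch is uniform. The enclosing function starts and ends outside these hunks.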
492 | diff -urN linux-2.4.22/arch/ppc/config.in linux-2.4.22-grsec/arch/ppc/config.in | |
493 | --- linux-2.4.22/arch/ppc/config.in 2003-08-25 13:44:40.000000000 +0200 | |
494 | +++ linux-2.4.22-grsec/arch/ppc/config.in 2003-10-09 19:13:26.000000000 +0200 | |
495 | @@ -488,3 +488,12 @@ | |
496 | bool 'Support for early boot texts over serial port' CONFIG_SERIAL_TEXT_DEBUG | |
497 | fi | |
498 | endmenu | |
499 | + | |
500 | +mainmenu_option next_comment | |
501 | +comment 'Grsecurity' | |
502 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
503 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
504 | + source grsecurity/Config.in | |
505 | +fi | |
506 | +endmenu | |
507 | + | |
508 | diff -urN linux-2.4.22/arch/s390/config.in linux-2.4.22-grsec/arch/s390/config.in | |
509 | --- linux-2.4.22/arch/s390/config.in 2003-08-25 13:44:40.000000000 +0200 | |
510 | +++ linux-2.4.22-grsec/arch/s390/config.in 2003-10-09 19:13:26.000000000 +0200 | |
511 | @@ -81,3 +81,11 @@ | |
512 | ||
513 | source crypto/Config.in | |
514 | source lib/Config.in | |
515 | + | |
516 | +mainmenu_option next_comment | |
517 | +comment 'Grsecurity' | |
518 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
519 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
520 | + source grsecurity/Config.in | |
521 | +fi | |
522 | +endmenu | |
523 | diff -urN linux-2.4.22/arch/s390x/config.in linux-2.4.22-grsec/arch/s390x/config.in | |
524 | --- linux-2.4.22/arch/s390x/config.in 2003-08-25 13:44:40.000000000 +0200 | |
525 | +++ linux-2.4.22-grsec/arch/s390x/config.in 2003-10-09 19:13:26.000000000 +0200 | |
526 | @@ -85,3 +85,11 @@ | |
527 | ||
528 | source crypto/Config.in | |
529 | source lib/Config.in | |
530 | + | |
531 | +mainmenu_option next_comment | |
532 | +comment 'Grsecurity' | |
533 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
534 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
535 | + source grsecurity/Config.in | |
536 | +fi | |
537 | +endmenu | |
538 | diff -urN linux-2.4.22/arch/sh/config.in linux-2.4.22-grsec/arch/sh/config.in | |
539 | --- linux-2.4.22/arch/sh/config.in 2003-08-25 13:44:40.000000000 +0200 | |
540 | +++ linux-2.4.22-grsec/arch/sh/config.in 2003-10-09 19:13:26.000000000 +0200 | |
541 | @@ -469,3 +469,11 @@ | |
542 | ||
543 | source crypto/Config.in | |
544 | source lib/Config.in | |
545 | + | |
546 | +mainmenu_option next_comment | |
547 | +comment 'Grsecurity' | |
548 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
549 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
550 | + source grsecurity/Config.in | |
551 | +fi | |
552 | +endmenu | |
553 | diff -urN linux-2.4.22/arch/sparc/boot/Makefile linux-2.4.22-grsec/arch/sparc/boot/Makefile | |
554 | --- linux-2.4.22/arch/sparc/boot/Makefile 2002-08-03 02:39:43.000000000 +0200 | |
555 | +++ linux-2.4.22-grsec/arch/sparc/boot/Makefile 2003-10-09 19:13:26.000000000 +0200 | |
556 | @@ -24,7 +24,7 @@ | |
557 | ||
558 | BTOBJS := $(HEAD) init/main.o init/version.o init/do_mounts.o | |
559 | BTLIBS := $(CORE_FILES_NO_BTFIX) $(FILESYSTEMS) \ | |
560 | - $(DRIVERS) $(NETWORKS) | |
561 | + $(DRIVERS) $(NETWORKS) $(GRSECURITY) | |
562 | ||
563 | # I wanted to make this depend upon BTOBJS so that a parallel | |
564 | # build would work, but this fails because $(HEAD) cannot work | |
565 | diff -urN linux-2.4.22/arch/sparc/config.in linux-2.4.22-grsec/arch/sparc/config.in | |
566 | --- linux-2.4.22/arch/sparc/config.in 2003-08-25 13:44:40.000000000 +0200 | |
567 | +++ linux-2.4.22-grsec/arch/sparc/config.in 2003-10-09 19:13:26.000000000 +0200 | |
568 | @@ -277,3 +277,11 @@ | |
569 | ||
570 | source crypto/Config.in | |
571 | source lib/Config.in | |
572 | + | |
573 | +mainmenu_option next_comment | |
574 | +comment 'Grsecurity' | |
575 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
576 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
577 | + source grsecurity/Config.in | |
578 | +fi | |
579 | +endmenu | |
580 | diff -urN linux-2.4.22/arch/sparc64/config.in linux-2.4.22-grsec/arch/sparc64/config.in | |
581 | --- linux-2.4.22/arch/sparc64/config.in 2003-10-09 18:47:24.000000000 +0200 | |
582 | +++ linux-2.4.22-grsec/arch/sparc64/config.in 2003-10-09 19:13:26.000000000 +0200 | |
583 | @@ -312,3 +312,11 @@ | |
584 | ||
585 | source crypto/Config.in | |
586 | source lib/Config.in | |
587 | + | |
588 | +mainmenu_option next_comment | |
589 | +comment 'Grsecurity' | |
590 | +bool 'Grsecurity' CONFIG_GRKERNSEC | |
591 | +if [ "$CONFIG_GRKERNSEC" = "y" ]; then | |
592 | + source grsecurity/Config.in | |
593 | +fi | |
594 | +endmenu | |
595 | diff -urN linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c | |
596 | --- linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c 2003-09-01 22:19:37.000000000 -0400 | |
597 | +++ linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c 2003-09-02 19:29:41.000000000 -0400 | |
598 | @@ -52,6 +52,8 @@ | |
599 | #include <linux/sysctl.h> | |
600 | #include <linux/dnotify.h> | |
601 | #include <linux/netfilter_ipv4/ip_tables.h> | |
602 | +#include <linux/random.h> | |
603 | +#include <linux/grsecurity.h> | |
604 | ||
605 | #include <asm/types.h> | |
606 | #include <asm/ipc.h> | |
607 | @@ -3233,6 +3235,9 @@ | |
608 | struct file * file; | |
609 | int retval; | |
610 | int i; | |
611 | +#ifdef CONFIG_GRKERNSEC | |
612 | + struct file *old_exec_file; | |
613 | +#endif | |
614 | ||
615 | bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *); | |
616 | memset(bprm.page, 0, MAX_ARG_PAGES * sizeof(bprm.page[0])); | |
4fa954ff JR |
617 | @@ -3263,6 +3289,13 @@ |
618 | if (retval < 0) | |
619 | goto out; | |
620 | ||
621 | +#ifdef CONFIG_GRKERNSEC | |
622 | + if(!gr_tpe_allow(file)) { | |
623 | + retval = -EACCES; | |
624 | + goto out; | |
625 | + } | |
626 | +#endif | |
627 | + | |
628 | retval = copy_strings_kernel(1, &bprm.filename, &bprm); | |
629 | if (retval < 0) | |
630 | goto out; | |
e6a87675 JR |
631 | @@ -3276,11 +3315,26 @@ |
632 | if (retval < 0) | |
633 | goto out; | |
634 | ||
635 | +#ifdef CONFIG_GRKERNSEC | |
636 | + old_exec_file = current->exec_file; | |
637 | + get_file(file); | |
638 | + current->exec_file = file; | |
639 | +#endif | |
640 | + | |
641 | retval = search_binary_handler(&bprm, regs); | |
642 | - if (retval >= 0) | |
643 | + if (retval >= 0) { | |
644 | +#ifdef CONFIG_GRKERNSEC | |
645 | + if (old_exec_file) | |
646 | + fput(old_exec_file); | |
647 | +#endif | |
648 | /* execve success */ | |
649 | return retval; | |
650 | + } | |
651 | ||
652 | +#ifdef CONFIG_GRKERNSEC | |
653 | + fput(current->exec_file); | |
654 | + current->exec_file = old_exec_file; | |
655 | +#endif | |
656 | out: | |
657 | /* Something went wrong, return the inode and free the argument pages*/ | |
658 | allow_write_access(bprm.file); | |
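Review bot: `if(!gr_tpe_allow(file)) {` at the TPE check lacks the space after `if` that the parisc and fs/exec.c copies of the same block use; `if (!gr_tpe_allow(file)) {` matches kernel style and the other two sites. `#include <linux/random.h>` is added to this file but nothing in the hunks shown uses it, so it is presumably for a change outside this view; if not, drop it. The enclosing function starts and ends outside these hunks.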
659 | diff -urN linux-2.4.22/fs/exec.c linux-2.4.22-grsec/fs/exec.c | |
660 | --- linux-2.4.22/fs/exec.c 2003-10-09 18:47:38.000000000 +0200 | |
661 | +++ linux-2.4.22-grsec/fs/exec.c 2003-10-09 19:13:26.000000000 +0200 | |
662 | @@ -43,6 +43,9 @@ | |
663 | #include <asm/uaccess.h> | |
664 | #include <asm/pgalloc.h> | |
665 | #include <asm/mmu_context.h> | |
666 | +#include <linux/major.h> | |
667 | +#include <linux/random.h> | |
668 | +#include <linux/grsecurity.h> | |
669 | ||
670 | #ifdef CONFIG_KMOD | |
671 | #include <linux/kmod.h> | |
672 | @@ -780,6 +783,10 @@ | |
673 | current->suid = current->euid = current->fsuid = bprm->e_uid; | |
674 | current->sgid = current->egid = current->fsgid = bprm->e_gid; | |
675 | ||
676 | +#ifdef CONFIG_GRKERNSEC | |
677 | + gr_handle_chroot_caps(current); | |
678 | +#endif | |
679 | + | |
680 | if(do_unlock) | |
681 | unlock_kernel(); | |
682 | current->keep_capabilities = 0; | |
683 | @@ -907,6 +944,9 @@ | |
684 | struct file *file; | |
685 | int retval; | |
686 | int i; | |
687 | +#ifdef CONFIG_GRKERNSEC | |
688 | + struct file *old_exec_file; | |
689 | +#endif | |
690 | ||
691 | file = open_exec(filename); | |
692 | ||
4fa954ff JR |
693 | @@ -938,6 +999,13 @@ |
694 | if (retval < 0) | |
695 | goto out; | |
696 | ||
697 | +#ifdef CONFIG_GRKERNSEC | |
698 | + if (!gr_tpe_allow(file)) { | |
699 | + retval = -EACCES; | |
700 | + goto out; | |
701 | + } | |
702 | +#endif | |
703 | + | |
704 | retval = copy_strings_kernel(1, &bprm.filename, &bprm); | |
705 | if (retval < 0) | |
706 | goto out; | |
707 | @@ -949,6 +954,11 @@ |
708 | goto out; | |
709 | ||
710 | bprm.exec = bprm.p; | |
711 | + | |
712 | +#ifdef CONFIG_GRKERNSEC | |
713 | + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt); | |
714 | +#endif | |
715 | + | |
716 | retval = copy_strings(bprm.envc, envp, &bprm); | |
717 | if (retval < 0) | |
718 | goto out; | |
719 | @@ -951,11 +1027,26 @@ | |
720 | if (retval < 0) | |
721 | goto out; | |
722 | ||
723 | +#ifdef CONFIG_GRKERNSEC | |
724 | + old_exec_file = current->exec_file; | |
725 | + get_file(file); | |
726 | + current->exec_file = file; | |
727 | +#endif | |
728 | + | |
729 | retval = search_binary_handler(&bprm,regs); | |
730 | - if (retval >= 0) | |
731 | + if (retval >= 0) { | |
732 | +#ifdef CONFIG_GRKERNSEC | |
733 | + if (old_exec_file) | |
734 | + fput(old_exec_file); | |
735 | +#endif | |
736 | /* execve success */ | |
737 | return retval; | |
738 | + } | |
739 | ||
740 | +#ifdef CONFIG_GRKERNSEC | |
741 | + fput(current->exec_file); | |
742 | + current->exec_file = old_exec_file; | |
743 | +#endif | |
744 | out: | |
745 | /* Something went wrong, return the inode and free the argument pages*/ | |
746 | allow_write_access(bprm.file); | |
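Review bot: The `#ifdef CONFIG_GRKERNSEC` exec_file bookkeeping around search_binary_handler() (save the old pointer, get_file() the new one, fput() one or the other depending on the outcome) is repeated verbatim in an earlier hunk of this patch (its file header is outside this view), and the failure-path fput/restore sits before `out:` so it is only reached when search_binary_handler() itself fails — correct, but a reader has to check every `goto out` above to see that no earlier exit reaches it. Two small helpers in grsecurity (for example `gr_set_exec_file(file)` returning the previous pointer and `gr_restore_exec_file(old)`; names are a suggestion) would collapse both copies to one call each and make the reference ownership explicit. A comment such as `/* current->exec_file holds a reference; released on task exit */` would also help, because the release on exit is not visible in this part of the patch. The enclosing do_execve() begins outside the hunk.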
747 | diff -urN linux-2.4.22/fs/fcntl.c linux-2.4.22-grsec/fs/fcntl.c | |
748 | --- linux-2.4.22/fs/fcntl.c 2002-11-29 00:53:15.000000000 +0100 | |
749 | +++ linux-2.4.22-grsec/fs/fcntl.c 2003-10-09 19:13:26.000000000 +0200 | |
750 | @@ -11,6 +11,7 @@ | |
751 | #include <linux/smp_lock.h> | |
752 | #include <linux/slab.h> | |
753 | #include <linux/iobuf.h> | |
754 | +#include <linux/grsecurity.h> | |
755 | ||
756 | #include <asm/poll.h> | |
757 | #include <asm/siginfo.h> | |
758 | @@ -448,6 +449,10 @@ | |
759 | match = -p->pgrp; | |
760 | if (pid != match) | |
761 | continue; | |
762 | +#ifdef CONFIG_GRKERNSEC | |
763 | + if (gr_pid_is_chrooted(p)) | |
764 | + continue; | |
765 | +#endif | |
766 | send_sigio_to_task(p, fown, fd, band); | |
767 | } | |
768 | out: | |
769 | diff -urN linux-2.4.22/fs/namei.c linux-2.4.22-grsec/fs/namei.c | |
770 | --- linux-2.4.22/fs/namei.c 2003-10-09 18:47:32.000000000 +0200 | |
771 | +++ linux-2.4.22-grsec/fs/namei.c 2003-10-09 19:13:26.000000000 +0200 | |
772 | @@ -22,6 +22,7 @@ | |
773 | #include <linux/dnotify.h> | |
774 | #include <linux/smp_lock.h> | |
775 | #include <linux/personality.h> | |
776 | +#include <linux/grsecurity.h> | |
777 | ||
778 | #include <asm/namei.h> | |
779 | #include <asm/uaccess.h> | |
780 | @@ -1284,6 +1285,14 @@ | |
781 | if (!IS_POSIXACL(nd.dentry->d_inode)) | |
782 | mode &= ~current->fs->umask; | |
783 | if (!IS_ERR(dentry)) { | |
784 | +#ifdef CONFIG_GRKERNSEC | |
785 | + if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) { | |
786 | + error = -EPERM; | |
787 | + dput(dentry); | |
788 | + goto out_dput; | |
789 | + } | |
790 | +#endif | |
791 | + | |
792 | switch (mode & S_IFMT) { | |
793 | case 0: case S_IFREG: | |
794 | error = vfs_create(nd.dentry->d_inode,dentry,mode); | |
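Review bot: `gr_handle_chroot_mknod()` already returns -EPERM on denial (grsecurity/grsec_chroot.c in this patch), yet the caller discards that and assigns `error = -EPERM` itself; `error = gr_handle_chroot_mknod(dentry, nd.mnt, mode); if (error) { dput(dentry); goto out_dput; }` would keep the policy's error code in one place. The same substitution happens in the fs/namespace.c mount hunk (`retval = -EPERM`) and in the two fs/open.c chmod hunks, which pick -EPERM for fchmod and -EACCES for chmod around the same `gr_handle_chroot_chmod()` helper; that mismatch is user-visible and should be unified. The new `out_dput:` label is placed after the inner `dput(dentry)`, so the extra dput before the goto is required — a short comment there (`/* dentry already put */`) would stop a later reader from removing it. sys_mknod() starts outside the hunk.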
795 | @@ -1295,6 +1370,7 @@ | |
796 | } | |
797 | dput(dentry); | |
798 | } | |
799 | +out_dput: | |
800 | up(&nd.dentry->d_inode->i_sem); | |
801 | path_release(&nd); | |
802 | out: | |
803 | diff -urN linux-2.4.22/fs/namespace.c linux-2.4.22-grsec/fs/namespace.c | |
804 | --- linux-2.4.22/fs/namespace.c 2003-06-13 16:51:37.000000000 +0200 | |
805 | +++ linux-2.4.22-grsec/fs/namespace.c 2003-10-09 19:13:26.000000000 +0200 | |
806 | @@ -15,6 +15,8 @@ | |
807 | #include <linux/quotaops.h> | |
808 | #include <linux/acct.h> | |
809 | #include <linux/module.h> | |
810 | +#include <linux/sched.h> | |
811 | +#include <linux/grsecurity.h> | |
812 | ||
813 | #include <asm/uaccess.h> | |
814 | ||
815 | @@ -729,6 +731,14 @@ | |
816 | if (retval) | |
817 | return retval; | |
818 | ||
819 | +#ifdef CONFIG_GRKERNSEC | |
820 | + if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) { | |
821 | + retval = -EPERM; | |
822 | + path_release(&nd); | |
823 | + return retval; | |
824 | + } | |
825 | +#endif | |
826 | + | |
827 | if (flags & MS_REMOUNT) | |
828 | retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, | |
829 | data_page); | |
830 | @@ -909,6 +917,11 @@ | |
831 | if (!capable(CAP_SYS_ADMIN)) | |
832 | return -EPERM; | |
833 | ||
834 | +#ifdef CONFIG_GRKERNSEC | |
835 | + if (gr_handle_chroot_pivot()) | |
836 | + return -EPERM; | |
837 | +#endif | |
838 | + | |
839 | lock_kernel(); | |
840 | ||
841 | error = __user_walk(new_root, LOOKUP_POSITIVE|LOOKUP_FOLLOW|LOOKUP_DIRECTORY, &new_nd); | |
842 | diff -urN linux-2.4.22/fs/open.c linux-2.4.22-grsec/fs/open.c | |
843 | --- linux-2.4.22/fs/open.c 2003-08-25 13:44:43.000000000 +0200 | |
844 | +++ linux-2.4.22-grsec/fs/open.c 2003-10-09 19:13:26.000000000 +0200 | |
845 | @@ -15,6 +15,7 @@ | |
846 | #include <linux/slab.h> | |
847 | #include <linux/tty.h> | |
848 | #include <linux/iobuf.h> | |
849 | +#include <linux/grsecurity.h> | |
850 | ||
851 | #include <asm/uaccess.h> | |
852 | ||
853 | @@ -426,6 +427,12 @@ | |
854 | goto out_putf; | |
855 | ||
856 | error = permission(inode, MAY_EXEC); | |
857 | + | |
858 | +#ifdef CONFIG_GRKERNSEC | |
859 | + if (!error && !gr_chroot_fchdir(dentry, mnt)) | |
860 | + error = -EPERM; | |
861 | +#endif | |
862 | + | |
863 | if (!error) | |
864 | set_fs_pwd(current->fs, mnt, dentry); | |
865 | out_putf: | |
866 | @@ -452,8 +457,20 @@ | |
867 | if (!capable(CAP_SYS_CHROOT)) | |
868 | goto dput_and_out; | |
869 | ||
870 | +#ifdef CONFIG_GRKERNSEC | |
871 | + if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) | |
872 | + goto dput_and_out; | |
873 | +#endif | |
874 | + | |
875 | set_fs_root(current->fs, nd.mnt, nd.dentry); | |
876 | set_fs_altroot(); | |
877 | + | |
878 | +#ifdef CONFIG_GRKERNSEC | |
879 | + gr_handle_chroot_caps(current); | |
880 | + | |
881 | + gr_handle_chroot_chdir(nd.dentry, nd.mnt); | |
882 | +#endif | |
883 | + | |
884 | error = 0; | |
885 | dput_and_out: | |
886 | path_release(&nd); | |
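Review bot: On the denial path the new `if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) goto dput_and_out;` returns whatever `error` already holds, relying on the assignment made before the capable() check above, which is outside the hunk; since the helper returns -EPERM itself, `error = gr_handle_chroot_chroot(nd.dentry, nd.mnt); if (error) goto dput_and_out;` would make the result explicit and robust against a later reordering. The trailing `gr_handle_chroot_caps(current)` and `gr_handle_chroot_chdir(nd.dentry, nd.mnt)` calls run after the root has been switched and are both no-ops unless their `grsec_enable_*` flag is set, which is worth stating in a one-line comment above them. sys_chroot() begins outside the hunk.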
887 | @@ -484,6 +497,14 @@ | |
888 | goto out_putf; | |
889 | if (mode == (mode_t) -1) | |
890 | mode = inode->i_mode; | |
891 | + | |
892 | +#ifdef CONFIG_GRKERNSEC | |
893 | + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) { | |
894 | + err = -EPERM; | |
895 | + goto out_putf; | |
896 | + } | |
897 | +#endif | |
898 | + | |
899 | newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); | |
900 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | |
901 | err = notify_change(dentry, &newattrs); | |
902 | @@ -516,6 +535,14 @@ | |
903 | ||
904 | if (mode == (mode_t) -1) | |
905 | mode = inode->i_mode; | |
906 | + | |
907 | +#ifdef CONFIG_GRKERNSEC | |
908 | + if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) { | |
909 | + error = -EACCES; | |
910 | + goto dput_and_out; | |
911 | + } | |
912 | +#endif | |
913 | + | |
914 | newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); | |
915 | newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; | |
916 | error = notify_change(nd.dentry, &newattrs); | |
917 | diff -urN linux-2.4.22/fs/proc/array.c linux-2.4.22-grsec/fs/proc/array.c | |
918 | --- linux-2.4.22/fs/proc/array.c 2003-10-09 18:46:57.000000000 +0200 | |
919 | +++ linux-2.4.22-grsec/fs/proc/array.c 2003-10-09 19:13:26.000000000 +0200 | |
920 | @@ -683,6 +683,16 @@ | |
921 | return retval; | |
922 | } | |
923 | ||
924 | +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR | |
925 | +int proc_pid_ipaddr(struct task_struct *task, char * buffer) | |
926 | +{ | |
927 | + int len; | |
928 | + | |
929 | + len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->curr_ip)); | |
930 | + return len; | |
931 | +} | |
932 | +#endif | |
933 | + | |
934 | #ifdef CONFIG_SMP | |
935 | int proc_pid_cpu(struct task_struct *task, char * buffer) | |
936 | { | |
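Review bot: `proc_pid_ipaddr()` can simply `return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->curr_ip));`, the intermediate `len` adds nothing. A short comment on what `curr_ip` holds would help; from grsec_chroot.c it is copied into children by `gr_copy_label()` and cleared when `used_accept` is set, which suggests the peer address of the last accepted or connected socket, but that is a guess from those lines and should be confirmed. The formatted output is at most 16 bytes, so the unbounded sprintf is safe for the page-sized buffer that proc_info_file_operations presumably hands in; noting that bound in the comment justifies not using snprintf here.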
937 | diff -urN linux-2.4.22/fs/proc/base.c linux-2.4.22-grsec/fs/proc/base.c | |
938 | --- linux-2.4.22/fs/proc/base.c 2003-08-25 13:44:43.000000000 +0200 | |
939 | +++ linux-2.4.22-grsec/fs/proc/base.c 2003-10-09 19:13:26.000000000 +0200 | |
940 | @@ -25,6 +25,7 @@ | |
941 | #include <linux/string.h> | |
942 | #include <linux/seq_file.h> | |
943 | #include <linux/namespace.h> | |
944 | +#include <linux/grsecurity.h> | |
945 | ||
946 | /* | |
947 | * For hysterical raisins we keep the same inumbers as in the old procfs. | |
948 | @@ -41,6 +42,9 @@ | |
949 | int proc_pid_status(struct task_struct*,char*); | |
950 | int proc_pid_statm(struct task_struct*,char*); | |
951 | int proc_pid_cpu(struct task_struct*,char*); | |
952 | +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR | |
953 | +int proc_pid_ipaddr(struct task_struct*,char*); | |
954 | +#endif | |
955 | ||
956 | static int proc_fd_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt) | |
957 | { | |
958 | @@ -576,6 +580,9 @@ | |
959 | PROC_PID_STATM, | |
960 | PROC_PID_MAPS, | |
961 | PROC_PID_CPU, | |
962 | +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR | |
963 | + PROC_PID_IPADDR, | |
964 | +#endif | |
965 | PROC_PID_MOUNTS, | |
966 | PROC_PID_FD_DIR = 0x8000, /* 0x8000-0xffff */ | |
967 | }; | |
968 | @@ -591,6 +598,9 @@ | |
969 | #ifdef CONFIG_SMP | |
970 | E(PROC_PID_CPU, "cpu", S_IFREG|S_IRUGO), | |
971 | #endif | |
972 | +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR | |
973 | + E(PROC_PID_IPADDR, "ipaddr", S_IFREG|S_IRUSR), | |
974 | +#endif | |
975 | E(PROC_PID_MAPS, "maps", S_IFREG|S_IRUGO), | |
976 | E(PROC_PID_MEM, "mem", S_IFREG|S_IRUSR|S_IWUSR), | |
977 | E(PROC_PID_CWD, "cwd", S_IFLNK|S_IRWXUGO), | |
978 | @@ -958,6 +968,12 @@ | |
979 | inode->u.proc_i.op.proc_read = proc_pid_cpu; | |
980 | break; | |
981 | #endif | |
982 | +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR | |
983 | + case PROC_PID_IPADDR: | |
984 | + inode->i_fop = &proc_info_file_operations; | |
985 | + inode->u.proc_i.op.proc_read = proc_pid_ipaddr; | |
986 | + break; | |
987 | +#endif | |
988 | case PROC_PID_MEM: | |
989 | inode->i_op = &proc_mem_inode_operations; | |
990 | inode->i_fop = &proc_mem_operations; | |
991 | @@ -1102,6 +1118,10 @@ | |
992 | int pid = p->pid; | |
993 | if (!pid) | |
994 | continue; | |
995 | +#ifdef CONFIG_GRKERNSEC | |
996 | + if(gr_pid_is_chrooted(p)) | |
997 | + continue; | |
998 | +#endif | |
999 | if (--index >= 0) | |
1000 | continue; | |
1001 | pids[nr_pids] = pid; | |
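Review bot: `if(gr_pid_is_chrooted(p))` lacks the space after `if` that the otherwise identical fs/fcntl.c hunk uses. This filter only affects the readdir listing of /proc, so a chrooted process no longer sees outside PIDs enumerated; whether explicit lookups of `/proc/<pid>` are filtered as well is not visible in this part of the patch, and a comment here stating where that is handled would tell the reader whether the hiding is meant to be complete. The enclosing function (get_pid_list, judging by the `pids[nr_pids]` line) starts outside the hunk.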
1002 | diff -urN linux-2.4.22/grsecurity/Config.in linux-2.4.22-grsec/grsecurity/Config.in | |
1003 | --- linux-2.4.22/grsecurity/Config.in 1970-01-01 01:00:00.000000000 +0100 | |
1004 | +++ linux-2.4.22-grsec/grsecurity/Config.in 2003-10-09 19:13:26.000000000 +0200 | |
4fa954ff | 1005 | @@ -0,0 +1,39 @@ |
1006 | +bool 'Deny mounts' CONFIG_GRKERNSEC_CHROOT_MOUNT |
1007 | +bool 'Deny double-chroots' CONFIG_GRKERNSEC_CHROOT_DOUBLE | |
1008 | +bool 'Deny pivot_root in chroot' CONFIG_GRKERNSEC_CHROOT_PIVOT | |
1009 | +bool 'Enforce chdir("/") on all chroots' CONFIG_GRKERNSEC_CHROOT_CHDIR | |
1010 | +bool 'Deny (f)chmod +s' CONFIG_GRKERNSEC_CHROOT_CHMOD | |
1011 | +bool 'Deny fchdir out of chroot' CONFIG_GRKERNSEC_CHROOT_FCHDIR | |
1012 | +bool 'Deny mknod' CONFIG_GRKERNSEC_CHROOT_MKNOD | |
1013 | +bool 'Deny shmat() out of chroot' CONFIG_GRKERNSEC_CHROOT_SHMAT | |
1014 | +bool 'Deny access to abstract AF_UNIX sockets out of chroot' CONFIG_GRKERNSEC_CHROOT_UNIX | |
1015 | +bool 'Protect outside processes' CONFIG_GRKERNSEC_CHROOT_FINDTASK | |
1016 | +bool 'Restrict priority changes' CONFIG_GRKERNSEC_CHROOT_NICE | |
1017 | +bool 'Deny sysctl writes in chroot' CONFIG_GRKERNSEC_CHROOT_SYSCTL | |
1018 | +bool 'Capability restrictions within chroot' CONFIG_GRKERNSEC_CHROOT_CAPS | |
1019 | +bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE |
1020 | +if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then | |
1021 | +bool ' Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL | |
1022 | +int ' GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005 | |
1023 | +fi | |
1024 | +bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET | |
1025 | +if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then | |
1026 | +bool ' Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL | |
1027 | +if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then | |
1028 | +int ' GID to deny all sockets for:' CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004 | |
1029 | +fi | |
1030 | +bool ' Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT | |
1031 | +if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then | |
1032 | +int ' GID to deny client sockets for:' CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003 | |
1033 | +fi | |
1034 | +bool ' Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER | |
1035 | +if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then | |
1036 | +int ' GID to deny server sockets for:' CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002 | |
1037 | +fi | |
1038 | +fi | |
1039 | +bool '/proc/<pid>/ipaddr support' CONFIG_GRKERNSEC_PROC_IPADDR |
1040 | +int 'Seconds in between log messages (minimum)' CONFIG_GRKERNSEC_FLOODTIME 10 | |
1041 | +int 'Number of messages in a burst (maximum)' CONFIG_GRKERNSEC_FLOODBURST 4 | |
1042 | +if [ "$CONFIG_SYSCTL" != "n" ]; then | |
1043 | +bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL | |
1044 | +fi | |
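Review bot: No option offers CONFIG_GRKERNSEC_CHROOT_EXECLOG, yet grsec_chroot.c (`gr_log_chroot_exec()`) and grsec_init.c both gate on it, so the chroot exec logging added elsewhere in this patch cannot be switched on from this file. CONFIG_GRKERNSEC itself is not defined here either and none of these entries is nested under it; if the top-level switch lives in an arch Config.in outside this view, a surrounding `if [ "$CONFIG_GRKERNSEC" != "n" ]; then … fi` would still be expected around this list. The TPE and socket GID defaults (1005, 1004, 1003, 1002) only work if matching groups exist on the target system; a comment saying they must be adjusted to the site's groups would help.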
1045 | diff -urN linux-2.4.22/grsecurity/Makefile linux-2.4.22-grsec/grsecurity/Makefile | |
1046 | --- linux-2.4.22/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100 | |
1047 | +++ linux-2.4.22-grsec/grsecurity/Makefile 2003-10-09 19:19:48.000000000 +0200 | |
1048 | @@ -0,0 +1,13 @@ | |
1049 | +# grsecurity's ACL system was originally written in 2001 by Michael Dalton | |
1050 | +# during 2001, 2002, and 2003 it has been completely redesigned by | |
1051 | +# Brad Spengler | |
1052 | +# | |
1053 | +# All code in this directory and various hooks inserted throughout the kernel | |
1054 | +# are copyright Brad Spengler, and released under the GPL, unless otherwise | |
1055 | +# noted (as in obsd_rand.c) | |
1056 | + | |
1057 | +O_TARGET := grsec.o | |
1058 | + | |
4fa954ff | 1059 | +obj-$(CONFIG_GRKERNSEC) = grsec_chroot.o grsec_sysctl.o grsec_init.o grsec_sock.o grsec_tpe.o |
1060 | + |
1061 | +include $(TOPDIR)/Rules.make | |
1062 | diff -urN linux-2.4.22/grsecurity/grsec_chroot.c linux-2.4.22-grsec/grsecurity/grsec_chroot.c | |
1063 | --- linux-2.4.22/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100 | |
1064 | +++ linux-2.4.22-grsec/grsecurity/grsec_chroot.c 2003-10-09 19:13:26.000000000 +0200 | |
1065 | @@ -0,0 +1,402 @@ | |
1066 | +#include <linux/kernel.h> | |
1067 | +#include <linux/sched.h> | |
1068 | +#include <linux/file.h> | |
1069 | +#include <linux/fs.h> | |
1070 | +#include <linux/types.h> | |
1071 | +#include <linux/grinternal.h> | |
1072 | + | |
1073 | +static __inline__ char * | |
1074 | +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt, | |
1075 | + char *buf, int buflen) | |
1076 | +{ | |
1077 | + char *res; | |
1078 | + struct dentry *our_dentry; | |
1079 | + struct vfsmount *our_mount; | |
1080 | + struct vfsmount *rootmnt; | |
1081 | + struct dentry *root; | |
1082 | + | |
1083 | + our_dentry = (struct dentry *) dentry; | |
1084 | + our_mount = (struct vfsmount *) vfsmnt; | |
1085 | + | |
1086 | + read_lock(&child_reaper->fs->lock); | |
1087 | + rootmnt = mntget(child_reaper->fs->rootmnt); | |
1088 | + root = dget(child_reaper->fs->root); | |
1089 | + read_unlock(&child_reaper->fs->lock); | |
1090 | + | |
1091 | + spin_lock(&dcache_lock); | |
1092 | + res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen); | |
1093 | + spin_unlock(&dcache_lock); | |
1094 | + dput(root); | |
1095 | + mntput(rootmnt); | |
1096 | + return res; | |
1097 | +} | |
1098 | + | |
1099 | +char * | |
1100 | +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt) | |
1101 | +{ | |
1102 | + return d_real_path(dentry, mnt, gr_shared_page[0][smp_processor_id()], | |
1103 | + PAGE_SIZE); | |
1104 | +} | |
1105 | + | |
1106 | +char * | |
1107 | +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt) | |
1108 | +{ | |
1109 | + return d_real_path(dentry, mnt, gr_shared_page[1][smp_processor_id()], | |
1110 | + PAGE_SIZE); | |
1111 | +} | |
1112 | + | |
1113 | +char * | |
1114 | +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt) | |
1115 | +{ | |
1116 | + return d_real_path(dentry, mnt, gr_shared_page[2][smp_processor_id()], | |
1117 | + PAGE_SIZE); | |
1118 | +} | |
1119 | + | |
1120 | +char * | |
1121 | +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt) | |
1122 | +{ | |
1123 | + return d_real_path(dentry, mnt, gr_shared_page[3][smp_processor_id()], | |
1124 | + PAGE_SIZE); | |
1125 | +} | |
1126 | + | |
1127 | +int | |
1128 | +gr_handle_chroot_unix(const pid_t pid) | |
1129 | +{ | |
1130 | +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX | |
1131 | + struct task_struct *p, **htable; | |
1132 | + | |
1133 | + if (unlikely(!grsec_enable_chroot_unix)) | |
1134 | + return 1; | |
1135 | + | |
1136 | + if (likely(!proc_is_chrooted(current))) | |
1137 | + return 1; | |
1138 | + | |
1139 | + read_lock(&tasklist_lock); | |
1140 | + | |
1141 | + htable = &pidhash[pid_hashfn(pid)]; | |
1142 | + | |
1143 | + for (p = *htable; p && p->pid != pid; p = p->pidhash_next) ; | |
1144 | + | |
1145 | + if (unlikely(p && !have_same_root(current, p))) { | |
1146 | + read_unlock(&tasklist_lock); | |
1147 | + gr_security_alert(GR_UNIX_CHROOT_MSG, DEFAULTSECARGS); | |
1148 | + return 0; | |
1149 | + } | |
1150 | + read_unlock(&tasklist_lock); | |
1151 | +#endif | |
1152 | + return 1; | |
1153 | +} | |
1154 | + | |
1155 | +int | |
1156 | +gr_handle_chroot_nice(void) | |
1157 | +{ | |
1158 | +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE | |
1159 | + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) { | |
1160 | + gr_security_alert(GR_NICE_CHROOT_MSG, DEFAULTSECARGS); | |
1161 | + return -EPERM; | |
1162 | + } | |
1163 | +#endif | |
1164 | + return 0; | |
1165 | +} | |
1166 | + | |
1167 | +int | |
1168 | +gr_handle_chroot_setpriority(const struct task_struct *p, const int niceval) | |
1169 | +{ | |
1170 | +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE | |
1171 | + if (grsec_enable_chroot_nice && (!have_same_root(p, current) | |
1172 | + || (have_same_root(p, current) | |
1173 | + && (niceval < task_nice(p)) | |
1174 | + && proc_is_chrooted(current)))) { | |
1175 | + gr_security_alert(GR_PRIORITY_CHROOT_MSG, p->comm, p->pid, | |
1176 | + DEFAULTSECARGS); | |
1177 | + return -ESRCH; | |
1178 | + } | |
1179 | +#endif | |
1180 | + return 0; | |
1181 | +} | |
1182 | + | |
1183 | +int | |
1184 | +gr_handle_chroot_capset(const struct task_struct *target) | |
1185 | +{ | |
1186 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS | |
1187 | + if (grsec_enable_chroot_caps && proc_is_chrooted(current) && | |
1188 | + !have_same_root(current, target)) { | |
1189 | + gr_security_alert(GR_CAPSET_CHROOT_MSG, target->comm, target->pid, | |
1190 | + DEFAULTSECARGS); | |
1191 | + return 1; | |
1192 | + } | |
1193 | +#endif | |
1194 | + return 0; | |
1195 | +} | |
1196 | + | |
1197 | +int | |
1198 | +gr_handle_chroot_rawio(const struct inode *inode) | |
1199 | +{ | |
1200 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS | |
1201 | + if (grsec_enable_chroot_caps && proc_is_chrooted(current) && | |
1202 | + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO)) | |
1203 | + return 1; | |
1204 | +#endif | |
1205 | + return 0; | |
1206 | +} | |
1207 | + | |
1208 | +int | |
1209 | +gr_pid_is_chrooted(const struct task_struct *p) | |
1210 | +{ | |
1211 | +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK | |
1212 | + if (!grsec_enable_chroot_findtask || (current->pid <= 1)) | |
1213 | + return 0; | |
1214 | + | |
1215 | + if (p && p->fs && p->fs->root && p->fs->root->d_inode && | |
1216 | + child_reaper && child_reaper->fs && child_reaper->fs->root && | |
1217 | + child_reaper->fs->root->d_inode && current && current->fs && | |
1218 | + current->fs->root && current->fs->root->d_inode) { | |
1219 | + if (proc_is_chrooted(current) && !have_same_root(current, p)) | |
1220 | + return 1; | |
1221 | + } | |
1222 | +#endif | |
1223 | + return 0; | |
1224 | +} | |
1225 | + | |
1226 | +int | |
1227 | +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt) | |
1228 | +{ | |
1229 | +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR | |
1230 | + if (!grsec_enable_chroot_fchdir) | |
1231 | + return 1; | |
1232 | + | |
1233 | + if (!proc_is_chrooted(current)) | |
1234 | + return 1; | |
1235 | + else { | |
1236 | + struct dentry *dentry = u_dentry; | |
1237 | + struct vfsmount *mnt = u_mnt; | |
1238 | + struct dentry *realroot; | |
1239 | + struct vfsmount *realrootmnt; | |
1240 | + struct dentry *currentroot; | |
1241 | + struct vfsmount *currentmnt; | |
1242 | + | |
1243 | + read_lock(&child_reaper->fs->lock); | |
1244 | + realrootmnt = mntget(child_reaper->fs->rootmnt); | |
1245 | + realroot = dget(child_reaper->fs->root); | |
1246 | + read_unlock(&child_reaper->fs->lock); | |
1247 | + | |
1248 | + read_lock(¤t->fs->lock); | |
1249 | + currentmnt = mntget(current->fs->rootmnt); | |
1250 | + currentroot = dget(current->fs->root); | |
1251 | + read_unlock(¤t->fs->lock); | |
1252 | + | |
1253 | + spin_lock(&dcache_lock); | |
1254 | + for (;;) { | |
1255 | + if (unlikely | |
1256 | + ((dentry == realroot && mnt == realrootmnt) | |
1257 | + || (dentry == currentroot && mnt == currentmnt))) | |
1258 | + break; | |
1259 | + if (unlikely | |
1260 | + (dentry == mnt->mnt_root || IS_ROOT(dentry))) { | |
1261 | + if (mnt->mnt_parent == mnt) | |
1262 | + break; | |
1263 | + dentry = mnt->mnt_mountpoint; | |
1264 | + mnt = mnt->mnt_parent; | |
1265 | + continue; | |
1266 | + } | |
1267 | + dentry = dentry->d_parent; | |
1268 | + } | |
1269 | + spin_unlock(&dcache_lock); | |
1270 | + | |
1271 | + dput(currentroot); | |
1272 | + mntput(currentmnt); | |
1273 | + | |
1274 | + if (dentry == realroot && mnt == realrootmnt) { | |
1275 | + /* ok, they're definitely trying to fchdir outside of the | |
1276 | + chroot. */ | |
1277 | + dput(realroot); | |
1278 | + mntput(realrootmnt); | |
1279 | + gr_security_alert(GR_CHROOT_FCHDIR_MSG, | |
1280 | + gr_to_filename(u_dentry, u_mnt), | |
1281 | + DEFAULTSECARGS); | |
1282 | + return 0; | |
1283 | + } else { | |
1284 | + dput(realroot); | |
1285 | + mntput(realrootmnt); | |
1286 | + return 1; | |
1287 | + } | |
1288 | + } | |
1289 | +#endif | |
1290 | + return 1; | |
1291 | +} | |
1292 | + | |
1293 | +int | |
1294 | +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid, | |
1295 | + const time_t shm_createtime) | |
1296 | +{ | |
1297 | +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT | |
1298 | + struct task_struct *p, **htable; | |
1299 | + | |
1300 | + if (unlikely(!grsec_enable_chroot_shmat)) | |
1301 | + return 1; | |
1302 | + | |
1303 | + if (likely(!proc_is_chrooted(current))) | |
1304 | + return 1; | |
1305 | + | |
1306 | + read_lock(&tasklist_lock); | |
1307 | + | |
1308 | + htable = &pidhash[pid_hashfn(shm_cprid)]; | |
1309 | + | |
1310 | + for (p = *htable; p && p->pid != shm_cprid; p = p->pidhash_next) ; | |
1311 | + | |
1312 | + if (unlikely(p && !have_same_root(current, p) && | |
1313 | + (p->start_time < shm_createtime))) { | |
1314 | + read_unlock(&tasklist_lock); | |
1315 | + gr_security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS); | |
1316 | + return 0; | |
1317 | + } | |
1318 | + | |
1319 | + if (unlikely(!p)) { | |
1320 | + htable = &pidhash[pid_hashfn(shm_lapid)]; | |
1321 | + for (p = *htable; p && p->pid != shm_lapid; | |
1322 | + p = p->pidhash_next) ; | |
1323 | + | |
1324 | + if (unlikely(p && !have_same_root(current, p))) { | |
1325 | + read_unlock(&tasklist_lock); | |
1326 | + gr_security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS); | |
1327 | + return 0; | |
1328 | + } | |
1329 | + } | |
1330 | + | |
1331 | + read_unlock(&tasklist_lock); | |
1332 | +#endif | |
1333 | + return 1; | |
1334 | +} | |
1335 | + | |
1336 | +void | |
1337 | +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt) | |
1338 | +{ | |
1339 | +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG | |
1340 | + if (grsec_enable_chroot_execlog && proc_is_chrooted(current)) | |
1341 | + security_audit(GR_EXEC_CHROOT_MSG, gr_to_filename(dentry, mnt), | |
1342 | + DEFAULTSECARGS); | |
1343 | +#endif | |
1344 | + return; | |
1345 | +} | |
1346 | + | |
1347 | +int | |
1348 | +gr_handle_chroot_mknod(const struct dentry *dentry, | |
1349 | + const struct vfsmount *mnt, const int mode) | |
1350 | +{ | |
1351 | +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD | |
1352 | + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && | |
1353 | + proc_is_chrooted(current)) { | |
1354 | + gr_security_alert(GR_MKNOD_CHROOT_MSG, | |
1355 | + gr_to_filename(dentry, mnt), DEFAULTSECARGS); | |
1356 | + return -EPERM; | |
1357 | + } | |
1358 | +#endif | |
1359 | + return 0; | |
1360 | +} | |
1361 | + | |
1362 | +int | |
1363 | +gr_handle_chroot_mount(const struct dentry *dentry, | |
1364 | + const struct vfsmount *mnt, const char *dev_name) | |
1365 | +{ | |
1366 | +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT | |
1367 | + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) { | |
1368 | + gr_security_alert(GR_MOUNT_CHROOT_MSG, dev_name, | |
1369 | + gr_to_filename(dentry, mnt), DEFAULTSECARGS); | |
1370 | + return -EPERM; | |
1371 | + } | |
1372 | +#endif | |
1373 | + return 0; | |
1374 | +} | |
1375 | + | |
1376 | +int | |
1377 | +gr_handle_chroot_pivot(void) | |
1378 | +{ | |
1379 | +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT | |
1380 | + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) { | |
1381 | + gr_security_alert(GR_PIVOT_CHROOT_MSG, DEFAULTSECARGS); | |
1382 | + return -EPERM; | |
1383 | + } | |
1384 | +#endif | |
1385 | + return 0; | |
1386 | +} | |
1387 | + | |
1388 | +int | |
1389 | +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt) | |
1390 | +{ | |
1391 | +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE | |
1392 | + if (grsec_enable_chroot_double && proc_is_chrooted(current)) { | |
1393 | + gr_security_alert(GR_CHROOT_CHROOT_MSG, | |
1394 | + gr_to_filename(dentry, mnt), DEFAULTSECARGS); | |
1395 | + return -EPERM; | |
1396 | + } | |
1397 | +#endif | |
1398 | + return 0; | |
1399 | +} | |
1400 | + | |
1401 | +void | |
1402 | +gr_handle_chroot_caps(struct task_struct *task) | |
1403 | +{ | |
1404 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS | |
1405 | + if (grsec_enable_chroot_caps && proc_is_chrooted(task)) { | |
1406 | + task->cap_permitted = | |
1407 | + cap_drop(task->cap_permitted, GR_CHROOT_CAPS); | |
1408 | + task->cap_inheritable = | |
1409 | + cap_drop(task->cap_inheritable, GR_CHROOT_CAPS); | |
1410 | + task->cap_effective = | |
1411 | + cap_drop(task->cap_effective, GR_CHROOT_CAPS); | |
1412 | + } | |
1413 | +#endif | |
1414 | + return; | |
1415 | +} | |
1416 | + | |
1417 | +int | |
1418 | +gr_handle_chroot_sysctl(const int op) | |
1419 | +{ | |
1420 | +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL | |
1421 | + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current) | |
1422 | + && (op & 002)) | |
1423 | + return -EACCES; | |
1424 | +#endif | |
1425 | + return 0; | |
1426 | +} | |
1427 | + | |
1428 | +void | |
1429 | +gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt) | |
1430 | +{ | |
1431 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR | |
1432 | + if (grsec_enable_chroot_chdir) | |
1433 | + set_fs_pwd(current->fs, mnt, dentry); | |
1434 | +#endif | |
1435 | + return; | |
1436 | +} | |
1437 | + | |
1438 | +int | |
1439 | +gr_handle_chroot_chmod(const struct dentry *dentry, | |
1440 | + const struct vfsmount *mnt, const int mode) | |
1441 | +{ | |
1442 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD | |
1443 | + if (grsec_enable_chroot_chmod && | |
1444 | + ((mode & S_ISUID) || (mode & S_ISGID)) && | |
1445 | + proc_is_chrooted(current)) { | |
1446 | + gr_security_alert(GR_CHMOD_CHROOT_MSG, | |
1447 | + gr_to_filename(dentry, mnt), DEFAULTSECARGS); | |
1448 | + return -EPERM; | |
1449 | + } | |
1450 | +#endif | |
1451 | + return 0; | |
1452 | +} | |
1453 | + | |
1454 | +__inline__ void | |
1455 | +gr_copy_label(struct task_struct *tsk) | |
1456 | +{ | |
1457 | + tsk->used_accept = 0; | |
1458 | + tsk->used_connect = 0; | |
1459 | + tsk->curr_ip = current->curr_ip; | |
1460 | + if (current->exec_file) | |
1461 | + get_file(current->exec_file); | |
1462 | + tsk->exec_file = current->exec_file; | |
1463 | + if (unlikely(current->used_accept)) | |
1464 | + current->curr_ip = 0; | |
1465 | + | |
1466 | + return; | |
1467 | +} | |
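Review bot: The hooks in this file use three different result conventions — `gr_handle_chroot_mknod/mount/pivot/chroot/chmod/nice/setpriority/sysctl` return 0 or a negative errno, `gr_handle_chroot_unix`, `gr_chroot_fchdir` and `gr_chroot_shmat` return 1 for allowed and 0 for denied, and `gr_pid_is_chrooted`, `gr_handle_chroot_capset` and `gr_handle_chroot_rawio` return 1 for denied — which is why callers elsewhere in the patch substitute their own error codes (fs/open.c uses -EPERM for fchmod and -EACCES for chmod around the same `gr_handle_chroot_chmod()`). A header comment stating the convention for each group, or converging on one, would prevent the next hook from guessing. `d_real_path()` casts the `const` away from its dentry and vfsmount arguments only to satisfy `__d_path()`; taking them non-const (with the `gr_to_filename*` wrappers following) is cleaner than the cast. `gr_to_filename*()` hand out per-CPU pages indexed by smp_processor_id() without disabling preemption; that is fine on a non-preemptible 2.4 kernel as long as no caller sleeps between obtaining and consuming the pointer, and a comment stating that contract on the wrappers would be worthwhile. `gr_copy_label()` is a non-static `__inline__` function in a .c file, which relies on GNU inline semantics to still emit an out-of-line copy for external callers.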
1468 | diff -urN linux-2.4.22/grsecurity/grsec_init.c linux-2.4.22-grsec/grsecurity/grsec_init.c | |
1469 | --- linux-2.4.22/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100 | |
1470 | +++ linux-2.4.22-grsec/grsecurity/grsec_init.c 2003-10-09 19:16:48.000000000 +0200 | |
4fa954ff | 1471 | @@ -0,0 +1,126 @@ |
1472 | +#include <linux/kernel.h> |
1473 | +#include <linux/sched.h> | |
1474 | +#include <linux/mm.h> | |
1475 | +#include <linux/smp_lock.h> | |
1476 | +#include <linux/slab.h> | |
1477 | + | |
1478 | +int grsec_enable_chroot_findtask; | |
1479 | +int grsec_enable_chroot_mount; | |
1480 | +int grsec_enable_chroot_shmat; | |
1481 | +int grsec_enable_chroot_fchdir; | |
1482 | +int grsec_enable_chroot_double; | |
1483 | +int grsec_enable_chroot_pivot; | |
1484 | +int grsec_enable_chroot_chdir; | |
1485 | +int grsec_enable_chroot_chmod; | |
1486 | +int grsec_enable_chroot_mknod; | |
1487 | +int grsec_enable_chroot_nice; | |
1488 | +int grsec_enable_chroot_execlog; | |
1489 | +int grsec_enable_chroot_caps; | |
1490 | +int grsec_enable_chroot_sysctl; | |
1491 | +int grsec_enable_chroot_unix; | |
1492 | +int grsec_enable_tpe; |
1493 | +int grsec_tpe_gid; | |
1494 | +int grsec_enable_tpe_all; | |
1495 | +int grsec_enable_socket_all; | |
1496 | +int grsec_socket_all_gid; | |
1497 | +int grsec_enable_socket_client; | |
1498 | +int grsec_socket_client_gid; | |
1499 | +int grsec_enable_socket_server; | |
1500 | +int grsec_socket_server_gid; | |
1501 | +int grsec_lock; |
1502 | + | |
1503 | +spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED; | |
1504 | +unsigned long grsec_alert_wtime = 0; | |
1505 | +unsigned long grsec_alert_fyet = 0; | |
1506 | + | |
1507 | +spinlock_t grsec_alertgood_lock = SPIN_LOCK_UNLOCKED; | |
1508 | +unsigned long grsec_alertgood_wtime = 0; | |
1509 | +unsigned long grsec_alertgood_fyet = 0; | |
1510 | + | |
1511 | +spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED; | |
1512 | + | |
1513 | +char *gr_shared_page[4][NR_CPUS]; | |
1514 | + | |
1515 | +void | |
1516 | +grsecurity_init(void) | |
1517 | +{ | |
1518 | + int i, j; | |
1519 | + /* create the per-cpu shared pages */ | |
1520 | + | |
1521 | + for (j = 0; j < 4; j++) { | |
1522 | + for (i = 0; i < NR_CPUS; i++) { | |
1523 | + gr_shared_page[j][i] = (char *) get_zeroed_page(GFP_KERNEL); | |
1524 | + if (!gr_shared_page[j][i]) { | |
1525 | + panic("Unable to allocate grsecurity shared page"); | |
1526 | + return; | |
1527 | + } | |
1528 | + } | |
1529 | + } | |
1530 | + | |
1531 | +#ifndef CONFIG_GRKERNSEC_SYSCTL | |
1532 | + grsec_lock = 1; | |
1533 | +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK | |
1534 | + grsec_enable_chroot_findtask = 1; | |
1535 | +#endif | |
1536 | +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX | |
1537 | + grsec_enable_chroot_unix = 1; | |
1538 | +#endif | |
1539 | +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT | |
1540 | + grsec_enable_chroot_mount = 1; | |
1541 | +#endif | |
1542 | +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR | |
1543 | + grsec_enable_chroot_fchdir = 1; | |
1544 | +#endif | |
1545 | +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT | |
1546 | + grsec_enable_chroot_shmat = 1; | |
1547 | +#endif | |
1548 | +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE | |
1549 | + grsec_enable_chroot_double = 1; | |
1550 | +#endif | |
1551 | +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT | |
1552 | + grsec_enable_chroot_pivot = 1; | |
1553 | +#endif | |
1554 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR | |
1555 | + grsec_enable_chroot_chdir = 1; | |
1556 | +#endif | |
1557 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD | |
1558 | + grsec_enable_chroot_chmod = 1; | |
1559 | +#endif | |
1560 | +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD | |
1561 | + grsec_enable_chroot_mknod = 1; | |
1562 | +#endif | |
1563 | +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE | |
1564 | + grsec_enable_chroot_nice = 1; | |
1565 | +#endif | |
1566 | +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG | |
1567 | + grsec_enable_chroot_execlog = 1; | |
1568 | +#endif | |
1569 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS | |
1570 | + grsec_enable_chroot_caps = 1; | |
1571 | +#endif | |
1572 | +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL | |
1573 | + grsec_enable_chroot_sysctl = 1; | |
1574 | +#endif | |
4fa954ff JR |
1575 | +#ifdef CONFIG_GRKERNSEC_TPE |
1576 | + grsec_enable_tpe = 1; | |
1577 | + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID; | |
1578 | +#ifdef CONFIG_GRKERNSEC_TPE_ALL | |
1579 | + grsec_enable_tpe_all = 1; | |
1580 | +#endif | |
1581 | +#endif | |
1582 | +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL | |
1583 | + grsec_enable_socket_all = 1; | |
1584 | + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID; | |
1585 | +#endif | |
1586 | +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT | |
1587 | + grsec_enable_socket_client = 1; | |
1588 | + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID; | |
1589 | +#endif | |
1590 | +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER | |
1591 | + grsec_enable_socket_server = 1; | |
1592 | + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID; | |
1593 | +#endif | |
e6a87675 JR |
1594 | +#endif |
1595 | + | |
1596 | + return; | |
1597 | +} | |
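--- a/grsecurity/grsec_sock.c
+++ b/grsecurity/grsec_sock.c
@@ -0,0 +1,109 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/net.h>
+#include <net/sock.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+void
+gr_attach_curr_ip(const struct sock *sk)
+{
+#ifdef CONFIG_GRKERNSEC
+	struct task_struct *p;
+	unsigned int i;
+	struct inode *inode;
+	struct file *filp;
+	struct socket *connect_sock;
+
+	if (unlikely(sk->protocol != IPPROTO_TCP))
+		return;
+
+	read_lock(&tasklist_lock);
+	for_each_task(p) {
+		if (!p->used_connect)
+			continue;
+		task_lock(p);
+		if (unlikely(!p->files)) {
+			task_unlock(p);
+			continue;
+		}
+		read_lock(&p->files->file_lock);
+		for (i = 0; i < p->files->max_fds; i++) {
+			filp = fcheck_files(p->files, i);
+			if (likely(!filp))
+				continue;
+			inode = filp->f_dentry->d_inode;
+			if (likely(!inode || !inode->i_sock))
+				continue;
+			connect_sock = &inode->u.socket_i;
+			if (unlikely(!connect_sock ||
+				     connect_sock->sk->protocol != IPPROTO_TCP))
+				continue;
+			if (unlikely(sk->rcv_saddr == connect_sock->sk->daddr &&
+				     sk->daddr == connect_sock->sk->rcv_saddr &&
+				     ntohs(sk->sport) ==
+				     ntohs(connect_sock->sk->dport)
+				     && ntohs(sk->dport) ==
+				     ntohs(connect_sock->sk->sport))) {
+				current->curr_ip = p->curr_ip;
+				current->used_accept = 1;
+				read_unlock(&p->files->file_lock);
+				task_unlock(p);
+				read_unlock(&tasklist_lock);
+				return;
+			}
+		}
+		read_unlock(&p->files->file_lock);
+		task_unlock(p);
+	}
+	read_unlock(&tasklist_lock);
+
+	current->curr_ip = sk->daddr;
+	current->used_accept = 1;
+#endif
+	return;
+}
+
+int
+gr_handle_sock_all(const int family, const int type, const int protocol)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+	if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
+	    (family != AF_UNIX) && (family != AF_LOCAL)) {
+		gr_security_alert(GR_SOCK_MSG, family, type, protocol,
+				  DEFAULTSECARGS);
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
+
+int
+gr_handle_sock_server(const struct sockaddr *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+	if (grsec_enable_socket_server &&
+	    in_group_p(grsec_socket_server_gid) &&
+	    sck && (sck->sa_family != AF_UNIX) &&
+	    (sck->sa_family != AF_LOCAL)) {
+		gr_security_alert(GR_BIND_MSG, DEFAULTSECARGS);
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
+
+int
+gr_handle_sock_client(const struct sockaddr *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+	if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
+	    sck && (sck->sa_family != AF_UNIX) &&
+	    (sck->sa_family != AF_LOCAL)) {
+		gr_security_alert(GR_CONNECT_MSG, DEFAULTSECARGS);
+		return -EACCES;
+	}
+#endif
+	return 0;
+}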
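Review bot: `connect_sock->sk` is dereferenced without a NULL check in the protocol comparison inside the fd loop of `gr_attach_curr_ip`, while the `!connect_sock` test beside it can never fire because `connect_sock` is the address of the embedded `inode->u.socket_i`; a socket inode whose `sk` is not (or no longer) attached would oops there. Replace the condition with `if (unlikely(!connect_sock->sk || connect_sock->sk->protocol != IPPROTO_TCP)) continue;`. Separately, this walk visits every task and every open fd under `tasklist_lock` on each accepted TCP connection, so its cost grows with the number of processes and descriptors on the box; a header comment stating that trade-off and the presumed intent, `/* find the local task that opened the peer end of this connection and inherit its curr_ip; falls back to the peer address */`, would help the next reader judge it.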
e6a87675 JR |
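--- a/grsecurity/grsec_sysctl.c
+++ b/grsecurity/grsec_sysctl.c
@@ -0,0 +1,16 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
+{
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+	if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
+		gr_security_alert(GR_SYSCTL_MSG, name, DEFAULTSECARGS);
+		return -EACCES;
+	}
+#endif
+	return 0;
+}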
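Review bot: The write test `(op & 002)` is a magic permission bit, and `strcmp` is used with no `<linux/string.h>` include; the function's contract is also undocumented. Suggest `#include <linux/string.h>` and a header comment such as `/* Deny writes to sysctl entries under "grsecurity" once grsec_lock has been set; 002 is the write bit of the sysctl permission check. Returns -EACCES on denial, 0 otherwise. */`. Whether `dirname` can be NULL depends on the caller in kernel/sysctl.c, which is not visible in full here; if it can, guard it before the `strcmp`.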
4fa954ff JR |
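--- a/grsecurity/grsec_tpe.c
+++ b/grsecurity/grsec_tpe.c
@@ -0,0 +1,33 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/grinternal.h>
+
+int
+gr_tpe_allow(const struct file *file)
+{
+#ifdef CONFIG_GRKERNSEC
+	struct inode *inode = file->f_dentry->d_parent->d_inode;
+
+	if (current->uid && ((grsec_enable_tpe && in_group_p(grsec_tpe_gid))) &&
+	    (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
+					      (inode->i_mode & S_IWOTH))))) {
+		gr_security_alert(GR_EXEC_TPE_MSG,
+				  gr_to_filename(file->f_dentry, file->f_vfsmnt),
+				  DEFAULTSECARGS);
+		return 0;
+	}
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+	if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
+	    ((inode->i_uid && (inode->i_uid != current->uid)) ||
+	     (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
+		gr_security_alert(GR_EXEC_TPE_MSG,
+				  gr_to_filename(file->f_dentry, file->f_vfsmnt),
+				  DEFAULTSECARGS);
+		return 0;
+	}
+#endif
+#endif
+	return 1;
+}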
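Review bot: The first condition's `(inode->i_uid || (!inode->i_uid && (...)))` is logically the same as `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))`; the redundant `!inode->i_uid` term obscures what the policy actually is. The function also has no header comment for its 1/0 return and for the fact that only the binary's immediate parent directory (`d_parent`) is examined rather than every ancestor of the path, which a reader expecting a full trusted-path walk should be told. Suggest `/* Trusted Path Execution: returns 1 if exec of @file is allowed, 0 if denied (an alert is logged). Only the binary's parent directory is checked: for users in the TPE group it must be root-owned and not group/world-writable; with TPE_ALL every other non-root user is also refused a directory owned by someone else or writable by group/others. */`.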
e6a87675 JR |
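--- a/include/linux/grinternal.h
+++ b/include/linux/grinternal.h
@@ -0,0 +1,130 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
+#ifdef CONFIG_GRKERNSEC
+
+#include <linux/grmsg.h>
+
+extern char *gr_shared_page[4][NR_CPUS];
+
+extern char *gr_to_filename(const struct dentry *dentry,
+			    const struct vfsmount *mnt);
+extern char *gr_to_filename1(const struct dentry *dentry,
+			     const struct vfsmount *mnt);
+extern char *gr_to_filename2(const struct dentry *dentry,
+			     const struct vfsmount *mnt);
+extern char *gr_to_filename3(const struct dentry *dentry,
+			     const struct vfsmount *mnt);
+
+extern int grsec_enable_chroot_shmat;
+extern int grsec_enable_chroot_findtask;
+extern int grsec_enable_chroot_mount;
+extern int grsec_enable_chroot_double;
+extern int grsec_enable_chroot_pivot;
+extern int grsec_enable_chroot_chdir;
+extern int grsec_enable_chroot_chmod;
+extern int grsec_enable_chroot_mknod;
+extern int grsec_enable_chroot_fchdir;
+extern int grsec_enable_chroot_nice;
+extern int grsec_enable_chroot_execlog;
+extern int grsec_enable_chroot_caps;
+extern int grsec_enable_chroot_sysctl;
+extern int grsec_enable_chroot_unix;
+extern int grsec_enable_tpe;
+extern int grsec_tpe_gid;
+extern int grsec_enable_tpe_all;
+extern int grsec_enable_socket_all;
+extern int grsec_socket_all_gid;
+extern int grsec_enable_socket_client;
+extern int grsec_socket_client_gid;
+extern int grsec_enable_socket_server;
+extern int grsec_socket_server_gid;
+extern int grsec_lock;
+
+extern struct task_struct *child_reaper;
+
+extern spinlock_t grsec_alert_lock;
+extern unsigned long grsec_alert_wtime;
+extern unsigned long grsec_alert_fyet;
+
+extern spinlock_t grsec_alertgood_lock;
+extern unsigned long grsec_alertgood_wtime;
+extern unsigned long grsec_alertgood_fyet;
+
+extern spinlock_t grsec_audit_lock;
+
+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
+			gr_to_filename2(tsk->exec_file->f_dentry, \
+			tsk->exec_file->f_vfsmnt) : "/")
+
+#define gr_parent_task_fullpath(tsk) (tsk->p_pptr->exec_file ? \
+			gr_to_filename3(tsk->p_pptr->exec_file->f_dentry, \
+			tsk->p_pptr->exec_file->f_vfsmnt) : "/")
+
+#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && \
+			  ((tsk_a->fs->root->d_inode->i_dev != \
+			  child_reaper->fs->root->d_inode->i_dev) || \
+			  (tsk_a->fs->root->d_inode->i_ino != \
+			  child_reaper->fs->root->d_inode->i_ino)))
+
+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_dev == \
+			  tsk_b->fs->root->d_inode->i_dev) && \
+			  (tsk_a->fs->root->d_inode->i_ino == \
+			  tsk_b->fs->root->d_inode->i_ino))
+
+#define DEFAULTSECARGS gr_task_fullpath(current), current->comm, \
+		       current->pid, current->uid, \
+		       current->euid, current->gid, current->egid, \
+		       gr_parent_task_fullpath(current), \
+		       current->p_pptr->comm, current->p_pptr->pid, \
+		       current->p_pptr->uid, current->p_pptr->euid, \
+		       current->p_pptr->gid, current->p_pptr->egid
+
+#define GR_CHROOT_CAPS ( \
+	CAP_TO_MASK(CAP_FOWNER) | \
+	CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
+	CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
+	CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
+	CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
+	CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
+	CAP_TO_MASK(CAP_IPC_OWNER))
+
+#define gr_security_alert(normal_msg,args...) \
+({ \
+	spin_lock(&grsec_alert_lock); \
+	\
+	if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \
+		grsec_alert_wtime = jiffies; grsec_alert_fyet = 0; \
+		if (current->curr_ip) \
+			printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
+		else \
+			printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
+	} else if((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \
+		grsec_alert_fyet++; \
+		if (current->curr_ip) \
+			printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
+		else \
+			printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
+	} else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \
+		grsec_alert_wtime = jiffies; grsec_alert_fyet++; \
+		printk(KERN_ALERT "grsec: more alerts, logging disabled for " \
+		       "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \
+	} \
+	\
+	spin_unlock(&grsec_alert_lock); \
+})
+
+#define security_audit(normal_msg,args...) \
+({ \
+	spin_lock(&grsec_audit_lock); \
+	if (current->curr_ip) \
+		printk(KERN_INFO "grsec: From %u.%u.%u.%u: " normal_msg "\n", \
+		       NIPQUAD(current->curr_ip) , ## args); \
+	else \
+		printk(KERN_INFO "grsec: " normal_msg "\n", ## args); \
+	spin_unlock(&grsec_audit_lock); \
+})
+
+#endif
+
+#endif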
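Review bot: `proc_is_chrooted()` and `have_same_root()` dereference `tsk_a->fs->root` (and `child_reaper->fs->root`) with no check that `fs` is non-NULL; a task that has already gone through `exit_fs()` has `fs == NULL` while still being findable by pid, and the sched.h hunk applies `gr_pid_is_chrooted()` to every task `find_task_by_pid` returns, so if that helper is built on this macro it can oops on an exiting task. Add `tsk_a->fs && child_reaper->fs &&` right after the `(tsk_a->pid > 1)` term in `proc_is_chrooted`, and the equivalent `tsk_a->fs && tsk_b->fs &&` guard in `have_same_root`. The macros also use their parameters unparenthesized, and `gr_security_alert()` expands `normal_msg`/`args` into four separate `printk` calls, so a comment above it spelling out the rate limiting (a `CONFIG_GRKERNSEC_FLOODTIME`-second window of at most `CONFIG_GRKERNSEC_FLOODBURST` messages, then one "logging disabled" line and silence until the window expires) would spare the next reader from reverse-engineering the three branches.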
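--- a/include/linux/grmsg.h
+++ b/include/linux/grmsg.h
@@ -0,0 +1,18 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d, parent %.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d"
+#define GR_UNIX_CHROOT_MSG "denied connect to abstract AF_UNIX socket outside of chroot by " DEFAULTSECMSG
+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by " DEFAULTSECMSG
+#define GR_MKNOD_CHROOT_MSG "refused attempt to mknod %.950s from chroot by " DEFAULTSECMSG
+#define GR_MOUNT_CHROOT_MSG "denied attempt to mount %.30s as %.930s from chroot by " DEFAULTSECMSG
+#define GR_PIVOT_CHROOT_MSG "denied attempt to pivot_root from chroot by " DEFAULTSECMSG
+#define GR_CHROOT_CHROOT_MSG "denied attempt to double chroot to %.950s by " DEFAULTSECMSG
+#define GR_CHMOD_CHROOT_MSG "denied attempt to chmod +s %.950s by " DEFAULTSECMSG
+#define GR_CHROOT_FCHDIR_MSG "attempted fchdir outside of chroot to %.950s by " DEFAULTSECMSG
+#define GR_PRIORITY_CHROOT_MSG "attempted priority change of process (%.16s:%d) by " DEFAULTSECMSG
+#define GR_CAPSET_CHROOT_MSG "denied capset of (%.16s:%d) within chroot by " DEFAULTSECMSG
+#define GR_NICE_CHROOT_MSG "attempted priority change by " DEFAULTSECMSG
+#define GR_SYSCTL_MSG "attempt to modify grsecurity sysctl value : %.32s by " DEFAULTSECMSG
+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " DEFAULTSECMSG
+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by " DEFAULTSECMSG
+#define GR_SOCK_MSG "attempted socket(%d,%d,%d) by " DEFAULTSECMSG
+#define GR_BIND_MSG "attempted bind() by " DEFAULTSECMSG
+#define GR_CONNECT_MSG "attempted connect by " DEFAULTSECMSG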
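Review bot: `DEFAULTSECMSG` prints uid/euid/gid/egid with `%d`, but the values `DEFAULTSECARGS` supplies (`current->uid` and friends) are `uid_t`/`gid_t`, which are unsigned on 2.4, so an id above 2^31 would be logged as a negative number; `%u` matches the type. The `%.950s`/`%.980s` path fields are filled by `gr_to_filename()`, whose implementation is not in this excerpt — if it does not escape control characters, a newline inside a path name would split one alert into two log records, which matters for anything that parses these lines; a one-line note next to `DEFAULTSECMSG` stating the escaping contract would settle that.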
e6a87675 JR |
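--- a/include/linux/grsecurity.h
+++ b/include/linux/grsecurity.h
@@ -0,0 +1,32 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+
+extern int gr_pid_is_chrooted(const struct task_struct *p);
+extern int gr_handle_chroot_nice(void);
+extern int gr_handle_chroot_sysctl(const int op);
+extern int gr_handle_chroot_capset(const struct task_struct *target);
+extern int gr_handle_chroot_setpriority(const struct task_struct *p,
+					const int niceval);
+extern int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
+extern int gr_handle_chroot_chroot(const struct dentry *dentry,
+				   const struct vfsmount *mnt);
+extern void gr_handle_chroot_caps(struct task_struct *task);
+extern void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
+extern int gr_handle_chroot_chmod(const struct dentry *dentry,
+				  const struct vfsmount *mnt, const int mode);
+extern int gr_handle_chroot_mknod(const struct dentry *dentry,
+				  const struct vfsmount *mnt, const int mode);
+extern int gr_handle_chroot_mount(const struct dentry *dentry,
+				  const struct vfsmount *mnt,
+				  const char *dev_name);
+extern int gr_handle_chroot_pivot(void);
+extern int gr_handle_chroot_unix(const pid_t pid);
+
+extern void gr_log_chroot_exec(const struct dentry *dentry,
+			       const struct vfsmount *mnt);
+
+extern void gr_copy_label(struct task_struct *tsk);
+
+extern int gr_tpe_allow(const struct file *file);
+
+#endif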
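Review bot: Several hooks this patch adds have no prototype in this header and are instead re-declared `extern` at their call sites — `gr_handle_sysctl_mod()` and `gr_handle_chroot_sysctl()` in kernel/sysctl.c, `gr_chroot_shmat()` in ipc/shm.c, `grsecurity_init()` in init/main.c, and `gr_pid_is_chrooted()` again in sched.h — while `gr_attach_curr_ip()` and the three `gr_handle_sock_*()` functions from grsec_sock.c are declared nowhere in the visible patch. Per-call-site externs defeat the compiler's check that definition and use agree on the signature; collecting them here, with the signatures the patch already uses, keeps them consistent. The header also relies on its includer to have `struct task_struct`, `struct dentry`, `struct vfsmount` and `struct file` in scope; forward declarations at the top would make it self-contained.
```c
struct task_struct;
struct dentry;
struct vfsmount;
struct file;
struct sock;
struct sockaddr;

/* … unchanged: chroot hook prototypes, gr_log_chroot_exec, gr_copy_label, gr_tpe_allow … */

extern void grsecurity_init(void);
extern int gr_handle_sysctl_mod(const char *dirname, const char *name, const int op);
extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
			   const time_t shm_createtime);
extern void gr_attach_curr_ip(const struct sock *sk);
extern int gr_handle_sock_all(const int family, const int type, const int protocol);
extern int gr_handle_sock_server(const struct sockaddr *sck);
extern int gr_handle_sock_client(const struct sockaddr *sck);
```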
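--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -28,6 +28,8 @@
 #include <linux/securebits.h>
 #include <linux/fs_struct.h>
 
+extern int gr_pid_is_chrooted(const struct task_struct *p);
+
 struct exec_domain;
 
 /*
@@ -415,6 +432,13 @@
 
 	/* journalling filesystem info */
 	void *journal_info;
+
+#ifdef CONFIG_GRKERNSEC
+	struct file *exec_file;
+	u32 curr_ip;
+	u8 used_accept:1;
+	u8 used_connect:1;
+#endif
 };
 
 /*
@@ -556,6 +595,10 @@
 	for(p = *htable; p && p->pid != pid; p = p->pidhash_next)
 		;
 
+#ifdef CONFIG_GRKERNSEC
+	if(gr_pid_is_chrooted(p)) p = NULL;
+#endif
+
 	return p;
 }
 
@@ -583,6 +585,10 @@
 	for(p = *htable; p && p->pid != pid; p = p->pidhash_next)
 		;
 
+#ifdef CONFIG_GRKERNSEC
+	if(gr_pid_is_chrooted(p)) p = NULL;
+#endif
+
 	return p;
 }
 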
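--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -127,6 +127,7 @@
 	KERN_CORE_PATTERN=56,	/* string: pattern for core-files */
 	KERN_PPC_L3CR=57,	/* l3cr register on PPC */
 	KERN_EXCEPTION_TRACE=58,	/* boolean: exception trace */
+	KERN_GRSECURITY=68,	/* grsecurity */
 };
 
 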
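--- a/init/main.c
+++ b/init/main.c
@@ -27,6 +27,7 @@
 #include <linux/iobuf.h>
 #include <linux/bootmem.h>
 #include <linux/tty.h>
+#include <linux/grsecurity.h>
 
 #include <asm/io.h>
 #include <asm/bugs.h>
@@ -112,6 +113,8 @@
 extern void ipc_init(void);
 #endif
 
+extern void grsecurity_init(void);
+
 /*
  * Boot command-line arguments
  */
@@ -563,6 +566,9 @@
 	do_basic_setup();
 
 	prepare_namespace();
+#ifdef CONFIG_GRKERNSEC
+	grsecurity_init();
+#endif
 
 	/*
 	 * Ok, we have completed the initial bootup, and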
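Review bot: `grsecurity_init()` is what allocates `gr_shared_page` and sets the compiled-in enable flags, yet it only runs after `prepare_namespace()`; anything that reached `gr_to_filename()` earlier in boot would use a NULL page. The enable flags start at zero, so the alert paths are presumably unreachable before this point, but that ordering constraint is implicit — a comment such as `/* must run before userspace starts: allocates the per-cpu log pages and enables the compiled-in grsec policies */` would make it explicit. The local `extern void grsecurity_init(void);` in the second hunk duplicates what `<linux/grsecurity.h>`, included in the first hunk, should be providing.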
2049 | diff -urN linux-2.4.22/ipc/shm.c linux-2.4.22-grsec/ipc/shm.c | |
2050 | --- linux-2.4.22/ipc/shm.c 2002-08-03 02:39:46.000000000 +0200 | |
2051 | +++ linux-2.4.22-grsec/ipc/shm.c 2003-10-09 19:13:26.000000000 +0200 | |
2052 | @@ -23,6 +23,7 @@ | |
2053 | #include <linux/mman.h> | |
2054 | #include <linux/proc_fs.h> | |
2055 | #include <asm/uaccess.h> | |
2056 | +#include <linux/grsecurity.h> | |
2057 | ||
2058 | #include "util.h" | |
2059 | ||
2060 | @@ -38,8 +39,18 @@ | |
2061 | time_t shm_ctim; | |
2062 | pid_t shm_cprid; | |
2063 | pid_t shm_lprid; | |
2064 | + | |
2065 | +#ifdef CONFIG_GRKERNSEC | |
2066 | + time_t shm_createtime; | |
2067 | + pid_t shm_lapid; | |
2068 | +#endif | |
2069 | }; | |
2070 | ||
2071 | +#ifdef CONFIG_GRKERNSEC | |
2072 | +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid, | |
2073 | + const time_t shm_createtime); | |
2074 | +#endif | |
2075 | + | |
2076 | #define shm_flags shm_perm.mode | |
2077 | ||
2078 | static struct file_operations shm_file_operations; | |
2079 | @@ -209,6 +220,9 @@ | |
2080 | shp->shm_lprid = 0; | |
2081 | shp->shm_atim = shp->shm_dtim = 0; | |
2082 | shp->shm_ctim = CURRENT_TIME; | |
2083 | +#ifdef CONFIG_GRKERNSEC | |
2084 | + shp->shm_createtime = CURRENT_TIME; | |
2085 | +#endif | |
2086 | shp->shm_segsz = size; | |
2087 | shp->shm_nattch = 0; | |
2088 | shp->id = shm_buildid(id,shp->shm_perm.seq); | |
2089 | @@ -622,9 +636,22 @@ | |
2090 | shm_unlock(shmid); | |
2091 | return -EACCES; | |
2092 | } | |
2093 | + | |
2094 | +#ifdef CONFIG_GRKERNSEC | |
2095 | + if (!gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) { | |
2096 | + shm_unlock(shmid); | |
2097 | + return -EACCES; | |
2098 | + } | |
2099 | +#endif | |
2100 | + | |
2101 | file = shp->shm_file; | |
2102 | size = file->f_dentry->d_inode->i_size; | |
2103 | shp->shm_nattch++; | |
2104 | + | |
2105 | +#ifdef CONFIG_GRKERNSEC | |
2106 | + shp->shm_lapid = current->pid; | |
2107 | +#endif | |
2108 | + | |
2109 | shm_unlock(shmid); | |
2110 | ||
2111 | down_write(¤t->mm->mmap_sem); | |
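Review bot: `shm_lapid` is never initialised — the `newseg` hunk sets `shm_createtime` but not `shm_lapid`, and nothing visible zeroes the segment struct — yet `sys_shmat` hands it to `gr_chroot_shmat()` on the very first attach, before the assignment further down. Add `shp->shm_lapid = 0;` next to `shp->shm_createtime = CURRENT_TIME;`. Since pids are recycled, the check presumably keys on `shm_createtime` to disambiguate a stale creator pid; a comment on the `gr_chroot_shmat` prototype stating what the three arguments are compared against would make that verifiable. Both enclosing functions start outside their hunks.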
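--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -7,6 +7,7 @@
 
 #include <linux/mm.h>
 #include <asm/uaccess.h>
+#include <linux/grsecurity.h>
 
 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
 
@@ -170,6 +171,12 @@
 		target = current;
 	}
 
+#ifdef CONFIG_GRKERNSEC
+	if (gr_handle_chroot_capset(target)) {
+		error = -ESRCH;
+		goto out;
+	}
+#endif
 
 	/* verify restrictions on target's new Inheritable set */
 	if (!cap_issubset(inheritable,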
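Review bot: The new `gr_handle_chroot_capset(target)` check also runs when `target == current` (pid 0 or the caller's own pid), so a chrooted caller may be refused capset on itself with `-ESRCH`; whether that is intended depends on the helper, which is not in this excerpt. If the goal is only to hide tasks outside the caller's chroot, the check belongs inside the `pid > 0 && pid != current->pid` branch, and a comment `/* -ESRCH: a task outside the caller's chroot must look nonexistent */` would explain the error-code choice either way. The enclosing `sys_capset` starts outside this hunk.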
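--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -16,6 +16,8 @@
 #ifdef CONFIG_BSD_PROCESS_ACCT
 #include <linux/acct.h>
 #endif
+#include <linux/file.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
@@ -165,6 +165,13 @@
 
 	write_lock_irq(&tasklist_lock);
 
+#ifdef CONFIG_GRKERNSEC
+	if (current->exec_file) {
+		fput(current->exec_file);
+		current->exec_file = NULL;
+	}
+#endif
+
 	/* Reparent to init */
 	REMOVE_LINKS(current);
 	current->p_pptr = child_reaper;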
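Review bot: The new `fput(current->exec_file)` runs while `tasklist_lock` is held for write with interrupts disabled (the `write_lock_irq` immediately above it), but `fput()` may drop the last reference and invoke the file's release path, which can sleep; it must not be called under a spinlock. Move the whole `#ifdef CONFIG_GRKERNSEC … #endif` block above `write_lock_irq(&tasklist_lock);` — the lock buys nothing here anyway, since the readers of another task's `exec_file` (`gr_parent_task_fullpath` in grinternal.h) do not take `tasklist_lock` either. The enclosing `exit_notify` starts before this hunk.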
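--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -22,6 +22,7 @@
 #include <linux/namespace.h>
 #include <linux/personality.h>
 #include <linux/compiler.h>
+#include <linux/grsecurity.h>
 
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
@@ -751,6 +759,9 @@
 	retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs);
 	if (retval)
 		goto bad_fork_cleanup_namespace;
+#ifdef CONFIG_GRKERNSEC
+	gr_copy_label(p);
+#endif
 	p->semundo = NULL;
 
 	/* Our parent execution domain becomes current domain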
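Review bot: `gr_copy_label(p)` is the only grsec call in the fork path, and because `do_fork` duplicates the parent's `task_struct` by value the child starts out holding the parent's `exec_file` pointer; a matching `get_file()` has to happen somewhere (presumably inside `gr_copy_label`, whose body is not in this excerpt), or the per-task `fput()` added in kernel/exit.c drops the parent's single reference once per child. A comment at the call site stating that contract — `/* must take the child's own reference on the exec_file inherited by the struct copy */` — lets a reader verify it without opening grsec_*.c. The enclosing `do_fork` starts outside this hunk.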
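--- a/kernel/ksyms.c
+++ b/kernel/ksyms.c
@@ -50,6 +50,7 @@
 #include <linux/seq_file.h>
 #include <linux/dnotify.h>
 #include <linux/crc32.h>
+#include <linux/grsecurity.h>
 #include <asm/checksum.h>
 
 #if defined(CONFIG_PROC_FS)
@@ -621,3 +622,8 @@
 /* To match ksyms with System.map */
 extern const char _end[];
 EXPORT_SYMBOL(_end);
+
+/* grsecurity */
+#ifdef CONFIG_GRKERNSEC
+EXPORT_SYMBOL(gr_pid_is_chrooted);
+#endif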
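--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -20,11 +20,13 @@
 #include <linux/nmi.h>
 #include <linux/interrupt.h>
 #include <linux/init.h>
+#include <linux/file.h>
 #include <asm/uaccess.h>
 #include <linux/smp_lock.h>
 #include <asm/mmu_context.h>
 #include <linux/kernel_stat.h>
 #include <linux/completion.h>
+#include <linux/grsecurity.h>
 
 /*
  * Convert user-nice values [ -20 ... 0 ... 19 ]
@@ -1192,6 +1194,11 @@
 			return -EPERM;
 		if (increment < -40)
 			increment = -40;
+
+#ifdef CONFIG_GRKERNSEC
+		if (gr_handle_chroot_nice())
+			return -EPERM;
+#endif
 	}
 	if (increment > 40)
 		increment = 40;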
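Review bot: `#include <linux/file.h>` is added in the first hunk but nothing in the visible `sys_nice` hunk uses it; if no other change to this file needs it, drop it. The `gr_handle_chroot_nice()` hook sits inside the `increment < 0` branch, so only attempts to raise priority are subject to the chroot policy while lowering it stays unrestricted — a reasonable asymmetry, but one that deserves a line such as `/* chroot policy: only raising priority is restricted */` so it is not mistaken for an oversight. The enclosing `sys_nice` starts before this hunk.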
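--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -4,6 +4,7 @@
  * Copyright (C) 1991, 1992 Linus Torvalds
  */
 
+#include <linux/config.h>
 #include <linux/module.h>
 #include <linux/mm.h>
 #include <linux/utsname.h>
@@ -14,6 +15,7 @@
 #include <linux/prctl.h>
 #include <linux/init.h>
 #include <linux/highuid.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/io.h>
@@ -239,6 +241,14 @@
 	}
 	if (error == -ESRCH)
 		error = 0;
+
+#ifdef CONFIG_GRKERNSEC
+	if (gr_handle_chroot_setpriority(p, niceval)) {
+		read_unlock(&tasklist_lock);
+		return -ESRCH;
+	}
+#endif
+
 	if (niceval < task_nice(p) && !capable(CAP_SYS_NICE))
 		error = -EACCES;
 	else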
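Review bot: The `gr_handle_chroot_setpriority()` hook returns from inside the `for_each_task` loop, so for `PRIO_PGRP`/`PRIO_USER` requests it aborts after some tasks have already had their priority set, leaving a partial update, and it reports `-ESRCH` even though matching tasks were found. The surrounding code handles per-task refusals by setting `error` and continuing; if the intent is that a task outside the caller's chroot must look nonexistent, a plain `continue;` that leaves `error` untouched, placed before the `if (error == -ESRCH) error = 0;` reset, yields exactly that for both single-pid and group requests. The enclosing `sys_setpriority` starts outside this hunk.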
2266 | diff -urN linux-2.4.22/kernel/sysctl.c linux-2.4.22-grsec/kernel/sysctl.c | |
2267 | --- linux-2.4.22/kernel/sysctl.c 2003-10-09 18:47:38.000000000 +0200 | |
2268 | +++ linux-2.4.22-grsec/kernel/sysctl.c 2003-10-09 19:13:26.000000000 +0200 | |
2269 | @@ -38,6 +38,11 @@ | |
2270 | #endif | |
2271 | ||
2272 | #if defined(CONFIG_SYSCTL) | |
2273 | +#include <linux/grsecurity.h> | |
2274 | +#include <linux/grinternal.h> | |
2275 | + | |
2276 | +extern int gr_handle_sysctl_mod(const char *dirname, const char *name, const int op); | |
2277 | +extern int gr_handle_chroot_sysctl(const int op); | |
2278 | ||
2279 | /* External variables not in a header file. */ | |
2280 | extern int panic_timeout; | |
2281 | @@ -126,6 +135,8 @@ | |
2282 | static ctl_table dev_table[]; | |
2283 | extern ctl_table random_table[]; | |
2284 | ||
2285 | +static ctl_table grsecurity_table[]; | |
2286 | + | |
2287 | /* /proc declarations: */ | |
2288 | ||
2289 | #ifdef CONFIG_PROC_FS | |
4fa954ff | 2290 | @@ -272,8 +283,112 @@ |
e6a87675 JR |
2291 | {KERN_EXCEPTION_TRACE,"exception-trace", |
2292 | &exception_trace,sizeof(int),0644,NULL,&proc_dointvec}, | |
2293 | #endif | |
2294 | +#ifdef CONFIG_GRKERNSEC_SYSCTL | |
2295 | + {KERN_GRSECURITY, "grsecurity", NULL, 0, 0500, grsecurity_table}, | |
2296 | +#endif | |
2297 | + {0} | |
2298 | +}; | |
2299 | + | |
2300 | +#ifdef CONFIG_GRKERNSEC_SYSCTL | |
2301 | +enum {GS_CHROOT_SHMAT=1, GS_CHROOT_UNIX, GS_CHROOT_MNT, | |
2302 | +GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM, | |
2303 | +GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, | |
4fa954ff JR |
2304 | +GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, |
2305 | +GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, | |
2306 | +GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_LOCK}; | |
e6a87675 JR |
2307 | + |
2308 | +static ctl_table grsecurity_table[] = { | |
2309 | +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT | |
2310 | + {GS_CHROOT_SHMAT, "chroot_deny_shmat", &grsec_enable_chroot_shmat, sizeof (int), | |
2311 | + 0600, NULL, &proc_dointvec}, | |
2312 | +#endif | |
2313 | +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX | |
2314 | + {GS_CHROOT_UNIX, "chroot_deny_unix", &grsec_enable_chroot_unix, sizeof(int), | |
2315 | + 0600, NULL, &proc_dointvec}, | |
2316 | +#endif | |
2317 | +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT | |
2318 | + {GS_CHROOT_MNT, "chroot_deny_mount", &grsec_enable_chroot_mount, sizeof (int), | |
2319 | + 0600, NULL, &proc_dointvec}, | |
2320 | +#endif | |
2321 | +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR | |
2322 | + {GS_CHROOT_FCHDIR, "chroot_deny_fchdir", &grsec_enable_chroot_fchdir, sizeof (int), | |
2323 | + 0600, NULL, &proc_dointvec}, | |
2324 | +#endif | |
2325 | +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE | |
2326 | + {GS_CHROOT_DBL, "chroot_deny_chroot", &grsec_enable_chroot_double, sizeof (int), | |
2327 | + 0600, NULL, &proc_dointvec}, | |
2328 | +#endif | |
2329 | +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT | |
2330 | + {GS_CHROOT_PVT, "chroot_deny_pivot", &grsec_enable_chroot_pivot, sizeof (int), | |
2331 | + 0600, NULL, &proc_dointvec}, | |
2332 | +#endif | |
2333 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR | |
2334 | + {GS_CHROOT_CD, "chroot_enforce_chdir", &grsec_enable_chroot_chdir, sizeof (int), | |
2335 | + 0600, NULL, &proc_dointvec}, | |
2336 | +#endif | |
2337 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD | |
2338 | + {GS_CHROOT_CM, "chroot_deny_chmod", &grsec_enable_chroot_chmod, sizeof (int), | |
2339 | + 0600, NULL, &proc_dointvec}, | |
2340 | +#endif | |
2341 | +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD | |
2342 | + {GS_CHROOT_MK, "chroot_deny_mknod", &grsec_enable_chroot_mknod, sizeof (int), | |
2343 | + 0600, NULL, &proc_dointvec}, | |
2344 | +#endif | |
2345 | +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE | |
2346 | + {GS_CHROOT_NI, "chroot_restrict_nice", &grsec_enable_chroot_nice, sizeof (int), | |
2347 | + 0600, NULL, &proc_dointvec}, | |
2348 | +#endif | |
2349 | +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG | |
2350 | + {GS_CHROOT_EXECLOG, "chroot_execlog", | |
2351 | + &grsec_enable_chroot_execlog, sizeof (int), | |
2352 | + 0600, NULL, &proc_dointvec}, | |
2353 | +#endif | |
2354 | +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS | |
2355 | + {GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int), | |
2356 | + 0600, NULL, &proc_dointvec}, | |
2357 | +#endif | |
2358 | +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL | |
2359 | + {GS_CHROOT_SYSCTL, "chroot_deny_sysctl", &grsec_enable_chroot_sysctl, sizeof (int), | |
2360 | + 0600, NULL, &proc_dointvec}, | |
2361 | +#endif | |
2362 | +#ifdef CONFIG_GRKERNSEC_TPE |
2363 | + {GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int), | |
2364 | + 0600, NULL, &proc_dointvec}, | |
2365 | + {GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int), | |
2366 | + 0600, NULL, &proc_dointvec}, | |
2367 | +#endif | |
2368 | +#ifdef CONFIG_GRKERNSEC_TPE_ALL | |
2369 | + {GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int), | |
2370 | + 0600, NULL, &proc_dointvec}, | |
2371 | +#endif | |
2372 | +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL | |
2373 | + {GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int), | |
2374 | + 0600, NULL, &proc_dointvec}, | |
2375 | + {GS_SOCKET_ALL_GID, "socket_all_gid", | |
2376 | + &grsec_socket_all_gid, sizeof (int), | |
2377 | + 0600, NULL, &proc_dointvec}, | |
2378 | +#endif | |
2379 | +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT | |
2380 | + {GS_SOCKET_CLIENT, "socket_client", | |
2381 | + &grsec_enable_socket_client, sizeof (int), | |
2382 | + 0600, NULL, &proc_dointvec}, | |
2383 | + {GS_SOCKET_CLIENT_GID, "socket_client_gid", | |
2384 | + &grsec_socket_client_gid, sizeof (int), | |
2385 | + 0600, NULL, &proc_dointvec}, | |
2386 | +#endif | |
2387 | +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER | |
2388 | + {GS_SOCKET_SERVER, "socket_server", | |
2389 | + &grsec_enable_socket_server, sizeof (int), | |
2390 | + 0600, NULL, &proc_dointvec}, | |
2391 | + {GS_SOCKET_SERVER_GID, "socket_server_gid", | |
2392 | + &grsec_socket_server_gid, sizeof (int), | |
2393 | + 0600, NULL, &proc_dointvec}, | |
2394 | +#endif | |
2395 | + {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL, |
2396 | + &proc_dointvec}, | |
2397 | {0} | |
2398 | }; | |
2399 | +#endif | |
2400 | ||
2401 | static ctl_table vm_table[] = { | |
2402 | {VM_BDFLUSH, "bdflush", &bdf_prm, 9*sizeof(int), 0644, NULL, | |
2403 | @@ -413,6 +607,13 @@ | |
2404 | ||
2405 | static inline int ctl_perm(ctl_table *table, int op) | |
2406 | { | |
2407 | +#ifdef CONFIG_GRKERNSEC | |
2408 | + if (gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op)) | |
2409 | + return -EACCES; | |
2410 | + if (gr_handle_chroot_sysctl(op)) | |
2411 | + return -EACCES; | |
2412 | +#endif | |
2413 | + | |
2414 | return test_perm(table->mode, op); | |
2415 | } | |
2416 | ||
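--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -14,6 +14,8 @@
 #include <linux/file.h>
 #include <linux/fs.h>
 #include <linux/personality.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgalloc.h>
@@ -480,6 +532,11 @@
 }
 }
 
+#ifdef CONFIG_GRKERNSEC
+ if (!gr_tpe_allow(file))
+ return -EACCES;
+#endif
+
 /* Clear old maps */
 munmap_back:
 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);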
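Review bot: The TPE gate in the second hunk is applied to every mapping of `file` regardless of the requested protection — `prot` is not consulted anywhere in the hunk — so a read-only data mapping of a file on an untrusted path is refused exactly like an executable one; the mprotect.c hunk below has the same shape. If that is the intended policy it deserves a comment at the call site, e.g. `/* TPE: refused for any mapping of an untrusted file, not only PROT_EXEC */`; if not, the condition should be `if ((prot & PROT_EXEC) && !gr_tpe_allow(file))`. `file` is NULL here for anonymous mappings, so gr_tpe_allow() is presumably expected to accept NULL — worth stating in the same comment. The enclosing function (do_mmap_pgoff, judging by the `munmap_back:` label) starts and ends outside the hunk.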
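--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -7,6 +7,7 @@
 #include <linux/smp_lock.h>
 #include <linux/shm.h>
 #include <linux/mman.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgalloc.h>
@@ -288,6 +393,13 @@
 if (!vma || vma->vm_start > start)
 goto out;
 
+#ifdef CONFIG_GRKERNSEC
+ if (!gr_tpe_allow(vma->vm_file)) {
+ error = -EACCES;
+ goto out;
+ }
+#endif
+
 for (nstart = start ; ; ) {
 unsigned int newflags;
 int last = 0;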
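Review bot: The added check only examines the first vma's `vm_file`, yet it sits in front of `for (nstart = start ; ; )`, which — judging by its shape and the `last` flag — walks every vma covering the requested range; when that range spans several mappings, the files backing the later ones are never passed to gr_tpe_allow(). Moving the check into the loop body, next to where each vma is handled, closes that gap. `vma->vm_file` is NULL for anonymous mappings, so gr_tpe_allow() must tolerate NULL here as well — a one-line comment stating that assumption would help the next reader. The enclosing function begins and ends outside the hunk.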
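--- a/net/ipv4/netfilter/Config.in
+++ b/net/ipv4/netfilter/Config.in
@@ -75,6 +75,7 @@
 dep_tristate ' address type match support' CONFIG_IP_NF_MATCH_ADDRTYPE $CONFIG_IP_NF_IPTABLES
 dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
 dep_tristate ' realm match support' CONFIG_IP_NF_MATCH_REALM $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' stealth match support' CONFIG_IP_NF_MATCH_STEALTH $CONFIG_IP_NF_IPTABLES
 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
 dep_tristate ' Helper match support' CONFIG_IP_NF_MATCH_HELPER $CONFIG_IP_NF_IPTABLES
 fi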
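--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -175,6 +175,7 @@
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
 obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
 
 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
 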
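--- a/net/ipv4/netfilter/ipt_stealth.c
+++ b/net/ipv4/netfilter/ipt_stealth.c
@@ -0,0 +1,109 @@
+/* Kernel module to add stealth support.
+ *
+ * Copyright (C) 2002 Brad Spengler <spender@grsecurity.net>
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/net.h>
+#include <linux/sched.h>
+#include <linux/inet.h>
+#include <linux/stddef.h>
+
+#include <net/ip.h>
+#include <net/sock.h>
+#include <net/tcp.h>
+#include <net/udp.h>
+#include <net/route.h>
+#include <net/inet_common.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_LICENSE("GPL");
+
+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ struct iphdr *ip = skb->nh.iph;
+ struct tcphdr *th = (struct tcphdr *) hdr;
+ struct udphdr *uh = (struct udphdr *) hdr;
+ struct sock *sk = NULL;
+
+ if (!ip || !hdr || offset) return 0;
+
+ switch(ip->protocol) {
+ case IPPROTO_TCP:
+ if (datalen < sizeof(struct tcphdr)) {
+ *hotdrop = 1;
+ return 0;
+ }
+ if (!(th->syn && !th->ack)) return 0;
+ sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th->dest), ((struct rtable*)skb->dst)->rt_iif);
+ break;
+ case IPPROTO_UDP:
+ if (datalen < sizeof(struct udphdr)) {
+ *hotdrop = 1;
+ return 0;
+ }
+ sk = udp_v4_lookup(ip->saddr, uh->source, ip->daddr, uh->dest, skb->dev->ifindex);
+ break;
+ default:
+ return 0;
+ }
+
+ if(!sk) // port is being listened on, match this
+ return 1;
+ else {
+ sock_put(sk);
+ return 0;
+ }
+}
+
+/* Called when user tries to insert an entry of this type. */
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(0))
+ return 0;
+
+ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
+ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
+ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
+ return 1;
+
+ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
+
+ return 0;
+}
+
+
+static struct ipt_match stealth_match
+= { { NULL, NULL }, "stealth", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ return ipt_register_match(&stealth_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&stealth_match);
+}
+
+module_init(init);
+module_exit(fini);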
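Review bot: The comment on `if(!sk)` in match() says the opposite of what the code does: `sk == NULL` means the lookup found no listening socket, i.e. the port is unserved, and that is the case that matches so the rule can drop the packet. Suggest `/* no listener on this port: match, so the rule (typically DROP) hides the unserved port */` there and `/* a socket was found; release the reference taken by the lookup */` on the else branch. The printk in checkentry() carries no log level; `printk(KERN_INFO "stealth: Only works on TCP and UDP for the INPUT chain.\n");` avoids logging it at the default level. The file header should also state that only SYN-without-ACK TCP segments are examined, so other TCP segments to an unserved port are not matched and still receive the stack's normal reply — administrators reading the Configure.help text may otherwise expect broader coverage.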
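--- a/net/netsyms.c
+++ b/net/netsyms.c
@@ -24,6 +24,7 @@
 #include <net/checksum.h>
 #include <linux/etherdevice.h>
 #include <net/route.h>
+#include <linux/grsecurity.h>
 #ifdef CONFIG_HIPPI
 #include <linux/hippidevice.h>
 #endif
@@ -613,6 +614,20 @@
 
 EXPORT_SYMBOL(softnet_data);
 
+#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
+#if !defined (CONFIG_IPV6_MODULE) && !defined (CONFIG_KHTTPD) && !defined (CONFIG_KHTTPD_MODULE)
+EXPORT_SYMBOL(tcp_v4_lookup_listener);
+#endif
+#if !defined(CONFIG_IP_NF_MATCH_OWNER) && !defined(CONFIG_IP_NF_MATCH_OWNER_MODULE)
+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
+EXPORT_SYMBOL(udp_v4_lookup);
+#endif
+#endif
+
+#ifdef CONFIG_UNIX_MODULE
+EXPORT_SYMBOL(gr_handle_chroot_unix);
+#endif
+
 #if defined(CONFIG_NET_RADIO) || defined(CONFIG_NET_PCMCIA_RADIO)
 #include <net/iw_handler.h>
 EXPORT_SYMBOL(wireless_send_event);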
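Review bot: The `extern struct sock *udp_v4_lookup(...)` prototype next to the export is hand-written here and again in ipt_stealth.c; two copies of a prototype for a symbol defined elsewhere drift silently if the definition ever changes its signature. Declaring it once in a header that the defining file and both users include (net/udp.h, presumably) lets the compiler check all three against each other. The nested `#if !defined(...)` guards appear to exist so the symbols are not exported twice when ipv6, khttpd or ipt_owner already export them; a short comment saying so, e.g. `/* already exported by ipv6/khttpd/ipt_owner when those are built */`, would save the next reader a search.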
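--- a/net/socket.c
+++ b/net/socket.c
@@ -85,6 +85,12 @@
 #include <net/scm.h>
 #include <linux/netfilter.h>
 
+extern void gr_attach_curr_ip(const struct sock *sk);
+extern int gr_handle_sock_all(const int family, const int type,
+ const int protocol);
+extern int gr_handle_sock_server(const struct sockaddr *sck);
+extern int gr_handle_sock_client(const struct sockaddr *sck);
+
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static ssize_t sock_read(struct file *file, char *buf,
 size_t size, loff_t *ppos);
@@ -699,6 +711,7 @@
 
 int sock_close(struct inode *inode, struct file *filp)
 {
+ struct socket *sock;
 /*
 * It was possible the inode is NULL we were
 * closing an unfinished socket.
@@ -709,8 +722,21 @@
 printk(KERN_DEBUG "sock_close: NULL inode\n");
 return 0;
 }
+ sock = socki_lookup(inode);
+
 sock_fasync(-1, filp, 0);
+
+#ifdef CONFIG_GRKERNSEC
+ if (unlikely(current->used_accept && sock->sk &&
+ (sock->sk->protocol == IPPROTO_TCP) &&
+ (sock->sk->daddr == current->curr_ip))) {
+ current->used_accept = 0;
+ current->curr_ip = 0;
+ }
+#endif
+
 sock_release(socki_lookup(inode));
+
 return 0;
 }
 
@@ -903,6 +929,13 @@
 int retval;
 struct socket *sock;
 
+#ifdef CONFIG_GRKERNSEC
+ if (gr_handle_sock_all(family, type, protocol)) {
+ retval = -EACCES;
+ goto out;
+ }
+#endif
+
 retval = sock_create(family, type, protocol, &sock);
 if (retval < 0)
 goto out;
@@ -998,12 +1034,23 @@
 {
 struct socket *sock;
 char address[MAX_SOCK_ADDR];
+ struct sockaddr * sck;
 int err;
 
 if((sock = sockfd_lookup(fd,&err))!=NULL)
 {
- if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
+ if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) {
+#ifdef CONFIG_GRKERNSEC
+ sck = (struct sockaddr *) address;
+
+ if (gr_handle_sock_server(sck)) {
+ sockfd_put(sock);
+ return -EACCES;
+ }
+#endif
+
 err = sock->ops->bind(sock, (struct sockaddr *)address, addrlen);
+ }
 sockfd_put(sock);
 }
 return err;
@@ -1079,6 +1129,10 @@
 if ((err = sock_map_fd(newsock)) < 0)
 goto out_release;
 
+#ifdef CONFIG_GRKERNSEC
+ gr_attach_curr_ip(newsock->sk);
+#endif
+
 out_put:
 sockfd_put(sock);
 out:
@@ -1106,6 +1158,7 @@
 {
 struct socket *sock;
 char address[MAX_SOCK_ADDR];
+ struct sockaddr * sck;
 int err;
 
 sock = sockfd_lookup(fd, &err);
@@ -1114,6 +1167,19 @@
 err = move_addr_to_kernel(uservaddr, addrlen, address);
 if (err < 0)
 goto out_put;
+
+#ifdef CONFIG_GRKERNSEC
+ sck = (struct sockaddr *) address;
+
+ if (gr_handle_sock_client(sck)) {
+ err = -EACCES;
+ goto out_put;
+ }
+
+ if (sock->sk->protocol == IPPROTO_TCP)
+ current->used_connect = 1;
+#endif
+
 err = sock->ops->connect(sock, (struct sockaddr *) address, addrlen,
 sock->file->f_flags);
 out_put:
@@ -1333,6 +1404,14 @@
 err=sock->ops->shutdown(sock, how);
 sockfd_put(sock);
 }
+
+#ifdef CONFIG_GRKERNSEC
+ if (likely(!err && current->used_accept)) {
+ current->used_accept = 0;
+ current->curr_ip = 0;
+ }
+#endif
+
 return err;
 }
 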
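Review bot: The shutdown hunk clears `current->used_accept` and `current->curr_ip` after any successful shutdown, whereas the sock_close hunk only does so when the socket is TCP and `sock->sk->daddr == current->curr_ip`; a process that shuts down an unrelated socket therefore loses the accepted peer's address that sock_close is careful to keep, which matters for the /proc/<pid>/ipaddr attribution this state feeds. Applying the same `sock->sk && protocol == IPPROTO_TCP && daddr == curr_ip` test inside the `if ((sock = sockfd_lookup(...)))` block, before `sockfd_put(sock)` releases the socket, makes the two paths consistent. In the bind hunk the EACCES branch duplicates the cleanup instead of reusing it: `err = -EACCES;` followed by falling through to the existing `sockfd_put(sock);` keeps a single exit. The connect hunk sets `current->used_connect = 1` before `sock->ops->connect` runs, so a refused or failed connect leaves the flag set — if that is unintended, set it only after a successful return; every function touched here begins outside its hunk.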
2772 | diff -urN linux-2.4.22/net/unix/af_unix.c linux-2.4.22-grsec/net/unix/af_unix.c | |
2773 | --- linux-2.4.22/net/unix/af_unix.c 2003-10-09 18:47:35.000000000 +0200 | |
2774 | +++ linux-2.4.22-grsec/net/unix/af_unix.c 2003-10-09 19:13:26.000000000 +0200 | |
2775 | @@ -109,6 +109,7 @@ | |
2776 | #include <linux/poll.h> | |
2777 | #include <linux/smp_lock.h> | |
2778 | #include <linux/rtnetlink.h> | |
2779 | +#include <linux/grsecurity.h> | |
2780 | ||
2781 | #include <asm/checksum.h> | |
2782 | ||
2783 | @@ -622,6 +623,15 @@ | |
2784 | if (u) { | |
2785 | struct dentry *dentry; | |
2786 | dentry = u->protinfo.af_unix.dentry; | |
2787 | + | |
2788 | +#ifdef CONFIG_GRKERNSEC | |
2789 | + if (!gr_handle_chroot_unix(u->peercred.pid)) { | |
2790 | + err = -EPERM; | |
2791 | + sock_put(u); | |
2792 | + goto fail; | |
2793 | + } | |
2794 | +#endif | |
2795 | + | |
2796 | if (dentry) | |
2797 | UPDATE_ATIME(dentry->d_inode); | |
2798 | } else | |
2799 | @@ -740,6 +748,10 @@ | |
2800 | goto out_unlock; | |
2801 | } | |
2802 | ||
2803 | +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX | |
2804 | + sk->peercred.pid = current->pid; | |
2805 | +#endif | |
2806 | + | |
2807 | list = &unix_socket_table[addr->hash]; | |
2808 | } else { | |
2809 | list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)]; | |
2810 | @@ -866,6 +893,9 @@ |
2811 | int st; | |
2812 | int err; | |
2813 | long timeo; | |
2814 | +#ifdef CONFIG_GRKERNSEC | |
2815 | + struct task_struct *p, **htable; | |
2816 | +#endif | |
2817 | ||
2818 | err = unix_mkname(sunaddr, addr_len, &hash); | |
2819 | if (err < 0) | |
2820 | @@ -989,6 +1019,17 @@ |
2821 | /* Set credentials */ | |
2822 | sk->peercred = other->peercred; | |
2823 | ||
2824 | +#ifdef CONFIG_GRKERNSEC | |
2825 | + read_lock(&tasklist_lock); | |
2826 | + htable = &pidhash[pid_hashfn(other->peercred.pid)]; | |
2827 | + for (p = *htable; p && p->pid != other->peercred.pid; p = p->pidhash_next); | |
2828 | + if (p) { | |
2829 | + p->curr_ip = current->curr_ip; | |
2830 | + p->used_accept = 1; | |
2831 | + } | |
2832 | + read_unlock(&tasklist_lock); | |
2833 | +#endif | |
2834 | + | |
2835 | sock_hold(newsk); | |
2836 | unix_peer(sk)=newsk; | |
2837 | sock->state=SS_CONNECTED; |